Skip to content

Internal Audit Report

Audit Identification: IA202609
Area: Document Control
Audit Date: 14/05/2026
Auditor: Sean Ashton (HSQE Consultant, Onyx Operations)
Date Completed: 14/05/2026
Findings: 0 Non-conformities, 0 Observations
Scope: Clause 7.5 (Documented Information)
Document Number: FORM_INTAR001 Rev 1 ID 01/09/2025
Builds on prior audit: IA202509 (26/09/2025) — 0 NC, 0 OBS

Audit cycle context

This audit is part of AMWS's rolling 2026 internal audit cycle conducted across 28/04-19/05/2026 by Sean Ashton (HSQE Consultant), ahead of the Achilles UVDB Verify Category B2 surveillance audit on 3-4 June 2026. Some documents reviewed during the cycle were revised within the cycle as part of the broader 2025-26 IMS rebuild — see the Post-audit IMS evolution block at the foot of this report for details of changes completed by 13/05/2026.

Executive Summary

This audit re-examined Document Control one year on from IA202509. The 2025 audit was clean (0 NC, 0 OBS) and the 2025–26 cycle has materially advanced documented-information control:

  • 44-SOP HTML migration (04/05/2026) — every SOP rebuilt to the SOP 3.4 standard with named roles, regulatory thresholds, functional swimlanes; embedded into the IMS portal via auto-resizing iframe per page. Master is the IMS portal; legacy drawio SVGs no longer referenced.
  • 23 appendices all at Rev 3 (or Rev 2 for APP_09 COSHH log) with consistent doc-control admonition format and master-source callout.
  • 2 new policies added (POL_HSQE_29 Mental Health, POL_HSQE_30 IT Security) following the existing policy doc-control format.
  • Continuous-compliance admonition added to the bottom of 24+ controlled documents, replacing the misleading "approved (planned) — pending sign-off at annual MR" rows.
  • Year-on-year evidence retained — Suppliers section restructured into sar-2025/ (32 prior-year SAR pages) + sar-2026/ (32 current-year SAR pages); 2025 internal audit reports retained alongside the 2026 cycle.

No new observations. The document-control workflow is operating as designed and has been demonstrably exercised through the 2025–26 cycle's substantial change set.

Year-on-year follow-up — IA202509 outcomes

2025 ref 2025 finding (summary) Status in 2026 audit
(none) IA202509 was clean — 0 NC, 0 OBS No 2025 follow-ups required.

Introduction

This audit examined documented-information control under clause 7.5 one year on from IA202509 — particularly relevant given the substantial 2025–26 change volume.

Aims & Objectives

  1. Verify documented-information identification, format, review and approval continues to operate (7.5.2)
  2. Confirm distribution, access, retrieval and use are controlled (7.5.3)
  3. Sample document version control across the 2025–26 changes
  4. Confirm change-log entries trace document evolution
  5. Assess the new continuous-compliance admonition's impact on clause 9.3-relevant minutes / approval

Audit Method

  • Document Review: SOP 4.6 Document Control Rev 3 HTML, SOP 4.7 Control of Records Rev 3 HTML, MAN_01 IMS Manual Rev 3, all 23 appendices doc-control headers, 31 policies doc-control headers, all 44 SOP HTML pages, mkdocs.yml nav structure (canonical sequence and grouping).
  • Interviews Conducted: Director (Leanne Mason — Document-Control owner with HSQE Consultant), HSQE Consultant.
  • Observations: Random sample of 10 controlled documents traced from latest portal version → Word/Excel companion → change-log entry → standing weekly compliance call notes for any approvals; verification of mkdocs strict-build green status as the canonical no-broken-link test.
  • Sampling: APP_06 (significant 2026 change), APP_11 (KPI simplification), APP_17 (BCP testing-log backfill + cross-reference fix), APP_19 (SAR refresh to Issue 4), MAN_01 (role-label retirement), POL_HSQE_29 (new policy), POL_HSQE_30 (new policy), SOP 3.4 (HTML format reference), SOP 6.3 (recovered into nav), RA_HO_18 (new RA).

Non-conformities

No non-conformities identified.

Observations

No observations identified.

Conclusions

Document control is the area with the most demonstrably exercised workflow in the 2025–26 cycle:

Areas Meeting Requirements (sustained from IA202509):

  • IMS portal continues to be master; Word/Excel companions are working snapshots
  • SOP 4.6 / 4.7 continue to define the document-control workflow (now in HTML format)
  • MAN_01 IMS Manual continues to set the scope
  • Strict-build CI gate ensures broken links are caught at build time

New strengths since IA202509:

  • 44-SOP HTML migration delivered and stable. Each MD wrapper embeds its matching HTML via iframe; iframe height auto-sizes; portal nav restructured to host both MD wrappers and standalone-page links.
  • Continuous-compliance admonition standardised across 24+ controlled documents — positively reframes how revisions are approved (weekly call + monthly visit + September strategic confirmation) rather than the misleading "approved (planned)" rows that were retired 04/05/2026.
  • Year-on-year evidence preservation — Suppliers section split into sar-2025/ + sar-2026/ folders preserves the prior-year SAR records as audit-defensible evidence rather than overwriting them.
  • Generic role labels retired across 7 documents (16 substitutions) — every responsibility now lands on a named individual.
  • Change-log entries now consistently terse, substantive, and free of fluff / annual-review framing.

Position as at 13/05/2026: The findings above remain the formal record. The 12-13 May 2026 IMS consistency pass (see closure block below) does not alter any audit verdict; it strengthens the supporting evidence base going into the Achilles UVDB B2 surveillance audit (3-4 June 2026).

Recommendations

  1. Continue the strict-build CI gate as the primary document-integrity test.
  2. Continue the IMS portal as master and the Word/Excel companions as snapshots.
  3. At the September 2026 MR, formally adopt the document-control improvements as part of the 2026–27 baseline.

Feedback & Acknowledgments

Full cooperation. The 2025–26 document-control work has been the foundational improvement that everything else has built on; the audit experience is materially better than at IA202509.

Post-audit IMS evolution (12-13 May 2026)

The findings above stand as a point-in-time record at audit date. Following the 2026 audit cycle, AMWS completed an IMS-wide consistency pass on 12-13 May 2026 that affects references in this report. The audit findings remain valid; the system updates strengthen rather than supersede them. Material changes the auditor should be aware of:

Appendix-level changes

  • APP_01 Context & Interested Parties Log — Issue 3 / 01/06/2026; 10 → 12 interested parties (Ofwat [NEW 2026], ICO [NEW 2026]); 2 [NEW] + 3 [UPDATED] tags inline
  • APP_02 ISO Clause Application Matrix — Issue 2; Standards Watch section added tracking ISO 14001:2026 / 9001:2026 / 45001:2027 transitions
  • APP_02.1 Process Application Log — Issue 2; 8 → 9 processes (Information Security & Cyber [NEW 2026] added)
  • APP_05 Risk & Opportunity Log — risks reorganised by category (R-01..R-21 in category order); opportunities now scored using the same A + B + (C × D) method as risks (8 opportunities O-01..O-08, O-09 dropped — Onyx Operations business, not AMWS); R-07 Supply chain controls reflect the APP_19 Issue 7 / 19-May-2026 HTML register migration (18 Active rated Excellent / 13 Inactive / 1 Merged following the IA cycle proportionality review)
  • APP_06 Aspect Identification — Issue 3 / 01/06/2026; 12 → 14 environmental aspects (Aspect 13 Climate Adaptation [NEW 2026], Aspect 14 PFAS [NEW 2026])
  • APP_07 Hazard Identification — Issue 4 / 01/06/2026; HO-18 Fatigue Management added 04/05/2026; named owners throughout (generic role labels retired); RA review dates aligned to 01/06/2027
  • APP_08 OHS Hazard Assessments — Issue 2 (corrected from phantom Issue 3); RA_HO_18 added to register; compliance matrix expanded for 2026 legislation stack
  • APP_11 HSQE Objectives & KPIsB4 Cyber Resilience KPI added [NEW 2026] (Cyber Essentials by 31/12/2026; zero notifiable breaches per year); B2 KISS reframe; E3 Carbon baseline now live (288.7 tCO₂e Scope 1+2)
  • APP_15 Lifecycle Analysis — 14 aspects in lifecycle matrix; Strategic Actions section added with KPI / SOP cross-references
  • APP_16 Emergency Preparedness12-scenario Response Matrix added (ER-01..ER-12 including ER-11 Cyber [NEW 2026] and ER-12 Extreme Weather [UPDATED 2026]); 2026 YTD testing log populated; APPL_16 Excel master created
  • APP_17 Disaster Recovery & BCP — Issue 4 / 13/05/2026; KISS testing cadence (annual desktop + real-incident reviews + continuous currency); two-tier interlink with APP_16 (Tier 1 incident response, Tier 2 business continuity) with shared scenario-mapping table
  • APP_18 Emergency Equipment Log — Issue 3; 2026 YTD inspection history populated (20 rows Jan-May); APPL_18 Excel master created
  • APP_19 Approved Suppliers — Issue 6 / 13/05/2026; explicit Performance Rating Criteria added (6 criteria × 3 bands: Excellent / Good / Do Not Use)
  • APP_20 Internal Audits Programme — Issue 3; 16 × 2026 internal audits delivered (28/04-19/05/2026); CAR-2026-001..011 tracker; 2026-27 forward programme with ISO 14001:2026 transition + Cyber audit slots
  • APP_21 NC Register — Issue 4 / 13/05/2026; dual-master pattern (audit-derived CARs portal-master; operational NCRs Leanne's live Excel)

Risk Assessments

  • All 18 RAs (RA_HO_01..18) standardised to consistent layout: Document Information callout → Download this risk assessment callout with .docx download → page body → How this document is approved callout
  • 4 × 4 matrix consistency applied across all 18 RAs (RA_HO_18 rescaled from 5×5 to match the rest)
  • 18 × .docx companions generated and linked from each RA page
  • APP_07 and APP_08 RA Coverage tables now have correct 04/07/2026 / 04/05/2027 review dates (was wrongly showing 01/06/2027) and clickable RA hyperlinks

Policies and procedures

  • POL_HSQE_29 Mental Health Policy (issued 04/05/2026 — Issue 1) — in operation
  • POL_HSQE_30 IT Security Policy (issued 04/05/2026 — Issue 1) — in operation
  • POL_HSQE_29 and POL_HSQE_30 cross-referenced from new APP_11 B4 KPI, APP_16 ER-11 Cyber scenario, APP_17 §3.1 Technology Disruption

Carbon Baseline 2025

  • Published 12/05/2026: 288.7 tCO₂e Scope 1+2 (diesel = 97% of footprint)
  • Referenced from APP_06 Aspect 1 + Aspect 9; APP_11 E3 KPI; APP_15 Strategic Actions; APP_07 HO-14

Excel companion consistency

  • APPL_16 and APPL_18 masters created in IMS Excel Conversions/ (previously absent — docs/appendices copies were stale "Table 1, 2, 3" generic-sheet versions)
  • All previously-stale docs Excel copies resynced from masters
  • Cross-reference fixes in APPL_02, APPL_03, APPL_04, APPL_06, APPL_15 to reflect APP_05 R-XX renumbering

Pattern consistency

  • All 23 appendices now follow a consistent template: Document Information callout → "Download the register" callout (single companion file) → page body → audit trail mirroring Excel cover → "How this document is approved" callout
  • 22 orphan .docx files removed from assets/local-docs/appendices/
  • Wide-mode tip dropped from callouts (FABs visible site-wide)

Looking ahead

  • e-forms proposal under development as the next IMS digitalisation workstream (will impact 7.5 documented information evidence and 9.1 monitoring streams)
  • AMWS H&S Culture Survey (Onyx Operations) — Q3 2026 post-audit rollout; replaces the short-lived Director Site-Tour Programme; HSG65-aligned workforce-wide cultural-sentiment readout. Aaron Mason's hands-on operational site presence continues as a feature of running the business (not a measurable KPI)
  • ISO 14001:2026 transition plan to be drafted Q3 2026; recertification cycle Nov 2027
  • 28/05/2026 BCP desktop exercise scheduled (key-person absence — Site Supervisor unavailable for 5+ working days, APP_17 §4 Scenario #3; P1 gap-closure ahead of Achilles UVDB B2 audit 3-4 June 2026)

The 16 × 2026 internal audit reports were drafted across 28/04-19/05/2026 with knowledge of the substantive 2025-26 IMS rebuild. The 12-13 May consistency pass captured above completes that rebuild; the audit findings continue to apply.

Audit Report Prepared By

Name Position Signature Date
Sean Ashton HSQE Consultant S. Ashton 14/05/2026
Aaron Mason Director A. Mason 14/05/2026

Corrective Action Close Out

Status as of 13/05/2026: No CAR raised directly by this audit. Document-control evidence (controlled identification, version-control, controlled-by, review-cycle) verified across all 23 appendices, 31 policies, 44 SOPs and 18 RAs. The 12-13 May 2026 IMS consistency pass standardised the callout pattern across all controlled documents (see closure block below).