Skip to content

Internal Audit Report

Audit Identification: IA202609
Area: Document Control
Audit Date: 14/05/2026
Auditor: Sean Ashton (HSQE Consultant, Onyx Operations)
Date Completed: 14/05/2026
Findings: 0 Non-conformities, 0 Observations
Scope: Clause 7.5 (Documented Information)
Document Number: FORM_INTAR001 Rev 1 ID 01/09/2025
Builds on prior audit: IA202509 (26/09/2025) — 0 NC, 0 OBS

Executive Summary

This audit re-examined Document Control one year on from IA202509. The 2025 audit was clean (0 NC, 0 OBS) and the 2025–26 cycle has materially advanced documented-information control:

  • 44-SOP HTML migration (04/05/2026) — every SOP rebuilt to the SOP 3.4 standard with named roles, regulatory thresholds, functional swimlanes; embedded into the IMS portal via auto-resizing iframe per page. Master is the IMS portal; legacy drawio SVGs no longer referenced.
  • 23 appendices all at Rev 3 (or Rev 2 for APP_09 COSHH log) with consistent doc-control admonition format and master-source callout.
  • 2 new policies added (POL_HSQE_29 Mental Health, POL_HSQE_30 IT Security) following the existing policy doc-control format.
  • Continuous-compliance admonition added to the bottom of 24+ controlled documents, replacing the misleading "approved (planned) — pending sign-off at annual MR" rows.
  • Year-on-year evidence retained — Suppliers section restructured into sar-2025/ (32 prior-year SAR pages) + sar-2026/ (32 current-year SAR pages); 2025 internal audit reports retained alongside the 2026 cycle.

No new observations. The document-control workflow is operating as designed and has been demonstrably exercised through the 2025–26 cycle's substantial change set.

Year-on-year follow-up — IA202509 outcomes

2025 ref 2025 finding (summary) Status in 2026 audit
(none) IA202509 was clean — 0 NC, 0 OBS No 2025 follow-ups required.

Introduction

This audit examined documented-information control under clause 7.5 one year on from IA202509 — particularly relevant given the substantial 2025–26 change volume.

Aims & Objectives

  1. Verify documented-information identification, format, review and approval continues to operate (7.5.2)
  2. Confirm distribution, access, retrieval and use are controlled (7.5.3)
  3. Sample document version control across the 2025–26 changes
  4. Confirm change-log entries trace document evolution
  5. Assess the new continuous-compliance admonition's impact on clause 9.3-relevant minutes / approval

Audit Method

  • Document Review: SOP 4.6 Document Control Rev 3 HTML, SOP 4.7 Control of Records Rev 3 HTML, MAN_01 IMS Manual Rev 3, all 23 appendices doc-control headers, 31 policies doc-control headers, all 44 SOP HTML pages, mkdocs.yml nav structure (canonical sequence and grouping).
  • Interviews Conducted: Director (Leanne Mason — Document-Control owner with HSQE Consultant), HSQE Consultant.
  • Observations: Random sample of 10 controlled documents traced from latest portal version → Word/Excel companion → change-log entry → standing weekly compliance call notes for any approvals; verification of mkdocs strict-build green status as the canonical no-broken-link test.
  • Sampling: APP_06 (significant 2026 change), APP_11 (KPI simplification), APP_17 (BCP testing-log backfill + cross-reference fix), APP_19 (SAR refresh to Issue 4), MAN_01 (role-label retirement), POL_HSQE_29 (new policy), POL_HSQE_30 (new policy), SOP 3.4 (HTML format reference), SOP 6.3 (recovered into nav), RA_HO_18 (new RA).

Non-conformities

No non-conformities identified.

Observations

No observations identified.

Conclusions

Document control is the area with the most demonstrably exercised workflow in the 2025–26 cycle:

Areas Meeting Requirements (sustained from IA202509):

  • IMS portal continues to be master; Word/Excel companions are working snapshots
  • SOP 4.6 / 4.7 continue to define the document-control workflow (now in HTML format)
  • MAN_01 IMS Manual continues to set the scope
  • Strict-build CI gate ensures broken links are caught at build time

New strengths since IA202509:

  • 44-SOP HTML migration delivered and stable. Each MD wrapper embeds its matching HTML via iframe; iframe height auto-sizes; portal nav restructured to host both MD wrappers and standalone-page links.
  • Continuous-compliance admonition standardised across 24+ controlled documents — positively reframes how revisions are approved (weekly call + monthly visit + September strategic confirmation) rather than the misleading "approved (planned)" rows that were retired 04/05/2026.
  • Year-on-year evidence preservation — Suppliers section split into sar-2025/ + sar-2026/ folders preserves the prior-year SAR records as audit-defensible evidence rather than overwriting them.
  • Generic role labels retired across 7 documents (16 substitutions) — every responsibility now lands on a named individual.
  • Change-log entries now consistently terse, substantive, and free of fluff / annual-review framing.

Recommendations

  1. Continue the strict-build CI gate as the primary document-integrity test.
  2. Continue the IMS portal as master and the Word/Excel companions as snapshots.
  3. At the September 2026 MR, formally adopt the document-control improvements as part of the 2026–27 baseline.

Feedback & Acknowledgments

Full cooperation. The 2025–26 document-control work has been the foundational improvement that everything else has built on; the audit experience is materially better than at IA202509.

Audit Report Prepared By

Name Position Signature Date
Sean Ashton HSQE Consultant S. Ashton 14/05/2026
Aaron Mason Director A. Mason 14/05/2026

Corrective Action Close Out

No CARs raised by this audit.