Internal Audit Report¶
Audit Identification: IA202612
Area: Emergency Preparedness
Audit Date: 19/05/2026
Auditor: Sean Ashton (HSQE Consultant, Onyx Operations)
Date Completed: 19/05/2026
Findings: 0 Non-conformities, 0 Observations
Scope: Clauses 8.2 (ISO 14001 & ISO 45001)
Document Number: FORM_INTAR001 Rev 1 ID 01/09/2025
Builds on prior audit: IA202512 (30/09/2025) — 0 NC, 0 OBS
Audit cycle context
This audit is part of AMWS's rolling 2026 internal audit cycle conducted across 28/04-19/05/2026 by Sean Ashton (HSQE Consultant), ahead of the Achilles UVDB Verify Category B2 surveillance audit on 3-4 June 2026. Some documents reviewed during the cycle were revised within the cycle as part of the broader 2025-26 IMS rebuild — see the Post-audit IMS evolution block at the foot of this report for details of changes completed by 13/05/2026.
Executive Summary¶
This audit re-examined Emergency Preparedness one year on from IA202512. The 2025 audit was clean (0 NC, 0 OBS) and the 2025–26 cycle has materially strengthened emergency-preparedness evidence:
- APP_17 BCP testing log backfilled — quarterly programme through to Q1 2026 closed with documented outcomes; Q2 2026 desktop (key-person absence — Site Supervisor, APP_17 §4 Scenario #3) scheduled 28/05/2026 (CAR-2026-005 from IA202604).
- APP_17 cross-reference errors fixed — Section 10 references APP_16 and APP_17 correctly (was previously incorrectly referencing APP_20 and APP_21).
- APP_16 Emergency Preparedness & Response Matrix at Rev 3 (1 June 2026).
- APP_18 Emergency Equipment Log at Rev 3 (1 June 2026) with named-role labels (HSQE Manager → Site Supervisor (Jason May)).
- SOP 8.15 Fire issued in HTML format with concrete thresholds (10 m hot-work radius, 60-min fire-watch, BS EN 3 extinguisher class table).
- SOP 5.4 Emergency Preparedness rebuilt to HTML format.
- POL_HSQE_30 IT Security incident pathway introduces UK GDPR 72-hour breach notification — a new emergency-preparedness commitment.
- Environmental emergency drill schedule addressed via CAR-2026-008 from IA202607 (target close 30/09/2026).
No new observations. The Q2 2026 BCP desktop on 28/05/2026 is the next operational milestone; once held and documented, the entire emergency-preparedness picture is fully evidenced for the surveillance audit.
Year-on-year follow-up — IA202512 outcomes¶
| 2025 ref | 2025 finding (summary) | Status in 2026 audit |
|---|---|---|
| (none) | IA202512 was clean — 0 NC, 0 OBS | No 2025 follow-ups required. |
Introduction¶
This audit examined Emergency Preparedness under clauses 8.2 (ISO 14001 environmental emergencies; ISO 45001 H&S emergency preparedness) one year on from IA202512. Particular focus on the BCP testing log, the new SOP 8.15 Fire, and the planned Q2 2026 key-person absence desktop (Site Supervisor scenario).
Aims & Objectives¶
- Verify APP_16 / APP_17 / APP_18 currency and consistency
- Confirm the BCP testing-log entries 2024–2026 are coherent and continuous
- Sample SOP 8.15 Fire hot-work permit threshold (10 m, 60-min) against operational reality
- Confirm the planned Q2 2026 BCP desktop on 28/05/2026 has scenario briefs and participants
- Verify cyber-incident pathway in POL_HSQE_30 integrates with APP_17
Audit Method¶
- Document Review: APP_16 Emergency Preparedness & Response Matrix Issue 3 / 01/06/2026 — 12-scenario Response Matrix incl. ER-11 Cyber [NEW 2026] and ER-12 Extreme Weather [UPDATED 2026]; APP_17 Disaster Recovery & BCP Issue 4 / 13/05/2026 — KISS testing cadence + two-tier interlink with APP_16; APP_18 Emergency Equipment Log Issue 3; plus: SOP 5.4 Emergency Preparedness Rev 3 HTML, SOP 8.15 Fire Rev 3 HTML, APP_16 Emergency Preparedness & Response Matrix Rev 3, APP_17 DR-BCP Rev 3 (with backfilled testing log + Section 10 cross-ref fix), APP_18 Emergency Equipment Log Rev 3, POL_HSQE_30 IT Security (cyber-incident pathway), Fire Risk Assessment (March 2025 — held in 7 Workplace Safety folder).
- Interviews Conducted: Directors (Aaron + Leanne Mason), Site Supervisor (Jason May), HSQE Consultant.
- Observations: Spill kits in van packs; bunded fuel storage at yard; gas / electrical certs (in 9 Security folder); Fire Risk Assessment review; planned 28/05/2026 BCP desktop participant list and scenario briefs reviewed.
- Sampling: APP_17 testing-log entries 2024–2026 (ten entries); 3 spill kits (one yard + two van packs); 5 BS EN 3 extinguisher classes against AMWS operational scenarios.
Non-conformities¶
No non-conformities identified.
Observations¶
No observations identified.
Conclusions¶
Emergency preparedness is in strong shape:
Areas Meeting Requirements (sustained from IA202512):
- APP_16 / APP_17 / APP_18 continue to operate as canonical emergency-preparedness documents
- SOP 5.4 continues to define the methodology (now in HTML format)
- Spill kits / bunded fuel storage / extinguishers / first-aid kits continue to be in place and in date
New strengths since IA202512:
- APP_17 BCP testing log backfilled — every quarter from 2024 to 2026 has a documented outcome; the Q2 2026 key-person absence desktop (Site Supervisor scenario) is scheduled (CAR-2026-005, target 31/05/2026).
- SOP 8.15 Fire HTML rebuild — concrete thresholds (10 m hot-work radius, 60-min fire-watch, BS EN 3 extinguisher class A/B/C/D/F/electrical table) directly auditable.
- APP_17 cross-reference errors fixed — Section 10 now correctly cross-refers to APP_16 and APP_17 (was APP_20 and APP_21 in error).
- POL_HSQE_30 cyber-incident pathway — UK GDPR 72-hour breach notification window integrated with the AMWS incident workflow (SOP 8.1 → APP_21 → APP_17 BCP review).
- Environmental emergency drill schedule — programmed via CAR-2026-008 (target 30/09/2026).
Position as at 13/05/2026: The findings above remain the formal record. The 12-13 May 2026 IMS consistency pass (see closure block below) does not alter any audit verdict; it strengthens the supporting evidence base going into the Achilles UVDB B2 surveillance audit (3-4 June 2026).
Recommendations¶
- Close CAR-2026-005 (Q2 2026 BCP desktop) on 28/05/2026 — last operational item ahead of the 3–4 June 2026 audit.
- Close CAR-2026-008 (environmental emergency drill) by 30/09/2026.
- Continue the quarterly BCP-testing programme; Q3 2026 will be the next desktop after the September MR.
Feedback & Acknowledgments¶
Full cooperation. The 2025–26 cycle has built the emergency-preparedness evidence base from a respectable 2025 position to a fully audit-ready 2026 picture.
Post-audit IMS evolution (12-13 May 2026)¶
The findings above stand as a point-in-time record at audit date. Following the 2026 audit cycle, AMWS completed an IMS-wide consistency pass on 12-13 May 2026 that affects references in this report. The audit findings remain valid; the system updates strengthen rather than supersede them. Material changes the auditor should be aware of:
Appendix-level changes
- APP_01 Context & Interested Parties Log — Issue 3 / 01/06/2026; 10 → 12 interested parties (Ofwat
[NEW 2026], ICO[NEW 2026]); 2[NEW]+ 3[UPDATED]tags inline - APP_02 ISO Clause Application Matrix — Issue 2; Standards Watch section added tracking ISO 14001:2026 / 9001:2026 / 45001:2027 transitions
- APP_02.1 Process Application Log — Issue 2; 8 → 9 processes (Information Security & Cyber
[NEW 2026]added) - APP_05 Risk & Opportunity Log — risks reorganised by category (R-01..R-21 in category order); opportunities now scored using the same A + B + (C × D) method as risks (8 opportunities O-01..O-08, O-09 dropped — Onyx Operations business, not AMWS); R-07 Supply chain controls reflect the APP_19 Issue 7 / 19-May-2026 HTML register migration (18 Active rated Excellent / 13 Inactive / 1 Merged following the IA cycle proportionality review)
- APP_06 Aspect Identification — Issue 3 / 01/06/2026; 12 → 14 environmental aspects (Aspect 13 Climate Adaptation
[NEW 2026], Aspect 14 PFAS[NEW 2026]) - APP_07 Hazard Identification — Issue 4 / 01/06/2026; HO-18 Fatigue Management added 04/05/2026; named owners throughout (generic role labels retired); RA review dates aligned to 01/06/2027
- APP_08 OHS Hazard Assessments — Issue 2 (corrected from phantom Issue 3); RA_HO_18 added to register; compliance matrix expanded for 2026 legislation stack
- APP_11 HSQE Objectives & KPIs — B4 Cyber Resilience KPI added
[NEW 2026](Cyber Essentials by 31/12/2026; zero notifiable breaches per year); B2 KISS reframe; E3 Carbon baseline now live (288.7 tCO₂e Scope 1+2) - APP_15 Lifecycle Analysis — 14 aspects in lifecycle matrix; Strategic Actions section added with KPI / SOP cross-references
- APP_16 Emergency Preparedness — 12-scenario Response Matrix added (ER-01..ER-12 including ER-11 Cyber
[NEW 2026]and ER-12 Extreme Weather[UPDATED 2026]); 2026 YTD testing log populated; APPL_16 Excel master created - APP_17 Disaster Recovery & BCP — Issue 4 / 13/05/2026; KISS testing cadence (annual desktop + real-incident reviews + continuous currency); two-tier interlink with APP_16 (Tier 1 incident response, Tier 2 business continuity) with shared scenario-mapping table
- APP_18 Emergency Equipment Log — Issue 3; 2026 YTD inspection history populated (20 rows Jan-May); APPL_18 Excel master created
- APP_19 Approved Suppliers — Issue 6 / 13/05/2026; explicit Performance Rating Criteria added (6 criteria × 3 bands: Excellent / Good / Do Not Use)
- APP_20 Internal Audits Programme — Issue 3; 16 × 2026 internal audits delivered (28/04-19/05/2026); CAR-2026-001..011 tracker; 2026-27 forward programme with ISO 14001:2026 transition + Cyber audit slots
- APP_21 NC Register — Issue 4 / 13/05/2026; dual-master pattern (audit-derived CARs portal-master; operational NCRs Leanne's live Excel)
Risk Assessments
- All 18 RAs (RA_HO_01..18) standardised to consistent layout: Document Information callout → Download this risk assessment callout with .docx download → page body → How this document is approved callout
- 4 × 4 matrix consistency applied across all 18 RAs (RA_HO_18 rescaled from 5×5 to match the rest)
- 18 ×
.docxcompanions generated and linked from each RA page - APP_07 and APP_08 RA Coverage tables now have correct 04/07/2026 / 04/05/2027 review dates (was wrongly showing 01/06/2027) and clickable RA hyperlinks
Policies and procedures
- POL_HSQE_29 Mental Health Policy (issued 04/05/2026 — Issue 1) — in operation
- POL_HSQE_30 IT Security Policy (issued 04/05/2026 — Issue 1) — in operation
- POL_HSQE_29 and POL_HSQE_30 cross-referenced from new APP_11 B4 KPI, APP_16 ER-11 Cyber scenario, APP_17 §3.1 Technology Disruption
Carbon Baseline 2025
- Published 12/05/2026: 288.7 tCO₂e Scope 1+2 (diesel = 97% of footprint)
- Referenced from APP_06 Aspect 1 + Aspect 9; APP_11 E3 KPI; APP_15 Strategic Actions; APP_07 HO-14
Excel companion consistency
- APPL_16 and APPL_18 masters created in
IMS Excel Conversions/(previously absent — docs/appendices copies were stale "Table 1, 2, 3" generic-sheet versions) - All previously-stale docs Excel copies resynced from masters
- Cross-reference fixes in APPL_02, APPL_03, APPL_04, APPL_06, APPL_15 to reflect APP_05 R-XX renumbering
Pattern consistency
- All 23 appendices now follow a consistent template: Document Information callout → "Download the register" callout (single companion file) → page body → audit trail mirroring Excel cover → "How this document is approved" callout
- 22 orphan
.docxfiles removed fromassets/local-docs/appendices/ - Wide-mode tip dropped from callouts (FABs visible site-wide)
Looking ahead
- e-forms proposal under development as the next IMS digitalisation workstream (will impact 7.5 documented information evidence and 9.1 monitoring streams)
- AMWS H&S Culture Survey (Onyx Operations) — Q3 2026 post-audit rollout; replaces the short-lived Director Site-Tour Programme; HSG65-aligned workforce-wide cultural-sentiment readout. Aaron Mason's hands-on operational site presence continues as a feature of running the business (not a measurable KPI)
- ISO 14001:2026 transition plan to be drafted Q3 2026; recertification cycle Nov 2027
- 28/05/2026 BCP desktop exercise scheduled (key-person absence — Site Supervisor unavailable for 5+ working days, APP_17 §4 Scenario #3; P1 gap-closure ahead of Achilles UVDB B2 audit 3-4 June 2026)
The 16 × 2026 internal audit reports were drafted across 28/04-19/05/2026 with knowledge of the substantive 2025-26 IMS rebuild. The 12-13 May consistency pass captured above completes that rebuild; the audit findings continue to apply.
Audit Report Prepared By¶
| Name | Position | Signature | Date |
|---|---|---|---|
| Sean Ashton | HSQE Consultant | S. Ashton | 19/05/2026 |
| Aaron Mason | Director | A. Mason | 19/05/2026 |
Corrective Action Close Out¶
Status as of 13/05/2026: No CAR raised directly by this audit. Emergency preparedness evidence strengthened through this session's APP_16 (12-scenario Response Matrix) + APP_17 (KISS testing cadence with two-tier interlink to APP_16) work. The 28/05/2026 BCP desktop exercise (linked CAR-2026-005 from IA202604) will provide the next concrete evidence point.