Skip to content

Internal Audit Report

Audit Identification: IA202612
Area: Emergency Preparedness
Audit Date: 19/05/2026
Auditor: Sean Ashton (HSQE Consultant, Onyx Operations)
Date Completed: 19/05/2026
Findings: 0 Non-conformities, 0 Observations
Scope: Clauses 8.2 (ISO 14001 & ISO 45001)
Document Number: FORM_INTAR001 Rev 1 ID 01/09/2025
Builds on prior audit: IA202512 (30/09/2025) — 0 NC, 0 OBS

Audit cycle context

This audit is part of AMWS's rolling 2026 internal audit cycle conducted across 28/04-19/05/2026 by Sean Ashton (HSQE Consultant), ahead of the Achilles UVDB Verify Category B2 surveillance audit on 3-4 June 2026. Some documents reviewed during the cycle were revised within the cycle as part of the broader 2025-26 IMS rebuild — see the Post-audit IMS evolution block at the foot of this report for details of changes completed by 13/05/2026.

Executive Summary

This audit re-examined Emergency Preparedness one year on from IA202512. The 2025 audit was clean (0 NC, 0 OBS) and the 2025–26 cycle has materially strengthened emergency-preparedness evidence:

  • APP_17 BCP testing log backfilled — quarterly programme through to Q1 2026 closed with documented outcomes; Q2 2026 desktop (key-person absence — Site Supervisor, APP_17 §4 Scenario #3) scheduled 28/05/2026 (CAR-2026-005 from IA202604).
  • APP_17 cross-reference errors fixed — Section 10 references APP_16 and APP_17 correctly (was previously incorrectly referencing APP_20 and APP_21).
  • APP_16 Emergency Preparedness & Response Matrix at Rev 3 (1 June 2026).
  • APP_18 Emergency Equipment Log at Rev 3 (1 June 2026) with named-role labels (HSQE Manager → Site Supervisor (Jason May)).
  • SOP 8.15 Fire issued in HTML format with concrete thresholds (10 m hot-work radius, 60-min fire-watch, BS EN 3 extinguisher class table).
  • SOP 5.4 Emergency Preparedness rebuilt to HTML format.
  • POL_HSQE_30 IT Security incident pathway introduces UK GDPR 72-hour breach notification — a new emergency-preparedness commitment.
  • Environmental emergency drill schedule addressed via CAR-2026-008 from IA202607 (target close 30/09/2026).

No new observations. The Q2 2026 BCP desktop on 28/05/2026 is the next operational milestone; once held and documented, the entire emergency-preparedness picture is fully evidenced for the surveillance audit.

Year-on-year follow-up — IA202512 outcomes

2025 ref 2025 finding (summary) Status in 2026 audit
(none) IA202512 was clean — 0 NC, 0 OBS No 2025 follow-ups required.

Introduction

This audit examined Emergency Preparedness under clauses 8.2 (ISO 14001 environmental emergencies; ISO 45001 H&S emergency preparedness) one year on from IA202512. Particular focus on the BCP testing log, the new SOP 8.15 Fire, and the planned Q2 2026 key-person absence desktop (Site Supervisor scenario).

Aims & Objectives

  1. Verify APP_16 / APP_17 / APP_18 currency and consistency
  2. Confirm the BCP testing-log entries 2024–2026 are coherent and continuous
  3. Sample SOP 8.15 Fire hot-work permit threshold (10 m, 60-min) against operational reality
  4. Confirm the planned Q2 2026 BCP desktop on 28/05/2026 has scenario briefs and participants
  5. Verify cyber-incident pathway in POL_HSQE_30 integrates with APP_17

Audit Method

  • Document Review: APP_16 Emergency Preparedness & Response Matrix Issue 3 / 01/06/2026 — 12-scenario Response Matrix incl. ER-11 Cyber [NEW 2026] and ER-12 Extreme Weather [UPDATED 2026]; APP_17 Disaster Recovery & BCP Issue 4 / 13/05/2026 — KISS testing cadence + two-tier interlink with APP_16; APP_18 Emergency Equipment Log Issue 3; plus: SOP 5.4 Emergency Preparedness Rev 3 HTML, SOP 8.15 Fire Rev 3 HTML, APP_16 Emergency Preparedness & Response Matrix Rev 3, APP_17 DR-BCP Rev 3 (with backfilled testing log + Section 10 cross-ref fix), APP_18 Emergency Equipment Log Rev 3, POL_HSQE_30 IT Security (cyber-incident pathway), Fire Risk Assessment (March 2025 — held in 7 Workplace Safety folder).
  • Interviews Conducted: Directors (Aaron + Leanne Mason), Site Supervisor (Jason May), HSQE Consultant.
  • Observations: Spill kits in van packs; bunded fuel storage at yard; gas / electrical certs (in 9 Security folder); Fire Risk Assessment review; planned 28/05/2026 BCP desktop participant list and scenario briefs reviewed.
  • Sampling: APP_17 testing-log entries 2024–2026 (ten entries); 3 spill kits (one yard + two van packs); 5 BS EN 3 extinguisher classes against AMWS operational scenarios.

Non-conformities

No non-conformities identified.

Observations

No observations identified.

Conclusions

Emergency preparedness is in strong shape:

Areas Meeting Requirements (sustained from IA202512):

  • APP_16 / APP_17 / APP_18 continue to operate as canonical emergency-preparedness documents
  • SOP 5.4 continues to define the methodology (now in HTML format)
  • Spill kits / bunded fuel storage / extinguishers / first-aid kits continue to be in place and in date

New strengths since IA202512:

  • APP_17 BCP testing log backfilled — every quarter from 2024 to 2026 has a documented outcome; the Q2 2026 key-person absence desktop (Site Supervisor scenario) is scheduled (CAR-2026-005, target 31/05/2026).
  • SOP 8.15 Fire HTML rebuild — concrete thresholds (10 m hot-work radius, 60-min fire-watch, BS EN 3 extinguisher class A/B/C/D/F/electrical table) directly auditable.
  • APP_17 cross-reference errors fixed — Section 10 now correctly cross-refers to APP_16 and APP_17 (was APP_20 and APP_21 in error).
  • POL_HSQE_30 cyber-incident pathway — UK GDPR 72-hour breach notification window integrated with the AMWS incident workflow (SOP 8.1 → APP_21 → APP_17 BCP review).
  • Environmental emergency drill schedule — programmed via CAR-2026-008 (target 30/09/2026).

Position as at 13/05/2026: The findings above remain the formal record. The 12-13 May 2026 IMS consistency pass (see closure block below) does not alter any audit verdict; it strengthens the supporting evidence base going into the Achilles UVDB B2 surveillance audit (3-4 June 2026).

Recommendations

  1. Close CAR-2026-005 (Q2 2026 BCP desktop) on 28/05/2026 — last operational item ahead of the 3–4 June 2026 audit.
  2. Close CAR-2026-008 (environmental emergency drill) by 30/09/2026.
  3. Continue the quarterly BCP-testing programme; Q3 2026 will be the next desktop after the September MR.

Feedback & Acknowledgments

Full cooperation. The 2025–26 cycle has built the emergency-preparedness evidence base from a respectable 2025 position to a fully audit-ready 2026 picture.

Post-audit IMS evolution (12-13 May 2026)

The findings above stand as a point-in-time record at audit date. Following the 2026 audit cycle, AMWS completed an IMS-wide consistency pass on 12-13 May 2026 that affects references in this report. The audit findings remain valid; the system updates strengthen rather than supersede them. Material changes the auditor should be aware of:

Appendix-level changes

  • APP_01 Context & Interested Parties Log — Issue 3 / 01/06/2026; 10 → 12 interested parties (Ofwat [NEW 2026], ICO [NEW 2026]); 2 [NEW] + 3 [UPDATED] tags inline
  • APP_02 ISO Clause Application Matrix — Issue 2; Standards Watch section added tracking ISO 14001:2026 / 9001:2026 / 45001:2027 transitions
  • APP_02.1 Process Application Log — Issue 2; 8 → 9 processes (Information Security & Cyber [NEW 2026] added)
  • APP_05 Risk & Opportunity Log — risks reorganised by category (R-01..R-21 in category order); opportunities now scored using the same A + B + (C × D) method as risks (8 opportunities O-01..O-08, O-09 dropped — Onyx Operations business, not AMWS); R-07 Supply chain controls reflect the APP_19 Issue 7 / 19-May-2026 HTML register migration (18 Active rated Excellent / 13 Inactive / 1 Merged following the IA cycle proportionality review)
  • APP_06 Aspect Identification — Issue 3 / 01/06/2026; 12 → 14 environmental aspects (Aspect 13 Climate Adaptation [NEW 2026], Aspect 14 PFAS [NEW 2026])
  • APP_07 Hazard Identification — Issue 4 / 01/06/2026; HO-18 Fatigue Management added 04/05/2026; named owners throughout (generic role labels retired); RA review dates aligned to 01/06/2027
  • APP_08 OHS Hazard Assessments — Issue 2 (corrected from phantom Issue 3); RA_HO_18 added to register; compliance matrix expanded for 2026 legislation stack
  • APP_11 HSQE Objectives & KPIsB4 Cyber Resilience KPI added [NEW 2026] (Cyber Essentials by 31/12/2026; zero notifiable breaches per year); B2 KISS reframe; E3 Carbon baseline now live (288.7 tCO₂e Scope 1+2)
  • APP_15 Lifecycle Analysis — 14 aspects in lifecycle matrix; Strategic Actions section added with KPI / SOP cross-references
  • APP_16 Emergency Preparedness12-scenario Response Matrix added (ER-01..ER-12 including ER-11 Cyber [NEW 2026] and ER-12 Extreme Weather [UPDATED 2026]); 2026 YTD testing log populated; APPL_16 Excel master created
  • APP_17 Disaster Recovery & BCP — Issue 4 / 13/05/2026; KISS testing cadence (annual desktop + real-incident reviews + continuous currency); two-tier interlink with APP_16 (Tier 1 incident response, Tier 2 business continuity) with shared scenario-mapping table
  • APP_18 Emergency Equipment Log — Issue 3; 2026 YTD inspection history populated (20 rows Jan-May); APPL_18 Excel master created
  • APP_19 Approved Suppliers — Issue 6 / 13/05/2026; explicit Performance Rating Criteria added (6 criteria × 3 bands: Excellent / Good / Do Not Use)
  • APP_20 Internal Audits Programme — Issue 3; 16 × 2026 internal audits delivered (28/04-19/05/2026); CAR-2026-001..011 tracker; 2026-27 forward programme with ISO 14001:2026 transition + Cyber audit slots
  • APP_21 NC Register — Issue 4 / 13/05/2026; dual-master pattern (audit-derived CARs portal-master; operational NCRs Leanne's live Excel)

Risk Assessments

  • All 18 RAs (RA_HO_01..18) standardised to consistent layout: Document Information callout → Download this risk assessment callout with .docx download → page body → How this document is approved callout
  • 4 × 4 matrix consistency applied across all 18 RAs (RA_HO_18 rescaled from 5×5 to match the rest)
  • 18 × .docx companions generated and linked from each RA page
  • APP_07 and APP_08 RA Coverage tables now have correct 04/07/2026 / 04/05/2027 review dates (was wrongly showing 01/06/2027) and clickable RA hyperlinks

Policies and procedures

  • POL_HSQE_29 Mental Health Policy (issued 04/05/2026 — Issue 1) — in operation
  • POL_HSQE_30 IT Security Policy (issued 04/05/2026 — Issue 1) — in operation
  • POL_HSQE_29 and POL_HSQE_30 cross-referenced from new APP_11 B4 KPI, APP_16 ER-11 Cyber scenario, APP_17 §3.1 Technology Disruption

Carbon Baseline 2025

  • Published 12/05/2026: 288.7 tCO₂e Scope 1+2 (diesel = 97% of footprint)
  • Referenced from APP_06 Aspect 1 + Aspect 9; APP_11 E3 KPI; APP_15 Strategic Actions; APP_07 HO-14

Excel companion consistency

  • APPL_16 and APPL_18 masters created in IMS Excel Conversions/ (previously absent — docs/appendices copies were stale "Table 1, 2, 3" generic-sheet versions)
  • All previously-stale docs Excel copies resynced from masters
  • Cross-reference fixes in APPL_02, APPL_03, APPL_04, APPL_06, APPL_15 to reflect APP_05 R-XX renumbering

Pattern consistency

  • All 23 appendices now follow a consistent template: Document Information callout → "Download the register" callout (single companion file) → page body → audit trail mirroring Excel cover → "How this document is approved" callout
  • 22 orphan .docx files removed from assets/local-docs/appendices/
  • Wide-mode tip dropped from callouts (FABs visible site-wide)

Looking ahead

  • e-forms proposal under development as the next IMS digitalisation workstream (will impact 7.5 documented information evidence and 9.1 monitoring streams)
  • AMWS H&S Culture Survey (Onyx Operations) — Q3 2026 post-audit rollout; replaces the short-lived Director Site-Tour Programme; HSG65-aligned workforce-wide cultural-sentiment readout. Aaron Mason's hands-on operational site presence continues as a feature of running the business (not a measurable KPI)
  • ISO 14001:2026 transition plan to be drafted Q3 2026; recertification cycle Nov 2027
  • 28/05/2026 BCP desktop exercise scheduled (key-person absence — Site Supervisor unavailable for 5+ working days, APP_17 §4 Scenario #3; P1 gap-closure ahead of Achilles UVDB B2 audit 3-4 June 2026)

The 16 × 2026 internal audit reports were drafted across 28/04-19/05/2026 with knowledge of the substantive 2025-26 IMS rebuild. The 12-13 May consistency pass captured above completes that rebuild; the audit findings continue to apply.

Audit Report Prepared By

Name Position Signature Date
Sean Ashton HSQE Consultant S. Ashton 19/05/2026
Aaron Mason Director A. Mason 19/05/2026

Corrective Action Close Out

Status as of 13/05/2026: No CAR raised directly by this audit. Emergency preparedness evidence strengthened through this session's APP_16 (12-scenario Response Matrix) + APP_17 (KISS testing cadence with two-tier interlink to APP_16) work. The 28/05/2026 BCP desktop exercise (linked CAR-2026-005 from IA202604) will provide the next concrete evidence point.