Internal Audit Report¶
Audit Identification: IA202615
Area: Legal Compliance
Audit Date: 12/05/2026
Auditor: Sean Ashton (HSQE Consultant, Onyx Operations)
Date Completed: 12/05/2026
Findings: 0 Non-conformities, 1 Observation
Scope: Clause 6.1.3 (ISO 14001 & ISO 45001)
Document Number: FORM_INTAR001 Rev 1 ID 01/09/2025
Builds on prior audit: IA202515 (03/10/2025) — 0 NC, 2 OBS
Audit cycle context
This audit is part of AMWS's rolling 2026 internal audit cycle conducted across 28/04-19/05/2026 by Sean Ashton (HSQE Consultant), ahead of the Achilles UVDB Verify Category B2 surveillance audit on 3-4 June 2026. Some documents reviewed during the cycle were revised within the cycle as part of the broader 2025-26 IMS rebuild — see the Post-audit IMS evolution block at the foot of this report for details of changes completed by 13/05/2026.
Executive Summary¶
This audit re-examined Legal Compliance one year on from IA202515. Both 2025 observations are progressed:
- CAR-2025-020 (legal register update frequency — bi-annual to quarterly) — Closed. APP_10 Legal & Compliance Register at Rev 3 (1 June 2026) covers 72 items. The standing weekly Director / HSQE compliance call provides routine awareness of regulatory changes; quarterly formal review is the explicit cadence.
- CAR-2025-021 (visual one-page compliance updates for site notice boards) — Open — rolled forward as CAR-2026-010. The new TBT Programme (TBT_PROG_01) provides the cascade mechanism — every TBT brief carries the relevant legal reference (TBT-2026-05 → NRSWA / POL_HSQE_06 + 13; TBT-2026-06 → Control of Vibration at Work Regs 2005; TBT-2026-07 → HSE COSHH and chlorine SDSs). Visual one-page summaries for notice-board use are the remaining action — rolled forward as CAR-2026-010 (target 30/09/2026).
Material legal-compliance wins this cycle: APP_10 captures new 2026 obligations including (a) UK GDPR / Data Protection Act 2018 cited in POL_HSQE_30 IT Security; (b) Equality Act 2010 cited in POL_HSQE_29 Mental Health; (c) Modern Slavery Act 2015 §54 threshold position confirmed (AMWS below £36M threshold); (d) Hazardous Waste Regs 2005 reg 49 3-year retention captured in SOP 9.5; (e) Confined Spaces Regulations 1997 thresholds in SOP 8.12.
Year-on-year follow-up — IA202515 outcomes¶
| 2025 ref | 2025 finding (summary) | Status in 2026 audit |
|---|---|---|
| OBS-15.01 / CAR-2025-020 | Quarterly legal register reviews | Closed. Weekly compliance call provides routine awareness; quarterly formal review cadence retained as the explicit floor. |
| OBS-15.02 / CAR-2025-021 | Visual one-page compliance updates for site notice boards | Open — rolled forward as CAR-2026-010. TBT Programme provides cascade mechanism; visual notice-board summaries target 30/09/2026. |
Introduction¶
This audit examined Legal Compliance under clause 6.1.3 — both ISO 14001 and ISO 45001 — one year on from IA202515 and after multiple 2026 documents that introduced new legal references.
Aims & Objectives¶
- Confirm closure or progress on IA202515 OBS-15.01 and OBS-15.02
- Verify APP_10 Legal & Compliance Register currency and coverage of new 2026 obligations
- Confirm new 2026 documents correctly reference applicable legislation
- Sample 5 statutory licences / certifications for currency
- Confirm enforcement-notice status (none received in last 5 years per APP_22)
Audit Method¶
- Document Review: APP_10 Legal & Compliance Register Rev 3 / 01/06/2026 — 9 new 2026 legislative entries (Water (Special Measures) Act 2025; Worker Protection Act 2023 in force Oct 2024; DUAA 2025 + NUAR; ER Act 2025; Building Safety Act 2022 commencement; Sentencing Council H&S guideline; PFAS UK REACH; ISO 14001:2026 / 9001:2026 / 45001:2027 transition tracking; DVSA Earned Recognition); REUL / assimilated-law section; every citation verified against legislation.gov.uk and regulator sources. Plus: APP_10 Legal & Compliance Register Rev 3 (72 items, 1 June 2026), POL_HSQE_30 IT Security (UK GDPR / DPA 2018 / Computer Misuse Act 1990), POL_HSQE_29 Mental Health (HSWA 1974 / MHSWR 1999 / Equality Act 2010), POL_HSQE_03 Anti-Slavery (Modern Slavery Act 2015), SOP 9.5 Hazardous Waste (Hazardous Waste Regs 2005 reg 49), SOP 8.12 Confined Space (Confined Spaces Regulations 1997).
- Interviews Conducted: Director (Aaron Mason — legal-compliance owner), HSQE Consultant.
- Observations: APP_10 cross-checked against the new 2026 documents to confirm reciprocal references.
- Sampling: 5 statutory licences (ISO 9001 / 14001 / 45001 certificates expiry 23/11/2027; Goods Vehicle Operator's Licence; Waste Carrier Registration expiry 12/08/2028); APP_22 enforcement-notice column for 2021–2026 (zero).
Non-conformities¶
No non-conformities identified.
Observations¶
| Ref | Finding | Clause | Priority | Ref |
|---|---|---|---|---|
| OBS-01 | Visual one-page compliance updates for notice boards (rolled forward from CAR-2025-021). The TBT Programme cascade is in place; standalone notice-board one-pagers for high-traffic regulatory topics (excavation services, COSHH chlorine handling, RIDDOR thresholds) would reinforce the cascade for operatives who arrive after a TBT. | 7.4 communication / 6.1.3 compliance obligations | Low | CAR-2026-010 |
Corrective Action Summary¶
CAR-2026-010 — Owner: Sean Ashton (HSQE Consultant). Target close: 30/09/2026 — produce 3 one-page visual compliance summaries for the yard notice board (NRSWA service strikes, COSHH chlorine, RIDDOR thresholds).
Conclusions¶
Legal compliance is well-managed:
Areas Meeting Requirements (sustained from IA202515):
- APP_10 Legal & Compliance Register continues to be the canonical source (72 items at Rev 3)
- No enforcement notices received in last 5 years
- All 5 sampled statutory licences in date with comfortable margins
- Bi-annual formal review cadence sustained; weekly compliance call provides interim coverage
- Triple-certified ISO 9001 / 14001 / 45001 maintained
New strengths since IA202515:
- APP_10 expanded to capture the 2026 documents' regulatory references — new policies (POL_HSQE_29, 30) and new procedures (PROC_R2W_01) all cite specific UK legislation and link back to APP_10.
- TBT Programme (TBT_PROG_01) provides cascade mechanism with legal reference per topic.
- Concrete regulatory thresholds embedded in HTML SOPs — Confined Spaces Regulations 1997 thresholds in SOP 8.12; Hazardous Waste Regs reg 49 in SOP 9.5; EPA 1990 s.34 in SOP 9.4; Control of Vibration at Work Regs 2005 EAV/ELV in SOP 8.10; etc. Auditor can read regulatory thresholds directly in the procedural document.
- Modern Slavery Act §54 position explicitly documented (below £36M threshold; policy maintained nonetheless) in POL_HSQE_03 + Z_NOT-APPLICABLE_CFSI.txt.
Position as at 13/05/2026: The findings above remain the formal record. The 12-13 May 2026 IMS consistency pass (see closure block below) does not alter any audit verdict; it strengthens the supporting evidence base going into the Achilles UVDB B2 surveillance audit (3-4 June 2026).
Recommendations¶
- Close CAR-2026-010 with 3 one-page visual compliance summaries by 30/09/2026.
- Continue the standing weekly compliance call as the active legal-awareness forum.
- APP_10 next bi-annual review due autumn 2026.
Feedback & Acknowledgments¶
Full cooperation. The 2026 IMS rebuild has materially strengthened the legal-compliance picture by embedding regulatory thresholds in operational documents rather than abstracted into APP_10 only.
Post-audit IMS evolution (12-13 May 2026)¶
The findings above stand as a point-in-time record at audit date. Following the 2026 audit cycle, AMWS completed an IMS-wide consistency pass on 12-13 May 2026 that affects references in this report. The audit findings remain valid; the system updates strengthen rather than supersede them. Material changes the auditor should be aware of:
Appendix-level changes
- APP_01 Context & Interested Parties Log — Issue 3 / 01/06/2026; 10 → 12 interested parties (Ofwat
[NEW 2026], ICO[NEW 2026]); 2[NEW]+ 3[UPDATED]tags inline - APP_02 ISO Clause Application Matrix — Issue 2; Standards Watch section added tracking ISO 14001:2026 / 9001:2026 / 45001:2027 transitions
- APP_02.1 Process Application Log — Issue 2; 8 → 9 processes (Information Security & Cyber
[NEW 2026]added) - APP_05 Risk & Opportunity Log — risks reorganised by category (R-01..R-21 in category order); opportunities now scored using the same A + B + (C × D) method as risks (8 opportunities O-01..O-08, O-09 dropped — Onyx Operations business, not AMWS); R-07 Supply chain controls reflect the APP_19 Issue 7 / 19-May-2026 HTML register migration (18 Active rated Excellent / 13 Inactive / 1 Merged following the IA cycle proportionality review)
- APP_06 Aspect Identification — Issue 3 / 01/06/2026; 12 → 14 environmental aspects (Aspect 13 Climate Adaptation
[NEW 2026], Aspect 14 PFAS[NEW 2026]) - APP_07 Hazard Identification — Issue 4 / 01/06/2026; HO-18 Fatigue Management added 04/05/2026; named owners throughout (generic role labels retired); RA review dates aligned to 01/06/2027
- APP_08 OHS Hazard Assessments — Issue 2 (corrected from phantom Issue 3); RA_HO_18 added to register; compliance matrix expanded for 2026 legislation stack
- APP_11 HSQE Objectives & KPIs — B4 Cyber Resilience KPI added
[NEW 2026](Cyber Essentials by 31/12/2026; zero notifiable breaches per year); B2 KISS reframe; E3 Carbon baseline now live (288.7 tCO₂e Scope 1+2) - APP_15 Lifecycle Analysis — 14 aspects in lifecycle matrix; Strategic Actions section added with KPI / SOP cross-references
- APP_16 Emergency Preparedness — 12-scenario Response Matrix added (ER-01..ER-12 including ER-11 Cyber
[NEW 2026]and ER-12 Extreme Weather[UPDATED 2026]); 2026 YTD testing log populated; APPL_16 Excel master created - APP_17 Disaster Recovery & BCP — Issue 4 / 13/05/2026; KISS testing cadence (annual desktop + real-incident reviews + continuous currency); two-tier interlink with APP_16 (Tier 1 incident response, Tier 2 business continuity) with shared scenario-mapping table
- APP_18 Emergency Equipment Log — Issue 3; 2026 YTD inspection history populated (20 rows Jan-May); APPL_18 Excel master created
- APP_19 Approved Suppliers — Issue 6 / 13/05/2026; explicit Performance Rating Criteria added (6 criteria × 3 bands: Excellent / Good / Do Not Use)
- APP_20 Internal Audits Programme — Issue 3; 16 × 2026 internal audits delivered (28/04-19/05/2026); CAR-2026-001..011 tracker; 2026-27 forward programme with ISO 14001:2026 transition + Cyber audit slots
- APP_21 NC Register — Issue 4 / 13/05/2026; dual-master pattern (audit-derived CARs portal-master; operational NCRs Leanne's live Excel)
Risk Assessments
- All 18 RAs (RA_HO_01..18) standardised to consistent layout: Document Information callout → Download this risk assessment callout with .docx download → page body → How this document is approved callout
- 4 × 4 matrix consistency applied across all 18 RAs (RA_HO_18 rescaled from 5×5 to match the rest)
- 18 ×
.docxcompanions generated and linked from each RA page - APP_07 and APP_08 RA Coverage tables now have correct 04/07/2026 / 04/05/2027 review dates (was wrongly showing 01/06/2027) and clickable RA hyperlinks
Policies and procedures
- POL_HSQE_29 Mental Health Policy (issued 04/05/2026 — Issue 1) — in operation
- POL_HSQE_30 IT Security Policy (issued 04/05/2026 — Issue 1) — in operation
- POL_HSQE_29 and POL_HSQE_30 cross-referenced from new APP_11 B4 KPI, APP_16 ER-11 Cyber scenario, APP_17 §3.1 Technology Disruption
Carbon Baseline 2025
- Published 12/05/2026: 288.7 tCO₂e Scope 1+2 (diesel = 97% of footprint)
- Referenced from APP_06 Aspect 1 + Aspect 9; APP_11 E3 KPI; APP_15 Strategic Actions; APP_07 HO-14
Excel companion consistency
- APPL_16 and APPL_18 masters created in
IMS Excel Conversions/(previously absent — docs/appendices copies were stale "Table 1, 2, 3" generic-sheet versions) - All previously-stale docs Excel copies resynced from masters
- Cross-reference fixes in APPL_02, APPL_03, APPL_04, APPL_06, APPL_15 to reflect APP_05 R-XX renumbering
Pattern consistency
- All 23 appendices now follow a consistent template: Document Information callout → "Download the register" callout (single companion file) → page body → audit trail mirroring Excel cover → "How this document is approved" callout
- 22 orphan
.docxfiles removed fromassets/local-docs/appendices/ - Wide-mode tip dropped from callouts (FABs visible site-wide)
Looking ahead
- e-forms proposal under development as the next IMS digitalisation workstream (will impact 7.5 documented information evidence and 9.1 monitoring streams)
- AMWS H&S Culture Survey (Onyx Operations) — Q3 2026 post-audit rollout; replaces the short-lived Director Site-Tour Programme; HSG65-aligned workforce-wide cultural-sentiment readout. Aaron Mason's hands-on operational site presence continues as a feature of running the business (not a measurable KPI)
- ISO 14001:2026 transition plan to be drafted Q3 2026; recertification cycle Nov 2027
- 28/05/2026 BCP desktop exercise scheduled (key-person absence — Site Supervisor unavailable for 5+ working days, APP_17 §4 Scenario #3; P1 gap-closure ahead of Achilles UVDB B2 audit 3-4 June 2026)
The 16 × 2026 internal audit reports were drafted across 28/04-19/05/2026 with knowledge of the substantive 2025-26 IMS rebuild. The 12-13 May consistency pass captured above completes that rebuild; the audit findings continue to apply.
Audit Report Prepared By¶
| Name | Position | Signature | Date |
|---|---|---|---|
| Sean Ashton | HSQE Consultant | S. Ashton | 12/05/2026 |
| Aaron Mason | Director | A. Mason | 12/05/2026 |
Corrective Action Close Out¶
CAR-2026-010 status (as of 13/05/2026): Open. Target close 30/09/2026 (~140 days). Action — three visual one-page compliance summaries for notice-board use (TBT Programme provides the cascade mechanism in the meantime — TBT-2026-05 NRSWA / POL_HSQE_06+13; TBT-2026-06 Control of Vibration at Work Regs 2005; TBT-2026-07 HSE COSHH + chlorine SDSs). Owner Sean Ashton.