Skip to content

Internal Audit Report

Audit Identification: IA202615
Area: Legal Compliance
Audit Date: 12/05/2026
Auditor: Sean Ashton (HSQE Consultant, Onyx Operations)
Date Completed: 12/05/2026
Findings: 0 Non-conformities, 1 Observation
Scope: Clause 6.1.3 (ISO 14001 & ISO 45001)
Document Number: FORM_INTAR001 Rev 1 ID 01/09/2025
Builds on prior audit: IA202515 (03/10/2025) — 0 NC, 2 OBS

Audit cycle context

This audit is part of AMWS's rolling 2026 internal audit cycle conducted across 28/04-19/05/2026 by Sean Ashton (HSQE Consultant), ahead of the Achilles UVDB Verify Category B2 surveillance audit on 3-4 June 2026. Some documents reviewed during the cycle were revised within the cycle as part of the broader 2025-26 IMS rebuild — see the Post-audit IMS evolution block at the foot of this report for details of changes completed by 13/05/2026.

Executive Summary

This audit re-examined Legal Compliance one year on from IA202515. Both 2025 observations are progressed:

  • CAR-2025-020 (legal register update frequency — bi-annual to quarterly) — Closed. APP_10 Legal & Compliance Register at Rev 3 (1 June 2026) covers 72 items. The standing weekly Director / HSQE compliance call provides routine awareness of regulatory changes; quarterly formal review is the explicit cadence.
  • CAR-2025-021 (visual one-page compliance updates for site notice boards) — Open — rolled forward as CAR-2026-010. The new TBT Programme (TBT_PROG_01) provides the cascade mechanism — every TBT brief carries the relevant legal reference (TBT-2026-05 → NRSWA / POL_HSQE_06 + 13; TBT-2026-06 → Control of Vibration at Work Regs 2005; TBT-2026-07 → HSE COSHH and chlorine SDSs). Visual one-page summaries for notice-board use are the remaining action — rolled forward as CAR-2026-010 (target 30/09/2026).

Material legal-compliance wins this cycle: APP_10 captures new 2026 obligations including (a) UK GDPR / Data Protection Act 2018 cited in POL_HSQE_30 IT Security; (b) Equality Act 2010 cited in POL_HSQE_29 Mental Health; (c) Modern Slavery Act 2015 §54 threshold position confirmed (AMWS below £36M threshold); (d) Hazardous Waste Regs 2005 reg 49 3-year retention captured in SOP 9.5; (e) Confined Spaces Regulations 1997 thresholds in SOP 8.12.

Year-on-year follow-up — IA202515 outcomes

2025 ref 2025 finding (summary) Status in 2026 audit
OBS-15.01 / CAR-2025-020 Quarterly legal register reviews Closed. Weekly compliance call provides routine awareness; quarterly formal review cadence retained as the explicit floor.
OBS-15.02 / CAR-2025-021 Visual one-page compliance updates for site notice boards Open — rolled forward as CAR-2026-010. TBT Programme provides cascade mechanism; visual notice-board summaries target 30/09/2026.

Introduction

This audit examined Legal Compliance under clause 6.1.3 — both ISO 14001 and ISO 45001 — one year on from IA202515 and after multiple 2026 documents that introduced new legal references.

Aims & Objectives

  1. Confirm closure or progress on IA202515 OBS-15.01 and OBS-15.02
  2. Verify APP_10 Legal & Compliance Register currency and coverage of new 2026 obligations
  3. Confirm new 2026 documents correctly reference applicable legislation
  4. Sample 5 statutory licences / certifications for currency
  5. Confirm enforcement-notice status (none received in last 5 years per APP_22)

Audit Method

  • Document Review: APP_10 Legal & Compliance Register Rev 3 / 01/06/2026 — 9 new 2026 legislative entries (Water (Special Measures) Act 2025; Worker Protection Act 2023 in force Oct 2024; DUAA 2025 + NUAR; ER Act 2025; Building Safety Act 2022 commencement; Sentencing Council H&S guideline; PFAS UK REACH; ISO 14001:2026 / 9001:2026 / 45001:2027 transition tracking; DVSA Earned Recognition); REUL / assimilated-law section; every citation verified against legislation.gov.uk and regulator sources. Plus: APP_10 Legal & Compliance Register Rev 3 (72 items, 1 June 2026), POL_HSQE_30 IT Security (UK GDPR / DPA 2018 / Computer Misuse Act 1990), POL_HSQE_29 Mental Health (HSWA 1974 / MHSWR 1999 / Equality Act 2010), POL_HSQE_03 Anti-Slavery (Modern Slavery Act 2015), SOP 9.5 Hazardous Waste (Hazardous Waste Regs 2005 reg 49), SOP 8.12 Confined Space (Confined Spaces Regulations 1997).
  • Interviews Conducted: Director (Aaron Mason — legal-compliance owner), HSQE Consultant.
  • Observations: APP_10 cross-checked against the new 2026 documents to confirm reciprocal references.
  • Sampling: 5 statutory licences (ISO 9001 / 14001 / 45001 certificates expiry 23/11/2027; Goods Vehicle Operator's Licence; Waste Carrier Registration expiry 12/08/2028); APP_22 enforcement-notice column for 2021–2026 (zero).

Non-conformities

No non-conformities identified.

Observations

Ref Finding Clause Priority Ref
OBS-01 Visual one-page compliance updates for notice boards (rolled forward from CAR-2025-021). The TBT Programme cascade is in place; standalone notice-board one-pagers for high-traffic regulatory topics (excavation services, COSHH chlorine handling, RIDDOR thresholds) would reinforce the cascade for operatives who arrive after a TBT. 7.4 communication / 6.1.3 compliance obligations Low CAR-2026-010

Corrective Action Summary

CAR-2026-010 — Owner: Sean Ashton (HSQE Consultant). Target close: 30/09/2026 — produce 3 one-page visual compliance summaries for the yard notice board (NRSWA service strikes, COSHH chlorine, RIDDOR thresholds).

Conclusions

Legal compliance is well-managed:

Areas Meeting Requirements (sustained from IA202515):

  • APP_10 Legal & Compliance Register continues to be the canonical source (72 items at Rev 3)
  • No enforcement notices received in last 5 years
  • All 5 sampled statutory licences in date with comfortable margins
  • Bi-annual formal review cadence sustained; weekly compliance call provides interim coverage
  • Triple-certified ISO 9001 / 14001 / 45001 maintained

New strengths since IA202515:

  • APP_10 expanded to capture the 2026 documents' regulatory references — new policies (POL_HSQE_29, 30) and new procedures (PROC_R2W_01) all cite specific UK legislation and link back to APP_10.
  • TBT Programme (TBT_PROG_01) provides cascade mechanism with legal reference per topic.
  • Concrete regulatory thresholds embedded in HTML SOPs — Confined Spaces Regulations 1997 thresholds in SOP 8.12; Hazardous Waste Regs reg 49 in SOP 9.5; EPA 1990 s.34 in SOP 9.4; Control of Vibration at Work Regs 2005 EAV/ELV in SOP 8.10; etc. Auditor can read regulatory thresholds directly in the procedural document.
  • Modern Slavery Act §54 position explicitly documented (below £36M threshold; policy maintained nonetheless) in POL_HSQE_03 + Z_NOT-APPLICABLE_CFSI.txt.

Position as at 13/05/2026: The findings above remain the formal record. The 12-13 May 2026 IMS consistency pass (see closure block below) does not alter any audit verdict; it strengthens the supporting evidence base going into the Achilles UVDB B2 surveillance audit (3-4 June 2026).

Recommendations

  1. Close CAR-2026-010 with 3 one-page visual compliance summaries by 30/09/2026.
  2. Continue the standing weekly compliance call as the active legal-awareness forum.
  3. APP_10 next bi-annual review due autumn 2026.

Feedback & Acknowledgments

Full cooperation. The 2026 IMS rebuild has materially strengthened the legal-compliance picture by embedding regulatory thresholds in operational documents rather than abstracted into APP_10 only.

Post-audit IMS evolution (12-13 May 2026)

The findings above stand as a point-in-time record at audit date. Following the 2026 audit cycle, AMWS completed an IMS-wide consistency pass on 12-13 May 2026 that affects references in this report. The audit findings remain valid; the system updates strengthen rather than supersede them. Material changes the auditor should be aware of:

Appendix-level changes

  • APP_01 Context & Interested Parties Log — Issue 3 / 01/06/2026; 10 → 12 interested parties (Ofwat [NEW 2026], ICO [NEW 2026]); 2 [NEW] + 3 [UPDATED] tags inline
  • APP_02 ISO Clause Application Matrix — Issue 2; Standards Watch section added tracking ISO 14001:2026 / 9001:2026 / 45001:2027 transitions
  • APP_02.1 Process Application Log — Issue 2; 8 → 9 processes (Information Security & Cyber [NEW 2026] added)
  • APP_05 Risk & Opportunity Log — risks reorganised by category (R-01..R-21 in category order); opportunities now scored using the same A + B + (C × D) method as risks (8 opportunities O-01..O-08, O-09 dropped — Onyx Operations business, not AMWS); R-07 Supply chain controls reflect the APP_19 Issue 7 / 19-May-2026 HTML register migration (18 Active rated Excellent / 13 Inactive / 1 Merged following the IA cycle proportionality review)
  • APP_06 Aspect Identification — Issue 3 / 01/06/2026; 12 → 14 environmental aspects (Aspect 13 Climate Adaptation [NEW 2026], Aspect 14 PFAS [NEW 2026])
  • APP_07 Hazard Identification — Issue 4 / 01/06/2026; HO-18 Fatigue Management added 04/05/2026; named owners throughout (generic role labels retired); RA review dates aligned to 01/06/2027
  • APP_08 OHS Hazard Assessments — Issue 2 (corrected from phantom Issue 3); RA_HO_18 added to register; compliance matrix expanded for 2026 legislation stack
  • APP_11 HSQE Objectives & KPIsB4 Cyber Resilience KPI added [NEW 2026] (Cyber Essentials by 31/12/2026; zero notifiable breaches per year); B2 KISS reframe; E3 Carbon baseline now live (288.7 tCO₂e Scope 1+2)
  • APP_15 Lifecycle Analysis — 14 aspects in lifecycle matrix; Strategic Actions section added with KPI / SOP cross-references
  • APP_16 Emergency Preparedness12-scenario Response Matrix added (ER-01..ER-12 including ER-11 Cyber [NEW 2026] and ER-12 Extreme Weather [UPDATED 2026]); 2026 YTD testing log populated; APPL_16 Excel master created
  • APP_17 Disaster Recovery & BCP — Issue 4 / 13/05/2026; KISS testing cadence (annual desktop + real-incident reviews + continuous currency); two-tier interlink with APP_16 (Tier 1 incident response, Tier 2 business continuity) with shared scenario-mapping table
  • APP_18 Emergency Equipment Log — Issue 3; 2026 YTD inspection history populated (20 rows Jan-May); APPL_18 Excel master created
  • APP_19 Approved Suppliers — Issue 6 / 13/05/2026; explicit Performance Rating Criteria added (6 criteria × 3 bands: Excellent / Good / Do Not Use)
  • APP_20 Internal Audits Programme — Issue 3; 16 × 2026 internal audits delivered (28/04-19/05/2026); CAR-2026-001..011 tracker; 2026-27 forward programme with ISO 14001:2026 transition + Cyber audit slots
  • APP_21 NC Register — Issue 4 / 13/05/2026; dual-master pattern (audit-derived CARs portal-master; operational NCRs Leanne's live Excel)

Risk Assessments

  • All 18 RAs (RA_HO_01..18) standardised to consistent layout: Document Information callout → Download this risk assessment callout with .docx download → page body → How this document is approved callout
  • 4 × 4 matrix consistency applied across all 18 RAs (RA_HO_18 rescaled from 5×5 to match the rest)
  • 18 × .docx companions generated and linked from each RA page
  • APP_07 and APP_08 RA Coverage tables now have correct 04/07/2026 / 04/05/2027 review dates (was wrongly showing 01/06/2027) and clickable RA hyperlinks

Policies and procedures

  • POL_HSQE_29 Mental Health Policy (issued 04/05/2026 — Issue 1) — in operation
  • POL_HSQE_30 IT Security Policy (issued 04/05/2026 — Issue 1) — in operation
  • POL_HSQE_29 and POL_HSQE_30 cross-referenced from new APP_11 B4 KPI, APP_16 ER-11 Cyber scenario, APP_17 §3.1 Technology Disruption

Carbon Baseline 2025

  • Published 12/05/2026: 288.7 tCO₂e Scope 1+2 (diesel = 97% of footprint)
  • Referenced from APP_06 Aspect 1 + Aspect 9; APP_11 E3 KPI; APP_15 Strategic Actions; APP_07 HO-14

Excel companion consistency

  • APPL_16 and APPL_18 masters created in IMS Excel Conversions/ (previously absent — docs/appendices copies were stale "Table 1, 2, 3" generic-sheet versions)
  • All previously-stale docs Excel copies resynced from masters
  • Cross-reference fixes in APPL_02, APPL_03, APPL_04, APPL_06, APPL_15 to reflect APP_05 R-XX renumbering

Pattern consistency

  • All 23 appendices now follow a consistent template: Document Information callout → "Download the register" callout (single companion file) → page body → audit trail mirroring Excel cover → "How this document is approved" callout
  • 22 orphan .docx files removed from assets/local-docs/appendices/
  • Wide-mode tip dropped from callouts (FABs visible site-wide)

Looking ahead

  • e-forms proposal under development as the next IMS digitalisation workstream (will impact 7.5 documented information evidence and 9.1 monitoring streams)
  • AMWS H&S Culture Survey (Onyx Operations) — Q3 2026 post-audit rollout; replaces the short-lived Director Site-Tour Programme; HSG65-aligned workforce-wide cultural-sentiment readout. Aaron Mason's hands-on operational site presence continues as a feature of running the business (not a measurable KPI)
  • ISO 14001:2026 transition plan to be drafted Q3 2026; recertification cycle Nov 2027
  • 28/05/2026 BCP desktop exercise scheduled (key-person absence — Site Supervisor unavailable for 5+ working days, APP_17 §4 Scenario #3; P1 gap-closure ahead of Achilles UVDB B2 audit 3-4 June 2026)

The 16 × 2026 internal audit reports were drafted across 28/04-19/05/2026 with knowledge of the substantive 2025-26 IMS rebuild. The 12-13 May consistency pass captured above completes that rebuild; the audit findings continue to apply.

Audit Report Prepared By

Name Position Signature Date
Sean Ashton HSQE Consultant S. Ashton 12/05/2026
Aaron Mason Director A. Mason 12/05/2026

Corrective Action Close Out

CAR-2026-010 status (as of 13/05/2026): Open. Target close 30/09/2026 (~140 days). Action — three visual one-page compliance summaries for notice-board use (TBT Programme provides the cascade mechanism in the meantime — TBT-2026-05 NRSWA / POL_HSQE_06+13; TBT-2026-06 Control of Vibration at Work Regs 2005; TBT-2026-07 HSE COSHH + chlorine SDSs). Owner Sean Ashton.