An auditor asking for a record is rarely the real problem. The problem is losing time searching through email folders, site files and paper binders while trying to establish which version is current. Knowing how to prepare audit records means building a system that shows what your business does, when it did it and how issues were followed up.
For small and medium-sized businesses, the aim is not to produce a mountain of paperwork. It is to keep clear, relevant evidence that reflects day-to-day operations and can be retrieved without disruption.
Start with the scope of the audit
Before gathering documents, establish what is being audited. A health and safety audit may cover risk assessments, training, inspections, accident records, maintenance and corrective actions. A client, certification body, insurer or internal manager may have a narrower focus.
Ask for the audit scope, period under review and any document request list in advance. This prevents the common mistake of supplying every record you hold, including old or irrelevant files that create questions rather than answer them.
It also helps to distinguish between an audit and an inspection. An inspection records what was observed at a particular time, such as a workplace check or equipment examination. An audit looks at whether your overall arrangements are in place, followed and effective. Both create useful evidence, but they should not be treated as the same thing.
Build an audit record checklist around your actual work
Your records should follow the way your business operates. A construction contractor will usually need site-specific RAMS, inductions, plant checks and subcontractor records. An office-based business may place greater emphasis on display screen equipment assessments, fire arrangements, training and facilities checks.
A practical checklist normally includes the following categories:
- Health and safety policy, responsibilities and arrangements
- Risk assessments, method statements and safe systems of work
- Training, competence, inductions and refresher records
- Workplace inspections, equipment checks and maintenance certificates
- Accident, incident and near-miss reports, including investigations
- Emergency arrangements, fire safety records and drill reports
- Contractor, visitor and supplier safety information where relevant
- Corrective action records showing how identified issues were closed out
Not every category will apply to every business. Keep the checklist proportionate to your risks and the scope of the audit. What matters is that you can explain why a record is relevant, who owns it and where the current version is held.
How to prepare audit records that provide evidence
A document is not automatically good audit evidence because it has been completed. Auditors will generally look for records that are current, specific, dated and capable of being traced back to the activity they support.
For example, a generic risk assessment with no review date, no location and no named responsible person offers limited assurance. A suitable assessment should identify the work or area covered, the hazards, the controls in place, the person responsible and when it was reviewed. If the assessment says staff require training or checks, the associated training and inspection records should support that statement.
This connection between documents is where many systems fall short. A policy may say that monthly inspections are completed, but there is no inspection register. A training matrix may show a qualification is required, but certificates have expired. A near miss may be recorded, but no action shows what changed afterwards.
Review your records as a chain of evidence. For each important control, ask three straightforward questions: what was required, what was done, and where is the proof? If there is a gap, address it honestly rather than backdating paperwork. A current record that identifies an overdue action and gives it an owner is more credible than a file that appears complete but does not reflect reality.
Use a clear filing and naming structure
A consistent folder structure makes audit preparation much quicker. Whether you use a shared drive, cloud storage or a controlled paper filing system, arrange records by function and then by year, site, project or department where appropriate.
For example, a health and safety folder might contain separate sections for policies, risk assessments, training, inspections, incidents and corrective actions. Within each section, use file names that state what the document is, where it applies and its date or revision. A file called `RA-Warehouse-Manual-Handling-Rev03-2026-04` is far easier to control than `risk assessment final new`.
Avoid keeping several editable copies in different locations. Nominate one master location and make it clear who can amend documents. Where staff need access on site, provide a controlled copy or read-only version. This reduces the risk of a team using an old method statement after work practices have changed.
Paper records can still be suitable where they are practical for the task, particularly for site checks and signatures. Scan completed forms promptly if possible, and file them against the relevant location or activity. The important point is retrieval and control, not whether every record is digital.
Check dates, versions and signatures
A short pre-audit review should focus on the details that are easy to overlook. Check that documents have dates, review dates where applicable, revision numbers and the name of the person who completed or approved them. Make sure records requiring signatures or attendance confirmation have been signed.
Do not assume annual review is the answer for every document. Review frequency depends on the level of risk, legal requirements, client expectations and changes in your operation. A risk assessment may need immediate review after an incident, a new process, different equipment or a material change to the workforce. A policy may have a planned annual review, while a daily equipment check is only useful if it is completed daily.
Training records deserve the same attention. Record the person trained, course or subject, date, provider or competent trainer, and any expiry or refresher date. If an employee has been briefed on a revised procedure, retain evidence of that briefing rather than relying on the revised document alone.
Keep corrective actions visible until they are closed
An audit is likely to identify improvements. That is not a failure if your business records, assigns and completes the actions properly. The weak point is allowing issues to disappear into meeting notes or email threads.
Use a corrective action register with a clear description of the issue, date raised, source, responsible person, target date, action taken and closure evidence. Closure should be more than a tick. It may be a photograph, replacement certificate, updated assessment, purchase record, training attendance sheet or follow-up inspection.
This register is particularly useful because it demonstrates management involvement. It shows that inspections, incidents and employee feedback lead to practical decisions rather than being filed and forgotten.
Protect personal information while keeping records accessible
Some audit records contain personal data, including accident reports, medical information, disciplinary material and training details. Access should be limited to people who need it for a legitimate business purpose. Keep sensitive files separate from general safety folders and avoid sharing full records where a redacted copy will meet the audit request.
Retention periods vary by record type, the nature of the work and any contractual or insurer requirements. Set a simple retention schedule so records are not destroyed too early or retained indefinitely without reason. Where there is uncertainty, seek appropriate professional advice before disposal, especially after a serious incident or claim.
Prepare an audit pack, not a document dump
In the days before an audit, create a simple index showing the requested records and where each one can be found. Put the current core documents first, then supporting registers and evidence. If the audit is remote, check file permissions and make sure documents open correctly. If it is on site, arrange a quiet space and ensure the person who understands the records is available.
Brief relevant managers and supervisors on the audit scope. They do not need a rehearsed script, but they should understand their responsibilities and know where to find the procedures they use. Consistent practice on site carries more weight than a polished folder alone.
Professionally designed editable forms can save significant administration time, provided they are tailored to your business and kept under review. ACI Safety templates are designed to give businesses a practical starting point for records such as risk assessments, RAMS, registers and toolbox talks, without starting each document from a blank page.
The best time to prepare audit records is just after the work is done, the inspection is completed or the briefing has taken place. Make that routine part of the job, and an upcoming audit becomes a check of an organised system rather than a last-minute paperwork exercise.



