How to Audit Control of Work in 30 Days

A control-of-work system can contain permits, job safety analyses, isolation records, contractor approvals, and SIMOPS maps, yet still fail at the exact interface where two crews meet. This guide shows EHS managers how to audit that system in 30 days without turning the exercise into a paperwork inspection.

Why control of work fails even when permits exist

Control of work fails when the organization treats authorization as proof of control, because the real test happens where planning, supervision, isolation, and changing field conditions intersect.

On the Headline Podcast, Andreza Araujo and Dr. Megan Tranter often return to the same leadership problem: systems look disciplined in the conference room and become fragile at the workface. The issue is not whether a permit form exists. The issue is whether the permit changes the decision made by a supervisor at 6:10 a.m., when production pressure, contractor coordination, and incomplete isolation compete for attention.

ISO 45001:2018 clause 8.1.2 requires organizations to remove hazards and reduce occupational health and safety risks through operational controls. OSHA 29 CFR 1910.147 gives a more specific example for hazardous energy, because lockout and tagout only protect people when isolation is verified before the task starts. A control-of-work audit should connect those requirements to field evidence rather than counting signatures.

Step 1: Define the work that belongs inside control of work

Control of work should cover non-routine and high-risk activities whose failure mode can create serious injury, fatality, fire, release, or simultaneous-operations conflict.

The 30-day audit starts with scope because most weak programs audit every permit equally. That dilutes attention. A low-risk housekeeping authorization does not deserve the same scrutiny as line opening, confined-space entry, energized troubleshooting, hot work, lifting over live operations, excavation, or maintenance with stored energy. A useful scope names the work types where the wrong decision can defeat several barriers at once.

Build a one-page scope map with 8 work families: hot work, confined space, line break, lifting, excavation, electrical work, hazardous energy, and SIMOPS. If your operation has marine loading, rail switching, radiation, or work at height, add those as local families. Then compare that map with the published procedures and ask whether every family has a clear owner, trigger, approval level, and field verification requirement.

This is where the audit should link to related controls already in the blog network, such as hot work permit tests before ignition and lockout-tagout verification before maintenance. Those topics are separate procedures, although the control-of-work audit must test whether they meet in the same operating system.

Step 2: Build a sample that follows real risk, not document volume

A control-of-work audit sample should be selected by risk exposure, because permit volume alone hides the jobs most likely to create severe outcomes.

The common shortcut is to pull 20 recent permits and score completion. That is fast, but it rewards administrative neatness. A better sample includes current and recent work from each high-risk family, at least one contractor job, at least one task with shift handover, and at least one job that changed after authorization. This mix exposes the interfaces where control normally breaks.

For a 30-day review, use a minimum sample of 24 work packs: 12 completed jobs, 8 active field observations, and 4 jobs selected from near misses or supervisor escalations. The numbers matter less than the mix, although the mix should force the audit team to see planning, authorization, execution, and closeout rather than the document archive alone.

As co-host Andreza Araujo notes in her own work *Safety Culture: From Theory to Practice*, culture becomes visible through repeated decisions, not slogans. The work-pack sample therefore needs decision evidence: who stopped, who approved, who challenged, who verified, and who accepted the remaining risk.

Step 3: Test the permit as a decision record

The permit should record a decision that changed the work, because a permit that only repeats the procedure is evidence of administration, not control.

Open each sampled permit and look for three signs. The hazard list should match the actual job, the controls should be specific enough for a supervisor to verify, and the authorization should show what changed before work began. If every permit says the same thing, the system is producing language instead of decisions.

The strongest audit question is simple: what would have been different if this permit had been rejected at first review? If no one can answer, the permit has become a ritual. That is especially dangerous for tasks involving line breaks, confined spaces, and energy isolation, where the written approval can give crews confidence before the physical state of the equipment has been proven.

Use the same standard when you review related risk tools. A JSA before high-risk work should add task-level controls that the permit does not contain, while the permit should set the authorization boundaries that the JSA cannot decide by itself.

Step 4: Verify isolations in the field

Isolation verification is the point where control of work stops being a document and becomes physical protection.

OSHA 29 CFR 1910.147 requires control of hazardous energy during servicing and maintenance, and the audit should treat verification as a separate evidence point from lock application. The question is not whether a lock was placed. The question is whether the crew proved zero energy, controlled stored energy, and understood the boundary between their equipment and adjacent systems.

Walk down active jobs with the authorized employee, the supervisor, and, when contractors are involved, the contractor lead. Ask them to show the isolation points, the verification method, and the restart conditions. If the field explanation does not match the work pack, score the gap as a control failure even when the form is complete.

This step often reveals a quiet weakness: the person who signs the permit may not be the person who understands the isolation. In more than 250 cultural transformation projects, Andreza Araujo has observed that formal authority and practical knowledge drift apart when leaders reward speed more than verification.

Step 5: Audit SIMOPS before crews collide

Simultaneous operations need a visible coordination method, because each job can be safe in isolation while the combination creates unacceptable risk.

SIMOPS failures appear when maintenance, operations, contractors, logistics, and engineering work in the same area with separate approvals. The permit for a hot-work job may be correct, while a nearby line-opening task changes the atmosphere risk. The lifting plan may be acceptable, while pedestrian flow, scaffolding, and electrical troubleshooting change the drop-zone assumptions.

During the audit, compare the area plan, shift schedule, active permits, and supervisor briefing. The field should show one shared view of the day, not five isolated fragments. When there is no common SIMOPS board, map, or digital equivalent, the audit team should test how conflicts are found before work starts.

The Headline lens is leadership-oriented here. Senior EHS leaders should ask whether the system makes conflict visible early enough for a supervisor to act, or whether it depends on individual memory during a noisy shift start.

Step 6: Check handover and change after authorization

Control of work must survive shift handover and job change, because many serious exposures appear after the original authorization looks complete.

Review every sampled job that crossed a shift boundary or changed scope. The audit should find who revalidated the permit, which conditions changed, whether isolations were rechecked, and how incoming supervisors received unresolved risks. If the handover only says "continue work," the system has lost the reasoning behind the original controls.

This is also where a management-of-change safety test becomes part of control of work. A temporary repair, alternate tool, weather change, missing part, or contractor substitution may not trigger a capital MOC process, but it can still change the risk profile of the job.

Co-host Andreza Araujo has explored this pattern further in *Antifragile Leadership*: leaders make systems stronger when they treat disruption as information. In a control-of-work audit, the practical version is to ask what the shift learned from the change and how that learning altered the next authorization.

Step 7: Score supervisor intervention, not only compliance

The audit should score whether supervisors intervened at the right moment, because control of work depends on field leadership when conditions deviate.

A permit system can satisfy a procedure and still fail the moment a supervisor ignores an unclear isolation, a rushed briefing, or an unplanned crew overlap. For that reason, the scorecard should include evidence of intervention: questions asked, work paused, controls added, escalation made, or restart denied.

Use three evidence sources. Interview the supervisor, interview two workers from the crew, and compare both accounts with the work pack. The purpose is not to catch someone out. The purpose is to find whether the control system gives supervisors enough permission, time, and backing to challenge weak preparation before people enter the risk zone.

This step is close to safety risk appetite boundaries, because leaders must say which risks supervisors are not allowed to normalize. Without that boundary, the field learns that approval means permission to continue.

Step 8: Close the audit with owners, dates, and retest evidence

A control-of-work audit only improves risk control when findings are translated into owners, due dates, and retest evidence in the field.

Separate findings into three groups: immediate job fixes, system design fixes, and leadership decisions. Immediate fixes include missing gas-test records or unclear isolation labels. System design fixes include poor permit triggers, weak SIMOPS planning, or unclear contractor interfaces. Leadership decisions include staffing, production pressure, approval authority, and supervisor escalation rights.

The final report should avoid a long list of observations with equal weight. Rank findings by fatal-risk potential, recurrence, and barrier weakness. Then schedule a field retest within 30 to 60 days for the top risks, because document closure without retesting only moves the problem from the worksite to the action tracker.

Every month without a retest allows crews to rebuild informal workarounds around the same weak interfaces, while the dashboard reports closure because the corrective action was typed into the system.

Control-of-work audit table

The table below gives a practical comparison between a paperwork audit and a risk-based control-of-work audit.

Conclusion

A 30-day control-of-work audit should prove whether high-risk work is being governed in the field, not whether the organization can produce a clean folder of authorizations.

Use the audit to expose interface risk, strengthen supervisor intervention, and retest the controls that protect people when work changes. For more real conversations on leadership and safety, listen to Headline Podcast, the space where leadership and safety come together to shape better workplaces and better lives.