07 November 2025
Conducting an internal audit of your Dam Safety Management System
A Dam Safety Management System (DSMS) is an approach to managing your dam’s safety that encompasses all organisational elements associated with the dam. All owners of declared dams in NSW must have a DSMS in place.
Under the Dams Safety Regulation 2019, a DSMS needs to comply with the asset management standard ISO 55001. The standard requires asset owners to conduct internal audits.
What is an internal audit?
An internal audit tests whether a system is functioning the way it is intended to - consistent with the organisation’s policies and procedures, its risk management controls and regulatory requirements. An internal auditor determines whether what they observe in practice is the same as the stated processes, culture and commitments, whether all the requirements of the system are in place and whether the system is working to achieve the stated objectives and outcomes. Internal audits usually identify areas where improvements can be made and are therefore part of a cycle of continuous improvement for the dam safety management system.
An internal audit of a DSMS is essentially a sampling process to assess whether the dam owner is meeting and delivering the requirements stated in the DSMS, and ensuring the dam is being monitored, operated and maintained safely.
Why is it important to conduct internal audits of your DSMS?
An internal audit helps to provide assurance that dam safety procedures, policies and processes are working, that staff are capable and familiar with the dam safety management system and are implementing and reporting on it as required, and that dam safety risks are being effectively managed.
Internal audits also uncover gaps, needs and areas where additional controls or corrective actions are required for continuous improvement.
Who should conduct an internal audit?
There are no mandatory requirements to be an internal auditor, except being independent of the area and topics being audited.
But an auditor should have strong interpersonal skills, such as good verbal and written communication and an ability to build rapport and manage conflict. They should be able to handle sensitive findings tactfully and ethically. Internal auditors should understand audit principles and techniques, including planning, conducting and reporting audits, and be familiar with quality principles and continual improvement. They should also be able to identify inefficiencies, non-compliances and areas for improvement.
It is highly recommended that auditors have formal training/qualifications - especially if auditing against international standards like ISO 9001 and ISO 55001.
Internal auditing principles
Below are some generally accepted principles of internal auditing.
Independence. Although an internal audit will be initiated by the organisation itself, it is important to design the program in a way that maximises the independence of the auditor or audit team. This may involve using staff from other parts of the business or engaging third parties.
Evidence-based. Collecting and recording evidence is a key part of the internal audit and helps to ensure the conclusions are valid and fair. The ISO guidelines for auditing management systems suggest that information should be verifiable to be accepted as audit evidence.
Competence. Auditors need specific skills and experience to be effective. Internal auditors should undertake professional development to ensure they have the knowledge and capabilities to perform the role.
Fit for purpose. Some DSMS are relatively simple, and others are very complex. Declared dam-owning organisations can be large corporate or state-owned entities with many staff, while others are small businesses with few employees. Owners may have a single low risk dam or several higher risk dams. These and other factors will influence the design of your internal audits and what is needed to meet your requirements.
Tips to help you design and implement your internal audit program
Designing the audit program and planning individual audits
- Decide what you need to audit in your DSMS and how frequently you will conduct audits. You may find it useful to prepare a calendar of audits over several years, and set notifications to ensure these occur at regular planned intervals as required by ISO 55001.
- The audit program will likely focus on different elements of the DSMS in different years. If this approach is taken, develop an audit program that prioritises the highest risks (a risk-based approach). For example, if surveillance procedures have been identified as a high risk, consider auditing them in the first year.
- Develop a plan for each audit with timelines, resourcing, objectives, tasks, any risks in conducting the audit and how you will measure the effectiveness of this audit.
- Consider who will conduct the audit and how they will ensure their independence. How will privacy and confidentiality be managed? Set this out in the audit plan.
- Define the scope of the audit. What will be covered as part of the audit and what is out of scope?
Some areas of the DSMS you may consider auditing, depending on your risk-based priorities:
- Risk management framework
- Operations and maintenance procedures
- Emergency preparedness
- Surveillance, including annual and five-yearly reviews
- Resourcing and support for the DSMS
- Leadership and top management involvement
- Internal and external (consultants and contractors) competency and training
- Management of corrective actions
- Internal and external stakeholder engagement
- Record keeping
- Reduction of risks so far as is reasonably practicable (SFAIRP)
- Compliance with ISO 55001
- Incident management
What does ‘success’ look like?
Set criteria to help assess whether the evidence demonstrates sufficient conformance with each of the areas you are investigating. For example, if your audit focuses on the emergency plan, you may have a criterion related to regulatory requirements, like ‘has the emergency plan been reviewed to update contact details in the last 12 months?’, and an organisational awareness criterion, like ‘do dam staff know where copies of the emergency plan are located and what the key triggers are to initiate it?’. Your policies and plans, and your processes for monitoring, measurement and evaluation of the DSMS, should help set these criteria.
In many organisations, it may not be practical to involve every relevant person and review every record in the audit. If the audit team proposes to ‘sample’, that is select a subset of people, records, procedures etc. to review, then the audit plan should set out how the sampling will occur.
Who will be involved and why?
Document how you will initiate the audit, how you will reach out to auditees and explain the audit’s process and purpose to them, and what documentation you intend to request from them for review before the audit field work.
In your audit plan, describe how the audit findings will be shared and with whom. How will senior leadership be involved and what is their commitment to take action on the audit findings? Note that ISO 55001 also requires top management to review the DSMS at planned intervals (Clause 9.3 ISO 55001 Management review). Reviewing internal audit results should be part of this process.
Document your plans for record keeping.
Conducting the audit
Depending on the size of the organisation, audits may have an opening meeting with one or more auditees and senior management. The opening meeting can be used to:
- introduce the audit team and the purpose, scope and context of the audit
- check that all the planned audit activities can be undertaken
- identify any risks to the audit or team not previously noted
- share the audit plan and make agreed amendments if necessary
- allow auditees to ask any questions
- explain what will happen during and after the audit
In the field work/sampling phase, the audit team should collect evidence about the areas in scope. This will likely include interviews, observations and records. Give sufficient notice to auditees so that they can gather the requested records and make time in their schedules for interviews and discussions.
As part of the field work, you may need to make travel arrangements, book online meetings, participate in safety inductions and possibly even arrange replacement staff to cover auditees who are offline while they participate in the audit.
To guide the interviews, you may have a set of standard questions to draw from as well as the flexibility to lead the discussion into other relevant issues or topics that emerge during conversation, including those the auditee may wish to raise.
Auditors ask for verification to confirm a particular practice or statement. For example, if an auditee says ‘we always take readings from the v-notch while we are out mowing the embankment’, the auditor will likely ask to see a sample of the recorded v-notch readings.
Compiling the findings and presenting the report
Compare the evidence collected to the criteria you have set. For example, if the criterion was ‘all routine inspections use the current version of the inspection template document and are completed with date and time and the names and signature of the surveillance staff’, review the records to see if they conform.
Prepare a report on your findings, conclusions and recommendations. The report will include sources of evidence that show how each conclusion has been reached and will be shared with key decision makers.
Audits usually have a closing or exit meeting with auditees, including senior management, to present the audit’s findings and recommendations for improvements and corrective actions. At this meeting, you may also seek to gain commitments to proceed with assigning and undertaking the proposed actions.
For more detailed information on auditing management systems, see ISO 19011:2018 (Guidelines for auditing management systems).