Conduct HVA scheme audits

This page guides approved auditors through each stage of completing a HVA scheme audit—from accepting the audit through to final reporting. It reflects the requirements of the National Audit Standard (NAS) and helps ensure audits are consistent, clear, and effective.

Find detailed information about the HVA scheme audit framework.

Accepting an audit

Audits are initiated by the operator. Once selected, you can confirm your availability and agree on the timing and scope of the audit.

Before accepting, take a moment to make sure you’re the right fit. You should be confident you can complete the audit within the required timeframe and that you meet independence and competency requirements. If anything feels unclear—such as a potential conflict—it’s best to check with us early.

How to accept

The operator will submit an audit application through NHVR Go. You’ll receive a request to complete an audit, which you can decline or accept. The application confirms key details such as the audit date, location, and scope. You’ll also be able to see the operator’s details and compliance history. This allows you to determine what may be required. If accepted, the application will be sent to us for final approval. Once approved, you can begin preparing for the audit.

What to be aware of

Before confirming an audit, consider:

  • conflicts of interest and independence requirements
  • auditor rotation rules
  • your availability to complete the audit and reporting within required timeframes
  • the compliance history of the operator.

Taking a few moments to confirm these upfront helps avoid delays later.

Planning an audit

Audit plan

An audit plan provides a clear structure for how the audit will be carried out. It helps both you and the operator understand what will happen and when.

Your plan should outline the scope, key activities, and any requirements such as documents, staff interviews, or site visits. Sharing this in advance helps the operator prepare and supports a smoother audit process.

Timing

Audit timing is agreed between you and the operator. The time required will vary depending on the size and complexity of the business, as well as the level of risk involved.
It’s important to allow enough time to properly review evidence, speak with staff, and document your findings clearly.

Logistics

Before the audit, confirm practical arrangements with the operator. This helps avoid delays on the day. This may include:

  • site access, inductions, and safety requirements
  • your main contact onsite
  • availability of staff for interviews
  • access to relevant systems or records.

Finalising these details at least a week before the audit is good practice.

Scope

The audit scope defines what will be reviewed. This includes the operator’s activities, locations, and any specific accreditation requirements.

The scope should reflect the nature of the business, including its size, complexity, and risk profile. Being clear about scope early helps keep the audit focused and consistent.

Desktop audit guide

In some situations, audits may be conducted remotely with NHVR approval. Desktop audits focus on reviewing documentation and evidence off-site. They are generally used for entry audits or specific approved scenarios and are considered on a case-by-case basis.

See the Desktop Audit Guide (coming soon) for more information. 

Conducting an audit

PSOE audit method

The PSOE method is used to assess how well a Safety Management System (SMS) works in practice. It looks beyond whether documents exist and focuses on whether the system is fit for purpose and delivering the outcomes it is designed to achieve.

By assessing each criteria as Present, Suitable, Operating and Effective, PSOE provides a practical and consistent way to evaluate performance. It supports a more meaningful view of assurance by helping identify whether systems are established, proportionate to the operation, embedded in everyday activities, and producing the intended safety outcomes.

Example of Present, Suitable, Operating and Effective, PSOE method
Figure 1: Present, Suitable, Operating and Effective, PSOE method

When does PSOE apply?

The PSOE method applies to all audits conducted during an operator’s accreditation lifecycle, including:

  • entry audits
  • initial compliance audits
  • ongoing compliance audits.

An entry audit is required to confirm that a system is Present and is Suitable. Subsequent audits are then required to demonstrate that the system is Operating and Effective. This allows an operator time to implement and embed their SMS in day-to-day operations. Where PSOE can be demonstrated at an entry audit, the initial compliance audit may be waived.

Read more about the different types of audits and when they are conducted - HVA scheme audit framework.

Audit matrix

The audit matrix tool acts as your guide throughout the audit. It helps you work through each requirement, record your evidence, and capture your findings in a consistent way.

All sections should be completed clearly, with enough detail to support your conclusions.

Evidence sampling

Audits rely on sampling rather than reviewing every record. Sampling allows you to form a reasonable view of how well the system is working.

Your sample should reflect the size and complexity of the operator and focus on higher-risk areas where appropriate. If issues are identified, you may need to expand your sample to better understand what’s happening.

Audit findings

Your findings should be based on objective, verifiable evidence and clearly linked to the audit criteria.

It’s important to present a balanced view—highlighting both areas that are working well and areas that need attention. If there isn’t enough evidence to confirm compliance, you should make further. Where evidence can’t be confirmed, you must record a nonconformance.

Finalising an audit

Documentation and reporting

The audit matrix is the tool used to document what was reviewed, the evidence assessed, and the basis for each conclusion. All information entered into the matrix is automatically converted into a structured summary, which becomes the final audit report. This approach ensures clear, consistent reporting that supports both operators and our teams in understanding your findings.

Mandatory tools

You must complete all audits using the NHVR-approved audit tool. You’re required to complete all fields and retain supporting evidence, including documents and notes, for at least 7 years. Store records securely and handle them in line with confidentiality requirements.

Level of detail

Your report should include enough detail for someone else, such as another auditor or us, to understand how you reached your conclusions. The evidence listed needs to be written in a way that allows it to be identified and reproduced if called upon.

Nonconformances and opportunities for improvement

Audit outcomes may include nonconformances and opportunities for improvement. Nonconformances are raised where requirements are not met and may be:

  • Minor – isolated or low-impact
  • Major – significant or systemic

Opportunities for Improvement (OFIs) highlight areas that could be strengthened but do not require action. All nonconformances require corrective action, which should be agreed with the operator and followed through. The corrective action requests must include an appropriate timeframe for the action to be completed, but no more than 3 months. If additional time is required, the operator must request this along with an action plan describing what they intend to do.

Corrective Action Requests (CARs)

Audit findings that do not meet the SMS Standard result in a Corrective Action Request (CAR). Operators must address the issue and implement actions to prevent recurrence. All CARs focus on resolving root causes and must be closed within agreed timeframes. Full details of requirements and processes are outlined in the NAS (NAS). Major CARs must be closed before the audit report can be accepted by the NHVR.

Each CAR must include an appropriate timeframe for the action to be completed, but no more than 3 months. If additional time is required, the operator must contact the auditor to request this along with an action plan describing what they intend to do.

For more information, see the Corrective Action Request (CAR) Guideline (coming soon).

How to submit

Once finalised, you must submit the audit report through NHVR Go. Before finalising, make sure all findings are complete, corrective actions are agreed, and declarations have been signed. The operator will then be notified to review the outcome. Once the operator reviews, agrees and signs, they will submit to the NHVR to meet accreditation requirements.

Note: Auditors have the right to retain the audit report until they have received the agreed payment for the audit.

Assistance

If you need support at any stage, the NHVR is available to help. This might include guidance on audit requirements, conflicts of interest, use of tools, or more complex situations. Reaching out early can help you stay on track and complete the audit with confidence.

Contact us with any enquiries or if you need assistance.