Mock Audit Checklist for ISN Contractors: A Pre-Hiring Client Review Walkthrough

Hiring client audits on ISNetworld are not random. When Chevron, ExxonMobil, Shell, ConocoPhillips, or any of the larger ISN clients schedule a desktop review of your account, they are checking whether the answers you gave on the Management System Questionnaire (MSQ) match the documents in your account, whether the documents in your account match what your crews actually do in the field, and whether your RAVS-reviewed written programs are real or template fluff. The point of a mock audit is to find every gap before the client does — because once a client opens a finding, you're on the clock to close it, often with bids on hold.

This is the checklist we use. It is structured to mirror the order most hiring client auditors actually go through: corporate program docs first, then MSQ answer sampling, then statistics cross-checks, then insurance, then training, then field documentation. Score yourself honestly with red, yellow, green at the end of each section. Anything red gets fixed before anyone outside your company sees the account.

How a Hiring Client Desktop Audit Actually Runs

A typical hiring client auditor — sometimes the operator's safety contracts coordinator, sometimes a third party like Avanta Risk Management or a regional HSE consultant the operator retains — pulls your ISN account, downloads your written programs, exports your MSQ responses, and spends two to four hours cross-referencing. They are not reading your HSE manual cover to cover. They are sampling. They open three or four answers from your MSQ, follow each answer to the cited document, and verify that the document says what you claimed. If three out of four samples fail, the audit fails.

Your mock audit must do the same thing: sample, don't read. If you read every page you'll miss the pattern. If you sample the way an auditor samples, you'll find the same gaps they will.

The Six-Stage Process Map

1. Corporate Program Documents: HSE Manual TOC Check

Pull your master HSE manual and open the table of contents. Auditors will compare your TOC against the topics you claimed coverage for on the MSQ. The TOC is the first credibility check — a manual missing whole topics that your MSQ claims you cover is the fastest way to fail.

Verify each of these is a discrete chapter or section with its own title, owner, revision date, and approval signature:

• HSE Policy Statement signed by the current senior officer (CEO or President), dated within the last 24 months.
• Roles and responsibilities by position, including HSE Manager, supervisors, and individual employees.
• Hazard identification, JHA / JSA process with a sample form.
• Incident reporting and investigation with thresholds and the escalation path.
• Training program covering new hire, annual, and task-specific.
• Subcontractor management (yes, this gets reviewed even on small contractors — see the dedicated subcontractor management program guide).
• Drug and alcohol program with policy, testing categories (pre-employment, random, post-incident, reasonable suspicion), and consortium administrator named.
• PPE program with hazard assessment certification.
• Emergency response and evacuation.
• Recordkeeping including OSHA 300/300A/301 retention.
• Topic-specific programs: LOTO (29 CFR 1910.147), Confined Space (1910.146), Hot Work, Fall Protection (1926.501), Excavation (1926 Subpart P), Respiratory Protection (1910.134), Hearing Conservation (1910.95), Bloodborne Pathogens (1910.1030) if applicable, HazCom (1910.1200).

Score: green if every chapter exists, is dated within revision policy, and is signed; yellow if any chapter is over 24 months without a revision review; red if any topic claimed on MSQ is missing entirely.

2. MSQ Answer Evidence Sampling

Open your MSQ. Pick any five answers where you said "Yes" and where the system asks for a supporting document. Now actually open each cited document and confirm:

1. The document exists and uploads successfully in your ISN account.
2. The document is current — not expired, not superseded by a newer revision sitting in someone's email.
3. The document content matches the answer. If you said "We perform documented JHAs for every task," the JHA template attached must actually be a JHA template, not a generic toolbox talk.
4. The document references the correct legal entity. Auditors flag mismatches — a program signed under the parent company when the ISN account is under a subsidiary creates a finding.

This is where most contractors fail their first mock audit. The MSQ said yes, the document is uploaded, but on inspection the document doesn't support the answer. For the full walkthrough, see the ISNetworld MSQ walkthrough.

3. RAVS — Attached and Current

RAVS (Review and Verification Service) programs are written safety programs reviewed by ISN against client templates. Walk your RAVS list in ISN and confirm:

• Each required RAVS topic for your hiring clients is attached and shows a passing review.
• The revision date on each program is within ISN's and the client's acceptance window — typically annual review for the larger operators.
• Reviewer comments from prior cycles have been addressed in the latest revision. If ISN said "cite 1910.147(c)(4) explicitly" and your current version still says "follow OSHA standards," that's an open finding waiting to happen.
• Programs are signed by the current responsible person, not someone who left two years ago.

If you're unsure what RAVS even is or how it gets graded, start with our RAVS guide.

4. OSHA 300 / 300A / 301 Cross-Check vs MSQ

This is the single most common point of failure on hiring client audits. You posted a TRIR or DART rate on the MSQ. The auditor will recompute it from your OSHA 300 logs and your annual employee hours. Do the math yourself first.

• Pull the last three years of OSHA Form 300 (log of recordable injuries) and 300A (annual summary) and 301 (incident report) for each establishment.
• Confirm every recordable case on the 300 has a matching 301 and vice versa.
• Recompute TRIR = (Recordable cases x 200,000) / Total hours worked. Confirm it matches the MSQ.
• Recompute DART = (Days Away + Restricted/Transferred cases x 200,000) / Total hours worked.
• Confirm the 300A is signed by an executive (per 29 CFR 1904.32) and posted in the prior calendar year's February 1 to April 30 window.
• For establishments with 100+ employees in covered industries, confirm electronic submission to OSHA (the ITA) was completed by March 2 of the following year.

For the deeper mechanics of which form does what, see OSHA 300 vs 300A vs 301.

5. COIs — Current with Proper Endorsements

Pull the Certificate of Insurance on file and verify:

• Policy effective and expiration dates — current as of audit date, with at least 30 days of remaining coverage.
• Limits meet or exceed each hiring client's minimums (often $1M/$2M general liability, $1M auto, $1M workers' comp employer liability, plus $5M–$10M umbrella for larger operators).
• Additional insured endorsement attached to the certificate, with the correct form. The right answer for ongoing and completed operations is usually CG 20 10 + CG 20 37, or a single combined endorsement that does both. Read CG 20 10 vs CG 20 37 for the difference.
• Waiver of subrogation in favor of the hiring client where required. See waiver of subrogation explained.
• Primary and non-contributory language where required.
• Insurer A.M. Best rating meets the client minimum (commonly A- VII or better).

6. EMR Letter for the Current Year

Your Experience Modification Rate (EMR) letter must be on letterhead from your workers' compensation carrier or NCCI, signed and dated within the current rating year. A photocopy of last year's letter with a hand-edited date is a finding. The EMR posted on the MSQ must match the letter exactly. If you have multi-state operations with different rating bureaus, the letter must address each.

7. Training Records — Sample 5 to 10 Pulls

Pick five to ten employees at random from your active roster and pull their training files. For each, verify:

• New hire orientation documented with date and topics.
• Topic-specific training matching their job: LOTO authorized employee training, confined space entrant/attendant/supervisor, fall protection competent person, excavation competent person, respiratory protection medical clearance and fit test, BBP if exposed, forklift / aerial lift certification, HAZWOPER if applicable.
• Annual refresher dates within the last 12 months.
• Trainer credentials documented for any program requiring a qualified or competent person trainer.
• Records cross-reference back to a roster — no orphan certificates and no missing employees.

8. Employee Files: PPE Certification, BBP, Medicals

The PPE hazard assessment certification required by 29 CFR 1910.132(d)(2) is one of the most frequently missing documents on contractor audits. It must:

• Identify the workplace evaluated.
• Identify the person certifying the assessment.
• Be signed and dated.
• State that the document is a hazard assessment certification.

If Bloodborne Pathogens exposure is reasonably anticipated (first aid responders, certain industrial cleaning roles), confirm the written exposure control plan is reviewed annually and Hepatitis B vaccinations are documented or declined in writing.

9. JHA Samples

Pull JHAs from three to five recent jobs. Each JHA must list job steps, hazards per step, and controls. JHAs that say "be careful" or "use PPE" without specific controls fail. Confirm crew members signed the JHA before work started — not after, not retroactively.

10. Near-Miss / Incident Logs and Corrective Actions

Auditors look for leading indicators as much as lagging stats. A contractor with zero recordable injuries and zero near-misses logged is more suspicious than one with twenty near-misses and clear corrective action follow-through. Pull your near-miss log, your incident log, and your corrective action register. Confirm each open corrective action has an owner, a due date, and a current status. Closed actions should reference the verification step.

11. Drug Program Documentation

Verify the written drug and alcohol policy is current, the consortium administrator is named (DISA, Cordant, FormFox, or your TPA), and your random testing rates and statistical reports are available. Pre-employment, random, post-incident, reasonable suspicion, and return-to-duty categories must be defined with thresholds. If you operate under DOT (49 CFR Part 40 / Part 382), confirm DOT-specific policy elements separately from the non-DOT policy.

12. Subcontractor Documentation

If you said yes to "do you prequalify your subcontractors?" on the MSQ, you must have evidence: a written subcontractor management program, a current sub list, prequalification records for each, COIs on file with the right additional insured endorsements, and pre-mobilization meeting records. Reviewers grade the written program separately from operational practice — both must hold up. The full breakdown is in our subcontractor management guide.

Self-Score: Red, Yellow, Green

Anything red gets fixed before a hiring client opens the account. Yellow gets a written corrective action with a 30-day due date. Green moves to ongoing monitoring. Pair this with our broader ISN audit prep guide and our first-time ISN setup checklist if your account was set up in a hurry.

Run It Annually, Not Once

A mock audit is not a one-time exercise. The most disciplined contractors run a full mock audit on their ISN account once a year and a quick MSQ-vs-evidence sample every quarter. Hiring client audits arrive with about two weeks' notice — sometimes less. The contractors who pass without drama are the ones who never let the gap between MSQ and reality grow more than a quarter wide.

PrequalPilot keeps your MSQ answers, RAVS programs, COIs, EMR letters, and training records aligned across ISNetworld and other platforms with automated expiry alerts and gap detection. See pricing.