Most Australian organisations have a wellbeing program. Many have an annual engagement survey. Some have a policy on the shared drive. Very few have what a regulator will actually ask for during a psychosocial inspection: structured, documented evidence that they have identified their psychosocial hazards, assessed the risks, implemented specific controls, and reviewed whether those controls are working. Since December 2025, that evidence is a legal requirement under Australian WHS law, not a matter of good practice. This checklist is a practical instrument for closing the gap.

What this checklist covers

This guide is written for Australian employers operating under the harmonised WHS jurisdictions (NSW, Queensland, Western Australia, South Australia, Tasmania, Northern Territory, Australian Capital Territory, and the Commonwealth) and for Victorian employers operating under the Occupational Health and Safety Act 2004. The duties are substantively similar across jurisdictions, though the penalty ranges and specific provisions vary.

The checklist is built around the seven questions a regulator asks during a psychosocial inspection. If your organisation can answer all seven with documented evidence, you are inspection-ready. If you cannot, the checklist tells you exactly where the gaps sit and what evidence each item requires.

Why a checklist now

The regulatory context has changed materially over the past eighteen months. Psychosocial provisions have commenced across every Australian jurisdiction, and enforcement capacity has followed the legislation.

In New South Wales, SafeWork became a standalone regulator on 1 July 2025, received $127.7 million in enforcement funding, hired 51 additional inspectors, and introduced mandatory psychosocial checks during all inspector visits for organisations with 200 or more workers. Compliance visits are up 25% year-on-year. For context on active enforcement in New South Wales, the NSW picture is the most developed; every other jurisdiction is moving in the same direction.

In Victoria, the standalone Psychological Health Regulations commenced on 1 December 2025 without a transitional period, giving employers the most prescriptive framework in the country. The landmark prosecution of Court Services Victoria produced a $379,157 penalty after a failure to assess psychosocial risk contributed to an employee's death. See Victoria's standalone psychological health regulations for the local detail.

Behind the enforcement numbers sits a cost pattern that regulators and boards increasingly understand. Mental health claims have risen 161% over the past decade and cost approximately three to four times more to resolve than physical injury claims. The checklist below is the operational response to that environment.

The seven questions a regulator will ask

Psychosocial inspections follow a predictable line of questioning. The seven questions below come from current SafeWork enforcement practice and map directly to the duties in the model Code of Practice: Managing Psychosocial Hazards at Work. Each one expects documented evidence, not a verbal answer.

1. What process do you use to identify psychosocial hazards? The inspector expects a systematic identification method aligned to the Code, not a one-off engagement survey.

2. How do workers report psychosocial concerns? The inspector expects an accessible, documented reporting pathway that is actively used, not a clause in the handbook.

3. Can you show me the records? The inspector expects a psychosocial risk register that is current, not a folder of historical assessments.

4. What controls have you implemented? The inspector expects specific controls mapped to identified hazards, following the hierarchy of control.

5. Who is responsible for each control? The inspector expects named owners, not "the leadership team" or "HR".

6. When were controls last reviewed? The inspector expects dated review records with documented findings.

7. How do you know the controls are effective? The inspector expects monitoring data, not assurances.

The checklist below is organised so that working through it in order produces the evidence that answers each of the seven.

The checklist

Use this to self-audit your psychosocial compliance posture. If you are working through it for the first time and cannot tick most items, that is the normal starting point. What matters is having a path to close each gap before an inspection happens, not after.

1. Hazard identification (Code Chapter 3)

• Coverage of all 17 recognised psychosocial hazard categories under the Commonwealth Code (job demands, low job control, poor support, lack of role clarity, poor organisational change management, inadequate reward and recognition, poor organisational justice, traumatic events, remote or isolated work, poor physical environment, violence and aggression, bullying, harassment including sexual harassment, conflict or poor workplace relationships, fatigue, job insecurity, and intrusive surveillance).

• Multiple identification methods, not a single instrument. Examples include a validated psychometric survey, focus groups, worker consultation, incident and complaint data, exit interview data, and direct observation. For the underlying method, see a structured psychosocial risk assessment process.

• The identification method is documented and repeatable across review cycles.

• Findings cover every work group, site, or role category with materially different exposure.

• Identification runs on a defined cadence, not ad hoc.

2. Risk assessment (Code Chapter 4)

• Each identified hazard has been assessed for severity, frequency, and duration of exposure.

• Hazards have been assessed collectively, recognising that they interact and combine. The Code requires this explicitly.

• The assessment considers the design of work, systems of work, physical environment, workplace interactions, and the information, training, and supervision provided to workers.

• Risk ratings are recorded with a documented justification, not simply assigned.

3. Control measures (Code Chapter 5)

• Controls follow the hierarchy: eliminate risks if reasonably practicable; if not, minimise so far as is reasonably practicable.

• Each control targets a specific identified hazard, not generic wellbeing activity.

• Each control has a named owner responsible for implementation.

• Controls are documented with implementation dates.

• Where elimination is not reasonably practicable, the reasoning is recorded.

4. Review and effectiveness (Code Chapter 6)

• A review cadence is defined and calendarised.

• Controls are reviewed when they are not effective, before workplace changes, when new hazards emerge, when consultation indicates a review is needed, or when a health and safety representative requests one.

• Effectiveness is measured with data, such as repeat survey scores, incident trends, or complaint volumes. Not with assurances.

• Review findings are documented and feed back into the risk register.

5. Worker consultation (Code Chapter 2)

• Workers and HSRs have been consulted during identification, assessment, control selection, and review.

• Consultation records are kept: meeting notes, committee minutes, consultation records.

• Consultation outputs visibly influence control decisions, not merely document them.

6. Governance and officer due diligence

• The board or relevant governance body receives psychosocial risk reporting on a defined cadence.

• Officers can demonstrate the six due diligence requirements in the Code: current knowledge of psychosocial WHS matters; understanding of operations and the associated hazards and risks; appropriate resources and processes to eliminate or minimise risks; processes for receiving and responding to incident and hazard information; processes for complying with WHS duties; and verification that resources and processes are performing effectively.

• A named accountable officer owns the psychosocial risk programme.

The mistakes to avoid

Three patterns show up repeatedly in organisations that have a psychosocial programme on paper but cannot answer the regulator's questions under inspection.

Spreadsheet compliance. Risk registers, control logs, and review notes scattered across spreadsheets and shared drives. Two predictable failures follow. The record goes stale within a quarter because no one owns it end-to-end. And when an inspector asks for the audit trail, the organisation produces a folder of files instead of a coherent, timestamped record of what was identified, what was controlled, by whom, and when.

Tick-and-flick compliance. An annual survey followed by a "we looked at the results" debrief. Regulators distinguish engagement measurement from hazard management explicitly. Engagement surveys are not a substitute for structured psychosocial risk assessment. Surveys measure how people feel. Hazard assessment measures what could cause harm and how severely. Both are useful; only one satisfies the regulation.

HR ownership without WHS alignment. Psychosocial risk sits entirely within HR's remit and never connects to the WHS register. Under the WHS Act, psychosocial hazards are WHS hazards. The duty sits with the PCBU and the safety function. HR supports wellbeing; WHS manages hazards. A regulator will not accept "we have an employee assistance program" as a control for, say, unsustainable job demands.

What good looks like

An organisation that is inspection-ready can produce, within a short timeframe, the following evidence:

• A current psychosocial risk register covering all 17 hazard categories, updated within the last review cycle.

• Named control owners for every identified risk, with documented implementation dates.

• Consultation records showing worker and HSR involvement at every step of the risk management process.

• A review log showing what was tested, when, and what was found.

• Board or officer-level reporting on psychosocial risk posture at a defined cadence.

A static document cannot produce this in isolation. The register drifts, owners change, the review cadence slips, and the evidence gets reconstructed under inspection pressure rather than assembled in the normal course of work. What a live system adds is continuity: the register stays current, the reviews fire on schedule, and the evidence assembles itself in the background.

This is where ReFresh sits. The psychosocial operating system runs the Code's four-step process as a continuous workflow, maintains the audit trail in real time, and produces inspection-ready evidence on demand. It does not replace a general WHS platform; it completes it for the hazard class the general tools were never designed to handle.

Next steps

The fastest way to see how your current position maps against this checklist is a structured 20-minute walkthrough. We map what your existing system produces against what a psychosocial-focused inspection would look for, and hand you a written gap summary at the end.

Primary CTA: Book a 20-minute compliance gap walkthrough (Cal.com)
Secondary CTA: Check your compliance readiness (Tally readiness survey)

Frequently asked questions

Is a psychosocial compliance checklist legally required?
No, but the evidence the checklist captures is. Australian WHS law (and Victoria's OHS Act) requires duty holders to identify, assess, control, and review psychosocial risks and to demonstrate that they have done so. A checklist is an operational instrument for producing and maintaining that evidence.

How often should the checklist be reviewed?
At minimum, annually. The Code of Practice also requires review when controls are not working, before workplace changes, when new hazards emerge, when consultation indicates a review is needed, or when a health and safety representative requests one. In practice, organisations with mature programmes run a full review annually and interim reviews quarterly.

Who in the organisation owns the checklist?
Accountability sits with the PCBU and the named officer with WHS responsibility. Operational ownership typically sits with the WHS function, supported by HR for consultation and control implementation. HR alone is not sufficient; under the Act, psychosocial hazards are WHS hazards, and the duty holder framework applies accordingly.

Does a wellbeing program count as a psychosocial control?
It depends on the hazard. An employee assistance program is a secondary control for hazards such as traumatic exposure, but it is not a primary control for hazards such as job demands, poor role clarity, or poor organisational change management. Controls must target identified hazards specifically and follow the hierarchy of control, with elimination or minimisation preferred over response.

What is the penalty for failing a psychosocial inspection?
Penalties range from improvement notices and prohibition notices through to prosecution. The landmark Court Services Victoria prosecution in 2023 produced a penalty of $379,157 after a failure to assess psychosocial risk contributed to an employee's death. Officer due diligence failures under section 27 of the WHS Act carry a maximum penalty of five years' imprisonment.