Contractor qualification
10 min read

Audit-Ready Records Every Oil & Gas Contractor Needs

Qualification audits from operators, ISNetworld, and Veriforce stand between your company and the contracts that keep crews working. Here is what auditors pull, where contractors fall short, and how to get organized in 90 days.

Jacob Szyszka, Founder & CEO of BasinCheck

Written by Jacob Szyszka

Founder & CEO, BasinCheck · ASSP Permian Basin Chapter member · Updated July 8, 2026

By Jacob Szyszka · Published July 8, 2026. Audit requirements vary by operator, platform, and work scope. Verify current requirements before relying on any checklist.

Document request list

Audit request packet

10-day deadline

OSHA-300-2026

Reconciled against 300A summary

CA-LOG-Q2-2026

All items closed with owner and date

SITE-INSP-20260701-REV00

Supervisor signed, photos attached

HW-PERMIT-20260614-003

Gas test and fire watch recorded

The audit notice arrives on a Tuesday. You have 10 days to produce six months of corrective action records, your OSHA 300 log, signed inspection forms from every rig, and evidence that each open finding has been closed. Your safety team pulls up three different folders, two email threads, and a binder someone left in the Midland office. Nothing is organized the way the auditor will expect it. For a lot of oilfield service companies, that is an ordinary week.

Contractor qualification audits from major operators, ISNetworld, and Veriforce are a standing gate between your company and the contracts that keep crews working. The records you maintain determine whether you walk through that gate or get flagged for noncompliance. A documentation gap costs more than points on a scorecard. It can cost the contract.

This article covers what auditors pull, where oilfield service companies consistently fall short, and how to get your records organized within 90 days. BasinCheck is built to keep every record category covered here timestamped and export-ready before an audit notice arrives, but the checklist below works whether you are running software or rebuilding a paper process from scratch.

What major operators actually check during a contractor qualification audit

A common misconception is that qualification audits are primarily a numbers review: your TRIR, your DART rate, your EMR. Those numbers matter, but auditors treat them as the starting point. What they are actually verifying is whether your safety program is real and operational, not just documented on paper once a year.

ISNetworld runs contractor submissions through its RAVS (Review and Verification Services) process, and Veriforce applies a comparable audit framework. Both require contractors to submit written safety programs, evidence of corrective action closure, verified employee training certifications, and OSHA recordable incident data backed by actual 300 logs. Auditors cross-reference your submitted TRIR against your 300A summary and your workers' compensation documentation to check for consistency. A mismatch between those three sources triggers a finding on its own, regardless of your actual injury rate.

Operators increasingly require documentation that goes beyond form submission. They want proof of how quickly your company responds to identified hazards, whether your written safety manual reflects the actual work scope your crews perform, and whether task-specific records like JSAs and permits were completed before work started or assembled after the fact. Auditors trained under both the ISNetworld RAVS and Veriforce frameworks are calibrated to spot backdated or retroactively completed documentation.

Founder-led setup

See how your current records would hold up in a qualification audit.

Bring a corrective action log, inspection form, or last audit request list. We will map it to BasinCheck and show the smallest rollout that gets one crew producing audit-ready records.

Audit-ready records oil and gas contractors must have on file

Four record categories carry most of the weight in a qualification review. Get these right and the rest of the audit gets easier.

OSHA 300 and 300A logs

The first records an auditor requests. Every recordable entered, classified by injury type, reconciled against the 300A summary, and retained for the full five-year period.

Corrective action log

Each entry needs three things: a description of the finding, the action taken, and a closed-out timestamp with the responsible person's name.

Inspections, JSAs, and permits

Rig inspection checklists signed by the supervisor, task-specific JSAs crew-signed before work starts, and hot work permits with gas test results and photo evidence where required.

Written program and training records

A safety manual that matches your actual work scope, plus training certificates for field personnel with visible expiry dates inside the record.

Your OSHA 300 log and 300A annual summary are the first records an auditor requests. They are the fastest proxy for whether your company tracks injuries accurately and classifies them correctly. A complete, audit-ready OSHA 300 log has every recordable incident entered, classified by injury type, reconciled against your 300A summary, and retained for the full five-year period required under OSHA's recordkeeping rules. If you are starting from scratch, our OSHA 300 log template covers the required fields, and our guide to contractor OSHA audits covers how those logs get reviewed. When a record is missing or the numbers between your 300 and 300A do not match, auditors flag it immediately, and that flag cascades into questions about every other record category.

Corrective action documentation produces more audit findings than any other single category in contractor qualification reviews. A corrective action is only auditable when it has three things: a description of the finding, the action taken, and a closed-out timestamp with the responsible person's name. Auditors from both Veriforce and ISNetworld look for a complete corrective action tracking trail that proves you identified the root cause, assigned a fix to a specific person, and confirmed closure. An open corrective action with no closure date is counted as an open finding, even if the physical hazard no longer exists on the rig.

Beyond incident logs and corrective actions, auditors verify the operational records that prove daily safety compliance. That includes completed rig inspection checklists signed by the appropriate supervisor, JSAs for non-routine tasks that are task-specific and crew-signed before work begins, and hot work permits with pass/fail documentation, atmospheric test results, and photo evidence where required. The authorization chain on each of these documents matters. A hot work permit without a clear sign-off sequence tells an auditor the permit process is not being followed in the field.

Why timestamped audit trails change the outcome

A timestamp is what makes a record defensible. Keep these retention baselines straight across every location.

  • OSHA 300, 300A, and 301 records: five years following the end of the calendar year they cover (29 CFR 1904.33)
  • Employee exposure and medical records: duration of employment plus 30 years
  • Operator prequalification requests: usually cover the last three years, so current recordkeeping should already have them
  • Open litigation or an open citation: retain the related records until final resolution

When an incident is investigated or an OSHA citation is issued, the question is always the same: when was this identified, who was assigned to fix it, and when was it confirmed closed? A proper audit trail answers all three without ambiguity. Records without timestamps or version history cannot be defended, even if the underlying safety work was done correctly.

Contractors operating across multiple basins (the Permian, Eagle Ford, Bakken) often apply inconsistent retention standards across locations. Keep it simple. OSHA 300, 300A, and 301 records must be retained for five years following the end of the calendar year they cover, under 29 CFR 1904.33. Exposure and medical records carry a much longer requirement: duration of employment plus 30 years. Most operator prequalification requests only ask for the last three years, so current recordkeeping should already cover them. And if litigation or an open citation is pending, retain the related records until it is resolved. Applying those standards uniformly, regardless of where a well pad sits, eliminates a gap that auditors consistently find in multi-basin operations.

Records usually fail audit scrutiny over metadata rather than content. Incident reports submitted as PDFs without document IDs, JSAs with typed names instead of verifiable signatures, and training certificates with no visible expiry date inside the record itself are rejected by prequalification platforms even when the underlying safety work was performed correctly.

The documentation gaps that cost contractors their contracts

The most common documentation failure in contractor qualification audits is not a missing program or an unreported injury. It is a corrective action with no closure evidence. A hazard is identified during a rig inspection, a corrective action is logged, and then no one records when it was resolved. The physical hazard may have been fixed the same day. But without a timestamp, a responsible party's name, and a written close-out entry, auditors count it as open. That single gap category can drop a qualification score below the threshold major operators accept.

Unsigned daily inspection reports, JSAs with missing crew signatures, and hot work permits missing the fire watch designation are flagged in virtually every audit. Auditors read them as a sign the safety program is not being followed consistently in the field, which is exactly the conclusion a major operator is trying to avoid when qualifying a contractor. An experienced auditor can tell the difference between a form completed in the moment and one filled out retroactively. The handwriting changes, the time entries cluster unnaturally, and the level of detail drops off. Paper-based processes make this pattern almost inevitable under field conditions.

Safety manuals that do not reflect the actual work scope your crews perform are a separate failure category that is easy to overlook. If your written HSE program does not include hot work protocols because they were added to your scope two years ago and no one updated the manual, your written program fails the RAVS review regardless of how well your crews execute hot work permits in the field. Written programs must match what your crews do. That alignment is audited directly.

A 90-day plan to get audit-ready

Before fixing anything, you need to know what you actually have. In the first 30 days, pull all corrective actions from the last 12 months and identify every item with no documented closure date. Review the last three months of rig inspection records and flag any missing signatures. Reconcile your OSHA 300 log against incident reports to confirm every recordable is entered and classified consistently. Assign an owner to each gap category with a documented due date. This inventory step is what separates a real audit-readiness effort from a last-minute document assembly sprint.

From days 31 through 90, the work shifts to standardization and gap closure. Implement a naming convention for all safety records, for example SITE-INSP-YYYYMMDD-REV00, so files are consistently locatable across locations. Build a simple retention schedule per record type and document it. Add a chain-of-custody log for records that need to show a clear handling history. These process fixes do not require a full software rollout; they require consistent execution and assigned ownership.

The most effective step in this 90-day period is a structured internal mock audit. Walk through the exact questions an ISNetworld auditor or operator safety representative would ask:

Show me the corrective actions from your last three rig inspections and their closure dates.
Pull your OSHA 300 log for the current year and reconcile it against the 300A summary.
Provide the JSA and hot work permit from your last non-routine task, with crew signatures and atmospheric test results.

If your team can answer those questions in under an hour with organized, timestamped documentation, your audit-ready records are in solid shape. If the answer requires a search across multiple systems and email threads, the mock audit just told you exactly where to focus the remaining time.

What auditors request in writing

Most ISNetworld and Veriforce audits issue a formal document request list at the start of the review. Typical line items include: current written safety program with revision date, OSHA 300 and 300A for the current and prior two years, corrective action log with closure status, training certificates for all field personnel with visible expiry dates, and completed JSAs and permits from the most recent non-routine tasks. Having these pre-packaged in a labeled folder, digital or physical, before the request arrives is the single fastest way to demonstrate program maturity to an auditor.

How to export audit-ready documentation without a last-minute scramble

When an audit notice arrives, the goal is to produce complete, organized documentation within hours. Every completed inspection needs an automatic timestamp, every corrective action needs a visible closure date and owner, and every OSHA log entry needs to be reconcilable with the supporting incident report. A system that needs manual assembly of those elements under a 10-day deadline works against you. Our guide to oilfield safety audit efficiency covers how to cut that assembly time down.

BasinCheck was built for this scenario. It centralizes every record category covered in this article: OSHA 300/300A logs with export formats aligned to what operators and prequalification platforms accept, corrective action tracking with timestamps and overdue alerts so nothing ages out without a close-out entry, rig inspection records with photo evidence capture, a JSA builder that handles crew signatures digitally, and hot work permits with pass/fail documentation and atmospheric test fields built in. Every record is timestamped automatically when completed in the field, whether the crew has cell service or not. The offline-first mobile design means records from remote well pads in the Delaware Basin sync to the central dashboard the moment connectivity is restored, with no manual data entry back at the office. Our oilfield audit documentation page covers the full record structure.

That structure mirrors what operators actually request during qualification audits, not a generic EHS template adapted from a different industry. The distinction matters when an auditor asks for documentation in a specific format and your system produces something that requires translation. Starting at $149 per month with unlimited users on flat company tiers, it is a practical option for oilfield service companies that cannot justify enterprise EHS pricing but cannot afford to lose contracts over documentation gaps.

Build the habit before the notice arrives

Audit-ready records mean the right documents, structured correctly, with timestamps and closure evidence that hold up under a formal review. Most contractors that fail qualification audits do not fail because they skipped the safety work. They fail because the documentation does not reflect what actually happened in the field.

The checklist in this article is the starting point: know what categories auditors pull, close your corrective action backlog, standardize your inspection records, and apply a consistent retention policy across all locations. Those steps, executed in 90 days, change the outcome of the next qualification review.

If you are managing records across multiple rigs or well pads, a platform like BasinCheck turns this from an annual scramble into an always-on process. Field crews complete inspections and JSAs in the mobile app, corrective actions get assigned and tracked automatically, and the records package that takes most contractors a week to assemble is available in a single export. The next qualification audit should be the one where your team sends the complete documentation package before the auditor asks for a follow-up.

Founder-led setup

See how your current records would hold up in a qualification audit.

Bring a corrective action log, inspection form, or last audit request list. We will map it to BasinCheck and show the smallest rollout that gets one crew producing audit-ready records.

Audit-ready records FAQ

Common questions from contractors preparing for qualification audits.

Typical document request lists include the current written safety program with revision date, OSHA 300 and 300A logs for the current and prior two years, a corrective action log with closure status, training certificates for field personnel with visible expiry dates, and completed JSAs and permits from recent non-routine tasks. Exact line items vary by operator and review type.