An audit of your Legionella controls answers a question your monitoring records cannot: is the system you designed actually running the way you designed it, and is it still the right system for the building? Routine checks tell you a reading was in range last Tuesday. An audit tells you whether the whole arrangement still holds together.

If you already have a risk assessment, a written control scheme and a logbook that is mostly being filled in, you have something worth auditing. This is the deliberate, periodic look that turns a pile of compliance tasks into a system that gets better each time you run it — the review step in the HSE chain of assess, control, monitor, record and review [3].

Done well, it is not a heavier round of monitoring. Monitoring asks whether an outlet was in range; an audit asks whether you could prove the building is under control to someone who turned up unannounced — and if not, where the proof breaks.

What you need before you start

Pick a scope you can finish in one sitting: a single building and a representative stretch of records — say the last quarter — rather than the whole estate at once. Then put five things on the desk:

  • the current Legionella risk assessment
  • the written scheme of control (the document that says what gets done, to what limit, and what happens when a result is out of range)
  • the logbook: temperature readings, flushing records, tank and shower-head cleaning, any sampling reports, and the remedial actions that followed
  • the asset register or schematic
  • a short list of who actually does each task

One preference, offered as opinion: get someone competent who did not write the scheme to run the audit. The author has stopped seeing its gaps, and fresh, qualified eyes are the biggest difference between an audit that finds things and one that rubber-stamps.

How to run the audit, step by step

  1. State what “in control” means here before you look at anything. Read the written scheme and list every control measure with its acceptance limit and its escalation. Done when each routine task has a figure a technician can act on and a named action for when the result misses it. The common failure is a task logged for years with no stated limit, so nobody can say whether a reading was good or bad.

  2. Trace the scheme into the records — sample, don’t read everything. Take a few sentinel outlets and a couple of months and follow them through: did the task that should have happened actually happen, on time, and in range? Done when you can trace a far hot outlet from scheme to recorded reading to resulting action without a gap. The failure is a missing month quietly read as “probably fine”.

  3. Check the paper against the building. Walk to the plant and a handful of outlets. Feel whether the cold storage is genuinely cold and sitting somewhere cool, confirm a sentinel hot outlet runs hot, and look for the dead leg the schematic claims was removed. Done when the building matches the documents. The failure that keeps surfacing is a “decommissioned” branch still plumbed in and quietly going stagnant — see Biofilms: how Legionella hides in plumbing systems on how biofilm settles into exactly those forgotten runs.

  4. Test the escalation path with a real event. Find the last out-of-range reading in the log and trace it end to end. Done when you can see the sequence — flagged, acted on, re-checked, closed — all recorded with dates. The failure is out-of-range readings entered faithfully and then forgotten: a logbook that records problems but never resolves them.

  5. Ask whether the scheme still fits the building. Has anything changed since the risk assessment — a new shower block, a wing taken out of use, a change of occupants, a contractor swap? UK guidance is clear that material change is a trigger to review the controls [3]. Done when every change since the last assessment has either been reflected in the scheme or formally judged not to matter. The failure is a new outlet that no document knows exists.

  6. Turn findings into ranked actions and feed them back into the scheme. This is the improvement step, and it is the one most often skipped. Done when each finding has an owner, a date and a specific change to a document or a task — not a line in a report nobody reopens.

When the audit turns something up: what to fix first

Not every finding deserves equal urgency, and treating them as equal wastes the time of the people who can fix the urgent ones. Run each finding through this, in order:

  • Could this let someone inhale contaminated aerosol now? An unflushed low-use shower, a hot outlet running tepid, a stagnant branch feeding a spray tap. If yes, fix it or take the outlet offline today, then record what you did. Exposure beats paperwork every time.
  • If not, is it a hole in your proof of control? A missing run of records, a task with no stated limit, an escalation that never fired. The water may well be fine — but you cannot show it is. Treat this as a system fault and rewrite the task, threshold or escalation this week.
  • If not, does it show the scheme no longer matches the building? A new outlet, a changed use pattern, plant that was replaced. This is a trigger to review the risk assessment, not something to patch at task level.
  • Otherwise it is admin — an old form version, a naming mismatch. Log it and batch it with the next scheduled review. Real, but not worth interrupting anyone for.

The order matters more than the labels. Fix exposure first, evidence second, scope third, tidiness last.
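As an added illustration that is not part of this article, the Python sketch below mechanises steps 2 and 4 of the audit and the triage order above: for each sentinel outlet it expects one reading per month, flags months with no record, and flags out-of-range readings that have no recorded action or no closing re-check, labelling each finding "exposure" or "evidence" in the order given above. The outlets, limits and readings are constructed placeholders; real acceptance figures come from the site's own written scheme, not from this code.

```python
"""Trace sentinel outlets from written scheme to logbook to closing action."""
from dataclasses import dataclass
from typing import Optional

# Constructed scheme extract. Limits are placeholders only: real figures
# are set by the site's risk assessment and written scheme.
SCHEME = {
    "HOT-3F-far-tap": {"kind": "hot", "limit_c": 50.0},
    "COLD-tank-outlet": {"kind": "cold", "limit_c": 20.0},
}

@dataclass
class Entry:
    outlet: str
    month: str                 # "YYYY-MM" of the routine check
    temp_c: float
    action: str = ""           # remedial action recorded, empty if none
    recheck_c: Optional[float] = None  # reading taken after the action

# Constructed logbook for one quarter.
LOG = [
    Entry("HOT-3F-far-tap", "2024-01", 55.0),
    Entry("HOT-3F-far-tap", "2024-02", 43.5, "TMV serviced, re-flushed", 54.0),
    # March is absent for the hot tap: a hole in the proof of control.
    Entry("COLD-tank-outlet", "2024-01", 18.0),
    Entry("COLD-tank-outlet", "2024-02", 24.5),  # out of range, nothing done
    Entry("COLD-tank-outlet", "2024-03", 23.0, "lid resealed"),  # never re-checked
]

def in_range(kind: str, limit_c: float, temp_c: float) -> bool:
    """Hot outlets must reach the limit; cold outlets must stay below it."""
    return temp_c >= limit_c if kind == "hot" else temp_c <= limit_c

def trace_outlet(outlet, months, log=LOG, scheme=SCHEME):
    """Return (month, priority, finding) tuples for one sentinel outlet."""
    rule = scheme[outlet]
    by_month = {e.month: e for e in log if e.outlet == outlet}
    findings = []
    for m in months:
        e = by_month.get(m)
        if e is None:
            findings.append((m, "evidence", "missing record"))
        elif in_range(rule["kind"], rule["limit_c"], e.temp_c):
            continue  # reading met the scheme's limit: nothing to trace
        elif not e.action:
            findings.append((m, "exposure", "out of range, no action recorded"))
        elif e.recheck_c is None or not in_range(rule["kind"], rule["limit_c"], e.recheck_c):
            findings.append((m, "evidence", "action recorded but not re-checked in range"))
    return findings

def audit(months=("2024-01", "2024-02", "2024-03")):
    """Run the trace for every outlet named in the scheme."""
    return {outlet: trace_outlet(outlet, months) for outlet in SCHEME}
```

Running `audit()` on the constructed quarter reports the missing March record for the hot tap as an evidence gap, the untreated warm cold-water reading as an exposure finding, and the acted-on but never re-checked reading as an open escalation.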

Knowing the audit actually worked

A single audit proves very little. The value shows up over two or three cycles, when the next audit finds last time’s actions closed and fewer new findings of the same type. That downward trend is what continuous improvement actually looks like on a site — not a thicker folder, but a shrinking list of repeat faults. CDC describes effective Legionella control as an ongoing water management programme that is checked and adjusted rather than set and filed [4], and the same logic sits inside L8 and HSG274 [1][2].

If the same fault keeps reappearing — flushing always slips on the same floor, the same outlet always reads warm — stop logging it and treat the recurrence itself as the finding. A control that fails the same way every quarter is usually a design or resourcing problem, not a discipline one, and another tick in the box will not cure it.

A fair word on what this is and isn’t

An internal audit checks your own system against your own scheme and the HSE framework. It does not replace the site-specific risk assessment by a competent person, and it is not the same as an independent third-party audit, which exists partly to catch what your own team has quietly normalised. Acceptance figures, monitoring intervals and remedial actions come from your risk assessment and the system in front of you, not from any general method — including this one. Use what is here to ask sharper questions, then answer them against your own building.

Where to start this week

Don’t schedule a full programme. Pick one building, block out a morning, and pull the written scheme alongside last quarter’s logbook. Choose a single sentinel outlet — a far hot tap, or a shower in a low-use room — and trace it end to end: what the scheme says, what the records show, what the building actually does. If that one thread holds, widen the audit to the rest. If it breaks, you have already found where your continuous improvement effort should go first.

FAQ

How is auditing our controls different from reviewing the risk assessment?

The risk assessment defines what good control should look like for the building. The audit checks whether that control is actually happening day to day and whether the assessment still describes reality. Different questions: one sets the standard, the other tests it. You can fail an audit while holding a perfectly sound risk assessment — finding that gap is the whole point of looking.

How often should we run an internal audit?

There is no fixed interval set in law; the sensible cadence follows the size and risk of the site, set through your risk assessment, with an extra look after any significant change to the system, its use or the people exposed [3]. Many duty holders run an internal review more often than their formal risk assessment review, with routine monitoring continuing throughout. Confirm the right frequency for your site rather than copying a number.

Do we still need a third-party audit if we audit ourselves?

They do different jobs. Self-audits are frequent, cheap and catch drift early; an independent audit, ideally by a provider working to a recognised code of conduct [5], catches what your team has stopped noticing and carries more weight with regulators and insurers. Run internal audits between independent ones, not instead — see Third-party audits: validating your Legionella programme for what a good external audit covers.

Sources

[1] HSE, “Legionnaires’ disease. The control of legionella bacteria in water systems - Approved Code of Practice and guidance (L8)”. https://www.hse.gov.uk/pubns/books/l8.htm
[2] HSE, “Legionnaires’ disease: Technical guidance (HSG274)”. https://www.hse.gov.uk/pubns/books/hsg274.htm
[3] HSE, “Legionnaires’ disease - what you must do”. https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm
[4] CDC, “Controlling Legionella”. https://www.cdc.gov/control-legionella/index.html
[5] Legionella Control Association, “Code of Conduct for Service Providers”. https://www.legionellacontrol.org.uk/