---
title: "The importance of regular audits to avoid enforcement"
source_url: https://legionella.io/articles/the-importance-of-regular-audits-to-avoid-enforcement/
canonical_url: https://legionella.io/articles/the-importance-of-regular-audits-to-avoid-enforcement/
pillar: "Common Failures & Enforcement"
summary: "Regular Legionella audits catch outdated assessments, open remedial actions and unproven records before an HSE inspector does. The audit mistakes to fix first."
primary_keyword: "Legionella audits"
date_published: 2025-10-08
date_reviewed: 2026-06-26
author: "Legionella.io editorial team (REMOTE TECH LTD)"
reviewed_against: "HSE L8 and HSG274 guidance"
region: "United Kingdom"
license: "(c) REMOTE TECH LTD. Quote freely with attribution and a link to source_url."
---

# The importance of regular audits to avoid enforcement

An improvement notice rarely arrives because a building had no Legionella controls at all. It arrives because the controls on paper had quietly stopped matching the building in front of the inspector, and nobody had looked closely enough to notice. A regular Legionella audit is the thing that looks. Done honestly, it is the cheapest insurance you have against an enforcing authority finding that gap before you do.

The word "audit" puts people off because it sounds like more paperwork on top of the records you already keep. It is not. An audit is a deliberate step back to ask one question: if someone independent walked in today and tested every claim in your records against the actual system, would the two still agree? Usually the controls themselves are fine. The damage is done by small drift that nobody owns, and by a handful of audit habits that make the whole exercise pointless.

## What a regular audit is actually checking

A risk assessment tells you what should be controlled. A written scheme says how. Routine monitoring records say it happened. An audit sits above all three: it checks that those documents are current, consistent with each other, and true. UK guidance sets the bar a competent regime is measured against, with L8 as the Approved Code of Practice and HSG274 as the technical detail [1][2]. An audit is simply you measuring yourself against that bar before anyone else does.

This matters because HSE's position is consistent. A foreseeable risk has to be assessed, controlled, monitored and reviewed, and the duty holder stays accountable for all of it even when the hands-on work is contracted out [3]. An audit is how you generate the evidence that the loop is genuinely closed. [Inside an HSE Legionella inspection](https://legionella.io/articles/inside-an-hse-legionella-inspection-what-inspectors-look-for/) shows what that scrutiny looks like from the other side of the table.

## The audit mistakes that turn into enforcement notices

The failures below come up again and again. None of them are exotic engineering problems. They are ordinary lapses in how organisations check themselves.

### Auditing the paperwork, not the water system

What it looks like: someone sits in the office, confirms the logbook is filled in, the risk assessment is signed and the contractor reports are filed, then signs the audit off. What it does not include is a walk of the plant room and the outlets.

Why it happens: the records are easy to reach and the building is not. Reading a folder takes an hour; checking whether the sentinel outlet named in the assessment still exists after a refit takes a morning.

The fix: every audit has to leave the desk. Take a sample of recorded readings and trace them back to the real fitting. Does that tap still exist, is it reachable, does the temperature hold? A record you cannot tie to a physical point is not evidence of control; it is evidence that a form got completed.

### Auditing against an outdated risk assessment

What it looks like: the audit confirms every task in the scheme was carried out, so it passes. But the scheme rests on an assessment written before a wing was refurbished, a tenant changed, or half the building dropped into intermittent use.

Why it happens: the assessment feels like the fixed point, so nobody questions it. BS 8580-1 is clear that a Legionella risk assessment should be reviewed and kept current [5], yet "review it when something changes" quietly becomes "never review it".

The fix: start the audit by listing what has physically changed since the assessment was written. New occupancy patterns, dead legs left behind by removed fittings, altered hot-water plant; any of these can move the risk. If the building has changed and the assessment has not, that is your first finding, and everything downstream is suspect. [Misinterpreting guidance](https://legionella.io/articles/misinterpreting-guidance-common-compliance-misunderstandings/) covers how a stale baseline pushes teams into controlling the wrong thing.

### Closing the audit but leaving the actions open

What it looks like: the audit produces a tidy list of findings, the report is filed, and three months later the same remedial actions are still open with no owner and no date.

Why it happens: finding problems feels like progress; fixing them is harder and competes with everything else on a facilities desk. An open-actions list with no accountability is precisely what an inspector reads first, because it proves you knew about a gap and let it sit.

The fix: every finding gets a named owner, a deadline, and a defined escalation route if the deadline slips. The audit is not closed when the report is written. It is closed when the last action is verified done. Track the open list between audits, not only at the next one.

### Marking your own homework

What it looks like: the person who runs the monitoring regime is the same person who audits it. They know it is fine, so it always passes.

Why it happens: it is convenient, and they know the system best. But familiarity is exactly what hides drift. You stop seeing the outlet that has been "temporarily" out of service for a year.

The fix: build in independence, whether that is a colleague from another team, a head-office review, or a competent external provider. The Legionella Control Association's code of conduct is a sensible benchmark when you bring one in [6]. The auditor's job is to stay unconvinced until the evidence convinces them.

### Treating the audit as a once-a-year tick

What it looks like: a single annual audit scheduled to suit the calendar, with eleven months of silence either side.

Why it happens: annual fits the budget cycle and the contract. The trouble is that risk does not move on an annual cycle. A seasonal closure, a staffing handover or a run of empty rooms can build a problem in weeks.

The fix: match audit frequency to how much your building actually changes, and run lighter interim checks on the things that drift fastest, such as low-use outlets and temperature trends. Buildings with swinging occupancy need more frequent eyes, as [Seasonal buildings](https://legionella.io/articles/seasonal-buildings-managing-intermittently-used-properties/) explains.

## If you only fix one thing

Make the open-actions list the spine of the whole programme, and put someone independent in charge of it. A current assessment and clean readings still leave you exposed if known gaps sit unresolved. The reverse is also true: an organisation that finds its own problems and demonstrably closes them is in the strongest position if an inspector calls. Enforcement targets unmanaged risk, not honest, documented work in progress.

## A note on limits

An internal audit is a management check, not a replacement for a competent, site-specific risk assessment, and a clean audit is not proof that your water is safe. It tells you your evidence and your system agreed on the day you looked. Any temperatures, sampling intervals or review periods you test against come from your own assessment and the people who set it, not from a generic figure; HSE is explicit that testing frequency follows the system and the risk assessment rather than a fixed schedule [4]. If an audit surfaces something you cannot interpret, treat it as a trigger to get competent advice, not a box to close.

## FAQ

### How often should we audit our Legionella control programme?
There is no single legal interval. Set the audit frequency in your risk assessment and tie it to how much the building changes, then audit sooner after anything significant, such as a refurbishment, a change of occupancy or use, new contractors, or a run of monitoring results outside the expected range [2]. An annual formal audit backed by lighter interim checks suits many sites, but confirm the right rhythm for yours.

### Is a Legionella audit the same as a risk assessment?
No. A risk assessment identifies the hazards and sets the controls. An audit checks that those controls are still appropriate, are actually being carried out, and can be proven from the records. You need both: an audit against an out-of-date assessment only confirms that you are doing the wrong things consistently.

### Will a clean internal audit protect us if the HSE inspects?
It helps considerably, but only if it was honest and acted on. A self-audit that walks the system, names the gaps and shows them being closed is strong evidence of a managed regime. One that rubber-stamps the paperwork without leaving the office offers little protection, because an inspector will test the records against the building [3].

## Related reading
- [Inside an HSE Legionella inspection: what inspectors look for](https://legionella.io/articles/inside-an-hse-legionella-inspection-what-inspectors-look-for/)
- [Misinterpreting guidance: common compliance misunderstandings](https://legionella.io/articles/misinterpreting-guidance-common-compliance-misunderstandings/)
- [Seasonal buildings: managing intermittently used properties](https://legionella.io/articles/seasonal-buildings-managing-intermittently-used-properties/)

## Sources
- [1] HSE, "Legionnaires' disease. The control of legionella bacteria in water systems - Approved Code of Practice and guidance (L8)". https://www.hse.gov.uk/pubns/books/l8.htm
- [2] HSE, "Legionnaires' disease: Technical guidance (HSG274)". https://www.hse.gov.uk/pubns/books/hsg274.htm
- [3] HSE, "Legionnaires' disease - what you must do". https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm
- [4] HSE, "Testing and monitoring your water system for legionella". https://www.hse.gov.uk/legionnaires/testing-monitoring-water-system.htm
- [5] BSI, "BS 8580-1:2019 - Risk assessments for Legionella control. Code of practice". https://knowledge.bsigroup.com/products/water-quality-risk-assessments-for-legionella-control-code-of-practice-1
- [6] Legionella Control Association, "Code of Conduct for Service Providers". https://www.legionellacontrol.org.uk/
