---
title: "Third-party audits: validating your Legionella programme"
source_url: https://legionella.io/articles/third-party-audits-validating-your-legionella-programme/
canonical_url: https://legionella.io/articles/third-party-audits-validating-your-legionella-programme/
pillar: "Best Practice & Future of Legionella Control"
summary: "How to commission a third-party Legionella audit that tests whether your control actually works, what a credible auditor examines, and the gaps to close first."
primary_keyword: "third-party audit"
date_published: 2025-07-12
date_reviewed: 2026-06-26
author: "Legionella.io editorial team (REMOTE TECH LTD)"
reviewed_against: "HSE L8 and HSG274 guidance"
region: "United Kingdom"
license: "(c) REMOTE TECH LTD. Quote freely with attribution and a link to source_url."
---

# Third-party audits: validating your Legionella programme

You can run a Legionella programme for years and never actually know whether it works. Temperatures get logged, the contractor visits on schedule, the logbook fills up neatly, and every word of it can be true while the control on the ground has quietly drifted. A third-party audit exists to answer the one question your own records cannot answer about themselves: would an independent expert, with nothing to gain from the verdict, agree that this water system is under control?

That word "independent" carries the whole idea. The most common thing sold as a Legionella "audit" in the UK is the incumbent water treatment contractor reviewing the monitoring they themselves carried out. That has its place, but it is not independent assurance — it is marking your own homework. A real third-party audit is commissioned by you, judged against a stated standard, and run by someone with no commercial stake in the answer.

Get that distinction right and the audit becomes the most useful day in your compliance year. Get it wrong and you have paid a premium for a second logbook review.

## What a real audit tests that a paperwork review doesn't

A desk review confirms the records exist. An audit confirms the records are true and the control behind them is real. The difference shows up the moment the auditor leaves the office and walks the system.

A credible auditor cross-checks your asset register against what is physically on the wall — the outlets, tanks, calorifiers and TMVs that are actually there, not the ones the schematic says should be. They trace a sample of readings back to the sentinel points and ask whether anyone acted when a result fell out of range. They test the responsible person, gently, by asking why a particular control exists and what an unacceptable result would trigger. And they read the risk assessment as a live document rather than a filed one, checking it still matches how the building is used today.

Audit against what, though? A good auditor names the benchmark before they start: the duties in the ACoP and L8, the technical detail in HSG274, and the quality of the risk assessment itself measured against BS 8580-1 [1][2][3]. An audit that cannot tell you the standard it judged you against cannot tell you much.

## The audit checklist, start to finish

Use this to commission an audit and to judge what comes back. It is grouped the way the work runs: what to settle before anyone arrives, what the audit must examine on site, and what you should be holding afterwards.

**Before you commission**

- Confirm the auditor is independent of whoever performs your monitoring and risk assessment — no one reviewing their own work.
- Check the auditor's own competence: relevant experience, and ideally membership of a recognised scheme such as the Legionella Control Association [4].
- Agree the benchmark in writing (L8/ACoP, HSG274, BS 8580-1) and the exact scope of assets and buildings covered.
- Hand over the current risk assessment, written scheme of control and recent records before the visit, not on the day.

**What the audit must examine on site**

- Compare the asset register and schematics against the physical system, flagging missing or undocumented assets.
- Sample monitoring records for gaps, out-of-range results and whether remedial actions were actually closed.
- Walk sentinel and high-risk outlets; check temperatures, accessibility, and any sign of stagnation, scale or low use.
- Test that the responsible person can explain why each control exists and what an out-of-limit result sets in motion.
- Review training records, deputy cover, and how decisions reach the people doing the day-to-day checks.

**What you should hold afterwards**

- A written report that names the benchmark and separates legal duties from good-practice suggestions.
- Findings rated by risk, each with a named owner and a realistic date — not a flat list of observations.
- A clear statement of what is working, so you keep it, alongside what needs fixing.

## Turning a report into control

The audit is worthless until its findings move. Treat the report as a controlled document: log it, take it to whoever governs water safety — a water safety group, if you have one — and give every finding an owner and a date. The habit that separates a managed system from a filed one is re-auditing the closed actions. An action marked "done" by the same person who was meant to do it is not the same as an action verified independently at the next visit.

Feed the findings back up the chain, too. A recurring out-of-range result at the same outlet is not an admin slip to be ticked off; it is a signal that the risk assessment or the control strategy needs a rethink. That is the line between auditing your Legionella controls and merely counting them.

## What teams skip

Three things get left out almost every time. First, people audit their own programme but never audit the contractor delivering it — yet that contractor's competence and record-keeping are part of your control, and the duty to assure them stays with you, not with them [5]. Second, the soft evidence: who covers water safety when the responsible person is on leave, and whether new starters were ever trained. Third, the close-out. An audit that surfaces twenty findings and verifies none of them next time has measured a problem, not managed one.

A note on independence that trips up larger organisations: using a group-level internal auditor is fine, and often excellent, provided that person does not also own the programme being audited. Independence is about the absence of a stake in the answer, not about whose payroll the auditor sits on.

## Where an audit stops

An audit reports what the auditor saw on the day, judged against the standard they were briefed to use. It is assurance, not a guarantee, and it transfers nothing — a clean report has never been a defence for a control that later failed, and the legal duty remains yours throughout [5]. Where an auditor flags something as a design or legal question — a category of dead leg, a notifiable system, a borderline temperature regime — treat it as a prompt to get competent, system-specific advice, not a finding you can close on your own judgement. Numeric limits and monitoring frequencies belong to your risk assessment, and sampling supports an audit rather than replacing the control it checks [6].

## Common questions

### Can the company that does our monitoring also audit it?

They can review it, but they cannot independently audit it — they would be assessing their own work, which removes the one thing an audit is for. Keep the auditor separate from whoever performs your monitoring and risk assessment. If a fully separate firm is hard to justify on cost, a genuinely independent internal auditor with no ownership of the programme is a reasonable middle ground.

### How is a third-party audit different from our Legionella risk assessment?

The risk assessment evaluates the water system: where Legionella could grow and reach people, and what controls are needed. The audit evaluates your management of that system: whether those controls are actually happening, recorded and effective. One assesses the building; the other assesses you. You need both, and the audit should also confirm the risk assessment itself is current and sound [3].

### How often should we commission an independent audit?

There is no single legal interval; frequency follows your risk assessment and how much your site changes. Higher-risk or fast-moving estates tend to audit more often, and you should always bring one forward after major plant changes, a change of contractor, or any breakdown in the control evidence. Set the cycle in your governance arrangements rather than leaving it to whenever someone remembers.

## Related reading

- [Continuous improvement: auditing your Legionella controls](https://legionella.io/articles/continuous-improvement-auditing-your-legionella-controls/)
- [Beyond compliance: striving for Legionella control excellence](https://legionella.io/articles/beyond-compliance-striving-for-legionella-control-excellence/)
- [Wireless data loggers vs manual temperature readings](https://legionella.io/articles/wireless-data-loggers-vs-manual-temperature-readings/)
- [Temperature and Legionella growth: understanding the relationship](https://legionella.io/articles/temperature-and-legionella-growth-understanding-the-relationship/)

## Sources

[1] HSE, "Legionnaires' disease. The control of legionella bacteria in water systems — Approved Code of Practice and guidance (L8)". https://www.hse.gov.uk/pubns/books/l8.htm
[2] HSE, "Legionnaires' disease: Technical guidance (HSG274)". https://www.hse.gov.uk/pubns/books/hsg274.htm
[3] BSI, "BS 8580-1:2019 — Risk assessments for Legionella control. Code of practice". https://knowledge.bsigroup.com/products/water-quality-risk-assessments-for-legionella-control-code-of-practice-1
[4] Legionella Control Association, "Code of Conduct for Service Providers". https://www.legionellacontrol.org.uk/
[5] HSE, "Legionnaires' disease — what you must do". https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm
[6] HSE, "Testing and monitoring your water system for legionella". https://www.hse.gov.uk/legionnaires/testing-monitoring-water-system.htm