Mike Sopp examines the importance of developing and implementing an appropriate auditing process.
Article 11 of the Regulatory Reform (Fire Safety) Order, or the equivalent in Scotland and Northern Ireland, requires the responsible person to “give effect to such arrangements as are appropriate, for the effective planning, organisation, control, monitoring and review of the preventive and protective measures” that must be applied to manage fire risks to relevant persons.
Although Article 11 does not specifically make mention of auditing, there is clearly an implied requirement to undertake such a process to meet requirements of the above. Auditing also forms a key element of any management system cycle that may be applied to fire safety.
However, if the responsible person/dutyholder fails to develop and implement an appropriate auditing process, the effectiveness of auditing will be negated.
PAS 7: Fire Risk Management System Specification defines an audit as a “systematic independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which the specified criteria are fulfilled”.
Put more succinctly, UK Government guidance states that “a pre-planned audit can quickly identify if there have been any significant changes which may affect the fire safety systems”.
Auditing can be a useful tool in assisting the responsible person/dutyholder with the development of the fire safety system by:
confirming statutory compliance and best practice standards are being met
confirming that the fire safety management system is working as it should
identifying strengths and weaknesses within the management system
providing feedback and assurance to the organisation’s governance bodies over fire safety
helping with the creation of action plans to make improvements on areas of non-compliance
helping to ensure that resources are committed to fire safety and that these are used to best effect in terms of risk control.
Certainly, the need for auditing is now recognised in key fire safety-related documents. For example, BS9999: Fire Safety in the Design, Management and Use of Buildings — Code of Practice notes that a key function of a fire safety manager is to ensure that “audits are carried out as necessary” and that an “audit should be carried out as a matter of routine and especially when there are significant changes to personnel, or the usage of the building”.
Similarly, PAS 7: Fire Risk Management System Specification suggests that the purpose of the audit is to provide information on whether a fire risk management system conforms to organisational requirements and is effectively implemented and maintained.
Auditing can be undertaken internally (first-party audits) and often forms part of a self-declaration of conformity but can also be undertaken by external stakeholders including independent audit organisations, customers or enforcing authorities (second and third-party audits).
Clearly, those undertaking external audits will follow best industry practice, depending upon the circumstances of the audit.
For internal audits, organisations can follow various best practice documents, including PAS 7 and BS EN ISO 19011: Guidelines for Auditing Management Systems. The former document suggests that the organisation should:
plan, establish, implement and maintain an audit programme
define the audit criteria and scope for each audit
select auditors and conduct audits to ensure objectivity and the impartiality of the audit process
ensure that the results of the audits are reported to relevant management
retain audit records as evidence of the implementation of the audit programme and the audit results.
BS EN ISO 19011 contains a number of principles that aim to make the audit an effective and reliable tool. These principles are integrity of auditors, fair presentation of findings, due professional care in the audit process, confidentiality, independence and the use of an evidence-based approach to reach reliable and reproducible audit conclusions.
Competence is a key element of any audit programme. BS EN ISO 19011 highlights that the person managing the audit programme must have sufficient competence in the audit process and have sufficient knowledge of the activities to be audited. Similarly, PAS 7 states that auditors must be a “person with the demonstrated personal attributes and competence to conduct a fire risk management system audit”.
In terms of competence, auditors need to understand their task, have the experience and knowledge of the relevant standards and systems they are auditing to enable them to evaluate performance and identify deficiencies. Auditors should also be familiar with the requirements set out in any relevant legislation.
In addition, auditors should be “independent of the part of the organisation or the activity that is to be audited”.
In essence, auditing is about collecting information and then making judgments about its adequacy and performance. Generally, there are three sources of information that can be drawn on when carrying out the audit, as follows.
Documentation including fire risk assessments, emergency plans, policies, maintenance records for any fire-related precautions (eg detection and alarm systems), outcomes from investigations of incidents, external audit findings, etc.
Physical observations to indicate that fire safety measures are being maintained and used effectively. Matters that can be considered will include both internal and external features such as means of escape, final exits, good housekeeping, signage, waste storage, security and working practices.
Staff interviews to gain information about the operation of the fire safety management systems, risk control measures and fire safety climate. Consideration has to be given to who to interview, at what level within the organisation and their role in relation to fire safety.
Evidence gained should be evaluated against the audit criteria in order to determine audit findings, which can indicate conformity/good practice or non-conformity with the set criteria.
PAS 7 contains a useful checklist that reflects the requirements of a modern management system based upon best practice requirements found in the various system standards that are available.
There are no set methodologies for rating or grading non-conformity outcomes but it is useful to formulate some form of system, either qualitative or quantitative so as to prioritise remedial action. This may also be useful when numerous and/or similar parts of the organisation are to be audited as a comparison of compliance to the management system can then be used to make judgments as to future resource allocation to make improvements.
An audit report should be developed that summarises the audit process, its outcomes, any supporting evidence, opportunities for improvement and any recommendations.
The results of the audit, through the subsequent report, should be communicated to all relevant parties as soon as possible, to allow corrective actions to be taken. When communicating the information contained within the report, confidentiality must be given consideration and it may be necessary to redact the audit for some stakeholders.
In particular, findings should be reviewed with managers responsible for the area audited in order to obtain acknowledgment that the audit evidence is accurate, and that non-conformities are understood. The senior management team should also consider the outcomes of the audit and take appropriate action as necessary within an appropriate time.
Finally, an important element of the audit process is a review and where necessary, follow-up audit to determine the success or otherwise of the implementation of the recommendations.
BS EN ISO 19011: Guidelines for Auditing Management Systems
PAS 7: Fire Risk Management System Specification
BS 9999: Fire Safety in the Design, Management and Use of Buildings — Code of Practice
PAS 911: Fire Strategies — Guidance and Framework for their Formulation
Last reviewed 26 September 2017