Two surveyors in hard hats discussing blueprints

Photo by Fiqih Alfarish on Unsplash

News

Audits and health checks

An audit trail a regulator can follow without you

The test of a compliance record is whether a stranger can read it in order and understand it without you in the room. How to build a trail that passes.

The SAMRISK Team 5 min read

There is a simple test for a compliance record, and most records fail it. Could a stranger pick it up, read it in order, and understand what was assessed, when, by whom and what happened next, without you standing beside them to explain it. If the answer depends on a conversation, a memory or a person who might have left, the trail is not really a trail. It is a set of fragments that you alone can assemble. The point of an audit trail is that it survives the absence of the person who made it, because the moment it is examined seriously is often the moment that person is unavailable.

The trail is the asset, not the audit

It is tempting to think the audit is the valuable thing and the trail around it is administrative overhead. In practice it is the other way round. A flawless audit with no record of who did it, when, and what was done about its findings is hard to rely on. A modest audit embedded in a clear, dated history is defensible. Regulators, insurers and courts do not assess buildings; they assess records of how buildings were managed. The trail is what they read. If it cannot be followed without you, it cannot do its job at the one moment it matters.

What a followable trail contains

A trail that a stranger can read tends to hold the same elements, joined together rather than scattered. For each piece of compliance work, the record should make plain:

  • What was assessed, described well enough that a reader knows the scope without guessing.
  • When, with a date that reflects when the work was actually done, not when the file happened to be saved.
  • Who did it and who approved it, named individuals rather than a team or a job title.
  • What was found, including the things that passed, so the reader can see the assessment was complete rather than only seeing problems.
  • What was done about it, linking each finding to the action that resolved it and the evidence that closed it.
  • What changed since, so the reader can tell the building's current state from its state on the day of the audit.

When these sit together and in sequence, a stranger can reconstruct the story. When they live in different systems, inboxes and drawers, only the author can.

Dates and ownership do the heavy lifting

Two things carry most of the weight in a followable trail: honest dating and named ownership. A record without a reliable date cannot be placed in sequence, and sequence is most of what a reader needs. A record without a named owner leaves the reader unable to tell who was responsible, which is precisely the question an investigation asks first. These are not bureaucratic niceties. Where a building falls within the Building Safety Act 2022 regime, the Accountable Person, and where there are several a Principal Accountable Person, is a named, registered dutyholder for exactly this reason: the law wants a person attached to the building, not a vague collective responsibility. The same principle scales down to every record. Name who owned it and when, and the trail starts to stand on its own.

Freeze the record at the point of approval

A trail that can be quietly edited after the fact is a trail a careful reader will distrust. The fix is to freeze each record when it is approved, so that its content on the day of sign-off is preserved. If the situation changes, the right response is a new dated record that supersedes the old one, not an edit to the original. This gives the reader a sequence of point-in-time documents, each fixed, that together show how the position evolved. A single living file that keeps being overwritten tells the reader only where things stand now, and offers no way to check whether the history was tidied after the event. We set this out in more depth in point-in-time records: freezing an audit when it is approved.

The golden thread is the same idea, made statutory

For higher-risk buildings, the Building Safety Act 2022 gives this principle a name: the golden thread, an accurate, up-to-date digital record of building information held through design, construction and occupation. The intent is precisely a trail a regulator can follow, current and complete, rather than a set of documents that only the people who built and ran the building can interpret. Even where a building sits outside the higher-risk threshold and the statutory duty does not bite, the standard is a good one to hold to. A record built so the Building Safety Regulator could read it cold is a record built well.

Build it so the search is easy

A followable trail is also a findable one. A regulator's first request is usually a specific document, and the speed and confidence with which you produce it says a great deal about how the building is run. If finding the current fire risk assessment means hunting through folders and asking colleagues, the trail is weaker than it looks, even if every document technically exists. Records that are searchable, dated and linked, plans tied to assessments, assessments tied to their actions, actions tied to their evidence, let a reader pull the thread and have the rest follow. Our note on the document a regulator asks for first deals with this from the retrieval side.

Write for the reader who was not there

The habit that produces a good trail is to write every record for someone who was not present and never will be. Not for yourself next month, who remembers the context, but for a stranger in two years who has only the file. That reader needs scope, date, owner, finding, action and outcome, joined up and frozen at each step. Build for them, and the trail will hold whether or not you are in the room when it is examined.

This is the standard SAMRISK is built around: dated and owned records, audits that freeze on sign-off, and a single linked history per building that a reader can follow in order. You can see how it fits together on the audits and safety case pages. The best compliance trail is the one you never have to explain, because it explains itself.