A black pen on white paper

Photo by Akhmad Muzakir on Unsplash

News

Audits and health checks

Who should carry out your audit

The choice between a self-audit, an internal team and an independent auditor is not about cost alone. It is about what each one can credibly tell you.

The SAMRISK Team 5 min read

The question of who carries out an audit usually arrives wearing a cost label, but that is the least interesting thing about it. A self-audit, an internal compliance team and an independent third party each produce a different kind of assurance, and the gap between them is not effort or thoroughness so much as distance. The closer the auditor sits to the thing being audited, the more they know and the less their conclusion is worth as evidence to an outsider. Choosing well means being honest about which of those two things you actually need.

What each option can credibly tell you

It helps to separate the three options by what their findings can be relied on to mean, rather than by who employs whom.

Who auditsWhat it is good forWhere it is weak
Self-audit by the site teamFrequency, local knowledge, catching drift earlyFamiliarity blindness; limited weight as external evidence
Internal audit functionConsistency across a portfolio, independence from the siteStill inside the organisation; can be deprioritised
Independent third partyCredible assurance for boards, insurers, regulatorsCost, scheduling, less day-to-day familiarity

None of these is the "right" answer on its own. A portfolio run entirely on self-audits has no outside check on its own optimism. A portfolio that only ever uses third parties pays a great deal for assurance and learns about problems slowly. Most well-run estates use all three, deliberately, for different jobs.

The case for the self-audit

The self-audit's great strength is frequency. A site team can walk a building monthly, notice that a fire door has started to bind or that a riser cupboard is filling with stored items, and act before it becomes a finding in someone else's report. That early, cheap detection is genuinely valuable, and no external auditor visiting once a year can replicate it.

Its weakness is the same proximity that makes it useful. People stop seeing the things they pass every day. A self-audit catches change well and catches long-standing problems badly, because the long-standing problem has become part of the scenery. The fix is structure: a checklist the auditor follows rather than a walk-round they improvise, so the assessment does not quietly narrow to the things they already worry about.

When independence is the point

Some audiences will not accept assurance from inside the organisation, and they are right not to. A board signing off on a building's safety, an insurer pricing risk, or a regulator weighing a building's management all need to know that the assessment was not marking its own homework. For those readers, the value of the audit comes precisely from the auditor's distance.

This matters more as the regulatory weather changes. Under the Building Safety Act 2022, the Accountable Person for a higher-risk building has to satisfy the Building Safety Regulator that the building's risks are understood and managed, supported by a safety case (RICS). The credibility of that case rests in part on whether the evidence behind it would survive an outsider's scrutiny. An independent audit is one way to test that before the regulator does.

The Grenfell Tower Inquiry's Phase 2 report, published on 4 September 2024, was blunt about the old regime being too complex and fragmented, and its first recommendation was a single construction regulator for England and Wales (gov.uk; Construction Briefing). The direction of travel is towards more external scrutiny, not less, and buildings managed entirely on internal say-so are increasingly exposed.

Matching the auditor to the question

The practical rule is to start from the question and work back to the auditor, not the other way around.

  • If the question is "has anything drifted since last month," a structured self-audit by the site team is the proportionate answer.
  • If the question is "are we consistent across forty buildings," an internal audit function that applies the same standard everywhere is what you want.
  • If the question is "can we prove to someone who does not trust us that this building is well run," only independence will carry the weight.

Trouble usually comes from using the wrong instrument: relying on a self-audit to reassure a board, or paying for a third party to do the routine monthly walk a site team should be doing anyway.

Keeping the trail consistent whoever holds the pen

Whoever carries out the audit, the finding has to land somewhere durable, scored, attributed, and trackable to a close-out. A self-audit and an independent audit are far more useful when they sit in the same system, against the same building, scored on the same scale, because then a third party can see what the site team found last month and a board can see both. The auditor changes; the record should not fragment.

That is the practical argument for holding all three kinds of audit in one place. SAMRISK keeps audits against the building rather than against whoever performed them, so the same building accumulates a consistent history regardless of who walked it. For the related question of where each type fits, our note on self-audits and independent audits: where each one fits goes further, and why an audit is only as good as its sign-off covers what has to happen after the finding is made.

Pick the auditor for the question, use all three over a year, and keep the trail in one place. The audit that reassures the right reader is the one carried out by someone with the right distance from the building.