No one looks forward to an audit. They are inevitable, but you can make sure you get additional value from the process, rather than just ticking a box for the regulator. It is not often you have the opportunity to take a critical look at how the risk management plan is working, let alone having an independent risk management specialist whose main focus look for ways to improve your processes.
Audits don’t need to be onerous or daunting; a little bit of preparation can make the audit run smoothly and take the pressure off staff and improve the audit outcomes. Here are a couple of recommendations from our auditors.
Understand the audit scope: The water regulators often issue guidelines on undertaking regulatory audits which include the audit scope, audit criteria and the auditable elements of the risk management plan. It is a good idea to look at this and understanding why you are auditing and what will be audited before commencing down the audit path.
Get the right auditor: Make sure your auditor has the necessary accreditations and experience. If your regulator doesn’t require preapproval of your auditor, it could be a rude shock if the audit report is rejected for the auditor not being appropriately qualified.
Ensure that they specialise in water quality and risk management and have audited water quality risk management plans. Findings from the audit are based on the knowledge and experience of the auditor. It’s important for the auditee and regulator that audit findings are appropriate, practical and actually improve risk management.
Speak to other utilities to get an independent reference.
Consider undertaking an internal audit prior to the regulatory audit: A pre-audit or internal audit can help gather evidence, identify gaps in compliance and identify opportunities for improvement, that can be implemented prior to the regulatory audit. When internal auditing becomes business as usual, preparing for the regulatory audit can be less onerous.
In QLD recycled water providers with an approved recycled water management plan are required to undertake internal audits at the frequency specified in the approval notice.
Gather the right evidence: Make sure that you have the evidence on hand to demonstrate your compliance. Think about the documents that can confirm that you are implementing your plan, for example, if the risk assessment identifies a standard operating procedure (SOP) for implementing a preventive measure, ensure that:
the SOP is up-to-date
accessible
required forms completed
any training recorded and available
If your DWQMP requires inspections, how can it be demonstrated to the auditor that they are undertaken? The use of checklists is a good idea. Make sure they are filled out and available at the time of the audit.
Most plans have improvement actions. If there is an action to be completed in the audit period, gather evidence to demonstrate that it was complete or if it wasn’t, what was the reason?
Maintain records of communications with the regulator in relation to compliance issues. Keep emails to demonstrate submission of annual report and reviews are on time.
Ensure documentation is up to scratch: Auditors collect evidence through the following:
review of documentation and records
observation of practice
interviews with staff
A sure-fire way of getting a non-compliance is not maintaining the documents and records that are referenced in the DWQMP. Check that:
evidence is relevant to the audit period
documents are up-to-date and reviewed as required
easy to access
records are kept
Have the right people at the audit: Implementing a risk management plan requires a team effort. Plan to have the people who are responsible for implementing the auditable elements attend the staff interviews and site visits. Not only does this spread the workload during the audit, it also encourages ownership for implementing the management plan.
Have executives involved in the opening and closing meeting, so that management is aware of your work and its importance.
Don’t be too hard on yourself: Risk management is a continuous improvement process, so don’t be put off by minor non-compliances and opportunities for improvement. Whilst compliance is the aim, non-compliance is not an indicator of how good or bad you or your organisation are, and all organisations do some things better than others. Having processes for improvement are vital in improving compliance.
Use the audit findings to drive the improvement plan processes: Implement the findings of the audit and track how you are going. You will be able to show the effectiveness of your improvement program and improve your compliance grade at the next audit.
