At the check out

With third party certification moving rapidly centre stage, Richard Jenkins reveals exactly how the auditing process works in practice

THIRD PARTY certification (TPC) is fast rising up the post Grenfell agenda, its importance being recognised in a raft of review reports examining how to improve fire safety in the wake of the 2017 tragedy.

In October 2020, the final report – Setting the Bar – of the cross industry’s Competence Steering Group contained a number of key recommendations recognising the value of TPC and calling for its adoption in areas including fire risk assessments. Indeed, the report declares that there should be a statutory duty to use accredited fire risk assessors to conduct assessments on ‘in scope’ multi occupant residential buildings more than 18m or six storeys high.

In addition, TPC is an important consideration in the draft Building Safety Bill (BSB), published in July 2020 and which, once passed, will represent the biggest change in building legislation for almost 40 years.

NSI’s firm view, expressed in its consultation response to the BSB’s proposals, is that TPC should be more widely adopted to help govern the sector, since independent audit of competence and management control can demonstrably improve outcomes and help raise standards for a range of fire safety measures which the public can rely on.

TPC in the fire safety sector is not new, but is purely voluntary. Leveraging it to raise standards and safety is currently restricted to those providers and buyers of services which believe in its merits. Organisations holding TPC demonstrate their predisposition to continuous improvement and its benefits in terms of organisational effectiveness, as well as the quality of fire safety systems and services delivered.

Independent TPC plays proxy for the discerning buyer. It serves to give confidence in the capability and integrity of providers, with the reassurance of quality services supplied by companies which meet relevant standards and operational codes of practice. The work of all certification bodies delivers value that the market can rely on.

For almost 20 years, NSI has been involved in the TPC of fire system providers, and within the security sector it has been in the ‘inspectorate business’ for 50 years. Unlike other certification bodies, NSI operates a two tier approach – Gold and Silver level approvals – allowing companies to choose the tier that suits them best.

NSI Gold signifies that, in addition to complying with industry specific standards such as BS 5839-1: 2017: Fire detection and fire alarm systems for buildings. Code of practice for design, installation, commissioning and maintenance of systems in non-domestic premises, the provider also operates an ISO 9001 quality management system.

The ISO 9001 quality management system and industry specific standards are bridged through NSI’s unique quality schedules. Quality management systems are sometimes discounted as adding little value. NSI holds that when it comes to activities such as employee screening, competency management, maintenance programmes and the like, a management system might be taken for granted by buyers but is an essential element in the overall package that providers deliver.

Lifting the lid

So having described the advantages of certification to end user customers, buyers, specifiers and insurers alike, what are the specific operational implications for service providers? In practice, certification is attained and maintained through a rigorous ongoing audit programme – a not insignificant investment cost for the approved company.

There are clear benefits to operating in line with approval in terms of operational effectiveness, demonstrably maintaining competence and capability. The certification process for applicant service providers involves ‘due diligence’ checks on the company’s financial stability, along with verification of company directors and an assessment of the competency of key individuals involved in the provision of the service for which certification is sought.

In the case of fire detection and fire alarm systems, for example, this includes system designers. Once all checks are completed successfully, an auditor with specific expertise in the relevant discipline is assigned to carry out an initial certification audit. This process usually takes two to three days, depending on the size of the company and the certification applied for.

The procedure involves sample auditing of the applicant company’s office processes and procedures. This includes looking at client files, checking competency and continuing professional development (CPD) records for personnel involved in providing the system or service, and looking at the processes for providing the product or service.

Importantly, audits are also conducted on site at premises where systems have recently been installed or where risk assessments are being carried out. This allows the auditor to assess the competency of the individuals involved in providing the system or service, as well as the quality of the system or service itself.

 However, the initial certification audit is only the start of the process. Once a company has achieved its initial certification, it signs up to a programme of ongoing annual audits to ensure continued compliance with relevant standards, codes of practice and applicable legislation.

A strong focus is maintained on the ‘continual improvement’ process within the company by looking to see if a company is realistically and tangibly reviewing its processes and procedures, to enhance its performance and increase the quality of the product or service provided to the customer.

Every third year, approved companies undergo a major ‘recertification audit’. This involves the auditor evidencing existing competence by sampling relevant activities to ensure the provider continues to meet the benchmark standards required. If successful, the approved company is issued with a renewed certificate of approval spanning the following three years.

Auditing the auditors

Certification bodies, including NSI, earn their own accreditation through opening themselves up to the scrutiny of auditors at the United Kingdom Accreditation Service (UKAS), the sole national accreditation body for the UK (both before and after Brexit). UKAS tailors its audit programmes so that all certification bodies are comprehensively audited in accordance with international guidelines, such as International Accreditations Forum (IAF) documents.

Adaptability has been a key element for certificating bodies in maintaining the necessary rigour of the auditing process during the COVID-19 pandemic. Different approaches have been adopted as solutions to this conundrum, but given the various lockdown and tier guidance issued by the governing authorities across the four nations of the UK over the past year, NSI has evolved its audit programmes with what it calls its ‘blended approach’.

This incorporates remote audits – using communications technologies where they are appropriate – into its audit programmes, complementing the rigour of essential site visits. Interest in remote auditing has exploded dramatically over the last 12 months. COVID-19, so the headlines have it, means that in the world of auditing the time for remote audit has come.

Where audit programmes require a focus on reviewing and a reliance on documentation, the now widely familiar technologies of Skype, Teams, Zoom and the like go a long way to making this possible. Yet there are solid reasons why remote auditing is not always practically possible or desirable.

On site audits continue to be valuable in gathering evidence of compliance to technical product (and service) standards. NSI’s adopted blended audit strategy is a carefully considered combination of remote and on site audit capability, which is fit for the future post pandemic world and in sync with government COVID-19 guidelines.

As part of NSI’s new blended audit programme, remote audits are now being routinely carried out at NSI’s discretion for assessing ‘management system’ requirements, where process and control has a greater emphasis on documentation; whilst on site verification and evidence gathering of service delivery ensures that the audit jigsaw is completed.

Understanding the pros and cons and the limits of what can be achieved through remote auditing is key. So what is its place in the auditor’s toolbox? What are the benefits and drawbacks?

Pros and cons

Remote audit means many parts of an audit programme jigsaw can now be completed without a physical, on site presence. However, in many sectors, and certainly in the fire safety sector, remote auditing is not and never will be a universal panacea for the public and businesses reliant on the certification proxy.

To suggest that it is, is folly: it cannot be considered a complete confirmation of the ongoing ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements. Without on site verification and evidence gathering of service delivery, the audit jigsaw remains incomplete.

‘Trust in the audit’ is key: when an auditor has physical access during face to face, one to one interviews, the strength of evidence gathered is unquestionably greater; confidence in observations and reports made first hand is stronger; and the opportunity to seek clarification when needed is far more open. Unscrupulous auditees have much less opportunity to be economical with the truth, disguise grey areas and hide non conformities during physical audits. The opportunity for auditors to dip sample ‘off piste’ and ‘kick the tyres’ in a free ranging way is clearly easier in person.

Non verbal signals evident in a face to face meeting can be virtually impossible to detect during a remote audit, lessening the opportunity for in depth situational analysis. Moreover, the auditor’s skill in triangulating fully the evidence presented through independent interview of multiple parties and ‘disconnected’ documentation is severely hampered and potentially nullified.

Only where information gathering is highly structured, with an audit trail readily reviewable and dip sampling facilitated by business tools, can remote auditing deliver unquestionably. Establishing the new normal for the use of these tools is crucial. Will the pendulum swing too far toward remote audit, as early enthusiasm in the technology takes hold? It’s almost inevitable. The rules of successive approximation dictate it.

Will the take up of remote audits add value in the world of certification? In many cases, most certainly. Finding the optimal balance for each client, as part of its individually designed blended audit programme, is the job of the certification body.

An important factor

Certification (or approval) is being seen as increasingly important in keeping people safe. Post Grenfell, the Setting the Bar report, the draft BSB and other legislation currently underway – including the Fire Safety Bill and the separate review of the Regulatory Reform (Fire Safety) Order 2005 now being considered – all point to it.

This is not the time for the industry or legislators to tolerate watering down TPC with ineffectual light touch regimes. On the contrary, NSI approved companies know that maintaining approval with teeth might, from time to time, seem an effort or even a challenge, particularly as standards evolve and prompt businesses to move with the times.

But in the round they also know that TPC, as evidence of competency and capability which buyers of fire safety products and services can rely on, helps save lives and protect property

Richard Jenkins is chief executive of NSI