Technical regulatory assurance

All our audit activity starts with establishing the context. This ensures a full understanding of organisational objectives, stakeholder requirements, and pertinent issues, as well as confirming information security and confidentiality needs.

Having established the context, we will then collaboratively design the audit programme with you while ensuring the integrity of the programme is maintained at all times. The programme will be designed to prioritise the assessment of areas of inherently higher risk or lower performance. The resulting programme is documented in our standard template and managed by a dedicated project manager for each audit programme. Every audit programme will have formal review points to assess the need for changes and identify improvement opportunities.

In establishing the audit programme objectives, we will work with you to understand the needs and expectations of internal and external stakeholders (including regulators). We will also consider the maturity of the management system being reviewed and any recent history of non-conformance or known risks and issues.

We recognise the importance of aligning scope across multiple audits, potentially being delivered by separate auditing companies. Our approach ensures a thorough understanding of the scopes of separate audit programmes and audits, seeking alignment with minimal overlap through the sharing of risk registers and joint meetings where appropriate, as detailed below.

We will establish a formal audit programme risk register at the start of every programme. This ensures risks relating to planning, resources, team selection, communication, implementation, document control, and availability are effectively mitigated. We will also review opportunities to maximise value by optimising the audit programme, aligning with client availability, and matching audit team to the level of capability required to achieve the audit objectives.

The audit programme will be established by the lead assurer. The lead assurer will be an industry expert in audit principles, methods, and processes. They will have an in depth understanding of the management system under audit, and any associated regulatory requirements. They will ensure appropriate continual professional development to maintain their competence to manage the audit programme.

The lead assurer is accountable for the following:

• Maintain independence from company management and delivery teams to ensure objectivity, having regard to the regulator
• Demonstrate technical competence in infrastructure delivery, assurance, and the sector
• Assure the credibility, governance and deliverability of regulated plans and delivery
• Base assurance judgements on verifiable evidence such as delivery schedules, risk registers, and governance documentation
• Produce clear, structured reports outlining assurance levels, risks, and alignment with regulatory expectations

To determine the appropriate level of resources required to deliver the audit programme, the lead assurer uses our audit resource allocator. This tool combines the number, extent and method of audit with an initial view of availability of documented information and other evidence to establish an estimate of the level of effort required. The tool is then used to allocate team members with the appropriate level of expertise to determine the total audit programme requirements. We then use our workbook tool to allocate and schedule the audit programme.

All our audit programmes begin with a kick-off meeting between the client and all individuals tasked with delivering the programme. This meeting covers the following elements:

• Define the objective, scope and criteria for each audit
• Confirm the audit methods to be applied
• Coordination and schedule of audits, including site visits if required
• Definition of operational controls to monitor audit programme performance
• Confirm ongoing communication programme

At the kick-off meeting, we also share a bespoke introduction slide which can be circulated to the people being audited to introduce Aqua Consultants and the scope of the audit

Each individual audit will be based on defined audit objectives, scope and criteria that align with the overall audit programme. The audit scope will include the locations, functions, activities and processes to be audited, as well as the time period covered by the audit.

The audit criteria will be the reference against which conformity is assessed. This may be based upon regulatory requirements, system specifications, codes of conduct, documented policies and procedures, or the risks and opportunities identified by the client.

We maintain audit records throughout the programme. These records include:

• Audit programme schedule and actual completion
• Audit programme RAID log
• Individual audit plan, report, supporting evidence (subject to information security constraints), corrective action log, and follow-on audit findings
• Audit resource allocator
• Lessons learned and continuous improvement log

The lead assurer will ensure the objectives and scope of each individual audit are met. They will review and approve all audit reports, ensuring consistency across each individual audit. The lead assurer will also assess the effectiveness of the proposed actions to address the audit findings based on the evidence presented and ensure that findings and reports are communicated to the client.

The Aqua Assure approach adds value by identifying any audit findings that may be of relevance to other processes or management systems that you use.

Continuous improvement is embedded within the Aqua Assure approach. We take a structured approach to capturing lessons learned after every audit, which enables the identification of potential areas of improvement. We use this feedback to review and optimise ongoing audit programmes, identify and enhance training and competency needs, and improve our client engagement where required.