The audit moment most managers dread
There is a moment in compliance audits where the auditor asks a simple question, and the person responsible for the building produces a paper folder. Then another. Then a third from a different cupboard. Some of it is sorted by date. Some by supplier. Some by no system at all. None of it is wrong. Almost none of it is what was asked for.
The premises is probably more compliant than it looks from the room. It is just impossible to prove on the spot. The auditor writes down what they see, not what is true. The visit ends with an action plan listing things that are usually already in place, just not findable.
This guide is the answer to that visit. It is what to hold, where the duty comes from in law, and what good evidence looks like for each category. Read it once, audit your own paperwork against it, and the next time someone asks the question, the answer is one document, in one place, in under five minutes.
Who this guide is for
This is written for the responsible person, premises manager, office manager, facilities lead or owner of a non-domestic premises in England or Wales. It covers shops, offices, warehouses, light industrial units, small workshops, places of worship, surgeries, salons, and the common parts of residential buildings. It does not cover construction sites (which have a separate regime under CDM 2015) and it does not cover dwellings in single occupation.
It assumes you have inherited the compliance role rather than chosen it. Most premises managers have. The duty is almost always wider than people are told when they get the job.
The two questions to expect first
Whoever turns up, whether it is the fire and rescue service, the local authority environmental health team, the Health and Safety Executive, an insurer's surveyor or a buyer's solicitor doing due diligence, the first two questions are almost always the same.
- Who is the responsible person, and what is their competence?
- Show me your current risk assessments and your live action list.
The first question fails if the building has nobody named, or names someone who left two years ago, or names a director who has never been briefed on what the role involves. The second fails if the assessment is a generic template downloaded from a search result, or is older than the last refurbishment, or has no list of actions tied to dates and owners. Get those two right before anything else.
Quick reference: which categories apply to you
Scan the table below. If a row applies to your premises, the third column tells you what records to hold. The detail on each row, with the underlying statute and the common stand-in documents that are not enough on their own, is in the section after this.
| Area | Does this apply to me? | Records you need to hold |
|---|---|---|
| Fire safety | Any non-domestic premises where you are the employer, have control of the building, or are responsible for its common parts. Applies to every responsible person under the Fire Safety Order, with no employee threshold for written records since 2023. | Written fire risk assessment, fire safety policy, weekly alarm test log, monthly emergency lighting test plus annual full-duration test, six-monthly extinguisher service, fire door inspection records, fire warden and general training records. |
| Asbestos | The building was constructed before the year 2000, or you have control of common parts of a residential building constructed before 2000. | Asbestos management survey or written no-asbestos assessment, asbestos register, written management plan, annual re-inspection record for every item on the register, contractor briefing log. |
| Water (legionella) | The premises has any wet system: hot and cold water taps, showers, spray taps, calorifiers, cold water tanks, cooling towers or evaporative condensers. Almost every premises with a tap qualifies. | Written legionella risk assessment, named responsible person for water hygiene, written scheme of control, monthly sentinel temperature checks, quarterly calorifier and tank checks, annual review of the risk assessment, descaling and cleaning records for shower heads and spray outlets. |
| Gas | The premises has any gas installation or appliance, including a commercial boiler, heater, cooker or catering equipment. | Annual Gas Safe commercial certificate for each relevant appliance, maintenance record in line with the manufacturer's instructions, evidence of any remedial work with the engineer's Gas Safe registration number, documented isolation procedure. |
| Electrical | The premises has any fixed electrical installation. This covers every workplace with mains power. | Current Electrical Installation Condition Report (EICR) with all C1 and C2 items addressed, a record of any portable appliance testing (interval is risk-based, not legally fixed), log of electrical defects reported by occupants and how they were resolved. |
| Lifts and lifting equipment | The premises has a passenger lift, goods lift, hoist, scissor lift, accessibility lift, vehicle lift, mobile elevating work platform, or any other lifting equipment used at work. | Six-monthly thorough examination certificate for any lift carrying people, twelve-monthly for goods-only lifts and most other lifting equipment, evidence that defects raised in the examination have been actioned, lift service contractor maintenance records. |
| Pressure systems | The premises has an air receiver (commonly behind a workshop compressor), steam boiler, autoclave, refrigeration plant, or any pressurised system above the regulatory thresholds. | Written scheme of examination drawn up by a competent person, examinations carried out at the intervals stated in the scheme, the competent person's reports with any actions tracked to completion. |
| Workplace, first aid and RIDDOR | Every employer in every non-domestic premises. The Workplace and Management Regulations apply at all sizes. RIDDOR applies to every employer or self-employed person in control of premises. | General workplace risk assessment, first aid arrangements based on a written first aid needs assessment, accident book that meets data protection requirements, RIDDOR log with copies of any F2508 reports, signed and dated health and safety policy if you employ five or more people. |
If you are not sure whether a category applies, default to assuming it does and check. The cost of an unused entry in your management system is zero. The cost of a missed category is a notice from the regulator or a refused insurance claim.
Category by category, what the law requires
There is no single regulation called "business compliance". There are several separate regimes that apply to most non-domestic premises in different combinations. Each is set out below with the statute, what records to hold, and the typical stand-in document that is not enough on its own.
1. Fire safety
The duty sits under the Regulatory Reform (Fire Safety) Order 2005, as amended by the Fire Safety Act 2021 and the Fire Safety (England) Regulations 2022. Since 2023 there is no employee threshold for written records. Every responsible person has to record the significant findings in writing, even a sole trader in a single unit.
What to hold:
- A written fire risk assessment, signed and dated, naming the responsible person and the assessor.
- A fire safety policy and the fire safety arrangements (how the warning is given, how the building is evacuated, where the assembly point is, who calls the fire and rescue service).
- A weekly alarm test log.
- A monthly functional emergency lighting test and an annual full-duration test.
- Six-monthly servicing of fire extinguishers by a competent person.
- Fire door inspections at the interval set by the building type. For multi-occupied residential buildings above 11 metres, quarterly for fire doors in the common parts and annually for flat entrance doors, as far as reasonably possible.
- Training records for fire wardens and for the general workforce.
The most common stand-in is a fire extinguisher service certificate. That is not the fire risk assessment. An insurer letter is not the fire risk assessment either.
2. Asbestos
If the premises was constructed before the year 2000, the Control of Asbestos Regulations 2012 apply. Regulation 4 sets a duty to manage asbestos on anyone who has control of a non-domestic premises, which includes the common parts of residential buildings.
What to hold:
- An asbestos management survey, or a written assessment recording why there is no reason to suspect asbestos-containing materials are present.
- An asbestos register showing the location, type and condition of any known materials.
- A written management plan setting out who reviews it and when.
- An annual reinspection record for every item on the register.
- Evidence that contractors are shown the register before any work that could disturb the building fabric.
A 2003 survey in a drawer is not a management plan. An air-clearance certificate from a one-off removal job years ago is not a register.
3. Water (legionella)
The general duty comes from the Health and Safety at Work etc. Act 1974 and the Control of Substances Hazardous to Health Regulations 2002. The Approved Code of Practice is HSE document L8, with technical detail in HSG274. Approved Codes have special status in law. A court will treat a failure to follow the ACOP as evidence of a breach unless the duty holder can show they did something at least as effective.
What to hold:
- A written legionella risk assessment of all water systems on site.
- A named responsible person for water hygiene.
- A written scheme of control setting out what is checked, by whom, at what frequency.
- Monthly temperature checks of sentinel outlets (typically the first and last on each loop).
- Quarterly checks of calorifiers and cold water tanks.
- An annual review of the risk assessment, and a fresh assessment after any significant change.
- Descaling and cleaning records for shower heads, spray taps and similar outlets.
A single water test certificate from a contractor is not a scheme of control.
4. Gas
For non-domestic premises with a gas installation, the Gas Safety (Installation and Use) Regulations 1998 apply. Any work on a gas appliance, pipework or flue must be done by a Gas Safe registered engineer holding the relevant commercial qualifications. Domestic engineers are not qualified for commercial appliances. The certificate is not valid if the engineer's registration does not cover commercial work.
What to hold:
- An annual gas safety check certificate for every relevant appliance.
- A maintenance record showing servicing has been carried out in line with the manufacturer's instructions.
- Evidence of any remedial work, including the date and the engineer's registration number.
- A documented isolation procedure for emergencies.
5. Electrical
The Electricity at Work Regulations 1989 require all electrical systems to be constructed and maintained so as to prevent danger. The Health and Safety Executive's expectation is a periodic inspection and test by a competent person, set on a risk basis. For most commercial premises that is every five years. Higher-risk premises, places open to the public, or premises with intensive electrical use may need it sooner.
What to hold:
- A current Electrical Installation Condition Report (EICR), with all C1 and C2 items addressed.
- A record of any portable appliance testing where it is part of the maintenance regime, including the inspector's competence.
- A log of any electrical defects reported by occupants and how they were resolved.
There is no fixed legal interval for portable appliance testing. The interval should follow a risk assessment of the equipment, the environment and how it is used. Treat the "annual PAT" sticker as a habit, not a legal requirement.
6. Lifts and lifting equipment
The Lifting Operations and Lifting Equipment Regulations 1998 (LOLER) require a thorough examination by a competent person at fixed intervals, alongside the duties in the Provision and Use of Work Equipment Regulations 1998 (PUWER) for routine maintenance.
What to hold:
- A thorough examination certificate every six months for any lift carrying people.
- A thorough examination certificate every twelve months for goods-only lifts and most other lifting equipment.
- Evidence that defects identified in the examination have been actioned.
- A maintenance record from the lift service contractor.
A service contract is not a thorough examination. The two are separate duties carried out by different people.
7. Pressure systems
The Pressure Systems Safety Regulations 2000 apply to systems containing relevant fluids above the regulatory thresholds. This catches air receivers, steam boilers, autoclaves, refrigeration plant and many compressors.
What to hold:
- A written scheme of examination drawn up by a competent person.
- Examinations carried out at the intervals stated in the scheme.
- The competent person's reports, with any actions tracked to completion.
Most premises do not have a pressure system. Most that do, do not know they have one. An air receiver behind a workshop compressor is the most commonly missed example.
8. Workplace conditions, first aid and accident reporting
Three regimes sit together here. The Workplace (Health, Safety and Welfare) Regulations 1992 set the baseline for the building itself (toilets, washing, lighting, temperature, ventilation, cleanliness, traffic routes, falls). The Management of Health and Safety at Work Regulations 1999 require a suitable and sufficient general risk assessment of every work activity. The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR) require certain injuries, diseases and dangerous occurrences to be reported to the Health and Safety Executive within statutory windows.
What to hold:
- A general workplace risk assessment, reviewed at least annually and on any significant change.
- First aid arrangements based on a written first aid needs assessment, with first aiders named.
- An accident book that complies with data protection requirements.
- A log of any RIDDOR-reportable events, with copies of the F2508 reports.
- A signed and dated statement of health and safety policy if you employ five or more people.
What a defensible record actually looks like
A defensible record has four parts, repeated for each category:
- A current written assessment with a stated review date.
- A named person who is responsible.
- A list of actions with owners and target dates.
- Evidence that the routine checks set by the assessment are actually being done.
If a category has all four, it is defensible. If it has three of them and a stack of supplier certificates, it is not. The auditor's question is rarely "have you done this". It is "show me". A defensible record is the one that gets shown in under five minutes from a single place, by a person who can describe what is in it without reading it.
Stopping the paperwork shuffle
The paperwork shuffle happens because compliance arrives at a premises in fragments. The fire alarm contractor sends a PDF by email. The water hygiene company sends a paper report. The lift engineer leaves a hard-copy logbook in the lift room. The asbestos register lives on a shared drive somewhere. The general risk assessment was done by a consultant two years ago and exists as a single Word document on someone's laptop.
Pulling those fragments into one system, with one calendar of due dates and one action list across the whole site, is the single largest reduction in audit anxiety a premises manager can make. It also makes the building safer. The things that get done are the things that get tracked, and the things that get tracked are the things that have a date next to them.
Frequently asked
What is the difference between a compliance audit and a risk assessment?
A risk assessment identifies hazards and the controls in place for them. A compliance audit checks whether the duties placed on the responsible person by law are actually being met across every category that applies to the premises. A site can have well-written risk assessments and still fail a compliance audit, because the audit also looks at records, training, service intervals and whether the actions raised by the assessments have been completed.
Is there a single legal document that proves a premises is compliant?
No. Compliance is the sum of separate duties under separate regulations. The closest thing to a single document is a current site compliance register that lists each category, the assessment date, the named responsible person, the next service or review date, and the open actions. That is what most auditors expect to be handed first.
Do small businesses with fewer than five employees need all of this?
The five-employee threshold applies only to two specific duties: a written statement of health and safety policy under the Health and Safety at Work etc. Act 1974, and the requirement to record the significant findings of the general risk assessment under the Management of Health and Safety at Work Regulations 1999. Since 2023, the fire safety legislation has removed the equivalent threshold for recording fire risk assessments. Every other duty in this guide (asbestos, water, gas, electrical, lifts, pressure systems, RIDDOR) applies regardless of headcount. Small employers are not exempt from compliance; they are exempt from one or two of the writing-it-down rules.
How long should compliance records be kept?
Specific retention periods vary. As a general rule: fire risk assessments for as long as the building is occupied; asbestos surveys and the register for the life of the building; legionella records for at least five years; gas safety records for at least two years; LOLER reports for at least two years (or until the next examination supersedes them, whichever is longer); RIDDOR records for at least three years. Insurers often expect six years on most categories. When in doubt, keep them.
Can a consultant take responsibility for compliance on my behalf?
No. The legal duty stays with the responsible person, the duty holder or the employer named in each piece of legislation. A consultant can carry out the assessments, advise on competence, run the management system and produce the records. The legal accountability does not transfer. The contract with any consultant should be explicit that they are advising, not assuming the duty.