A few years ago, I worked with a school district in California. And this school district had a pool at every school that was run by subcontractors. Since we don't have pools at our schools in Texas, I was slightly jealous. And then I realized that this might be one reason why California is bankrupt and we are doing OK. When you build a pool - it costs money. It costs money to maintain and repair it. It costs money to regulate it and to audit it. The school district took on a world of expense and work when they took on pools!
The audit team I worked with was assigned the responsibility to monitor the pools (among other things). And the regulations over the pools were extensive. The four requirements I rememember from the regulations were:
* the pool chairs must be ergonomically designed
* the pool sign height should be at child level (30 inches above the floor)
* the pool should be staffed by qualified lifeguards when children are swimming
* the pool water quality should be monitored three times a day
Unfortunately, the pool auditors did not do a risk assessment on these requirements and were checking everything. So they used a ruler to measure sign height and then wrote the contractors up if they were off by an inch. WHAT?!? What an embarrasing finding to present to management. What should they have been looking at? Lifeguards and water quality obviously.
They complained that each pool audit took them several days and most of the pools went without review. Of course it took several days when they looked at every silly requirement! Wouldn't it be better to cover more pools for the significant requirements rather than cover every silly requirement at only a few pools? You'd better say yes! :)
Today, I am teaching a group of monitors and auditors from various state agencies in Texas. Compliance auditors don't think they need to do risk assessment. Yes, they do if they don't want to waste time and the taxpayer's money.
SAS 117 made it clear that when auditors do a compliance audit, they must also follow the other SAS's. INCLUDING the risk assessment SASs. Unfortunately, many of the auditors and monitors in my class are making no effort to follow standards. But that is a subject for another blog post...