What You Need to Know About Your Annual RMP Review & Audit
Understanding Your Legal Obligations and Avoiding Compliance Risk
Many cooling tower operators assume that if routine servicing is occurring, compliance is under control. In reality, we regularly speak with site managers who are unaware that their Annual RMP Review & Audit is a separate legal obligation. Often, this only becomes apparent when an audit deadline approaches or documentation is requested.
An Annual RMP Review & Audit is not optional. It is a regulatory requirement.
Under the Public Health and Wellbeing Regulations 2019, every registered cooling tower system must have a compliant Risk Management Plan in place, must undergo an annual review of that plan, and must be audited annually by an approved independent auditor. At the time of the audit, the Certificate of Registration for the cooling tower system must also be produced. These requirements apply regardless of whether servicing is outsourced. The legal responsibility remains with the responsible person for the system.
Understanding what the Annual RMP Review & Audit actually involves is critical to avoiding unnecessary compliance risk.
What Is an Annual RMP Review & Audit?
Although often discussed together, the review and the audit are two distinct processes that serve different purposes. Both depend on a compliant Risk Management Plan being in place.
The Annual RMP Review
An Annual RMP Review evaluates whether your Risk Management Plan still accurately reflects your cooling tower system and its associated risks. A proper review goes beyond checking that a document exists. It examines whether the plan continues to represent how the system actually operates and whether the identified risks are being effectively controlled. A structured review typically considers questions such as:

Is the system description still accurate?
Have any components been modified or replaced?
Are control measures still appropriate?
Are monitoring and sampling frequencies compliant?
Are corrective action triggers clearly defined?
Have regulatory requirements changed?
Are responsible persons and contact details still correct?
Are the nominated water treatment provider and laboratory still current?
A review focuses on whether the plan itself remains fit for purpose. It requires technical assessment of the system, its operation, and its risk controls. An Annual RMP Review should also be conducted whenever the system is modified, when a Legionella result exceeds regulatory thresholds, when an audit identifies deficiencies, or when operating conditions change. Without an up to date and accurate RMP, compliance cannot be demonstrated.

The Independent Audit
The audit component of your Annual RMP Review & Audit is conducted by a Department approved independent auditor. It cannot be completed by the person who prepared the Risk Management Plan, as independence is a mandatory requirement. The purpose of the audit is to determine whether your cooling tower system has been managed in accordance with its Risk Management Plan over the previous audit period. Where the annual review asks whether the plan remains suitable, the audit assesses whether the plan has actually been followed.
To make that determination, the auditor examines your current Risk Management Plan together with supporting documentation from the preceding twelve months. This includes service and maintenance reports, microbiological test results for HCC and Legionella, cleaning and disinfection records, and documented evidence that corrective actions were completed within required timeframes. The Certificate of Registration for the cooling tower system must also be produced at the time of audit. Evidence that an RMP review was completed within the audit period must also be supplied, confirming that the Annual RMP Review was formally conducted and that any required updates were incorporated into the plan.
Beyond verifying that documents are present, the auditor assesses whether records are consistent, complete, and reflective of actual system management. They consider whether actions were taken within allowable tolerances for risk and whether regulatory requirements have been met in practice. An audit is therefore not a paperwork exercise. It is an evidence based assessment of how your system has been controlled.
A compliant and current Risk Management Plan underpins the entire Annual RMP Review & Audit process. If the RMP does not accurately reflect the system, deficiencies will inevitably be identified.
An Annual RMP Review & Audit should never be treated as two isolated administrative requirements. Together, they form a structured compliance cycle designed to continuously strengthen risk control rather than simply confirm that documentation exists. The independent audit looks backward, assessing how the cooling tower system was managed over the previous audit period and identifying any gaps, deficiencies, or areas for improvement. Those findings are not simply compliance notes. They provide a clear picture of where processes, documentation, or control measures may not be fully aligned with regulatory expectations.
The annual review then shifts the focus forward. It provides the opportunity to formally incorporate audit findings into the Risk Management Plan, update system descriptions where required, refine control measures, and ensure monitoring and corrective action procedures remain appropriate. When the review is conducted promptly after the audit, necessary changes can be embedded within the plan while there is still adequate time to implement improvements before the next audit cycle begins.
This sequencing is critical. When sites delay the review until just before the next audit, pressure increases and compliance becomes reactive. Documentation must be assembled quickly, corrective works may need to be expedited, and there is limited opportunity to demonstrate that improvements have been integrated into routine management. By contrast, a well managed Annual RMP Review & Audit cycle provides a clear twelve month window to address identified risks, strengthen documentation practices, and confirm that control measures are operating effectively. Proactive scheduling reduces compliance risk, improves audit outcomes, and allows responsible persons to demonstrate due diligence with confidence.
Legal Responsibility and Consequences of Non Compliance
Under the Public Health and Wellbeing Act 2008 (Victoria) and the Public Health and Wellbeing Regulations 2019 (Victoria), the responsible person for a registered cooling tower system remains legally accountable for its management and compliance. The legislation makes clear that the duty holder must ensure a compliant Risk Management Plan is in place, that an Annual RMP Review & Audit is completed within required timeframes, and that records are accurate and available for inspection by authorised officers.
While contractors may assist with servicing, documentation, or coordination, legal responsibility cannot be transferred. The responsible person remains accountable for ensuring that the cooling tower system complies with the regulatory framework.
Where an Annual RMP Review & Audit is not completed, authorised officers appointed under the Act have enforcement powers. These may include issuing improvement notices, requiring immediate corrective action, directing additional testing, or suspending operation of the cooling tower system until compliance is restored. Further information regarding regulatory powers and cooling tower obligations is available from the Victorian Department of Health.
Beyond formal enforcement action, failure to complete the required review and audit increases the likelihood that system deficiencies remain undetected. The regulatory framework governing cooling towers exists to reduce public health risks, particularly those related to Legionella transmission. An Annual RMP Review & Audit is therefore not an administrative formality. It is an enforceable compliance control designed to ensure that risk management measures are functioning as intended.

For many facilities, keeping track of compliance deadlines alongside operational demands can become challenging. Audit due dates approach quickly, documentation must be assembled, and coordination with independent auditors takes time. Without a structured system in place, an Annual RMP Review & Audit can shift from a controlled process to a reactive exercise.
Tandex assists clients by conducting structured Annual RMP Reviews, coordinating independent audits with approved auditors, confirming documentation readiness in advance, and implementing corrective actions where required. We monitor compliance timelines and contact you before your Annual RMP Review & Audit is due. Once confirmed, we manage the process through to completion so your cooling tower system remains compliant, audit-ready, and aligned with regulatory expectations.
If you would like support with your Annual RMP Review & Audit, contact us to discuss how we can help you maintain compliance with confidence.





