What makes an IEC 62305 lightning risk report audit-ready
An auditor, an insurer or an authority does not accept a risk figure on trust. They accept a report they can follow: the structure and its inputs stated plainly, the edition used, each risk built from its components, every coefficient traceable to its source, the protection measures specified, and a named engineer who signed it. This guide sets out what that report contains and why each part earns its place.
An IEC 62305 risk report is audit-ready when a reader can follow it from the result all the way back to its inputs without having to ask a question. The figure at the end is the easy part. What an auditor, an insurer or an authority actually wants is the working: the structure and every input it was assessed on, the edition of the standard the numbers were computed under, each risk figure broken into the components behind it, every coefficient traced to where it came from, the protection measures specified, and the name of the engineer who stands behind it.
A result on its own is not evidence. The same structure can pass or fail depending on the inputs fed in and the edition used, so a number with neither attached cannot be checked, reproduced or revisited when the building changes. This guide walks through who reads the report and why, the contents that make it defensible, why the edition and the input record are inseparable from the result, why traceability and a clear revision history matter once a structure starts to change, how the periodic inspection ties back to the assessment over the maintenance cycle, and the plain difference between a report an auditor can accept and one they have to send back.
Who reads the report, and what each one is checking
A risk report is not written for the engineer who produced it. It is written for three readers who never sat in the assessment, each of whom is checking something different and all of whom need to see the working, not just the answer.
What a defensible report actually contains
A defensible report is built from a fixed set of contents, each of which answers a question an auditor would otherwise have to ask. Leave one out and the gap is exactly where the report gets queried.
Why a result means nothing without its edition and its inputs
A risk figure is not a fact about a building. It is the output of a calculation, and a calculation is only defined by the method it ran and the values it ran on. State the result without the edition and you have hidden which method produced it. State it without the inputs and you have hidden what it was produced from. In both cases the reader is left holding a number they cannot check, because the things that would let them check it have been left off the page.
The edition matters because the method has moved. The 2024 third edition changed how the frequency of dangerous events is calculated, among other revisions, so the same structure can produce a different result under the 2010 and the 2024 methods. An auditor citing the current edition needs to know the report used it, not a spreadsheet built on the older one. The inputs matter for the same reason: the dimensions, the occupancy, the location, the connected services and the existing protection all feed the formula, and the result moves with them. A report that names its edition and records its inputs in full is one a reader can both check and reproduce. A report that gives only the result is asking to be trusted, which is the one thing an audit will not do.
Showing each risk figure with the working behind it
Each computed figure is a sum of risk components, and the protection only works if it acts on the component that was too high. A total on its own hides whether it did.
The risk of loss of human life R and the frequency of damage F are each built by adding risk components that pair a source of damage with a type of damage. The dominant component, the one carrying most of the risk, is what the protection has to target. If a report gives only the totalled risk, a reader cannot tell which component drove it, and so cannot tell whether the measure claimed to reduce the risk acts on the right part. A surge protective device that addresses an internal-systems component does nothing for a risk driven by a direct-strike fire component, and only the breakdown reveals the mismatch.
For the full method that produces these components, including how each one is computed from the structure and its services, see how an IEC 62305 assessment is calculated and the dedicated guide to the IEC 62305-2 risk assessment.
Following a number to its source, and recording what changes
The single test an auditor applies to any figure is simple: can I follow this to where it came from. Every coefficient in the assessment is a choice, a value picked for the structure because of something true about it, the type of surface, the construction, the fire risk, the protection already present. A coefficient trace records which value was used for each and on what basis, so the reader confirms the choice against the structure described rather than accepting an unexplained number dropped into the formula. Traceability is not extra detail; it is the difference between a report that answers questions and one that raises them.
Traceability also has to hold over time, because a building rarely stays as assessed. An extension, a new connected service, a change of use or a different occupancy moves the inputs, and the risk moves with them. A clear revision history records what changed, when, and what the new result was, so the current report is the live position and the earlier versions explain how it got there. Without that history a stale assessment can sit in a file looking valid long after the structure it described was altered, and an audit that finds the mismatch has reason to doubt everything else in the file. The revision history is what keeps the report honest as the building evolves.
How the inspection report ties back to the assessment
The risk assessment and the periodic inspection are two halves of one chain, and an audit reads them as one. The assessment ends by choosing a protection level that brings the risk into line, and the protection system is built to that level. Over the years that follow, the periodic inspection confirms that the installed system still matches the level the assessment called for: that the conductors are continuous, the bonding intact, the earth resistance sound, and nothing in the structure has quietly degraded the protection the assessment relied on.
This is why the two reports belong together in the file. The assessment sets the target; the inspection proves the target is still being met. A sound assessment with a lapsed inspection leaves the reader unsure the protection is still real, and an inspection against no recorded assessment leaves them unsure the protection was ever the right level to begin with. Read in sequence across the maintenance cycle, the assessment and the successive inspections show a continuous record: the protection was specified correctly, installed to that specification, and kept sound since. That continuity is what an audit is really looking for, and it only exists when the assessment and the inspection point back to each other.
The practical difference between a defensible report and a number
Put a defensible report and a bare number side by side and they can reach the same result. One says the structure passes, or needs a given protection level, and stops. The other says the same thing and then shows its working: the structure and its inputs, the edition, the component breakdown, the coefficient sources, the measures tied to the risks they lower, and a named sign-off. The result is identical. The acceptance is not.
An auditor cannot accept a figure they cannot follow, and a bare number gives them nothing to follow. Every gap is a question, and every question sends the report back for the working that should have been there in the first place. A defensible report clears review precisely because it anticipates those questions and has already answered them on the page. The practical difference, then, is not quality of engineering; both reports may rest on the same careful assessment. It is whether the assessment is visible. The defensible report makes its reasoning auditable, and that is the property that gets a result accepted by an owner, an authority and an insurer alike.