Practical guide

What makes an IEC 62305 lightning risk report audit-ready

An auditor, an insurer or an authority does not accept a risk figure on trust. They accept a report they can follow: the structure and its inputs stated plainly, the edition used, each risk built from its components, every coefficient traceable to its source, the protection measures specified, and a named engineer who signed it. This guide sets out what that report contains and why each part earns its place.

An IEC 62305 risk report is audit-ready when a reader can follow it from the result all the way back to its inputs without having to ask a question. The figure at the end is the easy part. What an auditor, an insurer or an authority actually wants is the working: the structure and every input it was assessed on, the edition of the standard the numbers were computed under, each risk figure broken into the components behind it, every coefficient traced to where it came from, the protection measures specified, and the name of the engineer who stands behind it.

A result on its own is not evidence. The same structure can pass or fail depending on the inputs fed in and the edition used, so a number with neither attached cannot be checked, reproduced or revisited when the building changes. This guide walks through who reads the report and why, the contents that make it defensible, why the edition and the input record are inseparable from the result, why traceability and a clear revision history matter once a structure starts to change, how the periodic inspection ties back to the assessment over the maintenance cycle, and the plain difference between a report an auditor can accept and one they have to send back.

The readers

Who reads the report, and what each one is checking

A risk report is not written for the engineer who produced it. It is written for three readers who never sat in the assessment, each of whom is checking something different and all of whom need to see the working, not just the answer.

The building owner, for compliance. The owner keeps the report as the record that the structure was assessed and that the protection in place is the protection the assessment called for. It is the document they produce when asked to show the building is compliant, and the baseline they return to whenever the building changes.
The auditor or authority, for acceptance. An authority having jurisdiction or an independent auditor reads the report to decide whether to accept the result for approval. They are not re-running the assessment; they are checking that the working is sound, the inputs fit the structure, and the result follows from them. A figure they cannot follow is a figure they cannot accept.
The insurer, for cover and claims. An insurer reads the report to price cover, and reads it again if a claim follows a strike. They are looking for evidence that the protection was specified correctly and was current at the time of loss. A vague or undated report weakens both the cover and the claim, because there is nothing solid to point to.

The contents

What a defensible report actually contains

A defensible report is built from a fixed set of contents, each of which answers a question an auditor would otherwise have to ask. Leave one out and the gap is exactly where the report gets queried.

The assessed structure and its inputs. The structure stated plainly: its dimensions, location, use, occupancy and the services connected to it, along with the existing protection. These are the inputs the whole result rests on, so they are set out in full rather than summarised, because a reader has to see them to judge the numbers that follow.
The edition of the standard used. Which edition of IEC 62305 the assessment was computed on, stated next to the result. The method differs between editions, so the edition is part of what the result means. A report that omits it leaves the reader unable to tell whether the working matches the method in force.
Each risk figure with its components. The risk of loss of human life and the frequency of damage each shown not as a single total but as the sum of the components behind it, so the reader can see which component drove the result. This is what lets an auditor confirm the assessment addressed the part of the risk that was actually too high.
The coefficient trace. Every coefficient that feeds a component shown with the value used and where it came from, so a number can be followed to its source. The trace turns each factor from an unexplained figure into a choice the reader can confirm fits the structure described.
The protection measures specified. The measures the assessment calls for, each tied to the risk it brings into line. It is not enough to list a protection level; the report shows which measure reduces which risk, so the reader can see the result was reached by acting on the right component, not by chance.
The engineer responsible and the sign-off. A named engineer who carried out the assessment and put their name to the result, with a dated sign-off. Accountability is part of acceptance: an auditor wants to know who stands behind the figure, not just that a figure exists.

Edition and inputs

Why a result means nothing without its edition and its inputs

A risk figure is not a fact about a building. It is the output of a calculation, and a calculation is only defined by the method it ran and the values it ran on. State the result without the edition and you have hidden which method produced it. State it without the inputs and you have hidden what it was produced from. In both cases the reader is left holding a number they cannot check, because the things that would let them check it have been left off the page.

The edition matters because the method has moved. The 2024 third edition changed how the frequency of dangerous events is calculated, among other revisions, so the same structure can produce a different result under the 2010 and the 2024 methods. An auditor citing the current edition needs to know the report used it, not a spreadsheet built on the older one. The inputs matter for the same reason: the dimensions, the occupancy, the location, the connected services and the existing protection all feed the formula, and the result moves with them. A report that names its edition and records its inputs in full is one a reader can both check and reproduce. A report that gives only the result is asking to be trusted, which is the one thing an audit will not do.

The result and its conditions travel together. Treat the edition and the input record as part of the result, not as appendices to it. The moment they are separated, the figure stops being evidence and becomes an assertion. For how the inputs feed each risk, see the IEC 62305-2 risk method.

The component breakdown

Showing each risk figure with the working behind it

Each computed figure is a sum of risk components, and the protection only works if it acts on the component that was too high. A total on its own hides whether it did.

The risk of loss of human life R and the frequency of damage F are each built by adding risk components that pair a source of damage with a type of damage. The dominant component, the one carrying most of the risk, is what the protection has to target. If a report gives only the totalled risk, a reader cannot tell which component drove it, and so cannot tell whether the measure claimed to reduce the risk acts on the right part. A surge protective device that addresses an internal-systems component does nothing for a risk driven by a direct-strike fire component, and only the breakdown reveals the mismatch.

The breakdown shows where the risk lives. With each component visible, an auditor can see at a glance whether the result is driven by a direct strike, a strike to a service, or the surges induced on internal systems, and confirm the assessment understood its own structure rather than reaching a total by aggregation.
It proves the measure fits the risk. When the report ties each protection measure to the component it lowers, the reader can confirm the chosen measures actually bring the dominant component into line, rather than reducing a part of the risk that was never the problem.
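The checks described in the contents list and in the component breakdown can be run mechanically over a report record. The sketch below is an added example, not part of the original guide or of any vendor's tooling; the record layout, the key names, the component and coefficient names, and all values are constructed for illustration and are not taken from the standard.

```python
import math

# Input fields the guide says the report must set out in full (key names are assumed).
REQUIRED_INPUTS = ("dimensions", "location", "use", "occupancy", "services", "existing_protection")

def audit_findings(report):
    """Return the questions an auditor would have to ask; an empty list means none."""
    findings = []
    if not report.get("edition"):
        findings.append("edition of IEC 62305 not stated")
    for key in REQUIRED_INPUTS:
        if not report.get("inputs", {}).get(key):
            findings.append(f"input '{key}' not recorded")
    components = report.get("components", {})
    if not components:
        findings.append("risk given as a total with no component breakdown")
    elif not math.isclose(sum(components.values()), report.get("total", 0.0), rel_tol=1e-6):
        findings.append("components do not sum to the stated total")
    for name, (value, source) in report.get("coefficients", {}).items():
        if not source:
            findings.append(f"coefficient '{name}' = {value} has no source")
    measures = report.get("measures", {})
    for measure, lowered in measures.items():
        if not lowered:
            findings.append(f"measure '{measure}' is not tied to any component")
    # Only meaningful when measures are specified: one must act on the dominant component.
    if components and measures:
        dominant = max(components, key=components.get)
        if not any(dominant in lowered for lowered in measures.values()):
            findings.append(f"dominant component '{dominant}' not addressed by any measure")
    signoff = report.get("signoff", {})
    if not signoff.get("engineer") or not signoff.get("date"):
        findings.append("no named, dated sign-off")
    return findings

# Constructed sample record: a surge protective device specified against a
# risk that is driven by the direct-strike fire component.
SAMPLE = {
    "edition": "2024",
    "inputs": {key: "recorded" for key in REQUIRED_INPUTS},
    "components": {"direct_strike_fire": 4e-5, "service_strike": 1e-6, "internal_surge": 5e-6},
    "total": 4.6e-5,
    "coefficients": {"fire_risk_factor": (1e-2, "input record, section 2"),
                     "surface_factor": (1e-2, "")},
    "measures": {"surge protective device": ["internal_surge"]},
    "signoff": {"engineer": "A. Engineer", "date": "2025-01-15"},
}

if __name__ == "__main__":
    for finding in audit_findings(SAMPLE):
        print("QUERY:", finding)
```

On the sample record the check raises two queries: one coefficient has no source, and the only specified measure does not act on the dominant component.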

For the full method that produces these components, including how each one is computed from the structure and its services, see how an IEC 62305 assessment is calculated and the dedicated guide to the IEC 62305-2 risk assessment.

Traceability

Following a number to its source, and recording what changes

The single test an auditor applies to any figure is simple: can I follow this to where it came from? Every coefficient in the assessment is a choice, a value picked for the structure because of something true about it: the type of surface, the construction, the fire risk, the protection already present. A coefficient trace records which value was used for each and on what basis, so the reader confirms the choice against the structure described rather than accepting an unexplained number dropped into the formula. Traceability is not extra detail; it is the difference between a report that answers questions and one that raises them.

Traceability also has to hold over time, because a building rarely stays as assessed. An extension, a new connected service, a change of use or a different occupancy moves the inputs, and the risk moves with them. A clear revision history records what changed, when, and what the new result was, so the current report is the live position and the earlier versions explain how it got there. Without that history a stale assessment can sit in a file looking valid long after the structure it described was altered, and an audit that finds the mismatch has reason to doubt everything else in the file. The revision history is what keeps the report honest as the building evolves.

The maintenance cycle

How the inspection report ties back to the assessment

The risk assessment and the periodic inspection are two halves of one chain, and an audit reads them as one. The assessment ends by choosing a protection level that brings the risk into line, and the protection system is built to that level. Over the years that follow, the periodic inspection confirms that the installed system still matches the level the assessment called for: that the conductors are continuous, the bonding intact, the earth resistance sound, and nothing in the structure has quietly degraded the protection the assessment relied on.

This is why the two reports belong together in the file. The assessment sets the target; the inspection proves the target is still being met. A sound assessment with a lapsed inspection leaves the reader unsure the protection is still real, and an inspection against no recorded assessment leaves them unsure the protection was ever the right level to begin with. Read in sequence across the maintenance cycle, the assessment and the successive inspections show a continuous record: the protection was specified correctly, installed to that specification, and kept sound since. That continuity is what an audit is really looking for, and it only exists when the assessment and the inspection point back to each other.

Defensible vs bare

The practical difference between a defensible report and a number

Put a defensible report and a bare number side by side and they can reach the same result. One says the structure passes, or needs a given protection level, and stops. The other says the same thing and then shows its working: the structure and its inputs, the edition, the component breakdown, the coefficient sources, the measures tied to the risks they lower, and a named sign-off. The result is identical. The acceptance is not.

An auditor cannot accept a figure they cannot follow, and a bare number gives them nothing to follow. Every gap is a question, and every question sends the report back for the working that should have been there in the first place. A defensible report clears review precisely because it anticipates those questions and has already answered them on the page. The practical difference, then, is not quality of engineering; both reports may rest on the same careful assessment. It is whether the assessment is visible. The defensible report makes its reasoning auditable, and that is the property that gets a result accepted by an owner, an authority and an insurer alike.

Reports that carry their own evidence. Lumex produces branded, audit-ready IEC 62305 reports with the full coefficient trace and an audit log built in, so the inputs, the edition, the component breakdown and the sign-off travel with the result rather than being reconstructed later. For how traceability is captured end to end, see the traceable assessment, start from what IEC 62305 is to see how the parts fit, or run an assessment and produce the report.
