Seven findings. Eight opportunities for improvement. All captured in Shell's own words, in the order they were written. This is the audit report, faithfully reproduced — because the first thing the close-out visit should see is that nothing has been softened.
The Draft Audit Report landed on 5 February 2026, two weeks after the on-site visit. Seven findings, eight opportunities for improvement, and a clear set of recommendations behind each one. Fair in scope, specific in language, and — on reflection — a generous roadmap from an audit team that wanted the relationship to succeed.
This chapter does one thing: it reproduces the findings and OFIs exactly as Shell wrote them. Each entry retains the original finding description, the original recommendation, and a current status indicator drawn from the NCR / OFI / CAPA register. The evidence — documents produced, procedures written, systems built — lives in Chapter 05, where the close-out story is told in full.
Shell's language, Shell's sequence. Status indicators reflect the position on the NCR register as at 10 April 2026.
Seagull Maritime is required to provide formal documentary evidence confirming its claimed exemption from Maltese law to demonstrate compliance with or exemption from S.L. 480.05 and Arms Act under Maltese law; however, no such documentation from the Maltese government was available during the audit, leaving the company's legal standing and jurisdictional obligations insufficiently verified. This gap indicates a compliance risk, as operational authorisation and governance expectations cannot be fully assessed without proof of exemption.
Seagull Maritime should formally obtain and maintain written confirmation from a competent Maltese government body or relevant regulatory authority that clearly specifies the company's exemption status from S.L. 480.05 and Arms Act under Maltese law. This documentation should be filed within the corporate governance records, referenced in compliance documentation, and communicated to stakeholders to ensure regulatory certainty.
Seagull Maritime is required to maintain a structured risk management framework that consistently addresses risk identification, assessment, control measures, and mitigation strategies across all operational theatres, including West Africa (WAF) and the Indian Ocean Region (IOR); however, current processes remain informal, inconsistently applied, and lack the documented methodology necessary for a robust and repeatable approach to operational high risk such as personal transfer. Seagull Maritime seeks to adopt ISO 45001:2018 for managing occupational health and safety risks which provides a recognised management system.
Develop and implement a unified, organisation-wide risk management framework that includes structured processes for risk identification, assessment, control implementation, and mitigation tracking such as ISO 45001. The framework should cover all operational environments (WAF and IOR), integrate HSSE considerations, and be documented within SOPs. Regular reviews and risk register updates should be embedded into operational governance cycles.
The organisation is required to maintain a formalised media and social media policy to govern communications, conduct expectations, and reputational safeguards for both office-based and operational employees; however, the audit confirmed that no such policy exists, leaving staff without clear guidance on media engagement, online behaviour, or incident-related communication protocols. The absence of structured communication controls increases exposure to reputational, security, and confidentiality risks.
Draft and approve a formal media and social media policy that outlines expectations, behavioural standards, confidentiality rules, escalation pathways, and approval processes for both office and operational staff. The policy should be communicated company-wide, incorporated into onboarding, and reinforced through periodic training.
Seagull Maritime must ensure its personal insurance documentation accurately reflects the correct legal entity responsible for employee coverage; however, evidence indicates the insurance provider is listed under "Seagull UK," while the audited operating entity is registered in Malta, creating ambiguity about the validity and applicability of employee insurance protections. This discrepancy may result in coverage gaps or misalignment with legal obligations under the correct jurisdiction.
Review all personal insurance documentation to confirm the correct legal entity responsible for employee coverage. Update all policy documentation, contracts, and internal records to reflect the accurate entity (Malta or UK). Communicate amendments to employees and ensure alignment with jurisdictional legal requirements.
For legitimised armed operations within Nigerian territorial waters, Seagull Maritime is required to maintain a current Memorandum of Understanding (MOU) with the Nigerian Navy; however, the audit found that the organisation does not yet possess a formalised or validated MOU, a Shell requirement for PMSC to provide security escort vessels.
Engage directly with the Nigerian Navy to finalise and obtain an officially endorsed Memorandum of Understanding (MOU) authorising maritime security operations in Nigerian waters. Once formalised, incorporate the MOU into compliance documentation and ensure operational teams are trained on any associated constraints or requirements.
Seagull Maritime is required to align its security practices with internationally recognised human rights standards — including the Voluntary Principles on Security and Human Rights (VPSHR) — to ensure responsible conduct, proportional use of force, and protection of personnel and third parties; however, while the company demonstrates general awareness of human rights considerations, its procedures, SOPs, and training materials do not reference or integrate VPSHR guidance. This omission limits consistency and assurance in human-rights-aligned operational behaviour.
Update operational procedures, training material, and use of force guidelines to explicitly incorporate the Voluntary Principles on Security and Human Rights (VPSHR). Conduct awareness sessions with office and deployed personnel and embed VPSHR requirements into contractor agreements and monitoring processes.
The organisation is required to regularly conduct and document Incident Response Team (IRT) exercises to validate emergency preparedness, coordination effectiveness, and crisis management readiness; however, no records of completed IRT drills or formalised after-action reviews were available during the audit. This requirement is especially important because the office staff work in a region affected by conflict (Odessa, Ukraine). The absence of evidence indicates that the organisation has not yet tested its incident response framework under realistic conditions.
Conduct a full Incident Response Team (IRT) exercise simulating a realistic operational scenario, ensuring participation from all relevant functions. Document the exercise, including objectives, scenario, performance evaluation, lessons learned, and corrective actions. Integrate improvements into the company's Incident Response Plan and repeat exercises regularly.
Not blockers — considered improvements offered by the audit team. Each one was adopted and closed with supporting evidence. Shell's language retained throughout.
The company would benefit from documenting and implementing a formal Management of Change process to ensure that updates to procedures are systematically reviewed, approved, and communicated.
Establishing a structured annual management review cycle would support leadership accountability, promote follow-up on key actions, and reinforce continual improvement.
Routine checks of sanctions listings should be embedded into compliance workflows to ensure ongoing adherence to regulatory requirements.
The wording related to delaying vessels should be revised to clearly reflect that client vessels may be delayed for legitimate safety reasons, including adverse weather during transfers.
The vessel defence section should be updated to ensure the primary incident reporting pathway is aligned with industry expectations, specifically designating UKMTO as the initial point of contact.
Seagull Maritime should also define and communicate minimum standards for Security Escort Vessels (SEVs).
Clarify the applicability of the Drugs & Alcohol (D&A) policy across all personnel types.
Implement a formal PCASP security briefing to Masters to enhance operational transparency and coordination.
Every finding and every OFI has been worked, evidenced, and cross-referenced in the NCR / OFI / CAPA register. The one exception — Finding 1, the Malta exemption letter — is a government process held up on the Maltese side. Escalation is in hand and the intent is to have it closed out and filed with the rest of the evidence before the 3 May close-out. Chapter 05 shows, finding by finding, exactly how each one was closed and where the evidence lives.