You are here: Home > Accounting > The Audit’s Results and Report – the True Story, According to the Iso 9001 Standard Requirements

The Audit’s Results and Report – the True Story, According to the Iso 9001 Standard Requirements

Posted in Accounting | October 10th, 2010

The internal audit chapter is included under chapter 8.2 – Monitoring and measurement (it’s been said before on our web site already). When performing an audit you are monitoring processes. You sample a process and validate that it is done according to prior requirements. Once you stumble upon nonconformity, a process that was performed not according to a requirement, you must mention it in the audit report. But this is not the end of your story.

In this article we will review the ISO 9001 requirements for conducting the internal audit with reference to the ISO 19011 Standard “Guidelines for auditing quality management systems”. ISO 19011 provides guidance in order to achieve the ISO 9001 requirements for internal audit. Actually it is suitable for the environmental management system requirements for internal audits as well, but for now, we will focus on the ISO 9001 requirements only.

The ISO 9001 Standard requires that the management would bear the responsible for the audit’s results. The management will assure that any nonconformity revealed during the audit would be removed without any delays. The removal than would be verified and validated. Harsh requirements! Well, they have a point. The ISO 9001 Standard requires the management’s responsibility for implementing the Standard’s requirements. In fact, a whole chapter was dedicated to the matter (chapter 5 management responsibility , very clear). One aspect of the required responsibility is to assure the minimum as possible of nonconformities. Nonconformities can be revealed during audits. The relation is clear. The management becomes responsible for the audit’s results. Actually the revised ISO 9001:2008 Specifically requires that the management would ensure corrective action to nonconformities revealed during audits.

All of the above are nice and well written over and over again. We are sure that most of you heard it already throughout audits (internal and external). But the big question is how to maintain? Well, that’s why we are here for. We will explain it in plain English and suggest solutions. If you would have further questions you may send them to us via this page.

The audit main goal is to give a status report. The tactic of an audit (external or internal) is to evaluate the organization’s performances with reference to the requirements. In plain words, it is required from your organization to maintain several activities. The audit evaluates whether the activities are performed and how well they are performed.

When you reveal nonconformities, those nonconformities should be applied to a controled process. The purpose is to verify that the nonconformities are removed. The main activity during the audit is sampling and documenting. The auditor samples processes and documents the results. But this activity is divided into several stages that take place during the audit. Let’s review them.

An opening meeting:

In this meeting the management meets the auditor. In this meeting usually the auditor documents some general details and information about the organization:

Which units are being audited
Which are the persons involved during the audit and what is their role
How many employees working in the audited organization
The the main products of the organization
Special events that occurred lately within the organization that might affect the product or the processes

The purpose is to gather information that can shed light on the audit’s report. This part is very important.

The next one is an informal advice!! Sometime the organization can’t compete with its requirements for various reasons that are or not depended on the organization’s ability to compete. It happens a lot. This is perfectly normal. But this is the time to explain why. If you know that some of the requirements are not fulfilled and there is a good reason, reveal it and explain exactly why, before the auditor sample the process and gets angry…

An opening meeting is not mandatory within internal audits. But it is within external audits. In this meeting the auditor should publish his schedules for the audit. Actually, the schedules should be published a week or so before the audit, allowing the relevant parties to prepare themselves. But in the opening meeting the auditor should declare the schedules again. Just to be polite.

And now the audit begins!

Ohhh! Stay calm! We are used to say: whatever happens, act as if it is normal! Another informal advice. Please erase the last comment from the protocol.

The main activity during the audit should be sampling. The auditor must sample the processes in order to determine whether the process was performed according to prior requirements… or not. Samples can occur as:

Records of processes
Documentations of any kind such as working instructions, quality plans or standard requirements
Records of Knowledge and employees trainings
Compliant product handling according to defined requirements

Any process that was sampled must be documented. The auditor must describe specifically what he had observed and document it. The documentation must indicate whether it is according to the requirements or not. The requirements can be such as:

A working procedures requirement
A quality plan
Customers’ requirements
A Standard requirements (not only ISO 9001 but any other Standard applicable)
A legal or regulatory requirement.

The ISO 9001 Standard requires a procedure specifying how the internal audit should be performed within the organization – one of the Quality procedures required by the ISO 9001 Standard. This is not a recommendation but a requirement. You must document it and maintain it. That means that it’s not enough to document the procedure, you must also prove that you follow what you define and actually perform it , perform a quality management activities for internal audits (chapter 8.2.2). It’s not easy being an auditor. It also not so easy to maintain all of the above without some help.

The audit’s findings

The documentation, during the audit, should include details about the processes sampled. The auditor should supply as much details as he can. These are the audit’s findings. For example, if he samples a construction plan, he should document:

Who is the customer
The planer
Which employee is responsible
The date of the plan
The plan’s status
The version or edition of the plan

This way, anyone who reads the report, has as much information as possible. The purpose is to make the picture clear. Remember who is assigned to read this report; the top management. They might seem far from the processes but once they hold the audit’s report they would be highly interested in any details written. Any sampled process leads to the audit’s results. Is or not according to the specific relevant requirement, these results, later are stated.

The audit’s results

Any finding during the audit should be indicated as three states:

Conformity: the process sampled was according to the relevant requirement , the audit’s criteria
Opportunity for improvement (OFI): the organization may or may not adopt this opportunity
Non conformity: the process sampled, was not according to the requirements, the audit’s criteria

Now’ we are getting to the most thrilling part – The nonconformities! Nonconformities may be documented three times during the audit.

First time, within the audit’s report along with the audit’s findings. We can also refer it as the report itself. Second time, where it is suitable, as nonconformities. Any audit report should bear at the end a summary of the nonconformities. Third time, as a corrective action.

The report’s summit

any audit’s report must have a summit. The auditor should concentrate all the non conformities and opportunities for improvement and present them together. The purpose is to go over them during the next audit and to review the treatment and to verify that all nonconformities are closed.

In the next stage the organization must eliminate the nonconformities. Nonconformity was revealed – the organization must introduce it into a controlled process in order to eliminate it. The auditor should also determine the time frame for conducting any corrective action. Want to know more about this subject? Turn to this section about the old famous CAPA. But the principle is very simple:

The organization should prove to the auditor that a corrective action was taken over any nonconformity (revealed during the audit) within the time frame that was scheduled.
The organization must prove closing these nonconformities by the next audit.

Summary:

The ISO 9001 Standard requires that the management would bear the responsible for the audit’s results. The audit’s main goal is to give a status report. The tactic of an audit (external or internal) is to evaluate the organization’s performances with reference to prior requirements. The main activity during the audit is sampling processes and documenting the findings. An opening meeting – the purpose is to gather information that can shed light on the audit’s report. This part is very important. The auditor must sample the processes in order to determine whether the process was performed according to prior requirements. The auditor must describe specifically what he had observed and document it.

Any finding during the audit should be indicated as three states: Conformity, opportunity for improvement or Conformity The auditor should concentrate all the non conformities and opportunities for improvement and present them together. The organization must eliminate the nonconformities. The auditor should determine the time frame for conducting a corrective action.