Write better audit reports
Do your audit reports give the right information? The outlines what your reports should contain
The audit report is an important tool in demonstrating that organizations are satisfying the requirements of ISO 9001. While ISO/IEC 17021 outlines the minimum requirements for reporting, it does not define a specific format for ISO 9001 reports. The format and content of an audit report may vary depending on the size and nature of the auditee and on the objectives and scope of the audit. Not all of the topics listed below are applicable to every type of audit, and the sequence of topics can vary.
Introduction
This section of the report should reference the mandatory requirements of ISO/IEC 17021 and the guidance given in ISO 19011.
Executive summary
This section should concentrate on giving a summary of the overall effectiveness of the quality management system, including information on its strengths and weaknesses, continual improvement and other key performance indicators.
Particular highlights of the audit should be commented upon, as well as an overview of any findings that represent nonconformity or significant ‘areas of concern’ that could become a nonconformity. The conclusions of the audit regarding conformance to the standard against which the organization is being assessed, and any recommendations, should be stated.
The organization should be thanked, as appropriate, for its hospitality, cooperation and openness.
Management commitment, objectives and targets
Comment on the organization’s processes for determining, setting and communicating policies and objectives. It should cover monitoring, measuring, reporting and reviewing against key performance objectives. It should include appropriate comments regarding the progress the organization has made against its objectives since the last audit.
Actions taken on previous audit issues
Comment on the organization’s ability to determine the root causes of previously identified quality problems and on the effectiveness of the actions it has taken to correct such situations and prevent their recurrence. It should also comment on the sufficiency of the organization’s formal processes for corrective and preventive action.
Internal audit, management review and continual improvement processes
Comment on the timeliness and effectiveness of the internal audit, management review and continual improvement processes with regard to the risks associated with achieving and maintaining quality.
Additionally, it should provide comment about the organization’s progress:
- in its actions aimed at continual improvement
- in monitoring information relating to customer satisfaction and perceptions of the organization’s performance relating to quality.
Impact of significant changes
This section could apply to any type of audit, but it is more likely to be applicable at surveillance and re-certification audits rather than initial audits. Details that should be recorded include the impact of changes in, for example, ownership, key personnel and scope of certification.
System requirements and interrelationships, functions, processes, areas audited
The heading of this section may need to be customised to refer explicitly to specific functions, areas or processes, for example, sales, warehouse, training and competence or customer perception.
The following should be identified:
- the standard being used as the basis for the audit
- the situation being audited
- the key documents and records used during the audit.
This section can be used to give comments about the conformance of the organization’s management system to a clause or specific requirement of the standard. Similarly, it can be used to provide comment about the way different aspects of the organization’s quality management system work together (either in synthesis or separation) with their respective impacts on the ability of the system to deliver its intended outputs.
Such comments should be focused on the effectiveness of the links between the standard’s requirements and factors such as the organization’s policy, performance objectives, any applicable legal requirements, responsibilities, competence of personnel, operations, procedures, performance data or internal audit findings and conclusions.
The comments on processes will probably account for most of the report, as a quality management system is generally audited process by process. The report should address the applicable requirements for each process being covered and should focus on the process factors that assist or hinder consistency or improvement of the outputs.
And that’s not all
Other sections the APG recommends including in audit reports comprise a description of the site visit, commentary on the organization's compliance with legal, regulatory and other requirements, and an examination of the continuing effectiveness of the system. The report should end by highlighting the issues that require the auditees' further attention, followed by a disclaimer saying that the audit is based on a sampling process of the available information and that, consequently, there will always be an element of uncertainty present in auditing evidence, which may be reflected in the audit findings.
It should also advise that the recommendations from the audit will be subject to an independent review, before any final decision is made concerning the awarding or maintenance of certification.
The ISO 9001 Auditing Practices Group is an informal group of quality management system experts, auditors and practitioners drawn from ISO/TC 176 and the IAF. It has developed a number of guidance papers and presentations that contain explanations about the auditing of quality management systems. These reflect the process-based approach that is essential for auditing the requirements of ISO 9001.
