When an audit concludes, the audit team presents its findings to the auditees at a closing meeting. At the closing, or before the audit team departs the facility, it is typical for the auditee’s representative to receive findings in handwritten format. This documentation contains only factual statements of nonconformities supported by objective evidence.
Later, a confidential, more detailed written audit report is completed. In addition to reiterating the findings presented at the closing meeting, the audit report includes objective data intended to assist not only those engaged in follow-up action, but also those conducting any subsequent audits. It also is important to define the clause or requirement from the appropriate standard or procedure for which the nonconformance was written.
The audit report needs to be issued as soon as possible after the audit is completed. If, for any reason, it cannot be issued by the deadline set in the audit plan, an explanation for the delay should be provided to the auditee and a revised issue date established.
Every effort should be made to ensure the report is kept at a reasonable length and conveys a balanced summary of the status of the areas audited. Excluding the corrective action requests, which are included as attachments, and the cover letter, the audit report should be no more than two pages. The report should always mention positive actions and practices that were observed during the audit. Certainly nonconformances and non-compliances that were identified during the completion of the audit must be documented, as well as any opportunities for improvement.
Audit Report ResponsibilityThe lead auditor has the responsibility to direct the preparation of the audit report. Information is obtained from working papers and input from all members of the audit team. Additionally, any agreements with the auditee regarding the results and conclusions can be included.
The audit report is shared among the audit team, and with the audit organization’s management, for review of accuracy and completeness. The integrity of the audit report process is the lead auditor’s responsibility and he/she must ensure that it reflects the tone and content of the audit. The audit report is signed and dated, minimally by the lead auditor, before distribution.
It is recommended that any communication with the auditee after the closing meeting and before distribution of the report be limited to the lead auditor. This reduces the risk of conflicting statements to the auditee.
Audit Report PurposeThe purpose of the audit report is to summarize the findings in a way that auditee management can readily understand and see the impact of these findings.
The report should not include specific recommendations for corrective action. It is the auditee’s responsibility to devise and effectively implement corrective actions appropriate to the observations and nonconformities found in the system.
In internal audit situations, the auditee typically has directive and consent powers with respect to corrective actions.
In order to create an effective audit report, members of an auditing team should understand the value of the information they gather and which items should be highlighted in the report.
Audit reports are often used:
As a basis for initiating corrective and preventative action measures by auditee and/or management. Audit results provide objective evidence and unequivocal guidance as to changes and improvements that may be needed in the system. Because audit results are objective and impartial, they can influence unbiased business decisions.
To aid in making cost-effective financial decisions relating to improvement. Organizations stay in business by making a profit, or in the case of not-for-profit organizations, by being able to meet its financial obligations. Management concerns itself with the most efficient use of the company’s available dollars. Even in regard to quality, management must optimize the cost expended vs. the quality provided. The audit report assists management in making decisions to improve a process or product in the most cost-efficient way.
As a factor in decisions to audit outside suppliers.
To determine acceptance under customer mandated requirements; for example, registration to national or international quality system requirements.
Audit Report ContentISO 19011: 2002 provides a very good guideline for audit reports and should be reviewed and used as a reference by all quality auditors. The report should include, as applicable, the following:
The scope and objectives of the audit. This would include areas that were audited. When the scope is broad and inclusive of multiple sites, this would be very important, as the boundaries need to be defined.
Details of the audit plan.
Identification of the reference documents and standards against which the audit was conducted. For a third-party audit, this would typically include the quality management system standard, such as IS0 9001, ISO/TS 16949, ISO 17025, etc. For internal audits, the documents and standards may be a list of internal documents and procedures associated with the functions and activities that were audited. Examples may include the quality plan, approved procedures, policies, work instructions, etc.
Identification of the auditor or audit team members. When multiple auditors are used, the lead auditor must be identified. The auditee representative also should be identified.
Audit dates and length of the audit needs to be identified. This is important as it provides evidence that audits are conducted in accordance with established audit schedules. By identifying the audit days, it also is evidence of resource needs. This provides an indication of expenses the organization has spent and might need to consider when planning future audits.
Identification of interviewees. Process owners should be interviewed and names documented. Recording of the names, on working papers, of interviewees provide connectivity to objective evidence while providing supporting evidence that the auditors have fulfilled the requirements of the audit process.
Auditors should always find positive activities or areas of best practices to highlight. Modern auditing is not about catching people doing something wrong; it is about confirming compliance and conformance. Therefore, it is important that the audit report mention positive practices or behavior.
When identifying positive practices try to be specific. “The corrective action process used by the widget manufacturing team is among the best we have observed.” Likewise, if positive behavior is observed try to be more specific. “Craig Miller, process engineer in the commodity department, was extremely helpful in his demonstration of how widgets are processed.”
Documentation of nonconformities. When documenting findings, it is important to be clear and precise. What is the actual nonconformity and why is it a nonconformity? What standard has been violated? What is the objective evidence used to determine that a nonconformity exists?
The statement of nonconformity needs to be well written, clear and precise with enough detail that the auditee or process owner can use it to initiate root cause analysis. The audit report should contain specifics such as machine number, building location, assembly station, etc. The information on nonconformities will be critical to developing viable corrective actions.
The audit report should be concise. Auditors should use care not to over-load the auditee organization with minutia. For example, if there are findings in three different areas regarding document control, combine them into one finding that indicates where the non-conformities were noted. Although no firm rule exists, this auditor recommends keeping the number of findings to 10 or less as a general rule. Also, when documenting nonconformities, much care must be taken to protect sources of informa-tion and not to reveal the sources of nonconformities (generated or caused by individuals).
Identification of Opportunities for Improvements (OFI) or Areas of Improvement. It is permissible for auditors to make statements, or judgments, regarding the auditee’s compliance with the applicable system standards and related documentation.
It also is appropriate to comment on the perception of risk, or the identification of a process that is not being controlled as well as it should be. Since this is an OFI, and not a nonconformity, care should be taken to avoid saying that something is actually wrong, but to stress there is a risk that something might go wrong. As with nonconformities, observations or QFI’s should be linked to requirements. In this manner the auditee will be inclined to see that there is a basis for the concern.
Distribution list. For external audits, the report distribution is small and generally limited to the client-typically the organization management representative. The client or representative has the responsibility for broader distribution within their organization. For internal audits, the audit report distribution tends to be much larger, but is typically specified in an internal procedure governed by the audit group management.
Special SituationsSpecial considerations should be made in the following situations:
Proprietary information should be handled with sensitivity. Typically, proprietary processes and related information should be identified in the planning stage and discussed at the opening meeting.
As a general rule, nonconformities that cannot be documented without protecting pro-priety information must be documented separately. These situations should be discussed with the auditee to ensure that corrective action will be taken. The auditee and the auditors should mutually agree on the documentation of proprietary information.
Evidence of fraud and abuse also require special handling outside the typical report. All evidence with respect to fraud or abuse, upon discovery, should be referred im-mediately to the auditee’s legal department. These items should be documented in a sepa-rate letter to the auditee and included in the audit report only with the concurrence of the auditee and auditor management.
Audit Report Timing and RecordsThere is no hard rule on the publication of the audit report. The timing should be established during the planning and preparation phase with agreement from the auditee. For internal audits, there should exist some guidelines for timeliness of issuing reports. As a general rule, audit reports should be distributed in seven to 14 calendar days. “If the report is not published within two weeks, the auditee has an indication of the importance you give it. Additionally, the quality of the report is jeopardized as the audit team might not be able to accurately clarify questionable findings if too much time passes between the audit and receipt of the report.”
The audit report is considered a “long-term quality record. Paper copies, in addition to electronic files, shall be maintained by the audits manager.” Audit reports and other records, including data supporting the quality records, should be maintained in accordance with documented retention schedules. In absence of a documented schedule, “at least five years retention is recommended.” With the onset of computer technology, we should be prepared for an extension of the recommended retention guidelines.
The audit report should be considered the end product of the audit. Care should be taken to protect the integrity of the report and the confidentiality of the information contained therein. Audit reports are considered a controlled document and should be maintained in accordance with approved practices, but minimally until the next scheduled au-dit of the same area.
Following these basic audit practices should ensure that the information management gets is accurate, reflects the status of the organization, and is detailed enough that it results in good business decisions and appropriate corrective actions. This is what makes the audit process effective. Anything less may result in an ineffective audit and the audit then becomes a meaningless exercise that may benefit no one. In such instances the client has no return on their investment in the audit; therefore, everyone loses.