Later, a confidential, more detailed written audit report is completed. In addition to reiterating the findings presented at the closing meeting, the audit report includes objective data intended to assist not only those engaged in follow-up action, but also those conducting any subsequent audits. It also is important to define the clause or requirement from the appropriate standard or procedure for which the nonconformance was written.
The audit report needs to be issued as soon as possible after the audit is completed. If, for any reason, it cannot be issued by the deadline set in the audit plan, an explanation for the delay should be provided to the auditee and a revised issue date established.
Every effort should be made to ensure the report is kept at a reasonable length and conveys a balanced summary of the status of the areas audited. Excluding the corrective action requests, which are included as attachments, and the cover letter, the audit report should be no more than two pages. The report should always mention positive actions and practices that were observed during the audit. Certainly nonconformances and non-compliances that were identified during the completion of the audit must be documented, as well as any opportunities for improvement.
Audit Report ResponsibilityThe lead auditor has the responsibility to direct the preparation of the audit report. Information is obtained from working papers and input from all members of the audit team. Additionally, any agreements with the auditee regarding the results and conclusions can be included.
The audit report is shared among the audit team, and with the audit organization’s management, for review of accuracy and completeness. The integrity of the audit report process is the lead auditor’s responsibility and he/she must ensure that it reflects the tone and content of the audit. The audit report is signed and dated, minimally by the lead auditor, before distribution.
It is recommended that any communication with the auditee after the closing meeting and before distribution of the report be limited to the lead auditor. This reduces the risk of conflicting statements to the auditee.
Audit Report PurposeThe purpose of the audit report is to summarize the findings in a way that auditee management can readily understand and see the impact of these findings.
The report should not include specific recommendations for corrective action. It is the auditee’s responsibility to devise and effectively implement corrective actions appropriate to the observations and nonconformities found in the system.
In internal audit situations, the auditee typically has directive and consent powers with respect to corrective actions.
In order to create an effective audit report, members of an auditing team should understand the value of the information they gather and which items should be highlighted in the report.
Audit reports are often used:
Audit Report ContentISO 19011: 2002 provides a very good guideline for audit reports and should be reviewed and used as a reference by all quality auditors. The report should include, as applicable, the following:
When identifying positive practices try to be specific. “The corrective action process used by the widget manufacturing team is among the best we have observed.” Likewise, if positive behavior is observed try to be more specific. “Craig Miller, process engineer in the commodity department, was extremely helpful in his demonstration of how widgets are processed.”
The statement of nonconformity needs to be well written, clear and precise with enough detail that the auditee or process owner can use it to initiate root cause analysis. The audit report should contain specifics such as machine number, building location, assembly station, etc. The information on nonconformities will be critical to developing viable corrective actions.
It also is appropriate to comment on the perception of risk, or the identification of a process that is not being controlled as well as it should be. Since this is an OFI, and not a nonconformity, care should be taken to avoid saying that something is actually wrong, but to stress there is a risk that something might go wrong. As with nonconformities, observations or QFI’s should be linked to requirements. In this manner the auditee will be inclined to see that there is a basis for the concern.
Special SituationsSpecial considerations should be made in the following situations:
As a general rule, nonconformities that cannot be documented without protecting pro-priety information must be documented separately. These situations should be discussed with the auditee to ensure that corrective action will be taken. The auditee and the auditors should mutually agree on the documentation of proprietary information.
Audit Report Timing and Records
The audit report should be considered the end product of the audit. Care should be taken to protect the integrity of the report and the confidentiality of the information contained therein. Audit reports are considered a controlled document and should be maintained in accordance with approved practices, but minimally until the next scheduled au-dit of the same area.
Following these basic audit practices should ensure that the information management gets is accurate, reflects the status of the organization, and is detailed enough that it results in good business decisions and appropriate corrective actions. This is what makes the audit process effective. Anything less may result in an ineffective audit and the audit then becomes a meaningless exercise that may benefit no one. In such instances the client has no return on their investment in the audit; therefore, everyone loses.