There are some misconceptions about what ISO audit findings are. In this article, I attempt to explain clearly what audit findings are, what types of findings may be generated in an audit, and the guidelines that are widely used to categorize audit findings.
What are the results of audits?
Depending on the audit style adopted by the organization or the company's audit procedures, the audit report for internal audits may list all 4 different types of findings explained below, or only some of them. The organization may decide that only non-conformances (NCNs) will be reported on the internal audit report. The ISO 9001:2008 standard requires organizations to have a documented procedure for how audits will be carried out; however, it does not specify exactly how audit findings should be reported. So it is up to the company to decide what audit findings are reported and how they are handled.
External audits are handled somewhat differently. While each registrar has its own procedure for how audits are conducted and how reports are issued, most registrars will issue various types of findings, such as noteworthy efforts, observations, opportunities for improvement and non-conformances. It is important to note that registrars, based on accreditation body guidelines, would not require action or response on any finding type except for non-conformances.
What are Findings?
ISO audits do not result in a grade, percentage or score. The results of ISO audits are findings. Findings can be good or bad. A few types of findings are:
- Praises or noteworthy efforts
These are areas that were observed during the audit and that are seen as excellent examples of implementation of the requirements of the standard. Noteworthy efforts are also given when the practices are seen as best in class. They could also be issued when the company has shown significant improvement in certain areas since prior audits. Noteworthy efforts do not require any action. When they are included in the audit report, it is for reporting purposes only and to show the organization the areas it can feel proud of.
- Observations
Observations are simply areas pointed out by the auditor as being in compliance but very close to becoming a nonconformance, or areas that, given additional evidence, could turn into a nonconformance. Observations can be looked at as “accidents waiting to happen”. We at Mireaux advise our clients to treat observations very seriously and in fact to incorporate them into the organization as preventive actions and handle them as such. This helps tremendously with balancing corrective and preventive action: most organizations have a really hard time issuing preventive actions. It also makes effective use of audit reports by taking into account the auditor's efforts and experience.
- Non-conformances
Non-conformances or NCNs are areas where the organization’s quality management system does not comply with one of the requirements of the standard, or where the organization failed to show evidence of compliance. Non-conformances have a clear requirement that was not met, and there is clear evidence of what was seen, or not seen. Non-conformances have 3 elements:
Nonconformities are, in essence, just another type of finding; however, they are the type that everyone concentrates on and that the organization worries about most.
- Opportunities for Improvement
Opportunities for improvement are areas that are not necessarily wrong or failing to meet the requirements of the standard. Unlike observations, opportunities for improvement are not accidents waiting to happen; rather, they are practices that have been implemented poorly and either do not add value or consist of several non-value-added steps. Auditors usually point out opportunities for improvement when they believe, based on their expertise and expanded view of quality management systems, that those practices could be enhanced or done more efficiently.
Grading or classifying Nonconformities
Some registrars classify their non-conformances as major and minor, that is, major non-conformance and minor non-conformance. Other registrars classify non-conformances as Category 1 and Category 2. Those terms are basically interchangeable:
- Major non-conformances or Category 1
Major non-conformances are those findings where an element of the ISO standard has not been met or where there is a significant breakdown in the quality management system. A group of minor NCNs in the same specific area of the standard may also be elevated to Category 1. Minor NCNs that have not been properly addressed after a whole audit cycle may also be elevated to Category 1.
- Minor non-conformances or Category 2
Minor nonconformities are those where there is a minor lapse in the quality management system and where it is basically evident that the system or requirement has been established and, for the most part, is implemented correctly.
ISO non-conformances generated from internal audits are typically not even classified as major or minor and are simply reported as non-conformances in the audit report.