Audit Results (Findings and Evidence)
During the audit, the auditor samples, observes, asks questions, examines processes or processes outputs like records or products, or observes locations where a service was provided.
The inspections or observations shall be considered and recorded as the audit findings. The findings will be used for the audit’s conclusions and will describe what the auditor saw and revealed.
These shall then be compared to the predefined criteria and shall indicate the status of the processes or products: conformity, nonconformity, or opportunity for improvement.
The findings include the evidence that the auditor reviewed (e.g., processes, products, records); for each, he or she may document
• What was presented or found—whether it is a product or a record
• The context: what is the relevant process or product
• The requirement or the relevant criteria
• The significance of the process to the QMS and its influence on the quality of the product
• Changes that may affect the QMS (will be discussed in the next paragraph)
• Results of the previous audits (will be discussed in the next paragraph)
Indicating the significance is important for the classification of the findings, particularly when the auditor reveals a deviation from the specifications and must decide whether to submit it as a nonconformity (when the process is significant) or just as an opportunity for improvement.
That is why the auditor must have the knowledge, the ability, or at least the minimal understanding of the area he or she is auditing for deciding what is significant and what is not.
Accuracy of the documentation is important for the next step; the classification, for example, good, opportunity for improvement, or corrective action, is required (which will be reviewed later).
This is the most important part of the audit report.
Changes Affecting the Organization
One of the issues that must be reviewed during the audit is the effect of occurred changes on the QMS and their consequences. If such changes are relevant, they and their consequences will be mentioned to the auditor at the beginning of the audit.
A good example is changes in the product—the auditor must know about such a change in order to assess whether it was properly implemented. Changes to the QMS are referred two times on the standard:
• 6.3—Planning of changes—where it is required to develop a method for planning the implementation of changes
• 8.5.6—Control of changes—where it is required to ensure that changes do not affect the ability of the organization to continually provide goods or services that conform to the requirements
Those two aspects of changes will be reviewed during the internal audit, and the auditor will review
• Changes that occurred in the QMS since the last audit
• Changes in the specifications or requirements of the product
• Changes in processes
• Change in resources
• Changes in documentations
• Changes that were submitted to a planned method for implementation
• Changes that were reviewed for assurance that they do not affect the ability of the organization to continually provide products or services that conform to the requirements
In practice, the audit plan shall include references to changes in the QMS, shall indicate their consequences and the results of the audit, and shall prove that those changes were reviewed.
Results of Previous Audits
The results of previous audits shall be referred in the internal audit. This requirement refers mainly to nonconformities that were revealed during previous audits but may refer also to opportunities for improvement.
The organization shall prove to the auditor that :
• For each nonconformity, a corrective action was taken within the scheduled time frame, the treatment was effective (objectives were achieved and the nonconformity was removed), and the nonconformity did not occur again
• Where opportunities were adopted, the implementation was effective
In practice, the audit plan shall include references to the results of previous audits, and the results of the internal audit shall prove that those findings were addressed.
The Classification of Audit Findings
Any findings during the audit shall be indicated with one of the following classifications:
• Conformity—the process or product sampled was in accordance with the relevant requirements and criteria.
• Opportunity for improvement—in the auditor’s opinion, an improvement can be applied to the matter, and the organization may or may not adopt this opportunity and submit it to the control of opportunities as required in clause 6.1—Actions to address risks and opportunities.
• Nonconformity—the process sampled was not according to the requirements and the audit criteria.
• If the organization feels the need to add another classification suitable to its nature or processes, it may do that.
This classification is important for the auditee to know afterward where he or she must invest resources; nonconformities must be removed while opportunities for improvements may be considered.
Non conformities Revealed in the Audit
Nonconformities revealed during the audit must be addressed, documented, and submitted for correction.
The nonconformities may be documented three times during the audit process:
- Within the audit report along with the audit findings. We can also refer to it as the report itself.
- Where it is suitable, as nonconformities.
Any audit report should contain a summary of the nonconformities revealed during the audit.
- As an input for a corrective action followed by the audit.
When nonconformities are revealed, they should be applied to a controlled process.
The ISO 9001 Standard specifically requires that for each nonconformity, a decision and an action will be determined without unnecessary delays in order to ensure that they will be handled and removed.
The goal is to verify that the nonconformities are removed or eliminated and will not be repeated. In order to ensure the submission to the correction, you need to initiate the interrelation between the internal audit process and the control of nonconformities (as required in clause 10.2— Nonconformity and corrective action), where the outputs and the nonconformities discovered in the audit shall serve as inputs to the control of nonconformities and opportunities shall serve as inputs to the continual improvement process.
Communicating the Results
Any audit must have a summary report that will communicate the results to the appropriate persons in the organization. The auditor should gather all the information, data, findings, nonconformities, and opportunities for improvement and present them together in one report.
The goals are to provide the organization with a status report regarding the QMS and for follow-up during the next audit, to review the treatment, and to verify that all nonconformities are closed.
Who are the target groups of this report?
• The function that is responsible for the auditee
• The auditee—workers of personnel if the organization finds it appropriate
• The top management
This report is a tool for those target groups for understanding the status of the QMS and of the organization with reference to the requirements or the criteria. Therefore, it is recommended that the report be designed in a format that would be easy to understand.
Retaining Documented Information
The documented information of the internal audit is the output of the audit process. The organization shall retain documented information as demonstration for the planning of the audit as well as evidences for implementing the program and plan and conducting the audit activities.
The records of the internal audit have several goals:
• Planning the audit and the audit activities
• Ensuring that the audit was conducted according to its scope
• Proving that activities were performed according to the plan
• Proving that objectives of the audit were achieved
The documentation shall be submitted to the control of documented information as required in clause 7.5—Documented information.
The ISO 9001 Standard chooses not to refer to the distinction between two types of the documentations:
• Documented information used for the planning of the audit such as the audit program and plan
• Records and evidence of the implementation of the audit program and the audit results such as audit protocol or audit report
Which documented information may we expect?
• Audit program—a document describing the program
• Audit plan—a document describing the activities of the audit
• The audit report
• The reviewed issues such as changes or follow-ups of previous audits
• The findings of the audit—a documentation of what was inspected and observed
• List of detected nonconformities and opportunities
• Summary report
Clause : 9.2.1
• The organization shall conduct internal audits at planned intervals.
• The internal audit shall provide information on whether the QMS conforms to the organization’s own requirements for the QMS.
• The internal audit shall provide information on whether the QMS conforms to the requirements of the ISO 9001 Standard.
• The internal audit shall provide information on whether the QMS is effectively implemented and maintained.
Clause : 9.2.2
• The organization shall define, implement, and maintain an internal audit program.
The program shall refer to
• The frequency and intervals of the audit
• The methods for conducting the audit
• Roles and responsibilities that take part in an internal audit
• Planning requirements
• Reporting the results
• The organization shall define the scope of the audit.
The results shall include reference to :
• The importance of the audited processes, activities, or operations
• Changes that may affect or might have affected the organization
• The results of previous audits
• The organization shall define the criteria for the audit.
• The organization shall select auditors and conduct the audit to ensure objectivity and the impartiality of the audit process.
• The organization shall ensure that the results of the audit are communicated and distributed to the appropriate relevant managerial levels.
• The organization shall ensure that nonconformities are addressed and corrective actions are applied without unnecessary delays.
• The organization shall retain documented information referring to the findings and results of the audit as evidence of the implementation of the audit program and the audit results.
• Remark—the ISO 19011 Standard may serve as guidelines for establishing and implementing QMS auditing.