Writing Audit Reports

Audit Reports

Audit Evidence

Corrective Action

Opportunities for Improvement

Example Audit Report

Writing Audit Reports

The Audit Report is prepared under the direction of the Team Leader.  It is the Team Leader who ensures overall accuracy and completeness of the report.

The Audit Report is prepared before the Closing Meeting by the audit team during its final review meeting.  In this meeting, the Team Leader leads the discussion by asking the team members to discuss their respective findings, concerns and impressions.  The team members identify their respective audit findings and notations justifying their position when requested by the Team Leader.  From this discussion, certain conclusions can be drawn.

Often, it is not possible to reach a concise and final conclusion to the audit process until this meeting simply because this is typically the only time when all audit team members share their notes.  Based upon these discussions, however, the Team Leader is able to suggest conclusions and recommendations. 

The Team Leader, in considering what the audit team’s conclusions should be, must listen for an understanding regarding the system’s effectiveness in ensuring that quality objectives will be met during the review in individual input.  This review is a high level review that outweighs specific individual inputs.  The review of information must be a collective review.  Only by this collectivity of information can the conclusions and recommendations be soundly considered.

Depending upon the Team Leader’s suggestions, it is possible to have immediate consensus.  Alternately, if there is a difference of opinion, the Team Leader must then further discuss with the members their thoughts.  Ideally, the audit team reaches a consensus.  It then becomes easy to speak as one during the presentations at the Closing Meeting.  However, the Team Leader is ultimately responsible for the contents of the report; and therefore, must make the final decision, though it may not necessarily be the popular decision.

The Audit Report contents must represent a fair and accurate accounting of events which states the recommendations and conclusions supported by both positive and negative objective evidence.  It is essential for the Team Leader to review all report contents to ensure their acceptability.  Should there be any question as to the validity of a finding or notation, the Team Leader must ask for clarification.  Typically, even though the finding may be somewhat questionable, the Team Leader will allow it to remain.  If, however, there is a fundamental flaw in a finding, it is the Team Leader’s responsibility to address the issue to the point of removal if necessary, even if this removal causes a bit of a rift in the team membership.  The Team Leader’s first responsibility is to the audit process.  The audit team membership must accept the Team Leader’s final conclusions and recommendations.

The Team Leader is responsible for the preparation of the final report.  However, the Team Leader quite often only prepares the relevant cover sheet, summary and conclusion sheet, plus any specific investigation activities he or she may have directly participated in.  Additionally, it is the Team Leader who is responsible for ensuring the overall conclusions and recommendations recorded onto the report are supported by the balance of the report contents.  The audit activity summaries must be concise listing both the positive and negative audit evidence, and the nonconformance reports must clearly state the relevant findings and failed requirements. 

The Team Leader is the one person who must sign the report.  However, it demonstrates positive leadership when the Team Leader shares the signing with the other audit team members.  A ‘oneness’ is clearly developed and demonstrated when each member of the audit team has signed the Audit Report.  The entire audit process wins!

At the conclusion of the Closing Meeting, the Team Leader will typically distribute a copy of the Audit Report (subject to the policies of the organization and the requirements of the Quality Management System) to the audited organization’s representative.  From this point on, the organization is responsible for any further distributions.

Audit Reports are confidential.  These reports must be treated as such and, therefore, all necessary safeguards must be used to ensure they remain so.  The only distribution points authorized are typically to the audited organization and the auditing authority.  Auditors may keep copies only when the organization permits it.  Otherwise, no additional copies are produced and held.

Additionally, confidentiality extends to all documents used by the audit team, such as manuals procedures, instructions, and technical data sheets.  Copies of such documents provided by the organization for the audit must be returned.    

The Team Leader must ensure the return of these documents at the end of the audit process.  Typically, this event occurs at the signing and distributing of the Audit Report.  If certain documents are to be retained, for whatever reason, some form of written notice is made.  This could even include a notation within the body of the report itself.  

Audit Reports

Audit Reports are written after the formal audit which follows the Audit Plan.  The Audit Report states the scope of the audit and all relevant Standards / Specifications / Procedures / Processes / etc. to which the audit took place.  The report details audit evidence, nonconformances and observations raised.

A summary of events should be stated giving the reviewer a complete picture of the audit activities.  This includes a restatement of the QMS structure, specific serious nonconformances, if any, actions resulting from previous visits, and the audit team’s conclusions and recommendations.

Further, all participants, such as the audit team members, organization representatives, and other observers, along with any other areas visited and by whom, should be stated within the report.

The Audit Report must be fully reviewed with the representatives (Auditees), after which signatures are requested.  During this formal review of the report, should the representatives wish to formally add to the report in the form of a written addendum, the Team Leader shall afford them this opportunity and then include it in the report.

Lastly, a follow-up review and / or area visit should be agreed to address any nonconformances identified using the Nonconformance / Corrective Action Report issued by the audit team.

Audit Reports take on many shapes.  Whatever their appearance, they must achieve one goal - communicate to the reviewer, usually a senior manager, the true state of the system audited.  Audit reports include essential information identifying the event, the results of the event and follow-up activities that may be required from the event.  Follow-up activities required as a result of the audit are typically presented in the form of Nonconformance / Corrective Action Reports.

Audit Reports are a source of process or system information and action at the Top Management review levels.  They must be coordinated in a presentable manner for review.  Further, Audit Reports are long term records of conformance and must, therefore, be archived for longer periods of time than most other documents and records.

Audit Reports include these essential elements:

Scope and objectives - The scope and objectives of the audit are best described by expressing the ‘whys’ of the audit and the ‘whats’ of the audit,

Control numbers - Each audit report is a controllable quality document and must be referenced into the Quality Management System’s document control structure,

Area references - The area(s) or section(s) under review must be stated on the audit report.  Without this reference, the report cannot represent any specific activity,       

References - Each procedure or Standard section audited must be stated using both the procedure or Standard reference number and a description,

Auditor - The auditor name must be stated on the report.  This includes space for signatures, as applicable,

Representative (Auditee) - The auditee name must be stated on the report.  The auditee is the person directly involved in the audit process.  There must be space for signatures, as applicable.  (Note: only the auditor must sign the report.)

Audit Evidence - Audit evidence is the teeth to any report.  It is what authenticates the audit.  Both positive and negative audit evidence must be recorded in the report,

Results - State whether the audit evidence is acceptable or not,

Recommendation and Conclusions - The final opinion of the auditor (audit team) based on facts requires recording.  It may be to include specific actions, or it may be merely to maintain status-quo.

Completion Signature - An audit is only completed after all investigations are finished and any ensuing follow-up activities are complete.  Upon these activity closures, the Audit Report must be reviewed and endorsed by the audit authority, typically the Audit Coordinator or Quality Manager or other QMS nominated Management Representative.

Audit Evidence

Audit evidence is:    

It is used to support audit findings recorded in Audit Reports.  Without audit evidence, no Audit Report results, conclusions or recommendations can be substantiated and supported.

Audit Reports must demonstrate a balanced approach to the event; both positive and negative audit evidence must be recorded.  The auditor collects and reviews audit evidence in line with the investigation requirements in order to formulate a conclusion ... an audit finding.

Audit evidence is recorded onto the Audit Report in such a manner so that it is clear precisely what was reviewed and what decisions were made around it.  Examples of audit evidence are:

• Purchase Order Numbers,

• Test Report Numbers,

• Supplier Records and Identification,

• Training Records,

• Procedure Numbers,

• Work Instruction Numbers,

• Production Machine Numbers / Locations,

• Management Review Minutes,

• Production Meeting Minutes

• Calibration Certificates.

This list can go on and on, and the nature of the evidence collected, reviewed and recorded depends on the processes and areas audited.

Further, whenever audit evidence is used to describe a nonconforming condition or opportunity for improvement, additional clarity is required.  The reader must be absolutely clear as to the nature of the issue; therefore, in addition to the specific references, an explanation of the issue is required.  Together, they build the needed picture of audit evidence to support the audit finding.

Corrective Action

Corrective action resulting from an audit is intended to affect change and/or correction as soon as possible with a goal of establishing or re-establishing the quality system mandates.

There are two types of corrective actions: 

• Procedure,

• Performance.

Procedure related corrective action is change to procedure... essentially, this means adjusting a written procedure or process to reflect or clarify an existing practice only.  No further changes in performance are required.  Performance related corrective action is change to or reinforcement of an existing practice or process... this means adjusting to a new method of performance or activity.

Understanding the difference between these types of corrective actions is fundamental when agreeing a follow-up visit date.  Procedure related corrective actions only require a review of the newly issued procedure; no further objective evidence is required and becomes subject to closure immediately.  However, when a performance related corrective action is agreed, a reasonable period of time must be agreed from when the corrective action is to be implemented to when the follow-up visit takes place.  The time required must be sufficient in order to evaluate the new performance mandate.

It is possible to have a combination of both a procedure and performance related corrective action.  When this occurs, the auditor must treat the corrective action as performance related as there must be a review of change to activity as well as reviewing the revised procedure.

Opportunities for Improvement

Improvement activities are prescribed in ISO 9001:2000 through the clause 8.5.1 (Continual Improvement).  This clause addresses internal audits as one of its components:   

Internal audits are a management tool for improvement.  It is essential that Audit Reports identify opportunities for improvement wherever identified.

Auditors do not own the processes they audit; however, they are participants in the general process of identifying opportunities for improvement of the activities audited whenever presented to do so.  At no time is it the responsibility of the auditor to tell a process owner to change; rather, it remains the responsibility of the auditor to be an active partner / participant in the review of the process being audited.

Opportunities for improvement arise whenever there is imminent risk of failure to the process.  For example, an audit investigation may have run its course successfully with little or no issues raised, in fact, there is clear evidence that the process or system being audited is performing quite well; and yet ... during the investigation, it was determined that there is no mechanism whatsoever for replacing or substituting a signing authority for a set of reports whenever the named authorized individual is off-site; essentially the work stops whenever this individual is gone.  This is a problem; there is an inherent risk of failure; maybe not today, maybe not tomorrow or next week, but certainly this process is destined to fail ... an opportunity for improvement!

Section 6 Review - Crossword Puzzle

GO TO SECTION 7

Return to the top of this page