Audit Findings are anything an auditor finds. The best kind of finding is “in conformance” where the auditor determines the requirement, and then has evidence of conformity, and so you’re good. Here is what to know about Audit Findings.
An opportunity for improvement is a possible improvement that is in the public domain that an auditor can suggest. The obligation for you to follow up on an OFI is zero, and in fact, the auditor shouldn’t even give it because it potentially taints his or her audit.
The second kind is an observation, which is that there is a condition that might be a non-conformity under different circumstances. Auditors will issue an observation to give you more time to solve a problem. The most frequent cause of an observation is lack of clarity in the requirement.
Areas of Nonconformity
There are other findings which indicate a nonconformity. Minor, which is not systemic and not affecting the product, and major, which is systemic and does affect the product.
These findings are discussed with the guide as the audit progresses, and the auditor makes sure he or she understands the evidence, and that conversation sometimes gets heated. That leads to Jim’s Rule #2 which is, don’t get into an argument with an ISO auditor
Opportunity for Improvement
An OFI is an area of possible improvement on which the auditor, because of his or her vast experience, may give suggestions. The obligation of the client to address an Opportunity for Improvement is zero.
As an auditor I personally am very hesitant to give opportunities for improvement because it quite often taints the audit. I can’t tell you how many times I’ve written up a non-conformance because the client says “that previous auditor told us to do that.” I am very careful about what to say after that.
Actually, one of the registrars that I work for that is heavily involved in Aerospace doesn’t encourage documentation of OFI because it’s hard to make it not seem like a non-conformance. Other registrars may have a different attitude.
Observation
An observation is a potential non-conformity, depending on the condition. It might not be a non-conformity today, but might be at some future time.
An auditor can use the observation to give you more time to solve a problem.
The auditor can use the observation to leave a message to the future.
The number one cause of an observation is lack of clarity in the work instruction.
I have actually done a lot of audits for companies that are from outside the US and not English speaking. One of the fun things to look at is how the technical language in the work instructions get lost in translation. When that happens, I typically just shrug and move on and ask the client to clarify what that work instruction actually means so that some future auditor (and the client’s personnel) can understand it.
My favorite story on this is the audit I did down in Augusta, which, as anybody knows, is hot and humid. This particular place made batteries that go into golf carts.
In the back of this place was a big open Quonset hut, and in the back of that was a plastic drum of Acetic Acid which had on it clearly labeled “do not store over 90F.”
So, the day I was there it was late fall, very pleasant and 75 degrees. Do I believe that this place would get over 90F in the middle of summer? So. an observation would be that at the moment, this wasn’t an area of non-conformity but it was going to be one in the future.
Minor Non-conformance
A Minor NC is a one-off failure of someone to do their job. This does not affect product integrity and not systemic or widespread.
Major NC
There are several ways to get one of these. Multiple minor NC of the same type (systemic issue). Multiple minor NC in the same process (indicates lack of process control). Repeated NC from previous audit (lack of corrective action or commitment). Known defective product going to delivery. Portions of the quality system missing.
Rules for handling non conformities are determined by the registrar. This is including timing, how to do the documentation, and process for acceptance.
A major non-conformance usually requires a follow up audit by your auditor. This happens sometime within a 90-day period, and you will be expected to provide objective evidence that you fixed your issue.
What to know about Audit Findings: Documentation of Audit Findings
One of the primary failures on this is lack of proper documentation of the non-conformity by the auditor. Unless the auditor is very careful to document what happened, where it happened, and what clause of the standard was violated, the auditee may not be able to properly respond.
So, if there is the slightest doubt as an auditee as to what the non-conformity was, ask for clarification.
Here’s an example:
NC-1
Raised by: Jim (there may be more than one auditor)
Severity (Minor, Major Observation or OFI)
Requirement: The organization shall determine, provide and maintain the infrastructure (Clause 7.1.3)
NC: Infrastructure is not always maintained as planned
Evidence: Maintenance procedure SOP-007 A Revision 3 calls for inspection of Machine #5 monthly. But, no objective evidence that inspection took place (Maintenance checklist not filled out).
How not to fail: Writing and responding to Findings
At the time of the audit, the auditor is supposed to confirm that you, the client, understands the non-conformity, including where it happened. This is because In some organizations, in huge buildings, it is easy to forget where something was found.
From that, the client should be able to figure out how to submit the action plan. The action plan is a way to address the issue. The registrar has a set of rules as to the timing of this.
The first part of the action plan is containment, which is fixing the immediate short-term problem, and then inspecting similar processes to be sure that the problem is not more widespread.
The client is expected to come up with a “root cause.” There is no specific methodology for this except that there is guidance by ANAB as to the best way to do this. This is because the system wants the client to deal with the root cause to avoid reoccurrence.
The action plan is submitted to the auditor who then either accepts it or rejects it. You’re then expected to implement the plan for containment, and then the longer-term plan for keeping the condition from happening again.
Reoccurrence of the non-conformity indicates one of two things: lack of commitment or ineffective corrective actions, and if either happens, it is problematic. This is because of the client’s commitment to meeting requirements. The finding is usually checked in the following audit, and upgraded to “major” if not addressed effectively.
Auditors Dislike a Vacuum
Here is a side issue, which is that auditors dislike a vacuum.
If your action plan and evidence of conformity are not clear, very often an auditor will invent a requirement for you. This is called “auditor overreach.”
This is a bad practice because it taints the audit. Some other auditor may come in behind him or her and have a different idea.
So, your plans for conformity (your processes and procedures) should be as clear as possible as to what needs to get done, and what form the objective evidence takes.
“The organization shall” appears in the standard 91 times. “The organization shall determine” appears 19 times
“The auditor shall determine” appears zero times.
So, the better you, the auditee, know the standard, and the more-clear your plan is, the easier it will be to push back on “auditor overreach”
The Auditor Hammer
The auditor’s job is to make a recommendation for certification or registration
The registrar (approval authority) makes the final determination. As an auditor I have been very thankful that this is the case. I have been in little conference rooms, a long way from Switzerland, and that makes for a potential abuse of the system.
The auditor can’t give you anything, nor take it away.
But, if you don’t take care of your findings, the auditor may recommend termination or suspension of the certificate
Anything the auditor says or does can be appealed, however.
The registrar has a set of rules on how to do this. But the point is, this is the only thing the auditor can do to “encourage” you to have better discipline, and even at that they give you follow up audits and plenty of opportunities to fix the problem.
ISO Training
Here is my link to Udemy course, “How Not to Fail at ISO9001”
https://www.udemy.com/course/how-not-to-fail-at-iso9001/learn/lecture/34733460#content
Here’s the link to my Quality Systems Training. You can hire me to give this training in person, complete with questions and answers, and along with a few decades worth of horror stories about product quality, dangerous products, and why people don’t do their jobs.
HTTP://www.jimshell.com/quality-systems-training/