by Richard Vincins
Many auditors struggle with deciding what level of importance audit findings constitute in relation to an organization’s quality system or audit criteria. More important, auditors must also decide whether to issue a corrective action or give only a recommendation for corrective action.
Whether the audit criteria calls for verification of the quality system against the company’s own procedures or against a regulatory standard, audit findings must be evaluated for significance. In most audits the issuance of a corrective action is an automatic process that is mandated by the company’s internal procedure. This article will discuss this approach as well as some alternative approaches that can be taken for ensuring that important audit findings can be effectively prioritized over insignificant findings. It will discuss some approaches that auditors can either assign corrective action based on their experience with auditing or using a risk-based approach.
Let’s look first at how most organizations, registrars, or regulatory agencies assign levels of importance to audit findings. Auditors generally assign findings as major, moderate, and minor to observations; some companies only assign levels of major or minor. Depending on the type of audit being performed, auditors can also assign audit findings as opportunities for improvement (OFI) or recommendations. The basic definition of these different categories is shown in the sidebar, and many organizations will establish their own definitions for levels of audit findings. The importance of a major observation vs. a minor observation may result in the company receiving certification or obtaining a contract. This means that every auditor must understand the difference between important audit findings and insignificant findings when they are assigning categories.
The assignment of the category for audit findings is usually left up to the auditor who ultimately may make the recommendation for corrective action.
The most common method for determining whether a corrective action is assigned based on the importance of the audit finding is based on auditor experience. The difficulty with this approach is that new auditors or auditors of unfamiliar management systems may struggle to understand what is important. There are many times when an audited organization gets frustrated or even hostile because the auditor has assigned a major audit finding on an observation that the company deems insignificant. This is particularly important if the assignment of a major observation will prevent the company from receiving certification.
The most common way to gain this experience is for a new auditor to use trial and error as he or she becomes familiar with the types of observation the auditor might encounter during an audit. New auditors should read previous internal audit reports, third-party audit reports, and audit findings that are published publically. The FDA’s warning letters from facility inspections is a good source. An auditor who does not have enough experience will definitely struggle trying to determine if an audit finding is important. The biggest danger of not properly assigning audit findings is that a company might not take any audit finding seriously. This may result in failure of the quality system and ultimately generate a loss of quality for the finished product. There is no magic approach to this method but continued experience in conducting audits will help the auditor determine important audit findings from insignificant ones.
Another method for determining whether corrective action is assigned based on the level of audit finding is to use a risk-based approach. This has been gaining momentum in the last few years because it partially removes the guess work associated with auditor’s experience. Although the risk-based approach is more itemized, it still requires auditor training and experience because ultimately the auditor will still have to decide the level of severity associated with the audit finding. The risk-based approach provides more granularity of the audit process because utilizing severity of the audit finding and occurrence or probability of occurrence will help to identify important audit findings.
Figure 1 shows how auditors can use a risk-based approach to determine if an audit finding requires corrective action. This assists new auditors in understanding important audit findings because as they identify a problem they can use other qualitative features to help determine the magnitude of an audit finding. An audit using the risk-based approach may take longer to complete because the auditor may need to determine the extent of an observation. This may require more sampling than is normally performed. However, as the auditor gains experience and knowledge in auditing, he or she can use the risk assignment with more skill and greater confidence.
Figure 1: Severity of Audit Finding
Critical | Observation would result in a failure of the quality system that would have an effect on the finished product quality or may result in not achieving management system certification. |
Major | Observation would result in a failure of one or more quality system processes that may have an effect on the finished product quality or may result in problems achieving management system certification. |
Moderate | Observation would result in a failure of a process in the quality system that may have an effect on the finished product quality or may cause delays in achieving management system certification. |
Minor | Observation would not have an effect on the finished product quality or may not have any impact on achieving management system certification. |
Using a risk-based approach also helps auditors determine important audit findings based on their severity level and occurrence rate. The auditor can then determine, based on the risk level, whether a corrective action should be assigned because this will identify important audit findings.
Severity of audit finding
- A critical observation would result in a failure of the quality system that would have an effect on the finished product quality or may result in not achieving management system certification.
- A major observation would result in a failure of one or more quality system processes that may have an effect on the finished product quality or may result in problems achieving management system certification.
- A moderate observation would result in a failure of a process in the quality system that may have an effect on the finished product quality or may cause delays in achieving management system certification.
- A minor observation would not have an effect on the finished product quality or may not have any effect on achieving management system certification.
Figure 2: Corrective Action Determination Chart
Critical | FrequentCorrective action required. | CommonCorrective action required. | InfrequentCorrective action possible. | IsolatedCorrective action possible. |
Major | Corrective action required. | Corrective action required. | Corrective action possible. | Corrective action possible. |
Moderate | Corrective action required. | Corrective action possible. | Corrective action possible. | No corrective action needed. |
Minor | Corrective action possible | Corrective action possible | No corrective action needed. | No corrective action needed. |
Occurrence of an audit finding
- Frequent: This is a frequently seen observation that occurs more than 20 percent of the time or is seen frequently in the quality records examined.
- Common: This is a commonly seen observation that occurs 10 to 20 percent of the time or is seen throughout the quality records.
- Infrequent: The observation is not seen too often occurring less than 10 percent of the time or is seen in a few quality records examined.
- Isolated: The observation is isolated only seen once or in very few quality records.
Experienced auditors might be thinking, “But we always issue a corrective action for each audit finding.” This is perfectly acceptable, but many companies overburden their corrective action systems. The corrective action system is still one of the processes in a management system that companies struggle to maintain and keep in compliance with its requirements. Often, the corrective action system becomes unmanageable simply because so many corrective actions are issued.
Rather than arbitrarily assigning corrective action to each audit finding, consider assigning corrective actions only to important audit findings. The insignificant audit findings will still be recorded on the audit report, but the auditee can address them through normal work activities, especially if the audit finding is only an isolated incident. Why would you assign a corrective action to a minor issue that was observed with only one record?
Some auditors might ask, “What are we to do with audit findings that are determined to be insignificant and no corrective action is assigned?” The best approach is that during subsequent audits (either internal or second-party) all of the audit findings should be reviewed to ensure they have been addressed in some manner. In fact, this is a requirement for any management system standard: to ensure audit finding corrections are implemented and follow-up verification takes place. If there are observations made through the auditing function, the owner of the process should determine how prevalent the nonconformity is. Then the organization can quickly take the necessary corrections or corrective actions to address it.
Important audit findings are determined from the audit process to ensure corrective actions are identified, implemented, and verified. Insignificant audit findings may simply need to be corrected by the auditee or another function in the organization. It doesn’t mean that these insignificant audit findings are forgotten. The organization can monitor them through follow-up audits or subsequent audits of that process in the management system.
There are many functions, skills, and activities that an auditor must understand when he or she performs an audit. Differentiating important audit findings from insignificant ones for issuing corrective action will help new auditors and seasoned auditors learn to concentrate on auditing those activities in the management system that may need more attention. It’s always frustrating to an auditee when an auditor spends time on areas or issues that aren’t really important. In addition, auditees won’t show their problem areas outright to the auditor. Many auditees are relieved when problem areas are identified as significant problems in the process, part of the management system, or even the whole company. Once the importance of the problem has been identified, the department or function can assign resources to address it. The auditor is doing the company a disservice by not identifying important audit findings and assuring that when corrective action is assigned it addresses the root cause.
Don’t let your auditing practices grab only the “low-hanging fruit” as these are inevitably just insignificant issues for the overall management system. Through using skill and experience, important audit findings can be properly identified. This will allow the company to address them through the corrective action system, identify their causes, and implement corrective action to ensure that product quality is not compromised.
Different Types of Nonconformity
Major observation: This classification indicates an element of the standard or regulation where requirements have not been effectively implemented or where there is a significant issue with the management system.
Minor observation: This classification suggests a low probability of adverse affect on product quality or the quality management system; these may also be individual observations noted during the audit.
Opportunity for improvement or recommendation: This suggests an item or deficiency that may result in an observation by a registrar but does not necessarily fall in an observation category. It may also be used as item for the organization to research and use for improvement.
About the author
Richard A. Vincins is a Certified Quality Auditor and regulatory affairs consultant with Emergo Group, a global medical device consultancy with headquarters in Austin, Texas.
As you mentioned, one of the ways it is determined whether something is minor or major is based on the level of risk posed to the general public. Is there a list of things that could be on the audit so that a company can prepare for the audit before hand? I wonder if there is a company one could hire to help with the audit process.
Hi, I am an operational compliance reviewer with two year experience in this field. So far, I can say that what I can acquire within this period is merely the on the surface. Since compliance assessment focusing more on ensuring ones organisation adhere to the requirements, I would like to understand more on the auditing approaches as I have a little clue in building up case where it is difficult for me to identify the severity of the finding as most of the assessment conducted are based on case to case basis.