
by Denise Robitaille
Most discussions concerning audit reports revolve around auditors’ roles and responsibilities—what to include in the report, how much evidence to provide, how to articulate the findings, etc.
I’d like to refocus the lens and look at audit reports from the perspective of the readers. In particular, and in concert with the requirements in ISO 9001:2015 relative to top management accountability, I’d like to discuss audit reports and management review.
ISO 9001:2015 and other comparable management system standards require top management—as part of the management review process—to review audit results. What exactly does this mean? And, since management review is a process, what are the inputs into this part of the review that enable it to be an effective activity for the organization?
The requirements relating to top management in section 5 of ISO 9001:2015 make it clear that accountability for the effective deployment of the quality management system (QMS) rests ultimately with top management. Moving down to section 9, we see that the standard states plainly and unambiguously that management review shall be planned. It makes sense, therefore, to expect that top management (i.e., the individuals who own the management review process) should have input into the plans. They should have some say as to what should be reviewed. Logically then, should they not, after reviewing the internal audits from one cycle, express their opinion on what should be audited during the next cycle? What should be looked at more frequently or what processes have remained stable and no longer warrant a heightened level of scrutiny? What information will facilitate their decision making in relation to selective activities and processes?
Let’s start with the audit plan. This is usually formulated to cover all parts of the QMS over a one-year period. ISO 9001:2015 requires that this plan reflect issues such as criticality and results of previous audits. A lot of plans basically say, “We audit everything in the system once per year.” There’s no consideration of criticality, changes in the scope of the QMS, or results of previous audits. The review of the audits is driven solely by what was audited in the previous cycle, as decided by one individual without consulting those who need to get value from the reports.
Moving from the audit plan, we can fast-forward past the actual audits and look at the reports comprising part of the management review. What should top managers consider during the review? Typical records of management review are lukewarm when it comes to internal audits. The notations in the minutes of the meeting are so brief as to beg the question: “Why bother?”
So, what should the review include? It should include issues that top managers care about, presented in language that reflects what they care about.
The audit reports—or at least a summary of the audits—should encompass information about:
- Problems and errors and actions taken to resolve them
- Observations of risk
- Determination of appropriate actions, if any, and the results
- Opportunities for improvement
This serves three purposes. It allows management to see what problems were identified and resolved before they became an issue affecting customers. It creates a forum for assessing risk and determining what further action, if any, is warranted. Finally, it validates the internal auditing process as a valuable contributor to organizational goals, which brings us full circle to management accountability.
About the author
Denise Robitaille is the author of numerous books on various quality topics. She is an internationally recognized speaker who brings years of experience in business and industry to her work in the quality profession. Denise is an active member of U.S. TAG to ISO/TC 176, the committee responsible for updating the ISO 9000 family of standards. She is also an Exemplar Global-certified lead assessor, an ASQ Certified Quality Auditor, and a fellow of the ASQ.
Denise’s latest book The (Almost) Painless ISO 9001:2015 Transition was published by Paton Professional in late December.
Hi,
I’m not sure I agree that the audit report should include “actions taken to resolve problems” and “Determination of appropriate actions, if any, and the results”. The audit report should identify nonconformances, OFIs, and now risks. Top management should review the audit report or at least a summary soon after the internal audit. Process owners should be tasked with the responsibility of determining necessary actions, not the auditor who writes the report.
At some point in a future management review, top management should then review the actions taken to resolve the problems and results to ensure that problems are effectively resolved and risks have been appropriately addressed. In addition, top management should review the overall effectiveness of the internal audit program which includes the time allocated to audit each process.
An audit is a “snap-shot” inspection of the organisation’s activities. I am conducting internal SHEQ audits of my organisation’s branches spread across Australia. The audit report goes to the branch regional manager and his team only, not to the senior manager of the organisation. My additional role as the SHEQ manager is to record non-conformities, observations, and recommendations in the audit report and also back them up by recording corrective action requests and assigning them to the branch regional manager for investigation and correction.
The top management of the organisation, which meets 1/month, receives a brief stating: audits done against annual plan, no. of corrective actions YTD, no. of corrective actions overdue. Since this management meeting reviews all business performance in the month, we don’t have time to go into details of audit results. Is this a problem? Please advise.