by J.P. Russell:
This column is devoted to a review of ISO 19011 topics. In each issue of The Auditor, I’ll discuss a different topic and follow that with a quiz so readers may evaluate their understanding of the information. Readers are encouraged to share this column during short informal meetings with other auditors or interested parties, which I believe will result in more effective audits.
Clause 6, Performing the audit, is a major part of ISO 19011. The clause covers the typical audit activities for preparing, performing, reporting, and following up on an audit. This column is about distributing the audit report.
Distributing the audit report
The audit report should be issued within an agreed upon period of time. As with any feedback or metric, the sooner the results are communicated the more relevant they are and the more likely it is they will be acted upon. Besides relevance and effectiveness of the audit, there are many other factors that can affect the timing of an audit report. Both the context of the audit as well as the context of the audited organization influence the timing of the audit report.
Audit considerations include:
- Reason for the audit: routine monitoring, product/service failures or approvals, product/service system changes, product/service system safety, or product/service system violations
- The size of the audit team and their availability
- The audit environment, which could be friendly, cordial, or strained
Organization considerations include:
- Criticality of the product/service or process
- Regulatory nature of the organization, i.e., highly regulated versus unregulated
Setting a specific time for the audit report to be published is the easiest metric to monitor, but may not be the most effective. Organizations should ensure that the publication of the report fits within the agreed upon time period, whether it is three days or three weeks.
If the publication of the audit report is delayed, it’s good practice to notify the auditee, client, and the person(s) managing the audit program. It would be awkward, if not embarrassing, if the official report was published after the corrective action plan was approved and implemented. However, that could happen for high-risk nonconformities regarding product/service quality, environment, and safety issues.
The audit report should be dated, reviewed, and approved, as appropriate, in accordance with audit program procedures. The report should include the report publication date and the date(s) of the audit. And, yes, there may be other dates such as due dates for corrective actions or plans. Next, the report must be reviewed and approved, whether by one person or multiple persons. Review may be conducted by a person who is knowledgeable of the audit process and report requirements. In some cases of a technical nature, the review would include an expert in the process that was audited. Approval focuses on the person with authority to publish the report and make requests or demands of the organization or area that was audited. Such authority may be in a business manual or contract. Lastly, the audit organization's documented information, methods, or procedures should address the review and approval process. Although there is no suggestion to do so in ISO 19011, the audit organization may also monitor the audit report process to ensure it is effective and efficient.
The nature of the review and approvals may be affected if high-risk nonconformities for quality, environment, or safety were reported. For internal audits, the review and approval process may be streamlined to ensure fast turn-around to improve effectiveness. For second-party audits (supplier audits) the review and approval process will depend on the criticality of the product or service and nature of relationship between parties. The third-party process for reviewing and approving the audit report is more formal.
The audit report should then be distributed to the recipients as defined in the audit procedures or audit plan. Typically, the auditing organization will distribute the audit report to the client (person with authority to require the audit) and any person in the audited organization who has authority to address the audit findings. When other parties request distribution of the report, a myriad of issues and concerns surface.
Interested parties include:
- Audit process observers
- Certification or accreditation bodies
- Auditors who conducted the audit
- Direct supervisor of the area audited
- News media organizations
- Local government representatives
- Government agencies
- Employees and/or union representatives
One minor gap is that ISO 19011, clause 5 (Managing the audit program), does not address distribution of the audit report or identification of its recipients, and neither does the guidance on the audit plan. The need to take confidentiality and information security into consideration is, however, addressed in several places in the standard.
Audit program procedures should address the means to distribute the report and recipients. This issue is not trivial. The auditor and auditee must consider confidentiality, proprietary information, customer goodwill, legal, need-to-know, and other issues. Quality, environmental, and safety audit reports will present different challenges.
The process for distribution of the audit report should consider confidentiality and information security as well as effectiveness and efficiency. Methods for distribution include:
- Printing a hard copy, then mailing or faxing it to recipients. This limits casual forwarding, but it is not inherently secure: postal mail and fax lines are unencrypted, a fax can sit unattended on a shared machine, and an electronic version still exists on the computer or server used to create the report.
- Internet pull options for electronic distribution, such as posting the report in a Dropbox or other cloud account for recipients to retrieve. The file should be encrypted and password protected before it is uploaded, access should be limited to the named recipients, and the passphrase should be communicated through a different channel than the link.
- Internet push options, such as emailing recipients with the report attached. This is perhaps the least secure: the attachment is copied onto every intervening mail server and mailbox and can be forwarded without the auditing organization's knowledge. If email must be used, attach an encrypted file and send the passphrase separately.
The auditing organization should also determine the form of the report. For example, should it be a Word file that is password protected or a PDF file with security settings to prevent changing the audit report record? Note that PDF permission settings only deter casual editing; a recipient with the file can still alter it, so where the integrity of the record matters, publish a cryptographic digest or digital signature alongside the report so that any change can be detected.
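The following is an added example, not code from the column, ISO 19011, or the author, showing one way to make the distributed report a verifiable record: the auditing organization publishes a manifest that binds the report's SHA-256 digest, the recipient list, and the publication date under an HMAC keyed with a secret shared out of band with the recipients. The report text, the recipients, the key, and the dates are all constructed for the example. The manifest lets a recipient confirm the file is the one that was approved and published; it does not encrypt the report, which is a separate step done with a tool such as a password-protected archive before the file is sent.

```python
import hashlib
import hmac
import json

# Constructed sample audit report for this example; not a real audit record.
SAMPLE_REPORT = b"""Audit report (constructed sample)
Audit dates: 2024-05-13 to 2024-05-14
Finding 1: calibration records for gauge G-17 not retained (minor).
"""


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the report file as distributed."""
    return hashlib.sha256(data).hexdigest()


def _canonical(manifest: dict) -> bytes:
    """Serialise the manifest deterministically so sender and
    recipient compute the HMAC over identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def seal_report(report: bytes, key: bytes, recipients: list, published: str) -> dict:
    """Build the manifest the auditing organization publishes with the report.
    `key` is assumed to be shared with recipients through a separate channel."""
    manifest = {
        "sha256": sha256_hex(report),
        "recipients": sorted(recipients),
        "published": published,
    }
    manifest["hmac"] = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return manifest


def verify_report(report: bytes, manifest: dict, key: bytes) -> bool:
    """True only if the manifest was produced with the shared key and the
    report bytes match the digest it records. Constant-time comparisons
    avoid leaking how much of a tag or digest matched."""
    tag = manifest.get("hmac")
    if not isinstance(tag, str):
        return False
    unsigned = {k: v for k, v in manifest.items() if k != "hmac"}
    expected = hmac.new(key, _canonical(unsigned), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    return hmac.compare_digest(sha256_hex(report), manifest["sha256"])


def demo() -> dict:
    """Seal the sample report, then show which alterations are detected."""
    key = b"example-key-shared-out-of-band"  # constructed; use a random key in practice
    manifest = seal_report(SAMPLE_REPORT, key, ["audit client", "area manager"], "2024-05-20")

    # A recipient downgrades a finding after publication.
    tampered = SAMPLE_REPORT.replace(b"(minor)", b"(observation)")
    # Same attacker also rewrites the published digest but cannot recompute the HMAC.
    forged_manifest = dict(manifest, sha256=sha256_hex(tampered))

    return {
        "original_ok": verify_report(SAMPLE_REPORT, manifest, key),
        "tampered_report_ok": verify_report(tampered, manifest, key),
        "forged_manifest_ok": verify_report(tampered, forged_manifest, key),
        "wrong_key_ok": verify_report(SAMPLE_REPORT, manifest, b"other-key"),
    }


if __name__ == "__main__":
    print(demo())
```

A plain SHA-256 published next to the file only lets a recipient check that they received the same bytes; anyone who can edit the report can also edit an unkeyed digest, which is why the manifest is keyed. Where the recipients and the auditing organization do not share a secret, a digital signature with the auditing organization's key serves the same purpose and also gives non-repudiation.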
Once the report is distributed, its retention and storage should be determined. Some reports may need to be kept indefinitely or for the life-cycle of a product. In other cases, it may be appropriate to destroy the report after a set retention period. My thinking is that organizations should comply with all legal or contractual/license recordkeeping requirements, but in all other cases the reports should only be retained for as long as they are useful for management or control purposes.
The audit report is a record that should be published in an agreed upon timely manner that ensures its effectiveness. Reports should be reviewed and approved. The need for multiple reviews and approvals will depend on such issues as risk of inaccuracies in the report (technical or complexity), potential effect on resources (needed to address findings), as well as the context of the organization (regulated or unregulated). An organization must determine the audit report recipients based on need-to-know and potential consequences. There are several means to distribute the audit report, each with its own security and maintainability issues.
Audit Report Distribution Quiz
Please choose the best answer considering the guidance provided by ISO 19011.
- How soon should the audit report be issued?
  - as soon as practical
  - within the agreed upon time period
  - within 30 days of the audit
  - when reviewed and approved
- Besides reviewing and approving the audit report prior to distribution, what else must be done in accordance with audit program procedures?
- When distributing the audit report, what are some elements you should take into consideration?
  - confidentiality issues, proprietary information, customer goodwill, legal, as well as need-to-know
  - information security
  - all of the above
- Who should receive the audit report?
  - the audit client and manager of the area audited
  - if an environmental system audit, a copy should be sent to the Environmental Protection Agency
  - as defined in audit program procedures or the audit plan
  - the organization's legal department
About the author
J.P. Russell is the founder and managing director of QualityWBT Center for Education. He is an ASQ fellow, ASQ-certified quality auditor, voting member of the American National Standards Institute/ASQ Z1 committee, member of the ASQ Z1 Auditing Committee, and member of the U.S. technical advisory group for ISO technical committee 176. Russell is a recipient of the Paul Gauthier Award from the ASQ Audit Division and author of several ASQ Quality Press books about auditing, standards, and quality improvement.