by Denise Robitaille
Most discussions concerning audit reports revolve around auditors’ roles and responsibilities—what to include in the report, how much evidence to provide, how to articulate the findings, etc.
I’d like to refocus the lens and look at audit reports from the perspective of the readers. In particular, and in concert with the requirements in ISO 9001:2015 relative to top management accountability, I’d like to discuss audit reports and management review.
ISO 9001:2015 and comparable other management system standards require top management—as part of the management review process—to review audit results. What exactly does this mean? And, since management review is a process, what are the inputs into this part of the review that enable it to be an effective activity for the organization?
The requirements relating to top management in section 5 of ISO 9001:2015 make it clear that accountability for the effective deployment of the quality management system (QMS) rests ultimately with top management. Moving down to section 9, we see that the standard states plainly and unambiguously that management review shall be planned. It makes sense, therefore, to expect that top management (i.e., the individuals who own the management review process) should have input into the plans. They should have some say as to what should be reviewed. Logically then, should they not, after reviewing the internal audits from one cycle, express their opinion on what should be audited during the next cycle? What should be looked at more frequently or what processes have remained stable and no longer warrant a heightened level of scrutiny? What information will facilitate their decision making in relation to selective activities and processes?
Let’s start with the audit plan. This is usually formulated to cover all parts of the QMS over a one-year period. ISO 9001:2015 requires that this plan reflect issues such as criticality and results of previous audits. A lot of plans basically say, “We audit everything in the system once per year.” There’s no consideration of criticality, changes in the scope of the QMS, or results of previous audits. The review of the audits is driven solely by what was audited in the previous cycle, as decided by one individual without consulting those who need to get value from the reports.
Moving from the audit plan, we can fast-forward past the actual audits and look at the reports comprising part of the management review. What should top managers consider during the review? Typical records of management review are lukewarm when it comes to internal audits. The notation in the minutes of the meeting are so brief as to beg the question: “Why bother?”
So, what should the review include? It should include issues that top managers care about, presented in language that reflects what they care about.
The audit reports—or at least a summary of the audits—should encompass information about:
- Problems and errors and actions taken to resolve them
- Observations of risk
- Determination of appropriate actions, if any, and the results
- Opportunities for improvement
This serves three purposes. It allows management to see what problems were identified and resolved before they became an issue affecting customers. It creates a forum for assessing risk and determining what further action, if any, is warranted. Finally, it validates the internal auditing process as a valuable contributor to organizational goals, which brings us full circle to management accountability.
About the author
Denise Robitaille is the author of numerous books on various quality topics. She is an internationally recognized speaker who brings years of experience in business and industry to her work in the quality profession. Denise is an active member of U.S. TAG to ISO/TC 176, the committee responsible for updating the ISO 9000 family of standards. She is also an Exemplar Global-certified lead assessor, an ASQ Certified Quality Auditor, and a fellow of the ASQ.