How do you write up an audit finding when you observe that personnel are not following procedures?

You don't - because it's not helpful!

What you won't get is effective or even appropriate corrective action, from such a finding. I believe that this type of audit report is what drives management nutz. You're only telling them half the info they need to get the issue corrected! Just like any 'puzzle' you need two bits of data.

So, even though they weren't 'following procedures', was the result satisfactory? Did the 'product' meet the internal or customer requirements, because, if so, then the procedure needs to be changed.

If not, then we need to find out what to do about sub-standard product (contain etc.) and then find out why the folks didn't 'follow' the procedure.

You see, one solution is infinitely easier to fix, if you include what's 'effective' as part of the audit finding!

Andy

You don't - because it's not helpful!
I disagree.

Write up a nonconformance to your internal procedure. Then everyone will be forced to look at the procedure and either revise it or delete it - or they may decide to address the reason personnel aren't following it.

Either way - if people aren't following established procedures - the people in charge need to determine why.

I disagree.

Write up a nonconformance to your internal procedure. Then everyone will be forced to look at the procedure and either revise it or delete it - or they may decide to address the reason personnel aren't following it.

Either way - if people aren't following established procedures - the people in charge need to determine why.

I agree with Cari, ....5 whys

I'm with Cari.
The main purpose of audits is to determine if the company is "doing what it says", is it not?

And I write it against the procedure not being followed, not necessarily a standard element.

You don't - because it's not helpful!

I also agree with Cari. There was a failure to follow documented procedures of the QMS, therefore it should be documented. and appropriate action taken.

I would write a nonconformity referencing the procedure.

It's not the auditor's job to determine why the procedure isn't being followed although, as an internal auditor, I might have a valid opinion. It's up to the owner of the relevant process to determine if there's a disciplinary/training issue or whether the people doing the job have genuinely found a better way of doing it.

What is missing here is the 'effectiveness' of the situation. From my 25 years of auditing experience, I can safely say that this type of audit finding is simply insufficient to help management (who probably weren't involved in the audit, anyway) come to a conclusion about what needs to be fixed.;)

And no, I don't subscribe to the opinion that (internal) audits aren't there to (simply) confirm "we did what we said" - especially with the advent of the ISO 9001:2000 standard. If what's being achieved is a 'quality' result, then the procedure is probably wrong (since when did anyone really write an effective procedure that didn't need some input from the people don't the job?). If the result isn't a quality one, then yes, maybe someone does need to do some form of problem solving.........:agree1:

O.K I'm in the minority, but then so were the folks who found out the world isn't flat...........:lol:

Andy

If what's being achieved is a 'quality' result, then the procedure is probably wrong
So bring it to management's attention and revise or delete the procedure. Why wouldn't someone want to know that procedures aren't being followed?

You don't - because it's not helpful!

What you won't get is effective or even appropriate corrective action, from such a finding. I believe that this type of audit report is what drives management nutz. You're only telling them half the info they need to get the issue corrected! Just like any 'puzzle' you need two bits of data.

So, even though they weren't 'following procedures', was the result satisfactory? Did the 'product' meet the internal or customer requirements, because, if so, then the procedure needs to be changed.

If not, then we need to find out what to do about sub-standard product (contain etc.) and then find out why the folks didn't 'follow' the procedure.

You see, one solution is infinitely easier to fix, if you include what's 'effective' as part of the audit finding!

Andy

Andy-

I agree with everything you stated above, however, that information would be included in the response to the finding. You could add a note to the finding that states something along the lines of: Procedre/WI XXX was not being followed, however, it was determined that the product/service did/did not meet the specifications. If it did not meet the specs. you have a potential for a major problem, if it did meets specs. part of the investigation to the finding would be then what is wrong with the documented procedure/W that was causing them not to follow it.

And no, I don't subscribe to the opinion that (internal) audits aren't there to (simply) confirm "we did what we said" - especially with the advent of the ISO 9001:2000 standard. If what's being achieved is a 'quality' result, then the procedure is probably wrong (since when did anyone really write an effective procedure that didn't need some input from the people don't the job?). If the result isn't a quality one, then yes, maybe someone does need to do some form of problem solving.........:agree1:



Yes - we all know and believe the continual improvement rhetoric, but the bottom line is that the purpose of an audit is to see what's going right or wrong with a process in comparison to a standard (i.e. documented procedure). It's the very definition of the word.

How else to you make management aware of the issue and the need to change the procedure, process, or culture?

My vote's in for citing the procedure and saying "Practice does not match the process" or some equivalent.

It is up to the process owners and personnel to learn what the problem is, but I advocate the auditor following the progress as a facilitator through the corrective action process. It's too easy to take a band-aid approach to this sort of thing.

Now if an operator or grop has brought in a sensible improvement that works but isn't described in the procedure, it's a good idea to point out that documenting the New Method is an important part of the Continual Improvement element. In such a case, perhaps the procedure should be changed but then there should be some energy made to ensure everyone is going to do things the new way.

For some people/organizations/systems, however, it is desired to track findings vs clauses as a means of data to analyze at a later date. That being said, we already have had 2 discussions on this matter about which clause to cite this against (let's not re-hash here, please).

I'm with Andy on this. The issue to me is not that people were not following the documented process. There could be reasons and who are we, as auditors, to say which is better. We must simply record the evidence, which in this case is "The observed process does not match the documented process" (or something to that effect).

Let the recepient determine if the issue is people not following or if the documentation needs to be modified.

Let the recepient determine the root cause.

Added later - Jennifer, you beat me to it by two whole minutes...but you said much better!

The other thread “Are other procedures binding other than the 6 stated by the ISO 9001” I felt is different. If People went off topic then should have started a different thread. Hence…this thread!
As for our internal corrective action process, every finding goes into a corrective action database where I MUST associate a section of the standard with that finding as an external registrar must associate a non-conformance with a section of the standard. I have never seen a 3rd party auditor not cite a section of the 9001 standard for an audit finding even if it was that "the actual activity does not match the documented procedure". All you registrar auditor chime in. Being an RAB certified auditor I would think it unethical not to write it up regardless if I am 1st, 2nd or 3rd party auditor and regardless if I think it would benefit the company or not. Call me a hard http://elsmar.com/Forums/images/icons/coveringass.gif I am a former Marine.
In this instance an engineering group did not follow procedure and enter in data after their work was done. They stated that it added no value to them, however, they did not see that other areas needed that data as an input to their work...fairly typical...

As for our internal corrective action process, every finding goes into a corrective action database where I MUST associate a section of the standard with that finding as an external registrar must associate a non-conformance with a section of the standard. I have never seen a 3rd party auditor not cite a section of the 9001 standard for an audit finding even if it was that "the actual activity does not match the documented procedure". All you registrar auditor chime in. Being an RAB certified auditor I would think it unethical not to write it up regardless if I am 1st, 2nd or 3rd party auditor and regardless if I think it would benefit the company or not. Call me a hard http://elsmar.com/Forums/images/icons/coveringass.gif I am a former Marine.
In this instance an engineering group did not follow procedure and enter in data after their work was done. They stated that it added no value to them, however, they did not see that other areas needed that data as an input to their work...fairly typical...


Maybe the following clauses might apply to this scenario:

ISO9001:2000 Paragraphs:

4.1 (e)
4.2.1 (d)
5.5.2 (a)
5.6.2 (a)
6.2.2 (a)
7.5.2 (c)
8.1 (a)
8.2.2 (b)

I am always learning and if they don't apply, than I learned something else.

This in some ways is at the heart of the issue of 'value added auditing'. We have all been trained in courses that have their roots in 2nd/3rd party audits (I've been teaching them for 16 years) - and I for one believe that it's time to change that! What value is it to 'dump' a simple finding like 'not following procedures' onto management?:mg:

Sure, all auditors can 'expect' management to take them seriously, but since when did we do something serious that management could recognize? Certainly not referencing an element of ISO! Heck, most management secretly wish the durned ISO thing would go away...........:yes:

The mananagement mantra has always been "don't bring me a problem, bring me a solution". So, when we deliver an audit finding and we omit the 'effectiveness' part, we aren't doing anything to help out! Why do you think that most corrective action databases are full of issues management isn't really trying to work on? Do you think that an organization's management team is losing sleep at night over that kind of issue?:rolleyes:

Perhaps this is one reason 6 Sigma has more kudos than anything else. The folks actually identify the issue and work on solutions.:yes:

Of course 2nd/3rd party auditors have to cite ISO requirements, it's their job, but my guess is that it's less relevant to an internal auditor (tho' the audit manager/mgmt rep. should know).:mg:

Oh, and another thing - why does everything have to have a corrective action? Why constrain yourself to using a sledgehammer, when sometimes things just require 'correction' which is also very legitimate? (Ask the TC 176 chair......!!):read:

Andy

This in some ways is at the heart of the issue of 'value added auditing'. We have all been trained in courses that have their roots in 2nd/3rd party audits (I've been teaching them for 16 years) - and I for one believe that it's time to change that! What value is it to 'dump' a simple finding like 'not following procedures' onto management?:mg:

Sure, all auditors can 'expect' management to take them seriously, but since when did we do something serious that management could recognize? Certainly not referencing an element of ISO! Heck, most management secretly wish the durned ISO thing would go away...........:yes:

That is true.

The mananagement mantra has always been "don't bring me a problem, bring me a solution". So, when we deliver an audit finding and we omit the 'effectiveness' part, we aren't doing anything to help out! Why do you think that most corrective action databases are full of issues management isn't really trying to work on? Do you think that an organization's management team is losing sleep at night over that kind of issue?:rolleyes:

I guess my question is, since there was an issue with not following procedures, wouldn't/couldn't it reflect a lack of training?

Why don't people stay on diets and exercise programs? Why don't people follow procedures? Why didn't the 13yr old clean his room? Most likely just discipline...Better yet, lets error proof it and find and automated solution :lol:

I guess my question is, since there was an issue with not following procedures, wouldn't/couldn't it reflect a lack of training?

Coury Ferguson! How could you?

Since when did any organization actually take the time to develop a process and its documentation with the folks concerned?
Having read the issue about the Engineering staff not recording data - because they didn't want to do it - I believe makes it obvious! I'm going way out on a limb and say that most quality management systems are designed because "ISO-Says-so"(copyright Andy N c1995) and not because a good business case has been made (like analyzing where errors are caused iin the process and what they cost in re-engineering/changes)

Also, don't forget - training just makes people dangerous! You have to determine their competencies first and then their level of awareness and then, only then, determine if training or some other action is required to develop them..........

Now, Coury - go wash your mouth out and never, ever write that again!:lmao: :lol: :D

Hi,

If personnel do not follow procedure, its of no use to generate NCs or any records.

The people have to be trained first, followed by strict vigil whether they follow or not. They have to be constantly instructed till they imbibe those requirements. Training should not be superficial but should be given with the intent of convincing the people of the benefits of the procedure.

Its said that "Practise makes a man perfect". The inner meaning of this sentence is that if a man practices certain thing, he will continue doing it in a particular way and hence becomes consistent. Consistency is what makes him Perfect. .

So to put in simple terms, "Practise makes a man follow the Procedure". If it can not be solved, then resort to warnings, discussion in Management Review Meetings etc.

Hope this helps.

Now, Coury - go wash your mouth out and never, ever write that again!:lmao: :lol: :D

Children, behave. :cool: Don't make me separate you two.

Coury, what Andy is trying to say is what if the issue isn't training? What if the documented procedure was not developed so that it reflects what is truly supposed to happen?

By citing the finding that the practice and the documentation don't match, you leave it to the recipient to determine the issue (i.e., lack of training, poor document, etc.)

Don't assume that it's the operator.

Hi,If personnel do not follow procedure, its of no use to generate NCs or any records.

Why, would you state this above, based upon your statement below?

The people have to be trained first, followed by strict vigil whether they follow or not. They have to be constantly instructed till they imbibe those requirements. Training should not be superficial but should be given with the intent of convincing the people of the benefits of the procedure.

If this is true, than why wouldn't you want to document the error? Is there some reason that this should not be identified as a training issue?
For example: I was the trainer and I don't want to point out my errors in training.

Its said that "Practise makes a man perfect". The inner meaning of this sentence is that if a man practices certain thing, he will continue doing it in a particular way and hence becomes consistent. Consistency is what makes him Perfect.

Perfection is achieved through perfect practice. Again isn't training part of this?

So to put in simple terms, "Practise makes a man follow the Procedure". If it can not be solved, then resort to warnings, discussion in Management Review Meetings etc.

Aren't findings/observations all part of the information that is discussed during Management Review? Always trying to improve the system.


Main Entry: 1per·fect
Pronunciation: 'p&r-fikt
Function: adjective
Etymology: Middle English parfit, from Anglo-French, from Latin perfectus, from past participle of perficere to carry out, perfect, from per- thoroughly + facere to make, do -- more at DO
1 a : being entirely without fault or defect : FLAWLESS <a perfect diamond> b : satisfying all requirements : ACCURATE c : corresponding to an ideal standard or abstract concept <a perfect gentleman> d : faithfully reproducing the original; specifically : LETTER-PERFECT e : legally valid
2 : EXPERT, PROFICIENT <practice makes perfect>
3 a : PURE, TOTAL b : lacking in no essential detail : COMPLETE c obsolete : SANE d : ABSOLUTE, UNEQUIVOCAL <enjoys perfect happiness> e : of an extreme kind : UNMITIGATED <a perfect brat> <an act of perfect foolishness>
4 obsolete : MATURE
5 : of, relating to, or constituting a verb form or verbal that expresses an action or state completed at the time of speaking or at a time spoken of
6 obsolete a : CERTAIN, SURE b : CONTENTED, SATISFIED
7 of a musical interval : belonging to the consonances unison, fourth, fifth, and octave which retain their character when inverted and when raised or lowered by a half step become augmented or diminished
8 a : sexually mature and fully differentiated <a perfect insect> b : having both stamens and pistils in the same flower <a perfect flower>
- per·fect·ness /-fik(t)-n&s/ noun
synonyms PERFECT, WHOLE, ENTIRE, INTACT mean not lacking or faulty in any particular. PERFECT implies the soundness and the excellence of every part, element, or quality of a thing frequently as an unattainable or theoretical state <a perfect set of teeth>. WHOLE suggests a completeness or perfection that can be sought, gained, or regained <felt like a whole person again after vacation>. ENTIRE implies perfection deriving from integrity, soundness, or completeness of a thing <the entire Beethoven corpus>. INTACT implies retention of perfection of a thing in its natural or original state <the boat survived the storm intact>.

Children, behave. :cool: Don't make me separate you two.

Coury, what Andy is trying to say is what if the issue isn't training? What if the documented procedure was not developed so that it reflects what is truly supposed to happen?

By citing the finding that the practice and the documentation don't match, you leave it to the recipient to determine the issue (i.e., lack of training, poor document, etc.)

Don't assume that it's the operator.

Rox,

What if scenarios I agree. Here is the original posts:

How do you write up an audit finding when you observe that personnel are not following procedures?

In this instance an engineering group did not follow procedure and enter in data after their work was done. They stated that it added no value to them, however, they did not see that other areas needed that data as an input to their work...fairly typical...

What If: With the underlined issues in the above post does this not say that they may have not understood their procedures (Training)?

What If: It is a lack of documented procedures. But I don't think I see that scenario here.

What If: The personnel just don't want to complete the required entry? This What if scenario is very possible.

I don't totally disagree with AndyN on his statement in the following post:

Sure, all auditors can 'expect' management to take them seriously, but since when did we do something serious that management could recognize? Certainly not referencing an element of ISO! Heck, most management secretly wish the durned ISO thing would go away...........

The mananagement mantra has always been "don't bring me a problem, bring me a solution". So, when we deliver an audit finding and we omit the 'effectiveness' part, we aren't doing anything to help out! Why do you think that most corrective action databases are full of issues management isn't really trying to work on? Do you think that an organization's management team is losing sleep at night over that kind of issue?

Perhaps this is one reason 6 Sigma has more kudos than anything else. The folks actually identify the issue and work on solutions.

Of course 2nd/3rd party auditors have to cite ISO requirements, it's their job, but my guess is that it's less relevant to an internal auditor (tho' the audit manager/mgt rep. should know).

Oh, and another thing - why does everything have to have a corrective action? Why constrain yourself to using a sledgehammer, when sometimes things just require 'correction' which is also very legitimate?

I know that most upper management don't want to be bothered with these types of findings. But the point here is that there should be a NC written, based uopn the finding "of not following the procedures." If management wishes not to take any action then fine, but at least it has been documented.

Hi Coury,

I am not undermining the importance of TRAINING. This is the most important to make them aware but if you are going to come up with NCs and subsequently Corr Actions and Prev Actions etc, its not always a good solution.

I tell you the example of my previous organisation which was a Pharmaceutical company and as a site, we had about 500 procedures. Since the proocedure had to detailed, step wise instructions used to be mentioned. I give you the example of Water sampling. The procedure would mention a sequence and ideally, anyone would say that every sampler should carry the procedure and follow it. Do you expect that the sampler would always read step by step and do sampling ??? There would be a stage when he will feel that he has mastered a technique and shall not refer the procedure. When he doesnot refer, may be he misses one step (may not be crucial) BUT THEORETICALLY HE HAS NOT FOLLOWED THE PROCEDURE.

NCs, discussion in Management Review Meetings etc are not always good solution to address the Human Pyschology. Another thing I have seen the more you try to be transparent, people will try to hide things and not following procedure is a classic example of this.

Sounds to me like the people in the example don't feel they are part of a controlled system. The engineers might not feel like they are much a part of the QMS as shop floor personnel. I've seen this elsewhere as well.

In the case of regulated industries like pharma, if procedures are clear and understood, appropriate and easily available then personnel discipline might be called for. There are some proceses and industries one just can't fool around with or go soft on.

I know that most upper management don't want to be bothered with these types of findings. But the point here is that there should be a NC written in violation of the procedures. If management wishes not to take any action then fine, but at least it has been documented.

Coury, I can tell it's a frustration.:(

So, you say that the data wasn't entered but others use it, so what does not having the data available cause the folks who use it as an input? Do they have the wait, or spend time chasing it down someplace? - What I'm looking for is an inefficiency caused by the Engineering folks not 'following procedure'. That can be evaluated in terms of $$$ and since your accounting system probably doesn't capture that, no-one will argue if you calculate what it costs over a year! Well, they will, but they won't have more credible info. An internal auditor I worked with found $8M savings due to this kind of thing!:mg: It wasn't written as an nc or 'finding', but in the verbal and written audit summary report it was clearly identified.

Oh - one other thing. Can I (respectfully) suggest that you stop calling them 'violations'.........for those folks who already have a dislike for audits such a word confirms that it's about being "policed" against "stupid laws"........ :rolleyes: I know a rose by any other name, but it doesn't help your case:nope:
Andy

Coury, I can tell it's a frustration.:(

Oh - one other thing. Can I (respectfully) suggest that you stop calling them 'violations'.........for those folks who already have a dislike for audits such a word confirms that it's about being "policed" against "stupid laws"........ :rolleyes: I know a rose by any other name, but it doesn't help your case:nope:
Andy

Frustration: :nope: No I have been in this business for along time and I have seen a lot of this. This isn't my first Rodeo.

Violations: What would you like me to call them? Findings-ok

How do you write up an audit finding when you observe that personnel are not following procedures?

Without getting into the specifics of what procedure isn't being followed ask yourself these questions:
What is/are the goal/s of the affected process?
What is the purpose of this 'procedure' and the impact of not follwoing it?
NOTE: Remember you can have standardized procedures that are not documented

Lets provide an example:
Process - paying bills by snail mail
part of the standard procedure requires postage to be applied to the envelope. If the norm is 'lick the stamp and apply' yet someone 'wipes with a damp sponge and applies' is there an impact? Don't go bogging example down with just how wet is too wet - agree for argument sake both methods apply just enough moisture to activate glue and provide good adhesion of stamp to envelope.

Does it matter the procedure wasn't followed - NO
Should there be a NC - NO
Should there be an 'Opportunity For Improvement' written - Sure, alternate methods can be used - give your process enough flexibility. Just be sure to evaluate the potential negative consequences and plan accordingly.

If in your situation there is a negative impact, you will get more buy-in if its possible to show an impact to the process goal(s).

Something to remember is that short of 'sabotage' - Something in your system allows for individuals to make errors, if you cannot error-proof (feasibility, cost, time, whatever...) do what you can to catch the error before an escape occurs to the next process. IF there is enough value to it - collect data to improve within the process and also provide feedback loop from direct customer (next process - not actual end user) to work on any issues if you do have escapes. Bolster your training so individuals all know the potential impact of not following procedure.

Hope this helps, E

Without getting into the specifics of what procedure isn't being followed ask yourself these questions:
What is/are the goal/s of the affected process?
What is the purpose of this 'procedure' and the impact of not follwoing it?
NOTE: Remember you can have standardized procedures that are not documented

Lets provide an example:
Process - paying bills by snail mail
part of the standard procedure requires postage to be applied to the envelope. If the norm is 'lick the stamp and apply' yet someone 'wipes with a damp sponge and applies' is there an impact? Don't go bogging example down with just how wet is too wet - agree for argument sake both methods apply just enough moisture to activate glue and provide good adhesion of stamp to envelope.

Does it matter the procedure wasn't followed - NO
Should there be a NC - NO
Should there be an 'Opportunity For Improvement' written - Sure, alternate methods can be used - give your process enough flexibility. Just be sure to evaluate the potential negative consequences and plan accordingly.

If in your situation there is a negative impact, you will get more buy-in if its possible to show an impact to the process goal(s).

With this scenario a finding would not be considered. But the OP states that the personnel just didn't want to enter the data because they felt that it wasn't cost effective. See OP below:

In this instance an engineering group did not follow procedure and enter in data after their work was done. They stated that it added no value to them, however, they did not see that other areas needed that data as an input to their work...fairly typical...

Something to remember is that short of 'sabotage' - Something in your system allows for individuals to make errors, if you cannot error-proof (feasibility, cost, time, whatever...) do what you can to catch the error before an escape occurs to the next process. IF there is enough value to it - collect data to improve within the process and also provide feedback loop from direct customer (next process - not actual end user) to work on any issues if you do have escapes. Bolster your training so individuals all know the potential impact of not following procedure.

I agree with you on this issue.

Wow. I am impressed on how much thought goes into writing up or not writing "not following procedures." Let me clarify my particular situation. 1. The procedure is documented. 2. Without the procedure being followed there is a potential impact to safety. Other groups and personnel that work with the equipment would not know what exhaust lines were being altered that connect to a piece of equipment.
I think there was some failure on our part, not that we needed to necessarily train the engineers (because they know how to do the data entry) but to communicate to the engineers the importance of entering in the data. You could call communication training I guess its semantical.

I should have clarified some important assumptions... which is that procedures in a company are not frivolous...they impact the businiess/product/customer, or safety and the procedure is a documented procedure.

Wow. I am impressed on how much thought goes into writing up or not writing "not following procedures." Let me clarify my particular situation. 1. The procedure is documented. 2. Without the procedure being followed there is a potential impact to safety. Other groups and personnel that work with the equipment would not know what exhaust lines were being altered that connect to a piece of equipment.
I think there was some failure on our part, not that we needed to necessarily train the engineers (because they know how to do the data entry) but to communicate to the engineers the importance of entering in the data. You could call communication training I guess its semantical.

I should have clarified some important assumptions... which is that procedures in a company are not frivolous...they impact the businiess/product/customer, or safety and the procedure is a documented procedure.

This clarifies the situation better. I would still write it as a finding using one of the previous paragraphs as I posted:

Maybe the following clauses might apply to this scenario:

ISO9001:2000 Paragraphs:

4.1 (e)
4.2.1 (d)
5.5.2 (a)
5.6.2 (a)
6.2.2 (a)
7.5.2 (c)
8.1 (a)
8.2.2 (b)

I am always learning and if they don't apply, than I learned something else.

Practice does not correlate with documented process. Elements 6.2.2 (d) and 6.4 (6.4.1 for TS 16949) seem to apply best for this in my mind.

You see, in my view these are both management issues.
a. Processes to help the thing get done right and safely must be developed (done, but not followed) and
b. Personnel must be aware of their part in it all. (How aware are they? Maybe this needs visiting.)

My point it, many times nonproduction people don't know how important their work is to the end result and why. Often there's no clear way for them to know if their work is going well or needs to be improved, and little oversight to see if their thinking continously matches the organization's needs.

Its good that qualityboi came early for a clarification on his thread or else we would have heavily debated :D

I agree that the department that isn't following the procedure must get to root cause and corrective action. And for the person who asked why we need to get to root cause and corrective action - I agree that sometimes root cause shouldn't be necessary, unfortunately ISO requires root cause for all internal audit findings :(
8.2.2 Internal Audit: "The management responsible for the area being audited shall ensure that actions are taken without undue delay to
eliminate detected nonconformities and their causes." bold emphasis added by me.

However, I also strongly stand in the minority that the internal auditor should go further than simply writing up the finding. they should determine if the omission cused any downstream problems - going to the downstream operations and investigating themselves. I don't make the auditor responsible for cause or corrective action - but going further in the audit provides a very useful service and takes the auditing team from 'the police' to true value-add monitors. One of the big drawbacks from a management perspective to internal auditing is that they are so 'removed' - they are the police, not people who help with continual improvement. I have always required my internal audit teams to go the extra mile and assess the effect of their findings where possible - it is invaluable to the organization and ultimately makes the audit program a recognized value add.

It may not be required nor easy, but why accept the status quo? Isn't ISO about continual improvement? even improvement of the internal audit function???

remember the old joke: the definition of an auditor is someone who comes in after the battle and bayonets the wounded!

remember the old joke: the definition of an auditor is someone who comes in after the battle and bayonets the wounded!

I hope Randy doesn't see this statement he might like it. I certainly see how this could be part of the thought pattern about most Auditors:lol:

I voted other
4.1 f) implement actions necessary to achieve planned results and continual improvement of these processes.

This quote leads me to the desire for the auditor to determine if not following the procedure matters to the quality of the product or process.
If it doesn't the finding is written up as an observation/suggestion that the procedure shoudl be changed - then no cause must be determined (as required for all nonconformities (8.2.2 Internal Audit: The management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. A simple correction is all that is needed.

If the omission does have a negative affect on the quality then a finding is written up and I write the finding against 4.1 f and site the procedure, providing evidence of the affect on quality...

How do you write up an audit finding when you observe that personnel are not following procedures?

Well, this is not such a difficult question...

If it is an internal audit:
1. I read the procedure for 8.2.2
2. I grab the form specified by the organization
3. I take pen in hand and fill in the required blanks on the form describing the finding and the objective evidence.
4. I place it in the stack of other NCRs and number it sequentially.
5. I grab another blank form from the multiple copies requested after the opening meeting.
6. Take pen in hand
7. Document another finding and title it "Opportunity for Improvement"
8. Explain the effectiveness of using electronic documentation, kindly suggest they implement such activities.
9. Number it sequentially and place on stack of other NCRs.

If a 3rd party audit:
1. Document the finding stating the systemic issue (electronically)
2. Document the objective evidence
3. Reference applicable area of the standard that applies to the actual evidence observed --- cannot assume that it falls under 4.1 or 7.5 or any other planned arrangements....
4. Cite the organization's procedural reference as well
5. Return to the audit


Did I miss the point of this discussion?

Did I miss the point of this discussion?

yes I think you might have

it depends on the procedure not being followed.for instance if the person knows that a procedure exist finding can be give under 7.5.1 if the person does not know that one even exists then the finding should be 6.2.2 (Training)becuase someone should have told him.and if the person is not able to follow his procedur because he does not have the equipment to do so the the finding can be place under 6.1(provision of resourses)

so you can see there are variuos findings for not using a procedure .:evidence:

Hello Forum,
Interesting topic. As I am certain, many of us are certified auditors and have performed many internal and external audits. No-conformances are imposed to identify aspects of the QMS that are not in compliance with the regulations or standards. Training is in both as a topic and must be addressed regardless of its effect on the morale of the staff involved. Without constructive objective input, how do we all know that what we are doing is right? or how can we improve? In this instance I too agree with our wonderful forum moderators. Issues need to be identified during internal audits so they are NOT identified during formal audits. Getting dinged internal is much easier to swallow that coming from an ISO or FDA auditor- agreed? Internal audits are designed to improve the systems and bring them into compliance. They are NOT designed to place blame on a person or department but rather to show, here is a weak spot in our system that we need to fix. It IS the responsibility of upper management to ensure these internal findings are addressed in a manner where the company staff can view it as a way to get better.
Thank You for the opportunity to share.
Katherine

Hello Forum,
Interesting topic. As I am certain, many of us are certified auditors and have performed many internal and external audits. No-conformances are imposed to identify aspects of the QMS that are not in compliance with the regulations or standards. Training is in both as a topic and must be addressed regardless of its effect on the morale of the staff involved. Without constructive objective input, how do we all know that what we are doing is right? or how can we improve? In this instance I too agree with our wonderful forum moderators. Issues need to be identified during internal audits so they are NOT identified during formal audits. Getting dinged internal is much easier to swallow that coming from an ISO or FDA auditor- agreed? Internal audits are designed to improve the systems and bring them into compliance. They are NOT designed to place blame on a person or department but rather to show, here is a weak spot in our system that we need to fix. It IS the responsibility of upper management to ensure these internal findings are addressed in a manner where the company staff can view it as a way to get better.
Thank You for the opportunity to share.
KatherineI agree with you Katherine, and I suppose it is our lot in life to help our internal customers understand all these points. I've done pretty well with most of them. I guess wording the finding can help. I would say "Practice does not match procedure" and try to let the process owner decide if the procedure needs work or what.

I voted other
4.1 f) implement actions necessary to achieve planned results and continual improvement of these processes.

This quote leads me to the desire for the auditor to determine if not following the procedure matters to the quality of the product or process.
If it doesn't the finding is written up as an observation/suggestion that the procedure shoudl be changed - then no cause must be determined (as required for all nonconformities (8.2.2 Internal Audit: The management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. A simple correction is all that is needed.

If the omission does have a negative affect on the quality then a finding is written up and I write the finding against 4.1 f and site the procedure, providing evidence of the affect on quality...


Generally, whether the procedure should be changed, or any other fault, should be discovered during the root cause investigation. In some obvious cases, it might be apparent during the audit, but usually not so. The finding should usually be written against the cl. appropriate for that process, or against the procedure not being followed. Whatever is deemed the best fit. But, rarely against 4.1 or 4.2 in this kind of case. maybe 7.5.

We need to determine why the system is not being used. Unlike the 1994 version, ISO 9001:2008 does not require conformity with procedures.

8.2.3 does however require monitoring and correction of the processes in the system. So, I would investigate further to see if we have evidence of:

1. An ineffective procedure, in which case cite 4.1c
2. Managers contradicting their procedures, again 4.1c
3. A failure to monitor and correct the process, 8.2.3

Auditees have enough problems without auditors inventing requirements. As auditors we should remember that we are looking to see how well the system helps it users to do good work.