Will ISO 9001:2015 require Audit NCs to be different?

AndyN

Moved On
Since ISO 9001:2015 is very likely to include requirements to identify risks and opportunities, it got me wondering if the current methods of both teaching how to write and then reporting audit non-conformities will have to change: Typically, audit training teaches an audit nc has to include:

The requirement.
The source of the requirement.
The evidence.
The source of the evidence.

Is it going to be necessary to identify how the nc evidence is a risk?
 

John Broomfield

Leader
Super Moderator
Re: ISO 9001:2015 - will it require audit NCs to be different?

Since ISO 9001:2015 is very likely to include requirements to identify risks and opportunities, it got me wondering if the current methods of both teaching how to write and then reporting audit non-conformities will have to change: Typically, audit training teaches an audit nc has to include:

The requirement.
The source of the requirement.
The evidence.
The source of the evidence.

Is it going to be necessary to identify how the nc evidence is a risk?

Andy,

Don't forget the nature of the nonconformity, as in:

  1. Failure to identify opportunity, and
  2. Failure to assess risk, etc...

What would be evidence of failure to identify an opportunity?

Interesting,

John
 

AndyN

Moved On
Re: ISO 9001:2015 - will it require audit NCs to be different?

Andy,

Don't forget the nature of the nonconformity, as in:

  1. Failure to identify opportunity, and
  2. Failure to assess risk, etc...

What would be evidence of failure to identify an opportunity?

Interesting,

John

I don't understand - what did I forget? I'm asking how nc reports will now have to be different...(if at all)
 

John Broomfield

Leader
Super Moderator
Re: ISO 9001:2015 - will it require audit NCs to be different?

Andy,

A nonconformity statement has three parts

  • Requirement
  • Evidence
  • Nature

Nature informs the auditee what problem to solve.

Just as it does with product nonconformities (see 8.3).

Using the language of ISO 19011, "nature" would declare the nonconformity.

John

From ISO 19011:

B.8.3 Recording nonconformities
For records of nonconformity, the following should be considered:
— description of or reference to audit criteria;
— nonconformity declaration;
— audit evidence;
— related audit findings, if applicable.
 

AndyN

Moved On
Re: ISO 9001:2015 - will it require audit NCs to be different?

Andy,

A nonconformity statement has three parts

  • Requirement
  • Evidence
  • Nature

Nature informs the auditee what problem to solve.

Just as it does with product nonconformities (see 8.3).

Using the language of ISO 19011, "nature" would declare the nonconformity.

John

From ISO 19011:

B.8.3 Recording nonconformities
For records of nonconformity, the following should be considered:
— description of or reference to audit criteria;
— nonconformity declaration;
— audit evidence;
— related audit findings, if applicable.

If you refer back to my original post, John, you will see that I noted the 4 things an audit nc includes (I have bragging rights here - I worked for the people who wrote BSI's Lead and Internal Auditor courses - I don't NEED to be informed about what an nc statement includes).

I was hoping to have a discussion about if something ELSE had to be added into an nc statement, not a lecture in the basics...
 

Jim Wynne

Leader
Admin
Re: ISO 9001:2015 - will it require audit NCs to be different?

Since ISO 9001:2015 is very likely to include requirements to identify risks and opportunities, it got me wondering if the current methods of both teaching how to write and then reporting audit non-conformities will have to change: Typically, audit training teaches an audit nc has to include:

The requirement.
The source of the requirement.
The evidence.
The source of the evidence.

Is it going to be necessary to identify how the nc evidence is a risk?

Although I'm not sure anyone knows the answer to your question, I think that we've always addressed risk by deciding on whether corrective action is necessary. When deciding that CA isn't necessary, the rationale should either be obvious or explained. Invoking CA is in itself an acknowledgement of the presence of risk.
 

AndyN

Moved On
Re: ISO 9001:2015 - will it require audit NCs to be different?

Although I'm not sure anyone knows the answer to your question, I think that we've always addressed risk by deciding on whether corrective action is necessary. When deciding that CA isn't necessary, the rationale should either be obvious or explained. Invoking CA is in itself an acknowledgement of the presence of risk.

I agree in principle, Jim. However, if we take some examples of audit nc's which have been posted here, it's difficult to see where risk is involved! Take for example, the simple "Operators weren't following the procedure" - where's the risk?
 

John Broomfield

Leader
Super Moderator
Re: ISO 9001:2015 - will it require audit NCs to be different?

If you refer back to my original post, John, you will see that I noted the 4 things an audit nc includes (I have bragging rights here - I worked for the people who wrote BSI's Lead and Internal Auditor courses - I don't NEED to be informed about what an nc statement includes).

I was hoping to have a discussion about if something ELSE had to be added into an nc statement, not a lecture in the basics...

Andy,

I accept completely your expertise. It is why I was surprised to see no mention of the nature of ISO 9001:2015 nonconformities against the risk and opportunity requirements.

What would constitute acceptable evidence of failure to identify an opportunity?

John
 
Reg Morrison

Re: ISO 9001:2015 - will it require audit NCs to be different?

What would constitute acceptable evidence of failure to identify an opportunity?

The same type of evidence currently used to report a failure to identify a preventive action.....:sarcasm:

I think that it is important to remember that, just because something is a requirement in the standard, it does not mean that organizations will be expected to demonstrate conformance to it.

If auditors (internal and external) don't feel comfortable with assessing "risks and opportunities", they will shy away from that aspect of the standard, just like they did with the process approach requirement, for 14 years now.

:popcorn:
 

AndyN

Moved On
Re: ISO 9001:2015 - will it require audit NCs to be different?

I was surprised to see no mention of the nature of ISO 9001:2015 nonconformities against the risk and opportunity requirements.

I still don't see what your point is John, sorry for being dense. I'm asking what would the nature of non-conformities be, once audits are performed (internal or external) against a system which now complies with ISO 9001:2015. Is there going to have to be a 5th statement or even a sixth which describes the risk and/or opportunity?

For example, in a previous life, an audit coaching event was used to instill in the internal auditors the idea of "risk" and "impact" of the audit non-conformities. In fact, the client didn't WANT a typical nc statement. He wanted just a risk and impact statement and that's all. Didn't want to know a requirement of ISO, or references to compliance with procedures. It was actually very liberating and when management saw the nature of the audit findings - took swift action!
 