Control of External Audit Notes and Documents

[drgnrider]

Having a discussion of what should and shouldn't be controlled and to what extent. Main issue: our CB leaves their draft audit report with us, to what extent should this record be controlled?

Since it is in MS Word format, that can be edited, should it be password protected somehow from changes? What type of controls should be in-place for copy and distribution?

"Top Management" says "no controls, e-mail to anyone". I disagree.

Am I overreaching this? I see this similarly as some of our in-house quality records and there needs to be some sort of control on access and dissemination.

 

[insect warfare]

Re: Control of external audits

Why not just make a PDF copy and discard the Word copy for good? If no changes are to be made to the document, the Word copy is not needed anyway - a PDF can be locked from editing and still be viewed by those you are allowed to distribute it to, provided they have downloaded a PDF reader (which is free).

On top of that, your controls for distribution could be modified to state that this is allowed, if there is a conflict.

Brian

 

[SimpleIsGood]

Re: Control of external audits

Perhaps I don't understand. Why would you want a draft copy of an audit report?

I would not make any changes to my QMS based on a DRAFT anything! You want me to make changes, you better show where I'm not meeting the standard, and it better be THE final version. Beside just being ornery (which I am), and pig headed (also guilty as charged), there is no sense making changes that may or may NOT be required, needed, wanted or necessary. I'd hate to change a procedure, get everyone retrained, then get my "official" audit report and find out I completely misunderstood what was required.

I would wait for the official results.

 

[drgnrider]

Re: Control of external audits

... by those you are allowed to distribute it to, ...

On top of that, your controls for distribution could be modified to state that this is allowed, if there is a conflict.

Brian

@Brian, this is part of our "discussion", Top Management says this is not a "controlled" record and feel they can e-mail it blithely to anyone, anywhere.

Perhaps I don't understand. Why would you want a draft copy of an audit report?

@SimpleIsGood, not making any changes based on this report. Assessor e-mailed it, and now managers are wanting to e-mail it and copy/save it on multiple drives within our network. They don't accept my argument that it should be treated as a controlled document.

 

[Golfman25]

Why would you control it? How would you disseminate audit results if you controlled the outside report? Why make life more difficult? Seems to me like you are over thinking it. Good luck.

 

[insect warfare]

Re: Control of external audits

@Brian, this is part of our "discussion", Top Management says this is not a "controlled" record and feel they can e-mail it blithely to anyone, anywhere.

I agree with Golfman25. You are overthinking this. All records needed for your management system need to be "controlled", of course. But "control" of records usually relates to 6 major things (identification, storage, protection, retrieval, retention and disposition). Control requirements for these 6 elements should already be specified in a documented procedure, including what is and what is not acceptable distribution, if that is what the organization needs to address. And what I mean by "acceptable distribution" is that organizations can allow unfedered access to copies of certain management system records, provided that the integrity of the original record is not compromised, and that the distribution itself does not violate any confidentiality agreements or other regulations.

Brian

 

[RoxaneB]

Re: Control of external audits

They don't accept my argument that it should be treated as a controlled document.

What points are you using to say that this should be a controlled document? Help us to understand your perspective.

That being said...it is a DRAFT document. Nothing official has come out the audit, so I would not control. If they wish to send it out to the world...let them...but perhaps they would be wise to include something like "Please find attached a DRAFT copy of the results of our recent audit. Final and official results are still pending, but we wanted to share the outcome while it was still fresh."

As for the final and official report, I do keep copies as 'records' and they are on my list with retention times, disposal methods, etc.. My reasons for keeping are mainly for historical purposes and changing personnel who ask questions about previous audits....and the "lottery factor" (i.e., if I win the lottery and leave, I'd like previous results to be easily accessible).

 

[mihzago]

Re: Control of external audits

is this a distribution issue to prevent some people acting on the findings/actions in the report before they are finalized or is this a confidentiality issue to prevent access to the report by people that are not privy to the information?

i agree with others that I would not control the draft.

 

[drgnrider]

Thanks all for the input.

For me, its not about "draft" vs. "final". I tend to treat all these strictly from the basis of habit. Especially in new systems, such as ours, where controls, and mindsets, never existed before. If one gets into the habit of exhibiting some form of control over this 'who_cares_about_it' version, then the other versions would hopefully be handled with at least the same care, or a second thought before sending it out. BTW, they are just as indiscriminate about "final" versions.

Old habits are hard to break. We are having issues with people fixing problems and not following the course of our Preventative Actions (PA) systems... we've always done it this way, now habits need to change and the PA system needs to be utilized.

Part of my argument is based on other records/reports we keep, they are stored but are not distributed to just anyone, only those with necessary need. We also don't send and/or make multiple copies of findings from other organizations (customer, regulatory, etc.) that come in and audit us.