Do all findings (nonconformities) in an internal audit require a corrective action?

John Broomfield

Leader
Super Moderator
Re: Do all findings in an internal audit require a corrective action?

All,

Yes, many internal auditors think they are under pressure not to report to a failure to fulfill requirements, with evidence, as a nonconformity.

But the managers responsible for the management system should evaluate the need for corrective action (after making the correction) instead of depending on an auditor to advise them of the depth of improvement needed.

Best not to make managers depend on the auditors for getting their management system right...

...and to preserve the objectivity and impartiality of the audit process without nitpicking.

John
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
Re: Do all findings in an internal audit require a corrective action?

This is purely because CBs have been told to "tighten up" on the grading of findings. It's silly. Firstly, what has it got to do with what you "grade" them as? Did the auditor spend any time to look at the content? No, it's a silly, picky nonsense comment.
Nonsense? I don't know - it depends on what the issues were. I sometimes audit a site with an internal audit process that never results in corrective actions. If I find nonconformities and their own team doesn't, I have to ask why that is happening.
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
Re: Do all findings in an internal audit require a corrective action?

As a result of that comment in the CB surveillance audit report, the Top Management was at its full throttle to fix the finding and as internal auditors we earned a bad reputation within our peers. However, when we did the audit, we wrote down justifications for the nonconformance and the consequence of not taking action. Thank you.
I would be disappointed if a bad reputation resulted from this in my organization. If it is happening as a group I would look to the process for preparing and supporting the audit team.
 

Sidney Vianna

Post Responsibly
Leader
Admin
Re: Do all findings in an internal audit require a corrective action?

It's silly. Firstly, what has it got to do with what you "grade" them as? Did the auditor spend any time to look at the content? No, it's a silly, picky nonsense comment.
Not really. If an (internal or external) auditor softgrades a nonconformity as an OFI, the clear and direct implication is that there is no requirement for a corrective action to be implemented in anything other than a nonconformity. OFI's can be totally disregarded.

So, by softgrading nonconformities as OFI's and allowing problems to linger, the system is deteriorating over time, in addition to being a blatant lack of adherence to basic audit techniques.

If a real system problem exists, auditors MUST report the issue as a nonconformity, so, correction, root cause analysis and corrective action implementation happens.

As we all know, most systems should be following the Plan Do Check Act (PDCA) cycle. When we audit and observe system failures and breakdowns (part of the Check step), if we fail to report the issues properly, chances are, the necessary corrective actions (part of the Act step) will not occur.
 
Last edited:

AndyN

Moved On
Re: Do all findings in an internal audit require a corrective action?

Not really. If an (internal or external) auditor softgrades a nonconformity as an OFI, the clear and direct implication is that there is no requirement for a corrective action to be implemented in anything other than a nonconformity. OFI's can be totally disregarded.

So, by softgrading nonconformities as OFI's and allowing problems to linger, the system is deteriorating over time, in addition to being a blatant lack of adherence to basic audit techniques.

If a real system problem exists, auditors MUST report the issue as a nonconformity, so, correction, root cause analysis and corrective action implementation happens.

As we all know, most systems should be following the Plan Do Check Act (PDCA) cycle. When we audit and observe system failures and breakdowns (part of the Check step), if we fail to report the issues properly, chances are, the necessary corrective actions (part of the Act step) will not occur.

Grading often has NOTHING to to with CONTENT and CONTEXT, and is a futile activity for internal audits. This is yet another example of where the distinction between internal audits and external audits has been confused.
 
Last edited:

Sidney Vianna

Post Responsibly
Leader
Admin
Re: Do all findings in an internal audit require a corrective action?

Grading has NOTHING to to with CONTENT and CONTEXT, and is a futile activity for internal audits.
So, are you saying that internal auditors can (soft)grade a nonconformity, for which a corrective action is expected, as an OFI, instead, for which no subsequent actions are required?

Softgrading a finding is mis-grading it.

Grading is not only categorizing a nonconformity as minor or major. Proper grading implies in categorizing an audit finding as conformity, nonconformity and opportunities for improvement, according to ISO 9000:2005.

Why would internal auditors softgrade nonconformities as OFI's? Because they have been misdirected to do so for the simple fact nonconformities have a negative connotation and, require the hard work of RCA and ensuing CA.

Any registrar that allows internal auditors to softgrade nonconformities as OFI's are doing their customers and customer's customers a disservice, in my view.
 
Last edited:

AndyN

Moved On
Re: Do all findings (nonconformities) in an internal audit require a corrective actio

Let me be very clear:

THERE IS NO PLACE FOR INTERNAL AUDIT FINDINGS TO BE GRADED

The fact of the matter is that without a clearly and comprehensively reported situation, which itself will convey the "gravity" and hence the need for action, then it doesn't matter what the heck you call a nc - no-one will take it seriously!

Don't confuse the time-honored tradition of reporting to other (external) functions the "grade" of non-conformity so that the Purchasing or Certification personnel can make their decision, without understanding the technical content.

None of this applies to an internal audit!
 
Last edited:

Jen Kirley

Quality and Auditing Expert
Leader
Admin
Re: Do all findings (nonconformities) in an internal audit require a corrective actio

Let me be very clear:

THERE IS NO PLACE FOR INTERNAL AUDIT FINDINGS TO BE GRADED

The fact of the matter is that without a clearly and comprehensively reported situation, which itself will convey the "gravity" and hence the need for action, then it doesn't matter what the heck you call a nc - no-one will take it seriously!

Don't confuse the time-honored tradition of reporting to other (external) functions the "grade" of non-conformity so that the Purchasing or Certification personnel can make their decision, without understanding the technical content.

None of this applies to an internal audit!
I wonder how the upcoming requirement for risk based thinking will factor in? Not everything needs the same treatment; some issues are small but represent death-by-a-thousand-cuts inefficiency and/or impact the ability to achieve goals.

I have found a number of people who welcome the idea of introducing some nuance into internal audits.
 

Sidney Vianna

Post Responsibly
Leader
Admin
Re: Do all findings (nonconformities) in an internal audit require a corrective actio

ISO 19011:2011 establishes as a guidance:

Audit evidence should be evaluated against the audit criteria in order to determine audit findings. Audit findings can indicate conformity or nonconformity with audit criteria. When specified by the audit plan, individual audit findings should include conformity and good practices along with their supporting evidence, opportunities for improvement, and any recommendations to the auditee.

Nonconformities and their supporting audit evidence should be recorded. Nonconformities may be graded. They should be reviewed with the auditee in order to obtain acknowledgement that the audit evidence is accurate, and that the nonconformities are understood.

In my opinion, an audit team that collects evidence, but does not grade the findings in conformity (positive/negative), nonconformity and opportunities for improvement is not fulfilling their responsibilities. The audit team must present an audit conclusion, which would include, among other items, instances of nonconformities, if any are observed during the audit.

To relinquish the responsibility of an audit conclusion to management whom did not participate actively during the audit would be a risky proposition, in my opinion. Obviously in some tricky situations, top management could be brought in as an arbitrator and reviewer, but to make that as the modus operandi of an internal audit process would be inappropriate.
 
Top Bottom