Do all findings (nonconformities) in an internal audit require a corrective action?

AndyN

Moved On
Re: Do all findings (nonconformities) in an internal audit require a corrective actio

Andy,

Sure, the audits are scheduled according to their status and importance (or risk and opportunity) but once the nature and evidence of a nonconformity is agreed it is for the auditee to evaluate the need for corrective action.

The interface between where audit stops and corrective action starts is movable but as the management system matures the auditee should need less help from the auditor.

If the corrective action starts without an evaluation then this would be another nonconformity for the auditee to catch and correct per 8.2.3. Failing that the auditor may need to bring this nonconformity to the attention of the auditee.

If the auditee relies too much on their auditors we can see how auditors weaken the management system instead of strengthening it.

The only other findings reported by internal auditors should be positive points, what was sampled and the answer to the audit objective (aka audit conclusion).

I agree with you, integral auditors trying to mimic CB auditors by expressing their opinions in OFIs is not a good idea.

John

Agreed, John. Common practice shows otherwise, in a significant number of cases! How many (internal) audit processes tell auditors to write "CARs"? Similarly, with the grading of non-conformities - the auditor is telling management how significantly they should respond. Not the internal auditor's job! You are totally correct that, if the auditor does anything more than report what was observed, accurately and clearly, that they begin to abrogate managements' job of understanding.

Of course, it's far easier to have auditors do things like writing OFIs etc, than to have them actually plan and prepare their audits effectively, by working with management to understand the scope of the audit, the objective and any risk opportunities and to report in due course, to those things. But then, the whole model for training internal auditors would look so totally different from what external (CB) auditors are taught (and teach) it might be difficult for some to comprehend...
 

John Broomfield

Leader
Super Moderator
Re: Do all findings in an internal audit require a corrective action?

But if the Internal Auditor could not find any nonconformity (for example the design process), would it reflect the skill of the auditor? Or should the auditor nitpick and issue a nonconformance for a slight blip in the process? Thank you and Happy Holiday!

LUV-d-4UM,

Yes, unfortunately, some so-called auditors are like this and they deserve every ounce of disrespect from their auditees.

Instead, true auditors engage their auditees in looking for evidence of effectiveness. Consequently, they are helped and the auditee often identifies the nonconformity before the auditor has to.

Happy Christmas,

John
 

insect warfare

QA=Question Authority
Trusted Information Resource
Re: Do all findings (nonconformities) in an internal audit require a corrective actio

When it comes to NC grading in internal audits (which I personally prefer not to do), I've always maintained the position that OFI's are not something to be downgraded to from an NC (major or minor) - rather they are a separate extension or "another arm" of the audit process. In the past, I've offered OFI's in my audit reports for conforming situations as well as nonconforming ones, because even in conforming situations there can still be room for improvement. Whether or not those OFI's are taken seriously is another matter for discussion.

It is up to us as auditors to utilize the competencies and skill sets that we have to point out where these opportunities are, because if we don't then (I hate to say it but) we are not optimizing the value of the internal audit program by maximizing effectiveness throughout the organization.

And a well-written NC is still the backbone and foundation of a good corrective action - classifying it as "major" or "minor" will not make a huge impact if it is worded poorly....

Brian :rolleyes:
 

John Broomfield

Leader
Super Moderator
Re: Do all findings (nonconformities) in an internal audit require a corrective actio

When it comes to NC grading in internal audits (which I personally prefer not to do), I've always maintained the position that OFI's are not something to be downgraded to from an NC (major or minor) - rather they are a separate extension or "another arm" of the audit process. In the past, I've offered OFI's in my audit reports for conforming situations as well as nonconforming ones, because even in conforming situations there can still be room for improvement. Whether or not those OFI's are taken seriously is another matter for discussion.

It is up to us as auditors to utilize the competencies and skill sets that we have to point out where these opportunities are, because if we don't then (I hate to say it but) we are not optimizing the value of the internal audit program by maximizing effectiveness throughout the organization.

And a well-written NC is still the backbone and foundation of a good corrective action - classifying it as "major" or "minor" will not make a huge impact if it is worded poorly....

Brian :rolleyes:

Brian,

I agree that internal auditors should not grade nonconformities. But I take issue with auditors issuing OFIs.

Should the management system have resulted in the managers or other employees seeing the needed improvement for themselves before the audit?

If the management system failed to do this, the auditor may have missed evidence of a 6.2, 8.2.3, 8.4, 8.5.1 or 5.6 nonconformity. This is what the auditor should have investigated if they have the time and it's within the audit's scope.

I'm concerned that an auditor-issued OFI could leave that system weakness in place. So, perhaps it is better for the auditor to investigate the system weakness or to transfer this responsibility to the auditee or to a subsequent audit.

John
 

insect warfare

QA=Question Authority
Trusted Information Resource
Re: Do all findings (nonconformities) in an internal audit require a corrective actio

Brian,

I agree that internal auditors should not grade nonconformities. But I take issue with auditors issuing OFIs.

Should the management system have resulted in the managers or other employees seeing the needed improvement for themselves before the audit?

If the management system failed to do this, the auditor may have missed evidence of a 6.2, 8.2.3, 8.4, 8.5.1 or 5.6 nonconformity. This is what the auditor should have investigated if they have the time and it's within the audit's scope.

I'm concerned that an auditor-issued OFI could leave that system weakness in place. So, perhaps it is better for the auditor to investigate the system weakness or to transfer this responsibility to the auditee or to a subsequent audit.

John

Good points....

Your concerns would certainly be well-founded if you knew for sure that an OFI was offered in response to an actual system weakness. My point was to illustrate that an OFI could also be applied to a conforming situation, namely one which technically meets company and/or MSS requirements, but one that could be made even more effective with tweaks and adjustments (i.e. consider the mature organization who has "plucked" most of their low-hanging fruit). In my internal audit procedure, I have specifically defined "OFI" as:

A situation where the audit evidence presented indicates that (based on auditor experience or knowledge) additional effectiveness or robustness of a process, task or activity may be possible with a modified approach.
I believe that - like having another tool in the toolbox - internal auditors should be able to provide this value-added service in addition to identifying system weaknesses. Moreover (and speaking strictly from a CI standpoint), opportunities for improvement should be encouraged from everyone, whether it be manager, auditor, worker, etc. so that the communication lanes always stay open.

Brian :rolleyes:
 

LUV-d-4UM

Quite Involved in Discussions
Re: Do all findings (nonconformities) in an internal audit require a corrective actio

:applause:
If someone wants to report internal audit findings to management so they take notice, write them under the following format:

Risk: State what was observed in terms of a risk to company, customer etc.

Impact: State what was observed in terms of the result on customer, profit etc.

If you report anything found during an IA where something wasn't being implemented as planned, then this is an effective method. The "nc" statement, phrased in such a manner will be readily understood by management as something which warrants action. The traditional nc methodology has had it's time. It was always a copy of what external auditors do and often was only about a simple compliance issue (arcanely) relating to an ISO clause which management rarely have any understanding of.

Thank you Andy,Sydney, Jennifer, Big Jim and all the experts,

This is how we are starting to report our internal audits finding by looking at the RAM matrix and determine the number which would create impact in the bottom line.:applause:
 
Top Bottom