Is there a difference between "Recommendation" and an "OFI" in Internal Audit?

L

lukaslukas

#21
Thanks!
Not sure I understand your comment about OBS, maybe I was not clear on this: they are not optional for execution to make sure we address the risk of a potential NC. If there is an Observation it has to be addressed, optional is only OFI implementation.
Regards,
Lukasz
 
Elsmar Forum Sponsor

somashekar

Staff member
Super Moderator
#22
Thanks!
Not sure I understand your comment about OBS, maybe I was not clear on this: they are not optional for execution to make sure we address the risk of a potential NC. If there is an Observation it has to be addressed, optional is only OFI implementation.
Regards,
Lukasz
Since OBS is an action item to avoid potential NC, I say it is an audit NC.
This sets direction
That is the reason I said OBS = NC
I am not for fancy words, nor the standard expects it.
We simply take actions without undue delay to eliminate the NC, which is appropriate to the effects of the NC noted.
 
Last edited:

Jim Wynne

Staff member
Admin
#23
Since OBS is an action item to avoid potential NC, I say it is an audit NC.
This sets direction
That is the reason I said OBS = NC
I am not for fancy words, nor the standard expects it.
We simply take actions without undue delay to eliminate the NC, which is appropriate to the effects of the NC noted.
You can't eliminate an NC that hasn't happened. Nonconformity = Non-fulfillment of a requirement (ISO 9000:2005). If there is no requirement, there is no NC. If there is a weakness in the system that has the potential to allow an NC to occur, the weakness should be addressed, but I don't like the idea of hanging negative descriptors on positive audit results. Identification of holes in the system is how improvement happens.
 

somashekar

Staff member
Super Moderator
#24
You can't eliminate an NC that hasn't happened. Nonconformity = Non-fulfillment of a requirement (ISO 9000:2005). If there is no requirement, there is no NC. If there is a weakness in the system that has the potential to allow an NC to occur, the weakness should be addressed, but I don't like the idea of hanging negative descriptors on positive audit results. Identification of holes in the system is how improvement happens.
You can eliminate a NC situation, the adverse effect of which has not yet happened.
With no disagreement with the NC definition, the bigger thing that an internal audit must see is how requirements are determined, and then how they are met, and how are they effective.
Internal audit must identify holes in the system, tag it as NC and drive CA.
If there is a weakness in the system that has the potential to allow an NC to occur, the weakness should be addressed,
I am calling this as a NC to be effectively addressed
Example:
People who are familiar with Epoxy use know that epoxy process requires validation. They also know that higher temperature of cure reduces the curing time. This combination effectively comes from good validation.
People who are familiar with engineering plastics know about Glass transition temperature and the effects on plastic parts when the temperature nears or reaches this temperature range.
When you audit validation process, you look at both these and assess how the epoxy curing process has been validated, when the part / assembly under validation process also has some engineering plastic parts, that may or may not be directly contacting the epoxy, but are subjected to curing temperatures.
The process may not have been yet put to practice, a NC part / assembly may not have been noticed yet. However in your audit you notice that the selected curing temperature is into the glass transition temperature of any of the engineering parts associated in the curing, one is tempted to call it observation.
I would prefer calling it NC, so that a good CA will avoid such further situations.
 

Jim Wynne

Staff member
Admin
#25
You can eliminate a NC situation, the adverse effect of which has not yet happened.
With no disagreement with the NC definition, the bigger thing that an internal audit must see is how requirements are determined, and then how they are met, and how are they effective.
Internal audit must identify holes in the system, tag it as NC and drive CA.

I am calling this as a NC to be effectively addressed
Example:
People who are familiar with Epoxy use know that epoxy process requires validation. They also know that higher temperature of cure reduces the curing time. This combination effectively comes from good validation.
People who are familiar with engineering plastics know about Glass transition temperature and the effects on plastic parts when the temperature nears or reaches this temperature range.
When you audit validation process, you look at both these and assess how the epoxy curing process has been validated, when the part / assembly under validation process also has some engineering plastic parts, that may or may not be directly contacting the epoxy, but are subjected to curing temperatures.
The process may not have been yet put to practice, a NC part / assembly may not have been noticed yet. However in your audit you notice that the selected curing temperature is into the glass transition temperature of any of the engineering parts associated in the curing, one is tempted to call it observation.
I would prefer calling it NC, so that a good CA will avoid such further situations.
Again, if we accept the ISO 9000 definitions as normative, An NC doesn't exist until a requirement hasn't been fulfilled. You are asking for CA when no NC exists; anything that might be done in the examples you cite would be preventive in nature. If an internal audit reveals a significant opportunity for an NC to occur, and whether or not that situation is addressed conscientiously is dependent on what the revelation is called, a new opportunity has been discovered. :D
 

John Broomfield

Staff member
Super Moderator
#26
Hello friends,

I wanted to know if there is a difference between "Recommendation" and an "OFI" ...

As per our system, we categorize audit findings into Major, minor and Recommendation but in line with other concepts, wanted to add in "Oppurtunities for Imprivement (OFI)" and I thought I would be able to differentiate both terms as follows -

Recommendation - any suggested improvement in the existing system

OFI - any suggested imporvements based on industry best practices or from benchmarking.

Would I be right in my approach ?
SGquality,

It would appear that you have no confidence in your system's ability to indicate the need for improvement before the auditor arrives.

In many systems employees tend to rely on the auditor. The system becomes weaker and more dependent on its auditors to function.

What proportion of your CARs come from non-audit activities?

Making the system depend on its auditors to identify needed improvements is robbing the auditors of their independence.

The auditors should stick to evaluating evidence and reporting the system's strengths for recognition and nonconformity (incl. failure to take preventive action) for corrective action.

Show me an OFI and I will identify the system weakness. Although I do understand that some auditors need to feel needed.

We should not make our management systems depend on auditors in any way and we should protect the independence of our auditors.

And auditees should know they must continue their vigilance even when the auditor's sample found no weaknesss.

John

PS: Managers who put the auditor's "good ideas" in the round file have my support.
 

Randy

Super Moderator
#27
SGquality,

PS: Managers who put the auditor's "good ideas" in the round file have my support.
I'm with you on this. I may ask "is there any reason why" but to fill the report with OFI's, no way.

I'm also an old schooler in the "recommendation" arena, as a 3rd part guy the only recommendation's I can make are either for certification, for continued certification or against certification
 

Helmut Jilling

Auditor / Consultant
#28
I'm with you on this. I may ask "is there any reason why" but to fill the report with OFI's, no way.

I'm also an old schooler in the "recommendation" arena, as a 3rd part guy the only recommendation's I can make are either for certification, for continued certification or against certification
I would take quite the opposite view. My clients find a lot of value from any ideas they get from audits...regardless what terms we use. It is their option whether to implement, but my clients frequently take notes during audits as opportunities present themselves. And, they implement a lot of ideas, OFIs, recommendations, whatever you want to call them.

My clients want value from their efforts, and most of them would tell you their metrics have improved, their customer performance has improved, their profitability has improved. Their systems generally pay for themselves from the improvements. Audit compliance only? ....not a chance... if this stuff doesn't make companies better, why do it?
 

Randy

Super Moderator
#29
I would take quite the opposite view. My clients find a lot of value from any ideas they get from audits...regardless what terms we use. It is their option whether to implement, but my clients frequently take notes during audits as opportunities present themselves. And, they implement a lot of ideas, OFIs, recommendations, whatever you want to call them.

My clients want value from their efforts, and most of them would tell you their metrics have improved, their customer performance has improved, their profitability has improved. Their systems generally pay for themselves from the improvements. Audit compliance only? ....not a chance... if this stuff doesn't make companies better, why do it?
How much of that do you put to paper in the report? Anybody that says "discussions" don't occur during an audit is flat out being dishonest, you know it and so do I.
 

Helmut Jilling

Auditor / Consultant
#30
How much of that do you put to paper in the report? Anybody that says "discussions" don't occur during an audit is flat out being dishonest, you know it and so do I.
No, I agree. Smithers' auditors generally document only nonconformities. The rules for documenting and justifying "OFIs" in TS have simply become too burdensome and impractical. (IATF ruined a good thing that clients generally liked).

But, discussions do occur during audits, audit trails are followed, and perceptive clients and auditors can see areas where improvements and low hanging fruit are readily available. It is at these points where my clients typically jot some notes.

I believe for a mature system, it is these opportunities that provide clients with additional value. They pay a lot for these audits and deserve to receive more value than just a recommendation for continued certification.
 
Thread starter Similar threads Forum Replies Date
W What is the difference between TYPE B and TYPE BF? IEC 60601 - Medical Electrical Equipment Safety Standards Series 2
T The difference between ISO 14644-3:2005 and ISO 14644:2019 Other Medical Device Related Standards 2
Q Terminal Lugs sizes - Difference between 225/24 vs. 275/24 lugs Manufacturing and Related Processes 2
M Difference between "Production Trial Run" and "Run at Rate" IATF 16949 - Automotive Quality Systems Standard 8
D Difference between Test Method Validation and Gage R&R Qualification and Validation (including 21 CFR Part 11) 18
A What is the difference between Design Process, Process Design and Design Control? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 2
R What's the major difference between Green Belt and Black Belt in term of training and project Six Sigma 3
T Difference between a subcontractor and a supplier ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 21
H Difference between Stainless Steel 316 ASTM F899 and ASTM A276 Other Medical Device Related Standards 3
A Exact terms for a plating failure and difference between rejection rate and failure rate Manufacturing and Related Processes 9
M Difference between MSA and MSE? General Measurement Device and Calibration Topics 1
gramps What is the difference between discrete and continuous variables? Problem Solving, Root Cause Fault and Failure Analysis 3
JoCam Difference between Approval and Registration - ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 2
S Difference between EU-MDR Annex IX and the Annex-combo X&XI EU Medical Device Regulations 4
T ISO 17025:2017 Clause 4.2.2 - The difference between "be notified" and "be informed" ISO 17025 related Discussions 4
Jimmy123 What is the difference between Error Proofing and Controls? ISO/IATF 16949 - Control Plans FMEA and Control Plans 16
C IEC 60601-1-8, difference between table 4 and annex D IEC 60601 - Medical Electrical Equipment Safety Standards Series 2
A What is the difference between Basic UDI-DI and UDI-DI? EU Medical Device Regulations 6
Q What is the difference between AS9100D 9.3.2.f and 9.3.3.a AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 8
M Aluminum - What is the difference between 6061-T6 and 6061-T651 (both per ASTM B211)? Manufacturing and Related Processes 4
P What is the exact difference between Risk and Opportunity in context of ISO 27001? IEC 27001 - Information Security Management Systems (ISMS) 7
S Difference between Surface Finish (Ra) and Flatness (GD&T) Inspection, Prints (Drawings), Testing, Sampling and Related Topics 6
O Air Flow - Which is the operational difference between LAF (vertical and horizontal) and RLAF? Manufacturing and Related Processes 2
S What the difference is between Stub Acme & Acme thread? Oil and Gas Industry Standards and Regulations 1
S DO 178B - What is the difference between review and verification? Federal Aviation Administration (FAA) Standards and Requirements 1
T The difference between SOP and Kaizen Standardization Lean in Manufacturing and Service Industries 2
K Difference between intended purpose and intended use of the device EU Medical Device Regulations 9
Q What is the difference between normal and licensed internal auditor? VDA Standards - Germany's Automotive Standards 9
J What is the difference between Process Variation and Tolerance? Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 4
O Difference Between PFMEA & Control Plan FMEA and Control Plans 3
S Difference between an Advisory Notice (ISO 13485) and a Field Safety Notice? ISO 13485:2016 - Medical Device Quality Management Systems 3
T Difference between "data analysis" and "management review" ISO 13485:2016 - Medical Device Quality Management Systems 4
qualprod What is the difference between 7.4.1 (2008) and 8.4.1 (2015)? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 6
D Difference between uncertainty and expanded uncertainty of measurement General Measurement Device and Calibration Topics 1
S EASA Part 145 - The difference between non-certifying staff and Certifying staff Federal Aviation Administration (FAA) Standards and Requirements 2
S The difference between a Medical Device Accessory and Component Canada Medical Device Regulations 2
S What is the difference between a service request and a complaint? ISO 13485:2016 - Medical Device Quality Management Systems 2
I What is the difference between OOS/OOT Imported Legacy Blogs 3
A Definition Difference between Quality System Procedure and Standard Operating Procedure (SOP) Definitions, Acronyms, Abbreviations and Interpretations Listed Alphabetically 4
Q Difference between Monitor & Measurement ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 4
T QA vs. RA - The difference between QA and RA Coffee Break and Water Cooler Discussions 6
A Difference between Discrimination and Least Count IATF 16949 - Automotive Quality Systems Standard 2
K Difference between Medical Electrical Equipment and Medical Equipment System IEC 60601 - Medical Electrical Equipment Safety Standards Series 3
M Usability Standard - The difference between IEC 60601-1-6 to IEC 62336 Human Factors and Ergonomics in Engineering 1
S What is the difference between Verification and Validation of Test Reports? AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 5
A Difference between ISO 9001:2015 Clauses 8.1 and 8.5.1 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
M IATF 16949 Cl. 8.4.2.2 vs 8.6.5 - Is there any difference between these clauses? IATF 16949 - Automotive Quality Systems Standard 7
C What is the difference between "Overall Risk" and "Risk"? (ISO 14971) ISO 14971 - Medical Device Risk Management 10
C The difference between a Critical Dimension vs. Critical Characteristic Misc. Quality Assurance and Business Systems Related Topics 2
A ISO 9001:2015 - The difference between 6.1.1b and 6.1.1d - IMHO, d) implies b) ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 1

Similar threads

Top Bottom