ISO 17025:2017 / ANAB 3125 - Articulating / Communicating Risks vis-a-vis Audit Findings



I have found that auditees may sometimes not fully appreciate the scope/scale of an audit finding and its impact (Risks) to the organisation. Although I am looking specifically at ISO 17025 Testing (digital forensic) laboratories, I decided to try and convey the audit findings in a more articulated method so that one could not argue that they did not fully appreciate the risk or impact.

Attached is an audit finding template that attempts to convey the risks to auditees more explicitly. Typically this would be part of a much larger report and have a summary of key findings and risk exposure at the start of the audit findings report.

I am wondering if anyone else has used a similar approach or experienced similar issues and how did you address them? Any feedback would be welcome.

  • Internal Audit Findings Template v1.1.pdf

More communication (noun) does not necessarily equal more communication (verb).
Most people will see those checkboxes, and apply HHGTTG Somebody Else's Problem filter cognitively. Unless someone already knows the concepts underlying the checkboxes they'll mean nothing. If they do know them, they don't usually need the checkboxes.
Ignorant people respond slightly better to story-form, but even then the SEP filter is a strong interference. Ironically the only people that truly appreciate a risk either have felt its sting in the past or are confident in being able to apply an (appropriate) solution. The latter needs to take into account knowledge and skill as well as resources and capacity. The more of these are lacking, the more you need to compensate and develop the shortcoming ones for the next go around until they are fulfilled.


Hi Jean,

Thanks for your valuable insight. I guess, yes, I am trying to overcompensate to address certain issues, but you have raised some good points for me to consider and plan for my next audit report. Thanks for your feedback.
