Non-Conformance vs OFI -- your best descriptions

[Ed Panek]

Ed,

How do you avoid sharing a previous auditee’s intellectual property (aka holistic improvements) with future auditees?

And that the systems you audit are not reliant on your periodic suggested holistic improvements?

Thanks.

I dont provide specific advice. For example, "Management Review isnt limited to the definition of what ISO wants to be in it. It can be expanded and still comply" is advice I gave to a supplier wondering where to discuss technology trends in an inspection process.

 

[Mike S.]

As per the OP, we are talking internal audits here -- where we hopefully all share the common goal of making the company better in the most efficient way possible.

Personally, if I see an isolated, minor nonconformance that can be immediately fixed I will sometimes not write it up as a formal CAR. I do not feel that every single nonconformance "MUST" be treated via a formal CAR process.

IMO an opportunity for improvement is, for example, where you may see an inefficiency that could be improved. Maybe you see a certain department keeping a record via scanning it and keeping it electronically and also paying for hardcopies to be stored as well. I may suggest an OFI is to do one or the other, but not both. There is no nonconformance, but there is inefficiency.

 

[Randy]

Why not just use the ISO definition of non-conformance?

From the ISO 9001 Auditing Practices Group Guidance on: Nonconformity - Documenting

"What is a nonconformity? According to the definition in ISO 9000 a nonconformity is "non-fulfillment of a requirement". There are three parts to a well-documented nonconformity:
• the audit evidence to support auditor findings;
• a record of the requirement against which the nonconformity is detected;
• the statement of nonconformity. "

"If there is no audit evidence – there is no nonconformity. If there is evidence – it must be documented as a nonconformity, instead of being softened with another classification (e.g. “observations”, “opportunities for improvement”, “recommendations”, etc.). In the longer term, neither the organization, its customers, © ISO & IAF 2016 – All rights reserved www.iaf.nu; www.iso.org/tc176/ISO9001AuditingPracticesGroup 2 of 4 nor the CRB benefit by the use of softer classifications, as this risks the nonconformity being given a lower priority for corrective action. "

 

[Jim Wynne]

Tagin,

Is a conforming system not meant to invoke preventive action without any help from its auditors?

John

Do not bother with OFIs.

Report every system weaknesses as a nonconformity.

...including the systems that rely on auditors to initiate improvements.

A nonconformity, in ISO-Land, is simply non-fulfillment of a requirement. Requirements are documented. A "system weakness" that doesn't represent non-fulfillment of a documented requirement is not a nonconformity and should never be documented as such. The fact that an internal auditor initiates improvement is not necessarily evidence of a system that relies on internal auditors to initiate improvement. If internal auditors can't or shouldn't identify potential improvements, most of the value of internal auditing is lost. Internal auditors don't exist outside of the system--they're an integral part of it.

 

[John Broomfield]

A failure to initiate preventive action to address a known system weakness would probably be agreed by auditee management to be a nonconformity.

The requirements (audit criteria) come from management as well as the standard.

 

[Sidney Vianna]

Even though most people are oblivious to ISO 19011, it contains some sound advice. When it comes to auditors personal behaviour, among other traits, it suggests:

acting with fortitude, i.e. able to act responsibly and ethically, even though these actions may not always be popular and may sometimes result in disagreement or confrontation;​

As I asked before, why are internal auditors sofgrading the findings? Are they afraid of confrontation, retaliation, friction? Definitions will not make an iota of a change if people are allowed to misreport audit results.

 

[Sidney Vianna]

Requirements are documented.

Not always, according to the ISO 9000 defintion of the term requirement.

​

 

[Jim Wynne]

A failure to initiate preventive action to address a known system weakness would probably be agreed by auditee management to be a nonconformity.

The requirements (audit criteria) come from management as well as the standard.

The documented requirements can come from the standard or from the organization's documented requirements. In my own view, there is no sense in doing internal audits against the standard, because the internal requirements should include the requirements of the standard. If you think it's a good idea to call something a nonconformity that doesn't violate a requirement, you're looking for trouble.

 

[John Broomfield]

All the auditor has to do is ask management if they are happy to do nothing about a known system weaknesses.

Failure to take preventive action would be the nonconformity.

 

[Sidney Vianna]

A failure to initiate preventive action to address a known system weakness would probably be agreed by auditee management to be a nonconformity.

I don't think it would be wise to miscategorize all findings as nonconformities. ISO 19011, refers to OFI's, conformity and good practices and recommendations, IN ADDITION to nonconformities. Auditors who know how to properly report audit results should be able to properly categorize their findings so, the level of attention and reaction by the auditees, including top management would be commensurate with the severity of the issues at hand.