Should an auditor document potential nonconformities in the audit report?

S

samsung

Should potential nonconformities be documented along with detected/ verified nonconformities in the audit report ? How are they categorized, I mean as NC's or as observations ?

If they are reported as NCs, should a CAR & follow up audit be applicable ?

Your inputs appreciated.

Thanks.
 

somashekar

Leader
Admin
Should potential nonconformities be documented along with detected/ verified nonconformities in the audit report ? How are they categorized, I mean as NC's or as observations ?

If they are reported as NCs, should a CAR & follow up audit be applicable ?

Your inputs appreciated.

Thanks.
The potential NC would be a good input as an observation point which as many call it 'Value addition' in the audit activity. An audit NC reported must be fact based or objective evidence based. I am sure more inputs will flow on this.
 

qusys

Trusted Information Resource
I think that the auditor could have already some data from the preventive action process, auditing management review.
However I agree that they could be some observations as said in the previous post.:bigwave:
 

AndyN

Moved On
Should potential nonconformities be documented along with detected/ verified nonconformities in the audit report ? How are they categorized, I mean as NC's or as observations ?

If they are reported as NCs, should a CAR & follow up audit be applicable ?

Clearly, an internal auditor should point out the potential for problems. If it's a POTENTIAL problem, then calling it a non-conformity will confuse people, won't it? I would advocate not 'classifying' them but making clear in the report what you are indicating. Too much effort is placed in naming things, rather than on the description of what's reported. If you are clear on what it is you're telling management, they'll notice and fix it - if you're correct! If they don't , it's still recorded in the audit report, for use by the audit management in directing the focus of the next auditor!:read:
 
S

samsung

Clearly, an internal auditor should point out the potential for problems. If it's a POTENTIAL problem, then calling it a non-conformity will confuse people, won't it? I would advocate not 'classifying' them but making clear in the report what you are indicating. Too much effort is placed in naming things, rather than on the description of what's reported. If you are clear on what it is you're telling management, they'll notice and fix it - if you're correct! If they don't , it's still recorded in the audit report, for use by the audit management in directing the focus of the next auditor!:read:

:agree1: Yes, it's more appropriate to call it a 'potential problem' than a 'potential nonconformity' to erase the confusion. However, much of the confusion lies in:
The organization shall determine action to eliminate the causes of potential nonconformities in order to prevent their occurrence.

Anyway, but not taking a preventive action against a perceived problem should, then form a basis for writing a nonconformity ?
 

AndyN

Moved On
:agree1: Yes, it's more appropriate to call it a 'potential problem' than a 'potential nonconformity' to erase the confusion. However, much of the confusion lies in:


Anyway, but not taking a preventive action against a perceived problem should, then form a basis for writing a nonconformity ?

If we are talking about an audit report then, no. The auditor should report if they see a potential problem. How can they write a nonconformity? It's only their 'opinion' at this point.

Also, there would have to be a great deal of confidence in the whole audit program, IMHO, before management would address an audit report as 'preventive action - IMHO. It would be sheer luck unless the audit was planned with the idea of detecting a potential failure...
 
S

samsung

If we are talking about an audit report then, no. The auditor should report if they see a potential problem. How can they write a nonconformity? It's only their 'opinion' at this point.

Also, there would have to be a great deal of confidence in the whole audit program, IMHO, before management would address an audit report as 'preventive action - IMHO. It would be sheer luck unless the audit was planned with the idea of detecting a potential failure...

All I can conclude from this discussion is that:

1. The definition of 'nonconformity' isn't consistent with the one suffixed in 'potential nonconformity' that has yet not taken any definite shape to point to a 'requirement' that hasn't been fulfilled.

2. 'Potential nonconformity', as pointed by Andy, should be construed as a 'problem' rather than a 'nonconformity' in its literal sense.

Thanks for all great inputs.
 

AndyN

Moved On
‘Certification/registration bodies (CRB’s, or “registrars”) are subject to the rules of both ISO 19011.CRB:
□ When writing findings, the CRB must adhere to the following convention:
o Clearly record the nonconformity
o Indicate the clause under which the nonconformity falls
o Clearly state the objective evidence that supports the nonconformity
o Indicate whether the nonconformity is a major or minor, using definitions of those
terms as defined by the CRB’s procedures
o Review the nonconformity, and revise as necessary, to ensure that it is written in a way that is verifiable at a later date without any further request for information.
□ Findings that do not follow all the requirements of this convention will be considered to be nonconforming against ISO 19011’.


ISO 19011 requirements aren't rules! A Certification Body doesn't have to follow ISO 19011, it's a guideline. If we're talking accreditation of a CB to ISO/IEC 17021, ISO 19011 is a normative reference', called out in a few sections of 17021.

I don't believe that Mr. YYYYYYYYY 's quote is an authoritative reference today (5 years later)
 
Top Bottom