ISO 9001 Lead Auditor Training

Module 7 - Audit Reporting

7.1 Audit Reports and Records
The report of an external audit should provide a complete, accurate, concise and clear record of the audit. It is the major output of the audit process and may be read and used by people who were not at the audit (and have no other information about the audit). It is, therefore, important that the audit report give a balanced picture of the whole audit not merely the nonconformities found.

ISO 9000 Auditor Training - Some organizations require their auditors to give a complete audit account, including all observations made, all persons addressed, and all samples taken. This approach provides a complete picture of all the conformities seen, not just the nonconformities.

However, many organizations require fairly brief reports. Although shorter and less costly to prepare, they still provide an adequate amount of information. The whole reason for preparing a report is for the use by various people to initiate corrective actions and evaluate and address any recommended opportunities for improvement.

The audit team leader should be responsible for the preparation and contents of the audit report. Essentially, the following points are to be addressed in an audit report:
• Unique audit identity (number/ letter, etc.)
• Audit objectives and criteria
• The audit scope, particularly the organizational and functional units or processes audited and time period covered
• Identification of the audit client
• The dates and places where the on-site audit was conducted
• The audit findings and conclusions

The report may also include or refer to the following, as appropriate:

• The audit plan
• A list of audit attendees
• A summary of the audit process, including the uncertainty and/or any obstacles encountered that could decrease the reliability of the audit conclusions
• Confirmation that the audit objectives have been accomplished within the audit scope in accordance with the audit plan
• Any areas not covered, although in the audit plan
• Any unresolved diverging opinions between the audit team and the auditee
• Recommendations for improvement, if specified in the audit objectives
• Agreed follow-up actions if any
• A statement of the confidential nature of the contents
• The distribution list for the audit report
• Applicable quality system requirements (the Standard)
• Names and positions of team leader and team
• Summary

ISO Auditor Training - There should be a summary statement the “polished up” version of the one presented at the closing meeting. This summary provides the informed judgement of the auditors.

• Nonconformities
All audit reports include the nonconformities exactly as they were written and presented to the auditee. If there is a classification system, such as Major or Minor, then this is used. There may also be a reference to a clause in the Standard. If a nonconformity was “closed out” during the audit, then a note is made to that effect.

• Suggestions for correction of nonconformities
This is becoming less typical as organizations recognize its futility. However, certain companies require auditors to include suggestions for correction of nonconformities. This is difficult, time consuming, and risky; it may also be nonconforming with registrar policy and procedures (for reasons previously discussed). The auditors have to be very careful about any suggestions because their knowledge of the auditee's systems is so very limited. Their ability to make valued criticism is so limited, in fact, that in many cases, it is useless and best omitted.

• Suggestions for improvement
As part of the value-added approach to auditing, the audit team should provide improvement suggestions relating to:
o Areas of concern where controls are in place and conforming with requirements, but in the auditor’s experience and judgement, appear weak and likely to lead to a nonconformity in the future
o Opportunities where organizations can more effectively or efficiently manage, perform or control an activity or process, based on the auditors experience with similar situations in other organizations
It should be understood that the organization has no obligation to implement such suggestions, but it must be aware of the risks of not doing so.

• Approval
The report should be signed and dated by the audit team leader as “approved”. Some organizations require a further signature of a senior person before the report is issued.

ISO 9001 Auditor Training - It is important to prepare and issue an audit report within a reasonable timeframe. Typically, the report should be issued within 1 2 weeks of the audit and include a letter defining the required response. Another option, used by most registrars, is to leave the report with the auditee at the conclusion of the closing meeting.

The audit response must be considered confidential. Even the fact that an audit has taken place is confidential between the two parties. The audit information must not be disclosed to another party without the permission of both parties.

As with any record, audit reports should be retained on file for a prescribed time. All the other records from the audit should also be retained. For example, checklists that are useful for re-audits, as well as, the auditor's own notes made during the audit investigation. Records will also be kept of corrective actions to satisfy the “close out” requirements of each nonconformity.

Internal audits may not require the same depth of documentation of reporting, but the records retained will include at least the following:

• Reference and date of the audit
• Department/office/section audited
• Audit scope and objective
• Names of auditor(s), audit plan, and audit checklists plus nonconformities
• Auditor notes
• Audit summary and conclusions
• Corrective actions taken. 

"Understanding ISO 9001" provides a detailed explanation of each ISO 9001 clause (requirements).

ISO 9001 FAQ provides answers to commonly asked questions about the ISO 9000 family of quality management standards.