Documenting Your Internal Audit
Documenting Your Internal Audit
The February and April 2012 Risky Business articles covered planning the type of audit to be performed, your purpose and objectives for the audit, and the four phases of an audit. After performance of an audit it must be documented.
Purpose of the Audit Report
An audit report serves the following functions:
- It provides information to indicate either adherence to requirements or that corrective action must be initiated in the form of corrective action or system improvement.
- It guides management in subsequent decisions and activities.
- It establishes a record of the investigation and conclusions.
An audit report should be formalized in writing even if there are no deficiencies to report. This will help in comparing audit reports each year to identify positive and negative trends.
Format of the Audit Report
The format of the audit report can vary widely so you need to determine the best format for you and your organization. Whatever format you decide to use it should be used consistently. There is no standard length for the audit report. The following items should be included in the audit report:
- An introduction
- A summary
- The results
- Requests for corrective action
The introduction would include the purpose and scope of the audit, names of audit team members, dates of the audit, standards used for the audit, list of personnel involved in or contacted during the audit, and distribution list for the audit report.
The summary includes statements pertaining to the observations of nonconformities and findings, the audit team's judgment of the extent of the conformance/compliance with the applicable standard, the system's ability to achieve defined objectives, and the effectiveness and efficiency of the system and processes.
The conclusion reached and shown in the summary for a first-party audit, could be that:
- The department functions well but is falling short of organizational objectives.
- Pending resolution of the audit findings, the department may continue to function provided that specified remedial actions or countermeasures are immediately implemented.
- Due to the conditions observed, the interval for periodic audits of the area will be extended (or shortened).
The results section of the report contains the most detail and should include the following:
- Findings/nonconformities and number
- Specific requirement
- Audit evidence of the nonconformity or finding
- Provisions for response
- Provisions for recording corrective action and follow-up activities
- Opportunities for improving the quality, environmental, and/or safety program
Each problem area should be listed in one to three sentences. The comments should include the issue and facts or examples that support each finding or positive practice. Accomplishments, positive practices, best practices, or processes that work exceptionally well can be included and can be listed at the front or back of the report.
Nonconformity statements must be written so they are clear and factual. Here are some points to consider when you're writing this statement:
- State the requirements of the internal or external standard or specification.
- State the department where the nonconformity occurred.
- State the factual evidence to support the nonconformity.
- State the type of nonconformity with reference to the internal or external standard, procedure, or element with which it does not comply.
The results of the audit may be shown as findings, nonconformities, deficiencies, adverse conclusions, or significant observations and conclusions. The most common terms used are nonconformity, noncompliance or finding.
Review of Results
It's usually best for audit results to be reviewed by management prior to sending them to the manager of the area audited. Management will review the findings to ensure they are clearly stated, are correct and value added.
The next step is for the process owner to document corrective/preventive action. A form can be provided to the process owner for this purpose.
Follow-up Actions and Closure
So what is your organization going to do with all this information in order to reap the benefits of finding out where non-conformances exist?
Documentation of the corrective action is important, but should not be so rigid and bureaucratic that the process steps become more important than taking action to correct the problem. The problem must be investigated and the root cause determined. After this determination, then an action plan can be prepared. The action plan will be sent to a designated person for review and approval. You may want to consider providing the designated review person with a summary of the supporting data so they have the information necessary to approve the steps to be taken to correct the problem.
After the corrective actions have been taken, it is wise to evaluate the problem to determine if the problem has been fixed. As an internal auditor, member of a corrective action team or member of management, you may be assigned to assess a system change as a result of a corrective action. You will be checking the effectiveness of the change to determine if there are long-term beneficial results.
You may also consider performing a follow-up audit for the purpose of confirming that the actions taken have effectively corrected the situation in the audit finding. A single auditor who was a part of the original audit team and who documented the finding would usually perform the follow-up audit. The follow-up audit could be scheduled in direct relationship with the corrective action target date. Or you can verify the corrective action during a subsequent regularly scheduled internal audit.
Evaluation of Audit Program Effectiveness
Audits and the audit program should be evaluated at a minimum annually in the management review meeting. The evaluation process could include:
- Observing audit teams performing an audit
- Examining auditor training records
- Reviewing audit schedules
- Evaluation of the sample audit program to ensure that the corrective actions and follow-up activities are working as intended
- Reviews by peers, subordinates and superiors
- Evaluating auditor performance and value-added contributions
In conclusion, you should use the auditing process as one of your tools for continuous improvement which is a key element of a quality system. If you've determined that meeting the expectations of your customers is critical to the success of your business, then auditing that performance is critical. An effective auditing program will assist you in determining how to improve the internal and external quality of your product or service.