Why is follow-up important in the internal audit process?

Clause 6.7 of ISO 19011 covers distribution of the audit report, including conducting the audit follow-up.

by J.P. Russell

This column is devoted to a review of ISO 19011 topics. I discuss a different topic and follow that with a quiz so readers may evaluate their understanding of the information. Readers are encouraged to share this column during short informal meetings with other auditors or interested parties, which I believe will result in more effective audits. Text from ISO 19011 is in italic.

Clause 6—Performing the audit, is a major part of ISO 19011. The clause covers the typical audit activities for preparing, performing, reporting, and following up on an audit. This column is about distributing the audit report.

Conducting the audit follow-up

Clause 6 starts out with a statement that the conclusions of the audit can, depending on the audit objectives, indicate the need for actions. Audit reports normally contain conclusions, but the need to act or respond is dependent on the audit objectives or purpose. The ISO 19011 clause that provides guidance on defining audit objectives for an individual audit includes determining the extent of conformity, evaluating capability, evaluating effectiveness, and identification of areas for improvement. Initially, it may seem like following up on audit report findings would be automatic. If it’s a third-party certification audit and the report indicates there’s a need for action, it would be necessary to verify that action before issuing a certification. If you are conducting a second-party supplier audit, the customer would expect any nonconformities to be corrected. The same is true for an internal audit—management expects the audit results to be addressed.

When not to follow-up

However, not all audits require a formal follow-up audit by the auditing organization to verify nonconformities or opportunities for improvement. For example, there are audits that do not require the auditee to act on the audit results, cases where auditee actions do not need to be verified by a formal follow-up audit, and situations where the audit program manager believes the audit process ends with the audit report.

Although an audit is centered on determination of the extent to which agreed upon criteria are fulfilled or met, the audit purpose or objectives can vary greatly depending on the context of the organization and relationships between parties. For example, audit results may be used for implementation purposes, to verify or determine capabilities, or for information-only purposes such as assessing risks of a new venture.

The auditing organization has many options for conducting a follow-up audit. Verifications of actions taken could be done remotely instead of onsite, as an audit or an inspection. For first-party audits, the auditee management, instead of auditors, may ensure actions are verified.

Clause 6.7 has been controversial. Many individuals prefer that the audit process end with the audit report. However, others believe the audit process does not end until findings are acted upon. To close the loop on the audit process, someone needs to make sure organizations respond appropriately to the audit results and that the audit program is accountable for the quality of service it provided. This clause is very short but the consequences to the audit program and auditee organization are significant.

What’s important is that you realize that not all subsequent actions as a result of audit findings need to be verified and that a formal follow-up audit may not be necessary. Audit organizations must consider the cost versus the benefit of a formal follow-up audit.

Auditee actions

Actions include the need for corrections, or for corrective, preventive, or improvement actions. Some people still struggle with the difference between corrections and corrective actions. Corrections is the official ISO term for eliminating a detected nonconformity. It includes the five R’s: rework, re-grade, reject, repair, and release. Other terms to describe similar actions include remedial action, containment action, or quick fix. In contrast, corrective action is action to eliminate the cause of the nonconformity or undesirable situation to prevent it from recurring. The difference between preventive action and improvement action is less clear. Both actions benefit the organization either by eliminating potential nonconformities or enhancing performance.

Corrections or remedial action may be done singularly or as part of the corrective action plan. It may be determined that a nonconformity is a result of an isolated incident (special cause) and that only corrections or remedial actions are necessary.

On time?

Actions (such as corrections and corrective-preventive-improvement actions) are usually decided and undertaken by the auditee within an agreed upon timeframe. This is good guidance but many organizations still don’t follow it. In some cases, auditee managers want the auditor to tell them what to do because they think it’s faster and easier. In other cases, audit program managers like to specify a time for all nonconformities to be addressed, such as 30 days. The advantage of the agreed upon timeframe is that some problems are more complicated and take the auditee organization longer to investigate and solve. It’s important to address findings in a timely manner, but it’s more important to eliminate the cause of the nonconformity so that it doesn’t recur.

ISO 19011 doesn’t mention that there needs to be a corrective action plan. A plan is critical for identification of a solution that eliminates the cause of nonconformity. However, unless the management system standard requires a corrective action plan, the auditing organization cannot require it. Yet planning is a critical aspect of problem solving to ensure future nonconformities from the same cause will be eliminated. For internal audits, management can require corrective action plans and, therefore, the internal auditing organization can require a corrective action plan by a specific date. The advantage of requiring a corrective action plan is that management can review the plan to ensure the solution is likely to eliminate the cause(s) of the problem/nonconformity. This method is more efficient than finding out at the follow-up audit that the solution did not address the problem. The amount of planning will vary depending on factors such as simplicity/complexity of the problem, authority level of the person(s) doing the planning, expertise of the planners, and so on.

For second-party supplier audits, customers could require a corrective action plan depending on their relationship with the supplier. Third-party independent auditing organizations cannot normally require corrective action plans. However, submitting corrective action plans for review can be optional or contractual. Requiring corrective action plans and reviewing them before resources are consumed supports the “Do it right the first time” approach.

If a nonconformity is critical to quality, environmental controls, or safety, and could result in unauthorized release of pollutants, injuries, and defective products or inadequate services, then the solution needs to be fast-tracked.

Status of Solutions

Next, the standard guidelines state, as appropriate, the auditee should keep the person managing the audit program and the audit team informed of the status of these actions. Using the words as appropriate makes the guidance flexible and open-ended. If the audit program function is responsible for verification that the nonconformities/findings were addressed, appropriate personnel need to be informed for scheduling purposes.

There are a host of approaches and solutions for tracking auditee actions, including many electronic and software solutions. When selecting software tracking programs, audit program management should ensure the software assumptions and data controls are consistent with audit program methods and objectives. In some cases, software can render the program less effective. When considering software solutions, be on guard (alert, watchful) for bloated template reports, the negative cultural effect of notices and warning letters/email, inconsistency with organization terminology, difficulties rescheduling or making changes, inability to control access, wrong assumptions in the design, ease of use, flexibility to address atypical situations, etc. Tracking processes can be complicated, or as simple as on time, overdue, or verified.

Verified

The completion and effectiveness of these actions should be verified. First, the completion of the corrections and corrective-preventive-improvement actions should be verified. For corrective-preventive-improvement actions, where the system is being changed to eliminate the underlying cause, the solution may first be tested or piloted on a small scale. This step is advisable and prudent to avoid unintended consequences of a system-wide change. In some cases, auditee organizations close a corrective-preventive-improvement action upon completion of the test or pilot if it was determined to be effective. Some actions need capital funding and other resources, leaving the corrective action open for a long period of time. Some audit organizations close corrective actions pending final implementation. At a later time, audit program managers schedule a system-wide verification of the implementation of the solution.

Next, the auditing organization should verify that the actions were effective. Effectiveness is defined by ISO 9000 as the extent to which planned activities are realized and planned results achieved. This means auditors must investigate both the process and the results. The corrective action will be effective if the results (metrics) were achieved and the process is capable and efficient. For example, adding three new inspectors and five new inspection stations to the process to achieve quality level objectives may not be an effective solution. It’s not uncommon for solutions to have unintended consequences such as decreasing the efficiency of processes or changing the output of a process such that it is no longer viable (useful). The test or pilot of the solution should reveal ineffectiveness issues.

This verification may be part of a subsequent audit or an individual follow-up audit. Follow-up may be conducted on-site or remotely as an e-audit. It may be conducted by the original auditing organization or subcontracted to a surrogate or proxy auditor or organization. Subcontracting may be favorable due to travel expenses or the need for expertise.

Conclusion

Results come from checking, not expecting. This statement closes the loop on the audit process. Why should organizations conduct audits if they don’t benefit from them? The audit follow-up is as simple as addressing all the findings, taking remedial and/or corrective-preventive-improvement action, and verifying that auditee actions worked as intended.

Audit Follow-up Quiz

Please choose the best answer considering the guidance provided by ISO 19011.

1. What is the need for action on audit conclusions dependent upon?
a) availability of resources
b) an agreed upon timeframe
c) audit objectives
d) auditee approval

2. Who decides what actions need to be taken as a result of audit findings?
a) audit team leader
b) customer
c) audit program manager
d) auditee

3. Who is responsible for keeping the appropriate parties informed about the status of the actions taken?
a) auditee
b) audit team leader
c) audit program manager
d) none of the above

4. What must be verified as a result of audit findings?
a) an acceptable timeframe
b) completion and effectiveness of auditee actions
c) auditor credentials
d) legal credentials

Quiz answers are below the about the author section.

About the author

J.P. Russell is the founder and managing director of QualityWBT Center for Education. He is an ASQ fellow, ASQ-certified quality auditor, voting member of the American National Standards Institute/ASQ Z1 committee, member of the ASQ Z1 Auditing Committee and member of the U.S. technical advisory group for International Organization for Standardization technical committee 176. Russell is a recipient of the Paul Gauthier Award from the ASQ Audit Division and author of several ASQ Quality Press books about auditing, standards and quality improvement.

Conducting the audit follow-up quiz answers

  1. c) System audits are conducted for many different purposes besides conformity to a management system standard. The audit objectives need to be considered when determining the need for corrections or corrective-preventive-improvement actions.
  2. d) The actions are usually decided and undertaken by the auditee within an agreed upon timeframe. Auditors find the nonconformities or opportunities for improvement but should not decide what to do about them. It would be a conflict of interest and additionally, auditors are not normally experts in the areas they audit.
  3. a) As appropriate, the auditee should keep the person managing the audit program and the audit team informed of the status of these actions.
  4. b) The completion and effectiveness of auditee actions taken as a result of the audit should be verified.


What is follow up in internal audit?

Follow-up Audit is an audit which verifies that corrective actions have been accomplished as scheduled. It determines that the actions are effective in preventing or minimizing future recurrence. Usually, a Follow-up Audit includes a Follow-up Review and a Follow-up Report.

How important is the process of performing an internal audit?

The Role of Internal Audits: “The role of internal audit is to provide independent assurance that an organization's risk management, governance, and internal control processes are operating effectively.” An internal audit is conducted objectively and designed to improve and mature an organization's business practices.

What is the most important part of the audit process?

Evaluating internal controls: This is arguably the most important part of an audit and where many organizations can find a significant amount of value from having an audit conducted.

What is important for internal audit?

It Helps in Reducing Risk Factors: A regular check on staff accounts and compliance by audit prevents any potential internal threat. Through the evaluation of management processes and governance, the internal auditors predict future concerns and the amount of safe risk that the company can afford.