How to write a Good Quality Audit Report

A good report should contain:

  • Who performed the audit – we might, as management, want to ask for clarification of detail.  External authorities might want to establish the credibility or independence of the auditor.
  • When the audit was conducted – we need to fix it in time so we can tell later whether improvements or incidents that occur later were as a result of changes we made.
  • What was covered, the scope of the audit – where did we start and finish, what did we cover and what did we not get time to do.  We need to avoid duplication of effort, but we also need to ensure our audits are comprehensive and cover all the areas of risk.
  • A summary of findings – this allows readers to quickly assimilate the impact of the report, were any issues raised, how severe is the risk if there were, do we have to take action now?  The summary should identify particularly successful areas of the system that could act as a guide to other areas.
  • Copies of Corrective Actions – The original of whatever corrective action form is in use might need to be re-examined to establish the detail of the finding, who has accepted responsibility to keep it under control or to fix it, and when is the fix required.

Often a pro-forma report is available electronically or in paper form, which then provides for a consistent format.  The exact structure or appearance is unimportant as long as it allows the recording of the information above.


Again, because of sensitivity and confidentiality, and because the nature and variance of the activity make a simulated corrective action report difficult to create, a list of what should be in the corrective action report follows. In line with these requirements, quality auditors should ensure their reports are objective and reference objective evidence.

Action Reports

Action reports have many titles: Corrective Action Reports, Opportunities for Improvement, Improvement Notes, Observation Reports, Non-conformance Notes etc. They all, however, provide the same service, and only the acceptance of the organisation’s culture dictates the title.

At the end of the day they are merely a way of recording and communicating a specific instance or concern which has been identified as a threat to the business or the public.  Typically they contain references to the location the incident was found (WHERE), who found it (WHO), perhaps a description of the cause if known (WHY), what exactly was found (WHAT) and a date to mark the time it was noted (WHEN).

Another major ingredient is the risk it is believed to present.  Many organisations use grading such as Major, Minor and Observation as a way of indicating this, but this type of definition then needs further definition of its own so that everyone has the same understanding.  Grading is covered a little later, so let’s walk through a typical CAR and identify the components and the reason they exist.  See the example form provided on page 30 for reference.

Corrective Action Report – Number

Every action raised should have a unique reference number that everyone can use to trace the problem and subsequent investigation.  Everyone concerned will know they are talking about the same and not similar incidents.

Raised By

It is important that the person responsible for identifying the concern should be known so that they can more clearly explain the problem if required.  They can also lead other parties to the evidence of the concern more quickly as they have the experience of how they located it.  It also enables analysis of the effectiveness of the auditors to be reviewed, the qualification of the auditor to be established (for external auditors) and it makes the CAR itself an auditable record.

Agreed By Department Manager

To avoid any conflict the person who has responsibility for the area under audit should accept the finding at the time it is identified.  This allows them to be warned early of the threat to their system and it allows them to question the finding and obtain satisfaction that it is in fact a threat.  This is a potential area for severe disagreement, and the auditor must be able to provide adequate evidence of the concern or they are likely to leave the Departmental Head unsupportive of the need to change, thus it is unlikely to change.


This section provides a reference point to the physical area in which the incident was noted.  The reference might be to an audit report number or other document leading to the raising of the CAR, e.g. it is possible to use CARs as a method of ensuring action is taken after meetings.


This fixes the incident to a point in time.  We can then see if the condition recurs, and we can set a period of time for corrective and preventive actions to happen within.

Problem identified

This is the description of what exactly was found, why it is perceived to be a problem, and what the non-conformance was against.  In order to be a non-compliance the incident must be in violation of the plan.  Remember the plan contains the legislative and customer specified requirements as well as the company’s own methods of ensuring success.

So how can we ensure that this description contains enough to capture what we saw or found?  One way is to use the mnemonic, or a similar one of your own, shown on the bottom of the CAR form:

  • Problem identified
  • Evidence to support the concern
  • Scale or severity – risk
  • Time or urgency of response needed

We all know that raising Non-conformances or Corrective Action Requests is a PEST, but these letters enable us to ensure a complete description that will be useful in future action.  These critical ingredients of a good Corrective Action Form are explained as follows:

Problem identified: Simply means what exactly did you see or find.  This is best expressed in your own words rather than a technical style script and if the form doesn’t provide enough space then use the back or an attached piece of paper.  The important thing is to make it as comprehensive as time allows e.g. The records reviewed showed that the blenders on line three mixing plant were running outside the tolerances during the night shift throughout week 15.  Procedure 9 revision 1 states the required tolerances.

Evidence: No case was ever established without evidence.  Without it a statement is just that, and becomes only opinion.  No CAR should be raised because the auditor thought it would be a good idea, only because his knowledge and experience enabled him to demonstrate which part of the regulation, specification, procedure or plan the concern is in breach of.

Examples of the evidence should be quoted, e.g. Evidence of the out of tolerance blender was established from batch cards 29, 34, 38 and 45, all dated during week 15.

Scale: The scale of the problem determines an element of risk.  If the scale of the concern is large this indicates a potentially widespread weakness in the system: the problem has occurred often and thus the system is ineffective in keeping it under control.

If the scale is small, however, this may not mean the problem is small, only that it has occurred infrequently.  If it is also of low risk then the urgency to fix is reduced, e.g. From a sample of 30 night shift batch cards, 10 were noted to have no evidence of the checking of blender speed.  This sounds as if the system only worked two-thirds of the time!

Or, of the 10 batch cards, only one was for a product that was high risk for inadequate mixing.  This sounds less severe but, because of the nature of the problem, might still warrant urgent investigation.

Time: Time on a corrective action is critical.  It governs the effect it has and controls the way in which we treat the concern.  All of the other areas of Problem, Evidence and Scale lead only to the determination of how much time we should allow to investigate the issue.  As auditors we should attempt to make certain we identify the real cause of the problem rather than the symptoms in order to establish how quickly we need to fix it.

Action taken:  At the time of the finding it was probably appropriate to establish some form of action to immediately correct the problem, e.g. if the speed controller was not being used then it could be immediately put in place, and previous product could be quarantined pending investigation or rework.  This would hopefully remove the immediate threat.  The section supervisor or section head, rather than the auditor, often fills out this section, as it generally requires local responsibility; they sign to indicate that the responsibility for action has been accepted.

Action to prevent recurrence: This aspect may take a little longer to resolve.  The real reason the problem occurred might not be easily identified during the audit and may require some or even extensive investigation to locate.  Once located however the action taken should be sufficient to fix it for good, not just for the immediate future.  Most problems are usually due to:

  • Inappropriate requirement specified by the company itself, where a control that is too restrictive has been applied but has no reason to be applied in that way.  The cure is to eliminate the requirement or respecify it to a more manageable level.
  • Training of personnel was somehow inadequate or incomplete.  The surest cure is to complete, repeat or restructure the training to make it more effective.
  • Available instructions – the procedure or associated information was inadequate to control the risk.  The cure is to rewrite the procedure to cover the missing link and then retrain staff to understand the change.

Follow up findings: There is no certainty that the well thought out corrective and preventive action you decided upon has in fact cured the problem identified.  The only true test is that of TIME.  You cannot just assume that the problem has gone away because something was done; you have only increased the probability that it has gone, but can you see all the factors?  In reality you can only take your best and most educated guess, using the experience of personnel and knowledge of the condition, to make your attempt at the fix.  Who knows, you might get lucky and get it right first time, but what if you didn’t?  The only way to be sure is to leave it a while and then go back.  Take another sample or audit the area again and see if the same problem jumps out.  If not then great, but also make sure the fix hasn’t caused a whole heap of other problems that made it worse, not better.  You won’t know if you don’t have another look!

Closed by: When you can finally say the problem is cured someone can say so by authorising the closure of the note.  Other measures such as Key Performance Indicators should remain vigilant to later incidents that hopefully will not occur.

