
Internal audit results - what do you report?

Discussion in 'ISO 19011 - Auditing Management Systems Guidelines' started by Andy Nichols, Aug 8, 2017.

  1. Andy Nichols

    Andy Nichols Moderator Staff Member

    I'm going to post this under the audit sub-forum:

    I was going through the agenda of an organization's Management Review and I was struck by the fact that the FIRST thing discussed was the results of internal audits. I then concluded that I'd never seen internal audit results reported in a manner in which management truly understand what they mean.

    How does your organization treat the results of your internal audits? What do management get from that report out?
     
  2. bkirch

    bkirch Active Member

    For management reviews, I just give a summary of the audits. I report how many audits have been completed, how corrective actions are on time or late, etc. I usually also report how many findings there have been in the different processes. If asked about the types of findings that were issued, I will give some examples.
     
  3. RoxaneB

    RoxaneB Moderator Staff Member

    How does that summary support leadership's ability to...well...lead? Why should they care about the number of audits or if people fixed stuff on time?

    When the forecast says there is an 80% chance of rain, we all instinctively know to dress appropriately, pack an umbrella, that sort of thing.

    When you tell your leadership "Process AAA had 80% of our findings this year", what should they do? What does that statement mean? Why should they feel concerned?...or should they feel concerned at all?

    The trick to management review and any audit report outs is, in my opinion, to make the recipient actually care about what needs to be cared about. If all I hear is "75% of our audit findings were people not following the documented procedures", big deal. What risk/impact/effect can that have on the organization? Put it in terms of the need to rework or dispose of nonconforming product...or loss of market share if you lose certification...or poorly trained staff because they're being trained on documents that don't reflect the actual process...

    It's easy to say that as leadership, they should know to make that leap. Let's be realistic...that ain't gonna happen and especially not if they entered that room with the mindset that the meeting is simply a box to be checked off for that piece of paper on the wall.

    The first time I went through this kind of exercise, I tried to show how the audit findings could have a negative impact on the organization's objectives. These were their objectives and the findings had the potential to hold us back in achieving them. Rank the findings - risk of impact, frequency, sort of sounds like a mini-FMEA (but the numbers could help prioritize how the findings are addressed).

    They may not agree with what you say the possible risks/impacts/effects are, but now you're having a conversation about the audit results, not the audit logistics.
     
  4. yodon

    yodon Well-Known Member

    RoxaneB is certainly on the right track, IMO.

    I work in a small company where management is fully engaged so going over the findings in the management review is quite redundant. So we do go over them but mostly in terms of any trends or higher-level actions.

    I could envision (outside my company) something like year after year reporting "we had x findings in document control and these have all been corrected." Management might nod thinking all was good. But if this is repeated year after year, there's really a deeper concern and management needs to provide resources to make the improvement.