9.2 QA activities Outsourced Internal Audit to be conducted BEFORE or AFTER Management Review?

One reason we require process managers to respond to OFIs in writing is because if the person performing the audit feels intimidated by area management or is unsure if the issue does warrant a NCR he can issue an OFI. Each calendar quarter the Internal Audit supervisor is required to review every OFI and of the OFIs is determined to be a NCi it is imedatel raised to NC status and a NCR is issued immediately. We don't use the Major or Minor categories. We treat all NCs the same way. So far this year we have completed audits of 8 processes in Operations and there has been 2 NCRs issued and subsequently closed, and 11 OFIs have been responded to and cleared.

 

I agree that it is worrying but it's basic human nature particularly for an auditor who works for the company he is auditing. Some managers take everything personal, I'm sure you know the type " Who are you to tell ME it's wrong". Many times the arrogant, loud-mouthed manager gets his way. The auditor covers himself by raising the issue as an OFI.

 

The use of 'wrong' was just pulled off the top of my head. The auditor would use other terms like "It is non-conforming', or 'defective', etc. We have a great Internal Audit process that is supported by Top Management completely. We also ensure that managers and staff work as a team. Management at all levels encourage their people to find errors and report them so "we can get it right" . I've always believed that a successful audit process is only possible when the adversarial attitude is removed completely. Even for CB audits we tell the auditor's up front if there are serious quality issues that we know about and are working to correct.

 

If the auditor has the expertise in the function and has clear understanding of your method/approach and the areas where it can still be improved, OFIs can be beneficial. ISO/IEC 17021-1:2015, in section 9.4.8, has this statement re: OFIs:

"The certification body shall provide a written report for each audit to the client. The audit team may identify opportunities for improvement but shall not recommend specific solutions".​

In ISO 19011:2018, there are only two types of audit findings based on this definition:

3.10
audit findings
results of the evaluation of the collected audit evidence (3.9) against audit criteria (3.7)
Note 1 to entry: Audit findings indicate conformity (3.20) or nonconformity (3.21).
Note 2 to entry: Audit findings can lead to the identification of risks, opportunities for improvement or recording good practices.​

There are ISO 9000 standard definitions for conformity and nonconformity. Unfortunately, there's no ISO 9000 standard definition for OFI. Hence, the confusion. IMHO, OFIs are not NCs. I based this position using the definition of the automotive sector's Rules for Achieving and Maintaining IATF Recognition (5th Ed), which specifies that:

"An opportunity for improvement is a situation where the evidence presented indicates a requirement has been effectively implemented, but based on auditor experience and knowledge, additional effectiveness or robustness might be possible with a modified approach".​

 

For internal audit purposes we do things slightly different from that which is covered by ISO19011:2018. All NCs are classified the same (no Minor or Major choice). We have eliminated the possibility of a process NC being classified as an OFI by making Managers respond in writing/email as to how they dealt with the OFI. We did this because on reviewing numerous audit reports we came to the conclusion that many OFIs were actually NC's. The auditor's were not 'soft-grading' it was just how they were describing the OFI. The QC Spervisor still reviews audit reports but now he looks closely at OFIs before signing off the QC inspection plan - we sample 25% of reports and hopefully that rate will fall soon but any reduction will be based on variables.

 

All processes are inspected and Internal Audit reporting is a process, we have guidelines to be followed. Incorrect classification of OFIs and NCs is only part of what is inspected. In our organization no process is exempt from a minimum of an annual audit.

 

Can you or the QC Supervisor just train the internal auditors on the proper classification of audit findings so you don't need an extra step just to validate the audit reports? Usually, a wrap-up meeting is administered with the auditee/s to discuss the highlights of the audit activity. This will include the audit findings (i.e. conformity and nonconformity), including OFIs and good practices. This is usually done prior to writing of the formal reports. If the reports are to be screened first by the QC Supervisor to correct improper classification, this stalls the audit process and may affect the results that were discussed during the wrap-up meeting.

 

I don't know how many people you have doing Internal Audits but read some of their reports concentrate in particular on OFIs and see how many are actually NCs. It may surprise you.

 

I think I indicated in an earlier post that it really doesn't matter if the auditor makes a mistake and identifies a NC as an OFI because managers must reply in writing to every OFI stating what they did to deal with it.

 

It's not odd it's smart audit management.

 

Isn't this a bit taxing to the managers? OFIs are supposed to be recommendatory and not mandatory. Section 6.4.10 of ISO 19011:2018 has this statement: "If specified by the audit objectives, opportunities for improvement recommendations may be presented. It should be emphasized that recommendations are not binding".

OFIs are not NCs. Though not for internal audit, i believe the statement in Section 9.4.5 of ISO/IEC 17021-1:2015 is also applicable i.e. "Opportunities for improvement may be identified and recorded, unless prohibited by the requirements of a management system certification scheme. Audit findings, however; which are nonconformities, shall not be recorded as opportunities for improvement".

You may need to consider Roxane's no. 1 suggestion. Try to get some feedback from the managers on whether they are comfortable of receiving OFIs that they are mandated to deal with.