1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

As Internal Auditors, should we even care about Corrective Action?

Discussion in 'ISO 19011 - Auditing Management Systems Guidelines' started by Andy Nichols, Aug 17, 2021.

  1. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    It's common for Internal Auditor training to included details of follow-up and audit of corrective actions, taken in response to non-conformities. Why should Internal Auditors even care/be involved?

    If we draw a comparison with QC of products, the function simply reports the facts (it might be a vision system which does the QC, after all) - it's management who decide to address the nature of the non-conformity as: "use as is", "scrap", "rework", "replace" etc. The QC function simply checks that if the management disposition is to rectify the product in some manner, it's re-QC'd.

    Why, then, do we not adopt the same practices for Internal Audits? Simply report the facts and when appropriate, simply turn up to audit the scope and criteria (which may be that part of the QMS etc) as normal? Why do we insist on adopting the external model of participation in CA etc?
     
  2. RoxaneB

    RoxaneB Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    926
    Likes Received:
    1,081
    Trophy Points:
    92
    Location:
    Ontario, Canada
    Is not one of the steps within corrective action to implement actions that will prevent recurrence (of the nonconformance resulting from the same cause(s) that triggered the corrective action in the first place)?

    If the answer to the above is 'no,' then, hey, to your point, there is perhaps little reason in "caring" to look at it as internal auditors.
    If the answer to the above is 'yes,' then...

    Is not one of the purposes of an internal audit to assess the conformity to the QMS? If 'yes,' this would include ensuring that corrective actions do include steps taken to prevent recurrence of that which triggered a nonconformance.
    Is not one of the purposes of an internal to evaluate effectiveness of the the QMS? If 'yes,' a nonconformance that continually triggers corrective action which, in turn, states the same root cause and the same corrective actions, I would then suggest that effectiveness (of the corrective action process) does appear to be potentially questionable.

    Just because QC, within your scenario, is seemingly more focused on simply providing direction for a correction (i.e., as opposed to corrective action), I fail to follow the logic that internal auditors should keep the same path (i.e., show up, check some boxes, leave). This approach does little add value to either the organization or the internal audit process.
     
  3. John C. Abnet

    John C. Abnet Well-Known Member

    Joined:
    May 23, 2017
    Messages:
    709
    Likes Received:
    510
    Trophy Points:
    92
    Location:
    Upper Midwest- USA
    Well, @Andy Nichols, the short answer to your post title is, "NO".


    Not because any of us have such an opinion, but because ISO 9001 9.2.1 clearly states "...to provide information..."

    Now, an opinion (based on experience).
    ISO 9001 9.2.2 goes on to state...
    d) ensure that the results of the audits are reported to relevant management;
    e) take appropriate correction and corrective actions without undue delay;

    I don't find it an accident that "take appropriate...action..." comes AFTER "...report...to relevant management".


    As I teach in my internal auditing course, unless "relevant management" assigns and delegates duties beyond "provide information" (something I council against doing for the same reason(s) Andy Nichols CQP MCQI is stating), then indeed the auditor's duties stop at "provide information"...as part of the audit report. Likewise, 9.3 requires results of audits as input into management review.

    The sequence and logic of requirements as stated in the standard is consistent with my experiences and council, wherein, Top Management holds the key to resources and accountability. Therefore, to put those burdens on the auditor is illogical, impractical, (and a "cop out").

    Be well.
     
  4. John C. Abnet

    John C. Abnet Well-Known Member

    Joined:
    May 23, 2017
    Messages:
    709
    Likes Received:
    510
    Trophy Points:
    92
    Location:
    Upper Midwest- USA
    Good day @RoxaneB . I don't disagree with you very often (first time ?!?), but I do in this case. I am not implying that internal auditors can NOT be assigned follow up responsibilities or that they should not be aware of how actions were taken to address what they wrote as a nonconformance. However, I do see this as a slippery slope and one that most organization's should avoid based on my experiences. Most (all) internal auditors I have worked with have a proverbial "day job". In other words, they are on a hamster wheel of OTHER responsibilities for which they are actually held accountable to. To place the burden of holding accountability over their peers (which often takes multiple "attempts" and of course this involves considerable time), is simply not realistic in any of my observations. Oh, I've seen it "done" (attempted), and the result was usually frustration, bitterness, bad feelings with the peers whom they are holding accountable (remember, many of these assigned internal auditors have no actual authority), and often, a failure of any effective corrective action being applied.

    From my experience and based on my interpretation/opinion, the standard is wanting the auditor to REPORT (provide information) and top management to assign resources and hold accountable. Even if my interpretation is incorrect, my experiences tell me that this is the most effective approach.

    I'm not generally an advocate for a standard (i.e. 9001 in particular) from being overly prescriptive, but from what I observer, a clear requirement for audit results and response to be owned by top management, would likely be helpful.

    Be well.
     
  5. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    In my analogy, QC doesn't do anything to be involved with the actions taken by management to resolve the issue detected with the product. They provide the facts/details as to the observed non-conformity. This is a very strong analogy to auditing the QMS. As @John C. Abnet is suggesting, management are responsible for defining, implementing and controlling their processes to achieve conformity to requirements and, ultimately, lead to customers' satisfaction. If a (product) non-conformity exists, management should (I've seen plenty of instances where they don't of course) identify a course of potential actions (scrap, rework and so on), based on the various reports, to deal with the product and "get it off the books" (whether it made any money or not is their issue to deal with) and, ultimately leading to removal of the reasons the product failed QC.

    It seems to me that there's plenty of value (when doing internal audits effectively) in mirroring this Process>QC>NC>Analysis of NC Data>Action to Correct/Corrective Action approach but applied to the QMS. Indeed the value comes from determining if the process is ineffective vs not being complied with (or other scenarios) and reporting that as audit findings (non-conformities) as an input to managements' decision on what do do about it. Internal audits can then be scheduled to determine/verify how well the management supported actions really worked.

    I fear that, with the conflating of the three types of Management Systems auditing and their quite different objectives, we've lost sight of the role of the Internal Audit and added a degree of responsibility which is a) inappropriate and b) given to people with zero authority (in most cases).

    Time to stop feeding on the hype that CBs have been feeding us about "value-adding" audits and correct the various trainings to steer them away from the CB model of audits.
     
  6. RoxaneB

    RoxaneB Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    926
    Likes Received:
    1,081
    Trophy Points:
    92
    Location:
    Ontario, Canada
    I'm not suggesting that internal auditors do the actual follow-up nor am I suggesting that internal auditors evaluate the exact content of the steps take to prevent recurrence. However, an internal auditor, as part of the internal audit, can assess the effectiveness of the corrective action process by determining if there are repetitive nonconformances (where 'repetitive' = similar effect(s) + similar cause(s)).
     
  7. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    If the internal auditors are tasked to "provide information" on conformity and effectiveness of the QMS (clause 9.2.1), then I don't see disadvantages when they are also tasked to "review the effectiveness of any corrective action taken" (clause 10.2.1d) on nonconformities that were found on internal audits. For other nonconformities found outside the internal audit (such as from customer complaints, nonconforming products, regulatory infringement, etc.), the "authorized" individual/function who raised the nonconformity, is usually, has more interest in checking the effectiveness of the corrective action/s taken.
     
  8. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    I'm wondering, Tony, if the need for follow-up from an audit non-conformity could be treated as simply another audit, with a scope and criteria which directs the auditor appropriately. I believe that the idea of "follow-up" audits is a very external audit approach and as a result, (here in the USA, most commonly) there's a 30, 45, 60 day schedule which is (arbitrarily) applied.
     
  9. John C. Abnet

    John C. Abnet Well-Known Member

    Joined:
    May 23, 2017
    Messages:
    709
    Likes Received:
    510
    Trophy Points:
    92
    Location:
    Upper Midwest- USA
    I would offer one further consideration @Andy Nichols . I'm not sure why any organization treats any nonconformance uniquely. For example, in the organization's where I've been employed, we tracked "incidents" via a data base. That data base had a toggle to allow us (require) us to identify the category of the incident being documented. The categories included "result of audits"

    Except for the ability to run the reports specifically by a selected category, all were treated identically. There was an assigned process owner and a due date. The report would identify "Due" date and could be filtered by "overdue". This was reviewed during leadership meetings. It did not "matter" if it was a nonconformity from an audit (internal or 2nd or 3rd party) or a product nonconformance, or even an injury/health/safety issue. All nonconformances went into the same data base and assigned a process owner. If one showed up on the "overdue" list, we (leadership) would challenge as to why it was overdue and what, if any, resources were needed to correct the situation.


    No distinctions = best approach in my experience.

    Be well.