by J.P. Russell
Preparing a quality management system (QMS) or environmental management system (EMS) audit report can become a hurried punch list: a list of minor things to be completed at the end of a project.
By the time you are ready to do the report for the current audit, you are already planning your next assignment. Everybody wants the audit report right away, and every day you put off writing the report makes it more difficult.
So, you pull out your punch list, fill in the blanks, and move on to your next assignment. But, are you providing sufficient detail? The report is the product of your investigation and it will be referenced long after the assessment and oral reporting are done.
As a guide for this article about preparing and structuring an audit report, I am using the guidance provided by ISO 19011 [1].
ISO 19011’s clause 6.6.1 is about preparing the audit report, but most of the clause is a list of topics that should or may be included in the audit report. It is a de facto audit report checklist. The list includes the main ingredients that should be considered for every report and optional choices that may (could) be added depending on the situation.
Prior to the list of ingredients, the clause has two sentences with report preparation guidance. The first says the audit team leader is responsible for the preparation and content of the audit report. That doesn’t mean the audit team leader has to write the entire report by himself or herself to comply with ISO 19011.
I don’t think the audit team leader has to work alone on the audit report. Certain sections or findings can be assigned to others as long as the audit team leader takes responsibility for the content of the final report. The audit team leader or lead auditor should review and approve any content provided by others. When making assignments, the audit team leader should ensure expectations are known. The audit team leader is also responsible for meeting deadlines.
ISO 19011 says the report, which is the record of the audit, should be complete, accurate, clear, and concise. I prefer the four C’s (clear, correct, complete, and concise) because they are easy to remember.
It is also important to remember that the audit report is a record that states results achieved or provides evidence of processes completed. Records can include variables and both attribute and contextual data that can be traced and analyzed.
ISO 19011, clause 7.3.1k, covering generic knowledge and skills for QMS or EMS auditors, says auditors should have the skills to prepare audit reports. However, auditors are usually given a template, and the report, except for portions on nonconformities, becomes a fill-in-the-blanks activity.
This has the advantage of ensuring the topics required by the audit program procedures are included in the report. This also allows the lead auditor to focus on the findings rather than creation of the report.
This might be a good thing because, in my experience, I have found that many auditors are not skilled in writing. I have occasionally been shocked by the poor quality of audit reports that are created from scratch. Auditors might be required to have a secondary or tertiary education, but this unfortunately does not mean they can prepare a report that is clear, correct, complete, concise, and able to be understood by all.
ISO 19011 contains a checklist of items that should or may be in the audit report. There is no guidance or practical help regarding report structure or how the information should be grouped or sorted. Perhaps there is no specific report structure guidance because there can be many report variations, depending on the type of audit and client-audit program needs.
For purposes of this article, I have created a report outline as a starting point for the report structure. To help you understand how your report should be the same or different, I have also divided the topic into “should,” “may” and “JP’s suggestions.” The information in the “should” and “may” columns might also contain my interpretations and suggestions.
JP’s Audit Reports
Following is the outline I use for audit reports:
I. Cover page or logistics header: contextual information that characterizes the report.
II. Introduction and background: information regarding the purpose and scope that was contained in either the audit plan or notification letter.
III. Results and summary: the overall conclusions and recommendations.
IV. Detailed results: a listing of all findings.
V. Appendix: supplemental information that might explain or clarify the information contained in the report.
Many audit reports start with either a cover page or logistics header that contains contextual information (see Table 1) that dates or characterizes the report. The contextual information might be sorted, researched, traced, or analyzed. When designing audit reports, some auditors add everything they can think of in this section while others include very limited information.
Organizations should think about the data they need for data warehousing purposes: how much data is sufficient for current and future needs while not polluting the database with extraneous matter. What kind of data reports do you anticipate you will need? What information services might be requested by management, the client, external audit organizations, regulators, and other interested parties?
The introduction starts the main part of the report and normally contains background information that might include the audit purpose and scope (see Table 2). This section contains much of the material previously developed for the audit plan. I believe the audit objective and scope should be in the form of statements and not be just a list of words, such as conformance, compliance or performance for the objectives; plating, molding or ordering for the scope.
Logistical information such as audit dates and times, audit criteria, auditee organization and areas (processes) audited, the client, auditing organization and audit team members might be in this section in paragraph format. However, putting the contextual information here makes the introduction less searchable and retrievable for your data warehouse matrix.
The results and summary section (see Table 3) contains the overall assessment as to conformity or compliance to the audit criteria or achievement of the objectives. Conclusions can include passing or failing, recommended certification, and approval or disapproval. The conclusion should relate to the purpose or audit objective. This section could include any audit limitations or audit report qualifications.
For internal audit reports, I also like to report good practices found during the audit. Reporting best or good practices is important for continual improvement of other areas within the organization that might benefit from implementing the practice.
A good practice is not the same as an opportunity for improvement. A good practice is a process conducted in an outstanding manner. It might be something quite simple to implement, yet effective and efficient. It is something others in the organization should copy and benefit from.
The detailed results section (see Table 4) contains the findings on which the conclusions are based. This can be a list of statements sorted by clause, area and order of importance. This section or the summary section (Table 3) could include the expected auditee response or follow-up actions such as a corrective action plan and dates.
I have added an attachments section (see Table 5) because many reports include them. Every audit is different and might require other relevant or requested documents not normally included in the report.
How to Use the Tables
Use the tables as a checklist for your system and process audits as well as internal and external audits. External system audits are normally more formal, while internal process audit reports might be the simplest and most streamlined reports. The report complexity depends on the audit objectives, scope, client requirements and audit program guidelines.
Review the reports as a record that can be input into a data warehouse for data retrieval and analysis. Ask yourself, “What can I learn from the data (such as repeat nonconformities)?” Or ask, “What data can I provide the customers of the audit process?”
Ensure your reports contain all the relevant information needed for now and expected future needs.
- ANSI/ISO/ASQ QE19011S-2004, Guidelines for Quality and/or Environmental Management Systems Auditing—U.S. Version with Supplemental Guidance Added, ASQ Quality Press, 2004.
About the author
J.P. Russell is an ASQ Fellow and a voting member of the American National Standards Institute/ASQ Z1 committee. He is a member of the U.S. Technical Advisory Group to Technical Committee 176, the body responsible for the ISO 9000 standard series. Russell is the managing director of the internationally accredited Quality Web-Based Training Center for Education, www.qualitywbt.com, an online auditing, standards, metrics, and quality tools training provider. A former RAB and IRCA lead auditor and an ASQ Certified Quality Auditor, Russell is author of several ASQ Quality Press bestselling books, including Process Auditing Techniques; Internal Auditing Basics; ISO Lesson Guide 2015: Pocket Guide to ISO 9001:2015; and he is the editor of the ASQ Auditing Handbook.
This article first appeared in the ASQ June 2007 Quality Progress Standards Outlook column. Some concepts presented may be outdated. However, the message of the article is relevant today.