How are audit findings classified?
In line with ISO 19011:2018 i.e. (guidelines for auditing management systems), audit evidence normally would be evaluated against audit criteria in order to determine audit findings. Broadly speaking, audit findings can be graded as either a conformity or nonconformity.
In addition to classifying the audit findings as conformity or nonconformity, audit findings can also be classified as observations or opportunity for improvements.
These are all the possible approach to classifying audit findings i.e., conformity, nonconformity, observation and opportunity for improvement.
What does each finding mean?
Conformity is an audit finding that shows that the specific requirement of the standard has been sufficiently fulfilled within the audited process or area of the management system. For instance, clause 8.2 of ISO 27001:2013 mandates that risk assessment should be conducted and report of the outcome of risk assessment exercise should be available as documented information. In such a case, the risk assessment report serves as a reliable evidence to demonstrate conformity with the requirement of the audit criteria on risk assessment.
Nonconformity in line with the ISO 19011:2018 standard can be graded depending on the context of the organization and its risks. This grading can be quantitative (e.g., 1 to 5) and qualitative (e.g., minor or major). However, in practice, nonconformities are usually classified into either major or minor by virtually all certification bodies. A nonconformity simply refers to non-fulfilment or partial fulfilment of a requirement. In other words, it is a major breakdown or partial breakdown in the system.
Going by the example cited under conformity, supposing the risk assessment was not conducted as required by the standard, then we have a nonconformity situation at hand. A major nonconformity is a total or significant breakdown within the management system while a minor nonconformity is a small defect or weakness within the management system.
Observation could be positive or negative depending on the situation. Positive observations normally include good practices along with their supporting evidence as noted within the client’s management system while negative observations usually speak to potential nonconformities. In other words, a weakness that might occur if nothing is done to prevent its occurrence. An example of positive observation is high level of automated processes as spotted within the environment while example of negative observation could be a routine maintenance that is due within a week after the completion of the audit.
Finally, we may classify the audit findings into opportunities for improvement in which case, we have found sufficient evidence to demonstrate conformity with the requirement of the management systems, however, we have also noted a more efficient approach to conforming with this requirement. An example here is using a visitor management solution to manage visitors’ activities in the organization as against using manual log-book.
The importance of issuing audit findings
Audit finding will simply help us to arrive at audit conclusion. Without audit findings, we cannot provide our recommendation as auditors. An audit process is expected to be concluded with expression of an opinion, the audit finding is the basis for expression of this opinion i.e., whether a requirement was found in place or not. Hence, the quality of the audit outcome is highly dependent on the audit findings.
How those can help companies to improve?
Audit findings can either be a positive finding which can either be classified as conformity or opportunity for improvement or nonconformity or observation. In any case, audit findings mostly do unravel certain details either positive or negative that might have not been identified within the context of an organization.
Because of the nature of audit as an independent activity, a lot of times, some nonconformities or weaknesses are normally discovered during an audit exercise. When nonconformities are given proper attention (by applying correction and corrective action), they always translate either into some cost savings, optimized processes and realization of the management system goals and objectives and by extension realization of the business objectives amongst others.
The way to respond to the findings
Once a nonconformity is declared and agreed with the client, a nonconformity report will be issued by the auditor to the auditee. Whenever an audit finding is classified as a nonconformity resulting into a weakness(es) within an organization’s management system, a response would be required from the auditee’s organization to be shared with the auditor(s) in response to the issued nonconformity report by the auditor.
The auditee would need to respond to the raised nonconformity by providing the following:
- root cause analysis,
- correction and corrective
- action respectively.
The root cause will aim to address the problem from its source in order to ensure the nonconformity is tackled from its root. A common technique used for addressing this is called the fishbone diagram also known as the Ishikawa diagram – identifies possible causes for an effect or problem.
Also, a correction will be proposed to contain the problem from spreading further into other areas of the management system. Hence, a correction is a short-term measure or a containment strategy.
The corrective action will aim at eliminating the root cause of the problem and ensuring the problem does not reoccur again either within the segment of the management systems where nonconformity was raised or in any other part of the management system respectively.
These actions i.e., correction and corrective action would be evaluated or verified by the auditor to ascertain that the proposed actions can correct or prevent the reoccurrence of the identified nonconformity.
However, when the audit findings are a conformity, the auditee do not need to provide any response to the auditor.
Oludare Ogunkoya is a well-breed auditor from diverse perspective with over 20 years industry experience. He is an astute practitioner in the field of Governance, Risk and Compliance (GRC) in various sectors including financial institutions, manufacturing and public sector, among others. Since 2017, on behalf of MSECB, Mr. Ogunkoya has been leading audits for many large firms with a lot of diligence and in the most professional way. His will to cooperate, his impartiality, his punctuality, and his outstanding professional preparedness against ISO/IEC 27001:2013, ISO/IEC 20000-1:2018, ISO 9001:2015, ISO 45001:2018, and ISO 22301:2019 has been prominent in all the audits that he has conducted. We are honored to have Mr. Ogunkoya part of MSECB Auditors Network.