The Audit is Over! Now What?
The audit is over. Now comes the time to manage the outcomes of the audit. Whether this is from an auditors or auditees perspective.
Auditors will generally only need to write up the report. But this report may bounce back and forth between other members of the auditing party or even between them and the auditee.
Very large audits, specifically compliance audits which can cover large aspects of the legislation may take time to complete. These types of audit report may even be sent to the auditee as a draft version for verification of details or even require additional documented information for evidence and verification.
Some auditors may require the auditee to complete non-conformance reports which detail the audit finding, as well as an action plan from the auditee.
From the Auditors Perspective
Once an audit is over and the close-out meeting between the auditors and the organization has occurred, the auditors need to write up the audit report.
The lead auditor will gather the observations, notes, and findings from the audit team to populate the audit report before sending it off to the auditees. An audit report should cover the following:
- The executive summary contains a brief outline of the audit conducted, and the findings within the audit.
- The executive summary can also include a conclusion which points to the overall conformance with the audit criteria and if the system is being properly implemented and maintained
- Audit Report
- The definition of the types of findings or findings ratings
- Audit scope
- Audit Criteria
- Audit objectives
- Evidence guide – stipulates the type(s) of evidence gathered during the audit, documents referenced, and records reviewed.
- Audit Schedule
- Questionnaire or Detailed Criteria
- This section may go into detail for each clause or compliance obligation, highlighting evidence (documents, records, photographs, etc) and findings.
- Audit Nonconformance Report Template (optional)
- This section can contain specific nonconformances, a detailed description thereof, the standard and/or clauses applicable, and an auditee action plan with a root cause analysis and proposed completion date.
The lead auditor should aim to have the final report with the auditee as soon as possible. During the closing meeting, the lead auditor should be able to commit to a date for the final audit report.
From the Auditees Perspective
After the close-out meeting, with feedback is given to your organization about the audit conducted, your organization can begin its post-audit management.
1. Assess the organization’s management of the audit
Your organization, or the Top Management and the Management Representatives can have a brief discussion of how the organization managed the audit overall. This discussion can include the overall preparation and planning for the auditors, strengths, and areas of improvement.
2. Reflecting on the system(s) holistically
Management system audits may only focus on certain criteria or clauses within the ISO Standard. Because of this, findings or opportunities for improvement that have been identified for one clause may hold relevance for another clause. For this reason alone, the management representative for a management system needs to decide with their team if they can apply any of the learnings and outcomes of the audit in other areas of the management system.
Similarly, if your organization runs several different management systems, which may or may not interact with each other, a finding or opportunity for improvement identified in one management system may apply to another management system.
The same applies to compliance audits. If a single permit is being audited and findings or opportunities for improvement are identified, they may apply to other permits.
3. Recording Action Plans and Finding Close-Out Progress
Your organization will probably have a process in place which not only tracks the action plans for audit findings but the progress of the close-out as well.
As soon as the final audit report has been received, it should be logged into this system. Action plans, tasks, due dates and responsibilities should be captured accordingly.
This not only allows your organization to reflect on what has been done, but auditors in future audits will most likely request to see evidence of close-out of findings.
Evidence of close-out can refer to before and after photographs, root-cause analysis investigations, changes to documented information (update of procedures and processes), additional monitoring reports, training records, etc.
Overall, audits require planning and preparation, during the audit process, the management representatives are usually dedicated to answering questions and providing audit evidence. But the job doesn’t end when the audit is over, it triggers a new set of tasks which will inevitably tie into the next audit. An audit should not only be seen as an assessment of the system or compliance obligations but as an overall opportunity to improve on the system.