ASQ CQA – 2. Audit Process Part 4

18. 2C3 Final audit report steps

Now we are coming to the third topic in audit reporting, which is final audit report steps. So, here on this slide, there are few important questions which the audit team or the audit team leader needs to be aware of when issuing the report. So the first thing which audit team leader needs to be aware of is whether this report is to be reviewed by client before this is issued to audity or not. The second question which needs to be considered here is that who issues report to the audit, whether this report is issued by client or by lead auditor or anyone else. The third question which needs to be considered is that what are the confidentiality considerations during report distribution? Who this report should go to, what are the considerations related to safety, security or the confidentiality of the report. So, these are some of the things which needs to be considered when you are issuing report.

Now, coming to three important things in regards to report issuing. One is the record retention. Second is the lessons learned, and third is confidentiality. We have talked about confidentiality earlier as well, but we have not talked about first two topics which are record retention. Let’s talk about this first, how long this audit report needs to be retained, and whether this needs to be retained or whether this needs to be disposed of, when this needs to be disposed of, in what format this report needs to be retained. So all those things need to be considered. The retention requirements could be based on the agreement between the participating parties or in accordance with the audit program or any other applicable requirement. Most of the times.

What I have seen is that the organization who is doing the audit, they have their own rules, they have their own archiving and the record retention procedure which tells that all these audits need to be retained for how long and what all documents need to be retained and what all documents need to be disposed of. Let’s hypothetically consider that the organization might have the requirement that the audit report needs to be retained for five years in the hard copy or in the electronic copy. And all the supporting documents need to be retained, let’s say for one year.

Whatever this is, the organization will have that rule, and those rules need to be followed. So if it says that report needs to be retained for five years, that means you retain the report for five years and after five years you dispose of, shredded, deleted from the directory. Many at times there are legal implications related to record retention.

So make sure that you just follow whatever is the requirement. So let’s say if the requirement says that all supporting documents need not be retained, then make sure that those are not retained. Because if you keep extra material, if you retain documents which were not required to be retained, first thing is that it takes space for the organization. It takes the hard disk space or it takes the physical space. But in addition to that, there are some legal liabilities as well, which probably you and me as an auditor might not know. So let’s leave that part to legal people.

And if it says that don’t retain supporting documents, then just don’t retain those documents. Now, coming to the second topic here, which is lessons learned. So whenever you do audit, there are a few things which you learn as a part of audit process. So let’s take an example where I did one audit and it was very important to take pictures of the product or the project being made. And I took my camera with me without thinking that this might or might not be allowed. But in that first audit, the audit did not allow me to use camera at the site.

So basically I had to miss on that part to have objective evidences in the form of picture. I could not do that. So this was a lesson learned for me that next time when I do audit, I make sure that I clarify all those things beforehand, whether the camera is allowed at the site or not. If it is not, then how I will get all the pictures or how I will get all the objective evidence is what I need. This could be done using the auditing people, taking the picture of the area which I am interested in. In another case, when I did audit during my early period, I did not clarify about the safety requirements, I did not clarify what all personal protective equipment I need to take myself, what all equipment will be provided by them. In most of the cases, safety boots you are required to use your own, and let’s say the helmet is provided by auditing.

So all those things need to be clarified. So in the initial audits I missed to clarify those things and that led to confusion at the audit side. So now I make sure that I clarify all those things beforehand before I start audit, that these are the equipment I will bring myself and this is what you will be providing me. So these are some of the lessons you learn at the individual level, but then at the organization level also there are some lessons which are learned during each audit. Those lessons learned or experiences need to be recorded so that you can avoid those in future. Some of these lessons learned could be negative, which will pose risk on the audit process, and some of these lessons could be opportunities as well, which you want to utilize.

So look at all these things, record these lessons learned, all the risks and opportunities related to audit, which will help you in improving the audit process. So this was about the lessons learned as regards to the audit process and the report writing. And then we have already talked a lot about confidentiality, that you need to maintain confidentiality because as an auditor you’ve come across number of things which are confidential in nature. So you need to maintain the confidentiality of that and you should not be disclosing that information to any other party without the approval of the client or with approval of the audit unless it is required by the law. So these are some of the things which you need to consider when you are doing the audit and completing the report.

19. 2D1 Elements of the corrective and preventive action (CAPA) process

And then once we have completed the audit, we looked at the third aspect of audit process which was audit reporting. In audit reporting we talked about audit report, how the audit report should be written. The audit report should be given well in time, the confidentiality should be maintained, the document needs to be retained and so on. So now we have issued the audit report to auditing. Most of the time people to think that this is the end of the audit. Now audit is complete, but audit is not complete until all the actions which were identified in the audit report are taken. So after issuing the audit report, the next important aspect in audit process is audit follow up and closure.

So as an auditor, you need to follow up on all the findings which were identified in the audit follow up, make sure that the necessary action is taken and if there is any need to reverify that, reverify that and then you close the audit report. Then only the audit gets completed. So this is the fourth topic which we will be discussing here, which is audit follow up and closure. Earlier also, we have talked about terms corrective action and preventive action. We will talk about these terms once again here in this section, when I say Kappa CAPA, kappa means corrective action and preventive action. So once the audit report has been issued, this audit report will have some non conformities which were identified during the audit. Now on those nonconformities, some action need to be taken. This action is called as Kappa corrective action and preventive action.

That’s something which will be done by the audit. So in audit follow up and closure, we will be talking about these five topics. The first topic is elements of the Kappa process. Here we will look at what all is included in the Kappa, the corrective action and preventive action form or the corrective action preventive action process, what all is included in that. So once the audit has received the audit report which has non conformities, what audit will do is audit will plan for the corrective actions and once those corrective actions are planned, those will be given to the audit team leader. So the audit team leader will review the corrective action plan. This is topic number two which is review of kappa plan and then verification of kappa. After the corrective action has been reviewed by the audit team leader, audit team leader will confirm to audit whether to go ahead with that corrective action or to modify that corrective action. Once the corrective action has been agreed, then the audit team will go ahead and take necessary corrective action.

Now that corrective action need to be verified. So auditor or the audit team leader will verify the corrective action. This corrective action could be verified by revisiting the site or through documentary evidences. So the next thing is follow up on ineffective corrective actions. So if the corrective action was not very effective in resolving the problem that also needs to be followed up. And in the last, when all the corrective actions have been completed, then the audit is considered as closed. One thing you would have noticed, that I started talking about Kapa corrective action, preventive action first, and then slowly I moved to the term as corrective action and I forgot about the preventive action and why did I do that? We will talk about later in this video as we go further and understand the definition of corrective action and preventive action and how that has changed in the recent ISO 9001. So, before we go any further, before we talk about corrective action and preventive action elements, or the kappa elements, let’s understand some definitions here.

And here we have three definitions. Definition of correction, the definition of corrective action and preventive action. Let’s talk about correction. Correction is the action to eliminate a detected nonconformity. So if a nonconformity has been detected, there is some action which is taken to immediately remove or eliminate that nonconformity. That is called as correction. So let’s say if I look at one assembly, in that one assembly, the bolt was loose. So this was my audit finding, or this was the non conformity that the bolt in the assembly was loose.

The correction is the immediate action which is taken. So the action would be to tighten the bolt. So this is correction. Now, what is corrective action? Corrective action is the action to eliminate the cause of non conformity and to prevent recurrence. So here we are not just talking about tightening that bolt here we are talking about all the actions which are taken to eliminate the cause of the non conformity. Why does this happen? And how can we prevent these bolts to be loose? So this is a corrective action. So corrective action is action to eliminate the cause. So you look at the root cause, you eliminate that. This is corrective action.

Many times people get confused between the definition of correction and corrective action. So correction is the immediate step which you take. Tighten the bolt. Corrective action is the action to eliminate that. So for that, you go to root cause. In root cause you will look at why this bolt was loose. This bolt was loose because this was not accessible. This bolt was loose because the operator could not see that this bolt was loose because during assembly there was vibration. And because of that these bolts become loose. So you look at all the causes and you eliminate that so that this problem is not repeated. That’s corrective action. Preventive action, on the other hand, is action to eliminate the cause of a potential nonconformity. Potential nonconformity means. This nonconformity has not yet occurred. Now, what has happened in ISO 9001 2015 edition is the requirement related to preventive action has been removed from that. So if you look at the standard, the standard has ten clauses and the clause number four to clause number ten are the requirements which organizations need to follow. So prior to 9001 2015, the prior edition was 2008 edition, in that there was a requirement related to preventive action, that in case of preventive actions, what all steps organization need to take.

But in the recent version of ISO 9001, those requirements have been eliminated. This is done with the consideration that having a quality management system is a preventive action. And instead of preventive action now the standard talks about the risk based thinking that whatever you do think about the risk, what all could go wrong. So with that thinking, the preventive action has been removed from the standard. So what you need to focus right now in regards to audit is the correction and the corrective action. And you will see that in many of the auditing related books also they don’t talk about kappa mostly they talk about the corrective action correction and the corrective action. So that is the reason I was not using the term kappa, I was using the term corrective action. And that is something which I’ll be using in this section as we go further.

So instead of kappa, I will be using the term corrective action. So, once again, when a nonconformity is identified in the audit report, the auditor need to take two action. One is correction. Correction is the immediate action to remove the problem or the contain the problem or the remedial action. And the corrective action is to prevent the recurrence. So these two aspects need to be considered when the audit receives the audit report which has a non conformity. Now, let’s look at the corrective action plan. What all are included in a corrective action plan? In the corrective action plan, the first thing will be a clear statement of the problem, what was wrong.

So the simple example which we took earlier was that the bolt was loose. So here we will put that in assembly number this, this the bolt number, this was found to be loose during the audit. So this is a clear statement of the problem. Then you look at the potential causes of the problem. So the cause of this problem could be that the boot was not accessible, the bolt was not visible or the bolt size is not right. Whatever potential causes could be, you list down those, then you determine if the similar problem exists or potentially could exist somewhere. And this you do with the intention to check whether the corrective action is required or not. Not every nonconformity might require a corrective action. If the non conformity is something which is a one off, which is a rare thing which has just happened and there is no chance of that thing getting repeated, then there is no point of wasting time in analyzing all these things.

So basically, you can skip the corrective action part. You can just do the correction and this is the reason you see whether this type of problem could happen somewhere else as well. Whether this board being loose was a single case and all other hundreds and thousands of units which you have, there’s no way that the board could be lose. If that’s the case, then you forget about the corrective action. But if there’s a possibility that this boat could be loose in other assemblies as well, or this bolt is actually loose in some other assemblies, then you plan for the corrective action.

And then once you have identified number of these potential causes, then you determine the action plan to avoid that. So if the bolt was invisible or the bolt was hidden, make sure that you put assembly in such a way that operator can see that bolt. So you take action to eliminate all the causes which you have identified, and then you assign the responsibilities and targets. If there is, then any action which takes time, which needs a lot of work to be done. So you assign that action to someone and you set a target date. So these are the elements of corrective action.