In this post, we are going to discuss Internal & External Audit Findings Examples (Based on ISO 9001:2015). Through these examples, you will be able to understand exactly the mindset that an auditor would have during an internal audit or an external audit done by a certification body.
Types of findings:
ISO, the International Organization for Standardization, has defined the following types of findings within an audit.
- Positive – points that are being done well by the company
- OFI – opportunity for improvement
- Observation – something that didn’t happen, but should it happen – it would be a NC
- Minor NC – a breach of the standard that happened once
- Major NC – a major threat to the system – breach of the standard that happened multiple times – for example no Internal Audit was done, or no NC were recorded for a department within the company
Each type of finding that we note for our client must be value-adding. Therefore, if, through an internal audit, corrective action has already been outlined, and there is an action plan on how to solve such an issue, then there is no need for us to note another NC.
Most importantly, when finding a non-conformity we shall always state the clause that has been breached. Moreover, we must make sure that we only quote 1 Clause. There might be more than 1 Clause that is relevant for a specific NC, however, we must make sure to quote the single Clause that is most relevant to our NC.
Through this blog, we want to help you understand the types of Internal & External Audit Findings Examples (Based on ISO 9001:2015). Now, should we find a non-conformity, in the non-conformity report, we have to submit the following information:
|Description of the nonconformity|Identify scenario as nonconformity; clear description of nonconformity|
|Objective evidence|Quoting relevant evidence|
|ISO 9001:2015 clause and requirement|Identify the relevant ISO 9001 requirement|
If, on the other hand, we need more information we will fill in this form:
Audit investigation template:
The reason why there is not yet sufficient evidence for reporting nonconformity:

|Audit Trail|Evidence Sought|Purpose|
|---|---|---|
|The questions that the auditor will ask|Interview/document|Clause Number|
Internal & External Audit Findings Examples (Based on ISO 9001:2015)
XYZ Ltd. is a service inspection and testing company. In the Food Analysis Laboratory, two operators were not wearing nylon caps, and one operator had her laboratory coat undone and was wearing jewelry. The other three operators were OK. Procedure FAL 002 rev.2 (which is the current version), available in the area, clearly describes, in clause 7, the dress code, which requires that laboratory coats must be buttoned up, nylon caps must be worn, and wearing jewelry is not permitted.
This is a non-conformity. It can be raised against different clauses, depending on the reason:
- If top management didn’t provide the nylon caps: 5.1.2
- If people were not trained on how to do it: 7.2
- Top management allocated budget for caps, but they were not available on the shop floor: 8.5.1(d)
- The environment necessary for operation was not being maintained: 7.1.4
XYZ Ltd. manufactures food products. Whilst conducting an audit in the production area, you are observing the reactor unit on production line number 5, which is in normal operation. The pressure gauge shows 2.8 bar. The temperature gauge shows 128 degrees centigrade. The flowmeter shows 1.2 cum/min. All instruments have valid calibration stickers. You wish to see the Process Specification for this station. The operator shows the current version of specification PSC02, which stipulates the following process parameters:
Pressure: 2.5 ± 0.1 bar
Temperature: 130 ± 2 centigrade
Flow: 1.15 – 1.2 cum/min
You ask the operator how often the parameters are checked. The operator explains that this is normally done every hour and recorded in the process chart. You check the charts for the past few days and notice that the parameter readings have not been recorded since the last shift changeover four hours ago. The operator explains that he was busy cleaning the reactors on another line and did not have time to take readings. You had previously reviewed the procedure PP16, which indeed requires checking and recording the process parameters every hour. Further investigation showed that the whole batch produced on that shift did not meet the requirements.
Note that there are 2 deviations here. The first is that the pressure is out of spec, and the second is that PP16 requires readings to be taken every 1 hour, which was not done.
Even though the infrastructure is available, and the systems are in place, and the person knows what their role is, the measuring is not being done.
I would investigate further to determine the workload of the said operator, to establish whether 8.1 (operational planning and control) has been effectively planned to cater for that workload. The evidence that I would seek would relate to other shifts that had the same workload, to determine whether they could do the work needed.
If there is sufficient time, I would mark this non-conformity as per Clause 8.5.1(c) – the implementation of monitoring and measurement activities at appropriate stages to verify that criteria for control of processes or outputs, and acceptance criteria for products and services, have been met.
In the Quality Manager’s office of a leading travel agency in Malta, you reviewed a number of internal audit reports. You notice that regularly, in all audit rounds for the past two years, around 70% of non-conformances were noted in the design department. The procedures required auditing all departments at six-monthly intervals, and this had been followed strictly ever since the implementation of the system.
I would need to investigate further.
The problem here is that there seems to be a negative trend of non-conformances. So, to understand further, I would determine what type of non-conformances were found – whether they are the same non-conformance, or whether different problems are being created.
Now the standard states in 9.2.2(a) “plan, establish, implement and maintain an audit program(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits”.
Moreover, I would investigate, as per 9.3.2(c)(6), whether these were discussed within the management review meeting, and whether appropriate action was taken.
In the production hall, you noticed two weighing machines. Weighing machine serial no. 1624 had an affixed label stating the due date for calibration which was over 4 months ago. Weighing machine serial no. 1636 had no calibration label attached.
This can be seen as non-conformity, as follows:
- Serial number 1624: Clause 7.1.5.2(a)
- Serial number 1636: Clause 7.1.5.2(b)
However, in this case, we would say that further investigation is required. Not having the label does not mean that it was not calibrated:
- Are they being used in the production? Interview people
- If using, is it going to affect the product conformity/quality (8.5.1)
- Does this equipment require calibration?
- If yes, I’d want to see calibration records
- Who are the people responsible for putting the sticker on this scale (5.3)
During the audit in the design department in XYZ Ltd., you reviewed the Design and Development Manual and noticed that it did not contain procedures for design validation. Further, you reviewed the documentation pertinent to a selection of ten completed projects # 99/007, 99/010, 99/020, 99/025, 99/031, 99/042, 99/051, 99/054, 99/062 and 99/070 and were unable to find any records of design validation activity. The Design Director explained that, as every design was unique and one of a kind, the requirement for design validation was not applicable to the products they were designing.
This is a non-conformity.
Clause 8.3.4(d) states that “validation activities are conducted to ensure that the resulting products and services meet the requirements for the specified application or intended use”. Now the problem here is that the Quality Manual does not include the requirement to do design validation. If you accept that 8.3 will be included, you will have to accept all requirements of 8.3 – and cannot exclude just part of it, for example, validation.
In the design department, you reviewed the list of five quality objectives for that department. You asked if the results of the planning that was carried out to achieve these objectives were created as part of the documentation required for ISO 9001:2015. The design director replied that no such document was prepared, as he believed that it would suppress creativity.
This is not a non-conformity.
Clause 6.2.2 does not require documented information to note the plan, and therefore, as such the document being requested does not need to be prepared.
In the material stores, you noticed that there were no tags or stickers to show the inspection status of the materials. You previously visited the assembly line and noticed that tags or stickers were being used to identify the inspection status. The storekeeper explained that there was no need to use stickers or tags as all incoming material was kept in the receiving area until verified and accepted. Only accepted material was being allowed into designated areas.
In this case, more information is needed. Is this system working? Are there NCs being caused due to this?
In the Quality Manager’s office you review the internal audit reports and note the following:
Report 03 shows two corrective actions outstanding (due ten months ago)
Report 05 shows one corrective action outstanding (due six months ago)
Report 07 shows one corrective action outstanding (due four months ago)
There is no evidence of follow-up action.
This is a non-conformity because 9.2.2(e) states “take appropriate correction and corrective actions without undue delay”.
The hospital, XYZ plc, operates emergency ambulance services. Whilst auditing the Ambulance Department you ask if there were any documented procedures or instructions for paramedics covering first aid, resuscitation, etc. The head of the department explained that as all paramedics are highly competent there was no need to have any such instructions in writing.
I would need to see more information. Mainly, relating to checking the competence of the paramedics to ensure that they are competent in covering first aid, resuscitation, etc. I would see the job descriptions of the employees, and check the skills required – including training records/certificates.
I would also check other metrics, relating to customer feedback relating to this situation. Are there any other risks relating to this, and have they been discussed accordingly?
XYZ plc manufactures various cosmetics. In the despatch area you are reviewing the products released for shipment and notice that the quantity of anti-wrinkle night cream “Gloria” (Production Order Number 99/6802) which was kept on three pallets and marked ‘ready for shipment’, did not have the following marked on the boxes:
- Batch number.
- Production date.
- Expiry date.
Procedure FP 001, clause 7.8 requires that the above-mentioned information must be printed on the boxes for all creams and lotions.
This is a non-conformity. The procedure FP001 states that the said information must be attached to the product before shipment.
In this case, the problem relates to traceability (8.5.2). We can also talk (with 2nd priority) about 8.6 – release of the product. Who has released the product, and why was 8.5.2 not checked?
In the organization ABC, while auditing the Purchase function for the Risk Process, the Purchase Manager replied that there was only one risk identified, due to the external issue related to a single supplier for a key input material, PA 6. When asked how they have planned to address this risk, the Manager informed you that they have decided to always maintain 180 days of inventory to face any potential crisis situations due to supply chain issues arising out of this single supplier. On further investigation, it was found that during the past 12 months after this decision was implemented, there were several occasions when the inventory levels were found to be much lower than the stipulated level. When questioned, the Manager said it is not always possible to maintain this level of inventory. In fact, in the production line that you had visited earlier, it was indeed found that production had been stopped due to a shortage of this key input.
Investigate further, because it might be that the supplier is not able to send all the material that we need, or maybe we don’t have enough space to store all of this material. Now, when the production stopped, was there a non-conformity raised (10.2)?
More importantly, the risk has already been identified, and as per 6.1.2 the effectiveness of the action taken has not solved the problem at hand.
During an audit of a multidiscipline engineering design, consulting, and project management firm, you review the project control process. The process involves a number of gateways at which approvals by authorized personnel are required. Gateway 3 – authorization to submit fee proposal – involves a risk assessment where a number of questions related to financial, commercial, quality, OH&S, environmental, and other issues need to be answered. The software then calculates the level of risk (low, medium, and high). Depending on the risk management as defined by ISO 9001, gateway approval would require authorization at different organizational levels (Low Risk – Project Manager; Medium Risk – Regional Director; High Risk – Technical Director). You reviewed a sample of ten large projects and noted the following:
- Project number 20XX/0078 – the fee proposal was issued to the client on 16th of June 20XX, the client’s purchase order was received on 28th of June 20XX and work on the project commenced on the 1st of August 20XX. Gateway 3 approval was signed off on the 30th of November (ten days before the audit).
- Project number 20XX/0137 – The project control process records showed that the project was classed as high risk, yet gateway 3 approval was authorised by the Regional Director.
- Project number 20XX/0162 – The project control records showed that 17 out of 42 questions included in the risk assessment questionnaire were not answered. However, the project was found to have been completed.
This is a non-conformity as per 4.4.1(e) and (f).
Conclusions re: Internal & External Audit Findings Examples (Based on ISO 9001:2015)
In this post, we have discussed Internal & External Audit Findings Examples (Based on ISO 9001:2015). We hope that you found this post interesting.