Corrective action responses following internal audits

As the internal auditor for an organisation which is implementing a quality management system to meet ISO 9001:2015 Quality management systems – Requirements, you are likely to invest a good deal of time and effort in your audits. From scheduling when to do audits, planning audit assignments, performing the actual audits, to then authoring your findings as audit nonconformity or summary reports, it can be a monster.

It would be of importance to you, then, that the organisation would “take necessary correction and corrective actions without undue delay” (as stated in 9.2.2 e), in response to those nonconformities you reported. But what does that really mean?

Setting aside for one moment, the issue of correction vs corrective action, when does delay become “undue”, for example? Who decides?

These can quickly become vexing questions for anyone responsible for the organisation’s internal audits. Apart from anything else, this is one of the topics which are scrutinised at each certification visit because it’s considered a key indicator of the ‘health’ of the quality management system – someone probably loses sleep over that part!

Typically – and incorrectly, as we shall discover – actions are often assigned timeframes of 30, 60 or even 90 days. A response to an audit nonconformity with a corrective action plan may be submitted within 30 days for ‘approval’ and the closure of action may then take the remaining 30 to 60 days.

Such timeframes are very common and, more importantly, in my opinion, totally inappropriate for the purposes of internal management systems audits. As with many requirements of the International Standard’s requirements (such as training, calibration, internal audits and management review), basing activities on time periods, rather than in consideration of the needs of ‘interested parties’, is likely to be less than effective.

Call it ‘risk’ if you wish: •

• Risk to the customer and their satisfaction. 
• Risk to regulatory compliance and legal liability.
• Risk to operational performance and cost.
• Risk to supplier relationships.
• Risk to personnel.

Why 30, 60 or 90 days?

These corrective action time limits originally came about mainly from the customer expectations of their suppliers when action was warranted. This may have been following a detected nonconforming product, or perhaps before the next delivery was made in a month’s time.

With the advent of conformity assessment bodies (CABs), it would appear that similar follow-up has become their model for certified organisations, often drawn from the contract ‘rules’ of major procurement organisations.

"Frequently with a ‘one size fits all’ requirement, there’s little consideration given to the information the nonconformity is reporting, relying mainly on a grading of ‘major’ or ‘minor’ to frame the timing of the action."

Andy Nichols CQP FCQI, business advisor.

The responses given by ISO-certified organisations are typically a corrective action plan being submitted for review within 30 days. This is followed by completed actions, with supporting evidence of effectiveness of those planned actions being provided up to 90 days after.

Frequently with a ‘one size fits all’ requirement, there’s little consideration given to the information the nonconformity is reporting, relying mainly on a grading of ‘major’ or ‘minor’ to frame the timing of the action.

The nature of these time limits is clearly derived from external audits and, as such, is almost entirely inappropriate for use as a response to internal audits, which needs to consider the list of ‘risks’ if it is to be effective.

Begin with the end in mind

Stephen R. Covey’s book 7 Habits of Highly Effective People includes this exhortation to “begin with the end in mind”.

If we revisit the 9.2 requirements, we can see that the purpose of the internal audit is to “provide information…” which is the ‘end’ auditors should keep in mind. If the message which results from the audit is that management need to do something, either correction of an issue or deeper into the cause, it is the information which we provide which determines the response from management.

It’s not uncommon, for example, to report that the auditor observed a process that is not being followed as described (documented). While it may be accurate, the finding is incomplete when it comes to taking action since another vital piece of information is missing.

The effect on the results of the process

There are two possible outcomes of not following a planned, defined process: 

• The output is as intended (it is effective)
• The output is not as intended (it is ineffective).

Clearly, the auditor’s job is to report which of the above is associated with ‘not following the process’. Together, each part will be the driver for:

a) correction – since if the results are as planned, the defined planned process can be corrected to reflect practice and;

b) if the result is ineffective, corrective action (root cause) needs to be identified.

Where the time aspect is considered, it should be recognised by management that in the case of correcting the defined process, a simple documentation edit will be necessary. This will take perhaps 24 hours as nothing else will need to be done, since the people are already getting the required results.

In the case where corrective action is needed, once again, it is the auditor’s responsibility to provide information regarding the ineffectiveness, as far as possible (or to recommend a further audit to investigate the extent of the ineffectiveness) during the audit.

This may include evaluating both quantitative and qualitative results – ‘how many’ and ‘how bad’ should be determined. It is this additional information which may be a challenge for the internal auditor, but it is vital as management will need to understand it in determining how to act ‘without undue delay’.

In summary then, internal audits must be planned with involvement from management, and should focus on the performance of the processes of the quality management system.

They should not focus simply on compliance to documentation, and it is in the reporting of the significance of their findings, couched in terms which management understand, which will drive the timeliness of actions to correct or improve matters.