Audit reporting requires a complete picture – to report the good as well as the bad – but in this post I want to concentrate on how we construct nonconformances. Depending upon how adversarial the audit relationship is (and some of them can be very adversarial) you might need to be forensic in your choice of words, with watertight nonconformances. You won’t normally need to be so forensic in your choice of words when reporting the good points because, let’s face it, nobody ever challenges the positive findings.
The problem with nonconformance reporting is that many can be written in an unhelpful, general, consultative and even downright confusing way. “x is inadequate”, “y is insufficiently robust”, “the requirement for z is not fully met”. None of these statements give the required level of clarity that the auditee deserves. Frankly, it’s lazy. So what should a solid nonconformance report contain? Well, here’s the formula …
The 1-2-3 Trick
A solid nonconformance report will contain three components, and will be written in a clear, objective way.
- Quote the requirement that has been breached. Most auditees don’t have a detailed knowledge of the audit criteria, so help them out by being specific. This also creates the basis for objectivity.
- Describe how the requirement has been breached. Again this is useful information. It helps them understand the gap between the requirement and what is currently happening and, consequently, will give them a starting point with regard to how they may correct the issue.
- Detail the evidence. You will have a reason for raising the nonconformance and this should not be limited to a feeling in your water. You should have evidence, so tell them what it is. Not only does this give them the opportunity to check it themselves if they doubt you, but it also gives them a starting point for their investigation, rather than having to find the problem all over again from scratch.
At the first level, think about writing out your nonconformance in that way as a test for yourself. If you can’t describe it in those terms you have to consider whether you can defend the nonconformance if it is challenged, and you probably can’t. At the second level you are giving the auditee everything they need to know about the requirement, the breach and where you found it. It will be specific enough to be helpful, evidenced and objective.