1. Collecting and Verifying Information
During the audit information relevant to the ISO audit objectives, scope and criteria, including information relating to interfaces between functions, activities and processes should be collected by appropriate sampling and should be verified. Only information that is verifiable may be audit evidence. Audit evidence should be recorded. The audit evidence is based on samples of the available information. There for there is a element of uncertainty in auditing and those acting upon the audit conclusions should be aware of this uncertainty.
The following figure provides an overview of the process, from collecting information to reaching audit conclusions:
2. AUDIT REPORTING
- Team Meetings
At a daily meeting (or before the summery report is compiled) the auditors discuss their detailed observations with the audit team leader to determine if non – compliances exist and if applicable, are categorized.
When the audit team leader is satisfied with the evidence presented he / she in turn may discuss any non – compliance with the auditee’s representative to seek agreement that they exist. This is not to suggest a ‘bargaining’ situation, but one in witch the auditee is given an opportunity to discuss the non – compliance's and allow the production of any evidence to demonstrate that three is no deviation from the requirements.
Equally, the opportunity to discuss and recognize a non – compliance may enable the auditee to initiate corrective action.
In either event, the non – compliance is still recorded but the fact that corrective action has been taken it noted in the audit report.
It should be noted that non – compliance are owned by the auditee and not the auditor.
- Non – Compliance Categorization
It is common practice to classify non – compliances into categories. This subject is dealt with in Section 12.
Categorization of non – compliances is normally decided through discussion between the team leader and the auditors rather than applying a category at the time of the incident. Categorization is not an end in itself but an aid to assist the team leader to assess the severity of the non – compliance and form a reasoned judgment on the auditee’s FSMS arrangements.
- Non – Compliance
Reporting non – compliances is the method used to indicate to an organization during an audit that there is a deviation to the laid down FSMS requirement and the applicable legislative requirements.
A non – compliance is a non – fulfillment of specified requirements (GMP, SSOP, QMS, Quality, Environment).
Non – compliances arise from OBSERVATIONS made during an audit.
An observation is a statement of fact recorded on the checklist. The audit team will then review all of their observations to determine which of them are to be reported as non – compliances. The audit team shall ensure that non – compliances are documented in a clear, concise manner and are supported by objective evidence.
- Non – Compliance Categorization
All non – compliances have to be dealt with regardless of how important an impact they may on the established system. It is common practice to categories non – compliances to enable the overall effectiveness of a QMS management system and the urgency of corrective action to be assessed.
There is no defined standard for categorization of NCR’s, so if categorization is to be applied the methods are required to be defined by the auditing organization and made clear to the auditee at the start of the audit.
Categorization of NCR should be based on deviation to the FSMS / legislation and impact on product / process and its risk. Observations need to support the grading with sufficient justification.
A typical classification is as follows:-
- Critical
The absence or total breakdown of a FSMS to meet the requirements of ISO 22000 and the requirements of applicable regulations that impact QMS.
E.g. seriously inadequate hazard analysis, insufficient CCps are identified, no action responding to violation of critical limits, use unsafe water etc.
One critical NCR will lead to failure of certification. A re – audit is normally required within six months after initial audit.
- Major
A non – compliance which is likely to result in the failure of the QMS system or reduce its ability to assure safety of processes or products.
E.g. improper control of chemical compound, shop workers are not very hygienic or there is no necessary action to prevent food from contamination etc.
If there is any major NCR, registration is recommended subject to a satisfactory verification visit. Verification visits will be arranged within eight weeks after the audit to verify effectiveness of corrective actions.
- Minor
System deficiency (ies), which do not directly affect the QMS, but need to be improved.
E.g. environment of production areas is not in good condition, which may contaminate food, inadequate light in production areas or cleaning facility is not in a good condition etc.
When there are only minor NCRs and its number will not obstruct the system operation, registration can be recommended subject to a satisfactory review and verification of document evidence to corrective action. Document evidence, including self –declaration of corrective actions, is required to be submitted within four weeks after the audit.
A number of minor lapses of the same content (incorrect issue of documentation in use in several areas) show a system breakdown and may therefore be regarded as more serious and be upgraded.
It is normal with certification bodies that once a corrective action has been agreed that the check for practice effectiveness may be left until the next surveillance visit.
Categorization of non – compliances is normally decided through discussion with the lead auditor and the auditor rather than applying at the time of the incident.
Categorization is not an end in itself but an aid to assist the lead auditor to assess the severity of the non – compliance and form a reasoned judgment on the auditee’s QMS management system.
If the audit was undertaken for a ‘customer’ or a ‘third party’, then it may well be up to them to decide on the acceptances of any non – compliance. This may be influenced by any contractual or specification requirements. The lead auditor should be made aware of any such restriction.
- Reporting Non – Conformities
During the audit, the auditor will be documenting observations of the system. These observations may well result in non – conformities being raised. When the auditor decides that there is a non – compliance, then a written report will be submitted. This type of report is commonly referred to as a NCR (Non – Compliance Report).
There should be sufficient detail in the report to clearly identify all the facts concerned, the specification requirement and the evidence of the non – compliance. It is important that sufficient information is provided to ensure traceability to the source of the problem in order that effective corrective action can be completed.
A quick guide is to examine and describe the:-
- Where – the area where the non – compliance was found or can be identified.
- When – date of audit.
- What – description of the problem.
- Why – a statement of the requirements from the specification or procedure.
- Who – not the report must not attribute blame.
REMEMBER someone has to read the report. Clarity of information and the inclusion of as many facts as possible will assist the reader to understand your findings THE FIRST TIME.
The auditor must produce absolute proof that non – compliances exist.
A typical non – conformity report is attached.
3. Objective Evidence
Often members of the work force will give a rehearsed version of the controls being applied. It is there fore very important during and audit to establish that the facts investigated by the auditor and the observations made are a true and accurate reflection of the way in which the food system is applied.
4. Audit Report Observations
Statements NOT substantiated by objective evidence may be made as comments if the auditor thinks this will be useful or constructive.
These are usually observations noted during the ISO audit, which did not require non compliance to be raised since they do not contravene a standard or process, but could included in the audit report to assist the assessed organization with potential improvement.
The auditor should exercise care when making observation for improvements to ensure that the auditee understands that he / she is responsible for any decision taken.
5. Preparing the Summary Report
At the conclusion of the audit, the team leader (lead assessor) in consultation with the team auditors will prepare a summary report.
This report is normally hand written, while a formal typed copy is prepared later and subsequently submitted. An example of a suitable format is included at the end of this section.
As its title implies, the report summarizes the detailed reports of non – compliances and observations, notes any corrective action to be taken and, depending on the authority given, may allow the team leader to give a recommendation that the auditee’s FSMS arrangements are ACCEPTABLE, CONDITIONAL or unacceptable.
(Acceptability may be conditional on certain agreed corrective action being completed to the satisfaction of the team leader or customer, ie a CONDITIONAL recommendation).
The three levels of recommendation may be applied as follows:-
å Acceptable - award certificate or accept as an approved supplier.
å Conditional – includes statement of agreed corrective action to be completed prior to acceptance being granted.
å Unacceptable – failure due to a number of serious non – compliances.
A conditional recommendation report will indicate the corrective action required. The team leader may make recommendations as to the way in witch corrective action providing there is a clear understanding of the relationship between the two organizations in terms of any cost or liability that may arise from taking the required corrective action.
It is the 3rd party certification body which makes the decision to award a certification, not the auditor. The auditor only makes a recommendation.
In the case of an audit by a certification body, the team leader will always make a recommendation against the relevant specification.
For 2nd party audits it will be up to the purchaser to decide what action is taken following an audit based on the auditor’s recommendations and other commercial factors, ie price, delivery etc when placing a supplier on their approved supplier list.
6. The Closing Meting and Presenting the Summary Report
The summary report is formally presented at a closing Meeting attended by the audit team and the auditee’s management representatives. At this meeting the team leader shall:-
å Thank the management for their assistance and co – operation.
å Point out that only a sample of the FSMS arrangements has been taken and that the audit result has been determined against this sample.
å Propose that any questions for clarification of the report findings are kept until the end of the presentation.
å Present a summary of the findings and quantify the non – compliances raised.
å Invite each auditor to report their detailed findings and give a recommendation.
å Invite questions for clarification only and give answers
å Agree on any follow – up action which may be required, This may already have been agreed on non – compliance reports (NCR’s)
å Advise the auditee on the procedure for processing the final report (depending on the instructions given to the team leader), but in any case advise that fully written report will be raised.
å Agree the duration of any approval that may be granted.
å Make a statement regarding confidentiality of information.
Note:
The team leader may choose to present the whole report and only ask the auditors to deal with the questions relating to their area of audit.
Before departing the team leader will normally leave a copy of Summary Report and the original non – compliance reports.
7. Agreement and Follow – up of Corrective Action
Where the corrective action is required, the team leader may have agreed a date upon which a revisit to the auditee is to take place in order to verify that all non – compliances have been successfully corrected.
It may be that the nature and number of non – compliances require a further complete re – audit. If so, the team leader will state this at the closing meeting and in the final report.
For More info about ISO Certification process visit Global Manager Group website
