How are audit findings classified? 

In line with ISO 19011:2018 i.e. (guidelines for auditing management systems), audit evidence normally would be evaluated against audit criteria in order to determine audit findings. Broadly speaking, audit findings can be graded as either a conformity or nonconformity. 

In addition to classifying the audit findings as conformity or nonconformity, audit findings can also be classified as observations or opportunity for improvements. 

These are all the possible approach to classifying audit findings i.e., conformity, nonconformity, observation and opportunity for improvement.

What does each finding mean?

Conformity is an audit finding that shows that the specific requirement of the standard has been sufficiently fulfilled within the audited process or area of the management system. For instance, clause 8.2 of ISO 27001:2013 mandates that risk assessment should be conducted and report of the outcome of risk assessment exercise should be available as documented information. In such a case, the risk assessment report serves as a reliable evidence to demonstrate conformity with the requirement of the audit criteria on risk assessment.

Nonconformity in line with the ISO 19011:2018 standard can be graded depending on the context of the organization and its risks. This grading can be quantitative (e.g., 1 to 5) and qualitative (e.g., minor or major). However, in practice, nonconformities are usually classified into either major or minor by virtually all certification bodies. A nonconformity simply refers to non-fulfilment or partial fulfilment of a requirement. In other words, it is a major breakdown or partial breakdown in the system. 

Going by the example cited under conformity, supposing the risk assessment was not conducted as required by the standard, then we have a nonconformity situation at hand. A major nonconformity is a total or significant breakdown within the management system while a minor nonconformity is a small defect or weakness within the management system.

Observation could be positive or negative depending on the situation. Positive observations normally include good practices along with their supporting evidence as noted within the client’s management system while negative observations usually speak to potential nonconformities. In other words, a weakness that might occur if nothing is done to prevent its occurrence. An example of positive observation is high level of automated processes as spotted within the environment while example of negative observation could be a routine maintenance that is due within a week after the completion of the audit.

Finally, we may classify the audit findings into opportunities for improvement in which case, we have found sufficient evidence to demonstrate conformity with the requirement of the management systems, however, we have also noted a more efficient approach to conforming with this requirement. An example here is using a visitor management solution to manage visitors’ activities in the organization as against using manual log-book.

The importance of issuing audit findings

Audit finding will simply help us to arrive at audit conclusion. Without audit findings, we cannot provide our recommendation as auditors. An audit process is expected to be concluded with expression of an opinion, the audit finding is the basis for expression of this opinion i.e., whether a requirement was found in place or not. Hence, the quality of the audit outcome is highly dependent on the audit findings.

How those can help companies to improve?

Audit findings can either be a positive finding which can either be classified as conformity or opportunity for improvement or nonconformity or observation. In any case, audit findings mostly do unravel certain details either positive or negative that might have not been identified within the context of an organization. 

Because of the nature of audit as an independent activity, a lot of times, some nonconformities or weaknesses are normally discovered during an audit exercise. When nonconformities are given proper attention (by applying correction and corrective action), they always translate either into some cost savings, optimized processes and realization of the management system goals and objectives and by extension realization of the business objectives amongst others.

The way to respond to the findings

Once a nonconformity is declared and agreed with the client, a nonconformity report will be issued by the auditor to the auditee. Whenever an audit finding is classified as a nonconformity resulting into a weakness(es) within an organization’s management system, a response would be required from the auditee’s organization to be shared with the auditor(s) in response to the issued nonconformity report by the auditor.

The auditee would need to respond to the raised nonconformity by providing the following:

• root cause analysis,
• correction and corrective
• action respectively. 

The root cause will aim to address the problem from its source in order to ensure the nonconformity is tackled from its root. A common technique used for addressing this is called the fishbone diagram also known as the Ishikawa diagram – identifies possible causes for an effect or problem.

Also, a correction will be proposed to contain the problem from spreading further into other areas of the management system. Hence, a correction is a short-term measure or a containment strategy. 

The corrective action will aim at eliminating the root cause of the problem and ensuring the problem does not reoccur again either within the segment of the management systems where nonconformity was raised or in any other part of the management system respectively.

These actions i.e., correction and corrective action would be evaluated or verified by the auditor to ascertain that the proposed actions can correct or prevent the reoccurrence of the identified nonconformity. 

However, when the audit findings are a conformity, the auditee do not need to provide any response to the auditor.