Want some tips on how to write an audit report? We have some insider tips on what to include in your report, how long it should be, and how to write your findings.
In this article, we’re going to specifically focus on the final written report (not the verbal report given in the closing meeting – more on that later), and some tips on how to write an audit report that add value to the organisation, and actually be used to help with continual improvement.
In many cases the audit report template that you have to use is predetermined, so you are governed by that to a large degree. But even then, you should still have a fair amount of flexibility in what you write.
What to include in an audit report
Let’s start with what must be included. There are a few mandatory items: the objective, the scope, and the criteria. These should clearly explain the purpose and the boundaries of the audit. You can combine these and call them something different, but they should still be included. The objective is why the audit is being done; the scope is the boundaries of the audit; and the criteria is what you’re checking against.
You also must state where you went, so include the name of the business or business unit, and its address. Also include the name of your contact person. Often report templates require you to include the names of everyone you had contact with. I personally don’t see the point of this and it’s a good place to make a mistake. It’s very easy to spell someone’s name wrong or miss someone completely. It’s better just to state the main contact’s name, and the names of those who attended the closing meeting –, and certainly make sure you spell their names correctly.
There are also a few other mandatory items, like the disclaimer, which are normally included in your template.
The next thing you need is a clear executive summary. The emphasis here is on clear. Think about who will read this and what they need to know. Essentially there are three things they want to know:
- Did the organization pass the audit?
- What nonconformances/noncompliances are there and how many? You don’t need the full details in this summary, but you do need to say how many, and maybe in what areas they are.
- What needs to happen next? Are you coming back? And state how and when the organization needs to respond.
We are now into the bulk of the report and need to include information about what you saw. Keep it factual, and I don’t use words such as: good, very good or excellent. For example,
If I reviewed three reports and all were fine and compliant, I would write…
The following three reports were reviewed:
- Report number ….
- Report number ….
- Report number ….
What I would not write is…
Three random reports were reviewed and these were all very well written and contained some excellent information.
The reason for this is when you or someone else comes back next year and possibly finds an issue with a report, the auditee’s reply could well be: “But last year you said they were excellent?”
How to structure an audit report
How should you lay out the body of your report? The body text should be in logical groups that align with how the business operates, and ideally you should write around their business processes. If the business is not structured that way, then write around business functions or departments, or possibly locations if it is a multi-site business.
Do not write your report around the criteria you’ve audited against. I have written about this previously in another blog: Why Certification or Regulatory Auditors should not use a checklist?. One of the main problems with this approach is you are given a report template to use, and the template defines how to structure the report. In these cases you’re a bit stuck, so do the best you can.
How much to write in an audit report?
How much do you write about what you saw? Personally, I don’t write too much. I write enough that demonstrates that I was actually there, and did review evidence, but I’m not writing a story – and since the primary people who will read the report work at the business, they should know most of it anyway.
Now let’s talk about the findings – the things that you found that weren’t as they should be. The official name for these are nonconformances or if we’re legally speaking, noncompliances. But they are often called something different, normally because people want to put a positive spin on them: Corrective Action Request or CAR, Opportunity For Improvement or OFI, Let’s fix it, Let’s fix it together, Potential Improvement Note or PIN, Corrective Action Preventive Action or CAPA, and Area of concern. There are many – I wonder what term you use?
For the purpose of this article, we’re going to use nonconformance just to keep it simple. Nonconformances also are graded or classified. The normal gradings are: Critical, Major and Minor, and can be described as:
The organization has demonstrated a direct impact on public health due to a loss of process control or a breach of legislation. Note: This is only relevant to certain types of audits such as: Food Safety or other high risk audits.
The organization has no process in place which meets a major component of a requirement, or the outcome is not effective.
The organization does not fully meet the components of a requirement, or the outcome is only partly effective.
The writing of nonconformances is, in my opinion, the most important part of the audit report. Why? Simply it’s what people need to act on; so it needs to be clear, it needs to be understood, and it needs to be correct.
I have written about writing nonconformances in two previous blogs: How to write nonconformances and Why recording evidence drives the wrong behaviour? But in a nutshell, you write the relevant part of the criteria and state the evidence you have to show that it does not comply. What you don’t do is tell the organization what they have to do; the fix or the containment and the corrective action.
You may also want to include recommendations… what they could do better, and improve on. But be careful here; there are traps for new players.
If you’re conducting a certification audit or an audit on behalf of the government, then it is a definite ‘no no’ to provide recommendations, give advice or consult.
To clarify this, ISO 17021-1:2015, section 5.2.5 states:
The certification body and any part of the same legal entity and any entity under the organizational control of the certification body shall not offer or provide management system consultancy. This also applies to that part of government identified as the certification body.
Further, section 188.8.131.52 states:
The audit team may identify opportunities for improvement but shall not recommend specific solutions.
So you can find things wrong, as long as you have evidence to back up your findings, but you are not allowed to advise the organization as to how to correct them. You can identify opportunities for improvement, but again you can’t tell the organization what to do. You can only identify the issue.
An example of an opportunity for improvement could be:
The document control processes may benefit from reduced complexity.
You can’t write:
You should reduce the complexity of your document control.
Not being able to tell the organization what to do can be frustrating for you both. However, it is their system of management, not yours. If you tell them what to do, what are the implications for you if they follow your advice and something goes wrong?
I have often heard of auditees saying: “But we do it like that because that’s what the last auditor wanted”. Don’t fall into the trap of advising – if you want to do that, become a consultant.
How big should the audit report be?
And how long should your report be? How much do you need to write? Should it be a massive report that passes the drop test, takes three months to produce and is reviewed by a team of thousands? The International Accreditation Forum’s Mandatory Document IAF MD5:2015 gives us some guidance here:
2.1.1 The audit time for all types of audits includes the total time on-site at a client’s location (physical or virtual) and time spent off-site carrying out planning, document review, interacting with client personnel and report writing.
4.1 Determination of audit time of management systems involved in combined offsite activities should not reduce the total on-site duration of management systems audits to less than 80% of the audit time calculated.
So this means that you shouldn’t spend an enormous amount of time writing the report. For an audit with a total duration of six days, by the time you take out a bit of planning and preparation time, allow 80% of the time on site which is the best part of five days (actually 4.8), you’re left with about a day to write the report.
How many words can you write in a day? Well, this is what some famous authors can write:
|Arthur Conan Doyle||3000|
An average page has in the region of 500 words, so if you write as quick as Sir Arthur Conan Doyle you could bang out a six-page report; but if you write like Carol Shields or Ian McEwan, you’re going to manage just over a page.
When should you write the audit report?
And when should you write this report? Straightaway – and if you don’t understand that, I’ll tell you again – straightaway! I always had my report to the auditee within five days. Most auditing bodies seem to have a specified time of between five and 28 days. I think the quicker the better, while the audit is still fresh in everyone’s minds. Receiving a report three months after the audit is waste of everyone’s time; people have forgotten what happened, some people have moved on, processes may have changed, and you, the auditor, look useless.
Why does it take so long to get the audit report written? Two reasons: firstly you prioritise other tasks to be more important; secondly the report has to be reviewed by someone else and it sits in their inbox for too long. And, of course, if something needs correcting, then it’s back and forth we go.
What is the solution to this?
- Write the report immediately while the audit is still fresh; don’t write too much (fewer mistakes);
- employ competent auditors (again, fewer mistakes); and
- If the report must be reviewed by someone else, make sure they do it promptly.
At the start I said this article would be about the written audit report and not the closing meeting. However I will say this about the closing meeting: what you tell people in this meeting and what you write in your audit report need to be the same. Don’t fall into the trap of finding new nonconformities when you are back at your desk. Don’t be a keyboard warrior!
When you’re writing your audit report, keep it simple, remember your audience, stay factual, avoid terms like excellent, don’t consult or advise, and do it promptly. There are two secrets to this:
- Have a good template, and
- Practice – reports become easier and quicker the more you do.
Now, go and enjoy your auditing.