Writing a good QMS internal audit report

In ISO 9001, the process for internal audits is one of the most important ways for you to ensure that your quality management system (QMS) is functioning properly and efficiently, but what is the role of the audit report in this process? Many people who are not well versed in audits or the overall quality management system may not fully understand how important an audit report can be. Here is the information you need to know.

What is the importance of an audit report?

An audit report is the official record of an audit – the only official record. All of the notes taken by the auditors, all of the comments made by employees during the audit, all of the information taken by the process owners during the audit, and all of the statements made at the closing meeting really don’t amount to anything official. If something is not recorded in the audit report, it doesn’t really count. Remember that it will not only be the people who were audited or were at the closing meeting who will read the audit report; audit reports are also used in management review by people who were not part of the audit.

This is why the audit report from, e.g., a third-party certification body is so detailed; the report needs to record all the information necessary to detail any corrective actions needed and justify why your company is compliant with the ISO 9001 standard. The audit report needs to be the complete recorded evidence of all aspects of the audit. In many ways, an audit without a good report is not really an audit.

What should be in an audit report?

So, this brings up the question of what makes a good audit report. What needs to be included, and what should be eliminated? When looking at this, it is important to remember again that the audit report is the one official report of the audit, and therefore must stand on its own. The best practice for audit report content is included in ISO 19011, guidelines for quality and/or environmental management systems auditing. This may be overkill for a small company, and can be reduced if required, but it is a good start when considering what you want to include in your audit reports.

Here is a list from ISO 19011 of the seven items that should be included in an audit report:

  1. Audit Objective – What was the purpose of the audit? Was this a regular audit of a process, or a follow-up on a corrective action? All audits are done to demonstrate compliance with the requirements, but was there anything else that was being done?
  2. Audit Scope – What were the boundaries of the audit? If there is more than one manufacturing line using the process, how many were audited? Was a night shift or evening shift excluded?
  3. Audit Client – Who was the process owner or owners that the audit was performed for?
  4. Audit Dates and Places – It is important to be able to demonstrate the timeframe when all of your audits of the system take place. Also, for management review, it might be important to know the chronology of the audits that are being reviewed.
  5. Audit Criteria – What were the processes audited against? For instance, this could be the ISO 9001 standard, internal company procedures & policies, or customer requirements.
  6. Audit Findings – What are the results of the evidence found? Some companies discriminate between major findings (where there is a systemic failure) and minor findings (such as one or two mistakes that were made, but that were not universal), but this is not necessarily the case. Some companies include positive findings and best practices that can be shared throughout the organization in this section as well. It is important to include the audit evidence for these findings, such as the contract numbers that were reviewed, but leave out the names of people who were audited. The findings are about identifying corrective action, not assigning blame.
  7. Audit Conclusions – What is the summary of the outcome of the audit? Were there too many findings to determine if the process was properly implemented? What is the assessment of the effectiveness of the QMS from this audit? For some busy executives who just want the summary of the audit, this might be the one and only thing they read in the report, leaving the details to the process specialists.

Additionally, ISO 19011 includes some optional items; the following could be applicable to an internal audit if deemed to be useful:

  1. Audit Plan – This is the plan of who is auditing what processes, and when. For a large audit with multiple auditors, this can be useful.
  2. Summary of Audit Process & Obstacles – This is especially important to include if there were some obstacles, such as scheduling for an absent process expert, which hindered the audit.
  3. Any Areas not Covered – If you needed to exclude something you intended to cover, like a second shift, this should be noted for future reference.
  4. Disagreement between Auditor and Auditee – If the process owner does not agree that the audit evidence presented is non-conforming, as specified by the auditor, then this should probably be noted in the report.
  5. Opportunities for Improvement – Like the positive findings mentioned above, many companies will use recommendations for improvement as a way to document the cases when an auditor has identified something that is not non-conforming, but could be improved.
  6. Agreed Follow-up Plans – If an agreement was made on how to address a non-conformance, recording it in the report can be helpful.

For more on using ISO 19011 to improve your internal audit process, see ISO 9001 internal audit in 13 steps using ISO 19011.

An audit report should not include surprises

One final thing to note is that nothing in the report should come as a surprise to the auditees who read it. If information was not presented at the closing meeting, it should not find its way into the audit report. Use your audit report to document what happened in the audit, make it easy to understand, and you will find that your audit information will benefit your efforts to improve your QMS.


Mark Hammar
Mark Hammar is a Certified Manager of Quality / Organizational Excellence through the American Society for Quality and has been a Quality Professional since 1994. Mark has experience in auditing, improving processes, and writing procedures for Quality, Environmental, and Occupational Health & Safety Management Systems, and is certified as a Lead Auditor for ISO 9001, AS9100, and ISO 14001.