One of the most common internal audit nonconformities is related to discovering that employees are not following a published procedure, or that the procedure no longer matches current practice. What’s astonishing is that while ISO 9001 and AS9100 require you to write procedures where you deem them necessary, there’s never been a clause that tells anyone to follow those procedures! As a result, auditors often struggle with how to write a nonconformity, understanding that all such NCs must be grounded on a clause in the particular standard.

So how do you write up a finding in such a case?

(Quick aside: I realize that you’re auditing not only to ISO or AS, but also to your own procedures. Yes, you can write the finding up against the paragraph or section of your procedure, but my view is that this is insufficient. You should also tie back to an ISO 9001 requirement. Some will disagree, and there’s no universal agreement on this point, so you can choose what you’d like to do. This is just best practice, however.)

There are two ways to address this. Your desired method may depend on how you want to track nonconformities later. Obviously, auditing practices (and standards such as ISO 19011) dictate you ground your finding on an exact requirement, meaning a clause in the ISO 9001 or AS9100 standard. But beyond that, some companies do trend analysis over long periods of time, to see which clauses give them the most grief, and result in the most findings. If you don’t assign the right clause, you can’t do this tracking; you also haven’t grounded your finding on an actual requirement.

The first method is to write the finding up against the clause that is closest to that under which the particular procedure falls. For example, if you find the Purchasing staff are not following their procedure, you’d write it up under 8.4, the clause for purchasing requirements. This is a good practice in that later it allows better reporting on trends, enabling you to identify, perhaps, that the purchasing clause is giving you the most grief.

But it wouldn’t really be accurate. A strict reading of the three sub-clauses in 8.4 finds that nowhere does it even require a Purchasing procedure, much less that employees follow it. So you’d only be filing it there to help trend reporting later, not because “failure to follow a purchasing procedure” was a requirement in that section of the standard.

Next, some procedures you might include in your QMS won’t have an ISO 9001 clause applicable to them at all; perhaps something related to personal protective equipment, or sales goals, or shipping (yes, believe it or not, there’s no shipping clause in ISO 9001 or AS9100).

So a better practice is to assign all such findings to a single clause in the standard that represents the best, if not perfect, place to write it: 8.1.

Specifically, 8.1 bullet point (e)(1) reads:

“The organization shall plan, implement and control the processes needed to meet the requirements for the provision of products and services…by: (e) determining, maintaining and retaining documented information to the extent necessary (1) to have confidence that the processes have been carried out as planned.”

It’s not perfect, but it’s close. This is because the latter part of the requirement requires that you develop the procedures (“documented information”), and the first part of the requirement requires that these procedures then be “implemented.” Yes, it’s another Yoda sentence, in that it makes more sense if you read it predicate-first.

The only problem here is the requirement’s physical location within the standard: by appearing in Clause 8, this implies the requirement is only related to manufacturing or service execution. One could argue that it doesn’t really apply, then, to procedures written under the other clauses, such as 4, 5, 6, 7, 9 or 10. But if you squint, you can justify that it works nevertheless, and it’s a minor quibble.

Ideally, the TC 176 gurus should have added two tiny words to clause 4.4.2, as follows (added words are emphasized):

4.4.2 To the extent necessary, the organization shall (a) maintain and implement documented information to support the operation of its processes

But they never thought of that, and TC 176 doesn’t allow smart people to join their ranks, so we’re stuck with a standard that says you have to have procedures, but not necessarily follow them.

And so we return to 8.1(e)(1), which is our best place to write this finding.

I have, however, seen clever audit trend analysis systems that provide for tracking a “primary” clause that has been violated, as well as a “contributing” clause. In such cases, you might assign 8.1(e)(1) as the primary, and 8.4.1 as the secondary (if the issue is related to Purchasing, for example). Then you can track both for trends.

The failure of third-party CB auditors to do this, by the way, is an easy way to have their nonconformities thrown out. Unable to find where to write such findings, CB auditors are forced to invent requirements out of the blue. For example, a recent audit report I read said, “clause 4.1 requires a context of the organization procedure, and the employees were not following it.” We had the nonconformity thrown out because, no, clause 4.1 doesn’t require a procedure. If he had written it under 8.1(e)(1), we’d have a harder time fighting it.


