How to Write Effective Audit Notes

This may sound like a daft article but this is one of the most common issues with auditing these days as the requirements have changed over time but the auditors have not changed their technique in line with these changes.

Writing audit notes effectively will not only help the auditor, it will also help the technical reviewer, the client and any auditor who comes in after you. It will also speed up the entire process as the technical reviewer will be able to see that everything was covered and they do not need to play ping pong emails with the auditor to get the decision made.

Why are Audit Notes Needed?

Another daft question but its best to read the requirements from the ISO 17021 standard as that is our bible in all cases.

The first main point is in the audit report requirement itself:

“The audit report shall provide an accurate, concise and clear record of the audit to enable an informed certification decision to be made”

That is pretty clear in my eyes:

Concise-giving a lot of information clearly and in a few words; brief but comprehensive.

And why do we need to make our notes in this manner? We need to look at another clause of the standard which refers to the certification decision:

“The information provided by the audit team is sufficient with respect to the certification requirements and the scope of certification”

Certification Decision

To elaborate on the above further, it is very difficult for someone who is responsible for putting their name to the certificate to make an informed decision on something when you haven’t got all of the information. It would be like signing up to a credit card when you don’t know the interest rate that will be charged, you just wouldn’t do it.

When a certification reviewer is reviewing the information provided by an audit team they are checking for a number of things but most importantly has the auditor covered the entire scope which has been applied and is there evidence that the processes the organisation has in place meet the requirements of the standard.

Auditors have a tendency to not cover all of the scope applied for, for example, we often see a scope which mentions installation of some description yet when we look at the notes there are no details on how the installation takes place and no examples which could include a site visit. You can’t make a recommendation for something you have not seen.

The other part commonly missing is that there are gaps in the notes relating to parts of the standard as the auditor will do a huge data dump of evidence but that evidence often doesn’t cover everything. When someone is reviewing the notes they are not sure whether the auditor has missed it or the organisation doesn’t need to apply the requirement. For example, Planning of changes is missed 95% of the time and special process controls never cover all the requirements under that clause such as how they revalidate the process.

Often the auditor has not looked at the process from a deep enough technical perspective. Sticking with the special process control theme, lets pick painting as an example. When an organisation is painting parts they should have some controls which require degreasing/cleaning of the part first, this could be a simple acetone wipe, full degreasing bath or vapour process. With each of those methods there are certain controls to be in place such as temperatures, timings, application process… The next step might be to mix the paint with thinners, what is the ratio of this mix, how does the person doing this know what they’re doing, how do they check they have done it correctly, how do they validate this? Then you move onto applying the paint, curing the paint, inspecting the paint and there are many controls surrounding each of those steps which need to be discussed with the auditee and verified.

Instead of covering all of those technical aspects, auditors will give a job number, paint colour and a person who done it. It never tells us the story of the process and all the controls that are in place to give confidence that firstly the client has done everything they should but also that the auditor has checked everything is in place as required.

Tell a Story

When I am training up new auditor’s I will always tell them to “Tell a Story” when writing their notes, the story doesn’t need to be millions of words but it needs to walk me through the process so that i can read it and understand what the organisation does for that given process. Simple wording which highlights the key steps and controls is sufficient. I need to be able to make a decision and if i haven’t got all the information then i will reject the report and you will have to amend the notes or in some cases go back to the client which can be embarrassing.

The objective evidence that you provide only needs to be sufficient enough to allow some validation if needed of what was reviewed, this can be as simple as a job number as that would be enough for the client to see the offending job/document if required so they can put in sufficient actions. It also gives the decision maker confidence that you reviewed enough jobs to determine the certification recommendation as being suitable.

Some Examples

Poor Audit Notes

Looked at following Purchase orders:

Supplier: XXX

PO No: 5932

Part No: VT04568

Supplier: XXX

PO No: G16/5

Part No: 659–56

Supplier: XXX

PO No: 1036685

Part No: 2 Round Pieces

Supplier: XXX

PO No: 3434689

Part No: SD27

There is nothing within the notes which details their purchasing process in line with the standard requirements, I do not know if the information provided on the Purchase orders is sufficient or if the process is actually effective which is one of the main requirements for auditors nowadays, processes may be there but are they effective? The process is not clear at all and i would not made a positive certification decision based on these notes.

Better Audit Notes

Spoke to the purchasing manager who walked me through the process; an MRP is run daily using their MRP software and the requirements are reviewed and needs determined by looking at future orders. The purchasing manager will contact a number of the suppliers who are approved on the ASL to supply those goods and request a quotation, the quotation is reviewed and the best option selected based on price and delivery. The purchase order is raised through the accounts system and the parts are selected from the set stock list in the system which holds all of the correct information such as part reference, revision. The due date is entered into the purchase order and a request made for a certificate of conformity and/or material certificate if it is required, the purchasing manager knows if it is required by reviewing the job card as it will be highlighted there. The purchase order is then emailed to the supplier and standard terms and conditions issued in the email along with drawings and specifications if required, only the current revisions of drawings and specifications can be selected but this is controlled by the quality manager. Checked the following purchase orders, all contained sufficient information to the supplier, correct drawings were supplied and approved suppliers were used from the ASL. PO Nos: 5932, G16/5,: 1036685, 3434689

No non-conformances were raised in this process, the process appears effective.

The above notes tell the story so i can understand how their process works, I can now confirm that their process meets the standard requirements and I have confidence that the auditor has asked the right questions and done some verification checks. Now there may be some technical aspects which should have been applied such as material certificates but this all depends on the nature of the client’s business. I would approve this certificate based on these notes.

Now people will often moan that this will take them too long to write but I have proven time and time again that it takes no longer to write these notes than it would by doing a lot of data dumping with information i do not need. I do not need part numbers, I do not need supplier names, I do not need delivery dates… It has no bearing on my certification decision, I am more interested in knowing that the clients process is effective and meets the standard requirements. Writing the notes like this will also prevent me rejected the report and asking for information on how the process works.

My Top Tip for Effective Audit Notes

I find this to be the most important part of the process audit, before you look at a single piece of paper, before you ask for examples, you need to first understand the process. If you don’t understand the process you won’t actually know what evidence you need to see.

Whenever i arrive at a new process, i ask the auditee to “walk” me through the process from start to finish in their own words and then I will ask specific questions if they have left anything out that the standard needs them to have in place. Once I have understood how the process works I will ask to see some examples, 9 times out of 10 I have some examples i want to see from information i have gathered from other processes. I will then check that what they have told me is reflected in the examples and then I am satisfied and can make a decision on that process. When you don’t understand the process and just see lots of examples it does actually take a lot longer, trust me.

On a final notes, ensure that you have audited the scope fully, we need to see evidence that you have audited the scope and clauses fully otherwise the decision maker will reject the report.