Rainbows, Unicorns... and Audit Reports?

Audit Reports are “supposed” to contain the results of an “audit”… which is defined as:

ISO 9000:2015, sec. 3.13.1
systematic, independent and documented process for obtaining objective evidence (data supporting the existence or verity of something) and evaluating it objectively to determine the extent to which the audit criteria (set of policies, procedures or requirements used as a reference against which objective evidence is compared) are fulfilled.

So why does AS9101F, Form 5, “Audit Report” include a field, under the “Audit Conclusions” section, requiring auditors to include their “subjective opinions” regarding “Strengths and Good Practices”?

Is this actually required? Upon examining ISO 17021-1:2015 & AS9101F, the ONLY reference I could find was the requirement in AS9101F, sec. 4.2.3 to complete the “…Audit Report (Form 5)”.

I did find “best practices” mentioned in ISO 19011:2018, “Guidelines for auditing management systems”.

5.5.6 Managing audit programme results
The individual managing the audit programme should consider, where appropriate:
— communicating audit results and best practices to other areas of the organization, and
— the implications for other processes.

But, of course, ISO 19011 is only a guideline, that's not mandatory.

When reading “should consider, where appropriate”, I imagine a “Monty Python” skit featuring John Cleese saying, with his very British accent, “…should consider, where appropriate because we would really, really feel extremely bad if this were the least bit of a burden on you. We really don't want it to be a bother. But seriously, if it's not too much of an inconvenience, think about:

Even worse, some registrars require their auditors to complete a SWOT analysis for each audit! This is beyond ridiculous because auditors have extremely limited time to assess a management system… much less reasonably identify any meaningful “Strengths, Weaknesses, Opportunities and Threats” to the organization.


Ultimately, incorporating subjective “Strengths and Good Practices” OR a SWOT Analysis into an audit report dilutes the purpose of audit using “objective evidence” to “objectively” determine the extent to which the audit criteria are fulfilled.

There have been instances where I've issued NCs against areas that previous auditors had identified as “Strengths” or “Good Practices”. Usually, because the previous auditor(s) had either missed something in that area or was “struggling” to identify any “strength”. Of course, the client was confused. How could I issue a NC against an area that a previous auditor had actually complimented them on? So I have to bite my tongue to keep from criticizing the previous auditor for misidentifying a mediocre practice as a good practice… leading into the “All audits are based on a sample” speech.

Requiring AS9100 auditors to provide subjective opinions regarding “Strengths and Good Practices” in audit reports is an example of a BAD practice being promoted by IAQG.

IAQG… please consider this an “opportunity for improvement”; and remove the “Strengths and Good Practices” from Form 5 in the next revision of AS9101.

And as for other standards, registrars, please stop requiring your auditors to waste their time by ”dreaming up“ some nonsense data to complete a SWOT for your report.

For a variety of reasons, these add about as much value (perhaps even less) as placing a rainbow unicorn clipart graphic into the report.