Rainbows, Unicorns... and Audit Reports?
Audit Reports are “supposed” to contain the results of an “audit”… which is defined as:
ISO 9000:2015, sec. 3.13.1
audit
systematic, independent and documented process for obtaining objective evidence (data supporting the existence or verity of something) and evaluating it objectively to determine the extent to which the audit criteria (set of policies, procedures or requirements used as a reference against which objective evidence is compared) are fulfilled.
So why does AS9101G, Form 5, “Audit Report” include a field, under the “Audit Conclusions” section, requiring auditors to include their “subjective opinions” regarding “Strengths and Good Practices”?
Is this actually required? Upon examining ISO 17021-1:2015 & AS9101G, the ONLY reference I could find was “Table 1 - Audit reporting requirements” in AS9101G, sec. 4.3.1 indicating that Form 5 was “Required”.
I did find “best practices” mentioned in ISO 19011:2018, “Guidelines for auditing management systems”.
5.5.6 Managing audit programme results
The individual managing the audit programme should consider, where appropriate:
— communicating audit results and best practices to other areas of the organization, and
— the implications for other processes.
But, of course, ISO 19011 is only a guideline; it's not mandatory.
When reading “should consider, where appropriate”, I imagine a “Monty Python” skit featuring John Cleese saying, with his very British accent, “…should consider, where appropriate because we would really, really feel extremely bad if this were the least bit of a burden on you. We really don't want it to be a bother. But seriously, if it's not too much of an inconvenience, think about:”
Even worse, some registrars require their auditors to complete a SWOT analysis for each audit! This is beyond ridiculous because auditors have extremely limited time to assess a management system… much less reasonably identify any meaningful “Strengths, Weaknesses, Opportunities and Threats” to the organization.
Conclusion
Ultimately, incorporating subjective “Strengths and Good Practices” OR a SWOT Analysis into an audit report dilutes the purpose of an audit relying on “objective evidence” to “objectively” determine the extent to which the audit criteria are fulfilled.
There have been instances where I've issued NCs against areas that previous auditors had identified as “Strengths” or “Good Practices”. Usually, this was because the previous auditor(s) had either missed something in that area or was “struggling” to identify any “strengths”. Of course, the client was confused. How could I issue an NC against an area that a previous auditor had actually complimented them on? So I have to bite my tongue to keep from criticizing the previous auditor for misidentifying a mediocre practice as a good practice… leading into the “All audits are based on a sample” speech.
Requiring AS9100 auditors to provide subjective opinions regarding “Strengths and Good Practices” in audit reports is an example of a BAD practice being promoted by IAQG.
IAQG… please consider this an “opportunity for improvement” and remove the “Strengths and Good Practices” from Form 5 in the next revision of AS9101.
And ANAB… since many of your auditors pay little to no attention to the IAQG, please consider this an “opportunity for improvement” and stop mandating that CBs force their auditors to identify “Strengths and Good Practices” on Form 5 of AS9101 in OASIS.
And as for other standards: registrars, please stop requiring your auditors to waste their time by “dreaming up” some nonsense data to complete a SWOT for your report.
For a variety of reasons, these add about as much value (perhaps even less) as placing a rainbow unicorn clipart graphic into the report.