by Matt Liephart
Accurate, precise, concise, and complete nonconformity statements are the most important output of an audit. They are more than just a statement of, “What’s not right.” Nonconformities are the input to the corrective action system, which takes action to prevent the recurrence of nonconformities discovered during audits. The corrective action system is a process, and just like any other process, “Garbage in, garbage out.” It is important that nonconformities be written with precision and accuracy, or the corrective action system will not eliminate the appropriate causes, leading to recurrence of the nonconformities. The information in this article will help auditors learn how to write effective nonconformity statements, and will help auditees understand what a well-documented nonconformity contains, keeping garbage out of the corrective action process.
The Importance of Nonconformity Statements
Nonconformity statements are the actionable outputs of an audit. The auditor may generate a long report to satisfy registration requirements, but it’s the nonconformities that will be acted upon. Those of you fortunate enough to have zero nonconformities after an audit know you can get back to your “regular” job when auditors find nothing. Since it’s the nonconformities that get acted upon, it is critical they be correct.
Registration is most often granted (or renewed) only after nonconformities are addressed. If the nonconformities are unclear or inaccurate, auditees will not be able to act to address the nonconformities. This could place registration in jeopardy simply because the auditor was not skilled enough or didn’t take the correct actions at the right time to write a decent nonconformity.
Depending upon the registrar and the way they are organized, the person reviewing the corrective action may not be the auditor who wrote the nonconformity. If the nonconformity wasn’t written correctly in the first place, the reviewer might be confused about how the corrective action taken addresses the nonconformity cited. If the nonconformity and the corrective action do not align, the reviewer may reject the action taken simply because the nonconformity was written poorly, to begin with.
The audit process is linked to the corrective action process. The output of the audit process is the input to the corrective action process. The material that passes from the audit process to the corrective action process is nonconformity statements. Just like organizations have inspection criteria for incoming material, the corrective action process would benefit from quality criteria for the incoming nonconformity statements. It would be a good idea to instruct auditors that nonconformities will be inspected against the quality criteria in this article prior to being entered into the corrective action system. The corrective action process requires high-quality nonconformities as input to ensure the management system will be effective.
Accurate, Precise, Concise, Complete
Accurate nonconformity statements provide detailed evidence indicating a requirement has not been met, not that there is a risk that there might be a problem. Nonconformities are based on objective evidence that requirements have not been satisfied. They are not used to communicate nonconformities may exist in the future if present performance continues.
Accurate nonconformities clearly identify all the evidence observed, and specify exactly which requirement has not been satisfied. The requirement cited must match the evidence that’s been documented. Unfortunately, many nonconformity statements cite a valid requirement, and evidence indicates nonconformance, but the evidence indicates a different requirement has been violated then the one cited in the nonconformance. One method to make sure nonconformities have been documented correctly is to find the exact word of the requirement (in the standard, procedure, or work instruction) that was not satisfied. Going to that level of detail helps prevent laziness in the process of documenting nonconformities.
Precision supports accuracy if we are getting down to the word that was not satisfied. Mistakes will be less likely on the requirements aspect of the nonconformance by linking evidence to a specific word in a requirement. Precision is also supported by reflecting the depth of the investigation in the nonconformity statement. If an auditor looked at 50 training records and found problems with three of them, the auditor should not only cite the three that were nonconforming, they should also include the fact that 50 were investigated during the audit. There is a big difference between three of 50 causing a nonconformity and three of three causing a nonconformity. It is important that the auditor be precise so auditees can access the exact evidence that was evaluated and contributed to the nonconformity. The evidence must be detailed to support effective cause analysis and corrective action.
Writing nonconformity statements has nothing to do with creative writing. Nonconformity statements should not sound like the author could write The Great American Novel, and they should not indicate how incredible the auditor is at manipulating language. My nonconformity statements should sound just like yours. Nonconformity statements should be straightforward and dense with information, not meandering and chock full of anecdotes and clever asides. Extra words that add no value tend to lead to misunderstandings regarding the evidence observed, the requirement that has been violated, or both. A good practice is to read the nonconformity statement after it is written and intentionally look for extra words which do not contribute to accuracy or precision. It can be difficult to be concise while trying to include all the detail needed to support the nonconformity. A balance can be achieved through proofreading and intentional actions to evaluate each written word.
Each nonconformity statement must be able to stand alone, with no additional information or context required to begin the corrective action process. If a well-written nonconformity falls out of the audit records stack onto the floor and someone picks it up later, they will be able to tell exactly what the requirement was, exactly what the evidence was, and exactly why the evidence indicates the requirement was not satisfied. The nonconformity statement needs to be understandable out of context, and without additional research or reference. In practical terms, nonconformities do get separated from the rest of the audit records when the details are entered into the corrective action system. They often get entered into software, where there is nothing except what has been written to support the nonconformity. They also get separated in time from the audit, as nonconformities will be looked at when initiating the corrective action, while the corrective action is being implemented, and while following up to verify the actions taken eliminated the nonconformity. At each one of these steps, the nonconformity statement needs to be understood. If the nonconformity is relying on context or references to other documents, other information, other statements, and other evidence, it will be misunderstood. A good practice is to read the nonconformity statement as if it was the first time. If the contents are understandable without knowing anything else about the audit, then the nonconformity statement is acceptable.
Structure of Nonconformity Statements
Well-written nonconformity statements follow a simple recipe. Cite the requirement, document the evidence, and connect the requirement to the evidence with a brief statement of nonconformity.
The requirement is quoted directly from the source, usually a management system standard (such as ISO 9001 or ISO 14001) or a procedure or work instruction maintained by the auditee. It is typical to think of management system standards as the main source of requirements, but it is worth noting organizational documents such as procedures and work instructions are often the source of the requirement for nonconformities discovered during internal audits. This is because the procedures get into more detail regarding how a specific organization wants to do something, and it’s those details that are not being satisfied. The general requirements of a management system standard might be satisfied, but a specific requirement of the procedure has not been.
The requirement may need to be truncated in the nonconformity statement to ensure precision. Remember, we are getting down to THE WORD in the requirement source that was not satisfied. The contents of the requirement may include several levels. For example, ISO 9001:2015 clause 8.5.1 Control of Production and Service Provision contains requirements lettered “a” through “h.” If the requirement not satisfied is letter “d,” there is no need to include the rest of the requirements, as that does not provide the precision necessary to understand exactly what happened. In this case, the required portion of the nonconformity would be written, “ISO 9001:2015 clause 8.5.1d states, “Controlled conditions shall include, as applicable… d) the use of suitable infrastructure and environment for the operation of processes…” This requirement includes both infrastructure and environment for the operation of processes. We could specify the word that was not satisfied in the statement of nonconformity by stating, “Oven processing records indicate the specified environment was not used during production,” (a hypothetical example). When citing requirements from procedures, quote exactly what is documented, don’t correct what you think is awkward sentence structure, and don’t paraphrase. It is important that the people operating the corrective action system can access the exact requirement that was not satisfied and see the requirement in the source. Paraphrasing or changing the exact sentence structure can make it difficult to find the requirement in the source document.
Evidence cited in nonconformity statements must be clear and complete. This means ALL the evidence of nonconformity must be included. Ideally, the evidence can be retrieved or recreated by the auditee based on the contents of the nonconformity alone. This is often necessary to perform effective analysis of the cause.
The evidence must contain specific citations and specific details. For example, the evidence may include detailed identification of specific purchase orders, specific dates, specific fields on specific forms stored in specific folders in specific rooms indicating specific actions have not been taken or weren’t taken correctly. As a former Quality Manager at a 24/7/364 (we had Christmas off) manufacturing facility, it was often necessary for me to find the exact information in the exact place where the problem was found during an audit. To understand the cause of a nonconformity, I may investigate a specific action taking place in a several hundred thousand square foot facility at a specific time with a specific shift processing a specific item. I needed to see what the auditor saw to figure out what happened. In the Toyota Production System, they speak of shop floor focus. The shop floor is the most dynamic portion of the entire organization. If a nonconformity is found within that dynamic environment the auditee must be able to understand what was going on in that dynamic environment when the nonconformity was found to take effective corrective action.
Documenting complete evidence is important, but we don’t want to include extra information that does not support the nonconformance. Don’t include information about what was done correctly when citing a nonconformity statement – that just confuses the issue. This is like what was already discussed – writing nonconformities is not about creative writing. Stick to the facts, including all the facts, and the nonconformity will be written well and will support effective corrective action.
The statement of nonconformance is a brief sentence identifying how the evidence indicates the requirement has not been satisfied. When writing statements of nonconformance, think about what you would need to communicate if you had three seconds to tell the auditee manager what was found as you pass them in the hallway.
For example, “Three travelers were found without QA stamps or initials as required by the production procedure.” That’s it. In the required portion of the nonconformity statement, the precise requirement of the production procedure would be quoted. In the evidence portion of the nonconformity statement the details of exactly which travelers, making what products, found at what stages of production on specified dates would be identified. All that’s left is to tie the evidence to the requirement in a brief statement.
Sometimes the statement of nonconformance can seem hard to write because we are accustomed to using more words than we need to say what we want to say. If you find more than a sentence is required to tie the requirement to the evidence, there may not be a nonconformity (you may be trying to talk yourself into a nonconformance). In that case, it would be prudent to take a step back and consider the possibility that an observation or statement of fact would be more appropriate.
Nonconformity Statements – How to Get Them Wrong
It is worth mentioning how to write a nonconformity in a manner that doesn’t lead to effective corrective action and doesn’t fit the established structure of a well-written nonconformity statement.
A common mistake is to add opinions regarding the cause or severity of the nonconformity. Auditors want to help the management systems they audit, and they want to leave the auditee with a positive feeling at the end of the audit. It is common for auditors to think they understand the causes of the nonconformities they find, so they conclude there is no harm in noting what they believe is the cause in the nonconformity statement. They forget that as an auditor, they are not responsible for operating the management system. The auditor is responsible for determining if the management system is effective, if it conforms to requirements, and if the process is improving. Cause and severity are based upon the investigation that occurs during the corrective action process. I realize a lot of registrars assign major vs. minor values to nonconformities, and these assignments are based upon severity and frequency as reflected in the evidence documented in the nonconformance. In my experience as a Quality Manager, I understood the severity of a nonconformity only after investigating the cause. I have been involved in corrective actions where the severity of the problem was very high, even though the evidence cited in the nonconformity indicated the problem was minor and occurred infrequently. Keep the nonconformity statement straightforward, based upon the evidence observed, citing specific requirements, and tie the two together with a brief statement of nonconformity to help the management system and encourage effective corrective action. Help by being very clear on your requirements, and very complete and precise on your evidence, not by adding opinions related to the cause.
Another way to get nonconformity statements wrong is to include suggestions regarding actions to address the nonconformity. What if the wrong action is suggested? What if they’ve tried the suggestion already and it didn’t work? Would the organization trust the auditor to provide a good assessment when the auditor suggests actions that are invalid, incorrect and none of the auditor’s business? Auditors must allow the people responsible for the management system to run it.
Adding opinions regarding cause or severity, and including suggestions regarding actions to address nonconformities are usually done to help the auditee. The best way to help the auditee is to make sure nonconformity statements are accurate, precise, concise, and complete. High-quality nonconformities will do more for the management system than opinions and suggestions.
Omitting details regarding evidence is very common, and usually caused by auditors who do a good job finding valid nonconformities but not keeping clear and complete notes in their records. If auditors do not keep complete and detailed evidence of what they found along the way, then when it is time to write a nonconformity statement, they don’t have all the evidence to support the nonconformity. Their only option is to write the nonconformity statement based upon half the evidence that they saw while performing the audit. To remedy this problem, it is important for an auditor to slow down and collect evidence, especially if the auditor thinks they are approaching a nonconformity. When in a situation where evidence is beginning to look like a requirement is not satisfied, slow down and document more so when the investigation is overall the evidence is right there. When auditors rush they tend to get sloppy and are then forced to omit details because they did not do a good job recording audit evidence along the way.
Auditors can get nonconformity statements wrong by including unrelated details that don’t provide evidence that the requirement was not satisfied. These are details of the investigation that have nothing to do with the evidence that supports nonconformity, and/or details of the investigation that don’t address the requirement that’s being cited. This is often seen in three or four-paragraph nonconformity statements. Look at some of the long nonconformity statements in your files and look for details that aren’t necessary to support the nonconformity.
While auditees are not responsible for writing nonconformities, they can and should influence the contents to make sure they are precise and accurate. Nonconformity statements become the input to corrective action processes, and garbage in leads to garbage out. The process is not complete when the auditor writes the nonconformity statement – that’s the beginning of a process. Over the course of a long audit, I know it can be difficult to remain engaged. You may just want to get the audit over with, and decide to allow the auditor to write the nonconformity and deal with the details later. You’ll be dealing with the details later alright – figuring out how to take corrective action on a poorly-written nonconformity. Keep in mind how important it is to get the best possible input to the corrective action system.
Be sure the auditor writes nonconformities using the correct structure (requirement, evidence, and statement of nonconformity). It’s extremely important that it be accurate, precise, and complete. You have the recipe so make sure the auditor follows it. If you find the auditor is not following the recipe, you can get the results you need with a conversation as simple as, “Where’s the requirement? Oh, you missed some details. I’d like you to quote it exactly as it is stated in the procedure. I’ll go get the procedure for you…. Right there’s the paragraph, write it just like that… Your evidence says, ‘In several instances…’ How many instances did you look at? OK, let’s go talk to Frank because he was down there in the area, I know you were talking to him when you found the nonconformity. Let’s circle back and make sure we get all that evidence correct.” Help them get it right by helping them be diligent.
Insist on reviewing the nonconformities as they are written, and insist the nonconformities be written the day they are found, on-site. A lot of auditors will tell you, “I’ll get you the nonconformity statement in two days after I get back to the office.” What is going to be improved by allowing the information regarding that nonconformity to age inside the auditor’s brain? Will the nonconformity be better written in the office compared to writing it (by hand if necessary) right where the evidence was seen, while everything is fresh and everybody who’s involved around the issue is present? I insist nonconformities be written on-site when they are found. It does not take much time (if the evidence was recorded correctly during the audit), and that is less time the auditor will have to spend back in the office writing reports.
Involve those who were present when the nonconformity was discovered. Don’t be afraid to include people who don’t do audits for a living – they are the ones who will be asked later what happened to determine the cause of the nonconformance. Bring them in and have them help you understand what happened to make sure the nonconformity statement is accurate.
Well Written Nonconformities Contribute to Effective Corrective Action
Nonconformity statements document evidence when requirements were not fulfilled. When nonconformity statements are accurate, precise, concise, and complete, a full description is provided of the requirement and the audit evidence observed. Nonconformity statements that follow the established structure of requirement, evidence, and statement of nonconformity are easily understood without the need for additional information or supporting data. It is important to remember nonconformity statements are the input to the auditee’s corrective action system, not for the auditor to prove they found something during an audit. The customer of the nonconformity statement is the auditee’s corrective action system. Effective nonconformity statements allow auditees to perform effective cause investigation and take effective action to eliminate causes, preventing the nonconformity from recurring and improving the management system. When considered from that angle, it is clear why auditors need to stick to the structure of an effective nonconformity statement and make sure they are accurate, precise, concise, and complete.
For more information on writing effective nonconformity statements, including a discussion of example nonconformity statements from real audit reports, watch the presentation of this article.