How to Write Non-Conformities (With example)
Introduction:
The goal is to improve the auditor's ability to create findings such that the language is accurate and easy to understand, and that no one sort of finding should be inferred from another. Furthermore, the finding language is accurate.
Writing Nonconformities:
A nonconformity is simply an opportunity for the management system to improve. It should not be viewed as an indictment of any person or group, but rather as a factual statement that drives improvement. Before we get any further, it’s helpful to provide a clear definition of what a nonconformity is. A nonconformity is the failure to meet a requirement.
It’s a short definition, but it packs a lot of power. The first thing as an auditor you should notice is the prerequisite. You need a requirement before you can ever have a nonconformity along with the reference of correct clause/ sub-clause of the management system standard.
While writing a nonconformity, one should always write the requirement first. It sets the tone for everything else. If you can’t find a requirement for a particular situation, then categorically you can’t have a nonconformity. You might have a concern, observation, remark, or opportunity, but it’s not a nonconformity unless it’s clearly tied to a requirement and referring to the management system standard clause.
The second part of a nonconformity is the failure. The failure states exactly what the auditor saw, heard, read, or experienced that contradicted the requirement. The objective evidence is factual and traceable, but it is stated as concisely as possible. We can’t write a book detailing every minute thing that happened. A good auditor simply cites the failure that fails to meet the requirement.
The third part of a nonconformity is the evidence. The evidence can be the reference of client organisation documentation/ procedure/ manual or can be a photograph of machine/ product/ service where the non-conformity is observed.
Matching the requirement with concise evidence:
This is the single most important key. State the requirement and then provide the evidence that shows that the requirement was not met.
Write in complete sentences:
Complete sentences, in both the requirement and the evidence, provides the customer of the audit with a complete product. This complete product is more likely to be understood, and thus more likely to be acted upon.
Include all applicable identifiers (what, who, when, where):
It is critical that your evidence is fully traceable. This is achieved by including all identifiers: what the nonconformity was, who was involved, when it happened, where was it located, and how much was involved. This builds credibility in the evidence and allows the auditee to know exactly what needs to be done to remedy the situation. The only identifier that is not clearly stated are people’s names. We use job titles in the evidence because we want to remind everybody involved that the audit is about the process, not people.
Use an economy of words:
Writing a nonconformity is a balancing act. We need to include all identifiers, but we need to use an economy of words. Ironically, including more words rarely increases anybody’s understanding of what you’re trying to communicate. Keep your nonconformity statement nice and tight. If you can remove a few words, while still communicating the essential message, then by all means do it.
State the facts, not your opinions:
The audit is about facts. There is no need to editorialize as part of the evidence. This happens when the auditor tries to explain why the nonconformity is harmful or what the effects could be. This is not necessary. Just state the evidence and no more.
Here is an example of a well written nonconformity:
Requirement: SOP #ǪOP-32, revision 3 states in section 6.5 that employees must wear white gloves when handling finished product.
We state exactly where the requirement comes from. In this case, it’s a procedure written by the organization being audited. We provide the procedure number, revision, and even the section. Some auditors also include the procedure name, and this can add value too. Once we say where the requirement comes from, we state exactly what the requirement is. We don’t paraphrase it or get creative; we repeat the requirement word for word.
Failure: The auditor observed two employees in the warehouse handling finished product without wearing white gloves.
The language in the failure mimics the language in the requirement. The organization committed to wearing white gloves when handling finished product, but the auditor observed two people not wearing white gloves. Cut and dry.
Evidence: Contradiction between SOP #ǪOP-32, revision 3, section 6.5 requirement C visual observation during site tour.
Here is an example of a poorly written nonconformity:
Requirement: All products must be identified.
There is no traceability to this requirement. Where did it come from? There is a similar requirement in ISO S001:2015, but that source is not referenced under requirement. Always cite where the requirement is coming from, and never paraphrase it. It is permissible to add ellipsis (…) if the requirements is taken from a long passage and the entire section is not needed.
Failure: Returned goods were missing the nonconforming materials tags, which greatly increases the chance of accidentally shipping bad material.
This failure has a lot of problems, most of which can be summarized by saying the evidence is not traceable. Firstly, there’s no indication of where the returned goods were located. The returned goods are also not identified in any unique way. The quantity of returned goods is also not indicated—there could be 3 or 300, it’s not clear. Finally, the auditor included a lot of editorial opinion at the end of the evidence. This opinion is not needed and only serves to inffame the auditee. Stick to the facts when you write evidence and make sure the facts are fully traceable.
Evidence: Not written
These are the conditions that usually result in a nonconformity being removed and not being
provided as part of the final report:
- Requirement does not actually exist.
- Requirement exists, but it’s outside the scope of the audit.
- Evidence is not traceable and it’s too late in the audit to gather the details.
- Evidence relies on hearsay, rumours, or second/third hand information.
- Auditee has presented evidence (after the original interview) that shows the requirement was met.
Disclaimer:
The information contained within is available for educational and communication purposes.
Normative References:
BSCIC Procedures
www.iaf.nu
www.iso.org/tc176/ISO9001AuditingPracticesGroup
Craig Cochran blog