I was told when you raise an Observation during an audit that would require corrective or preventive action, you do not need to investigate the cause of the problem.
My understanding is that whether it is corrective or preventive action you need to investigate the cause of the problem because understanding the cause helps us in the evaluating the need for action to ensure that nonconformities do not recur or to prevent occurrence of nonconformities.
Correct my understanding also that this is why both ISO 9001:2008 and API Spec Q1 8th Edition has written the requirements in Section 8.5.2 and 8.5.3 of the respective standards in this way.
I can only speak to ISO9001:2008, which indicates that you are required to conduct internal audits at a prescribed interval (typically once a year) but does not explain how to conduct internal audits. The standard for detail on conducting audits is ISO 19011, recently updated to 19011:2011.
An observation is just a statement of fact. We should be gathering information (observations) to support all of our audit activities – positive and negative. When an observation indicates that a “nonfulfillment of requirements” has occurred, it should be considered to be addressed as a nonconformity. What if you looked at 20 purchase orders and 1 that was supposed to be signed was not? There is a need to evaluate the impact on the organization’s ability to address its system and organizational requirements. While in this case 1 unsigned purchase order may technically be a nonconformity – is there actual value in writing a nonconformance – which would then lead to corrective action?
It is the auditor’s responsibility to make a determination as to an adequate response. In this case I would probably leave it as an observation and document it as such on my audit report. When the observation (20 unsigned purchase orders) is sufficiently serious – then there is a need to write up a nonconformance – which leads to a corrective action request – and root cause analysis. There is and always should be judgment – by the auditor – in the appropriateness of response. I do not ignore anything – every nonconformity should have correction – but not necessarily corrective action.
Correction should be taken to correct the problem. Corrective action should be taken to understand the cause of the problem when there is the potential for the nonconformity to recur. There is a subtlety that is important. Preventive action may never be necessary during an audit but I do look for proactive activities as part of any audit. Preventive action is to address POTENTIAL nonconforming situations to prevent it from occurring in the first place.
– Michael Haycock, Sr. BRC Quality Consultant