After writing, revising, and signing the finalized audit report, most independent auditors move on to their next project. I’ve done many of these solo audits, and I’ll admit that I've often wondered who at the Sponsor* company would communicate the findings to the Auditee and review their responses. But no matter, I've completed the contracted assignment and I'm now off doing something else, right? Not so much anymore.
After the audit report is finalized, Sponsors frequently will ask me to gather up a summary of all the observations and send it to the Auditee in the form of a draft Action Plan. I may also be asked to help the Sponsor review and comment on the Auditee's responses to the observations (i.e., the Auditee's completed Action Plan). After all, since I’m the one who observed the deviation, I’m probably in the best position to assess the Auditee’s plan to remediate it.
The Action Plan that I put together is a table that’s sent to the Auditee for completion. It includes:
- columns containing the audit findings, each accompanied by a brief description of the problem (along with any examples that could help clarify the situation that was uncovered) and a criticality or prioritization ranking;
- blank columns for the Auditee to provide its corrective/preventative action(s) as well as a place for the Auditee to specify to whom the action item is assigned and an estimated time frame for completion; and
- blank space for the Sponsor to indicate its acceptance (or rejection) of the Auditee's responses along with any additional comments.
The Auditee only receives an excerpt of the full audit report, and is not privy to context-rich, narrative details that often accompany the observations in the audit report. The Sponsor and auditor(s) must ensure that the observations in the draft Action Plan are clearly written or the Auditee will be unable to provide meaningful, realistic, and actionable responses. It’s beyond the scope of this article to delve into how one effectively documents observations, but I like to keep the observation as brief as possible. If necessary, I will include supporting evidence and specific instances of nonconformities to illustrate the key findings.
Assuming the Sponsor and the auditor(s) have done a thorough review to ensure that observations are clear and unambiguous, it is now up to the Auditee to address the observations and offer a thorough and timely response by completing the Action Plan. The Sponsor's expected turn-around time for receiving the Auditee's responses varies from company to company, but anything from 30 to 60 days is normal.
I've reviewed Auditee Action Plans that are extremely well-done and a pleasure to read, because they:
(1) acknowledge and address all of the key points and issues being communicated in the observations;
(2) provide bona fide, "right-to-the-point" proposals to resolve the problem in the form of corrective actions;
(3) assert their companies’ commitment and full intentions to rectify the root cause of the problem (preventative actions);
(4) state the name of the persons in their organizations whom I've met at the audit and who have been assigned (or who have already performed) the action; and
(5) offer a realistic time frame for completing the action (including a specific date).
On the other hand, I've also reviewed Action Plans that are downright inadequate. First impressions are often correct, and sloppiness can be telling. Improper grammar, incomplete sentences, and spelling errors are all indications that the Action Plan was hastily prepared and returned to the Sponsor without having undergone a quality review. Generally speaking, problems with Auditee responses fall into one or more of the following categories:
(a) Their response does not acknowledge (or even denies the existence of) the finding. A common response of this type may even have a confrontational or defensive tone, but more often describes a different, and much improved process or procedure, which was not observed or made known to the audit team during the audit. This is a problem as it demonstrates the inability of the Auditee to accept responsibility for the finding.
(b) Their response entirely misses the point, often evidenced by a totally inappropriate, nonsensical, or otherwise ineffective proposed resolution which does not remotely address the stated observation.** It is not uncommon to see that the response was provided by someone who was not even present during the audit and is not likely to have a complete appreciation of the context surrounding the finding.
(c) Their response does not provide (or has no semblance of) either a corrective or preventative action. Responses falling into this category frequently take the form of an excuse or rationalization for why the problem exists.
(d) Their response is inadequate, often characterized by the use of vague, incomplete, and nonspecific language. It is not uncommon to see "cut-and-paste" responses for this category, which only tends to demonstrate a level of laziness in the responder's efforts.
(e) Their response does not assign responsibility to an individual (or at the very least, a named functional group or department on their organizational chart); and/or
(f) Their response does not include a reasonable time frame for completion (e.g., "we are currently working on this...").
It is damaging when a completed Action Plan demonstrates such a low level of effort, as it casts doubt on the abilities, dedication, and diligence of the Auditee's participants, and reflects poorly on the company as a whole. Moreover, it introduces unnecessary delays in closing out the project and it increases the overall costs for both the Sponsor and the Auditee, alike. A QA Director from a large pharmaceutical company recently told me: "vendors and service providers need to understand that poor responses like these can have serious consequences ... it calls into question whether they [the Auditee] are genuinely interested in working with us."
In conclusion, the key points that you can take away from this article are:
- Vendors and suppliers ("Auditees") who host external audits should realize that the Sponsor will be reviewing their Action Plans against a basic set of quality guidelines like items (1) through (5), above. Take ownership of the problem; provide a well thought-out plan of action; make sure your responses exhibit a level of professionalism and due care.
- Auditors who write audit findings must communicate them in simple, clear language. The observation must be concise yet contain enough information to convey the specific concern. The Auditee must be able to read and immediately understand the issue in order to respond appropriately;
- Sponsors need to take special care in reviewing findings of the audit team to ensure that they are complete and accurate, and provide any essential information that will help the Auditee formulate satisfactory responses; and finally,
- The original audit team members should be involved in the review and assessment of responses to audit findings. This provides a valuable level of continuity and consistency during follow-up activities. When Sponsors hire independent consultants to perform audits (especially, solo audits) they should take necessary steps to ensure that the external auditor is available and is willing to commit to participate in these very important follow-on activities.
* For ease of discussion, we’ll call this company “the Sponsor,” even though CROs and other types of companies perform these audits, too.
** It could be argued that the Auditee misinterpreted the key point(s) of the observation because it was poorly phrased or malformed; however, for the sake of argument, we're assuming that the Sponsor (and audit team) have done a thorough review.
Ms. Meehan is the Social Media Manager for Polaris Compliance Consultants, Inc. She writes the company blog and e-newsletter, and manages the company’s website, SOPs, and internal training. She also teaches math at a local university and tutors high school students in math and SAT prep. Prior to joining Polaris in 2008, she worked at a major telecommunication R&D company where she provided consulting and training on telecom services, and spoke at numerous industry forums. Ms. Meehan holds a B.A. and an M.S. in Computer Science. She can be reached at firstname.lastname@example.org.
Mr. Janeri is chief consultant at Compliance House, Inc., a "mostly-for-profit" regulatory consulting firm based in Cary, NC. He has over 28 years of experience with high assurance mission critical computer systems, information security, and software engineering. He enjoys making seemingly hard topics easy to understand. Mr. Janeri can be reached at email@example.com.