What Makes a Good Finding in a Compliance Monitoring Audit?

Monday, May 20, 2024

Written by Senior Consultant, Nick Laughton.

In this blog, I discuss the significance of delivering a 'good' finding as an auditor.

The prime objective of the compliance monitoring audit is to assure compliance with the applicable requirements, policies, procedures, and other standards. This forms the audit criteria. The internal audit is an important part of assuring the compliance with these criteria. For any non-conformance against this audit criteria, this should result in a finding being raised. If the finding cannot be referenced to any of the audit criteria, then it should only be reported as an observation or an opportunity for improvement. In summary, the objective of the audit is to assure the Work as Imagined (WAI) is the same as the Work as Done (WAD).

Findings should not be seen as a criticism of either the organisation or the individual, rather they should be treated as a learning opportunity for the continuous improvement of the management system as required by the basic regulation. The same applies to any other published standard where continuous improvement is a requirement of the standard.

Compliance Monitoring: What is a Finding?
Where evidence exists that the organisation has not complied with any of the audit criteria, then a finding should be raised. For example, if during the planning phase the procedure(s) do not reflect the intent of a regulation, then a non-compliance should also be raised.

This is where audit planning provides a robust and solid foundation using the audit criteria as the base line. 

In the aviation environment findings are defined as:

Level 1Any finding of significant non-compliance with the requirements of this regulation which lowers the safety standard and seriously endangers flight safety.

Level 2Any non-compliance with a regulation or requirement, or the service provider's own arrangements, processes or procedures.

It is important that the finding, regardless of severity, is communicated in a way to avoid misinterpretation as the regulations require the recipient to identify the root cause(s) and define an effective corrective action plan. It follows the better the finding is written, the more effective the root cause analysis and corrective action should be. If the finding is not communicated in a clear manner, there may be a danger that the owner of the finding (the Nominated Postholder) expending nugatory effort addressing how they interpret the finding and not the reality.

A consistent structure for the writing of findings can be useful and the following is an example of how to draft an acceptable finding. 

WhyHere is the the opportunity to explain to the recipient why it is a finding. This should include reference to the audit criteria, which the finding was assessed against. It may also be useful at this stage to paraphrase some of the wording directly from the criteria, so it can be clearly shown what is expected to demonstrate compliance.

WhatDetail what was identified during the audit process. The more detail that can be included here, the better. This should assist the recipient with the subsequent investigation, root cause analysis and determining the corrective action(s) to be taken.

WhereIdentify where the finding was found. It should be recognised by stakeholders that the audit is only a sample and there may be the possibility of similar findings in other parts of the business. This should be considered as part of the preventive actions taken to eliminate any future potential findings.

EvidenceThe provision of evidence is a key step in the writing of findings. It serves two main purposes:

1. It supports the Why and What of the finding
2. Providing as much evidence as possible will allow the recipient to investigate, ensure robust root cause analysis and the development of an effective corrective action plan.

An example could be:

Regulation CAMO.A.200(a)(5)... documentation of all management system key processes...

During the audit, a review of procedure ORG/M/006 Rev 4 (Weight & Balance control) the following were evidenced:

- No procedure owner could be identified
- No evidence of the annual review taking place
- Incorrect information contained within the procedure (form numbers missing)
- Procedure does not reflect current working practice

Grouping Findings: ExplainedAnother best practice is to 'group' findings where possible. Findings that relate to the same audit criteria should be grouped to provide focus that there is an issue with the system supported by a number of non-conformances. Remember the intent is to continuously improve the system. The danger if findings are reported individually is that the link between findings may not be established, especially if they are identified in different areas of the business, and consequently robust and effective corrective actions to the system may not be developed. This may not become apparent until future audits identify repeat findings. 

An example could be:

Regulation 145.A.42(b)(ii); The organisation shall establish procedures to ensure that components, standard parts and materials shall only be installed on an aircraft or a component when they are in satisfactory condition. 

There was evidence during the audit that elastomeric seals were not subject to control evidenced by the following:

- Knowledge of Elastomeric life groups was weak throughout the organisation.
- A number of elastomeric seals stored within the Hydraulic Bay carousel were identified as having exceeded their approved life.
- An out of life seal Part Number: 9876-54321 Cure Date 4Q97 Life: 15 years had been installed in the actuator serial no. 1234ABC.

Compliance Monitoring Audits from Baines SimmonsBy following the relatively simple approach to writing findings, and grouping where possible, should allow the recipient to conduct robust root cause analysis, develop effective corrective action(s) and continuously improve the system without assigning blame.

This should lead to an increase in the benefits related to effective compliance (do you know the true cost of poor quality?) which in turn will provide the organisation with improved performance.

Ultimately good findings allow audits to add value to the organisation.

If you'd like to develop your auditing skills and knowledge, we would recommend our TQ02 - Practical Skills for Auditors course.

For more information on compliance monitoring our TQ06 - Effective Compliance Monitoring course will help develop your understanding of this topic.

To find out how our experienced audit and compliance monitoring team can help your organisation with airworthiness, compliance, and safety risk management audits, contact us at hello@bainessimmons.com