Now that you know when to call a finding a non-conformity, the next step is making sure that the non-conformity (or issue or observation) has been closed out. This will usually fall to the internal auditor to do, as being someone who can provide an independent assessment of the effectiveness of the action taken.
I believe best practice is not just to note if an action has been taken, but to also assess if that action has been effective, thus minimising the risk of future non-conformances. This might involve some time spent on a follow-up audit or desktop review. To me it's time well spent - I would rather continue to follow up an issue than write about the same issue occurring in report after report.
The first step in the process is to give people a clear idea of what the issue is and why it's an issue. A statement like the following makes things really clear: "The service is not currently reviewing client support plans within the timeframes set out in the Client Review procedure, i.e. every six months, as monitoring of review timeframes has not taken place regularly."
At this stage you might like to give a direction for action - at the very least, you should give a timeframe for completion, such as: "The service should ensure that all clients that are overdue for review have one completed in the next four weeks."
You could extend this to ensure minimisation of ongoing non-conformity: "The service should ensure that the client review report is monitored weekly and reminders set in relevant staff calendars to ensure that reviews are conducted on time."
You then need to let the service know how their non-conformity will be closed out: "Manager to provide the client review report to the internal auditor by (date)."
Now the most important part is actually following up - mark it in your calendar and keep your word. Sticking to your own rules is a fundamental part of being an internal auditor.
If someone has not been able to close out a non-conformity, set a new follow up time and keep going back until the issue is resolved; also ensure that you follow your escalation processes, particularly if you feel the issue is high risk.
Thanks for reading,
The Quality Nerd loves all things Quality Management and Internal Audit...too much is never enough!