As you know, a fundamentally proven certification-oriented approach is to present the results of system audits by main and minor deviations as well as potential for improvement. However, you may also have asked yourself in some audits to what extent the logging of these deviations can contribute to a successful improvement of the organization.

Audits are a matter for the boss and should be reported in the language of the management

The classic audit report with its main / minor deviations and improvement potentials is often only of limited value to top management. The legibility and perspective of the audit report play a major role. This is especially true for personnel who have no training in quality management or auditing. For a managing director or process owner, the reading of the audit report typically leads directly to the question of the effects associated with the deviations. Or rather risks!

Let's assume that the auditor of your organization has identified two main deviations in the internal system audit. The first deviation was identified because the scope of the quality management system is not documented in writing. The second major deviation was identified because no traceability system is implemented for the parts produced and the associated records. In the audit report, these deviations appeared at first glance to be of equal importance, as both are major deviations. However, it will soon become clear to any reader that non-compliance with these IATF 16949 requirements will entail varying degrees of risk for your organisation. The subsequent documentation of the QMS application area is created with relatively little effort and will have only a weak or no direct influence on customer satisfaction. A non-functioning traceability system, on the other hand, can mean that in the event of a field failure, the affected production lots cannot be effectively narrowed down and recall costs could rise to existentially threatening levels. This is a good reason, therefore, why the risks resulting from the deviations should be reported transparently in the audit report and clearly presented to management.

The optimized process- and risk-oriented audit report

In principle, it should be made clear that the distinction between main and minor deviations in a classical audit report refers solely to the fulfilment of the standard requirement. A sufficiently precise quantification of the relevance of the deviations, which a meaningful weighting would need, is simply missing. Therefore, if we want to obtain an audit report that is optimised in this respect, we first need an evaluation scale that allows for reasonable comparability and helps us to understand whether the company under consideration has performed better or worse compared to the audit of the previous period. You may already be familiar with something similar from the levels of fulfilment in the VDA 6.3 process audit. The second thing we need is the information about the potential risk of a finding. Only when this requirement is also met does a meaningful picture emerge, which makes the audit report a very useful and important tool, even for non-specialist personnel.

Through the risk determined, combined with the degree of fulfilment of the management system maturity, different locations become comparable with each other and it becomes immediately visible which measures should be prioritised. The perspective and horizon of your colleagues and employees will change! The audit is no longer just a requirement of the standard or a customer, it will become indispensable to assess how sustainable an organisation is and how it perceives its risks and opportunities.

Little choice on the audit system market

With regard to these requirements for an audit system, it is not easy to find appropriate solutions on the current market. There may be promising approaches, but most of the time the acceptance of such systems fails due to a lack of awareness and the resulting lack of establishment. A system that has supported me personally in my work and several of my customers over the last years and with which I have already carried out numerous audits is RPAS™. The name is short for "Risk and Process-oriented Audit System" and describes a system which, as its name suggests, always takes into account the risk for an organization in the assessment, in addition to standard and customer requirements. Thus, in the run-up to the audit, requirement sheets are defined which refer directly to risk factors of certain organisation-specific elements of the company. This makes it possible to draw directly on lessons learned or, for example, best practices and to incorporate them systematically into the audit. The audit thus becomes an instrument that dynamically adapts to the further development of the company and its processes.

In addition to the various ISO standards (ISO 9001, ISO 14001, etc.), industry standards such as IATF 16949 or VDA regulations (e.g. VDA Volume 6.3) can also be integrated into the audit. The integration of the latter is particularly useful if you carry out process audits according to VDA anyway. If you carry out the RPAS™ audit, further system or process audits can be regularly omitted due to its highly customizable degree of coverage - a saving of time and costs.

The RPAS™ results matrix in the chart below illustrates how the individual levels of compliance are translated into an assessment that compares the system maturity level with the weighted risk factors and thus represents a meaningful audit result.

Figure: Risk matrix in RPAS™ (extract from GUKSA RPAS™ audit report)

So far, my customers have always found the graphic presentation of the RPAS™ results to be extremely successful. In fact, the clustered risk elements (here exemplarily nos. 1 - 13) of this system show at a glance which deviations from audits represent greater risk potential.

We can therefore see that there is still great potential in the audit system if we manage to systematically incorporate the risk-oriented approach there as well. So you should make sure that you get a meaningful result that everyone understands and that, like RPAS™ for example, in the best case also enables objective benchmarking, regardless of which audit system you ultimately use.

By the way, you can find an example of how my colleagues from the engineering office MCS have successfully implemented RPAS™ under this link: RPAS™ (Risk and process-oriented auditing) at ZF suppliers

If you found my article helpful or interesting, I would be very happy if you share it with others.

Your feedback is also very welcome, please simply send it to the following e-mail address:

Your Bastian Krebs

Project manager
Ingenieurbüro MCS GmbH

Bastian Krebs

For more than 5 years I have been working as a project manager for various OEM and subcontractors in the automotive sector around the world. Among other things, I support companies with solutions for a practice-oriented setup and further development of management systems according to e.g. ISO 9001 and IATF 16949.

I have many years of experience in auditing (IATF 16949, VDA 6.3) as well as the application of various Q-methods, such as the automotive core tools and the VDA damage part analysis.

With my articles I would particularly like to draw attention to new developments in the world of management systems, but I also want to give all newcomers and career changers a good insight.
