Every safety audit produces findings. The real test is what happens after - how quickly findings are logged, assigned, investigated, and resolved. That is what audit findings management is about.
In a health and safety management system, audit findings management is the process of capturing, classifying, and closing issues identified during safety audits. It connects audit activity to real corrective action - making sure that findings do not get buried in spreadsheets or forgotten between audit cycles.
Poor audit findings management is one of the leading reasons organizations fail re-certification audits. A finding that is logged but not closed is as good as one that was never found. This page covers how to manage audit findings properly, from classification through closure verification.
What Are Audit Findings in a Safety Context?
Audit findings are documented observations from a safety audit that indicate a gap, failure, or area of concern within the management system. They can come from internal audits, external audits, or regulatory inspections.

Findings typically fall into three categories:
Non-conformances (major): A significant failure that affects the integrity of the management system or creates a direct safety risk. For example, a complete absence of a required procedure or a repeated failure to address a known hazard.
Non-conformances (minor): An isolated lapse or gap that does not break the management system but still needs correction. For example, a single record that is missing a required sign-off.
Observations and opportunities for improvement: These are not failures, but they highlight areas where the system could be strengthened. They do not require mandatory corrective action but should be reviewed.
Understanding the difference between these categories matters because the response and timeline for each should differ. A major non-conformance requires immediate action. An observation can be scheduled into the next improvement cycle.
The Audit Findings Management Process
Step 1 - Capture and Document Findings
Every finding must be documented clearly at the time of the audit. This means recording the specific clause or requirement that was not met, the location or process involved, the evidence observed, and the auditor's name and date.
Vague findings like "safety records are incomplete" are hard to action. A better finding would state: "Training records for 6 of 12 workers in the Dispatch unit were not updated following the Q3 induction session - reference ISO 45001 Clause 7.2."
Specificity at this stage saves significant time during the investigation and closure stages.
Step 2 - Classify and Assign
Once documented, each finding should be classified as a major non-conformance, minor non-conformance, or observation. It should then be assigned to a specific owner - the person or team responsible for investigating and resolving it.
Unassigned findings are a common failure point. If no one owns it, no one fixes it.
The assignment should include a target closure date based on the severity of the finding. Major non-conformances often require resolution within 30 days for certification purposes, while minor findings may have a 60-90 day window depending on the audit body's requirements.
Step 3 - Root Cause Analysis
Before taking corrective action, the root cause of the finding must be understood. Treating the symptom without addressing the cause leads to repeat findings - a pattern that auditors flag directly.
For safety-related findings, root cause analysis methods such as 5 Whys or fishbone diagrams are commonly used. The analysis should identify whether the finding stems from a process gap, a training failure, a resource issue, or a breakdown in communication.
This step is what separates a compliant response from a genuinely effective one.
Step 4 - Corrective Action and Implementation
With the root cause identified, a corrective action plan should be created. The plan should specify what will be done, who will do it, and by when.
Corrective actions should be proportionate to the finding. A minor record-keeping gap does not need a full process redesign. A major non-conformance related to emergency response procedures may require retraining, procedure revision, and a follow-up drill.
Actions should be documented throughout. Evidence of implementation - updated records, photos, revised documents, sign-off sheets - will be required during the closure review.
Step 5 - Verification and Closure
Closure is not simply marking a finding as done. It requires verification that the corrective action was implemented and that it addressed the root cause effectively.
This verification is typically carried out by the audit team or a designated reviewer. If the action was effective, the finding is formally closed. If the issue persists or the action was incomplete, the finding remains open and is escalated.
Closure evidence should be retained as part of the audit record for future reference and external auditor review.
Common Reasons Audit Findings Stay Open

Several patterns explain why findings are not closed on time:
- No clear ownership assigned at the point of logging
- Root cause analysis skipped, leading to ineffective actions
- Corrective actions planned but not followed through due to competing priorities
- No system in place to track status and send reminders
- Evidence of completion not collected or retained
Organizations that manage findings manually - through spreadsheets or email chains - are particularly vulnerable to these gaps. The volume of findings across multiple audits quickly becomes unmanageable without a structured tracking system.
Reviewing internal audit practices regularly helps identify whether your current approach is creating these bottlenecks.
Audit Findings Management and ISO 45001
ISO 45001 places specific requirements on how organizations handle nonconformities and corrective actions, covered under Clause 10.2. The standard requires that when a nonconformity occurs - including one identified through an audit - the organization must react to it, evaluate the need for action to eliminate the root cause, implement action where necessary, review the effectiveness of that action, and update risks and opportunities if needed.
This means audit findings management is not just a quality practice - it is a compliance requirement under ISO 45001. Organizations preparing for certification or recertification need a verifiable process for managing every finding from identification through to closure.
Auditors will look for evidence that findings were properly documented, investigated, and resolved - and that the actions taken actually worked.
Linking Findings to Preventive Measures
Well-managed audit findings do more than close individual gaps - they feed into broader improvement activity. Patterns across multiple findings can indicate systemic weaknesses that need to be addressed through preventive measures rather than one-off fixes.
For example, if three separate audits surface findings related to contractor inductions, that pattern points to a process gap in contractor safety management rather than isolated human error. Addressing it at the system level - by revising the induction process or adding a verification step - will prevent the same finding from recurring.
This kind of trend analysis turns audit findings into safety intelligence.
How Effivity Supports Audit Findings Management
Effivity's occupational health and safety management system software includes a dedicated module for managing audit findings and corrective actions. It allows safety teams to log findings directly during the audit, classify them, assign ownership, set due dates, and track closure status - all in one place.
Automated reminders keep assigned owners accountable. Evidence can be uploaded against each finding. Management can view real-time status across all open findings, making it easier to prioritize and allocate resources.
For organizations managing safety audits across multiple sites or departments, having a centralized system removes the risk of findings falling through the cracks.
Frequently Asked Questions
A major finding indicates a significant failure in the management system that poses a direct risk or compliance failure. A minor finding is an isolated gap that needs correction but does not compromise the overall system.
Closure requires documented proof that the corrective action was implemented and effective - such as updated procedures, training records, photographs, or review sign-offs.
Observations are not mandatory to resolve, but ignoring them consistently can lead to more serious findings in future audits. They are best treated as early warning signals.
Root cause analysis ensures the corrective action targets the actual cause of a finding, not just its visible symptoms. Without it, the same issue is likely to recur.
Unclosed findings can result in audit failure, loss of certification, or regulatory penalties. They also signal to external auditors that the management system lacks effective follow-through.