It is important that actions to address findings are completed by the agreed closure date. Failure to complete actions may lead to escalated enforcement action.
If the agreed closure date cannot be met contact ASSI in writing (email) before the closure date explaining the reason(s) the closure date cannot be met proposing a revised date along with any associated risk mitigations.
When responding to an audit finding ASSI generally wants to know, with evidence, the following:
- What did you do to fix the specific thing that was found by the finding? You’ll be surprised how many times people just stop here, when there’s more to do.
- What have you identified as the root cause (here the 5 ‘whys’ is a useful tool, or you may use other similar methods to determine this)?
- What did you do to find and fix other things that were not right because of that root cause?
- Lastly, and importantly, what did you do to prevent that root cause happening again?
Taking such actions and clearly describing what you did in a response will greatly increase the chances of the finding being closed and better still should prevent a repeat finding. Should ASSI, or your own internal audit system identify a repeat finding it is very likely that you have not identified, or adequately addressed the root cause.
Observations are recorded, but are not tracked. Finding actions and any subsequent actions based on observations will be reviewed at the next audit, or as determined.
Severity Level 1 Finding
Any non-compliance with a regulation or requirement or the Service Provider’s own arrangements, processes or procedures which creates a serious safety/security hazard. Urgent and satisfactory corrective action to mitigate the hazard is required in not more than 7 days. This may require the provisional suspension or variation of the Approval or Certificate.
Severity Level 2 Finding
Any non-compliance with a regulation or requirement or the Service Provider’s own arrangements, processes or procedures. A corrective action timescale normally of up to 90 days to be agreed based on the associated potential safety/security hazard.
Note: Where a period of more than 90 days is deemed appropriate or necessary the agreed period should reflect the level of risk judged to be involved.
The potential for a non-compliance to develop if no action is taken, or there is an opportunity for a safety/security improvement.