Audit by Exception

Audit, audit by exception


I would like information regarding the use of the internal auditing method referred to as “audit by exception”. While this method sounds like it may provide a much more efficient use of my time and my Manager’s/employees time, I have no idea how this is accomplished in a manner that can still be compliant and what proof would be deemed acceptable when going through my external RAB certified audit. I am referring specifically to ISO 9001:2008 in regards to auditing. I currently audit every process/process owner every 6 months in a calendar year and it is a full week of audit time each audit. Thank you.


Thanks for contacting ASQ’s Ask the Expert program. With regard to your inquiry, I suggest that you continue to use an audit methodology that best serves your organization’s requirements. As you are aware, “auditing by exception”, is a practice that is utilized in the financial sector. The terminology “audit exception” in this case, has the same meaning as an “audit finding”. Since internal audits are one of the most important tools that an organization has to assess the effectiveness and continual improvement their quality management system, auditing by exception may not provide the level of information needed to keep your organization’s top management and it’s process owners adequately informed.
In my opinion, an effective internal audit will focus as much on identifying opportunities for improvement (OFI) as documenting audit findings. A robust internal audit report will identify nonconformances, but will equally focus on areas that can be improved or that have improved. To sustain continual improvement of a new or a matured QMS, the process owners and employees must be kept informed and engaged. One of the ways to accomplish this, is to share audit results that report on findings, OFI and the status of objectives or targets that have been established. Auditing by exception, usually will not provide this level of reporting.

Please note, ISO 9001:2008, clause 8.2.2, does not prescribe any particular audit methods to be used for 1st, 2nd or 3rd party audits. Each organization is expected to select audit techniques that best suit the scope and objective of the audit to be conducted.

I hope this helps.

Best regards,

Bill Aston, Managing Director
Aston Technical Consulting Services
Kingwood, Texas

One thought on “Audit by Exception”

  1. If you belong to a regulated industry (pharmaceutical for example) it is a must to have an annual internal audit program that can be executed by your own or third parties.
    Best regards,
    Néstor Aversa
    Biochemist CQE
    Espiral de Calidad

Leave a Reply