Bear with me, I'm new to this. We had our first registration audit about a month ago and the auditor found 7 "minor" non-conformances. I've been busily working away at them with much help from the posts on the forums here!:thanx:

I think my lack of experience is really catching up with me though because there are a couple of findings where I think I may have blown it when I signed the bit that said "Auditee's signature indicates acceptance of all Nonconformity Reports written during this audit..."

The one I'm fighting with now says, "The list of controlled records presently is part of training document and not appropriately included or controlled as a key document to the QMS. In addition, the listing does not appear to address all necessary records required by the standard."

But the training document he's referring to was not intended to be a comprehensive list of records, but to aid in training of the staff, and it was correctly labeled as an uncontrolled document. While I can see why an auditor would find a list of all records helpful, I'm not sure I would agree that it is required by the standard. Furthermore, I think creating a list of all of the records is not something we'd benefit from. More likely than not, the list would not be updated if the record location changes, and then THAT would be a finding.

If our other controls for records are adequate for us, must we have a "list of controlled records" and if not, how do I write the correction, root cause, and corrective actions?

Thanks in advance for your input!
Rene'

Hi Rene and welcome to the Cove!!

I think we want to put your question on to the board for the actual standard you were audited against. Was is ISO or TS or AS or something else.

Oops, sorry!

It was ISO 9001:2000

Thanks,
Rene

Bear with me, I'm new to this. We had our first registration audit about a month ago and the auditor found 7 "minor" non-conformances. I've been busily working away at them with much help from the posts on the forums here!:thanx:

I think my lack of experience is really catching up with me though because there are a couple of findings where I think I may have blown it when I signed the bit that said "Auditee's signature indicates acceptance of all Nonconformity Reports written during this audit..."

The one I'm fighting with now says, "The list of controlled records presently is part of training document and not appropriately included or controlled as a key document to the QMS. In addition, the listing does not appear to address all necessary records required by the standard."

But the training document he's referring to was not intended to be a comprehensive list of records, but to aid in training of the staff, and it was correctly labeled as an uncontrolled document. While I can see why an auditor would find a list of all records helpful, I'm not sure I would agree that it is required by the standard. Furthermore, I think creating a list of all of the records is not something we'd benefit from. More likely than not, the list would not be updated if the record location changes, and then THAT would be a finding.

If our other controls for records are adequate for us, must we have a "list of controlled records" and if not, how do I write the correction, root cause, and corrective actions?

Thanks in advance for your input!
Rene'

Records are documents, but not controlled documents, in the sense that the standard requires document control. Why would you need to control something that doesn't (or shouldn't) change? Ask the auditor to show you the "shall."

"The list of controlled records presently is part of training document and not appropriately included or controlled as a key document to the QMS. In addition, the listing does not appear to address all necessary records required by the standard."

Is this list really "part of a training document" or was it just a list someone had?
Is it referenced in a procedure?

Is this list really "part of a training document" or was it just a list someone had?
Is it referenced in a procedure?

It was a hand-out I used in a training class the week before the audit. It included the quality policy, an overview of the interaction of processes, and this list of where folks could find records (so they could produce them if the auditor asked). It was not comprehensive because most of the staff didn't really need to know how to produce internal audit records, for example. The document is not referenced by any procedure, and from my perspective, is NOT a key part of the QMS. As I said, it was just a training aid.

Oops, sorry!

It was ISO 9001:2000

Thanks,
Rene

No problem Rene, and I moved your thread to the ISO9001:2000 board.

The one I'm fighting with now says, "The list of controlled records presently is part of training document and not appropriately included or controlled as a key document to the QMS. In addition, the listing does not appear to address all necessary records required by the standard."

I have had similar situations in the past. I log in the registrar's action item into my system, initiate our internal CAR, then I clearly state that the auditor mistook a document for something that it is not. There is no containment, no corrective action, no nonconformance. There is no requirement for a master record list. The registrar's finding is invalid..close the CAR. I win those everytime. :D

It was a hand-out I used in a training class the week before the audit. It included the quality policy, an overview of the interaction of processes, and this list of where folks could find records (so they could produce them if the auditor asked). It was not comprehensive because most of the staff didn't really need to know how to produce internal audit records, for example. The document is not referenced by any procedure, and from my perspective, is NOT a key part of the QMS. As I said, it was just a training aid.

Then I think the finding is not correct even though you "accepted" it by signing off.
Answer the nonconformance by saying someting along the lines of "upon further review it was determined that the paper in question was not, in fact, part of a training document as documented in the finding.Rather, it was a quick reference used to make a point during a presentation and served no further purpose."
Compare it to a powerpoint presentation, only the old fashioned way - a handout.

I think in this computer age a lot of auditors assume that if it's on paper it's a document and would never question a powerpoint with the exact same information.

Good advice. But in the future, you should use the debriefing and exit meetings as your opportunity to clarify these issues, BEFORE the auditor leaves your premises. It is much better to discuss this with the auditor while s/he is at the site, rather than correspond later via email, or appeal for a NC to be voided.

Good advice. But in the future, you should use the debriefing and exit meetings as your opportunity to clarify these issues, BEFORE the auditor leaves your premises. It is much better to discuss this with the auditor while s/he is at the site, rather than correspond later via email, or appeal for a NC to be voided.

Typically, I dispute the finding right at that moment during the audit! The auditor does not always understand what was presented because the auditees present the facts unclearly to the auditor. But if it gets in the report, then I do what I stated in the previous post.

:thanks:

Thanks for all the speedy replies!

It is my first audit, and like I said, I didn't really get the idea that I could dispute the findings until I started reading the posts here at the Cove. (I'm still not sure I'll get it past "Top Management" who may not want to rock the boat.) But I am of the opinion that it has to work for us, not an auditor. Besides, I'll end up being the one who has to keep up with a master list of records!

And I'll never count on an auditor answering my emails again, I've yet to get a reply from him!:(

Ah well, I've learned a bunch!

:thanx:
Rene'

Having a master list of records is really not all that bad. I have one. I had a choice to eliminate it when we transferred from QS-9000 to ISO 9001:2000. I access it on occasion or when it needs updating. But when I have needed to refer to it, it has been helpful.

First: your signature meant only that you received the NRs from the auditor - not that you agree with them.
In the future, after the auditor has stated his findings in the closing meeting, thank him for performing his audit in a professional manner, and say something like the NRs have brought several things to light that we need to consider. Though we do not agree at this time that all the NRs are correct, we will review our procedures and the standards carefully and provide a written response for each nonconformance written.... After he goes away, sit down and put on your "auditor hat" to look at each thing he wrote and determine if it is correct - if it is, fix it promptly and send him the objective evidence. If he was wrong, document why it was wrong. If he mistook what he was seeing, state that this in not a nonconformity because... and quote chapter and verse. You may need to include a statement about your failure to show the auditor your procedure that covers the requirments. But be politic in your response -- you may get the same guy next year. I have submitted such responses to several certification auditors under ISO 9001, ISO 13485, and ISO 17025 and never had a problem.

About records: you'll need a matrix showing the minimum training requirements for employees/job description. The matrix is a controlled document and that may have been what your auditor was looking for. You also need records showing that the training has been performed. And evidence that you review the matrix on a periodic basis to verify it remains complete and applicable. And evidence that the training for each employee is reviewed on a periodic basis (annual performance review?), and especially when there is a change in job function.
You must have a controlled list of all quality system (SOPs) and product-related procedures/drawings etc. that shows the current revision and where controlled copies have been sent. The list of product-related documents is called the Valid Documents List (VDL) and should be posted where all can verify the document they have in their hand is the correct version.
Even better, but not always appropriate is an online VDL, and make only make current documents available on-line.
Don't be afraid of controlling documents and records. My rule on controlled documents/records: If you might have to show this document to someone in the future, slap a document number & revision indicator on it and file it. The VDL & filing cabinet has saved me more than once!
We assign project-specific numbers followed by a sequential number, database the doc title and number, and print a VDL to keep by the file cabinet so things can be found quickly. (Our quality-system project number is 00000) Setting up such a system takes an investment in time, but inproves efficiency ($$$) in the long run.
If you have the money, buy commercially available document control software. (We wrote our own, but unless you have super software folks that understand quality systems, don't try)

Typically, I dispute the finding right at that moment during the audit! The auditor does not always understand what was presented because the auditees present the facts unclearly to the auditor. But if it gets in the report, then I do what I stated in the previous post.

Just on a lighter note ......

We had a Customer audit last week. This audit team consisted of 2 teams who were auditing their checklist requirements.

One auditor during the closing meeting gave us a NC which was totally baseless. It so happened that the similar point in a slightly different manner was reviewed by another set of auditors.

We were providinf clarifications that its not a NC but this guy was not at all agreeing. Even we had a show where the auditors were internally arguing among themselves.

Finally we gave up and said its ok we take it as a NC as we didnot want to have bitter experiences.

About records: you'll need a matrix showing the minimum training requirements for employees/job description.

You must have a controlled list of all quality system (SOPs) and product-related procedures/drawings etc. )

Sorry RSantos - but where is the shall for this.

Training matrices and lists of controlled documents are not a requirement of the standard.

Don't be afraid of controlling documents and records. My rule on controlled documents/records: If you might have to show this document to someone in the future, slap a document number & revision indicator on it and file it. The VDL & filing cabinet has saved me more than once!


Controlling documents that don't need to be controlled is wasteful. The test you propose--"If you might have to show this document to someone"--could potentially apply to every piece of paper in the building, because if you don't think anyone will ever have to see it, there's no point in even keeping it, let alone controlling it. Formal control procedures should be reserved for documents that can be expected to change (in order to maintain history, and insure that only the most recent versions are used).

Filing systems for records should be designed such that retrieval is simple, in the event that someone does need to see them. No list is required.

Sorry RSantos - but where is the shall for this.

Training matrices and lists of controlled documents are not a requirement of the standard.

List of controlled documents: Not a “direct” Shall. But objective evidence is needed to show compliance with the organization’s procedure that was written to comply with ¶ 4.2.3 (Control of documents)

Also most, not all, companies use documents (drawings, work instructions, etc.) in production and service. If such documents are used, then they will need to be current.

I don’t know of a way to demonstrate compliance without a list of what has been controlled.


Training matrices: True, there is not a “direct” Shall. But objective evidence is needed to show that:
The organization has determined the necessary competence for personnel performing work affecting product quality and has provided training or taken other actions to provide these needs. ¶ 6.2.2 a, b

When the organization has established a matrix of what each job function/description needs for training, then it’s up to the auditor to prove the matrix is incorrect.

Example: Machinists - Most auditors expect each employee who handles product to know how to initiate product Nonconformance Reports. But, if Inspection Personnel initiate all NRs and handle the routing, approval, correction, and verification processes, the machinist won’t need training on those processes.

List of controlled documents: Not a “direct” Shall. But objective evidence is needed to show compliance with the organization’s procedure that was written to comply with ¶ 4.2.3 (Control of documents)

Also most, not all, companies use documents (drawings, work instructions, etc.) in production and service. If such documents are used, then they will need to be current.

I don’t know of a way to demonstrate compliance without a list of what has been controlled.

Note that the subject was records and not controlled documents, per se. There may be times when a list of controlled documents might be useful, but it's not a requirement, and there isn't a good reason that I can think of to control records (the forms used for completing records perhaps, but not the records themselves).


Training matrices: True, there is not a “direct” Shall. But objective evidence is needed to show that:
The organization has determined the necessary competence for personnel performing work affecting product quality and has provided training or taken other actions to provide these needs. ¶ 6.2.2 a, b

Again, a matrix might be helpful, but it's not required, and even if a matrix is used, there's probably no need for control.

Example: Machinists - Most auditors expect each employee who handles product to know how to initiate product Nonconformance Reports. But, if Inspection Personnel initiate all NRs and handle the routing, approval, correction, and verification processes, the machinist won’t need training on those processes.

This sort of thing can be included in job descriptions, without having to keep and maintain a matrix.

So much good advice so far.

But I sense some conflicting messages. Let's clarify the hierarchy of documentation.

1. Standard is the ISO/whatever that you are registering to.
2. System manual (Quality, Environmental, Safety) is the organization's master document. It has the highest altitude description of the system and refers to process documents that comprise the system.
3. Process documents describe the processes. The link to other process documents by listing them in some workable way, and basically explain the process workings and controls.
4. Appendices/Attachments to these documents are shown and describe operational details. Required forms to validate system controls are also listed as Appendices/Attachments. However, not every form in use needs to be listed, arguably unless it serves a critical
purpose.
5. Records show that something has been done. They do not need to be specifically called out in the process documents or appendices, but they could be. They do not need to be controlled unless there's a call out for such control somewhere, or if the absence of that control would cast suspicion on the system's integrity.

The unspoken requirement here is to clarify what document serves what purpose, and has what level of control. If the naming or control hierarchy is unclear, that could be the basis of your auditor's complaint.

As much as I would like to say, "The auditor shouldn't be able to leave without a response to this issue," it's easy to let the moment go by and I would very possibly do the same.

In such a case it's all about recovery:

First, define what these documents were for.
Second, identify what the auditor thought they were for.
Third, write a proposed remedy for the problem--if it's a misunderstanding, write a remedy to clarify the documentation in order to eliminate potential misunderstanding.
Fourth, submit and counter-negotiate, or act on what the registrar says. Please note that I did not merely say "what the auditor says" although that is the first step and should be enough. Start with the auditor, and if those discussions fail you could raise the question with the auditor's company, the registrar.

I hope this helps!