Can we close an audit NCR by not taking any action:

Clause 8.2.2 Internal Quality audit requires action taken without undue delay.

My question is is it neccessary / possible to take corrective action for every NCRs?
If auditee feels the NCR refers to a less priority area as per his scheme of thinking can "inaction" be an action to facilitae closure of an NCR? In such a situation what precautions must be taken by the auditor prior to closing such NCRs?

Looking forward to the experience and comments of list members.


Anilkumar

This is a ticklish situation, not knowing the details........and all depends on the details and such,,,But that said... YES ....a consious decision can be made to do nothing, but must be clearly documented.....and cannot be a NC to a shall of the standard. An example I can site is: A NC was issued where a door to the cleanroon gowning area didn't shut properly ( a slight gap in the seal)...to prelace the door would have cost thousands of $$$. the particle counts were well below the control limit (other factors too, that i left out like they had already tried to fix it) So the company decided to do nothing until triggered by a raise in particle count...taking a calculated risk that the cost of inaction was much lower than the cost of action, and wouldn't effect product... then was bumped up and approved at management review.

Another option is to have the nc proven invalid....if its not an important issue...as in more of a PA from an observation?

Ticklish to say the least.

Here is a thought or two:

First, if an auditor issues a deviation request, the auditor must be certain one exists. As such, corrective action is required.

In Barb's example, the deviation request may have been issued too quickly (taking a risk here without the facts). For instance, the crack existed but did a nonconforming situation exist (were partical counts different than a week/month ago)? Perhaps this is a PA opportunity? If a problem did exist but the cost too excessive and available tracking (back up system) system in place, then a letter to the file stating that operations are minorly impacted and does not present a dangerous environment (controlled environment).

Second, many organizations issue deviation requests too liberally. This generally leads to an overburdened CA program. People are trying to eliminate everything as if each case were caused by a Special Cause. As such, many deviation requests go unanswered and before long, the CA administrator begins to close out the requests without action. Honestly, it is the right thing to do provided each is reviewed for merit and is done after Management Review agrees that this is the right thing to do. Nonetheless, it makes for an awkward moment or two when the registrar comes by for a visit. I should mention that those deviation requests that are closed out are almost always those not related to an audit. As I stated earlier, auditor's need to be sure that a problem exists before issuing a request for action. As Barb noted, those that tie into the standard or your own procedures should never be closed out without action.

Regards,

Kevin

ISO 9001:2000 CL 8.2.2 - .... ACTIONS ARE TAKEN ... TO ELIMINATE DETECTED NON CONFORMITIES..."

So if audit report gives in addition to NCRs other observations - say opportunities for improvement" how is it generally handled?

Anilkumar

No action on an NC is OK so long as the justification is documented and is valid, and possibly accepted by the person raising the NC. If this came out of audit the auditor perhaps should look at how he decides on when to raise NC's, and curb his over zealous pen accordingly.

Jim and Kevin are both right, corrective action should not be required on every single instance of non-conformity detected (whether concessed or not). Pareto analysis is a valid quality method for targeting corrective action. Also as Kevin stated common and special causes of non-conformance are two distinct different animals and require a different approach.

P.S. an opportunity for improvent is by definition not a non-conformity, as such does not HAVE to be tackled in the same way.

anil2187


I agree with the others here. But do be careful.

You stated:
"If auditee feels the NCR refers to a less priority area as per his scheme of thinking can "inaction" be an action to facilitae closure of an NCR?"

I think "inaction" would be the wrong approach however. This implys ignoring the concern. Look at how you review your NCR and use this as your action. For instance (using Barb's "door" example):

"Reviewed NCR with appropriate management personnel. Air quality records have been reviewed. Records indicate low risk in this situation and monitoring schedule is appropriate. No further action is required at this time."

Such an answer demonstrates that you have addressed the concern without actually having to spend a large amount of time and money fixing something that isn't critical.

One thing I learn more about every day is the effective use of verbiage. It is a lot of what all of this is about.

James:thedeal:

anil2187 said:

If auditee feels the NCR refers to a less priority area as per his scheme of thinking can "inaction" be an action to facilitae closure of an NCR? In such a situation what precautions must be taken by the auditor prior to closing such NCRs?

Anilkumar
I agree with James. To me "inaction" means the NCR was given to you and you threw it away without reading it. Reviewing it, and mybe investigating a little, and deciding that no further action or specific corrective action is required is not "inaction". There is a rock and roll song in the US that has the following line which I think applies here "If you choose not to decide you still have made a choice".

We've tackled this one in the Cove before in the last few months -- maybe a search will help you find other info.

anil2187 said:

ISO 9001:2000 CL 8.2.2 - .... ACTIONS ARE TAKEN ... TO ELIMINATE DETECTED NON CONFORMITIES..."

Anilkumar

I think you have this mixed up with 8.3 (a) under Control of nonconforming product. Non-conforming product must be dealt with according to your procedure for this : scrap, rework, repair, use with concession...

Our CA procedure allows for a postponement of "long-term corrective action" which is kin to "no action". After taking short-term corrective action (which is in actuality a correction) , the nonconformance is reviewed for long-term corrective action (to prevent the recurrence - which is what CA is all about). After determining what it would take to accomplish this, the mgt. team can decide to take a "sit back and watch" approach rather than implement the changes. Too $$ or too much effort vs. results...the typical reasons. This is shown on our process chart as well as written into the procedure.

The CA procedure has not been implemented yet (long story), but after reading everyone's posts here in the Cove, I think it is on target and is workable.

Yes Lucinda.

In a previous life we used to escalate corrective actions for which there was no quick fix, due to requiring significant resource or finiancial input, into Quality Improvement Programmes.

It was a bit of a bottomless pit however !

Anil,

Audit 'observations' in relation to minor nonconformances in the program/system are points to be audited on future audits. Not taking action on an observation will likely lead to a deviation.

Jim,

Keep in mind that auditing guidelines requires that the auditor establish objective evidence of the deviation in the program or system. As such, it is safe to assume that the auditor has uncovered a problem. The auditee is afforded the right to contest a finding (minor or major) during the closing meeting and may elect to forward their concern to a higher authority (client or auditor management). After exhausting channels or by not exercising there option at the closing meeting, any deviations issued must be addressed. This means for the most part, closure. However, as others have said here, if cost factors are prohibitive (expending resources will close the plant), one can enter a letter as to why closing the deviation will produce greater immediate harm to the organization than it will be to monitor the issue (place a patch on the leaking tire until you can replace it). Still, you will have to remedy the problem effectively (perhaps 100% inspection until the deviation can be properly closed out). Nonetheless, the deviation remains open despite the innaction. In Anil's case, the deviation was cited by audit, so my assumption is that the auditee had this opportunity to contest.

Deviations noted by other means (not by audit) are typically the type of deviation that I have seen closed out without action taken. I believe that this is, for the most part, because a formal opportunity to contest the finding is generally omitted from the process. I accept this thinking as it isn't always possible to have a meeting. However, in tracking systems I have created, I have created risk rating system that never really closes out the deviation but rather keeps it in an open state with an indefinite due date. I do this normally to track suggested problems to stratify the data and determine if some may point to a system deficiency. When they do, I elevate on request for action and footnote the others. Once this is satisfactorily closed, the rest are too. From my perspective, until a trend can be spotted, events may be more akin to Common Causes than to Special Causes.

Just some thoughts...

Regards,

Kevin

Kevin,

Thanks. It is a good idea .

Anilkumar

Also Kev you seem to talk only in terms of 'deviations'.

A deviation is a disposition of a non-conformance, which might also be rework, repair or scrap.

Also I have never known a deviation issued from an audit finding. :confused:

Jim Wade said:

Hi Kevin

Are we perhaps at cross purposes here?

I THINK we are talking about internal audits (you know, between cooperating colleagues seeking practical improvements).

Your reply is peppered with registrar jargon which, IMO, has no place in internal audits (minor nonconformances, auditee, closing meeting, right to contest a finding, enter a letter, ...) so I assume you are looking at this from a third party angle?

Just an observation.

rgds Jim

Jim,

I know where you are coming in regards to your post. However, two separate Internal Auditing Training Classes I have attended really put emphasis on the "Meeting", the term Auditee and the other things you mention. Giving the Department Mgr. (Auditee) a chance to rebut the findings, having an agenda, time, etc..It's an organized way to approach an Audit. Perhaps it's a way to prepare employees for a third party audit. It's better than adhoc, informal meetings with no regimen. I know, step outside the box. I can't undo the training our Internal Auditors have had and I'm not sure that there is a benefit to it. The more informal, the less serious it becomes. JMHO:) :ko: :smokin:

Jim,

Actually, my point of reference was from the auditor’s responsibility as generally accepted by most authors on the subject. Auditor guidelines require that the nonconformance be established before requesting any action. It may be as part of a third, second, or first -party audit. While the jargon may be “3rd party rich”, the conduct of the auditor should be the same for each audit.

Martin,

Normally I speak in terms of Minor/Major Nonconformance or Observations/Findings. Our Registrar (TUV) uses the terms Minor/Major Deviations and reserves Observations for comments. While a request for a deviation may be made for a nonconformance, the term deviation may be used to indicate a shift from the established norm. Perhaps this will make my post more understandable? Trying to speak “auditor-ease” makes for frustration for me. I never know how to state it where we all might arrive at the same conclusion.

Sidebar;

One thing that I have noticed is the inconsistent jargon used in the auditing field. Studying for the CQA is a nightmare when referencing more than one author. Some use the terms minor/major deviations while others use observations/findings. Some hold Independence as the most important auditor attribute while others hold Objectivity to be more important. Some believe the audit report should be written “as soon as possible” that to me is unhelpful (60 days might be ASAP). Others say that the report should be written ASAP and delivered to the Client within a week. Others say that the report should be prepared and issued within 30 days. Who is right? Who is wrong? How will you answer these question when taking the CQA exam?

Dr. Deming would say that they are all RIGHT in their own respective worlds. This excessive variance drives me nuts!!!:frust:

Regards gentlemen,

Kevin

[QUOTE] Jim Wade said:

Internal auditing is a different process to third party compliance audit.

It is also potentially much more valuable.



I agree to the views of Jim. Indeed internal Quality Audit gives more opportunities for improvement than third party audits. The defence mechanism works less at IQA...

Anilkumar

I would say the process of auditing should be the same whether internal or external.

The advantage the internal auditor has is probably more time, and possibly a better 'common' knowledge of the systems that mean he doesnt have to go over the same old pre-amble every time, but get right down to the nitty gritty.

Internal audit is a far more useful experience than external audit when done properly, in my humble opinion.

I generally agree with the replies to the original question. Let me put another example to you. While working for a registrar (and no I don't hide my head in shame) a customer replied to a Non Conformity raised by one of our auditors and the response was that they would take no corrective action to the N/C.

I was happy to accept their response because the case was well made as to investigations made and reasons for not taking action. As has been mentioned, if the auditor had followed the trail in the time available then the N/ C shouldn't have been raised.

I can't think of an instance when inaction could be acceptable unless 1) the N/C is wrong or 2) further investigation would have resulted in no N / C being raised, can anyone else?

Jim,

Would the criteria used to issue a CAR be different in an internal audit from an external audit?

Kevin

Jim Wade said:

Also, in this ideal world I am describing, no-one would use jargon like CAR (or audit!) ;)



Ah yes. I know that world. Babel, right? Where no one understands what anyone else is saying because they all have their own individual language.....Where the tower to God failed because of the inability to communicate......

In this "non-ideal" world, we use consistent language so that we can communicate the same ideas. In fact, we all rely so much on consistent language that we seek out consistent definitions and even document them.

I don't see how "jargon" that would replace CAR or audit would be any more understandable or provide any advantage. After all, a rose is a rose is a rose. As long as the definition means the same thing, the connotations to the word are the same. Call it dinglefruit or call it nonconformance.

Come on Jim. I know you like bluesky fuzzybunnyslipper idealism but this is just ....well, silly.:p

I think that we have two topics that have gotten mixed up a bit. The point I was making in regard how an auditor determines if a nonconformance exists and how it is reported. When an auditor is electing to report a nonconformance, the auditor must establish that there is in fact, a finding at hand (conduct a good investigation). Being an internal or external audit has no bearing on whether objective evidence is found to issue a nonconformance. It’s there or it isn’t. Albeit that in the nature of an internal audit, many times the auditee is given a “break” where as in an external audit (especially a third party audit) breaks are harder to come by.

The example given above where there may have been insufficient time for the auditor to be as thorough as needed seems plausible to me. Auditors may make mistakes from time to time as we/they are human. However, in the majority of instances, findings require corrective actions. If an auditor is reasonably sure a deviation exists, they should issue an Observation. If the auditor is absolutely sure a deviation exists, they should issue a Finding. In the case of the Observation, a subsequent audit will follow up in this area and the Audit Plan should provide for adequate time to investigate.

In Anil’s case, a finding was found during an audit. In my mind, since the auditor elected to issue a request for corrective action, objective evidence was most probably collected. It is likely a Corrective Action is necessary in this case unless one of the mitigating factors noted by the folks here is involved.

Regards,

Kevin

I would like to point out that 'action' does not necessarily mean doing something physically beyond taking and documenting a decision. The latter is ALSO an action.

That means that, if analysing an NCR we conclude that for some reasons taking any measures would not be necessary or reasonable, we should just stick to the conclusion until another one is made based upon new evidence.

MHO

Anton

Kevin Mader said:

I The point I was making in regard how an auditor determines if a nonconformance exists and how it is reported. ..... Being an internal or external audit has no bearing on whether objective evidence is found to issue a nonconformance. It’s there or it isn’t. e.



Kevin

Kelvin,

Aim of ISO9001:2K being 1) Enhance customer satisfaction, 2) Continual improvement we need to consider how these addressed in internal audits also:

If auditor is rigid in finding only Non conforamnces from documented QMS/other objective evidence , many a times we may be at the lower part of the quality heirarchy and may not be triggered to move up. In my view intenal audit as per ISO 9001:2000 NEED TO AIM IN DISCOVERING opportunities for improvement rather than limiting with mere non conformances. Since the documentation requirement of ISO 9001:2000 BEING LOW COMPARED to its predecessor , a situation may occur that if the company just meets the requiremt of documented procedure coming out with NIL NCR status. While external certification audit is a binary stage audit ie ok/not ok it may for on "conformance " focussed than on "improvement" focussed.
What are the opprtunities available to trigger/deploy continual improvement:
1) seting SMART departmental / process objectives
2) learning from failures/feedbacks/nonconformances/etc
3)customer inputs
4) Supplier inputs
5)Employee feedbacks/suggestion
6)Management reviews
7)FMEA or equivalent / design reviews..
Assume, the company set soft targets, and there is not adequate data collection on 2,3,4,5&7 and company documented QMS doest not call for it explicitly ,what should the auditor do?

Anilkumar

Anil,

First a question for the group: are we moving away from the original question to the point that a new thread should be started? As Marc raised a short time ago, we should try to maintain continuity and relevancy in our responses. This helps when someone runs a search on a particular item. One doesn’t have to read too many digressions in order to find the information one was looking for. Inevitably, we do get off onto tangents from time to time (generally good, important ones).

I agree with you, Anil, that an auditor’s scope should be inclusive of catching organizations doing things right and a more proactive process. In all honesty, I believe the intent of the auditor is to build objective evidence to support organizational conformance, not nonconformance. A lack of objective evidence is suggestive of a problem or potential problem. Through the auditor’s investigation, the determination can be made as to whether the evidence meets established criteria. When it doesn’t, the auditor must make a decision as to how this will (or will not) be recorded or reported. Auditing guidelines are generally specific in regards this aspect, but as pointed out in this thread, the Internal Audit practice is generally “looser” with reporting (and perhaps interpretation). I don’t know what the value of using “kid gloves” is, but admittedly, I have used them. The aim is to improve and if the aim is clear, folks should not view opportunities pointed out to them as negative. This is hard to accomplish in a Command Control environment.

If the organization establishes soft goals (i.e. to reduce Scrap approximately 2%), most auditors I know would not be satisfied (and most notice inadequate definitions, data collection, and analysis). They like the hard numbers to be established as many like to make the go/nogo decision (comparing last year/months number to the new one). From my perspective, it just isn’t that simple. In a predominantly “results-oriented” business culture, I can understand why this is so. However, unless the “objective” or “goal” is a fact of life, setting the goal in the sense we have learned to do here in the Western Hemisphere is mostly unhelpful. A goal without a method is useless as Dr. Deming had so stated. I agree with him. The answers we seek are in the Process, not the Outcome.

Group: have we answered the question originally posed to us by Anil? Or do we still have questions or differences worth pursuing?

Regards,

Kevin

Jim,

Nice summary: I believe it captures most of what we have stated here. As for the ‘Supermoderator’, well, Marc changed my title some time back as a means to let me know that he turned on some additional moderator rights. I never got around to switching it back and for the life of me, can’t remember what it was to start with. I will have to think of something a less generic and something more like me (Jim Finn already has the label as Sox Fan, so I’ll have to figure out another). But I thank you for the kind words.

Skullslike,

I think that we are optimists, in fact, most of the contributors here tend to be. Being such, we are in the minority in the business place, and for the most part, anywhere else (Quality professional trait?). We want to work on processes for overall improvement where as the tendency in many areas is to lay blame. In almost any Auditor Training class a person might take, the ‘old style’ auditor is often juxtaposed to the ‘new style’ auditor. In days of old, it was a-seek-and-destroy attitude. Police the people if you will. Now, the approach has been to change the stereotype to a positive one. Unfortunately, it appears that folks are stuck with the old style mindset even when the new style is being used.

In a thread started by Barb some years ago, she asked the question about Auditing for Improvement (something close to that). I recall it being a good thread. I agree with your assessment that it is the content within the audit that will lead to the improvements themselves. However, after seeing Jim’s question and your answer, a bulb went off in my head. I would have to say that we could audit for improvement by taking the right approach to our auditing. Perhaps ‘attitude’ is a better word. If we audit with the intent to find objective evidence in support of activities as opposed to finding evidence to the contrary to sink the ship, I believe that we can project the correct image. This is especially true during the Internal Audit where we want a more candid dialogue with the auditee. If the auditee fears reprisal, the effectiveness of the audit will be reduced.

Am I stretching things a bit here?

Regards,

Kevin

JIM,

That was an excellent post on Internal Audit...

Anilkumar

So much discussion on 9001 that 9000 and 9004 are often overlooked. They are both important to the success of 9001!

I will browse to see if I can find Barb's original post and post a link here to redirect those wishing to discuss internal audit in relationship to Continual Improvement.

Regards,

Kevin

Clause 8.2.2 of ISO 9001-2000 does not require corrective action for every internal audit nonconformity, it requires management action.

The possible management actions to eliminate the alluded nonconformity are many including:

1. Improving the audit process to stop nitpicking
2. Removing the unimportant "requirement" from the audit criteria
3. Ensuring that audit nonconformities are agreed with someone who understands the management system

One could also argue that these are preventive or corrective actions. Strangely, one has to read the definitions of preventive and corrective actions to realize that clauses 8.5.2 and 8.5.3 require the causes of protential and actual nonconformities to be eliminated.

Ineffective management action could result in this continuing to waste valuable time so please give me a good reason for not eliminating the cause.

Jim Wade said:

Building on what Kevin just said ...

If we literally, blindly and narrowly focus only on the audit requirements of ISO 9001 , then - indeed - the world is boxed in to compliance. And compliance - although often very important - is only part of the picture of a full and healthy system.

But if we allow ISO 9004 to guide us, a whole new world opens up! We get reminded that:

The internal audit is a management tool - a process not only to assess our systems's strengths and weaknesses, but also to evaluate organizational effectiveness and efficiency. It is one method of identifying areas for improvement.......


....."Internal audit reporting sometimes includes evidence of excellent performance in order to provide opportunities for recognition by management and motivation of people".[/i]

So we can choose!

Internal audits can simply mimic the registrar, to help us be prepared for the surveillance visit - and of course to conform to the "shalls".

Or they can be used [in addition to that] as really intended by ISO 9000 - as a management tool for better business,

rgds Jim


A most ineresting thread. I am beginning to feel like Alice trying to navigate Wonderland.

Jim, I agree with what you are saying above. The biggest point of confusion IMHO is the use of the term audit without a modifier, as in internal audit, or third party audit, or compliance audit, etc.

ASQ defines Audit as:
"A planned, independent, and documented assessment to determine whether agreed upon requirements are met."
And herein lies the second problem, "Agreed upon requirements".

I believe that, by definition, an audit must be a compliance audit. The auditor is to audit to the agreed upon requirements period. Are they doing what they said they would do. If a company wishes to include review for improvement as part of their internal program that is fine. But a third party, registration audit must be held to compliance unless a company wishes for their registrar to include improvement opportunities as part of the audit contract.

We have had so many discussions here regarding registration auditors taking liberties with definitions, shalls vs shoulds etc that we should all see the difficulties in mixing compliance with improvement. As I see it, the only way a registrtaion auditor can have any say on improvement is whether you met your stated goals, and your response if the goals were not met. And the only way that an internal auditor has any say is if improvement assessment is part of the internal audit program.

You refer to Internal audits as being management tools to:
"evaluate organizational effectiveness and efficiency. It is one method of identifying areas for improvement..."

I think that the key here is "one tool". Management should have a number of sources to evaluate efficiencies and the internal audit reports should be one of them. But this does not mean that the purpose of the audit should be for the identifying of improvement opportunities. This is like asking an accountant to find the best way to set up a CNC 5 axis machining center. It is the individual departments who need to find ways to improve, driven by management committment.

Sorry, I find I am getting a bit tangential

Perhaps what we need is to do is commit to not saying audit without saying what type. like the old joke about "d@mn quality people" being all one word. For my own part, in the future I will try to avoid using the term audit in these forums without a modifier.

Keep the great posts coming.

James

P.S. I agree with the super-moderator label Kevin.
JRKH

Jim Wade said:

Since the first post in this thread mentioned clause 8.2.2, I assume that we are talking here only about internal audits.

But I agree that the qualifier is needed. Here are another two to add to your list:

Process audit - from ISO 9004/7.1.2

Bloody audit - from lots of busy people

rgds Jim

Jim,
I'm afraid we don't use "bloody audits" on this side of the pond. Actually sounds more pleasant than some descriptive terms I've heard.

James