Responding to Customer Audit

[Golfman25]

We are ISO 9001. Customer does an audit based on ISO 9001. No real issues, but the customer wants a response on a few items. So I am looking for ideas on how to respond to a customer audit where the customer has their own view or requirement beyond what ISO actually requires.

So for example, 9.3 Management Review. They want actions which result from these reviews and cited that we have no "documented" action items -- which wasn't 100% true as we had a note for Purchasing to review some delivery data and update. I think she was looking for corrective actions or something.

Similarly, internal audits didn't have any issues requiring corrective actions. So they want a response regarding the effectiveness of the internal audits. (of course she didn't find anything noteworthy either).

Or as part of 7.2 competency, they wanted annual employee reviews (since I have a senior staff, they are done less frequently). And operator training records that they were trained in inspection, which they don't do.

I don't really want to contest, but I don't want to do extraneous things either. Not sure how I "document" something that wasn't there? So I need some tap dance lessons. Thanks in advance.

 

[Bev D]

I would simply put in writing what you've explained here - maybe a bit more detail or evidence. Maybe explain why you don't think any additional action is required on these specific 'issues'... I would actually treat these as OFIs. Do thank the auditor for their thoughtful suggestions/input...

 

[geoffairey]

For Management reviews, If there are no actions, there are no actions. I’d state as such to the customer.

TBH if I audited a 9001 system and there were no findings from any internal audits, I’d feel like something wasn’t right. If you feel the internal audits are effective, you’ll have to fight your corner.

Does your QMS say you’ll do annual staff reviews? Nothing in 9001 days you must.

and if the Auditor misunderstood your training matrix, make them aware of that. Why would you train people in something that they don’t need for their role.

 

[Golfman25]

For Management reviews, If there are no actions, there are no actions. I’d state as such to the customer.

TBH if I audited a 9001 system and there were no findings from any internal audits, I’d feel like something wasn’t right. If you feel the internal audits are effective, you’ll have to fight your corner.

Does your QMS say you’ll do annual staff reviews? Nothing in 9001 days you must.

and if the Auditor misunderstood your training matrix, make them aware of that. Why would you train people in something that they don’t need for their role.

So we are small company with long term employees. There is no reason to think we would find non-conformances during an internal audit. We hit the big stuff that matters -- lessons learned over the years. We can make up "findings" if that makes people think we are more effective.

The other "requirements" are what they were looking for relative to compliance (not ISO requirements in and of themselves). I.e.; wanted to see annual reviews to verify competency.

 

[Bev D]

stick to your system.
annual reviews are only one way to 'verify' competency. They are actually just a documentation of what was assessed...
I wouldn't expect a small company with long term employees to have many findings at all.

 

[greatwhitebuffalo]

"I wouldn't expect a small company with long term employees to have many findings at all." - We certainly fit this bill as well, we farm out our internal audits and did have some findings for the first time this past year, from a hungry auditor who was excited to visit us for the first time. Even our Registrar has never given us more than a couple of OFI's, and we've been with them since 2018. Objectives are met, customers are happy. If it ain't broke...

 

[geoffairey]

So we are small company with long term employees. There is no reason to think we would find non-conformances during an internal audit. We hit the big stuff that matters -- lessons learned over the years. We can make up "findings" if that makes people think we are more effective.

The other "requirements" are what they were looking for relative to compliance (not ISO requirements in and of themselves). I.e.; wanted to see annual reviews to verify competency.

None of my points were a criticism, like I said. If you’re confident, fight your corner. Don’t make work just to satisfy the auditor.

 

[dramman]

Customer audits are always tricky. Part of dealing with this is understanding your power in the relationship. Can they do anything if refuse to do what the auditor wants and simply justify your position?

 

[Mike S.]

Like dealing with incompetent registrar auditors, dealing with incompetent customer auditors is a frustrating exercise. In a case like this, I usually struggle finding the right (nicey nicey) words to say "there is no requirement in XXXX (whatever standard) for what you are requesting. We handle such situations in this manner...."

 

[Ed Panek]

My perspective is as a medical device start-up. We DO JUMP through customer hoops where it makes sense for us to do so. In medical the QARA folks can hold up a project. Our investors would blow up if they found out we refused to undertake a 3 day project for a multimillion-dollar $ contract. Depending on your industry this approach may not make sense. Also, consider the size of the customer. Refusing addressing items may be a huge headache especially if the company is siloed and gigantic.

Im assuming this is not a risky product.