Auditing Against Criteria Unfamiliar to Auditee - Yea or Nay?

GStough

Leader
Super Moderator
So, I need a reality check from my fellow Covers. First, let me preface this by saying that I work in the medical device industry and have for years. I've been auditing suppliers for 5 years, using both ISO 9001 and ISO 13485, as appropriate. I've always understood that the auditor must use criteria known to the auditee (registered to ISO 9001, audit them to ISO 9001, etc.) and not something with which they are unfamiliar.

In an industry where some suppliers are registered to ISO 9001, some registered to ISO 13485, some registered to both, and still some not registered to either, would you say that it is fair practice to audit a supplier registered to ISO 9001 against ISO 13485 requirements? I'm just curious to see what others may think is appropriate here.

Thanks in advance....:bigwave:
 

ScottK

Not out of the crisis
Leader
Super Moderator
The way I see it, having been an auditee far more than auditor, is that you need some criteria to audit against but you also need to understand the limits you may be facing.
If you were to come to my current organization with an ISO 13485 checklist I'd point out that we're not ISO 13485 registered so I'm not going to be compliant with some of your criteria. But as we are ISO9001 most of the core things will be there and you're free to offer up opportunities for improvement that I may or may not choose to implement if not required by 9001.
And at that point you may point out that some of these requirements are very important to your company and we may lose out on future projects if we don't implement something to satisfy those requirements.

Then it becomes a business decision for my company to implement or not, and a business decision for your company to continue doing business with us knowing we're not meeting your requirements 100%.

As an auditee I always ask for a full audit agenda so I can review and be ready with explanations for any gaps in expectations.

I ran into this A LOT with our past employer having pharma companies coming to audit and expecting a full cGMP compliant setup in manufacturing and full GLP compliant setup in the labs. And we just weren't, as you know. More often than not I would get an audit agenda saying that a customer is planning on auditing to Part 210 and Part 211 and would have to put the brakes on. (Not that that stopped some from citing those regs anyway)
 

GStough

Leader
Super Moderator
Spot-on, Scott! Exactly. :agree1::yes: This is what I would expect, as well.
 

Eredhel

Quality Manager
I agree. It's common for our industry, CNC machining, to be audited by customers with typical scope defined audits to a certified standard that can result in occasional findings or opportunities for improvement that are outside those scopes. When it's a customer audit we do that balancing act thing and use political capital to push back when we feel it's necessary. But for certification audits? I'm a "show me the shall" kind of guy.
 

Sidney Vianna

Post Responsibly
Leader
Admin
What is the objective of the audit? Identify gaps of conformance? Develop a supplier? Approve a supplier?

The audit criteria is normally set by the audit client, but there is very little benefit in auditing an auditee organization against a criteria they never intend to ascribe to, in my opinion.
 

GStough

Leader
Super Moderator
The objective of the audit could be to qualify a potentially new supplier, routine surveillance, for-cause - these are the usual objectives of an audit here, depending on the scenario.

Thanks for the input, Sidney...:agree1: :cool:
 

Ninja

Looking for Reality
Trusted Information Resource
I might consider (having never been a formal "auditor", but sending others out to do it):

Table out the results in three columns: Your company requirements, ISO9001, ISO13485.
...especially if you're not sure what basis later decisions may be made upon.

If they pass all three in an area, great.
If they are 9001 but not 13485 in an area, you've established the line.
If they fail all ISO, but still meet your company requirements, you've established the line.
In that way, you have the clearest information for later consideration (perhaps by others) as to whether to use them as a supplier...or what changes to ask for.
:2cents:

Add: This would likely mean that you DO audit them against a standard they may not know or strive for...but you do not hold them directly accountable for falling short...it is simply used in the decision making process later..."evaluation" instead of "audit" if you will.
 

GStough

Leader
Super Moderator
I like your approach, Ninja. Thank you very much!
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
When doing contracted supplier auditing on behalf of a national organization, I was interested to find it had very little to do with the standard; it was almost wholly about customer requirements.

Since 9001 requires us to determine what the customer expects (in my case cleanliness of operational areas and material-contacting equipment, material traceability, and protection against material cross contamination) and make arrangements to provide, the actual standard turned out to be a distant second where criteria were concerned.

This tends to drive the suppliers wild, but it is after all about contracting to provide product and/or service, which is of course something people agree to try to do so... here we are.
 

GStough

Leader
Super Moderator
Good point, Jen. In situations where there aren't any supplier quality agreements, though, we do the best we can with the tools we have on-hand. There are some suppliers who are not registered to any standard, so when an audit is required (yes, we have criteria for this), we use internal procedures and any documented agreements that may be in place, PO requirements, etc.
 