Recent ISO 9001 Re-registration Audit Questions

[mcgilla]

Hello everyone,

I'm actually looking to get some feedback on interpretations of a few things. We've just gone through our re-registration audit late last week. And while we didn't get any findings, our auditor's style is one that he hints towards things he's going to look at during our next surveillance. He was auditing our production processes and asked a few employees what our Quality Policy means to them. I wouldn't have given any better responses than many of my workers, however they didn't mention "continual improvement". Our policy states that, of course, but I feel this is getting to a nit picking stage of auditing our company. I don't see where it can be interpreted as needing to say those exact words. That's what I'm wondering about in your interpretations.. do my employees "HAVE" to say continual improvement. When my workers were questioned by our auditor about continual improvement, they all agreed that's what we do all of the time. It's a normal environment to them.

Second comes to another critical area of the standard.. Internal Auditing. He got hung up on "reporting results" meaning literally writing a report. I interpret that differently in that if I can report on the results in management review, that satisfies the standard. He specifically wanted observations, findings, recommendations, opportunity for improvement all on a report. The dynamic of our management staff is not one of fluff. We tell each other what was found, assign people who handle the task/action items, report the closing date, verify the action and discuss. What was not necessarily captured is our "discussion". Am I being too simplistic in my interpretation of reporting results. We've found that simple really allows for a great system. Our staff wears many hats, as I'm sure most everyone's does, so I'll have a mutiny on my hands if everyone has to read/write a lengthy report outside of management review of our system.

I appreciate any feedback.

Ed

 

[lk2012]

Hi Ed,
your Auditor was having a bit of a grumpy nitpicker day wasn't he?

On the quality policy situation, I'd just add it to your colleague's training - you can even say that it's something the Auditor wants to hear. We have a similar situation, everyone's got to rattle off 'Zero Defect Policy' in that exact wording because that's what Volkswagen and the likes expect people to hear. :ca:

As for the internal audit reports - do your reports clearly show:
- audited department / process
- clauses you audited against
- audit findings
- observations / opportunities for improvement
- non-conformances
- corrective actions (or link to associated corrective action report) incl. responsibility
- sign-off

If yes, that should demonstrate the audit reporting process. You can always show supporting evidence such as minutes of meetings / progress reports / communication in emails... I know it's really difficult when the organisation's quite small and people really have to better things to do at work than fill in reports and forms. Give it a go and see how your Auditor likes it.

Worst-case scenario, you can always ask the Registrar to delegate your audit to a different auditor on the grounds of unprofessional conduct. Don't suffer in silence.
Good luck :
Lil

 

[Jamie_]

Has your auditor mentioned the lack of internal audit reports before? I personally have always had our auditors do audit reports along with issuing C/PARS if needed. IA reports are such an inherent part of the process to me, it never occurred to me that some don't do them - so I'm wondering if they said anything at any previous surveillance audits?

Fwiw audit reports don't have to be a nightmare. I personally write a detailed report, because that's how I like to do it and my handwriting completely illegible so I'd need to type my notes up anyway. But for my auditors who take well organized and legible notes the audit report can be a brief summary and refer to notes.

Questioning about including continuous improvement in their answers is weird to me. When he questioned them they affirmed you have this covered, so why does it need to be in their initial responses? To me that would seem to encourage coaching rather than assessing their genuine responses. Sounds counterproductive to me.

 

[mcgilla]

Lil,

Yes, he was definitely having a grumpy day. The auditor mentioned that after auditing in Asia where, when you ask about the quality policy that is 1 page long, everyone stands at attention and recites it word for word, that there's no excuse for not being able to describe it in their own words. Yes, definitely grumpy.

In terms of Internal Audits, it's been a work in progress, it was cumbersome before and we're definitely leaning it out and trying to make sure we get everything we need, but also that it's something of value. No one wants to do anything that doesn't help the company, that's the thing he hasn't really grasped yet and since he only see's us as a snapshot audit instead of living what we do... ok now I'm writing a book, but the list of things for "reporting" I can see where I can improve things a bit and keep it lean.

Jamie, this was the first mention of it, nothing at previous surveillance audits. About two years ago we updated our procedure to this format and all was well. I won't pick on this particular auditor, we've had several during our registered time that will compliment our process one audit and then pick it apart the next. Probably the most inconsistent lot of people I've ever had to deal with. Had he started mentioning a non-conformance, I would have argued. But in referencing the standard to look to improve our process, it just says "reporting results" that doesn't mean a report to me, just a communication of those results. But I think Lil has got my gears turning for the streamlining of things.

Thanks for responses thus far.
Ed

 

[lk2012]

I know exactly what your auditor meant by people standing up to attention rattling off the policy word-by-word. He forgot to add that they might not always understand the real life use of it though.
As an Auditor, I'd rather see people understanding the gist of the policy and telling it in their own words, or even better in their own actions, than mindlessly regurgitating words.

Good luck with your streamlining, let us know if there's anything I or other Covers can do to help

 

[Jamie_]

A page long and they can recite it? I have ours printed on cards and everyone keeps one in their plastic ID pocket. Ours is 16 words long and I'd quit before I'd attempt to get everyone to memorize it, much less a page. That's terrifying!

I really like your approach to make sure what you're doing has value - nothing will get people to ignore procedures faster than a lot of busy work done solely for the benefit of the registrar - it has to mean something.

 

[pldey42]

If it's any help, clause 5.3.d requires the quality policy to be communicated and understood; it doesn't say, "and recited verbatim."

Clause 8.2.2 does require records of internal audits to be maintained and that's typically done with reports or a spreadsheet or database of findings (nonconformities etc.) not so much for auditors, but to enable corrective actions to be tracked to closure and for trend analysis, for example the same NC recurring; if it's all done verbally (and the OP seems to suggest that it is) there's a risk of things falling between stools, even with the best will in the world. If it takes an hour to interview someone and there's a nonconformity, it surely only takes a few minutes more to write it up - one sentence to quote the requirement and another sentence for the nonconformity. together with the evidence.

E.g. Clause 5.3.d requires the quality policy to be communicated. Of 12 people interviewed, 6 said, "What quality policy?" Not that, in this case, they did.

Pat

 

[mcgilla]

If it's any help, clause 5.3.d requires the quality policy to be communicated and understood; it doesn't say, "and recited verbatim."

Clause 8.2.2 does require records of internal audits to be maintained and that's typically done with reports or a spreadsheet or database of findings (nonconformities etc.) not so much for auditors, but to enable corrective actions to be tracked to closure and for trend analysis, for example the same NC recurring; if it's all done verbally (and the OP seems to suggest that it is) there's a risk of things falling between stools, even with the best will in the world. If it takes an hour to interview someone and there's a nonconformity, it surely only takes a few minutes more to write it up - one sentence to quote the requirement and another sentence for the nonconformity. together with the evidence.

E.g. Clause 5.3.d requires the quality policy to be communicated. Of 12 people interviewed, 6 said, "What quality policy?" Not that, in this case, they did.

Pat

Information in spreadsheets and nonconforming databases exist with regard to any issue. The auditor wanted a written report on the audit, much more than even the few sentences you suggest. I questioned adding a bit more detail to where we already log our internal audit items, actions, completion dates, responsibility, etc. and he wanted a report. He's writing a report to give to my organization, our auditors need to write reports.

I'm not arguing against any suggestions by any means, just his interpretation of what reporting results required. We've had this gentleman for a couple of years now, I know our registrar will circle a new auditor in within the next year or two and I'll get to learn the new person's tendencies. He had just never brought it up as an issue in the past few audits, until last week.

I'll need to ask more questions in the future and not just be the occasional lurker.. great feedback!!

 

[somashekar]

I questioned adding a bit more detail to where we already log our internal audit items, actions, completion dates, responsibility, etc. and he wanted a report.

I am wondering what actions you mean here ...
Are they the audit outputs., the conforming and non-conforming situations with your audited sample information ?
If you do not have these, then you are not having records of audit.

 

[mcgilla]

We do have those, records was not an issue, there are plenty of records, the issue and discussion was lack of a written report. My question to the auditor was basically if I put the information on our spreadsheet instead of in two different electronic formats, if that would satisfy his need for a written report. He really wanted a narrative of every conformance and non-conformance. For instance, he left 8 bullet points with me on our effective processes and areas for potential improvement. I will get no less than a 10 page report from him listing document numbers with revision information and the narrative of his conversation with the people he audited.

Our internal dynamic is not that narrative, we like points of interest, fix them and check their effectiveness. I just have to meld that with a little narrative into our system and I'll argue all day that we absolutely meet the requirement.