3rd Party Audit Finding Not Clear - 4.1 Outsourced Processes

Need a little insight:
Requirement: 4.1 Where an organization chooses to outsource any process that affects product conformity to requirements, the organization shall ensure control over such processes. The type and extent of control to be applied to these outsourced processes shall be defined within the quality management system.
Finding: The QM does not identify the processes that are outsourced.
Question: Is the auditor looking for outsources to be defined IN the manual? That just doesn’t sound right… Thoughts, suggestions?
Thanks in advance

Re: 3rd Party Audit Finding Not Clear

Why didn't you ask the auditor?

There's nothing wrong with asking the auditor questions, it happens to me all the time...48 times this week alone at least

Re: 3rd Party Audit Finding Not Clear

azsportsfan said:

Need a little insight:
Requirement: 4.1 Where an organization chooses to outsource any process that affects product conformity to requirements, the organization shall ensure control over such processes. The type and extent of control to be applied to these outsourced processes shall be defined within the quality management system.
Finding: The QM does not identify the processes that are outsourced.
Question: Is the auditor looking for outsources to be defined IN the manual? That just doesn’t sound right… Thoughts, suggestions?
Thanks in advance

Click to expand...

That is a really interesting finding.

It seems that many auditors from several certification bodies think that you need to define the controls for outsourcing in the quality manual. I truly wonder where it is coming from. The standard DOES NOT require it.

First of all, the standard says that this definition needs to be somewhere within the QUALITY MANAGEMENT SYSTEM. Last time I checked your quality manual was not your quality management system.

Second, the standard says that it needs to be defined. Defined does not necessarily mean documented.

How should an auditor determine that you are fulfilling a requirement when it doesn't require that it be a documented procedure or or that records be kept? Well for sure he should not be asking for a documented procedure or records now should he?

What he should be doing is determining what your PRACTICE is through observation and interview. Did he do that?

Now on a practical matter, it does need to be defined, and a good place to do it is either in you quality manual or your procedures. It is often included along with purchasing however that is handled.

This is a protestable finding. You may find resistance in trying to protest it though since it seems to be deeply ingrained. If you choose to just roll with the punches then simply describe how you control outsourcing through purchasing. The clue for that is in the notes 2 & 3, especially note 3 c. The hard part is going to be to come up with an appropriate root cause for a bogus nonconformance.

Good luck.

Re: 3rd Party Audit Finding Not Clear

Thank you Big Jim for your detailed response.

I personally was not present during the audit and cannot offer the auditor's frame of mind. I've been directed to figure it out so that the finding can be closed, but it is the RC where I'm stalled. The company's wishes are to roll with it as I made a similar assessment ("The standard DOES NOT require it").

The company does not include NOTES of the standard so there is no mention of the extent of controls in the QM. Since there were findings for lack of Risk Management detail (Purchasing included), I'm sure the auditor was taking a serious look while auditing the purchasing process. I think the go-forward is to better describe the controls (ref. the procedure adjacent to 4.1 in QM) in the Purchasing procedure but it is the wording that has me scratching my head... I plan to have a conversation with the auditor but I thought I'd put the question to this fourm 1st.

Thanks for reading.

azsportsfan said:

Need a little insight:
Requirement: 4.1 Where an organization chooses to outsource any process that affects product conformity to requirements, the organization shall ensure control over such processes. The type and extent of control to be applied to these outsourced processes shall be defined within the quality management system.
Finding: The QM does not identify the processes that are outsourced.
Question: Is the auditor looking for outsources to be defined IN the manual? That just doesn’t sound right… Thoughts, suggestions?
Thanks in advance

Click to expand...

It does occur to me to ask if this was a "stage 1" audit? If so, it has a little more credibility. I'm guessing it wasn't, so you could rightly ask your CB management why something so clearly obvious wasn't reported to you earlier - how long have you been certified?

Of course we need to know if you have any outsourced process(es)? It would be a totally bogus finding if you didn't have any, wouldn't it? I see nothing as evidence in the NC statement to suggest that the auditor even spent any time discovering that you HAD outsourced something and didn't have some arrangements in place to control them!

If not at a stage 1 audit, this is a poor, weak, 'gotcha' kind of finding, frankly, which you should reject on the basis of no 'objective evidence' which all, good auditors knows has to be present in an NC statement to make it useful!

I'm guessing that your organization is paying the suppliers of your outsourced processes. If so, there are probably purchase orders or contracts describing what you are asking them to do. These are part of your quality management system and should describe the controls for the outsourced processes. If they don't describe the controls adequately then there should be a nonconformity against the purchasing clause. If they do describe the controls then there is no nonconformity.

Re: 3rd Party Audit Finding Not Clear

azsportsfan said:

Thank you Big Jim for your detailed response.

I personally was not present during the audit and cannot offer the auditor's frame of mind. I've been directed to figure it out so that the finding can be closed, but it is the RC where I'm stalled. The company's wishes are to roll with it as I made a similar assessment ("The standard DOES NOT require it").

The company does not include NOTES of the standard so there is no mention of the extent of controls in the QM. Since there were findings for lack of Risk Management detail (Purchasing included), I'm sure the auditor was taking a serious look while auditing the purchasing process. I think the go-forward is to better describe the controls (ref. the procedure adjacent to 4.1 in QM) in the Purchasing procedure but it is the wording that has me scratching my head... I plan to have a conversation with the auditor but I thought I'd put the question to this fourm 1st.

Thanks for reading.

Click to expand...

You should verify if it is only a documental issue or it is really a problem.
However it is not absolutely a requirement the control on outsourcing shall be documented in QM.
You should ask if the auditor collect other evidences in order to verify how you control outsourcing.
I think that this nsc could be appealed. Pls, indicate which clause violeted.

Re: 3rd Party Audit Finding Not Clear

I apologize for taking so long to respond, there's that whole work thing going on in the background.

It was written against Purchasing (Mr. Howste's assumption is correct).

The actual NCR write-up is: The QM does not identify the processes that are outsourced.

Personally, I think the auditor is way off base but as I mentioned when I originated this thread - I wasn't there. The auditor also wrote an NCR for metrics of those outsourced processes (which was correct) but I'm not connecting the dots with this one...

Re: 3rd Party Audit Finding Not Clear

Are there purchase orders or contracts describing the controls?