Audit Nonconformity on Defining 'Outsourced' Infrastructure Maintenance

[klcuellar]

we're having a hard time identifying the appropriate corrective action for our nonconformity during our last external audit.

the nonconformity states that the control to be applied to outsourced process (Infrastructure Maintenance) was not defined within our Quality Management System.

Infra which includes the Building Maintenance and Housekeeping, and the Maintenance of Vehicles. these two were not currently included in our documented QMS. and as our correction, we'll be including these in our current documentation/QMS Manual.

however, we're having a hard time on what will be our long-term action or corrective action. we need to identify this asap as we have deadline for its submission to our certifying body.

please do comment and share your insights. thanks!

 

[harry]

1. I edited the title of the thread to reflect the nonconformity on your handling of the outsourced process rather than the process itself.

2. 4.1 (General Requirements) of the standard is quite clear on this issue. You would normally extend control to such a process through a service agreement or contract and all you need to mention in your QMS is that control of this process is through a service agreement or contract.

 

[isoalchemist]

Great advice from Harry!

Let me add that they are a supplier so some evaluation is required. Also make sure they are on the Approved Supplier List

 

[John Broomfield]

we're having a hard time identifying the appropriate corrective action for our nonconformity during our last external audit.

the nonconformity states that the control to be applied to outsourced process (Infrastructure Maintenance) was not defined within our Quality Management System.

Infra which includes the Building Maintenance and Housekeeping, and the Maintenance of Vehicles. these two were not currently included in our documented QMS. and as our correction, we'll be including these in our current documentation/QMS Manual.

however, we're having a hard time on what will be our long-term action or corrective action. we need to identify this asap as we have deadline for its submission to our certifying body.

please do comment and share your insights. thanks!

klcuellar,

A Service Level Agreement can work very well where no contract exists.

The SLA specifies the objectives and what each party commits to do in fulfilling the objectives such as points of contact, providing access and reviewing costs before doing any work over a certain amount.

The SLA is a controlled document that may comprise the following sections:

A. Purpose
B. Scope
C. Objectives
D. Party A Responsibilities and deliverables
E. Party B Responsibilities and deliverables
F. Corrections and improvements
G. Audit and review

...or just C thru E.

The root causes for lacking this or similar tool are for you to determine but usually include something along the lines of "outsourced services provided without any problems to date".

Best wishes,

John

 

[Jim Wynne]

we're having a hard time identifying the appropriate corrective action for our nonconformity during our last external audit.

the nonconformity states that the control to be applied to outsourced process (Infrastructure Maintenance) was not defined within our Quality Management System.

Infra which includes the Building Maintenance and Housekeeping, and the Maintenance of Vehicles. these two were not currently included in our documented QMS. and as our correction, we'll be including these in our current documentation/QMS Manual.

however, we're having a hard time on what will be our long-term action or corrective action. we need to identify this asap as we have deadline for ts submission to our certifying body.

please do comment and share your insights. thanks!

You don't say what standard is involved here. In ISO 9001:2008, 4.1 says in part:

Where an organization chooses to outsource any process that affects product conformity to requirements, the organization shall ensure control over such processes. The type and extent of control to be applied to these outsourced processes shall be defined within the quality management system.

Before there's a nonconformity, a determination must be made as to whether the processes in question "...[affect] product conformity to requirements..." A reasonable argument could be made in many cases that the two processes you mention don't apply to this requirement.

 

[Jim Wynne]

klcuellar,

A Service Level Agreement can work very well where no contract exists.

The SLA specifies the objectives and what each party commits to do in fulfilling the objectives such as points of contact, providing access and reviewing costs before doing any work over a certain amount.

The SLA is a controlled document that may comprise the following sections:

A. Purpose
B. Scope
C. Objectives
D. Party A Responsibilities and deliverables
E. Party B Responsibilities and deliverables
F. Corrections and improvements
G. Audit and review

...or just C thru E.

The root causes for lacking this or similar tool are for you to determine but usually include something along the lines of "outsourced services provided without any problems to date".

Best wishes,

John

A "service level agreement," as you describe it, is a contract.

 

[somashekar]

A "service level agreement," as you describe it, is a contract.

I will go one step further.
A Service level agreement or Contract in itself are not controls. These contract papers rest in file and do not exercise any control.
What you have put into the contract in terms of proof that the tasks are done to your satisfaction by the outsourced agency (the Building Maintenance and Housekeeping, and the Maintenance of Vehicles.) periodically and your accepting the same after your review and satisfaction are your controls.
While the agreement may be accepted as a corrective action, the dynamic controls ongoing will be such of these periodic records which also will have your intervention in terms of your review and acceptance.
Make a list of all such records which you wish to periodically review in the agreement, and these will be the records of your control over the outsourced process.

 

[Big Jim]

You don't say what standard is involved here. In ISO 9001:2008, 4.1 says in part:

Where an organization chooses to outsource any process that affects product conformity to requirements, the organization shall ensure control over such processes. The type and extent of control to be applied to these outsourced processes shall be defined within the quality management system.

Before there's a nonconformity, a determination must be made as to whether the processes in question "...[affect] product conformity to requirements..." A reasonable argument could be made in many cases that the two processes you mention don't apply to this requirement.

I absolutely agree. This nonconformance looks to have been written by an over zealous auditor. You should open discussion with the auditor and if need be with your certification body as soon as possible to see about having it withdrawn.

 

[Big Jim]

A "service level agreement," as you describe it, is a contract.

Indeed it is. For the most part, agreement = contract.

 

[somashekar]

I absolutely agree. This nonconformance looks to have been written by an over zealous auditor. You should open discussion with the auditor and if need be with your certification body as soon as possible to see about having it withdrawn.

Wait a while .....
We are concluding here and we even have no idea of the OP's business.
In all fairness I believe these are processes that are integral in the OP's QMS and they fairly outsource. The lacking perhaps was identification and needed controls within the QMS.