Proposed Change to 3rd Party Audit Process - Limiting Scope of Audit

[Sidney Vianna]

As someone who's been involved with accredited management system certification for almost 30 years, I've seen a lot of things changing in the sector. As some of us know, the questioning about the efficacy of accredited certification is ongoing. Some people don't believe that a CB would deliberately decertify an organization, as this, basically means that revenue stream will disappear for the CB. I beg to differ, as I have been involved in decertification proceedings a number of times.

Nevertheless, without a question, the accredited management system certification process could certainly benefit from some evolutionary and some revolutionary changes. On the evolution front, one of the changes I strongly support is to limit scope of audits to product/service lines related to customers that require 3[sup]rd[/sup] party certification from suppliers. Let's remember: the primary beneficiary of ISO 9001 and a registrant's certification is/are the registrant's customers.

The current process where an audit team shows up and "randomly" audit business processes to ascertain compliance, is not proper. If a registrant's customer does not value nor require a supplier to attain certification, why should 3[sup]rd[/sup] party auditors waste their time with that product line? Auditors should, instead, focus their effort and time with the business processes related to the product lines for customers that value and require suppliers to be certified.

Do you agree? Comments?

 

[Marc]

My opinion is yes. However, there are processes such the non-conformance system. How do you approach that type of process?

Years ago in automotive I went through QS-9000 and TS 16949 where companies would only have certain lines audited and which were part of the certification. In those cases, for example, lines which did not run automotive products were excluded from the audit and the registration. None the less, processes such as calibration, the non-conformance and corrective action systems, etc. were company wide and there was no way to "separate" them.

 

[Ron Rompen]

I am of much the same mind as Marc when it comes to this. It is difficult enough to create a single QMS for the customers who require one; to have another one (even a non-formal one) for those customers who don't require registration only causes chaos and confusion.

When I started in quality (back when we were building parts for the dinosaurs) the company that I was with made parts for both automotive and non-automotive customers. When QS9000 was foisted on us, we at first thought to have it ONLY for those customers (automotive) who required it, and to just continue on the way we were going with all the others. But with flexible manufacturing cells, multi-purpose tooling, and crosstrained operators, it was causing a lot of confusion and error trying to remember which 'rule' was to be followed with which part.

In my opinion, it is much easier to develop your system to meet the most stringent of your customer requirements, and implement it across the board. Yes, its a little more work to create and maintain it, but it prevents those horrible moments in the middle of an audit that we all dread.

 

[Sidney Vianna]

My opinion is yes. However, there are processes such the non-conformance system. How do you approach that type of process?

All relevant QMS processes would be audited. The major difference is that the samples used during the audit would be limited to the products/services ordered by customers that require the registrant to be certified.

It is difficult enough to create a single QMS for the customers who require one; to have another one (even a non-formal one) for those customers who don't require registration only causes chaos and confusion.

I am NOT proposing different processes/systems. I am proposing a focus by the CB audit team on the processes/systems as they relate to customers which require certification. If the primary beneficiary of 9001 and certification are the registrant's customers as very appropriately mentioned by Dr. Nigel Croft, CB auditors should focus on the products related to the customers which value (and require) certification.

 

[Golfman25]

All relevant QMS processes would be audited. The major difference is that the samples used during the audit would be limited to the products/services ordered by customers that require the registrant to be certified.

Yes, so in regards to something like Corrective Action, you only look at applicable parts. That's what our TS auditors do. They only want to see CA for automotive parts. We could have a dozen for other and it didn't matter.

 

[Marc]

They may only look at "applicable" parts, but I bet their sample size is the same as if they looked at other parts as well. I doubt any time is gained.

 

[Sidney Vianna]

The goal is not to save time either. The goal is to focus on the orders from the customers who require certification from their suppliers. One of the typical complaints we hear comes from customer organizations that have problem certified suppliers. Well, a possible reason might be that customer has requirements which were never assessed by a CB team, as the random sample might mean somebody's else orders were audited.

And, I should have mentioned, this would apply to the "vanilla" certification, not the industry augmented schemes, as those already have additional requirements associated with the scope of the audit. Another aspect of the proposal is the fact that this would only work in B[sub]2[/sub]B scenarios. For organizations involved with consumer goods, B[sub]2[/sub]C, this would not apply.

 

[Marc]

Yes, so in regards to something like Corrective Action, you only look at applicable parts. That's what our TS auditors do. They only want to see CA for automotive parts. We could have a dozen for other and it didn't matter.

It's kind of weird when you think of it. By doing that I would think you can't claim to be ISO 9001 unless they limit the scope of your certification.

I don't know how it works these days. I thought it used to be that the company got both an ISO 9001 cert and a TS 16949 cert. I must be mis-remembering.

The goal is not to save time either. The goal is to focus on the orders from the customers who require certification from their suppliers. One of the typical complaints we hear comes from customer organizations that have problem certified suppliers. Well, a possible reason might be that customer has requirements which were never assessed by a CB team, as the random sample might mean somebody's else orders were audited.

And, I should have mentioned, this would apply to the "vanilla" certification, not the industry augmented schemes, as those already have additional requirements associated with the scope of the audit. Another aspect of the proposal is the fact that this would only work in B[sub]2[/sub]B scenarios. For organizations involved with consumer goods, B[sub]2[/sub]C, this would not apply.

Like I say - All in all I don't have a problem with limiting the scope of a certification. I have seen companies go so far as to exclude certain internal lines/processes completely and treating them as an external supplier even though they're in the same building.

I'm not convinced it would make much difference with companies having problems with certified suppliers, though. A company either makes "quality" products, or it doesn't. I have a hard time thinking "Well, the company makes good XXX products for customers X, Y and Z, but not for customers A, B and C." I come back to my belief that ISO 9001 certification is rather useless. If a company is having problems with a supplier ISO 9001 registration isn't going to solve that.

If I was running a company I would never put in a requirement for a supplier to be registered to ISO 9001. I'd want data on the company as a whole, and if it was that important I'd do a supplier audit to my own criteria in the supplier approval process.

And I think that it probably isn't unusual that some customers have requirements which are never assessed by a CB team. What about companies that have 100 or more customers? Would the CB check to see if customer requirements are met for all customers?

 

[Sebastian]

1. One of our second party auditors during auditing supplier's manufacturing premises had noticed few containers with parts without any identification. Supplier representatives asked replied: "These are not parts manufactured for you."

2. I had visited one of our customer's plants due to claims they have regarding quality of our products. I suspected it was caused by dirty games of receiving department & sorting companies members, so I have asked them, why the same product manufactured by the same our Production Operator supplied to other plant of their group is not claimed. They told me: "We have here higher quality level than other plants."

Why I am saying this. Establishing separated system for subscribed OEM and separate one for non-subscribed OEM, telling people (especially production line members) they must follow strictly requirements because this product is intended for automotive customer and in other case "take it easy", as it goes for ISO 9001 one will result in significant problems in company automotive business.

Sidney already mentioned this subject in other place and I give example of company I work for, certified according to ISO/TS 16949 for several years without having subscribed customer. Currently we have and I still found satisfactory praxis that activities related to subscribed customers have highest priority during planning and performing 3rd part audits, but activities related to other customers are also audited, due to e.g. significant sales share, quantity of claims and existence of newly implemented projects.

 

[Big Jim]

I see value in what Nigel Croft and Sydney are saying, but I also see some potential snags in application. I think it could be worked out though. I would think you could do that for certain elements of the standard, and others would need to be applied universally. Determining which to do what with could be a headache, but with with some actual cases to work with it could become reasonably smooth.

I must add though, that this can be done now depending on how the organization handles their scope statement.

I have a client that mixes production with items that are part of their ISO scheme with some that are not. Only about 10% of production falls into the ISO scheme. They have red job cards for the ISO product to help tell them apart.

I have a machine shop client with 10 work cells. Two of them are dedicated to AS9100 and eight of them to ISO. Again, they use different colored travelers to tell the jobs apart.

I have a machine shop client that feels he can live with all the AS9100 requirements for all of his work with the exception of first article so he has a statement with his scope statement that he only does first article for AS9100 customers and not for customers that have no such requirement. They don't want to worry about a first article for the part that farmer John brings in to have a replacement made for his antique tractor.