3rd Party Audits and Clause 8.2.2

#21
Lucinda,

"You can contract this out to an outside auditor. Nothing says that the audit you conduct for your own internal benefit has to be done by the company's own staff members. But you cannot use the registrar!!"

Where is it stated that you cannot use a registrar as an internal auditor, if they agree to accept the responsibility.

"The registrar's function is to verify that your QMS is working as the standard dictates. It cannot participate in the operations of your QMS. (and this is what they would be doing if they are essentially performing the internal audits for you) Remember??? This hits to the core of "vested interest". "

I don't understand your point here. Do they participate differently in a surveillance audit vs an internal audit.

"They are not (supposed) to consult, they are a disinterested third party."

I agree. No auditor; 1st, 2nd, or 3rd party should consult during the audit process. First they are not qualified and second, what ever they offer is only there own personal opinion.

However the standard (QS9000) has overridden the consulting issue by allowing (requiring) the auditors to submit "opportunities for improvement" (consulting tips).
So, the consulting issue, for QS is moot point.

IMHO

:biglaugh: :bigwave: :rolleyes:
 
Elsmar Forum Sponsor
M

MrPhish

#22
Thanks D. Scott/Dave – you got my point - perfectly. Maybe I should have waited until I saw your post, but I’d written the following response in the meantime:

LUCINDA: “The registrar's function is to verify that your QMS is working as the standard dictates.”

MRPHISH: I’ve got no issue with this statement. The registrar’s function is to verify my QMS meets the standard requirements. Yep I agree.

LUCINDA: “It cannot participate in the operations of your QMS. (And this is what they would be doing if they are essentially performing the internal audits for you) Remember???”

MRPHISH: Who said I want them to perform my internal audits for me?? Not me. Maybe I am not making my point clear. I’ll try once again … I am saying why can I not use the information from the registrar’s surveillance audits to help me determine where to concentrate my limited resources when I do conduct my own internal audits as I am required to do by 8.2.2 and fully intend to keep performing? My issue is with the ISO standard requirement of: “an audit program shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits.” Previous audits I say include all types of audits … surveillance, internal, and 3rd party (i.e. the standard does not say “previous audits – except surveillance audits). Therefore I should be able to use the information obtained from these surveillance audits or any audits) to use in my “formula” for determining what areas to audit when I do perform internal audits. I never said I want my surveillance audits to COUNT for the requirement of performing internal audits. I just want to plan my audits based on ALL audit data I have at my disposal, and if the registrar's function is to verify that my QMS is working as the standard dictates”, (and let’s say the audit results are “yes it does meet the requirements”), why should I need to plan to re-audit those areas if I have audit results that indicate everything is OK?

LUCINDA: “This hits to the core of "vested interest". They are not (supposed) to consult, they are a disinterested third party.”

MRPHISH: I would disagree they are a disinterested third party. I pay them to help me improve my QMS by identifying areas I am in compliance with and areas I may need to fix … they had better be very interested in my success ... because if I fail ... they are out of a job.
 
J

JodiB

#23
NO Phish

The registrar is a disinterested party. To be otherwise is contradictory to the role of a registrar.

You consider that you have hired the registrar and that it makes you their boss and they should do as you say. But the registrar performs its work at the discretion and direction of the accreditation bodies. They are the boss of a registrar, not you. What you are purchasing is the certification of your system. You are not purchasing consulting or anything else. Your choice is simply which representative of the accrediation you choose comes out to do the audit.

They are not there to identify for you the failings of your QMS. They are there to identify for themselves the failings of your QMS and whether they can continue to authorize certfication under accreditation for your system. Don't confuse the two.

Whether or not those findings can be used as weight against your own internal audit planning is perhaps an arguable point on your behalf. However, you will not be able to base your internal audit planning solely on the registrar findings, because the registrar auditor is only sampling. You are expected to excuse no part of your system from audit. While you may pay closer attention to areas that have been identified by external sources as problem areas, you must still audit the remaining areas as you normally would.
 
J

JodiB

#24
Originally posted by Sam

Where is it stated that you cannot use a registrar as an internal auditor, if they agree to accept the responsibility.

"The registrar's function is to verify that your QMS is working as the standard dictates. It cannot participate in the operations of your QMS. (and this is what they would be doing if they are essentially performing the internal audits for you) Remember??? This hits to the core of "vested interest". "

I don't understand your point here. Do they participate differently in a surveillance audit vs an internal audit.
The ISO standard is for an org to use. The registrar is doing its job according to its own guidelines. Why are you trying to confuse the two? It's like saying "where does it say that an astronomer doesn't measure fish for a living?" By definition of job, a registrar doesn't participate in your system and if you want to see that in writing then ask for one of the IEC guides.

As far as participating differently - let's just say that there
is no participation in a surveillance audit. The registrar is there to satisfy himself that you are up to speed and that they will continue to certify your system. When that report comes back into the office it is reviewed to determine if they still can call you their client. Do you think the insurance company asks for your medical exam report in order to see how they can help make sure you get the right lab tests ordered???? The information is for their own use!

Conducting an internal audit, which is a fully functioning part of a company's QMS, is participation. The goal of finding weakness is the same, but for complete opposite reasons. Internal audit is participation. Registration audit is at arms-length with no vested interest in whether the company "gets better" or not.
 
A

Aaron Lupo

#25
I see nothing wrong with using your Registrars audit when you are making your audit schedule. In fact that is one tool you should be using when you are determining your audit schedule.

The Registrar is there to do a sample of your system, they are there to find evidence of compliance not where you do not comply. Now on the other hand yes I am looking for compliance when I do IA but I am also looking for the areas that I know are in trouble. It is not that the Registrar is a disinterested party, they are very interested in seeing you maintain your certification, however they can't tell you how you should be doing things because then they lose being INDEPENDENT of your system. I don't know what the rest of you do when you find a N/C during an IA but I give a recommendation on how to fix the problem, if the Registrar does that it becomes consulting.

So IMHO no don't use the Registrar audits as part of your IA, but do use what they report to you when you are determining your IA schedule.
 
Last edited by a moderator:
E

energy

#26
My Man!

Dave, D. Scott

Great post. This subject is one that the "Fans" of the this or any other standard will respond to "by the standard". The stance that there is something flawed with the very thing at which they make their living, is unacceptable (to some). It's O.K. to talk about it. Nothing's perfect. The post was to address those things that the standard imposes on companies that, as you said very well, add no value. You're a breath of fresh air in the smoke filled room! You will see very little response to what is wrong with the system. It goes against the grain. Enjoy your holiday. Oh yeah, everybody else too!:smokin:
 
Last edited by a moderator:
E

energy

#27
Re: Re: Staying with you on this!

Originally posted by Lucinda

Energy, the competency issue is not what you describe. Think of how it is actually used within the organization. It is used to evaluate the employee's skills against the necessary skills for success at a particular task. Then training is provided as necessary. It is one of the most fundamental points of running a business
Well said, but that's how businesses are run and you don't need the "Standard" to tell you that! This particular post involves things that the standard forces you to do that have no percievable benefit for the business. A business would not survive without competent people. It bothers me that the most basic business practices are mandated by the "standard" and subject to some auditor's approval. What gall! :bonk: :ko: :smokin:
 

Marc

Hunkered Down for the Duration with a Mask on...
Staff member
Admin
#28
Originally posted by ISO GUY

I see nothing wrong with using your Registrars audit when you are making your audit schedule. In fact that is one tool you should be using when you are determining your audit schedule.
I agree. In fact, with clients I do contract internal audits for, we base the registrar's visits at 1 year and internal audits are 6 months from the registrar's visits. That keeps the audit activity equally spaced.
 

Marc

Hunkered Down for the Duration with a Mask on...
Staff member
Admin
#29
Re: Re: Re: Staying with you on this!

Originally posted by energy

Well said, but that's how businesses are run and you don't need the "Standard" to tell you that! This particular post involves things that the standard forces you to do that have no percievable benefit for the business. A business would not survive without competent people. It bothers me that the most basic business practices are mandated by the "standard" and subject to some auditor's approval. What gall!
Yeah - but now we're hitting into the Is ISO 9001 Relevant? issue. I plan to start a thread on that soon with (yup - you guessed it) a Poll.

Yes, energy, ISO 9001 is just good business sense and practice. At least in my opinion. That's what is really pissing you off, isn't it?
 
#30
An audit is an audit

Sam and MrPhish,

I might be able to help you out in this with a real life scenario. A client of mine is audited every six months; in January and July. He schedules his internal audits for twice a year; in April and October. The internal audits are scheduled to compliment the external audit. Activities audited internally will not be audited by the previous, or subsequent audit. All audits are samples with the internal audit using a larger sample group. This means the QMS is being audited quarterly, and the entire system is audited yearly. From a performance standpoint, he does not distinguish between 1st and 3rd party audits. Even the 1st party audits are contracted (to me).

The point is; he views auditing as a fundamental tool in the continuous improvement of the business. All audits are reviewed two weeks after the audit, regardless of the audit type. In determining the effectiveness of the QMS, he uses data from all four audits. The end result is the harmonious use of QMS auditing to ensure his QMS works for his operation. The registrar auditor is not conducting internal audits, but audit results are being used as and with regular internal audits.

I once attended a workshop on “out of the box” thinking. It was determined that I think so far out of the box, I can’t recognize the box. One thing I have learned in the past is to ask a different question. Instead of asking if we can use 3rd party audits, ask how can we use 3rd party audits. An audit is an audit. What matters is how we react.

Hope that helps.

Dave B (the other Dave)
 
Thread starter Similar threads Forum Replies Date
W Internal Auditing carried out by a 3rd party - Review of previous audits AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 3
V TS 16949 3rd Party (Certification Body) Audits of Remote Sites IATF 16949 - Automotive Quality Systems Standard 11
CarolX Definition 1st, 2nd and 3rd Party Audits - Definition Definitions, Acronyms, Abbreviations and Interpretations Listed Alphabetically 29
ScottK Is using a 3rd party auditor for supplier audits a big trend? Supplier Quality Assurance and other Supplier Issues 14
Leaf Fan When do 3rd Party audits turn to 2nd party audits? Customer and Company Specific Requirements 1
A Becoming an ISO27001 3rd Party Auditor Career and Occupation Discussions 4
A Non-Conformances Found After 3rd Party Sorting Supplier Quality Assurance and other Supplier Issues 12
G Do HIPAA Rules Apply to a 3rd Party Logistics Shipper? Other US Medical Device Regulations 2
J Extent of 2017/745: providing 3rd party mass produced devices to NHS patients EU Medical Device Regulations 0
S AIAG CQI Auditor Qualification and 3rd Party Certification Requirements General Auditing Discussions 2
M 3rd Party Sorting and Inspection Company Certification Service Industry Specific Topics 4
D Auditing Our Outsourced 2nd-3rd Party Internal Audit Company ISO 13485:2016 - Medical Device Quality Management Systems 6
M CE self-certify, or needs testing by 3rd party? CE Marking (Conformité Européene) / CB Scheme 12
A CAR from 3rd party AS9100D auditor - Root cause dilemma AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 45
S ISO 9001:2015 Gap Analysis - In-House or 3rd Party? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
O IATF 16949 3rd party auditor training sources IATF 16949 - Automotive Quality Systems Standard 1
M IATF 16949 - Multiple Locations - 3rd party audit scope IATF 16949 - Automotive Quality Systems Standard 1
J 3rd Party Certification and QMS Revisions Registrars and Notified Bodies 4
Sidney Vianna Proposed Change to 3rd Party Audit Process - Limiting Scope of Audit Registrars and Notified Bodies 19
A How to 3rd Party Audit ISO 9001 Clause 7.1.6 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
A How to approach ISO 9001:2015 Clause 7.1.6 when 3rd Party Auditing ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
Stijloor Calculating (3rd Party) Audit Days for Company with Seasonal Employees General Auditing Discussions 3
L Release of Audit Results Report to 3rd Party ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 6
C 60601-1 13.1.2 - Passive Device Energized by 3rd Party Device IEC 60601 - Medical Electrical Equipment Safety Standards Series 2
C Looking for 3rd party audit firm for unique contract, have RFP General Auditing Discussions 1
Manix Should a 3rd Party Auditor Audit against IATF rules and not just the ISO standard? General Auditing Discussions 4
S AAMI EC57 for ECG Medical Device - Seeking 3rd Party Test Laboratory US Food and Drug Administration (FDA) 5
V Is the CQI-9 Heat Treat Assessment performed by a 3rd Party Auditor APQP and PPAP 1
D AS 9104/1 has New Requirements for 3rd Party Auditors AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 6
A 3rd Party Audit Finding Not Clear - 4.1 Outsourced Processes AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 36
R 3rd Party Audit Comment - Identify ISO Clauses/Sub Clauses to each Process Quality Management System (QMS) Manuals 45
J Contents of DMR (Device Master Record) when manufacturing is by 3rd party 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 3
C Measuring Equipment on Injection Machine should be Calibrated by 3rd party? General Measurement Device and Calibration Topics 21
C Policy for 3rd Party Auditing of Sequencing Facilities IATF 16949 - Automotive Quality Systems Standard 6
D Using IMDS database with 3rd party Intermediate Trade Company RoHS, REACH, ELV, IMDS and Restricted Substances 2
S ANVISA Audit by 3rd Party? Other Medical Device Regulations World-Wide 4
W Do 3rd party testing labs need NRTL certification to perform testing for FDA conforma ISO 13485:2016 - Medical Device Quality Management Systems 3
Howard Atkins ISO/TS 16949 3rd Party Automotive Auditors Group on LinkedIn ASQ, ANAB, UKAS, IAF, IRCA, Exemplar Global and Related Organizations 1
S Customer Requesting 3rd Party Audit Report (AIB) - Help! Quality Manager and Management Related Issues 17
QMMike Telephone Billing - Cramming Scheme 3rd party billing company Coffee Break and Water Cooler Discussions 5
Howard Atkins Right to Appeal 3rd Party (Registrar aka CB) Findings General Auditing Discussions 23
V 18001 2nd stage 3rd party Top Management Questions (Training Assignment) General Auditing Discussions 8
E Should FDA implement 3rd party (PMAs) reviews? What are the pros and cons of doing so Other US Medical Device Regulations 2
Y 3rd Party Sterilization Validation for Reusable Medical Devices Other Medical Device Related Standards 7
somashekar A question on 3rd Party Sustainability Audit Cost Misc. Quality Assurance and Business Systems Related Topics 5
M Validating 3rd Party Software which Tracks Archived Samples Qualification and Validation (including 21 CFR Part 11) 2
K Pass Thru Calibration Certificates? Out-Sourcing Calibration to 3rd Party General Measurement Device and Calibration Topics 6
J FMEA Evaluation of "User Risk" - Wording FMEA 3rd party advisors ISO 14971 - Medical Device Risk Management 3
J FDA 510K - Justifying Fatigue Test results - 3rd Party Component Failure US Food and Drug Administration (FDA) 7
L IS/TS 16949 Initial Cert. Audit - placed on 3rd party containment with Customer IATF 16949 - Automotive Quality Systems Standard 3

Similar threads

Top Bottom