Auditing Against Criteria Unfamiliar to Auditee - Yea or Nay?

GStough

Staff member
Super Moderator
#1
So, I need a reality check from my fellow Covers. First, let me preface this by saying that I work in the medical device industry and have for years. I've been auditing suppliers for 5 years, using both ISO 9001 and ISO 13485, as appropriate. I've always understood that the auditor must use criteria known to the auditee (registered to ISO 9001, audit them to ISO 9001, etc.) and not something with which they are unfamiliar.

In an industry where some suppliers are registered to ISO 9001, some registered to ISO 13485, some registered to both, and still some not registered to either, would you say that it is fair practice to audit a supplier registered to ISO 9001 against ISO 13485 requirements? I'm just curious to see what others may think is appropriate here.

Thanks in advance....
 

ScottK

Not out of the crisis
Staff member
Super Moderator
#2
The way I see it, having been an auditee far more than auditor, is that you need some criteria to audit against but you also need to understand the limits you may be facing.
If you were to come to my current organization with an ISO 13485 checklist I'd point out that we're not ISO 13485 registered so I'm not going to be compliant with some of your criteria. But as we are ISO9001 most of the core things will be there and you're free to offer up opportunities for improvement that I may or may not choose to implement if not required by 9001.
And at that point you may point out that some of these requirements are very important to your company and we may lose out on future projects if we don't implement something to satisfy those requirements.

Then it becomes a business decision for my company to implement or not, and a business decision for your company to continue doing business with us knowing we're not meeting your requirements 100%.

As an auditee I always ask for a full audit agenda so I can review and be ready with explanations for any gaps in expectations.

I ran into this A LOT with our past employer having pharma companies coming to audit and expecting a full cGMP compliant setup in manufacturing and full GLP compliant setup in the labs. And we just weren't, as you know. More often than not I would get an audit agenda saying that a customer is planning on auditing to Part 210 and Part 211 and would have to put the brakes on. (Not that that stopped some from citing those regs anyway)
 

GStough

Staff member
Super Moderator
#3
> The way I see it, having been an auditee far more than auditor, is that you need some criteria to audit against but you also need to understand the limits you may be facing.
> If you were to come to my current organization with an ISO 13485 checklist I'd point out that we're not ISO 13485 registered so I'm not going to be compliant with some of your criteria. But as we are ISO9001 most of the core things will be there and you're free to offer up opportunities for improvement that I may or may not choose to implement if not required by 9001.
> And at that point you may point out that some of these requirements are very important to your company and we may lose out on future projects if we don't implement something to satisfy those requirements.
>
> Then it becomes a business decision for my company to implement or not, and a business decision for your company to continue doing business with us knowing we're not meeting your requirements 100%.
>
> As an auditee I always ask for a full audit agenda so I can review and be ready with explanations for any gaps in expectations.
>
> I ran into this A LOT with our past employer having pharma companies coming to audit and expecting a full cGMP compliant setup in manufacturing and full GLP compliant setup in the labs. And we just weren't, as you know. More often than not I would get an audit agenda saying that a customer is planning on auditing to Part 210 and Part 211 and would have to put the brakes on. (Not that that stopped some from citing those regs anyway)

Spot-on, Scott! Exactly. This is what I would expect, as well.
 

Eredhel

Quality Manager
#4
I agree. It's common for our industry, CNC machining, to be audited by customers with typical scope defined audits to a certified standard that can result in occasional findings or opportunities for improvement that are outside those scopes. When it's a customer audit we do that balancing act thing and use political capital to push back when we feel it's necessary. But for certification audits? I'm a "show me the shall" kind of guy.
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#5
> I'm just curious to see what others may think is appropriate here.

What is the objective of the audit? Identify gaps of conformance? Develop a supplier? Approve a supplier?

The audit criteria is normally set by the audit client, but there is very little benefit in auditing an auditee organization against a criteria they never intend to ascribe to, in my opinion.
 

GStough

Staff member
Super Moderator
#6
> What is the objective of the audit? Identify gaps of conformance? Develop a supplier? Approve a supplier?
>
> The audit criteria is normally set by the audit client, but there is very little benefit in auditing an auditee organization against a criteria they never intend to ascribe to, in my opinion.

The objective of the audit could be to qualify a potentially new supplier, routine surveillance, for-cause - these are the usual objectives of an audit here, depending on the scenario.

Thanks for the input, Sidney...
 

Ninja

Looking for Reality
Trusted Information Resource
#7
> The objective of the audit could be to qualify a potentially new supplier, routine surveillance, for-cause - these are the usual objectives of an audit here, depending on the scenario.

I might consider (having never been a formal "auditor", but sending others out to do it):

Table out the results in three columns: Your company requirements, ISO9001, ISO13485.
...especially if you're not sure what basis later decisions may be made upon.

If they pass all three in an area, great.
If they are 9001 but not 13485 in an area, you've established the line.
If they fail all ISO, but still meet your company requirements, you've established the line.
In that way, you have the clearest information for later consideration (perhaps by others) as to whether to use them as a supplier...or what changes to ask for.

Add: This would likely mean that you DO audit them against a standard they may not know or strive for...but you do not hold them directly accountable for falling short...it is simply used in the decision making process later..."evaluation" instead of "audit" if you will.
 

GStough

Staff member
Super Moderator
#8
> I might consider (having never been a formal "auditor", but sending others out to do it):
>
> Table out the results in three columns: Your company requirements, ISO9001, ISO13485.
> ...especially if you're not sure what basis later decisions may be made upon.
>
> If they pass all three in an area, great.
> If they are 9001 but not 13485 in an area, you've established the line.
> If they fail all ISO, but still meet your company requirements, you've established the line.
> In that way, you have the clearest information for later consideration (perhaps by others) as to whether to use them as a supplier...or what changes to ask for.
>
> Add: This would likely mean that you DO audit them against a standard they may not know or strive for...but you do not hold them directly accountable for falling short...it is simply used in the decision making process later..."evaluation" instead of "audit" if you will.

I like your approach, Ninja. Thank you very much!
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#9
When doing contracted supplier auditing on behalf of a national organization, I was interested to find it had very little to do with the standard; it was almost wholly about customer requirements.

Since 9001 requires us to determine what the customer expects (in my case cleanliness of operational areas and material-contacting equipment, material traceability, and protection against material cross contamination) and make arrangements to provide, the actual standard turned out to be a distant second where criteria were concerned.

This tends to drive the suppliers wild, but it is after all about contracting to provide product and/or service, which is of course something people agree to try to do so... here we are.
 

GStough

Staff member
Super Moderator
#10
> When doing contracted supplier auditing on behalf of a national organization, I was interested to find it had very little to do with the standard; it was almost wholly about customer requirements.
>
> Since 9001 requires us to determine what the customer expects (in my case cleanliness of operational areas and material-contacting equipment, material traceability, and protection against material cross contamination) and make arrangements to provide, the actual standard turned out to be a distant second where criteria were concerned.
>
> This tends to drive the suppliers wild, but it is after all about contracting to provide product and/or service, which is of course something people agree to try to do so... here we are.

Good point, Jen. In situations where there aren't any supplier quality agreements, though, we do the best we can with the tools we have on-hand. There are some suppliers who are not registered to any standard, so when an audit is required (yes, we have criteria for this), we use internal procedures and any documented agreements that may be in place, PO requirements, etc.
 