Auditor Confidentiality vs. Liability

JShell55

#1
Hi, forum: I'd be interested in your reaction to this hypothetical:

As part of the ISO9001 requirement for compliance to regulatory and customer requirements, let's say hypothetically I audit a chemical storage area. I see some chemicals stored, and look up the MSDS, and find that some chemicals with a potential explosion hazard are being improperly handled, plus being stored very near some improperly stored flammable materials... are you with me? Imminent potential of a major disaster. Could happen in 20 years, could happen in 20 minutes.

I am under confidentiality to the company, my certifying body, and the consulting company that I am sub-contracting for.

However, I've hypothetically uncovered a situation which is an imminent safety danger. Of course, I would hypothetically communicate this to management first.

What would be my hypothetical responsibility to report a situation like this to the local authorities, ex: fire marshal, EPA or OSHA?

If the company decides not to fix it, and there is a catastrophe, there will be plenty of finger pointing and the argument can be made that I, as an agent of the company, could be sued at some point by some grieving widow, or even end up in jail if it is later discovered that laws were violated and I detected the situation and did not report it.

However, it would be outside my confidentiality agreement, as an agent of the company to do so.

So, what would you do.... hypothetically...?
 
Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#2
Welcome to the Cove!

Is this an internal audit? If it is, the auditor first tells the immediate manager, and does not fail to inform higher management in specific terms what was found, the risks and the codes being violated. If you are not convinced the problem is at once rectified, placing a call to the authorities is supposed to be protected under the Whistle Blower Act.

I welcome input about 2nd and 3rd party auditor responses to this upsetting kind of scenario.
 

Jim Wynne

Staff member
Admin
#3
With the obligatory "I'm not a lawyer" out of the way, I would think that confidentiality agreements between auditors (and their management) and auditees are mainly intended to discourage sharing of intellectual property, trade secrets, and generally information regarding processes and operations thereof. I can't imagine a situation in which a person who sees and reports a "clear and present danger" is found liable for violating a business confidentiality agreement.

That being said, anyone who does report such a thing had better be durned sure of what she's reporting, because if she's wrong, it could lead to a lot of trouble. The best thing to do if you're concerned about this sort of thing beyond the idle speculation level is to talk to an attorney about it.
 

harry

Super Moderator
#4
If 'hypothetical' means it had not happened, you should discuss with the party who contracted you, who is also the one having a direct contract with the customer.

If it had already happened, I would record it in black and white, inform the party who contracted my service also in black and white and let them handle the issue from thereon.

I recognized that laws in other countries like the US might be different.
 

RoxaneB

Super Moderator
#5
I recall in my ISO 14001 lead auditor training a case study regarding a compliance finding. I believe that we, the students, all said that we would write up the find to the effect of "Regulation XXX-123 is not being adhered to" and we were promptly told we were wrong by the trainer.

We are not compliance auditors (or experts)....we are ISO 14001 auditors. We were not conducting a compliance audit...we were conducting an ISO 14001 audit. There was also the issue of opening ourselves up professionally to liability issues.

Apparently we were to write up the finding indicating an issue with the organization's internal process for verifying compliance to applicable regulations or something to that effect.

It's pretty much aligned with Jim's comment about being 100% confident of the issue.
 
Geoff Withnell

#6
Given I am sure of my facts (and I would document in great detail, including sketches, etc. if I couldn't take actual photos), I would be guided by Article 1 of the ASQ Code of Ethics:

Article 1 – Hold paramount the safety, health, and welfare of the public in the performance of their professional duties.

Again with the caveat that I am not a lawyer, I believe the legal term for a confidentiality agreement to remain silent about the violation of the law is "conspiracy", a crime in itself. Certainly work within organizational channels first, but if one has reason to believe that's not working, go public. Those here who have professional licenses, e.g. PE, are even more duty bound to report. Whistle blowers do get negative consequences sometimes, may even often. But it is the right thing to do. We are not talking about writing up non-compliances, or revealing confidential information. We are talking about possibly saving lives! It is a little disturbing to me that there is this much doubt on the issue.

Geoff Withnell
 

Stijloor

Staff member
Super Moderator
#7
Friends,

In my Motherland there's a saying:

Hij die zwijgt, stemt toe.

meaning:

He who keeps silent, agrees.

Very tragic examples in the news lately....

Stijloor.
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#9
Eh? Since following regulations is part of the ISO 14001 standard I do not understand the position your instructor took because following regulations is part of the requirements under 14001.

But there is the process approach. A fire or explosion would be bad because it could result in airborne escape of chemicals under control of the EMS, so the organization's risks of explosion or fire should be identified as aspects and operational controls should be designed based on those aspects and risks, to avoid explosion or fire. Chemical storage is of course an important part of an EMS and should be treated as a process/functional area. Chemicals should not be stored in such a way that they could react to each other, for example acids and solvents should be separated. Adequate ventilation should be in place to prevent buildup of toxic/combustible gases.

In my view a good auditor should be able to understand these things and can observe the storage arrangement and examine the process used to identify and control risks. If a sound process exists but is not being followed an auditor should be able to call out a nonconformance that is urgent enough to require immediate action. If no process exists or there is no evidence it's been used for this area the auditor can call that out as a nonconformance. I am absolutely interested in what our CB members say about this.

I am wondering if this is a registration audit or a consultant's audit on independent contract.
 

Randy

Super Moderator
#10
If you are in the US and are an employee of the company you have an absolute (and protected by anonymity) right to file a complaint with OSHA... http://www.osha.gov/workers.html

If you are a 3rd party, like me, you have an obligation to report the information to the organization, and in my case to my employer as well.

There are many, many variables in a situation like this.
 