Auditor Confidentiality vs. Liability

pkost

Trusted Information Resource
#11
Again with the same disclaimer - I have no legal training or qualification

I suppose the first question I would ask is: Is the act criminal? or is it one that you deem to be too risky and therefore criminal? My understanding of health and safety legislation is that it is largely risk based and therefore who are you to say that it isn't safe...have you done a risk assessment and are you competent?

Regardless the answer to these questions I would certainly report it to the company and your employer (assuming you are a 3rd party auditor). I would expect immediate or at least very prompt action and would document what I send

Most countries have whistle-blowing laws, I'd consult that and my lawyer if I was very sure of my position and dissatisfied by the response to my informing the different parties.
 
Elsmar Forum Sponsor

Sidney Vianna

Post Responsibly
Staff member
Admin
#12
As part of the ISO9001 requirement for compliance to regulatory and customer requirements, let's say hypothetically I audit a chemical storage area. I see some chemicals stored, and look up the MSDS, and find that some chemicals with a potential explosion hazard are being improperly handled, plus being stored very near some improperly stored flammable materials... are you with me? Imminent potential of a major disaster. Could happen in 20 years, could happen in 20 minutes.

I am under confidentiality to the company, my certifying body, and the consulting company that I am sub-contracting for.

So, what would you do.... hypothetically...?
Welcome to The Cove and thanks for the interesting hypothetical ;) scenario.

Based on what you describe above, I understand that you are a consultant/auditor doing an audit on behalf of a CB against ISO 9001. I mention this because roles, audit criteria and scope are important aspects to be considered.

ISO 9001 does not have requirements for occupational safety, so you can't write this up against ISO 9001 (in my opinion). Nevertheless, safety is paramount and a hazard, as described, cannot be ignored.

As indicated by others, this situation MUST definitely be reported (immediately to the site management) verbally and in writing as a finding (once again, not an NC) in your audit report. If you truly believe that the risk of a major accident is imminent, you have the right to, (after communicating to the client and the CB), stop your audit and leave the premises, if the organization does not take immediate correction. Certainly that would have serious implications.

The audit report is also protected by the confidentiality clauses and you would not breach them if you were to record the finding in there. You want to make sure that the finding is worded strongly enough to catch people's attention. If you believe that the risks are too high, you can request not to be assigned to this registrant anymore, and, if the CB is serious, they would also take appropriate actions to protect their representatives. After all, there is a liability exposure to a CB who knowingly sends an auditor to an unsafe work environment.

Before all of that, you must be darn sure of your concerns. You can create a serious upheaval for the CB and the registrant. Make sure the risks are really as high as you indicated, before taking down this path.
 

Randy

Super Moderator
#13
Sidney is correct about raising concerns, you'd better make sure you got your ducks in a row. There are many times that a layman can see and think one thing when if fact reality is something totally different....Now a story to illustrate

Way back, many years ago when I was an aircraft mechanic working on an Army contract for Lockheed we got a new Leadman who caused a heck of an uproar...Now this guy was experienced in military aircraft maintenance (20+ years USAF jet aircraft), but he didn't know &hit from shinola about helicopters (which we worked on). Well this maintenance "expert" tried to get about 4 of us fired and filed an official complaint against an ARMY CW4 Maintenance Test Pilot because of our..."Horse-a&&ing around"....Here's the deal.....Many years ago before modern computerization and electronics helicopters had to have their main and tail rotor blades manually tracked with flags and grease-pencils...Track and balance are absolutely critical for rotary winged aircraft, and if you don't believe me try flying on Russian MI-8's and MI-24's without it...HORRIBLE!

Anyway what you do is this...For main rotor tracking (2 bladed system like a UH-1) the outboard tips of the main rotor tiedowns are marked with different colored grease pencils (normally red and black, but any 2 colors would work). Then you have to get a long pole (about 10-12 ft long) that has 2-horizontal arms about 2 feet apart at the top. Between the 2 arms you wrap a couple wraps of a white or other light colored cloth material (kinda like tape without the adhesive). This is called the "Flag". The pole and a mechanic have to be in the direct front of the aircraft, just outside the main rotor path...the pole is lying on the ground. During this process, by Army regulation, a qualified MTP (maintenance test pilot) has to operate the aircraft. The aircraft is started and brought to full flight rpm (appx 330 main rotor rpm) and the main rotor is held at flat pitch on the ground. Once the MTP signals that the RPM and pitch is correct he signals the mechanic in the front with the pole. The mechanic picks up the pole so that it is pointed straight up, keeping it out of the path of the main rotor, and while stabillizing it against his foot he slowly rotates the "Flag" into the outer tip of the main rotor path allowing the tie downs to lightly tap the tape leaving their individual colors.

While all this is going on, there is a 2nd mechanic also standing in front of the aircraft who is armed with what amounts to a broomstick (sans the broom) that has had a grease pencil taped to one end of it...This is for tailrotor tracking (this is the job that can get you killed fast).

Once the main rotor has been tracked the MTP motions to the 2nd mechanic to go ahead...The job of the MTP is critical because at this time if he were to wiggle the tail pedals, someone can die rather messily and also damage the aircraft. The 2nd mechanic enters under the main rotor path and walks to the right-rear of the aircraft, but while doing so quickly passes the grease pencil taped to the broomstick into the engine exhaust to soften the lead. Continuing to the rear the 2nd mechanic lines the broomstick/grease pencil up under the right side of the taillight and slowly runs the grease pencil into the rotating tail rotor on the other side of the tailboom and does so until he feels a light tap-tap-tap (the tail rotor is spinning appx 1800 rpm). The 2nd mechanic then proceeds to the right-front of the aircraft and gives the MTP a thumbs-up and the aircraft is then shut down. From this point forward adjustments are made and the process continues until tracking is acceptable.

Now I know the story is long, but here's the point...To an unknowledgeable person groundtracking could look like people screwing around, and that's what happened. This new "supervisor" (Leadman), who knew his way around F-4's reported all of us and created a hailstorm for a couple days.

Make sure you know what you are talking about, before you do so.
 

RoxaneB

Super Moderator
Super Moderator
#14
Eh? Since following regulations is part of the ISO 14001 standard I do not understand the position your instructor took because following regulations is part of the requirements under 14001.
I think the trainer's point of view was that we were doing a conformance audit (to ISO 14001 requirements) and not a compliance audit (to legislation and regulations) and that such a finding was (a) outside of the scope of the audit and (b) who was to say that we were experts in the field.
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#15
I think the trainer's point of view was that we were doing a conformance audit (to ISO 14001 requirements) and not a compliance audit (to legislation and regulations) and that such a finding was (a) outside of the scope of the audit and (b) who was to say that we were experts in the field.
That's correct. The Expected Outcomes of Accredited ISO 14001 Certification document reminds us:
The ISO 14001 accredited certification process does not include a full regulatory compliance audit and cannot ensure that violations of legal requirements will never occur, though full legal compliance should always be the organization’s goal.
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#16
I think the trainer's point of view was that we were doing a conformance audit (to ISO 14001 requirements) and not a compliance audit (to legislation and regulations) and that such a finding was (a) outside of the scope of the audit and (b) who was to say that we were experts in the field.
That's why I offered the process path. Although I am nowhere near the scene of this hypothetical audit, and indeed it is not a 14001 audit (that is important) I can spot many hazards and ask for the process to control them without reciting the codes.
 

RoxaneB

Super Moderator
Super Moderator
#17
That's why I offered the process path. Although I am nowhere near the scene of this hypothetical audit, and indeed it is not a 14001 audit (that is important) I can spot many hazards and ask for the process to control them without reciting the codes.
How would you phrase the finding though? I believe that was the intent of how I was trained...not to ignore the issue (i.e., confidentiality versus liability), but rather how to phrase it within the scope of the audit without lessening the risk potential.

I think that there is a way for the OP to word the finding in such a way that it is officially documented, without creating a possible breach of confidentiality or opening himself up to a liability issue.
 

optomist1

A Sea of Statistics
Trusted Information Resource
#18
Although I am not presently an auditor, this is an great thread. Professional ethics being at the fore front of our current economic situation.

The responses are great...especially, once the condition is in fact verified...."he or she who does nothing in effect becomes part of the problem"....well said
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#19
How would you phrase the finding though? I believe that was the intent of how I was trained...not to ignore the issue (i.e., confidentiality versus liability), but rather how to phrase it within the scope of the audit without lessening the risk potential.
Not clear yet: I would look at the process of identifying and assessing aspects for risks, then developing and caarying out controls to mitigate the risks the apparent hazards present.
I think that there is a way for the OP to word the finding in such a way that it is officially documented, without creating a possible breach of confidentiality or opening himself up to a liability issue.
I think so too. I liked Sidney's input the best, especially as this is an ISO 9001 audit.
 
J

JShell55

#20
I am glad I got some good discussion started.

Let's just say that it's not entirely hypothetical, there are some details omitted in the above case, names changed or omitted to protect the innocent.

You are right, it's not a compliance audit, and I cannot cite the section of the code that it violates. I also do not have any measurements of the actual ventilation conditions, it is only a suspicion on my part, based on many years of experience in industrial environments so there is some risk on my part that I could be wrong. I have asked for objective evidence that the level of ventilation in the area is sufficient for proper storage of the various chemicals that are sitting around, based on the MSDS of the chemicals.

They are being cooperative for the moment but do not have the evidence, so for ISO purposes I can already do a finding, based on "preservation of product" no objective evidence that the storage conditions are appropriate for either the powder or the solvent or both, and not gone melodramatic on them about the fact that the combination of these two findings could potentially lead to a really serious problem.

I will run it by the people I am subcontracting for so that they understand the situation and of course provide documentation of everything, and rely on their guidance as to how they want to handle it.

My confidentiality agreement with my contractee makes it clear that I am not an employee, and have one level of inoculation because I am working as a consultant, and it's an internal audit, which the customer can do with what they want. It is ultimately up to the company or companies involved as to whether they take my good-faith advice. However, the grieving widows may not see it that way and we all know that this sort of thing is only as good as your lawyer.

I will allow it to run for a few days and see if they take some kind of action. I have hinted to them that I do have the recourse of reporting it to the authorities, I have recommended that they remove the flammable solvent immediately, and then bring in an environmental person to do the ventilation measurements and determine exactly what they need to do (as promptly as possible).

So, we'll see. Interesting stuff.




 
Thread starter Similar threads Forum Replies Date
B External Auditor Confidentiality Agreement General Auditing Discussions 8
J IATF 16949 Internal Audit question - Auditor's responsibility Internal Auditing 6
W Redacting Info Before Giving to Auditor ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
T Quality auditor legal right to see Board meeting minutes ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 12
V Certified Auditor - Need of additional certification specific to industry ( GMPs) ASQ vs ECA vs others Professional Certifications and Degrees 1
V Internal Auditor Competency KPI IATF 16949 - Automotive Quality Systems Standard 14
R American Petroleum Institute - Becoming an API Auditor Professional Certifications and Degrees 2
B Lowest cost way to pass Lead Auditor exam ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 2
B Internal Auditor Competency - Product Auditors Internal Auditing 9
U Internal Auditor not trained but done Audit for some process Nonconformance and Corrective Action 5
Z Auditor Findings ISO 14001:2015 vs. 45001:2015 ISO 14001:2015 Specific Discussions 6
B IATF16949 audit requirement - Auditor request UCL and LCL must be show Xbar-R, IATF 16949 - Automotive Quality Systems Standard 7
A Becoming an ISO27001 3rd Party Auditor Career and Occupation Discussions 4
L ASQ's Biomedical Auditor Course Test ASQ - American Society for Quality 1
M Tips on preparing for IATF 16949 Internal Lead Auditor exam Manufacturing and Related Processes 1
G Same parts but new customer - What will the auditor ask me? IATF 16949 - Automotive Quality Systems Standard 2
Gun46 ISO 9001 : 2015 Lead Auditor Exam General Auditing Discussions 16
K %GRR was between 10-30% so we have to have a "backup plan" per auditor IATF 16949 - Automotive Quality Systems Standard 15
S ISO 13485 Lead Auditor - Debate between our Quality Team and Regulatory Auditor - Internal Auditor Training ISO 13485:2016 - Medical Device Quality Management Systems 17
R ISO 45001 Lead Auditor Exam paper Training - Internal, External, Online and Distance Learning 1
B Internal and external auditor competency to CSR's IATF 16949 - Automotive Quality Systems Standard 20
A Our auditor told if we didn't have a patent we would have to do a validation or verification ISO 13485:2016 - Medical Device Quality Management Systems 6
W Certification for IATF Lead Auditor will expire in 2020 IATF 16949 - Automotive Quality Systems Standard 2
D Impartiality of Internal Auditor ISO 9001/13485 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 18
Ed Panek Auditor driving us nuts - ESD requirements ISO 13485:2016 - Medical Device Quality Management Systems 23
A OHSAS 18001 external auditor finding personal interpretation? Occupational Health & Safety Management Standards 5
S IRCA Lead Auditor training and Exam tips Training - Internal, External, Online and Distance Learning 5
L ASQ CBA biomedical auditor - CBA primer material is enough to study? ISO 13485:2016 - Medical Device Quality Management Systems 6
B VDA 6.3 Qualification as Process Auditor training course and exam VDA Standards - Germany's Automotive Standards 0
F ISO 21001 Educational Organizations Management - How to become an auditor Other ISO and International Standards and European Regulations 1
J Getting training either from ASQ or from SAI Global - ISO 9001 Lead Auditor training Training - Internal, External, Online and Distance Learning 1
P ASQ Certified Biomedical Auditor (CBA) Certification Preparation 2019 ASQ - American Society for Quality 3
M Medical Device Design Control Auditor Recommentations General Auditing Discussions 19
G Third party auditor mentions no grace period for calibration Calibration Frequency (Interval) 22
D Where (in US) can I get the VDA Auditor Edition book? VDA Standards - Germany's Automotive Standards 3
S AIAG CQI Auditor Qualification and 3rd Party Certification Requirements General Auditing Discussions 2
M IATF 16949 7.2.3 Internal Auditor Competency - Trainer's competency Internal Auditing 7
C Recommendations for UK-based ISO 13485 internal auditor training ISO 13485:2016 - Medical Device Quality Management Systems 1
Sidney Vianna AS9100 News July 2019 AAQG/RMC CB Auditor Workshop - Presentation Materials AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 0
D Scope of Facility - Our auditor asked us last week for our "Scope of the Facility" AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 12
A ISO 9001 lead auditor as Full time career India Career and Occupation Discussions 2
J Manufacturing Process Auditor Requirements - IATF 16949 IATF 16949 - Automotive Quality Systems Standard 9
GreatNate ISO 9001:2015 Lead Auditor Course? (who to take with) ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 15
A External Auditor issue with Internal Audits Internal Auditing 7
Q Internal Auditor competence for ISO 14001 ISO 14001:2015 Specific Discussions 11
S IATF 16949: Is "Certified" Internal Auditor mandatory? IATF 16949 - Automotive Quality Systems Standard 9
S Internal Auditing for API Spec Q1 - auditor qualification requirements Oil and Gas Industry Standards and Regulations 6
J Your opinion on the better training org for IATF16949 Internal auditor and Lead Auditor IATF 16949 - Automotive Quality Systems Standard 3
K Turtle diagram or process interaction chart - Making it easier for an auditor Process Maps, Process Mapping and Turtle Diagrams 23
C TL-9000 Certifying Body Issue - Auditor failed to find an issue for 10 years TL 9000 Telecommunications Standard and QuEST 16

Similar threads

Top Bottom