First of all, John. You owe me one. A Mac user since 1986, I've STILL got an old LCII and Si in the closet - have an 8500 on my desk and a powerbook 1400 I travel with. Bought a lot of Apple stuff over the years including laser printer and several Apple monitors. Heck - I could have bought a house with all I've spent!
Anyway - in respopnse to your post: This thing is all over the map. Some come in, rush through and get out. Others (ahemmm, like me) are snot nosed independent councils - give us money and we'll look far and deep and talk to everyone you ever knew or have ever spoken with looking for a hole. And it is registrar independent. Rewgistrars may think they have their auditors 'calibrated' but they don't.
I don't know a thing about NASI except what you posted here. Sorry I can't help there. All I can say is you cannot plan on their 'support' by giving management 'the boot' on an issue. As you have experienced with couple of auditors you have experience with - each has his/her own way. In some ways it's a view of what is 'appropriate' by each person.
The following is from a person who recently e-mailed me which further points out some 'problems' with ISO and registrars. This person cites an experience with NSAI - read closely.
-------snippo-------
Subject: Re: Registrar Quality
Date: Tue, 16 Feb 1999 02:29:01 +0000
From: Marc Smith
Organization: Cayman Systems
To:
[email protected]
First of all, I want you to know that I *sincerely* appreciate not only your feedback, but the detail into which you have gone as well. I assure you I will keep the source info confidential. I believe this is in response to my saying let the registrar determine whether you're compliant to the spec or not. I am mainly going to respond to the auditing end of it as I am under no delusion that registrars know heck from shine-ola, as my pappy used to say. They are inconsistent, can be (and are every day) bought off in one way or another, and are becoming more and more of a useless entity which basically is a money hole. Your portrayal of FedEx was excellent! And, sadly, typical
Actually, I do agree with you and know of what you speak. In fact, I am at a new client facility this week (QS update) - a UL registration last fall I have to laugh at. No way they were compliant at the time of the audit and they're far from it now. What surprised me was UL's reputation for being sticklers. Geeze - what sleeze. As I have now passed through over 6 years of implementations I find registrars becoming more and more useless, in fact.
And a brief: I have been involved in ISO since 1992-3 and took my first 'Lead Auditor' course in April 1994. I was 'hip' to QS before it was released by a year with my first implementation about 4 years ago. I haven't been at it 'forever' but I've been at it for a while. I have planned implementation at large companies (Motorola - Semi-Conductor sector - some 20,000 souls all in all) and small (Eagle Chemicals - 14 souls at the time). I'm not sure what an 'expert' is, but I do have a bit of experience. My resume is at
http://Elsmar.com/resume.html
So far, none of my implementation clients have had a registrar problem. In large part (IMHO) because I force them to know the spec - all managers. And at least one of them has to fully understand how QS applies across the board. I see compliance with ISO or QS as a function of a management person and I see registration as an exercise after compliance has been achieved.
No - I do not see the registrar as the sole source for compliance confirmation. As I said above, I expect each company / facility to have a local expert. I will not take a contract unless I believe they understand this and I have 'quit' several companies which did not provide the person. My point is that I believe after the major systems are established they should be reviewed for compliance prior to revision by the company expert.
No - I do not see compliance to ISO or QS as the job of an internal auditor. I believe the internal auditor function is being sold with minimal basis for the neccessity. With consideration to the significant problems we 'professionals' have in interpreting QS (and to a lesser degree ISO) I find it amusing that folks want to take floor personnel and managers and make them 'professionals' in ISO or QS. Part of my bias may be in that so many companies are streached so lean that folks have trouble getting their jobs done as it is - not to mention throwing on another 'job'. I would rather have them doing the job they are hired to do well and spending their time there.
I have also been privy to many conversations where the internal auditor admits that s/he 'didn't find problems' in large part due to personal connections with one or more of the folks being audited. "John's group is under the gun and I saw no reason to complicate matters" is not at all uncommon.
My latest client also illustrates what I often find - with so much going on the planned audits just stopped. As one plant manager told me "I'm trying to get product out the door. There won't be a company to audit if I don't get these messes cleaned up." Now I know that's not what we want to hear, but often times it is the 'Real Life' of the situation.
To me, to believe that internal auditors are some kind of saviour is silly. And I simply believe out-sourced audits make good sense. Admittedly some internal auditing scenarios using company personnel work out well - for as far as they go - but I have say that I believe the majority are not what they could be with out-sourced audits.
This said, it is clear that there is an ever increasing legion of 'qualified' auditors who are trash. I always run my clients past an RAB auditor prior to pre-assessment - to check me, actually. Several times I have gotten trash. One guy's big bitch was a confusing procedural numbering system. He was right - it was confusing - but that was not his business. He was an ex- college professor who saw the $ signs in ISO and auditing. He made me look pretty bad with his harping about changing the numbering system (this was a facility of a large multi-national corporation). But - he was 'certified' by the RAB as a QS Lead Auditor!!! And he had never once held a manufacturing job!!!
Your point is well taken. You will get no argument from me on crappy registrars and auditors. But this is all fast becoming a joke. When I started consulting in ISO the registrars checked things and did an 'overly' good job. Now - they are falling into the $ rut. I now see them as a 'baseline' function. This is to say they provide for your facility a base line of what *they* will accept (which in many cases is next to anything). If anything I misspoke by saying registrars should check for compliance to the spec.
My point in pointing to the registrars is that anyone worth his/her salt can pretty much tell after a thorough review of a systems manual and the supporting level 2 procedures whether the company is compliant to ISO or QS (systems design wise). If a registrar does a document review and pronounces everything OK and then comes to me and tells me I have a major nonconformance because the design of 1 or more systems is not compliant during a registration audit, I really want to know what I paid for a document review for. In fact, I council my clients - Your pre-assesment should be limited to document reviews. At Motorola, Guadalajara we had LRQA auditors spend the pre-assessment in separate conference rooms. Not once did we let them out onto the factory floor. They went thorugh level 2's and the called out level 3's - down to control plans and control plan content, etc. Company employees responsible for their documentation went through it and provided 'evidence' through 'runners'. All I want at a pre-assessment is the OK that all the defined systems are compliant and that the entire intent of ISO (or QS) is addressed. *I* will ensure the folks are following the procedures (as will the registrar during the registration and subsequent audits). You give me those level 2 documents and I will tell you whether a company's internal systems are compliant or not to the spec. No - I cannot yet tell if folks are doing what they are supposed to - that's an internal auditing function and a function of the assessment (and subsequent) audits.
If my systems are compliant, my expectation is that any company with any smarts at all will ensure a review of any change to a 'master' system by the company 'knowledge base'. With that said, the only significant change to 'master' systems should be when the spec is updated anyway (unless there is a significant change in the company/facility as a whole).
I stand by my opinion that internal audits should be out-sourced. Companies have enough problems even reactiing to the audit findings when the audit reveals problems. Reaction is where the real meat is anyway. I wouldn't want my employees auditing - I want them out there solving problems whether current (reacting) or possible (preventive actions). I want to let them do their business. I don't want to saddle them with another job to LEARN.
And lets face it - you don't send someone to a lead auditor course and expect a professional. A guy called the other morning - ****, he called me frantic on a Sunday morning at 7:30AM (I can handle it - I'm a professional! Hee hee hee!) - he told me he took the (AIAG?) QS internal auditor course and did well on planning and such but said he screwed up the interpretations part. He wanted to know if that was typical. I told him what I believe - there are grand expectations that internal auditors know and be able to interpret the spec. GIVE me a break. Auditors within registrar firms often do not agree on interpretations and they're supposed to be professionals dealing with QS and/or ISO every day! And we want an inspector (this fella was a line inspector) to interpret it? Give me a break again! Apparently this guy's supervisor is pissed because he didn't pass as didn't another person from his company who went through it. If it was my company, I would want that guy learning more about inspection - I didn't hire him to be an auditor.
A last thought. Take a spreadsheet and figure costs. For many companies it is simply not cost effective. Training, total time off job, total audit hours per year, losses through transfers and turn-over. Often they would be better off hiring someone just to do internal audits. Outsourcing them eliminates burden - you pay only the hours.
My opinion. However, I again want to say I *appreciate* your e-mail. More than you may understand. It *has* helped me calibrate myself to some increasingly troubling realities - registrars are going for the money in this case. It is the case that I believe the push for internal auditors is a $$$$ based push from interested (to say the least) parties. I look to the nuclear / banking / financial models for auditing guidelines - inside audits are for compliance to internal systems / requirements (do what you say) while the meat of compliance to spec is 'company expert' and external audits terratory.
With all this said - it will not change my standard - which is to ensure a client is compliant to the spec and that folks are doing 'what they say' (I will say several have not 'let me do my job'). I will NOT assume the registrar will be bought off and will thus will be 'gentle'. In a recent conversation with a client I said (several times, actually) that they would not have wanted ME as their auditor at registration - that they would not have passed. No way. He agreed this was the case.
We are becoming a world of auditors and audits - and I'm not convinced they are but a temporary step in the long history of manufacturing and providing services. Going back to the trade routes and civilizations of hundreds, nay, thousands of years ago, the auditors were sent by the king (or whatever the local ruler was called). Guess why.
Unfortunately I have some old-school republicanism in me. If I make a good product and it works for you and you want to buy it, then do so. Don't tell me how to make it. If I produce crap or have many 'nonconformances' shipped, you will stop buying from me. It's no one's business how I make or do something. tis is all about LIABILITY IMHO. Nothing more - nothing less.
[email protected] wrote:
> Hello Marc,
> I decided to take this off the list because I thought it in poor taste
> and not necessarily appropriate for all to see.
> I totally disagree with your statement about the jobs being done by
> registrars. I don't mean to say all registrars are either bad or good. Nor
> that all auditors are either bad or good. But I do know of some bad registrars
> and some bad auditors.
>
> I should preface my information by letting you know that my company is a
> consulting firm which specializes in helping companies get and maintain ISO
> along with TQM and a few other things including a software product which helps
> with quality record keeping for both ISO and QS. While I am not asking you to
> go to our web site if you want more information our web site is at
> *** DEAD LINK REMOVED ***. Asie from that I will get on with
> my examples.
>
> I know of 3 companies who have been audited by U.L. which had glaring
> wholes in the system. In each case the auditor just turned their head and
> looked the other way. Additionally in a separate audit of one of the companies
> the auditor said "If I come back tomorrow morning, I'm sure that will be fixed
> so I will audit it then." And he did just that. The worst offender has so
> much conflicting information in their procedures and manual it is an auditors
> nightmare. In their case I only try to teach their internal auditors what to
> look for. However, each class keeps questioning the standard requirements
> since they keep passing their audits. It is impossible to explain to an
> internal auditor why the standard says one thing and the registrar doesn't
> even audit for it or give them a non conformance.
>
> Two of the people in my company did two preassessment audits on a company.
> The first had major non conformances in almost every section so they asked to
> come back after they corrected the first findings and do a much lessor audit
> the second time. We found they still had major non conformances in three
> sections of the standard. The biggest being document control. Mostly a people
> doing their own copying and then having obsolete documents. (A management
> discipline issue.) The company was due to be audited by TUV Rheinland but we
> knew how their auditor audited and indicated they would not pass without
> fixing the problems. A company they knew had used BSI so they decided to use
> BSI instead. BSI passed them even with the major problems. When one of the
> people we know well asked about not being strict, the auditor told him that
> they used to be strict but too many people complained so they didn't want to
> get people mad so they made most things observations instead.
>
> In an audit a couple of years ago by NSAI, one of the auditors spent two whole
> days in an office going over documents and asking the employees if they
> complied. She actually gave them non conformances because the line between the
> header and the text of the procedure was not all the way to the edge of the
> page on some of the procedures. At the same time she never audited three
> sections of the standard. This was their first audit and by NSAI requirements
> all areas were suppose to be audited. She is no longer with the company.
>
> I have personally been on two of the UL audits and an audit by TUV Rheinland
> which has been a waste of money for the company being audited. They got a
> piece of paper on the wall but not a good audit.
>
> At the same time I have seen the auditors go off the other way and require
> things that are not in the standard. The same NSAI auditor when questioned by
> our person indicated that they were not limited to the standard. It was their
> job to help make sure the company had a good system and that it met their
> requirements not just the requirements of the standard. In their case when her
> manager was contacted they played emotional blackmail with the complaint. The
> customer had a deadline from a corporate office for getting registered and
> NSAI said that if they wanted to challange it there would be a delay in their
> registration of several month while the review was done.
>
> As recently as 2 weeks ago I had a client who was audited by an ABS auditor
> who made them call us and have us provide training records for all of our
> trainers. We were qualified as a company by them in 1993 and have provided
> services about once a year ever since. When we provide our lead auditor
> training certificates again along with all our company information which was
> obsoleted several years back since they only need to keep it for two years by
> their procedures, he still gave them an observation because he did not
> recognize one of the companies who provided the lead assessor training.
>
> As you may have seen on the list we have had clients who have gotten minor non
> conformances or observations for nnot having ansi Z540 or Guide 25. WHile I
> agree with the messages about using old documents, it is sometimes hard to get
> the auditor to agree. And some feel they have sole power.
>
> We have written corrective action requests on behalf of our clients or helped
> our client write corrective actions for non conformances which were not valid.
> TUV Rheinland is the only one who has done a good job of reviewing the
> nonconformance and the information provided and gotten back to the client in a
> timely manner. The others either do not reply or like NSAI use blackmail to
> keep the complaint from being addressed.
>
> The funniest response I got was from Lloyd's in regards to FedEX whom I feel
> even today bought their certificate and Lloyd's. Having personally tried to
> obtain a corrective action response from Fedex all the way from the local
> office to their corporate customer service and quality group without response,
> I wrote an action request to Lloyd's. Background: if you have time and want to
> follow up on this try calling you local service rep and ask them if they know
> what ISO is and the company policy. Also what their procedures are for
> corrective action and providing a response when requested by the customer.
> They don't know the policy, don't know what ISO is and can not get or provide
> a response letter no matter what. Our company is small so I thought maybe you
> had to be a big customer to get a response. I asked one of my clients who at
> the time was 12th on the list of American electronic and electromechanic parts
> distributors. They send out numerous packages per day using both UPS and
> FEDEX. They got the same response.
>
> When I talked to an auditor from Lloyd's at a local ISO USer Group he said he
> would look into it for me. Which he did pass on to someone. We got a letter
> from Lloyd's which included a page from FEDEX which said they were registered
> world wide and what the scope was. The letter went on to say they had in fact
> done their audit from the corporate office with calls to selected branches (or
> local offices). So I tried again with some of the major locations such as
> Miami, Los Angeles, San Fransisco, and New Jersey. The results were the same.
> They had no clue as to what I (or my cleints) were asking for.
>
> In summary: for every four good audits I have been in with my clients, I have
> seen one bad. The bad was either not really looking at the system or injecting
> their own standards as opposed to the ISO standards.
This is, and has been, common.
> In my conversation with one registrar, this is expected to get worse since
> more and more of the registrars are going to sub contractors. What they have
> seen is a control issue with the sub's they had used and so they are avoiding
> going that way. In some cases, the sub wants to make a name for themself and
> over audits. In others they feel if the customer is happy they will get more
> work.
>
> Sorry for the length of this message
It is GREAT! Thanks! Not too long. Well detailed, and I appreciate it!
> but I think you should be aware that all
> is not as you seem to think it is.
Sadly, I have been aware of this for some years - it is precisely why I put
up my web site over 3 years ago.
