Classification of Findings in Audits to the new standard


VickiC - 2006

From an auditing standpoint, I never want to issue a corrective action request (CAR) unless I can clearly identify an element from the standard relative to what I observed. Now, I understand and subscribe to the concept that most often if an employee is observed to be operating inconsistently with documented procedures, that somehow it is a "system" issue. It appears that the structure of the new 2000 std supports this concept tremendously because I cannot comfortably identify a clause to use if I really wanted to issue a CAR for this situation. Any thoughts, suggestions, or ideas?

Rick Goodson

Hi Vicki,

A couple of thoughts.

4.1.c) "The organization shall determine the criteria and methods needed to ensure that both the operation and control of these processes are effective,...", with emphasis on the control.

7.5.1 Control of production and service provision, The organization shall plan and carry out production and service provision under controlled conditions. Controlled conditions shall include, as applicable....7.5.1.b) the availability of work instructions, as needed...

The standard allows the organization some latitude in implementation but does require 'control of processes'. If the organization decides that operators need to use documented procedures then not using them is evidence of lack of control.



I don't see it specifically stated in ISO 9K2K that "thou shall follow documented procedures", but how about 8.2.2.a "The organization shall conduct internal audits at planned intervals to determine whether the quality management system a) conforms to planned arrangements (see 7.1) ..." Planned arrangements under 7.1 include documented procedures.

You might also look at 6.1.a - "...provide the resources needed to a) implement and maintain the quality management system ..."

It is strange that 7.5 requires availability of information and work instructions, but not compliance with them.

If the nonconformance did not fit some other specific section of ISO, I would probably just reference 7.1 and failure to follow planned arrangements. I tend to worry more about the problem than what part of ISO it fits into.



tomvehoski said:

It is strange that 7.5 requires availability of information and work instructions, but not compliance with them.

I missed the words "carry out" under 7.5.1, so I guess ISO does require compliance with instructions.

VickiC - 2006

Thanks for all the feedback. Good ideas and thoughts.

I agree with your last statement, Tom, regarding focus on the problem vs the ISO clause. However, I am relatively new in this company and I don't think some of the people I visited in my first audit were used to an internal auditor approaching them and they "put up a fight" for identified concerns or issues (not saying I wouldn't do the same :) ), but I have a stronger leg for discussion with an identified ISO reference.

Nosmo King

Re: finding classification

VickiC said:
I never want to issue a corrective action request (CAR) unless I can clearly identify an element from the standard relative to what I observed.

Just for interest, Vicki, what is the purpose of linking CAs to the standard?

What business benefit does that give to your organization?

VickiC - 2006

I hesitate to say this because it sounds like I am slamming my company, when actually we have a lot of good systems in place. However, I came in very new to this auditing position about 5 months ago and actually started with the company a little over a year ago in a position that had little exposure until this. So, perhaps it's my delivery (although I would hope not), but the culture here is very requirement oriented and if it (whatever the expectation is) is not spelled out in writing like a PO, statement of work, specification, or....ISO 9000, there is a lot of resistance to even accepting responsibility for a corrective action request. So, I tie them into ISO since I am the designated ISO 9000 corporate quality auditor. I must say, I welcome suggestions as I find I learn and grow all the time by this type of dialogue!

My quality heart, and some others in our organization, understand that what we are really striving for is an effective business system that focuses on profits AND customer satisfaction and not just an ISO compliant system. Then, there are some who seem to not understand the big picture. Does this make sense?



Here is what I recommend. All CAR's need three components. First, they need to be understandable. The auditee must be able to determine what was wrong and how it needs to be fixed.

Secondly, CAR's need to be actionable, that is they must be written in a manner where the auditee can take action.

Thirdly, they must be unarguable (yes, I know that isn't a word). This is where we link to the requirement. It might not always be to the standard, but quite often to a specific procedure or work instruction.

A good CAR will give the auditee enough information, so he/she will know how the requirement has been violated, and what to do to meet the requirement. (This may involve changing the requirement in some cases.)

Hope this helps!

VickiC - 2006

Well here is another element to the quality system I am "designing" - tell me what you all think of this:

In an effort to quantify, chart, monitor, and measure results of the audit function and any other system issues that enter the CAR system, I have developed a "defect code" to capture and create a database of information. This is helpful to present a summary of the results to upper management as required every other month.

What are some of the other ways you auditors are capturing your audit results?

Hi, Vicki,

Sounds good. Here are some of our ways and means:

We use a home made Access application to manage the entire audit process.

I post the following data from it to our intranet (and to the management review):

Lists of:
  • All current CAR's
  • CAR's with a deadline within a month (Early warning)
  • Overdue CAR's (Somehow people seem to dislike ending up on this list ;))
and graphs covering the above. That way the trends can be easily spotted.

All audit reports are accessible via the intranet. Every coworker can read them.

I keep trying to improve the audit process at all times and once a year I evaluate it all the way through.
