Closing internal audit corrective action requests

[SteelMaiden]

Ok, got a question...

We just finished our preassessment. The lead auditor told us in our closing meeting (notice that there was no discussion of this during the audit, this was out of the blue with no notice of any concerns) that the registrar expects all of our internal audit corrective action requests to be closed out within two months of the date of issuance.

I told them that I would take issue to that requirement. I explained that they could expect our investigation and corrective action plan within our documented time frame (generally 10 working days except for the very most serious). but if we ever choose to have a long range action, maybe the purchase of a new piece of equipment, or custom software design, we would not close out our corrective action request until every action was fully implemented and verified. I explained that for long term actions, we would also have some sort of short range action that would control the problem in the interim. I also explained that in some cases, it might be impossible to implement and verify in 60 days.


Have any of you faced this type of requirement? How did you handle it? The lead auditor told me that they (registrar) expects us to complete those long term under internal corrective actions, not audit corrective actions. Where is the value in having two types of corrective actions to handle one problem, especially since I want to track all of my audit stuff without having to bounce back and forth between internal audit corrective actions, and internal corrective action?

Do registrars really think about this stuff? I see absolutely nothing in the standard that says I have to close out corrective action requests in ANY length of time. All that is said is that we ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. So, if I submit my investigation and order that new piece of equipment (or whatever, remember this is all theoretical, they did not write a nonconformance) and now have to wait for delivery - 12 weeks, installation - 4 weeks, shakedown and proving of equipment capability - 2 weeks, I am not unduely delaying anything, I'm just being realistic in my scheduling of completion of the action, right?

OK, so I'll get off the soapbox, but this just really griped my goat! All feedback welcomed!

 

[Jimmy Olson]

I must say that this sounds like total B.S.

Now, with that said, I would ask the auditor to show me where in the standard it states anything to support his side. I would then listen to his lame excuse and tell him that he is to make sure we comply with the standard and not their own rules. I would probably even point out that there are plenty of other registrars who will audit to the standard instead of making up their own rules. But that's just me

 

[Douglas E. Purdy]

Steel Maiden,

I believe I had a similar situation with a QS System Audit with QSR in 2001. Our System Procedure for Internal Quality Audits linked to the System Procedure for Corrective and Preventive Actions where a CPAR would be generated for all known nonconformances and those concerns that may be potential nonconformances. We did not dictate any time frame to complete, just had the phrase that it would be performed in a timely manner. The auditor expressed concern that some CPARs had open items for 3 to 4 months and it was a minor nonconformance.

My corrective action was to take Internal Quality Audits out of the CPAR System and just document the corrective and preventive actions as Management Actions on the Schedule (see sample schedule), and then document when the completed actions were effectively verified. The basic premise for the change was that Global 8D as a problem solving method is only required when the cause for the nonconformance is unknown. Well most of the causes for the known nonconformances and potential nonconformances were known. The established process or procedure was not followed for a number of given reasons. The Management Action was to change and better the previously established process or procedure. A CPAR would only be generated when the cause was not known.

 

[M Greenaway]

Steel

You are absolutely right, and your assessor is absolutely wrong.

Did he give any reason for 2 months, or was this just his perception of a reasonable time.

I have had audit actions open for over a year !!

 

[D.Scott]

Steel -

Sounds like your auditor is quoting the IASG requirement to close audit corrective actions within 60 days. An interpretation sometime last year (sorry, no date) stated that when a nonconformance was found in a surveillance audit, it must be closed within 60 days. This has nothing to do with internal audits and would be an interpretation of your registrar to try to insist on it. I have been down this road with our auditor as well and you are right, there is nothing stating that you are restricted to a time limit.

By the way, you don't really need two systems to shift an audit finding over to an ICA. Just put it in your procedure that any CA designated by an "X" has been reviewed and, having management approval, it is considered closed for the internal audit but remains open for ICA.

Good luck.

Dave

 

[M Greenaway]

Dave

Are we just 'cooking the books' with these two systems, one which closes an NC in an audit and another that carries the corrective action ?

 

[Randy]

I can assure you that I didn't have anything to do with that person's ISO Auditor training.

The only corrective action plan you need is yours (period). You determine what actions you need to take and whoever is on the other end should make a determination if they are going to be effective in correcting the problem. Of course there may be some provisions in the Registrar's contract language about time periods for corrective actions, but if not, your requirements become the primary ones, not the auditors.

 

[tomvehoski]

I've set up systems both ways. Now I usually use a separate system for audit nonconformances - I normally don't see a point in a full 8D for most of the simple problems found during audits. I do state in the audit procedure that if a major issue is found it can be elevated to a full CA per the CA procedure. If I get into a database for tracking CARs, I usually integrate the system to prevent having to track two systems - the ability to query helps me find just the audit issues when I want to review them.

Auditors cannot dictate a timeframe to close actions. If it takes a year to get it done, due to valid constraints such as equipment purchase, that is perfectly acceptable. Make sure you have documentation of progress so that it does not look like the CA was forgotten or ignored. I had a similar one years ago with purchase of new equipment. It took over a year to get the capital expenditure approval, design, build, install and test a coating chamber. My boss kept asking me to close the CA because he thought he looked bad because it was open so long. I had him give me periodic updates on status which I attached to the CA. My ISO auditor thought I had a mistake in my database because it stayed open so long when most were closed in under 30 days. I showed him a 30 page CA with all of the backup information. He loved the fact that I would not close the CAR until I saw the chamber installed and we ran 20+ loads of parts without a problem.

On the other hand I did have a client get an audit NC for not taking timely action on audit findings. Cleanliness of the shop was written up on three internal audits over eight months. The plant manager did not clean the place up until a few days before the audit. It was spotless at that time, but the auditor found the three old findings and wrote it up since it was a simple issue that should have been fixed. There is no way I could argue it and had no problem with it.

Tom

 

[SteelMaiden]

Thank you everyone for your input. I feel a little better today. Just choosing my battles, gotta have my ducks in a row. In reply to some of the post, yep, I got no problem following their requirements for surveillance type audits. I can give them corrective actions that will meet any requirements and have them in place within the 60 days. BUT, that doesn't mean that is where we will stop. I have no problem with just giving them our interim measures and continuing our own long range corrective actions as internal measures. I just don't or won't have someone telling me I have to close our internal audits out before I am 100% satisfied that we have completed our plan.

For those who ask about the seperation of audit and internal corrective actions, I feel that all corrective action requests from any "process" are at the same level of importance once they have been prioritized. i.e. if it is a high risk CAR who cares if it was found in an external, internal audit or if it was found by an operator. The goal is to keep the nonconforming stuff in house.

 

[D.Scott]

Are we just 'cooking the books' with these two systems, one which closes an NC in an audit and another that carries the corrective action ?

You bet we are!! I am in 100% agreement with Steel

I feel that all corrective action requests from any "process" are at the same level of importance once they have been prioritized.

If the auditor wants to make silly rules, I will make silly solutions to them.

Dave