Document Review

[Bumpebe1]

I'm looking for comments once again.

Prior to my company's upgrade certification to ISO 9001:2000 audit, our auditor will conduct an off-site review of our documents.

I received notification from the auditor requesting a copy of the company's Quality Manual, Quality Objectives, Quality Policy, Scope of registration, and the 6 mandatory procedures as required by ISO: (Doc Control, Record Control, Internal Audits, NC Product, Corrective Action and Preventive Action.

In addition to the above documents, I was asked to provide objective evidence of:

A. INTERNAL AUDIT RESULTS OF THE NEW REQUIREMENTS OF ISO 9001:2000

B. MANAGEMENT REVIEW MINUTES SHOWING A REVIEW OF THE INTERNAL AUDIT RESULTS.

I'm confused. I think this is going beyond the scope of the document review accessment. I believe I have the right to withhold this information until the actual audit.

Comments please. I would appreciate your insight on this.

 

[Claes Gefvenberg]

Why withhold the information?

Well…. Our registrar asked me for similar details, and I didn’t mind. It helped them to prepare their audit well. It also saved time during the actual audit, making it more efficient, and they would have gone through that material anyway.

After all, we have to audit acc. to the standard and we have to go through the audit results in the MR.

It makes sense to me to give them that information. Why withhold it?

/Claes

 

[Randy]

Read your contract!! I'll bet this is specified. Most registrars will not initiate an audit until the organization has completed an audit cycle & management review. Why do you say? Because the Internal Audit and Management Review have to be audited like everything else, if they haven't taken place and you have no records, they don't exist. Also if you haven't done your audit how can corrective and preventive actions be assessed.

Why would you want to with hold information about your audits and review anyway? If you go into this arrangement with the "I don't have to tell them anything" attitude like you seem to have displayed in your post you'll be destroying or at the minimum diminishing the positive potential of the process when, and I say when not if, your auditors detect it.

 

[RoxaneB]

I agree with Claes and Randy. I don't see a problem in providing this information ahead of time...in fact, I wish my own Auditor had asked for it so I could have had more "bang for my buck" during the actual Audit.

Is it going beyond the scope of a document review? Probably...but, like Claes and Randy, I see no benefit to withholding the information at this time.....unless you haven't done the Audit and reviewed the results? Just asking. :truce:

 

[db]

My only issue is with the "MANAGEMENT REVIEW MINUTES ". I would be satisfyed with "MANAGEMENT REVIEW RECORDS", however. It just bugs me when everyone assumes the standard requires management review meetings. But aside from that, one reason for the doc review is to see if you're ready for the on-site. It is rather expensive for them to go to your site only to find you haven't met the management review requirements. This way they save both organizations both time and money.

...until the organization has completed an audit cycle

Quick question Randy...In your opinion what constitutes an audit cycle? Auditing the entire QMS (EMS) or performing an audit, performing corrective action and verifying the corrective action? Does the word cycle refer to the schedule, or the PDCA of an audit?

 

[Bumpebe1]

Thanks for everyone's comment. The information is available. I didn't mean to sound like I'm hiding or not willing to share information. I have had some tough experiences with auditors and didn't want to be jerked about and that is why I ask for your comments. The first experience I had with document review for my company was on-site and the auditors only looked at our procedures. I am hesitant on the management review information being sent outside the company. But I guess the confidentaility clause will take care of my concerns there. The management review requirements are met through several different meetings at our site. During surveillance audits, we present the minutes from the different meetings to show conformance to the requirement. I'll have to talk to the auditor to determine the best way to present this.

 

[RoxaneB]

Thanks for everyone's comment. The information is available. I didn't mean to sound like I'm hiding or not willing to share information. I have had some tough experiences with auditors and didn't want to be jerked about and that is why I ask for your comments. The first experience I had with document review for my company was on-site and the auditors only looked at our procedures. I am hesitant on the management review information being sent outside the company. But I guess the confidentaility clause will take care of my concerns there. The management review requirements are met through several different meetings at our site. During surveillance audits, we present the minutes from the different meetings to show conformance to the requirement. I'll have to talk to the auditor to determine the best way to present this.

The confidentiality aspect to an Audit is there to keep us from worrying about "dem varmits" telling rival companies about our processes. They may say things like "I have a client who does xyz" but they won't provide a name or specific details/results.

I think we all have war stories from External Audits...and I'm certain that somewhere there exists a therapy group for External Auditors and their horrible experiences auditing us! But, hey, at the end of the Audit, you can make up some shirts for everyone that say "I Survived BSI 2003!"

Good idea to talk to your Auditor. Find out the specifics of what they want so that (a) you don't overwhelm him/her and (b) you don't provide more than is necessary.

Good luck and let us know how it goes!

 

[Randy]

The management review requirements are met through several different meetings at our site. During surveillance audits, we present the minutes from the different meetings to show conformance to the requirement. I'll have to talk to the auditor to determine the best way to present this.

What you're doing is exactly what I look for. MR is identified as a process, not an event. Conducting reviews on a continual basis instead of once a year keeps the flow going and contributes to everyone staying aware and system improvement. Your last statement shows a level of wisdom that some fail to disply. TALK to the auditor, or better yet talk with the auditor. There are some things this person cannot or should not do, but any auditor worth his/her salt will be willing to share what they have seen in other places.

db....the way that I view a cycle is through the standard and across the organization, with the relevent C&P actions. I tell people to not wait until they think their system is in place before doing this. The audit cycle should start during implementation (write it into the audit program/schedule), not after. The audit should also be handled as a continual process and not an event.

 

[db]

What you're doing is exactly what I look for. MR is identified as a process, not an event. Conducting reviews on a continual basis instead of once a year keeps the flow going and contributes to everyone staying aware and system improvement. Your last statement shows a level of wisdom that some fail to disply. TALK to the auditor, or better yet talk with the auditor. There are some things this person cannot or should not do, but any auditor worth his/her salt will be willing to share what they have seen in other places.

db....the way that I view a cycle is through the standard and across the organization, with the relevent C&P actions. I tell people to not wait until they think their system is in place before doing this. The audit cycle should start during implementation (write it into the audit program/schedule), not after. The audit should also be handled as a continual process and not an event.

First, I agree that yearly MR is not the way to go. I do have a QMS client that has a yearly meeting but has several bullets that would automatically trigger a MR within 30 days. Examples of the bullets are such things as adding or subtracting a customer, receiving a major nonconformance, customer complaints (imagine...one customer complaint triggers a MR), etc.

Secondly, I also agree that you need to talk with the auditor. Sometimes I wonder if half the problem is what we tend to enter into the audit with an attitude.

Thirdly, if I read you correctly, your answer on my audit cycle is not an either or, but a both and. (which also I agree with)

 

[Randy]

Now I'm flabbergasted

I don't think this has happened before when so many points I've made were agreeded to at the same time.

Cool!!