External Auditor asking for other Audit Findings

[KingQA]

I apologize if this question has been asked before. I did a search and couldn't find the response. My ISO auditor is asking for the findings of my internal audit, as well as my state and federal audit. I was always taught never to give the findings of any other audit to another auditor, because it might bias their audit. They should be able to find any issues on their own. I thought we are only required to show that an audit was conducted. Please advise and cite the section that supports your argument.

Thank you in advance.

 

[Randy]

I apologize if this question has been asked before. I did a search and couldn't find the response. My ISO auditor is asking for the findings of my internal audit, as well as my state and federal audit. I was always taught never to give the findings of any other audit to another auditor, because it might bias their audit. They should be able to find any issues on their own. I thought we are only required to show that an audit was conducted. Please advise and cite the section that supports your argument.

Thank you in advance.

As for the internal audit, he has to audit the effectiveness of the internal audit and the results of the findings are just part of that process.

But what's with state and federal? What kind of QMS areas are audited by the state and fed's?

I'm doing a QMS right now, I did a couple last week and I'll be doing another next week and I'm sure not asking about state and fed audits.

 

[Colin]

The auditor has to look at the content of the internal audits to verify that they are being carried out to an acceptable standard e.g. recording of findings, raising and clearing N/C's (where applicable), suitable coverage of the systems, etc.

This is taken from ISO 17021:2011:

9.1.9.6 Identifying and recording audit findings
9.1.9.6.1 Audit findings summarizing conformity and detailing nonconformity and its supporting audit
evidence shall be recorded and reported to enable an informed certification decision to be made or the
certification to be maintained

 

[Stijloor]

The auditor has to look at the content of the internal audits to verify that they are being carried out to an acceptable standard e.g. recording of findings, raising and clearing N/C's (where applicable), suitable coverage of the systems, etc.

This is taken from ISO 17021:2011:

9.1.9.6 Identifying and recording audit findings
9.1.9.6.1 Audit findings summarizing conformity and detailing nonconformity and its supporting audit
evidence shall be recorded and reported to enable an informed certification decision to be made or the
certification to be maintained

Colin,

Doesn't this apply to external (3rd Party) audits?

Stijloor.

 

[Colin]

Yes, that is what he is referring to isn't it? His 'ISO auditor' wants to see the details contained in his internal audits. I was pointing out that 17021 requires the 3rd party auditor to record evidence of what was seen and if not, certification cannot proceed.

It is unfortunate that we are talking about the audit of an audit rather than the audit of say sales or purchasing!

 

[Paul Simpson]

Agree with all of the points raised by others.

I apologize if this question has been asked before. I did a search and couldn't find the response. My ISO auditor is asking for the findings of my internal audit, as well as my state and federal audit. I was always taught never to give the findings of any other audit to another auditor, because it might bias their audit.

Now I first heard this one from my first QA Manager in about 1983! He refused to hand over the audits until the last thing on the programme for this reason. BTW Fed and State audits (and even customer audits are outside the scope f a QMS audit but might come in to an EMS / OHSMS audit as they might demonstrate legal compliance (or otherwise) but again the reason for looking at them needs to be justified.

They should be able to find any issues on their own. I thought we are only required to show that an audit was conducted. Please advise and cite the section that supports your argument.

Thank you in advance.

As Colin has mentioned you do need to allow the 3rd party to test the effectiveness of your audit system through review of your audit programme, results of audits and effectiveness of communication and close out.

 

[Sidney Vianna]

I thought we are only required to show that an audit was conducted.

Apparently you think that a CB auditor should behave like an FDA auditor. Wrong expectation.

The main thing is to understand WHAT your external auditor wants to do with the results of other audits. Technically, your system is required to respond to both internal and external audit findings, INCLUDING nonconformities. Your management review has to assess results of audits, your corrective action process should prevent recurrence of nonconformities observed by internal and external auditors, etc.

We can only speculate what your CB auditor wants to do with the knowledge s/he might gain from other audit results, but, absolutely, they should have the right to access such data, in order to determine how effective your system is. If you don't trust your CB auditor, the relationship is dysfunctional and neither party will benefit from it.

 

[Bonhomme]

Could someone explain the "they might be biased" thing to me please ? I've heard it before, too. Our school makes us do a "2nd party" audit at partner companies. The QM first refused to give us access to previous audit reports (made by previous students) as it would, indeed, influence us.

Either
- internal findings have been solved, the auditor will note the improvement
- internal issues still exist, he will only be able to write something down if it is actually nonconforming/sensible, not copy/pasting stuff for the sake of it.
Actually he then may write a NC for the existing stuff, and add one for lack of internal audits performance, I guess ?

May the "risk" be that the auditor might find more NC with access to internal audits reports, than he would by himself (lack of time, etc.) ?

Wouldn't that be a GOOD thing ? Isn't the important thing to find problems in order to solve them, no matter if the auditor was a big boy and found them alone, or if he read reports then followed the trails ?

Am I being too naive ?

 

[Paul Simpson]

Could someone explain the "they might be biased" thing to me please ? I've heard it before, too. Our school makes us do a "2nd party" audit at partner companies. The QM first refused to give us access to previous audit reports (made by previous students) as it would, indeed, influence us.

Think of it this way. If you read an audit report before going onto a factory floor (for example) and the report says: 'No work in progress identified and nobody aware of where there procedures are.' Human nature says that when you go out you'll be looking for identification and asking people where there procedures are. It is the lazy auditor's way of completing their audit.

Either
- internal findings have been solved, the auditor will note the improvement
- internal issues still exist, he will only be able to write something down if it is actually nonconforming/sensible, not copy/pasting stuff for the sake of it.
Actually he then may write a NC for the existing stuff, and add one for lack of internal audits performance, I guess ?

There are a couple of issues here. In auditing the audit process the 3rd party must make sure that it is effective, so:

• Audits should be carried out to programme
• Audits should accurately record findings
• The audit follow up systems should be carried out in accordance with procedures

Now if all of these are OK there is a final check and that is - does the internal audit pick up on N/Cs that exist? If the 3rd party is finding loads of N/Cs and the internal audits show a clean bill of health then the internal audit process is ineffective.

But this was not the original question.

May the "risk" be that the auditor might find more NC with access to internal audits reports, than he would by himself (lack of time, etc.) ?

Wouldn't that be a GOOD thing ? Isn't the important thing to find problems in order to solve them, no matter if the auditor was a big boy and found them alone, or if he read reports then followed the trails ?

Am I being too naive ?

Not naive, no. Again the number of findings is not necessarily important but a biased sample is. If a 3rd party just copies internal audit findings then s/he has not sampled the process themselves and there may be many other findings that the internal audit did not raise but that might be more significant than those s/he has raised.

Similarly some CBs will not duplicate N/Cs (within reason) if they have been raised by internal audit and are being addressed - as there is no point.

3rd parties should do their own independent sample and make a judgement of an effective system on their sample. Part of this is to audit internal audit but that should be at the end of the programme (IMHO)

 

[AndyN]

I can't agree that it's a lazy auditor's way, Boris! You and I both know, auditors should be looking for the actions taken after audit nc's to be effective. We both know, previous audit findings should be factored into 'this audit', especially since we know that corrective actions are often subject to the "Hawthorne Effect".

That degree of bias should be observable as a competency (or lack thereof), and not confused as an effective auditor trait, following up on previous result...