External Auditor asking for other Audit Findings

[Big Jim]

Very likely, this would be an ISO 13485 audit(or).

That practice just perpetuates misnomers. Whenever I can, I try to use the proper terminology.

Perhaps we should have asked the OP earlier. We didn't, and we got what we got.

 

[Paul Simpson]

As long as we are talking about the POTENTIAL for bias, we are in agreement. To declare that we cannot look at part of the QMS because we will become biased is just wrong.

Just as well nobody said that then, isn't it?

 

[KingQA]

Perhaps we should have asked the OP earlier. We didn't, and we got what we got.

Sidney is correct, it is a ISO 13485 auditor. And Sidney is also correct, that an FDA or State auditor has only asked for if our management review and internal audits were conducted, and we did not give the findings, and that was acceptable. That's why I'm a little confused with the type of information I should provide an external auditor, whether it's FDA, State or ISO.

I'm happy for the discussion this has created, because I feel like our goal is still trying to get a better understanding of the relationship with external auditors. I personally believe internal audits should be given towards the end of the audit, because of the bias potential. We are all human, so it's hard disregard something that was seen. It's possible, but why take that risk.

FDA and State audits are usually asked for by our ISO auditor. Yes, it's part of our non-conformance/Corrective Action process. Are these audits considered a part of 8.5.1? We don't have any major findings in our internal, FDA, or State audits, but I would like our ISO auditor to find problems within our system independently than base any of his findings on other audits, which can potentially happen.

Bottom line is, I believe I need to show my internal audits, because they are part of the QMS according to 8.2.2., and the timing of when to show it is debatable. Other Audits like FDA or State, I am unsure if they are required to be shown to the ISO Auditor or not based on 8.5.1. This is where my confusion lie, and the debate has been good, but still hasn't given me a confident stance if I am required to provide FDA or State audits.

 

[Sidney Vianna]

Other Audits like FDA or State, I am unsure if they are required to be shown to the ISO Auditor or not based on 8.5.1. This is where my confusion lie, and the debate has been good, but still hasn't given me a confident stance if I am required to provide FDA or State audits.

Remember that, according to ISO 9001 5.6.2.a), your management should be reviewing and taking action on audit results. So, the CB auditor might want to see if this is happening. Further, you should be implementing corrective actions if external audits report nonconformities.

In my opinion, a good auditor could have good reasons to request access to such data. On the other hand, a misguided auditor might ask to see such data to "focus" on problems already reported by others. If the latter happens, you should react accordingly and "fight back".

 

[JaneB]

Remember that, according to ISO 9001 5.6.2.a), your management should be reviewing and taking action on audit results. So, the CB auditor might want to see if this is happening. Further, you should be implementing corrective actions if external audits report nonconformities.

In my opinion, a good auditor could have good reasons to request access to such data. On the other hand, a misguided auditor might ask to see such data to "focus" on problems already reported by others. If the latter happens, you should react accordingly and "fight back".

Excellent advice from Sidney, with which I agree entirely.

I empathise with you - there isn't a simple or plain answer in relation to this. I'm sure it is a bit confusing for you -

You say that "FDA and State audits are usually asked for by our ISO auditor" - as Sidney says, a good auditor (repeat good) could have good reasons for doing this. That would include seeing how your company has responded to their audit reports, and particularly if any issues required consideration or response, how your organisation responded, if you followed your own procedure, if action was effective, etc.

But a misguided (or lazy) auditor might do it for reasons including the one Sidney mentioned.

The tack I would try is to ask for their reasoning. And if you don't find it acceptable - or even if you feel otherwise, you could also request that they look at those audits at the very end of the audit and not early on, and explain that you (as client) would really like for the auditor to make their own independent judgement before seeing what other auditors have found. That's a hard stance for a good auditor to argue with! (And if they insist, take it up with their boss, explain your reasons - and if necessary or if you prefer, ask for them to assign you a different auditor. You can and they will.)

PS - I do empathise with you about the less than edifying diversions in the thread. As a regular poster, I know that the majority of us aim to focus firmly on your needs until the questions is reasonably answered. But alas, not everyone always adheres to that firmly, as in this instance. One of the downsides of a forum.

 

[Big Jim]

Just as well nobody said that then, isn't it?

I certainly saw that flavor in your earlier post. If you feel that was not your intent, I'll certainly accept that.

I can certainly understand your concern about a lazy auditor basing his findings solely or even largely on the internal audit results, and I have seen that abuse. One CB auditor bluntly told the auditee that he expected to see such detail in the internal audit that he could do his entire audit simply by reviewing all that objective evidence. The auditor never left the conference room.

My read on your earlier post is that an auditor who chose to review the internal audit early in the audit was a lazy auditor, which I take exception to. It isn't necessarily so. It could instead be evidence of a thorough auditor.

Since you feel that it is inappropriate to look at the internal audit until late in the audit, we will simply need to agree to disagree on that point.

 

[Paul Simpson]

Could someone explain the "they might be biased" thing to me please ? I've heard it before, too. Our school makes us do a "2nd party" audit at partner companies. The QM first refused to give us access to previous audit reports (made by previous students) as it would, indeed, influence us.<snip>

Think of it this way. If you read an audit report before going onto a factory floor (for example) and the report says: 'No work in progress identified and nobody aware of where there procedures are.' Human nature says that when you go out you'll be looking for identification and asking people where there procedures are. It is the lazy auditor's way of completing their audit.
<snip>
Not naive, no. Again the number of findings is not necessarily important but a biased sample is. If a 3rd party just copies internal audit findings then s/he has not sampled the process themselves and there may be many other findings that the internal audit did not raise but that might be more significant than those s/he has raised.

Similarly some CBs will not duplicate N/Cs (within reason) if they have been raised by internal audit and are being addressed - as there is no point.

3rd parties should do their own independent sample and make a judgement of an effective system on their sample. Part of this is to audit internal audit but that should be at the end of the programme (IMHO)

I certainly saw that flavor in your earlier post. If you feel that was not your intent, I'll certainly accept that.

I can certainly understand your concern about a lazy auditor basing his findings solely or even largely on the internal audit results, and I have seen that abuse. One CB auditor bluntly told the auditee that he expected to see such detail in the internal audit that he could do his entire audit simply by reviewing all that objective evidence. The auditor never left the conference room.

My read on your earlier post is that an auditor who chose to review the internal audit early in the audit was a lazy auditor, which I take exception to. It isn't necessarily so. It could instead be evidence of a thorough auditor.

Since you feel that it is inappropriate to look at the internal audit until late in the audit, we will simply need to agree to disagree on that point.

So just to wrap this up. I am happy to agree to disagree. Hopefully the above multi quote (edited for space) outlines the facts.

A recommendation to all Covers is you should try to manage your auditor and CB so that they do their job properly and carry out an effective sample audit without any undue bias. Once the CB has had a chance to audit your system they will be targetting areas based on the risk that they see and the results they have observed.

You have to be careful with auditors ... sometimes they read things into documents (posts) that aren't even there.

Perhaps someone can enlighten me about 13485 certification scheme rules. Is there a requirement for external auditors to review any external (e.g. FDA) audits?