Giving copy of external audit report to customer

[Meggsy]

As a part of a tender submission to a customer, we have been asked to provide copies of internal and external audit reports. I assume this includes our LRQA surveillance report...

Is it appropriate for customers to ask for this? Dont they just need to know we were approved and have a certificate?

Sorry if this is a basic question, but it doesn't seem right to me.

Thanks

 

[Stijloor]

Meggsy,

The fact that the Customer requests it, does not mean that you need to provide it to them. You can politely state that you consider this proprietary information. Have you asked what the purpose is of their request?

Stijloor.

 

[DannyK]

I have heard customers asking for external audit reports.

Some provide them and others decline.

Some ask that they be reviewed on-site with no photocopies made.

Some customers ask for everything such as financial information and their requests are politely declined.

 

[arios]

I have seen that some customers require those audit reports. It will be up to your management if you send those over. One thing to remember is that some registrars require that if you provide a copy of an audit report all the pages must be included.

Hopefully you can find a way to go around that petition but definitely you will have to use diplomacy, otherwise relationships and the perception mutual support can be affected.

If you have other customers besides the one that is requesting your reports you could probably use that as a valid rationale for not sending what they are requesting as they may contain proprietary information of those other customers. Instead you could offer your client an screened summary of which audits were done over the processes of interest, a summary of the results and the status of any relevant Corrective Actions associated with them. They may buy this approach.

Take care

 

[Sidney Vianna]

Is it appropriate for customers to ask for this? Dont they just need to know we were approved and have a certificate?

Assuming that there is meaningful information in the audit report, your customer might have a good insight into how robust your QMS is, by accessing the audit reports. It is a well known fact that lousy systems attain and maintain certification. It is like having a driver's license. It does not tell your driving record...I would think a customer would ask for several consecutive audit reports, if they want to make a fair assessment. The latest audit report, alone, might not be very representative of the system, after all.

An interesting point is the fact that ISO 17021 states that the CB must maintain ownership of the audit reports. In my opinion, it does not make much sense; after all, the audit report is one of the few tangible results of an audit. Since the registrant is paying for the service, the audit report should be their property, not the CB's.

 

[Marc]

An interesting point is the fact that ISO 17021 states that the CB must maintain ownership of the audit reports.

Interesting tidbit of info.

 

[JaneB]

Yes, as others have pointed out, some ask for it and don't get it, others do. It depends on your management whether they choose to provide them or not. You can hedge conditions around it, including getting them to sign an agreement not to disclose them to anyone else (I would) and/or offering to give them access to them (eg, on your premises) but not giving them the actual reports.

Taking the other party's point of view, I'd be one of the people who would ask to see them, and as Sidney says, I'd ask for a few consecutive ones. Assuming they're done by a reasonable auditor (vs a tuppence halfpenny dubious cheapo firm) they'd give me a very good idea of how much their system is actually in use (which is probably what they really wanna know) vs a system that is continually 'only just' scraping by and stuffing up, time after time.

Also, if someone declined to supply/give me access with any of those reports, I'd take that as a pointer to watch also. I'd wonder: why not?

 

[Phiobi]

I must admit that I am one of those customers that asks to see the last CB audit report.
I find that it gives a lot of insight into the company, how they have performed and how they respond to NC's etc.

The shock for me is how often companies will have been audited by their CB 2 or 3 months before I audit them and I find the exact same issues!!

There have been many occasions when a supplier has refused my request to see the previous audit and EVERY single time i have audited them myself I have found that the QMS is very poor and I have not approved them in the first instance!

Personally I let my customers see them.

 

[Sorin]

Personally, it's a big NO.
Professionally, an argumentative big NO.

1.Proprietary information
2.Other customers proprietary information.
3.EC-LR (export controlled - license required) aka ITAR/EAR.
That should be enough.

Edit:
I forgot. All external audits are subject to a confidentiality agreement. So...
There is one exception. If our company is doing an external audit on a supplier who is sub-contracted on an item for the customer. The customer in question have the right to see the audit, if the audit was conducted on his parts. The same if our company is the supplier in question.

 

[db]

.... It is like having a driver's license. It does not tell your driving record...

I often use the driver's license as an illustration of the difference between qualified and competent. The driver's license qualifies you to drive, it does not make you a competent driver.

I never really thought of the same analogy for the QMS. But you got me thinking (and that is a dangerous thing to do). The registration would be qualification, then could the audit reports show competence? I know this is not a competence thing, but I think there is something parallel here. Got to think about this more.