Internal and external auditor competency to CSR's

[bailey1998!]

Hi was recently audited on our second SV for IATF and was written for not showing auditor competency as it pertains to Customer SPeficis Requirements (CSR's) . Kinds of a difficult area since they are ever-changing other that reviewing with the person performing the audit of the specific area before the audit occurs. Does anyone have any insight or helo on this one?

 

[Sidney Vianna]

Does anyone have any insight or helo on this one?

ask the CB auditor, who wrote you up, how does s/he demonstrate competence to audit against the OEM CSR's....

 

[Golfman25]

This one completely sucks, written by a no nothing auditor who thinks internal auditors can't read. Like you said, they keep changing and you could have several of them to address. We would review the existing CSRs prior to audit and note any areas we wanted to look at. Auditor came in and said "nope, you have to be trained." So he wanted us to read the CSRs as they where updated and mark it in our training log as being "trained" to the CSR. As if the internal auditors would remember 6-12 months from now during and audit. It was a complete farce, but that's what we did -- everyone was "trained."

 

[bailey1998!]

This one completely sucks, written by a no nothing auditor who thinks internal auditors can't read. Like you said, they keep changing and you could have several of them to address. We would review the existing CSRs prior to audit and note any areas we wanted to look at. Auditor came in and said "nope, you have to be trained." So he wanted us to read the CSRs as they where updated and mark it in our training log as being "trained" to the CSR. As if the internal auditors would remember 6-12 months from now during and audit. It was a complete farce, but that's what we did -- everyone was "trained."

Yeah I can't beleive it at all. I have never been questioned on this and again its the 3rd time being audited to IATF and was never brought up the other two times by the other auditor. Just absolutely makes no sense. Thanks for your feedback. Actually during the audit he kept having me pull up CSR's and checking on them to see if there were any specific CSR he needed to cover... Man

 

[bailey1998!]

ask the CB auditor, who wrote you up, how does s/he demonstrate competence to audit against the OEM CSR's....

ENd of our 3 year contract and I will be leaving my current registrar that i have had since 1996

 

[Bran]

You could have the training be a powerpoint slideshow, explaining what CSRs are, how to use them, and how to locate the latest revisions. Documenting the training that includes the explanation of what they are plus how to use them has satisfied our auditors up to this point.

If you are already down the road of having a "prescribed" approach (example, the CB Auditor says that auditors must read the CSR and sign off on it), it may be worth questioning.

 

[Sebastian]

There is 7.2.3 b) where obviously records are not required, but objective evidence must exist.
There is 4.3.2 and 7.5.1.1 d) which shall create an input to individual audit planning.
Looking at reports from full cycle of internal audits, where no NC were issued on CSR, require asking "Do they know there is such a thing as CSR?"`

I wasn't there, I've not seen documents presented, but if I were you, I would ask myself, whether everything really is ok.

 

[Mikey324]

We have a CSR log. Many of our the specific requirements from our customers are already IATF requirements, but those that are actually specific to a particular customer goes into the log. There is a column showing what processes are impacted by the CSR. So the auditors here check the log to see if there are any applicable CSR's prior to the audit. If so, they audit them as part of their internal audit. This process has work for me for 3 years now.

 

[Sidney Vianna]

but objective evidence must exist.

Agreed. What about interviewing the person managing the internal audit program and the internal auditors themselves about their awareness and knowledge level of the CSR's? That would be MUCH BETTER than expecting a meaningless "record" piece of documented information "blessing" internal auditors as "competent to audit CSR's".

Actually, the typical CB approach to audit the internal audit process of organizations is, overwhelmingly focused on records. There is almost ZERO interaction with the internal auditors in that capacity. CB auditors should be able to observe internal auditors "in action". Maybe, the effectiveness of the internal audit process would improve, then....

 

[Sebastian]

Records are not required, but they are an easiest objective evidences.
I've presented example when audit reports are evidence of effective implementation of CSR in internal audit process.
But when NC are not welcomed in organization, it's hard to show it.

3rd party auditors can question it, when CSR are available to them in advance and they made own observations, which don't match internal audit results. When CSR are available only for suppliers, e.g. in case of some Tier-1, it is hard to have own assessment, so they switch to asking during audit "Is there anything about ...?" and focus on CSR training records.

"Rules" section 5.7.1 does not require organization to submit CSR as part of inputs for Certification Body audit planning. Then section 5.7.2 f) requires CB auditor to identify in audit plan, which CSR will be audited. Good.