So much good advice so far.
But I sense some conflicting messages. Let's clarify the hierarchy of documentation.
1. Standard is the ISO/whatever that you are registering to.
2. System manual (Quality, Environmental, Safety) is the organization's master document. It has the highest altitude description of the system and refers to process documents that comprise the system.
3. Process documents describe the processes. The link to other process documents by listing them in some workable way, and basically explain the process workings and controls.
4. Appendices/Attachments to these documents are shown and describe operational details. Required forms to validate system controls are also listed as Appendices/Attachments. However, not every form in use needs to be listed, arguably unless it serves a critical
purpose.
5. Records show that something has been done. They do not need to be specifically called out in the process documents or appendices, but they could be. They do not need to be controlled unless there's a call out for such control somewhere, or if the absence of that control would cast suspicion on the system's integrity.
The unspoken requirement here is to clarify what document serves what purpose, and has what level of control. If the naming or control hierarchy is unclear, that could be the basis of your auditor's complaint.
As much as I would like to say, "The auditor shouldn't be able to leave without a response to this issue," it's easy to let the moment go by and I would very possibly do the same.
In such a case it's all about recovery:
First, define what these documents were for.
Second, identify what the auditor thought they were for.
Third, write a proposed remedy for the problem--if it's a misunderstanding, write a remedy to clarify the documentation in order to eliminate potential misunderstanding.
Fourth, submit and counter-negotiate, or act on what the registrar says. Please note that I did not merely say "what the auditor says" although that is the first step and should be enough. Start with the auditor, and if those discussions fail you could raise the question with the auditor's company, the registrar.
I hope this helps!
But I sense some conflicting messages. Let's clarify the hierarchy of documentation.
1. Standard is the ISO/whatever that you are registering to.
2. System manual (Quality, Environmental, Safety) is the organization's master document. It has the highest altitude description of the system and refers to process documents that comprise the system.
3. Process documents describe the processes. The link to other process documents by listing them in some workable way, and basically explain the process workings and controls.
4. Appendices/Attachments to these documents are shown and describe operational details. Required forms to validate system controls are also listed as Appendices/Attachments. However, not every form in use needs to be listed, arguably unless it serves a critical
purpose.
5. Records show that something has been done. They do not need to be specifically called out in the process documents or appendices, but they could be. They do not need to be controlled unless there's a call out for such control somewhere, or if the absence of that control would cast suspicion on the system's integrity.
The unspoken requirement here is to clarify what document serves what purpose, and has what level of control. If the naming or control hierarchy is unclear, that could be the basis of your auditor's complaint.
As much as I would like to say, "The auditor shouldn't be able to leave without a response to this issue," it's easy to let the moment go by and I would very possibly do the same.
In such a case it's all about recovery:
First, define what these documents were for.
Second, identify what the auditor thought they were for.
Third, write a proposed remedy for the problem--if it's a misunderstanding, write a remedy to clarify the documentation in order to eliminate potential misunderstanding.
Fourth, submit and counter-negotiate, or act on what the registrar says. Please note that I did not merely say "what the auditor says" although that is the first step and should be enough. Start with the auditor, and if those discussions fail you could raise the question with the auditor's company, the registrar.
I hope this helps!