ISO 9001:2015 registrar Auditor requesting copies of procedure prior to audit

[Sidney Vianna]

Why punch him in the nose? If he is actually trying to understand what you do and how, why not help him.

That is a fair question. For those few of us who teach (or taught) management system lead auditor classes, we know that a LOT OF PLANNING AND PREPARATION is paramount for an effective audit. So, a competent, responsible and professional auditor could be asking for process-related documentation, in order to better prepare him/herself for a value added audit.

Unfortunately, there are some unscrupulous people who double up as auditors and consultants, and, many times, use the documents they gain access to, as auditors, for their consulting practices. One has to be aware of this reality before, naively, providing the external auditor any of their command media.

 

[Scanton]

I managed ISO9001, 14001 & 18001 systems for a couple of decades and never received a request like this before however I have been managing a TS (now IATF) system for the last six years and before every (annual) audit I am being asked to provide a copy of our quality manual, associated procedures and the results of our performance metrics for the last 12 months, for a pre-audit off site documentation audit.

I have often wondered if this is standard practice or just a preference thing for our CB because it does feel like I am doing their pre-audit work for them.
The CB I use is one of the big five internationally, and it is standard practice for them, so I would be interested in what other people are experiencing.
I just want to note that my auditor is working 100% for the CB and has not and does not work as a consultant, although I do understand that he could quite easily move into consultancy at a later date with the experience he has gained from being a CB auditor.

 

[Howard Atkins]

There is a requirement in IATF to perform off site preplanning that requires data as to management review, customer satisfaction etc.
In the transition to IATF there must be an OFFSITE review of all the required documentation for this standard or the transition audit cannot be performed
IATF is a scheme that is not run by the national accreditation bodies and as such is not comparable to ISO 9001 etc..

From IATF rules

5.7.1 Client information for audit planning
The certification body shall require the client to provide the following information to be used as input for
developing an audit plan:
a} the number of employees of the site and all associated remote support location{s};
b} the client's quality management system documentation, including evidence about conformity to IATF 16949 requirements and showing the linkages and interfaces to any remote support functions and /or
outsourced processes;
c} customer and intemal performance data since the previous audit;
d} customer satisfaction and complaint summary since the previous audit, including a copy of the latest customer reports andor scorecards;
e} identification of any customer special status condition since the previous audit;
f} notification about any new customers since the previous audit; and
g} results of internal audits and management review since the previous audit.

 

[Pancho]

That is a fair question. For those few of us who teach (or taught) management system lead auditor classes, we know that a LOT OF PLANNING AND PREPARATION is paramount for an effective audit. So, a competent, responsible and professional auditor could be asking for process-related documentation, in order to better prepare him/herself for a value added audit.

Unfortunately, there are some unscrupulous people who double up as auditors and consultants, and, many times, use the documents they gain access to, as auditors, for their consulting practices. One has to be aware of this reality before, naively, providing the external auditor any of their command media.

True. And yet, if it will be a problem providing docs before audit, it will also be so providing docs during the audit. In other words the unscrupulous auditor is a problem independent of whether or not docs are shared ahead of time for audit prep.

 

[Scanton]

Allym, I think it is unanimously agreed that this isn’t a requirement for ISO9001 audits however it may be a something your CB has made standard practice for their auditors. Are we allowed to name our certification companies or will this breach certain rules?

With my current employer I have had 2 certification and 4 surveillance TS audits and a transition/certification audit to IATF, and in every instance the same request for documentation and metrics has been made. I can understand needing this level of audit prep for a certification/transition audit however I wanted to know if this was also a requirement for a surveillance audits?

Personally I found the practice beneficial as the auditor can hit the ground running and not waste time on the first day trying to understand the basic interactions of your QMS. In my experience the end result is a better quality, meaningful assessment/evaluation of the QMS, however I understand the reluctance to hand over digital copies of your documentation to auditors who are also consultants where they could be limited to physical copies or views of digital copies on the day which are controllable/recoverable.

 

[Sidney Vianna]

Be aware that good 3t party auditors will audit your processes to the standard.

This assertion is blatantly incorrect and has to be challenged so people don’t misunderstand the expectations of what competent CB auditors have to do.

Any audit has a scope and criteria. The typical criteria of a CB auditor includes standard(s), the organization own QMS requirements, customer requirements, regulatory requirements, etc. A CB auditor who fails to assess the QMS against the organization’s own command media is incompetent.

 

[Jen Kirley]

Personally I found the practice beneficial as the auditor can hit the ground running and not waste time on the first day trying to understand the basic interactions of your QMS. In my experience the end result is a better quality, meaningful assessment/evaluation of the QMS, however I understand the reluctance to hand over digital copies of your documentation to auditors who are also consultants where they could be limited to physical copies or views of digital copies on the day which are controllable/recoverable.

In theory it should be beneficial, but these days my head is so packed with back-to-back audits that sending documents beforehand is futile. Moreover, I very seldom see a quality manual that is so informative that it would help me in a practical sense. Lastly, the audit time should be adequate to review procedures as needed for the client to demonstrate conformance to requirements or research related issues in a nonconformity.

It seems the auditor means well and this may be a CB policy, but I still would decline.

 

[dsanabria]

This assertion is blatantly incorrect and has to be challenged so people don’t misunderstand the expectations of what competent CB auditors have to do.

Any audit has a scope and criteria. The typical criteria of a CB auditor includes standard(s), the organization own QMS requirements, customer requirements, regulatory requirements, etc. A CB auditor who fails to assess the QMS against the organization’s own command media is incompetent.

Agree - poor choice of words on my part.

There are many requirements than a 3rd party auditors shall review - and some of them are listed. However, do not expect a third party auditors to review all of your internal procedures, work instructions or other literature unless a clarification of additional information is required.

 

[Golfman25]

Allym, I think it is unanimously agreed that this isn’t a requirement for ISO9001 audits however it may be a something your CB has made standard practice for their auditors. Are we allowed to name our certification companies or will this breach certain rules?

With my current employer I have had 2 certification and 4 surveillance TS audits and a transition/certification audit to IATF, and in every instance the same request for documentation and metrics has been made. I can understand needing this level of audit prep for a certification/transition audit however I wanted to know if this was also a requirement for a surveillance audits?

Personally I found the practice beneficial as the auditor can hit the ground running and not waste time on the first day trying to understand the basic interactions of your QMS. In my experience the end result is a better quality, meaningful assessment/evaluation of the QMS, however I understand the reluctance to hand over digital copies of your documentation to auditors who are also consultants where they could be limited to physical copies or views of digital copies on the day which are controllable/recoverable.

The auto world is a different animal. Several years ago they changed the rules and required all sorts of documentation prior to the audit. It was almost as if there was no point to the physical audit.

 

[AndyN]

The auto world is a different animal. Several years ago they changed the rules and required all sorts of documentation prior to the audit. It was almost as if there was no point to the physical audit.

When I were a lad, we used to do a "stage 1" on site, looong before they were ever required by the IATF....