Minor Audit Nonconformance Against Determining the scope of QMS

[wandah]

I need help understanding this nonconformance that my organization was written up for in our IATF audit. I do not know how to answer this corrective action because I don't agree with it but disputing it didn't work so now I have to figure out what it is that the external auditor wants. Here's the requirement and finding/evidence that was written up.

Requirement: 4.3.1 Determining the scope of the QMS
Supporting function, whether on-site or remote (such as design centers, corporate headquarters, and distribution centers) shall be included in the scope of the Quality Management System (QMS).
The only permitted exclusion for the Automotive QMS Standard relates to the product design and development requirements within Section 8.3. The exclusion shall be justified and maintained as documented information (see Section 7.5).

Finding: Remote location external audit reports did not show evidence of auditing the support interfaces with the organization for all functions.

So the certification and audit report of my organization shows all of our remote locations and the functions that they support us with but I do not see where in the audit reports of our remote locations would they list my organization and the functions they support for us. I thought that if all the processes of our remote locations were audited to the standard, then that should be enough to justify that those support functions have in fact been audited? Really confused on how to answer this.

 

[AndyN]

Wow this auditor has had a brain fart! How the heck does the requirement cited 4.3.1 have any relationship to the finding? This finding, whatever you did or didn't apparently do, is totally messed up. Reject it because it's technically unsound.

 

[wandah]

Wow this auditor has had a brain fart! How the heck does the requirement cited 4.3.1 have any relationship to the finding? This finding, whatever you did or didn't apparently do, is totally messed up. Reject it because it's technically unsound.

I tried to but it didn't work. The boss of the external auditor reviewed the finding, and the audit reports of the remote locations and she decided that it was a valid nonconformance. Now I'm just trying to figure out how they want me to answer this.

 

[AndyN]

Don't do that. You should ask them for their appeals process and file a formal appeal. If that doesn't work, take it up with the IATF/IAOB. Citing an issue of 9.2.2 and citing 4.3.1 is totally wrong. PLUS 9.2.2.1 doesn't even USE the words "support interfaces with the organization for all functions". The CB auditor is reading across what THEY are supposed to do! They cannot flow down to you, their requirements! DO NOT do anything to rectify YOUR QMS audits. The CB is wrong PLUS their management response was very poor.

 

[wandah]

Can you please clarify who is the external source that issued the remote location audit report? Was an internal audit of the remote location performed with the internal audit report showing all the processes and functions being audited?

Our organization lists 5 remote locations on our scope and 4 of the 5 locations are audited by the same CB that audits us. The audit reports that they reviewed were external audit reports that they conducted.
I am wondering if my company needs to be more thorough in auditing those interfaces with our remote locations. Would that suffice as a response to this nonconformance?

 

[Sidney Vianna]

Our organization lists 5 remote locations on our scope and 4 of the 5 locations are audited by the same CB that audits us. The audit reports that they reviewed were external audit reports that they conducted.

So, if I understood this, your IATF CB is writing you up for something that they failed to properly conduct and/or report.

Surreal... I would have your organization CEO (top honcho) calling the CB top honcho (not the person in charge of the auditor) and unload his feelings about the absurdity of the nonconformity. I am sure your CB has a quality policy and they promise to be committed to their customer satisfaction, bla bla bla....After that, the only recourse I can think of, is for you to bring this up to the IAOB. Never funny when Dilbert's boss pops up in real life scenario.

 

[Golfman25]

What does "support interfaces with the organization for all functions" mean? Can they (did they) give you a specific example?

If they audited the remote locations, why did they fail to audit the "support interfaces?" What is missing here?

 

[AndyN]

Our organization lists 5 remote locations on our scope and 4 of the 5 locations are audited by the same CB that audits us. The audit reports that they reviewed were external audit reports that they conducted.
I am wondering if my company needs to be more thorough in auditing those interfaces with our remote locations. Would that suffice as a response to this nonconformance?

Please. You can only "fix" what's broken and the CB auditor hasn't reported what's broken. They haven't done that, so anything you do will become, in effect, a "wild goose chase". Trust me (and @Sidney Vianna ) here. Both of us have significant (management) experience of CB audits and can - with some authority - confirm the auditor is flat out wrong!

 

[Sebastian]

Certification Rules 5.7.1 point b) says

the client's quality management system documentation, including evidence about conformity to IATF 16949 requirements and showing the linkages and interfaces to any remote support function and/or outsourced processes.

You say what remote supporting functions are.
Certification Rules 5.5 option 2 point 4) says

the information (audit report from remote supporting location) confirms that all the interfaces between the remote supporting location and the site were audited by other certification body

Other certification body, same certification body, does not matter, the report must say what supporting functions were audited.

Probably your CB has reviewed both informations and there was no problem, but during auditing your organisation, auditors discovered another supporting function, which was not listed in report from your remote supporting location. This probably was a reason, why NC was issued.

Your CB can't issue NC to your remote supporting function, but only to you. Root cause and corrective actions probable are piece of cake. One of corrections might be a problem. It is audit of remote supporting location to cover this missing supporting function. When it can be done by same CB, maybe this is not a problem, but in case of other CB it might be a problem. Additionally, remote supporting function might be not so happy to have special audit focused only on this.

Companies I know have two scenarios. One is hiding supporting functions they don't want to be audited and another one is saying to own CBs they support each other inside corporate group, just in case auditor of any manufacturing site of corporate group would ask.

 

[AndyN]

^^^^ I don't see what this has to do with the OP's situation. They have a bogus NC statement. Period.