Need Help With Auditing Suppliers Against ISO 9001

[Karen_marie]

I am new to this forum and am searching for permissible questions to be asked in an ISO 9001 audit. I am very familiar with ISO 13485, but ISO 9001 seems so vague that I am having a difficult time auditing it. Where in the procedure does it state it is permissible for the auditor to review procedures and quality manuals. How can I verify that the supplier is following their procedures if I cannot see the procedure in its entirety? thanks for your guidance

 

[Jim Wynne]

If your supplier is registered to ISO 9001, why do you feel the need to audit them against the standard?

 

[Kronos147]

An errant question, does not one audit to the requirements of ISO 9001, rather than 'against' it?

Some auditors have the mentality of 'against' and like writing large numbers of non-conformances, rather than say, find the central theme and issue it there.

I think auditors should be looking for conformity, and then, when non-conformity is identified it, classify it minor or major. Heck, in audits it is more frequent to hear the client say "well that's not right" follow by me saying, "well I'm gonna classify that as a minor NC" more than the other way around.

 

[Karen_marie]

great question- I have been auditing to ISO13485:2016 for over 6 years and always have been audited by customers and have audited customers (to 13485:2016) as with Medical device it is appropriate. Now I am getting push back from suppliers who are ISO9001 and I am wondering if I am being too controlling. and yes I should have said "to" and not "against". I have never had issues when auditing to 13485 to review their quality manual and procedures, but with 9001 I am now. Thanks for the guidance

 

[Jim Wynne]

An errant question, does not one audit to the requirements of ISO 9001, rather than 'against' it?

Auditing "against" a standard is common usage and does not imply any sort of negativity, no more than me putting a ladder against my house means that my ladder has formed some kind of negative relationship with the house.
Added in edit: I moved the OP's post to its own thread, and in so doing titled it, including the "against" thing. Not the OP's doing.

 

[Jim Wynne]

great question- I have been auditing to ISO13485:2016 for over 6 years and always have been audited by customers and have audited customers (to 13485:2016) as with Medical device it is appropriate. Now I am getting push back from suppliers who are ISO9001 and I am wondering if I am being too controlling. and yes I should have said "to" and not "against". I have never had issues when auditing to 13485 to review their quality manual and procedures, but with 9001 I am now. Thanks for the guidance

You still haven't explained why you feel you need to do this. If you want to audit suppliers, you will of course need their cooperation, and if you're asking suppliers to send you all of their documentation prior to the audit, I can understand the reluctance. Talk with suppliers, not as a dictator but as a partner, and find out with them the best way to go about this.

 

[Kronos147]

Now I am getting push back from suppliers who are ISO9001 and I am wondering if I am being too controlling.

The seven management principles includes the concept to develop strategic relationships. Whatever can be done to not create an 'us vs. them' mentality may be helpful to that end, IMHO.

 

[Jen Kirley]

Welcome Karen!

We audit suppliers to the requirements of the standard, but also to our own requirements as customers. This tends to allow more of what you are used to; it is true that the revised ISO 9001 has fewer "shalls" which has not been well received by all auditors.

The differences between 2nd party and 3rd party auditing have been a sore spot for a long time. We in 2nd party audits are asked "Where is the requirement?" and the supplier reasonably has a right to an answer to that. I recently issued a nonconformity to a supplier for lack of evidence they had been inspecting their forklifts that I observed in use. When pushed back, I pointed out that the forklifts were moving our product around and the inspection was for things that could impact our product quality: up, down, steering, brakes... My supplier was not happy but I stood my ground and I know my management would approve.

The revised standard starts with risk based thinking. If you see a lack of control with no clear "shall" to point to, you can ask about how they had considered risk in that process/area, and go from there. Be ready to discuss why the issue you raise is important. All of this is less about the standard and more about the end result: consistent good product and service, hopefully with a minimum of waste so we can all get back to happier pursuits like counting profits.

I hope this helps.

 

[chris1price]

After coming from ISO13485, you'll find many ISO9001 suppliers may have very brief procedures which make it difficult to audit against (or to). Similarly there is no requirement to have a Quality Manual under ISO9001. Others may use a Quality Manual in place of procedures.

It may be better to consider what you want to achieve from the supplier audit. Typically, this will be to identify significant risks, either to the supplier or to your own company. Follow the typical processes paths (change control, CA, PA, production, inspection, etc) and see how the supplier behaves. Whether or not they have procedures, if they are consistently doing the right things, that is good. If they are inconsistent or missing the obvious steps that you would expect, then that is a problem. If you then go back to the standard, you can usually find a clause that applies.

 

[Jim Wynne]

The differences between 2nd party and 3rd party auditing have been a sore spot for a long time. We in 2nd party audits are asked "Where is the requirement?" and the supplier reasonably has a right to an answer to that. I recently issued a nonconformity to a supplier for lack of evidence they had been inspecting their forklifts that I observed in use.

Was there a requirement? As we all know, the standard definition of "nonconformity" is "non-fulfillment of a requirement."