Non-addressed Minor Finding elevated to Major Finding

[Ninja]

Internal Audits are a part of continual improvement, but to be able to improve, you first need to know what needs improving. In other words, what needs fixing.

Well said...much better than I did...

All the same, Internal audits should not be the primary, or even secondary thing looking for what needs fixing. When an internal audit finds something that hadn't been noted earlier, there should be a feeling of "how did we miss that?" IMO.

FWIW, I'm not sure I would use your audit system as a lever to force behavior. Surely there's a more friendly tool...
The end result of using an audit to force behavior is negativity toward the auditors.

 

[Golfman25]

Well said...much better than I did...

All the same, Internal audits should not be the primary, or even secondary thing looking for what needs fixing. When an internal audit finds something that hadn't been noted earlier, there should be a feeling of "how did we miss that?" IMO.

FWIW, I'm not sure I would use your audit system as a lever to force behavior. Surely there's a more friendly tool...
The end result of using an audit to force behavior is negativity toward the auditors.

Yep. Whenever you use ISO, audits, corrective actions to force behavior you play into the ISO sucks mindset. That's why arguing about whether this is a "major" or a "minor" finding is useless. Find your issue, then get together and determine the best way to fix. Every problem isn't a nail and every solution isn't a hammer.

 

[Tyler C]

Thanks Coury. That does sound like an effective method, however the issue is that this particular auditor, and the auditee (area manager) are both part of top management. The next level would be to go to the owners of the company, which brings an issue on its own, which is in regard to Big Jim's post. The owners' presence is very intermittent, and if I were to wait for them, I would jeopardize our Internal Audit procedure which states that each area needs audited at a minimum of once a year.

Big Jim, that is why I can't get away from the major/minor issue. That would require a change in the Internal Audit procedure, which I am already waiting for a change in from that audit which happened three months ago. They are the final approval signature, and if I waited, again, I would jeopardize meeting the required audit frequency.

Ninja/Golfman25, I agree with both of you. However, if I don't force behavior, then it will never get done. It was an argument trying to convince this auditor that office personnel (shipping clerk, capacity scheduler, etc.) training records need to be maintained. They have this false perception that we are perfect and the standard is wrong. When this happens, the only course of action I can see is to break it down to the point that if we don't meet [requirement], we will lose certification.

I know, this sounds like a lack of Leadership commitment. The issue with this is if I write a finding around this, I will get argued with and told that it is all my responsibility, and if it fails, it is my fault. So, my options are to either do everyone's job, or force behavior to get the job done by the appropriate people. [Rock]me[Hard place].

 

[Randy]

Randy, I see your point, but I respectfully disagree. As you pointed out in the ISO 9001:2008 standard, it says, "The organization shall conduct internal audits at planned intervals to determine whether the quality management system
a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard and to the quality management system requirements established by the organization, and...".

From my perspective, if the organization determines that internal audits are to be used for the reasons listed in the standard, in addition to finding what needs fixed, then there is no NC here, because the organization determined this to be an use of the audits.

I would also like to point out that by the standard explicitly stating that internal audits are to be used to determine whether the QMS conforms, it is implicitly stating that internal audits are to be used to determine whether the QMS doesn't conform. That's actually the other side of 'whether' (whether, or not).

Internal Audits are a part of continual improvement, but to be able to improve, you first need to know what needs improving. In other words, what needs fixing.

Now, on the other side of this, I do agree that this can be abused which would be a nonconformance to "...ensure objectivity and impartiality..." As an internal auditor, I know what "needs to be fixed", and I could use the audit as a way of "getting at the manager" of the process. So, instead of showing them that they have an issue that needs fixing, I instead allow them to defend their stance on not needing to fix the non-issue. If they can defend it, then it's not an issue, but if they can't then all parties agree to fix it. Whether or not it actually gets fixed is another story.

Hey whatever but other than having created and having had certified QMS Lead and other auditor training courses, teaching about 200 or so certified lead auditor courses and having done 3rd party certification audits for about 17 years now I may have been wrong all this time.

Go for it

 

[Tyler C]

I'm not saying you're wrong Randy, just saying I disagree with your interpretation, as you obviously disagree with mine. That's what I love about ISO, it's open to interpretation (for the most part) so that it is applicable to all businesses. For example, the external auditor who certified our company said template documents don't need to be controlled, but our consultant auditors told us they disagree with him. No one is wrong, just different interpretations.

I do appreciate you sharing your perspective, as it broadens my experience with what other auditors look for.

 

[Big Jim]

Thanks Coury. That does sound like an effective method, however the issue is that this particular auditor, and the auditee (area manager) are both part of top management. The next level would be to go to the owners of the company, which brings an issue on its own, which is in regard to Big Jim's post. The owners' presence is very intermittent, and if I were to wait for them, I would jeopardize our Internal Audit procedure which states that each area needs audited at a minimum of once a year.

Big Jim, that is why I can't get away from the major/minor issue. That would require a change in the Internal Audit procedure, which I am already waiting for a change in from that audit which happened three months ago. They are the final approval signature, and if I waited, again, I would jeopardize meeting the required audit frequency.

Ninja/Golfman25, I agree with both of you. However, if I don't force behavior, then it will never get done. It was an argument trying to convince this auditor that office personnel (shipping clerk, capacity scheduler, etc.) training records need to be maintained. They have this false perception that we are perfect and the standard is wrong. When this happens, the only course of action I can see is to break it down to the point that if we don't meet [requirement], we will lose certification.

I know, this sounds like a lack of Leadership commitment. The issue with this is if I write a finding around this, I will get argued with and told that it is all my responsibility, and if it fails, it is my fault. So, my options are to either do everyone's job, or force behavior to get the job done by the appropriate people. [Rock]me[Hard place].

Obviously top management isn't ready to accept their leadership responsibilities as required by ISI 9001:2015. Very sad.

They make you responsible, but they also keep the authority for themselves keeping your hands tied.

 

[Marc]

<snip> ISO 9001:2015
9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:
a) conforms to:
1) the organization’s own requirements for its quality management system;
2) the requirements of this International Standard;
b) is effectively implemented and maintained.

Nowhere is it stated that internal audits are to find what needs fixing!!! That statement in and of itself eliminates objectivity and impartiality from the process (Another NC I'd write) <snip>

What am I missing? The standard requires the above. They are done to find "what needs fixin". If not, what is their purpose? A nonconformance identified during an audit is something which "needs fixin". Whether it is that a requirement of ISO 9001 (or what ever standard) is not being met, or if it is a process audit, or if it is the organizations own requirements, are internal audits not to identify what is broken/not compliant (what is broken and "needs fixin")?

Let's get away from the standard. In a few sentences, what is the intent of internal audits (other than whether the company is compliant to a/the standard)? What is the benefit of doing internal audits? Are internal audit nonconformances "what needs fixin"?

Let's also not in this sense get into, for example, process improvement in which (for example) a special team is assigned how to improve a process (or a part there of) in which one could say that team is there to "find what needs fixin" (i.e.: improvement opportunities).

I am really hung up on this statement:

Nowhere is it stated that internal audits are to find what needs fixing!!! That statement in and of itself eliminates objectivity and impartiality from the process (Another NC I'd write)

For one thing, what, specifically, would you write the non-conformance against (what clause of a/the standard)?

 

[Tyler C]

Obviously top management isn't ready to accept their leadership responsibilities as required by ISI 9001:2015. Very sad.

They make you responsible, but they also keep the authority for themselves keeping your hands tied.

You nailed it Big Jim. Here's how the audit went:
8/5/16, during the last audit, the two auditors (one of them being the plant manager) wrote this finding, signed it, and the area manager signed it saying she agreed with the nonconformance.
Earlier this week, the audit team wrote up the questions, and by standard operating procedure, the first question was addressing the previous audit's finding. The plant manager, who is not an auditee or auditor decided to join us (for the first time this year). This is not an issue on its own. However, when this question was asked, he did not allow the auditees to answer, instead answering himself. He stated the job descriptions list the competencies. I asked to see one and was presented with the production assembler job description. I asked if the competencies to be an assembler were the same as trainer competencies, to which he said no. I asked if we had a trainer job description to which he said no. I said if they are not the same then the production assembler job description does not list them. He then talked about how hard it is to list them, as they would be things like "ability to transfer knowledge" and "emotional intelligence". I stated that he just identified two that were not documented. That got no where. I stated that his signature verified that it was a nonconformance and the area manager's signature verified that she agreed to fix it. I told him it needed to be addressed, but it was not. We moved on as we had all of the rest of the questions to go through. Later in the discussion, he let slip that the auditor who has been arguing this the entire time went to him with the questions before the audit took place. I feel that is why he decided to show up to this one and went as far as answering the questions for the auditee.

Now, I'm at the place that I am thinking about voiding this audit and disqualifying both the auditor and plant manager from participating in future audits due to what Randy was saying. Breaching clause 8.2.2 (2008), specifically the sentence that says something along the lines of "auditors shall remain objective and impartial", and maybe even a lack of competence of how the internal audit process works.

Thoughts? Sorry for any typos as I am on mobile.

 

[Tyler C]

O, the other thing he said was, "[owner] always says 'how can it be a nonconformance if we got certified with it?' so I disagree it is a nonconformance." I'm like, "you realize your are arguing with your past self right?" Without even justifying that stupid statement with a response.

 

[Big Jim]

One of the things I cover in opening meetings for both CB audits and internal audits goes something like this.

"Auditing is a sampling technique. There is no way to review every transaction that has taken place since the last audit so there is no choice but to sample. That means that a nonconformance may exist that I won't see because it was not part of the sample. That means that another auditor following up after me might see it because it was part of the sample. It also means that I might uncover something on this audit that no one has seen before."

Additionally, obtaining certification has never been a full assurance that there are no nonconformances present. It is assurance that either none were found or that those found were fixed. That manager that thinks otherwise is showing his lack of understanding or he is simply trying to put his spin on things to his advantage. Such ignorance is dangerous.