Pushback on a Nonconformance Found in a Supplier Audit

GStough

Staff member
Super Moderator
#1
During a supplier audit which I led recently, we discovered that the company was not following the procedures they had established in at least 4 instances (4 procedures). When I wrote this up in the audit report as one nonconformance for not following their procedures and citing these 4 instances as the objective evidence, my team leader pushed back and asked why didn't I write it as 4 separate NCs. He thinks it will be easier for the supplier to correct those 4 procedures. My line of thinking is that the supplier should review ALL of their procedures and determine whether they are being followed, not just the 4 that we found.

Which do you think would be the best way to present this finding in the audit report - as one nonconformance or as 4 separate nonconformances (under the same ISO clause)?

TIA!
 

howste

Thaumaturge
Moderator
#2
Based on what you described, I would probably write one NC. The correction should include all four procedures, but the containment should be much broader to include any & all procedures that need to be updated. The corrective action should address how they will ensure that the procedures and practices match in the future.

I would only write multiple NCs if I thought that there were separate causes for each issue identified.
 

qpled

Involved In Discussions
#3
IMHO, I would go by the supplier's response when you asked them why they were not following those 4 procedures - if the same reason for all 4 (ie., their written procedures have to be updated to reflect best practices) then one NC could be used. If for each of the 4 procedures a different reason was given (ie, additional training needed by new employee for one of the procedures, new revision of procedure not communicated to employees for another procedure, etc...) then 4 NC's could be issued.
 

GStough

Staff member
Super Moderator
#4
IMHO, I would go by the supplier's response when you asked them why they were not following those 4 procedures - if the same reason for all 4 (ie., their written procedures have to be updated to reflect best practices) then one NC could be used. If for each of the 4 procedures a different reason was given (ie, additional training needed by new employee for one of the procedures, new revision of procedure not communicated to employees for another procedure, etc...) then 4 NC's could be issued.
The company had recently undergone some changes and turnover of personnel, and procedures had not been followed. However, the new Quality Manager seems dedicated to getting the QMS back on track, but it will take some time, as his staff is quite small.
 

Ninja

Looking for Reality
Trusted
#5
Coming from the new QM position...I would ask him what would or would not help him get back on track best.

If 4 just gives him more paperwork and slows him down...write one.
If 4 gives him more leverage with upper management to provide resources...write 8 (kidding...write 4).

From your side, it seems to make little difference...so help his side if possible.
:2cents:
 

Coury Ferguson

Moderator here to help
Staff member
Super Moderator
#6
During a supplier audit which I led recently, we discovered that the company was not following the procedures they had established in at least 4 instances (4 procedures). When I wrote this up in the audit report as one nonconformance for not following their procedures and citing these 4 instances as the objective evidence, my team leader pushed back and asked why didn't I write it as 4 separate NCs. He thinks it will be easier for the supplier to correct those 4 procedures. My line of thinking is that the supplier should review ALL of their procedures and determine whether they are being followed, not just the 4 that we found.

Which do you think would be the best way to present this finding in the audit report - as one nonconformance or as 4 separate nonconformances (under the same ISO clause)?

TIA!
I agree with Steve. 1 NC should be generated.

As for having the Supplier review all existing procedures for potential change to what they are actually doing. I would also consider any training that was performed to assure that the person or persons not following existing procedures have been trained in one way or another. Also look at possibly identifying, if their procedures requires a annual review of the existing procedures to see if they are applicable to they way they are doing business. This would generate a review of all of their existing procedures, in my opinion.

I think maybe your Team Leader was over zealous.
 
Last edited:

Sidney Vianna

Post Responsibly
Staff member
Admin
#7
When I wrote this up in the audit report as one nonconformance for not following their procedures and citing these 4 instances as the objective evidence, my team leader pushed back and asked why didn't I write it as 4 separate NCs.
Gidget, I also support your line of thought and your audit team leader is making the mistake of putting himself in the position of the auditee, thinking how to respond to the NC.

However, not to be pedantic, if the audit was using ISO 9001:2015 as a criteria, remember one thing: "failure to follow procedures", technically, is not a requirement in the standard. We even have threads at The Cove discussing this. In my opinion, when an organization is not following their procedures, the real problem, vis a vis the standard is: failure to implement the processes and application of the methods needed to ensure effective operation and control of such processes. That is part of what 4.4.1 and 4.4.1.c) requires in 9001:2015.

I am just saying that, so you are never in a position to respond to auditee who asks you in return: Where does it say anywhere that I have to follow my procedures?

Now the challenge will be to reject the CA when they propose "RETRAINING".:cool:
 

GStough

Staff member
Super Moderator
#8
Gidget, I also support your line of thought and your audit team leader is making the mistake of putting himself in the position of the auditee, thinking how to respond to the NC.

However, not to be pedantic, if the audit was using ISO 9001:2015 as a criteria, remember one thing: "failure to follow procedures", technically, is not a requirement in the standard. We even have threads at The Cove discussing this. In my opinion, when an organization is not following their procedures, the real problem, vis a vis the standard is: failure to implement the processes and application of the methods needed to ensure effective operation and control of such processes. That is part of what 4.4.1 and 4.4.1.c) requires in 9001:2015.

I am just saying that, so you are never in a position to respond to auditee who asks you in return: Where does it say anywhere that I have to follow my procedures?

Now the challenge will be to reject the CA when they propose "RETRAINING".:cool:
Thanks, Sidney. I should have mentioned that the standard used in the audit was ISO 13485:2003 (they were scheduled for an upgrade audit to 13485:2016 a few weeks after our audit). 4.1 requires that the company establish, document, implement, and maintain a QMS and maintain its effectiveness in accordance with the requirements of said standard.

Oh, don't *EVEN* get me started on the "RETRAINING" as the CA rant! :mad::mg:
 
#9
Since it was a supplier audit, I would ask "what was not followed" and how does it effect you, the customer. If they are major issues that materially affect your product then you need to make sure you give them something to actually work on so they can correct it. If it's just ticky tak stuff and not relevant to your organization, then its an opportunity at best. Your obligation is to your company to make sure they are doing what you need them to do.
 
#10
Just to add in my $0.02, I would also write it as a single NC, however I would give serious consideration to making it a major - failure to follow 4 of their own procedures (particularly if they are related) could point to a systematic breakdown of their QMS.

Again, I would suggest working with your supplier - the goal of supplier auditing is to DEVELOP them, not to punish them. How can you make this audit finding a 'good' thing for them?
 

Top