Recent ISO 9001 Re-registration Audit Questions

[Sidney Vianna]

He really wanted a narrative of every conformance and non-conformance. For instance, he left 8 bullet points with me on our effective processes and areas for potential improvement. I will get no less than a 10 page report from him listing document numbers with revision information and the narrative of his conversation with the people he audited.

I advise you strongly: do not acquiesce to the auditors personal preferences. Very likely when he comes back for the next round of audits he will have forgotten what he told you this time.

If you call the registrars office and ask them what is the minimum level of internal audit reporting considered acceptable they will not have a clear answer for you. So and once again do not design your system to satisfy the personal preferences on an external auditor. Their preferences change as well as the auditors themselves.

 

[Jamie_]

I was thinking about this and pulled out the standard. If you have a process which meets the planned interval requirement and you are keeping track of the action items/findings from previous audits so your IAs can reference them (which satisfies 8.2.2) it seems to me you're meeting the standard.

And he must think so, too, otherwise you're have gotten an NC, right?

IME there is sometimes a weird disconnect between the auditor and auditee where even when the standard is being met the external auditor doesn't like the method so it becomes a bone of contention. Possibility here?

I just got a minor NC this month on a method for tracking calibration records on something that all previous auditors really liked. I absolutely think we meet the standard as is, but the process owner liked the suggested way better and it's an easy resolution so it's not a hill to die on for me. Although part of me wants to appeal on principle, he was over all very reasonable and I've got other very real issues to worry about.

When it comes down to interpretation it's difficult because reasonable people can see things differently; but that you didn't get an NC suggests to me that he probably knows you meet the standard as is. Because it's not like you had some audit reports and not all - you had none per his definition so if that was required for the standard in his interpretation that's an NC not an OFI.

If you have an otherwise good relationship and you want to give him what he's looking for you could have an audit form in which the header has the basic audit info and just instruct your auditors to list CPAR numbers and put "see notes" in the body - and scan and save their notes. That's how about half of my IAs do theirs and it's never been an issue. Or you could just use the fact that it's never drawn an NC before to support your appeal should he give you one next time.

 

[mcgilla]

There is no way I could do that. I'd lose my internal auditors if that level of detail was a requirement. Can it be improved, sure it can, all in one system instead of several to begin with.

I've used the standard to develop our internal processes since our last re-registration audit. I liked that he spent more time documenting how we do things than I had to spend answering them. We spent time looking at our past non-conformances and how to eliminate paper (paper is our enemy because someone always hides an old copy somewhere) and show our customers and auditor how we comply in 30 seconds rather than searching out 50 documents on the floor.

But we approach things objectively. I wanted (and I'm sure more will come) a few outside opinions and input on how other companies handled the reporting results and some insight on quality policy being committed to memory. Quite honestly, this is the first time our quality policy came up in an audit since our initial registration and the following few surveillance audits.. I looked at my boss and commented that our auditor just went old school on us. I'm happy our people answered the way they did and didn't need coaching.

I've received such a great level of input on the matter. Thank you to everyone.

 

[mcgilla]

Sorry Jamie, my response was for Sidney and I was a little long in the amount of time I took to respond.

I agree, no NC. So we'll approach it as a review to see where we can improve the system. Thanks again!!

 

[qualityfox]

I do the audit assignment and audit summary on one page. Our audit program says we will audit all clauses annually, so this form also helps to track conformance to that requirement. We conduct 16 audits each year, so this template is saved with assigned elements checked off for each audit. When the audit comes back completed, I quickly check off if the element was addressed. Since auditors are allowed leeway, the second check is necessary. I am not convinced that a report is necessary, but this is really quick and easy once initially set up.

 

[Big Jim]

On the internal audit records issue, the auditor is clearly stepping beyond the requirements of the standard.

The standard is very clear as to what is required:

"Records of the audits and their results shall be maintained"

It is up to the organization to determine how they will meet that requirement, not the auditor. If you have a reasonable method of meeting that requirement, which from your description you surly do, the auditor has no room to complain. He does not have the right to make up his own rules.

On the quality policy issue, there is some legitimacy to his comments.

5.3 b says: "Top management shall ensure that the quality policy . . . includes a commitment to comply with requirements and continually improve the effectiveness of the quality management system . . . "

As an auditor, I look to see if the quality policy includes something to that effect, and I would expect that someone telling me about the quality policy would include that in their answer. Sometimes they may need a hint though.

 

[Detailed]

Lil had some great comments about audit reports.

Whether your internal audits are done by trained employees or consultants, a report is required (ISO 9001:2008, para. 8.2.2 b). You may create a form to guide your functional dept?s on what is needed in the report.

I totally agree with Pat.

ISO 9001:2008 shows repeatedly the words ?continuous improvement.? The wording should be in your Quality Manual. There are numerous objective evidence instances which show ?continuous improvement.? Since your auditor suggests that he will view this Quality Policy wording situation next time he comes, I would either 1) delete the words from your quality policy and retrain all employees and/or 2) ensure that you have objective evidence in your Quality Manual (para. 4.1 f), Management Review (para 5.6) and 4) prove through your quality objectives (para. 5.1 c) that these are all evidence of continuous improvement.

 

[Big Jim]

Lil had some great comments about audit reports.

Whether your internal audits are done by trained employees or consultants, a report is required (ISO 9001:2008, para. 8.2.2 b). You may create a form to guide your functional dept?s on what is needed in the report.

Let's make sure this is accurate information.

8.2.2b does not require an audit report.

"The organization shall conduct internal audits at planned intervals to determine whether the quality management system . . . b) is effectively implemented and maintained."

Nothing there about a report. Nothing about it further down where record keeping is invoked either.

"Records of the audits and their results shall be maintained."

 

[Detailed]

Big Jim,
You did not read your ISO 9001:2008 correctly to misquote me. Actually, you used exactly what I cited in ISO 9001:2008 to take credit for what I said. Your post is timed way after mine.

 

[Big Jim]

Big Jim,
You did not read your ISO 9001:2008 correctly to misquote me. Actually, you used exactly what I cited in ISO 9001:2008 to take credit for what I said. Your post is timed way after mine.

What I took exception to was:

"a report is required (ISO 9001:2008, para. 8.2.2 b"

A report is not required anywhere in 8.2.2. Nothing about a report shows up anywhere in 8.2.2, and most certainly not in 8.2.2 b.

No offense intended, but when you cite the standard you should not be making stuff up.