Recent ISO 9001 Re-registration Audit Questions

[pldey42]

Lil had some great comments about audit reports.

Whether your internal audits are done by trained employees or consultants, a report is required (ISO 9001:2008, para. 8.2.2 b). You may create a form to guide your functional dept?s on what is needed in the report.

I totally agree with Pat.

ISO 9001:2008 shows repeatedly the words ?continuous improvement.? The wording should be in your Quality Manual. There are numerous objective evidence instances which show ?continuous improvement.? Since your auditor suggests that he will view this Quality Policy wording situation next time he comes, I would either 1) delete the words from your quality policy and retrain all employees and/or 2) ensure that you have objective evidence in your Quality Manual (para. 4.1 f), Management Review (para 5.6) and 4) prove through your quality objectives (para. 5.1 c) that these are all evidence of continuous improvement.

It's nice to hear you totally agree with me; I don't at all totally agree with this post.

I said it's typically done with reports - but "report" can mean many things, and the standard only requires "records" which, as Jim notes, aren't necessarily the same as reports. OP's description of the records that are kept meets the requirement. Auditor is stating an opinion and is not allowed to do that, according to the rules that govern certification bodies.

On the quality policy, the substantive issue was not the wording but the ability of interviewees to recite it. According to the OP the QP refers to continual (note, not continuous which is incorrect) improvement and the auditor was concerned that people didn't say it. This again is not a requirement of the standard. Removing "continual improvement" from the QP would create a nonconformity against 5.3.b; retraining everyone just to appease an auditor who's wrong is an unnecessary expense and would undermine everyone's confidence in the QMS. The QMS is supposed to serve the business and the people in it, and the auditor's job is to assure that happens by auditing objectively against the standard.

Pat

 

[Helmut Jilling]

I do the audit assignment and audit summary on one page. Our audit program says we will audit all clauses annually, so this form also helps to track conformance to that requirement. We conduct 16 audits each year, so this template is saved with assigned elements checked off for each audit. When the audit comes back completed, I quickly check off if the element was addressed. Since auditors are allowed leeway, the second check is necessary. I am not convinced that a report is necessary, but this is really quick and easy once initially set up.

You are supposed to audit in a process approach. Not by the elements. Unfortunately, the standard has been weak on making that clear. You also must have evidence of the audit, such as notes, what was audited, etc. to demonstrate how meaningful your audits were.

 

[Helmut Jilling]

I advise you strongly: do not acquiesce to the auditors personal preferences. Very likely when he comes back for the next round of audits he will have forgotten what he told you this time.

If you call the registrars office and ask them what is the minimum level of internal audit reporting considered acceptable they will not have a clear answer for you. So and once again do not design your system to satisfy the personal preferences on an external auditor. Their preferences change as well as the auditors themselves.

Sidney, ...yes, but...let's take this with a grain of salt. Yes, an auditor cannot insist on a certain style on method or personal preference. But, an auditee is required to demonstrate that the internal audits are suitable and effectively implemented in practice. A single page summery, frequently showing zero findings, is likely to not quite reach that level of evidence. ISO 19001 gives Guidance, and is not normative, but certainly gives a lot more detail than a one page report.

 

[qualityfox]

The report summary is not the entire report. The auditor's notes are included, as is any relevant evidence such as pages from an instruction or photos taken, as well as Corrective Action Requests. We are auditing processes; the checklist on the summary page ensures we eventually cover all requirements of the standard. I transfer the data from individual audits to a master form. I know it's not necessary but it helps me at audit time to show that we have covered all of the standard.
Sorry for any confusion on the process. I only showed one small detail and I know it may not work for others, but it works for me.

 

[Sidney Vianna]

But, an auditee is required to demonstrate that the internal audits are suitable and effectively implemented in practice. A single page summery, frequently showing zero findings, is likely to not quite reach that level of evidence.

In my opinion, internal audit effectiveness is much more important than the "quality" of the records associated with the audit and I would hope that seasoned, experienced, competent third-party auditors would raise above the threshold from assessing the internal audit records and focus more closely on internal audit results.

I have seen external auditors complaining about the "frugality" of an organization's internal audit records, but his audit report was not better. As for internal audit reports, as you described, I used to assess the internal audit results against external audit results, customers and third-parties. If the internal audit results consistently showed zero nonconformities, while external audit results reported significant discrepancies and ineffectiveness and, further, customer dissatisfaction was high and quality indicators were poor, I would write up the internal audit process as ineffective. That stopped a few organizations thinking that they could either forge records or "go through the motions" of pretending to perform internal audits.

As I said many times here, internal auditing could be one of the most impacting processes any organization could have if properly planned and executed. Unfortunately, too many organizations out there have highly ineffective internal auditors and their CB's give them a pass. Continuously.

When will organizations start paying attention to internal audit measures of effectiveness?

 

[tpresnell]

We recently went through our re-registraion audit and we received a NCR on Internal Audits. Apparently since we say that "A non-conformity is a non-compliance to the standard, codes, quality plan or documented procedures and is recorded as such."
The statement of Non-Conformance: Statements of non-compliance were not recorded as non-conformities, as required.
The evidence of the Non-Conformance: Indicated findings on non-compliance were recorded as observations, rather than as non-conformities.

I don't even know where to begin on answering this NCR. Can someone please help me.

Thanks

 

[Reg Morrison]

Can someone please help me.

Let's start with the first question of a series:

Why were the nonconformities found in your internal audits softgraded as observations? Can you ask the auditor(s) who reported the observations why they did so, even though, they have (apparently) observed situations where requirements were not being complied with?

Maybe, together, we can do a 5-why session....

 

[Mark Meer]

Apparently since we say that "A non-conformity is a non-compliance to the standard, codes, quality plan or documented procedures and is recorded as such."
The statement of Non-Conformance: Statements of non-compliance were not recorded as non-conformities, as required.
The evidence of the Non-Conformance: Indicated findings on non-compliance were recorded as observations, rather than as non-conformities.

Geez... This, to me, seems like nothing more than semantic nit-picking.

Unless you have some policy for handling what are "observations" versus "non-conformities", I don't see it being a big deal what you call them (perhaps "observed non-conformities"? ).

As Sidney Vianna points out, the auditor should really focus on effectiveness (i.e. how you handle observations/non-conformities/findings - whatever you want to call them - rather than what you call them).

But, to address the auditor finding, perhaps a simple definition statements in the procedure could be added?

 

[Reg Morrison]

Unless you have some policy for handling what are "observations" versus "non-conformities", I don't see it being a big deal what you call them (perhaps "observed non-conformities"?

According to ISO 9001, a nonconformity would typically lead to a corrective action request, while an observation (which is not mentioned anywhere in ISO 9001) doesn't. So, softgrading a nonconformity and calling it an observation goes against the intent of ISO 9001.

 

[Big Jim]

We recently went through our re-registraion audit and we received a NCR on Internal Audits. Apparently since we say that "A non-conformity is a non-compliance to the standard, codes, quality plan or documented procedures and is recorded as such."
The statement of Non-Conformance: Statements of non-compliance were not recorded as non-conformities, as required.
The evidence of the Non-Conformance: Indicated findings on non-compliance were recorded as observations, rather than as non-conformities.

I don't even know where to begin on answering this NCR. Can someone please help me.

Thanks

I can understand why this is hard to respond to. It is very poorly written. Badly written nonconformances are almost always hard to respond to.

I recommend you contact your certification body and ask for help in understanding the nonconformance. Once they see how badly written it is they may ask the auditor to re-write it or to withdraw it.

I agree with what others have posted here that internal audit nonconformances should not be "soft graded". However, I can't tell if that is what happened here as it is not written specifically enough. It almost looks like he is trying to build a case for the difference between conformance and compliance, which another poster pointed out is mostly a matter of semantics.