Responding to Customer Audit

[ScottK]

We are ISO 9001. Customer does an audit based on ISO 9001. No real issues, but the customer wants a response on a few items. So I am looking for ideas on how to respond to a customer audit where the customer has their own view or requirement beyond what ISO actually requires.

So since there are really no "issues" there are no non-conformances. Seems like they left you with what they consider opportunities for improvement which are always optional. For a softer message I might say that some of these will be considered opportunities for improvement and will be discussed as such in the next management review.

So for example, 9.3 Management Review. They want actions which result from these reviews and cited that we have no "documented" action items -- which wasn't 100% true as we had a note for Purchasing to review some delivery data and update. I think she was looking for corrective actions or something.

I would document that there are no action items to document, thus documenting the lack of output. And that's an output.

Similarly, internal audits didn't have any issues requiring corrective actions. So they want a response regarding the effectiveness of the internal audits. (of course she didn't find anything noteworthy either).

I would respond that your registrar reviews internal audit results in every audit cycle and considers the process effective.

Or as part of 7.2 competency, they wanted annual employee reviews (since I have a senior staff, they are done less frequently). And operator training records that they were trained in inspection, which they don't do.

Periodic employee reviews are not a requirement of the standard so if you do them it's up to your organization how often. Do you have a training matrix or something that shows who needs to be trained in what? If that's up to date then you have nothing to answer for. again... maybe that's an opportunity for improvement that can be brought up at the next management review - increase cross training or someting.

 

[dramman]

OP....You state it is a customer's audit based on ISO9001. I would interpret this (based on experience) as they use ISO9001 as a guide but go beyond the standard in certain topics. Such as adding requirements or viewing some optional requirements as "shalls".

There are not too many companies anymore who perform ISO9001 audits of their suppliers who are ISO9001 certified.

 

[Golfman25]

OP....You state it is a customer's audit based on ISO9001. I would interpret this (based on experience) as they use ISO9001 as a guide but go beyond the standard in certain topics. Such as adding requirements or viewing some optional requirements as "shalls".

There are not too many companies anymore who perform ISO9001 audits of their suppliers who are ISO9001 certified.

Yes exactly. It's based on the standard, but they highlight their "preferred" practices such as annual employee competency reviews.

And yes, this isn't a frequent occurrence. Last one was 5 years ago. And before that, a long time.

 

[ScottK]

OP....You state it is a customer's audit based on ISO9001. I would interpret this (based on experience) as they use ISO9001 as a guide but go beyond the standard in certain topics. Such as adding requirements or viewing some optional requirements as "shalls".

If this is the case then there needs to be an agreement in place between the organizations. Could be in a terms & conditions document or a separate supplier quality agreement. I've dealt with that in the past. I've also pushed back on customers who tried to audit us to standard we did not follow or were not subject to.

 

[dramman]

Yes exactly. It's based on the standard, but they highlight their "preferred" practices such as annual employee competency reviews.

And yes, this isn't a frequent occurrence. Last one was 5 years ago. And before that, a long time.

Seems like one of those situations where you have to respond with that your preferred practices are not ours. Thsi is all depend son how critical and large this customer is to your business. Also, if it makes sense to add an additional employee review process to your management system.

 

[Mike S.]

Current customer or potential new customer?

If the former, did they tell you these "requirements" over and above ISO9001 in advance (before the audit, like in PO flowdowns, etc.?

It may be a case of the SQE being overzealous and it is their personal "requirements" not those of the customer per se. That's where the "can you show me where these requirements are formally flowed-down to us?" question can help.

 

[ED76]

We are also a small company with only long term employees. I did push back against unreasonable customer audit findings occasionally, but have to make a solid case as to why we can justify our position. In some cases we do have additional requirements documented in quality agreements with customers and then that can form part of the audit. Our customers are long term, B2B.

As regards internal audit findings, we always find a few things, although they tend to be minor, they are usually OFIs or observations but we do escalate some to NCs to ensure we improve the processes that caused the event if we can. We don't have major NCs as our systems are long established and our work doesn't change that much. We have monthly management reviews which include design and development progress as well as manufacturing and sales, plus the status of e.g. customer complaints, CAPAs, supplier NCs, so those form actions.