Should a Registrar write a NC on something that was found during the Internal Audit

Should the Registrar write a NC for something identified during an Internal Audit?

  • Yes

    Votes: 6 24.0%
  • No

    Votes: 19 76.0%

  • Total voters
    25

Coury Ferguson

Moderator here to help
Staff member
Super Moderator
#61
Re: Should the Registrar write a NC on something that was found during the Internal A

Coury,

My initial response would be 'no' to the question, based on years of implementing and being audited to ISO, QS, AS, TS, NADCAP and even some of the oldies such as Ford Q1. To further qualify; the auditor's response depends on his/her level of experience and your ability to defend your position...unfortunate but true. Those of us who are career quality management often are looking for the simple YES/NO response, whereas this specific issue comes preloaded with multiple dynamics.

An external auditor will generally make their findings independent of the internal audit process. If it is later discovered and brought to the attention of the external auditor that a similar finding exists within the internal audit process, then they typically will not write an identical finding. Once again, this depends on the experience of the auditor, the severity of the finding and if evidence suggests that lapses exist in the corrective action process.

Failure to address root cause during the corrective action process is a very serious issue and in fact, demonstrates that corrective action is ineffective. I suspect that other indicators exist to support the auditor's findings as the CA process is not limited to customer complaints or internal audits. Normally, any metric not meeting goal requires some form of corrective action (C&PA, Management Review Inputs & Outputs, Operating Metrics, etc...), consequently there is a target rich environment available to an auditor to determine if root cause is being addressed throughout the organization.

If you can demonstrate to the auditor that this failure is actively and aggressively being addressed, then they would likely view it differently. Evidence may include an immediate increase in audit frequency (a requirement based on severity of issue), output or an action plan demonstrating management committment, immediate inprocess and ongoing root cause training, the use of external resources, etc... If however, there is no evidence of action in progress, then I would tend to vote 'Yes' in support of the auditor and wipe the sweat from my brow knowing how close to a major non-conformance I was...

Ultimately "Should this be allowed?"

As much as it pains me, I think it must be.
Thank for providing your insight, and it is valuable information and I'm sure it will help other Covers.
 
Elsmar Forum Sponsor

BradM

Staff member
Admin
#62
Re: Should the Registrar write a NC on something that was found during the Internal A

Thank for providing your insight, and it is valuable information and I'm sure it will help other Covers.
Agreed. And BTW... welcome to the Cove!:agree1: That is an excellent first post.:yes:
 
#63
Re: Should the Registrar write a NC on something that was found during the Internal A

Let me also welcome you to the Cove, Agamemnon!
:bigwave:

As to the question. My over-simplified thinking is: The reason we do audits (internal and external) is to make sure the system is working and to find ways to make it work better. The reason for issuing NC's is have effective corrective actions, meaning the system will work and work better. Given that, if an internal audit finds a weakness and a corrective action is generated, writing it up again (unless the CA is overdue, or not effective) is wasted energy. What is to be accomplished by the CA?

As Gidget asked:
So, now you will have to open a CAR for something that already has a CAR open (from the internal audit)...:confused:
 
A

Agamemnon

#64
Re: Should the Registrar write a NC on something that was found during the Internal A

Here are two more of the findings. These will be the last ones that I will post.



Now please show me where this is required in AS9100? There is nothing that I see in the standard that requires a reference to AS9100.



Where does it say that I have to exclude something?


As you can see, this is why the findings are subjective/invalid, in my opinion; and the Appeals process will support this.

Any other comments?
SAE AS9100 B Section 4.2.2 "The organization shall establish and maintain a quality manual that includes:
a) The scope of the quality management system, including any details of and justification for any exclusions (see 1.2)

Consequently your quality manual must outline the 'scope' of your business. Here is a basic example that can be included as an introduction prior to your actual scope statement: "This Quality Manual describes the policies, processes, interactions and the quality management system of the <Insert Company Name>. The quality management system described in this manual conforms to the requirements of ISO 9001:2000 and AS9100:2004 international standards."

An actual scope statement: "The Manufacture of Precision <insert applicable product or service> For Aerospace, High Purity, Pharmaceutical, Medical and Nuclear Applications Excluding Design, Development and Service."

Exclusion Table:
Permissible Exclusions:
7.3
<Company Name> does no designing of product; therefore section 7.3 is excluded in its entirety.
7.5.1.5
<Company Name> does no servicing or repair to the product supplied, therefore section 7.5.1.5 is excluded.
7.5.2
<Company Name> can verify the characteristics of the product it supplies, therefore section 7.5.2 is excluded.


Note that the introduction, scope and exclusion table includes the scope of your organizations QMS and lists the appropriate exclusions. Each of these may be expanded or reduced as appropriate to fit your specific application.

Root cause: Inadvertent Omission:notme:

I hope this helps!
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#65
Re: Should the Registrar write a NC on something that was found during the Internal A

What is to be accomplished by the CA?
I would like to have a shot at the answer too.

As I explained previously, if you assume that triggering a corrective action request means that a robust root cause analysis and effective corrective actions will take place, you are not familiar with the real word of certified organizations, where superficial corrective actions are the norm, corrections are mistaken with corrective actions, corrective action requests are ignored by addressees, follow up activities don't take place to verify implementation and effectiveness of CA's....Not everyone will process a corrective action request the way they should, intended by the QMS standards, such as ISO 9001 and AS9100.

If I am an external auditor auditing an organization for the first time, for example, during Stage 2 of the Certification audit, I have no history with that organization. I might have concerns about that organization's corrective action process efficacy. By deciding to maintain "duplicate" corrective action requests, me as the lead auditor, will have some control over the adequacy of the corrective action plan, implementation timeline and follow up activity. If, on the other hand, I decide to forgo my non-conformities, because they were already observed and reported, during an internal audit, I have no way to ensure that the people reviewing the corrective action plans are as demanding as I am of real root cause investigation and corrective action adequacy. I will have no influence over the timeliness of implementation and follow up.

If on the other hand, I have a "history" with that organization and I know that they are serious and have robust processes in place, very likely, I will acquiesce that there is no added value in writing something up, which is already being resolved.

But, the question that I posed and nobody attempt to answer is:

If you are already working on the corrective action for something that was reported during an internal audit, what is the harm with the external auditor NC? That is not really creating any "additional work". Is it? Just to transpose data of a corrective action in progress to some external forms is not too much to ask. Or, is it?
 
D

D.Scott

#66
Re: Should the Registrar write a NC on something that was found during the Internal A

Here are two more of the findings. These will be the last ones that I will post.



Now please show me where this is required in AS9100? There is nothing that I see in the standard that requires a reference to AS9100.



Where does it say that I have to exclude something?


As you can see, this is why the findings are subjective/invalid, in my opinion; and the Appeals process will support this.

Any other comments?
AS9100 B 4.2.2 Quality Manual requires a quality manual that includes:

b) documented procedures established for the quality management system, or reference to them, and when referencing the documented procedures, the relationship between the requirements of this International Standard and the documented procedures is clearly shown.

Without identifying which Standard you are meeting the requirements of, how could you show a clear relationship? Remember, AS9100 is written with ISO 9001 as a base. The wording added for AS will sometimes modify the requirement slightly. In this case, you would need to identify which International Standard you are basing your QMS on. The actual words may not be there but the requirement of showing the relationship between the documents and Standard is clearly required.

Also under 4.2.2 The manual must include:

a) ........ details of and justification for, any exclusions.

You are correct in your statement there is no requirement for you to have an exclusion. The requirement, although it doesn't spell it out, requires your QMS to address every requirement of the Standard. If, for example, you don't do servicing there would be no reason to include it in your QMS BUT you would need to satisfy 4.2.2 (a) by giving the details and justification for not including the element. It appears from the finding that although you do no servicing, you did not address it in your quality manual.

It is certainly possible I am missing something but with my current understanding, I think the findings were both valid.

Just my opinion.

Dave
 
#67
Re: Should the Registrar write a NC on something that was found during the Internal A

If you are already working on the corrective action for something that was reported during an internal audit, what is the harm with the external auditor NC? That is not really creating any "additional work". Is it? Just to transpose data of a corrective action in progress to some external forms is not too much to ask. Or, is it?
It might not be too much to ask, but it may be useless. If the internal audit corrective action is ineffective, so would the external audit (since they both use the same "fix"). This would show up. If only one NC is generated (the internal) and it was ineffective, it too would show up. Regardless of who "owns" or who "controls" the CA, the CA effectiveness will become apparent. And writing a 2nd NC could very well create ill-will between the 3rd party and the organization due to the organization's view that the NC is "nit-picking". It could also cause political issues within the organization.
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#68
Re: Should the Registrar write a NC on something that was found during the Internal A

If the internal audit corrective action is ineffective, so would the external audit (since they both use the same "fix").
I have a different opinion. Because, if the registrant does not have efficacious corrective action process and that becomes clear, as a result of my Stage 2 audit, I can (and should) deny certification to that organization. Which would put pressure on the registrant to strengthen their corrective action processes to a level which deserves to be certified.

I would also like to mention that lack of CB auditor involvement with effective corrective action has been identified as one of the "failure modes" under the ICOP scheme. Check page 14 of the ICOP-OPMT - Downs* presentation. CB's who fail to apply the rules of the ICOP Scheme in order to "please" their certified clients will run the risk of being thrown out of the game.
 
A

Agamemnon

#69
Re: Should the Registrar write a NC on something that was found during the Internal A

Here are two more of the findings. These will be the last ones that I will post.



Now please show me where this is required in AS9100? There is nothing that I see in the standard that requires a reference to AS9100.



Where does it say that I have to exclude something?


As you can see, this is why the findings are subjective/invalid, in my opinion; and the Appeals process will support this.

Any other comments?
I would like to have a shot at the answer too.

As I explained previously, if you assume that triggering a corrective action request means that a robust root cause analysis and effective corrective actions will take place, you are not familiar with the real word of certified organizations, where superficial corrective actions are the norm, corrections are mistaken with corrective actions, corrective action requests are ignored by addressees, follow up activities don't take place to verify implementation and effectiveness of CA's....Not everyone will process a corrective action request the way they should, intended by the QMS standards, such as ISO 9001 and AS9100.

If I am an external auditor auditing an organization for the first time, for example, during Stage 2 of the Certification audit, I have no history with that organization. I might have concerns about that organization's corrective action process efficacy. By deciding to maintain "duplicate" corrective action requests, me as the lead auditor, will have some control over the adequacy of the corrective action plan, implementation timeline and follow up activity. If, on the other hand, I decide to forgo my non-conformities, because they were already observed and reported, during an internal audit, I have no way to ensure that the people reviewing the corrective action plans are as demanding as I am of real root cause investigation and corrective action adequacy. I will have no influence over the timeliness of implementation and follow up.

If on the other hand, I have a "history" with that organization and I know that they are serious and have robust processes in place, very likely, I will acquiesce that there is no added value in writing something up, which is already being resolved.

But, the question that I posed and nobody attempt to answer is:

If you are already working on the corrective action for something that was reported during an internal audit, what is the harm with the external auditor NC? That is not really creating any "additional work". Is it? Just to transpose data of a corrective action in progress to some external forms is not too much to ask. Or, is it?
>>I would like to have a shot at the answer too.<<

Bulls Eye!

I would agree that very little additional work is required to answer the external NC. The fact is, you can and should answer 3rd party NC using your organizations established corrective action system (providing it addresses the root cause, corrective and preventive measures).

Slightly off topic: I periodically remind senior managers that third party audits are not opportunities to compete with the registrar, rather, they are value added excercises. An external supplier (read, no conflict of interest) is being paid to audit our QMS for compliance to an established standard. I make the point of having this discussion during opening meetings and it has always been effective in tension elimination and keeping audits on track.
 

Coury Ferguson

Moderator here to help
Staff member
Super Moderator
#70
Re: Should the Registrar write a NC on something that was found during the Internal A

SAE AS9100 B Section 4.2.2 "The organization shall establish and maintain a quality manual that includes:
a) The scope of the quality management system, including any details of and justification for any exclusions (see 1.2)

Consequently your quality manual must outline the 'scope' of your business. Here is a basic example that can be included as an introduction prior to your actual scope statement: "This Quality Manual describes the policies, processes, interactions and the quality management system of the <Insert Company Name>. The quality management system described in this manual conforms to the requirements of ISO 9001:2000 and AS9100:2004 international standards."

An actual scope statement: "The Manufacture of Precision <insert applicable product or service> For Aerospace, High Purity, Pharmaceutical, Medical and Nuclear Applications Excluding Design, Development and Service."

Exclusion Table:
Permissible Exclusions:
7.3
<Company Name> does no designing of product; therefore section 7.3 is excluded in its entirety.
7.5.1.5
<Company Name> does no servicing or repair to the product supplied, therefore section 7.5.1.5 is excluded.
7.5.2
<Company Name> can verify the characteristics of the product it supplies, therefore section 7.5.2 is excluded.


Note that the introduction, scope and exclusion table includes the scope of your organizations QMS and lists the appropriate exclusions. Each of these may be expanded or reduced as appropriate to fit your specific application.

Root cause: Inadvertent Omission:notme:

I hope this helps!
Thanks again for providing this information

I do however disagree with some of your response. The standard allows exclusions, but does not require it. The paragraph that you have mentioned is the same one the Auditor stated. Does the standard state: You shall reference/include any exclusions? No. I still don't see it required. I do agree that the exclusions should be stated, and it was a very good recommendation. But, as a REQUIREMENT, I am still not convinced.

Again, the Scope is defined, but they say it didn't reference the AS9100 Standard. Is there somewhere that I have missed the SHALL in this? I have sometimes overlooked things

I have written many exclusions successfully, in my years. But, thanks for your suggestions.

Just to provide a little background here: This system was written by someone other than me, and as far as I was concerned it was not written well. So, at this point, I was looking at meeting the Requirements (minimum) to AS9100, and that is what I worked at.

You're preaching to the choir here, and I know what is needed; it was a matter of time constraints. This whole system will be revamped to meet the requirements and meet the business needs, which far exceed the current system. Simple as that.


I love these discussions everyone. Continue please.
 
Last edited:
Thread starter Similar threads Forum Replies Date
Robert Stanley Which Registrar Should I Choose for ISO 9001:2015 registration? Registrars and Notified Bodies 10
M Should Potential Customer Complaint Outcome Define Registrar NC Rating? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
P Registrar Auditor's Candid Remarks - Should I report him to his office? Quality Manager and Management Related Issues 9
I Should We Notify Our Registrar - Has Our Scope Changed? IATF 16949 - Automotive Quality Systems Standard 5
Sidney Vianna Should customers influence a supplier's registrar selection? Registrars and Notified Bodies 88
M My site is closing When should I inform my Registrar ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 3
T Should I contact registrar about major downsize ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
Crusader Process Approach beef - Registrar says that we 'should' use the process approach General Auditing Discussions 20
Adriane Am I overthinking this or... Should my Registrar be ISO9001 certified Registrars and Notified Bodies 46
A Choosing a Registrar - What Should We Look For in a Registrar? Registrars and Notified Bodies 81
Sidney Vianna Interesting Discussion Should ISO 9004 be changed from a guidance standard to a requirements standard? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
A Should I take an online course for a career in Occupational Health and Safety? Career and Occupation Discussions 2
J Should a Class 1 medical device with an option to measure body weight be considered Class 1m? EU Medical Device Regulations 0
K Should APQP/PPAP has its own section in a QM? Quality Management System (QMS) Manuals 1
S What should i choose for "testing procedure" characteristics? (N95) General Information Resources 0
P Should eIFU link per ISO 15223-1:2016 be added to labels out of scope of Reg 207/2012? EU Medical Device Regulations 1
S Which Sampling Plan(s) Should I Use? Inspection, Prints (Drawings), Testing, Sampling and Related Topics 7
A Document release vs its related training. Which should come first? ISO 13485:2016 - Medical Device Quality Management Systems 18
S Which department should prepare the control plan? could you show me a standard regarding to this matter. FMEA and Control Plans 17
J Help settle a disagreement: Should external providers of preventive maintenance be on your ASL? AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 5
N Master Samples - What should we be keeping? IATF 16949 - Automotive Quality Systems Standard 9
G Supplier delivered recent PPAP, should he deliver yearly layout inspection? IATF 16949 - Automotive Quality Systems Standard 4
John Broomfield Vote - Should ISO9004 Become a Requirements Standard? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 11
A Capability Study - in the beginning of your career what should you have known about the tool Quality Tools, Improvement and Analysis 11
J Should Loading and Unloading be Included in Cycle Times? Lean in Manufacturing and Service Industries 14
E Manufacturers should develop a testing device for covid19 Service Industry Specific Topics 0
T 510(k) submission - Which name should I use in the submission? Other US Medical Device Regulations 3
N ISO 19011:2018 - 5.4.2 "...audit program should engage in appropriate continual development..." Training - Internal, External, Online and Distance Learning 4
G Should I perform Gage R&R only at the beginning of a new project? Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 6
DuncanGibbons Should the requirements FAA/EASA Part 21 be addressed within the QMS and AS9100D quality manual? AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 5
M Should 510(k) Predicates be Actively Listed Devices? Other US Medical Device Regulations 12
B Why the Greek god Hephaestus should have done a design FMEA (DFMEA) on his giant robot APQP and PPAP 1
J On PFMEA for danger labels - Label always should be assigned severity 10 ? FMEA and Control Plans 3
H Who should be listed as the manufacturer/distributor on the box? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 15
M MDR, RED and LVD - Should our device comply with them? EU Medical Device Regulations 3
BeaBea How Many Processes should be created for each Department? Process Maps, Process Mapping and Turtle Diagrams 5
M Should volume of sales be factored into risk probability assessments? ISO 14971 - Medical Device Risk Management 33
MrTetris Should potential bugs be considered in software risk analysis? ISO 14971 - Medical Device Risk Management 5
S Should safety checks be included in the Control Plan? IATF 16949 - Automotive Quality Systems Standard 5
M Which incubation condition should be selected to recover both bacteria and fungus effectively Miscellaneous Environmental Standards and EMS Related Discussions 3
D Is there a specific location for PPE such as safety glass holders and glove dispensers should be mounted Occupational Health & Safety Management Standards 10
M Who should receive the bills from suppliers and vendors, account payable or procurement? Consultants and Consulting 4
V IATF 16949 8.4.1 Control of externally provided processes, products and services - Should the CB be on our Approved Supplier List? IATF 16949 - Automotive Quality Systems Standard 10
A We are ISO 13485:2016 should we be audited to ISO 14971 ISO 13485:2016 - Medical Device Quality Management Systems 16
E Received a Major finding during IATF Surveillance audit for loss of BIQS Level 3 (more than 6 SPPS in 6 months)...how should we address SYSTEMIC CA? IATF 16949 - Automotive Quality Systems Standard 11
J Organization merger. Should we keep two separate ISO 13485 certificates? ISO 13485:2016 - Medical Device Quality Management Systems 6
S Companies that maintain your machine should be in ASL? AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 2
S Use of "Shall" versus "Should" in Procedures ISO 13485:2016 - Medical Device Quality Management Systems 26
D Class II medical device - When should a complaint be closed? Customer Complaints 6
Sidney Vianna IATF 16949 News Presentations from the latest IATF Stakeholder Event - Expectation that IATF 16949 certification should equate with product quality. Misguided? IATF 16949 - Automotive Quality Systems Standard 7

Similar threads

Top Bottom