What are general examples of audit findings with ISO 9001:2015?

[Albert G.]

Greetings.

Our quality department is preparing for incoming audits, and our quality manager and I would be interested to learn about the kinds of audit findings that you have discovered so far with ISO 9001:2015. Generally speaking, what are the discrepancies/issues encountered during your audits? Since communication processes (i.e. 7.4) and risk-based thinking (i.e. 6.1) are such important newer requirements, I would particularly like to get a sense of your experience with these.

If this can help in formulating your response, we do containments, inspections and logistics for automotive OEMs.

Thank you.[FONT=&quot]

PS: Please note that I am a novice in Quality.[/FONT]

 

[LUV-d-4UM]

Our quality department is preparing for incoming audits, and our quality manager and I would be interested to learn about the kinds of audit findings that you have discovered so far with ISO 9001:2015. Generally speaking, what are the discrepancies/issues encountered during your audits? Since communication processes (i.e. 7.4) and risk-based thinking (i.e. 6.1) are such important newer requirements, I would particularly like to get a sense of your experience with these.

If this can help in formulating your response, we do containments, inspections and logistics for automotive OEMs.

We have just completed an upgrade to the new ISO9001:2015. There was a zero findings. If you are going through this process the first time, here are the findings that I have experience from other audits:

1. Management Review - must include all the agenda items in ISO9001:2015

2. Internal Audits- must be completed for all the processes identified in the audit schedule/plan. Auditors will not be allowed to audit their own work. After completion of audits, someone else, must audit the Internal Audit process.

3. Corrective Actions must be verified for effectiveness before closure.

4. ISO9001:2015 awareness training to all employees in the system; must provide sign in sheet to show evidence that they are trained.

5. Supplier performance-must be included in Management Review

6. Of course other things like calibration, risk-based thinking will be demonstrated.

The Top Management of your organization SHALL be present during your audit. He has to explain the Quality objectives, and he has to answer the whole of section 5 of the ISO9001:2015 standard.

A quality manual is not mandatory but it is good to have one as source of exploratory questions by the auditor. GOOD LUCK

 

[Marc]

<snip> A quality manual is not mandatory but it is good to have one as source of exploratory questions by the auditor.

I suggest a cross reference matrix as well to simplify audits.

I also encourage others to post in this thread, and don't forget Audit Nonconformances and Findings

 

[LUV-d-4UM]

The preparation for upgrade to ISO9001:2015 is not easy. To get a Zero finding is possible only with 100% commitment from Leaders and employees. Our auditor went on overtime because of digging the process, score cards, spending time with top management etc...Good luck to everyone.

 

[Randy]

I've done a over a dozen audits already including some multi-locations and the most common nonconformity has been control of documentation (7.5).

 

[Sidney Vianna]

I've done a over a dozen audits already including some multi-locations and the most common nonconformity has been control of documentation (7.5).

I mean nothing negative, but it makes me wonder if that represents the real problems or is this the "comfort zone" of the auditors? When a standard brings fluff and "hard to audit" issues such as leadership, context, knowledge management, risk and opportunities, etc. I suspect many auditors will avoid the discomfort and converge to their safe zones of tangible, "black&white" requirements such as calibration, document control, records, etc.

As I said several times, here and elsewhere, it does not matter if a requirement exists in a standard or not, until the organization is held accountable to comply with it, by an auditor, either internal or external.

I can guarantee that the majority of organizations already certified to 9001:2015 don't comply with the requirement to have the QMS integrated in the organization business processes, but very few auditors would have the intestinal fortitude to write that "failure mode" up in an audit. Until the conformity assessment practices are aligned with the standard, it does not matter what the standard says.

IAF, and ISO/CASCO when are you going to wake up?

 

[LUV-d-4UM]

I have another upgrade coming up soon. Hoping that we prepared well.

 

[Big Jim]

The most common thing I have seen is not altering their management review agenda to include all the new management review topics.

As for integrating the quality management system to the business management system, I have had a few comment that ever since implementation of their quality management system they have always been integrated. And indeed, it appears that they have. This is more common with newer and smaller companies. Those burdened with the old school thinking that if it involved quality it was the responsibility of the quality manager and no one else needs to worry about it have not found their way in the new reality yet.

 

[ReworkIT]

The consultant we are using tells me that his clients struggle most with the Context of the Organization and how to link that to having a strategic plan of some kind and how to change the quality management system to implement the plan. They say the auditors who are doing the upgrade audits aren't hardly spending any time on that, but write up calibration and other things they've seen in previous visits.

A friend recently attended a quality conference and one of the speakers said that the Certification Body audit findings data didn't come close to addressing the product quality issues in their industry. I think Mr. Vianna posted a chart which showed that the #1 Major finding was auditor training.

 

[Jen Kirley]

I've had one audit (to 2008 version) in which I issued a major for resources (not) provided by management. The new standard's 5.1.1 requirements would have made it easier to write the action request, based on its more actionable language.

Writing legitimate action requests requires clear evidence to point to, in order to declare a requirement is ineffectively implemented. That is more difficult when time is limited, forcing a more superficial approach to auditing (mile wide and inch deep) and documented information for the requirements is not required. An auditor would need to be able to point to a recognized issue and say ____ is happening because of (fluff and "hard to audit" clauses). It is true that it is very difficult to train auditors to provide the needed in-depth analysis to correlate such clauses in a cause-and-effect manner that would add real value. It requires analysis and often process excavation. I try, often at the expense of another subject as I run over my time slot. When clients insist on staying within time slots, this opportunity sometimes slips by. I regret that but I cannot solve it.

The new standards are difficult for auditors who were used to a list of Shalls but those of us who have been in environmental and safety standards are sufferning somewhat less confusion. Auditors will need to up their game and learn the difference between leadership and management. Good luck with that, as many boast MBAs that I wonder left them with the ability to distinguish the two.