What do you do when an auditee says "No thank you"

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#51
Jennifer:

I've been out walking the dog and giving this some serious thought! (No comments about Mad Englishmen and their dogs in the midday sun, please;))

What were the:-

* Scope
* Objectives &
* Criteria

of this audit? Reading your post #37 makes me wonder why he would say that training doesn't need to be audited. So, I have that question for you, why were you auditing training?

As much as we here recognize dysfunctionality of organizations, audit can still be used to take that objective and impartial look at the QMS in this guy's area of responsibility. While out walking, it also ran through my head that I wonder what any documentation might actually say is the responsibility of this support function and it's management?

If such things are clearly defined the audit should go more smoothly. If not (and ISO 19011 talks to this) maybe that aspect could have been sorted before the audit took place - I guess it depends on those three things above!
I find that taking a walk is a perfect way to work through these things. :agree1:

Scope involved the controls, activities and records for the things this group did as support for the sites, specifically rolling out enterprise software applications. Objectives were to verify the activities and controls set out in their internal process documents. Criteria included downstream effects in the sites. We sought to understand how it all worked.

We didn't audit training, but pointed out to the auditee in our last meeting that, like control of documents, auditors may also ask about training for the process people - but that questions are limited to the extent of their responsibility. That means the majority of training questions are dealt with in the audit with HR & Training but that we may ask what competency means for these people, how it's achieved and how we know it's been achieved. If my auditees can't answer these questions it's my habit to work through it together and coach them on how to answer the question if a registrar asks it. No one comes from the egg knowing all this stuff.

The corporate Document Control system is the default for process documentation, but groups do have the right to manage their own documents as long as they do so in accordance with 4.2.3. In past audits this group was found to have no such controls, and developed the controls as a response to an audit finding. The documents having been established, my objective here was to verify that the defined controls were effective and that 4.2.3 were being followed. He simply didn't agree he should have to do so.
 
Elsmar Forum Sponsor
J
#52
I find that taking a walk is a perfect way to work through these things. :agree1:

Scope involved the controls, activities and records for the things this group did as support for the sites, specifically rolling out enterprise software applications. Objectives were to verify the activities and controls set out in their internal process documents. Criteria included downstream effects in the sites. We sought to understand how it all worked.

We didn't audit training, but pointed out to the auditee in our last meeting that, like control of documents, auditors may also ask about training for the process people - but that questions are limited to the extent of their responsibility. That means the majority of training questions are dealt with in the audit with HR & Training but that we may ask what competency means for these people, how it's achieved and how we know it's been achieved. If my auditees can't answer these questions it's my habit to work through it together and coach them on how to answer the question if a registrar asks it. No one comes from the egg knowing all this stuff.

The corporate Document Control system is the default for process documentation, but groups do have the right to manage their own documents as long as they do so in accordance with 4.2.3. In past audits this group was found to have no such controls, and developed the controls as a response to an audit finding. The documents having been established, my objective here was to verify that the defined controls were effective and that 4.2.3 were being followed. He simply didn't agree he should have to do so.
So are we correct in assuming that part of this audit involved a follow-up from a finding on a previous audit? If that is the case, then by what logic would he think that you should not audit their process to 4.2.3?

Another thing that bothers me about this whole issue is that the QMS at this site is "new" and there (apparently) have been problems in how they relate to other sites, not recognizing how their work effects others. At least that is the impression I got from an earlier post.

So we have a manager in a "new" and developing QMS telling the experienced and well established auditor what they should and should not be auditing?
This makes no sense to me.

Since this is "corporate" and there is "no strong leader", I'd say there are some pretty serious problems that need to be addressed.
As others have said, it may just be a matter of teaching, but I have concerns that Corporate does not have strong leadership...Sounds like trouble. Sounds like a culture much more concerned with politicking than with cooperation.

I know this post is kind of jumbled and perhaps not very helpful but I just had to chime in...

Peace
James
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#53
So are we correct in assuming that part of this audit involved a follow-up from a finding on a previous audit? If that is the case, then by what logic would he think that you should not audit their process to 4.2.3?

Another thing that bothers me about this whole issue is that the QMS at this site is "new" and there (apparently) have been problems in how they relate to other sites, not recognizing how their work effects others. At least that is the impression I got from an earlier post.

So we have a manager in a "new" and developing QMS telling the experienced and well established auditor what they should and should not be auditing?
This makes no sense to me.

Since this is "corporate" and there is "no strong leader", I'd say there are some pretty serious problems that need to be addressed.
As others have said, it may just be a matter of teaching, but I have concerns that Corporate does not have strong leadership...Sounds like trouble. Sounds like a culture much more concerned with politicking than with cooperation.

I know this post is kind of jumbled and perhaps not very helpful but I just had to chime in...

Peace
James
Your insights are not at all jumbled, in fact they are all accurate. :agree1:

This was a "legacy issue" of not understanding what was required of them. First, that they must have a documented process for their activities; second, that this would need to be verified. Since they had chosen to make their own, independent system, we'd need to verify that it was going according to plan. If they had chosen to climb onboard with corporate document control protocols, the in-person validation wouldn't have been necessary because the audit team could have verified the controls were being followed based on our both being Document Control Admins. We could have just done a "desk audit" by looking in the system and verifying things like revision control.

Several times in the last meeting the auditee described his people as only a support function, but I assured him they are critical: the manufacturing sites would grind to a halt without this group (IT). This strongly infers the process people don't know their relevance in the QMS, which is a conclusion not resolved by a non-conformance to this group. It isn't their fault.

I think what we have at the root here is an issue of preparing people to understand their roles in the QMS. That's a leadership issue I have no control of, and can only allude to as a process audit finding. If the organization is astute it will recognize a need for action, but that's not assured in this particular audit. It can explain, however, why I enthusiastically signed up to do the audit on management review and business planning process. :D
 
#54
I've encountered IT groups with such a philosophy! They seem to think and behave a little like "techie-geeks" and many have never woken up to the fact that in today's business environment, little would get done without them. Plus, they hope since no-one talks their language, they can 'get away' with not playing by the same rules as everyone else.

I would have thought it wasn't too difficult to find some hard performance data on this organization and the effects of their apparent lack of support - IT issues aren't too difficult to unearth - trouble tickets not addressed in a timely manner or unresolved, email outages, poorly supported applications, you know what goes on.

I am somewhat empathetic to their response in some ways: an audit of training may (whether it was done or not) not be appropriate unless something changed recently. Same crew? Same technology, same process? Why bother?

Maybe they did get gigged in the past for document controls not being in place etc., but given their position it's a big leap to suggest that such controls are high on their agenda! Internal audit should, IMHO, try to get at hot buttons they deal with.

In one experience I had, an IT group had a punch list of 20 IT related programs they were rolling out. #13 - was the writing of the report software for the NC reporting tool, they'd written years ago! Yet the company were hemorrhaging an estimated $8M in non-conforming product processing! What was #1 on their list? Getting cell phones and pdas for the staff!

When the fact that because reports couldn't be run and the actual cost was actually unknown (we took a SWAG at it, they couldn't challenge, no data!) was brought to the senior management's attention, it made the IT department swiftly re-align it's objectives to that of the main processes of making products...
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#55
I've encountered IT groups with such a philosophy! They seem to think and behave a little like "techie-geeks" and many have never woken up to the fact that in today's business environment, little would get done without them. Plus, they hope since no-one talks their language, they can 'get away' with not playing by the same rules as everyone else.

I would have thought it wasn't too difficult to find some hard performance data on this organization and the effects of their apparent lack of support - IT issues aren't too difficult to unearth - trouble tickets not addressed in a timely manner or unresolved, email outages, poorly supported applications, you know what goes on.

I am somewhat empathetic to their response in some ways: an audit of training may (whether it was done or not) not be appropriate unless something changed recently. Same crew? Same technology, same process? Why bother?

Maybe they did get gigged in the past for document controls not being in place etc., but given their position it's a big leap to suggest that such controls are high on their agenda! Internal audit should, IMHO, try to get at hot buttons they deal with.

In one experience I had, an IT group had a punch list of 20 programs they were rolling out. #13 - was the writing of the report software for the NC reporting tool! Yet the company were hemorrhaging nearly $8M in non-conforming product processing! #1 on the list? Getting cell phones and pdas to the staff!

When this was brought to the senior management's attention, it made the IT department swiftly re-align it's objectives to that of the main processes of making products...
I think we are aligned in our thinking of why IT is a part of the QMS. :agree1:

Certainly document control is not high on this group's agenda, yet the audit team decided it was important to verify this group's controls over their documentation because that documentation included data security and backup policies.
 

Wes Bucey

Quite Involved in Discussions
#56
I've often thought that validating COMPETENCE is more valuable to an organization than validating TRAINING (which training validation is often nothing more than attendance records.) Not everyone needs training to perform a function, just as not everyone needs a college degree to pass an ASQ certification. The training, if any, could have been

  1. conducted at a prior employer
  2. done by independent study
  3. learned by informal on-the-job practice
The crucial factor is periodic evaluation of that competency, for the same reason we have periodic audits:
"It is not a once-and-done proposition, else there would be no need for the platoons of auditors traveling around the world."
 
J
#57
Jennifer,
Thanks for clarifying.
Based on this, Id' say you handled the situation extremely well. It sounds like there is a big-ole learning curve involved here...and hopefully things will settle out.

I think Andy makes some good points about IT folks. While I don't have a lot of experience with these types and have never audited an IT group, I can certainly vouch for their operating in a different world from many of us. Still I think it odd that in this day and age there are still IT people who think they are "just support people"...:bonk:

Peace
James
 
J

JaneB

#58
In one experience I had, an IT group had a punch list of 20 IT related programs they were rolling out. #13 - was the writing of the report software for the NC reporting tool, they'd written years ago! Yet the company were hemorrhaging an estimated $8M in non-conforming product processing! What was #1 on their list? Getting cell phones and pdas for the staff!

When the fact that because reports couldn't be run and the actual cost was actually unknown (we took a SWAG at it, they couldn't challenge, no data!) was brought to the senior management's attention, it made the IT department swiftly re-align its objectives to that of the main processes of making products...
Very nice example of a useful internal audit, and how critically important it is to gather data (or identify lack of same!) and report the facts, and at times the consequences/impact.

I've had a fair bit to do with IT groups also and yes, many don't really see what they do as having much else to do with anyone else. Unless their senior person is very aligned to the business (some are, some aren't), it can be a challenge keeping them in that space. And they're accustomed to everyone wanting heaps of things from them and to solving problems, and not always terribly good at following procedures or systems (while wanting/insisting that everyone else does!).

But one thing they do usually respond well to is data and objectivity.
 
Last edited by a moderator:

Wes Bucey

Quite Involved in Discussions
#59
In the discussion about IT folks and even department heads of IT, let's not leave out the fact many senior managers regard IT as support. It is rare that an IT manager has a seat at the senior managers planning table. Many managers are of the mind "IT is there to support our plans."

When an entire department is treated as a bunch of geeks who exist solely to install software and/or spy on unauthorized internet browsing, it's no wonder the IT folks get a little bit defensive.

When my son-in-law was a System Administrator, he said it seemed like 90% of his after hours "emergency" calls were calls in which RTFM* would have been the most appropriate response. However, since these calls were often from senior officers privy to his private number, his job-saving response was to talk them through their crisis.

On the other side of the coin, it is often true that user operating documentation created by IT folks is anything but user friendly. Often, the documentation is simply non-existent. I lay the fault for that solely at the door of senior managers who do not realize the importance of clear documentation to the orderly, efficient, and effective operation of the organization and therefore do not make it a priority when hiring IT managers, nor in evaluating the effectiveness of currently-employed IT folks.


*RTFM = Read The Freakin' Manual!
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#60
100% agree, Wes. :agree1: More than once I commented to him, "I don't think you realize how important your group is. Our factory would grind to a halt without you." It could be just an intellectual dance, because I'm sure he knows how important they are but is not told as much. I know the feeling, and I'm sure his feelings are validated. I have been told a past plant manager used to call us support people barnacles.

It's one of the things I would do if I had more influence: I would work to establish an understanding that we all have a role in the QMS, right down to the janitorial staff. But even though I don't have much influence, I still get a chance to send this message - I just do it one auditee at a time.
 
Thread starter Similar threads Forum Replies Date
GStough Auditing Against Criteria Unfamiliar to Auditee - Yea or Nay? General Auditing Discussions 11
K Tips for Auditee Training ISO 13485:2016 - Medical Device Quality Management Systems 4
S Experiences as a female auditor / auditee Career and Occupation Discussions 36
S Why auditee names are not mentioned in Audit Report? General Auditing Discussions 2
L How to deal with resistance from auditee(s) Internal Auditing 20
somashekar Internal Audit without a person as auditee Internal Auditing 6
S Internal Audit Findings Summary Rewrite by an Auditee ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 10
F How to Calm a Nervous Auditee Internal Auditing 14
K Sending Audit Questions to the Auditee in Advance Internal Auditing 20
Howard Atkins What you as an auditee should know about your CB (Certification Body) Registrars and Notified Bodies 0
P What to do when an Auditee Falsifies or Cheated on Records Internal Auditing 6
A What do you do if you have the feeling that your auditee could be lying? Internal Auditing 58
M What to do when Auditee refuses to sign Audit Report General Auditing Discussions 91
J Auditee offered help with anything in nonconformities Internal Auditing 16
P Internal Audit Finding - Root Cause Analysis: Auditor or an Auditee Responsibility? Internal Auditing 24
B Could ISO 22000 auditee hold Auditor Responsible for subsequent safety breaches? Food Safety - ISO 22000, HACCP (21 CFR 120) 16
V Can the Management Representative represent top management as the sole auditee? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 14
L Corrective action following a wrong answer of the auditee ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 19
B Providing Auditee with Checklist prior to Audit General Auditing Discussions 48
M Auditee Evaluation of Auditors Example, Form or Template General Auditing Discussions 6
E Being IQA Team Leader and auditee - Auditor Independence General Auditing Discussions 9
Claes Gefvenberg The Ideal Auditee General Auditing Discussions 22
J Can I issue a NCR if the auditee did not comply what he is suppose to do? General Auditing Discussions 6
Marc GM says no more tailpipe emissions by 2035, carbon neutrality by 2040 World News 45
T What does AS9100 mean when it says you must establish a process to do X? AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 24
Marc NASA Says Oregon Company Metals Fraud Caused $700 Million Satellite Failure - 2019 World News 16
B Our NB says that IEC 62304 is an ISO 14971 Requirement ISO 14971 - Medical Device Risk Management 1
shimonv 21 CFR 820.20(d) says: Each manufacturer shall establish a Quality Plan 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 4
J jwmuola says Hello Coffee Break and Water Cooler Discussions 1
Marc FCC boss says he'll SHAME broadband firms for fibbing on speeds After Work and Weekend Discussion Topics 0
bobdoering Who says you can't calibrate a steel rule! Funny Stuff - Jokes and Humour 14
J Auditor says 5.6.3 should be discussed in Management Review Management Review Meetings and related Processes 62
Wes Bucey "Back Doors" to Encryption - NY times says NSA has them After Work and Weekend Discussion Topics 20
Wes Bucey A Headhunter says he has job hunt secrets Career and Occupation Discussions 7
O Is it an Assignable Cause only if the Control Chart says so? Statistical Analysis Tools, Techniques and SPC 16
S Auditor says a Minor Nonconformance will become a Major Nonconformance General Auditing Discussions 8
H 'You've got to find what you love,' Jobs says Career and Occupation Discussions 2
Marc Threat analyst says medical devices can be hacked remotely Other Medical Device and Orthopedic Related Topics 6
P Control of Monitoring and Measurement Devices - ISO 13485 Clause 7.6 says ... ISO 13485:2016 - Medical Device Quality Management Systems 3
J Quality Pros? Salaries on the Upswing, ASQ Salary Survey Says Career and Occupation Discussions 4
Stijloor IKEA US Says Thank You to All Its 12,400 Co-Workers World News 5
D Found Watch - Watch is "Element" and says "New York" Coffee Break and Water Cooler Discussions 16
G Dangerous Act - Auditor says major nonconformance for safety (risk) issue Occupational Health & Safety Management Standards 21
C Calibration Laboratory Location - GMP says in a secure bonded area General Measurement Device and Calibration Topics 5
Stijloor Ford Says It Made $2.7 Billion in 2009 World News 8
E FMEA Action Plan Threshold (RPN) - Auditor says Action Plan for an RPN > 84 IATF 16949 - Automotive Quality Systems Standard 21
J Modern man a wimp says anthropologist Coffee Break and Water Cooler Discussions 0
bobdoering Wheeler is back again! He says it is the last volley! Statistical Analysis Tools, Techniques and SPC 7
J Immortality only 20 years away says scientist Coffee Break and Water Cooler Discussions 20
P Attribute Control Chart in my Process - Black Belt says Not Appropriate Quality Tools, Improvement and Analysis 11

Similar threads

Top Bottom