What objective evidence can/can't be supplied during a customer audit?

[rwp_kennedy]

Hello,

I would like to know how members of this forum safeguard their confidential information during an external customer audit. For example, if the auditor requests to see objective evidence of your company's CAPA, internal audit or management review processes, what do you provide them with? Would showing them your documented procedure and forms suffice or should you supply redacted versions of a record?

With regard to management review, I would be leery to allow them to read through our managment review meeting minutes as they may contain information about our customer base which we would not want to disclose.

Additionally, I have heard that it's not a good idea to let an auditor read through your internal audit reports during a customer audit. Instead, it was relayed to me that a speadsheet should be created to show the auditor the status of planned audits, number of nonconformances generated and if the associated CARs have been closed out.

I appreciate any feedback the group has to share. Thanks in advance for your input!

 

[Ninja]

Howdy Kennedy.

Welcome to the Cove.

First order of business is to set expectations before the auditor arrives.
Surprising them with "We won't show you that" typically leaves a bad impression.

Before they arrive, let the auditor know directly that what is shown during the audit will be edited to protect proprietary information.

We typically set aside CA, PA, Mgmt review items dealing specifically with that specific customer ... things that they already know about...and show them those.

If none exist, find a CA that you are comfortable showing...and show that.

Letting a customer read through the log and pick what he want's to read?...not gonna happen.

In my experience, the customer's auditors are used to viewing edited info and have no issue with it (as long as they know from the start that it will be handled this way...again, surprises are bad)

From your question, I gather that this may be your first customer audit.
Discuss the scope and agenda with the auditor (or at least with the customer in writing) before they arrive.
If this is your first customer audit ever...you may even consider telling the auditor that so they can cut you some slack. I told my first auditor that it was my first time and he actually led me through what other companies do...it was pretty nice.
The auditor is not your enemy (even if they seem like one sometimes)...they are people doing their job.

I get audited a couple dozen times a year by customers...it's no big deal if you keep your wits about you. Getting all worked up about it is probably the most dangerous thing.

Good luck!

 

[Moonlight17]

Hi rwp

We have many client audits at our company and provide the auditor with policies/procedures/work instructions/forms, but never divulge sensitive or confidential information.

Our incident reports contain information on clients as do man review minutes and as we are registered as Data Controllers, we would be in breach by allowing this.

We have always found auditors are satisfied with:

• Audit schedules
• NCF/OBS summary
• Status of NCF/OBS

Hope this helps ya!

 

[John Broomfield]

Hello,

I would like to know how members of this forum safeguard their confidential information during an external customer audit. For example, if the auditor requests to see objective evidence of your company's CAPA, internal audit or management review processes, what do you provide them with? Would showing them your documented procedure and forms suffice or should you supply redacted versions of a record?

With regard to management review, I would be leery to allow them to read through our managment review meeting minutes as they may contain information about our customer base which we would not want to disclose.

Additionally, I have heard that it's not a good idea to let an auditor read through your internal audit reports during a customer audit. Instead, it was relayed to me that a speadsheet should be created to show the auditor the status of planned audits, number of nonconformances generated and if the associated CARs have been closed out.

I appreciate any feedback the group has to share. Thanks in advance for your input!

rwp_kennedy,

Only information that belongs solely to you or your customer as necessary to fulfill the audit objective.

The auditor must inform the auditee of the audit objective before the audit.

Of course you'll not provide any information regarding other customers but we must remember the definition of QA:

"providing confidence that requirements will be fulfilled".​

Being too guarded about the evidence of your management system's workings may not provide the confidence necessary for the customer to continue doing business with your company.

John