An auditee has opted to keep his records as Google Docs since our IT people moved us from Lotus Notes to Google mail. I wrote a nonconformance based on their losing records during the switch. They dug up paper copies and scanned them in. Now I am refusing to close the CA based on a lack of system corrective action: their not having a written procedure that addresses the requirements of TS16949, 4.2.4. My auditee has obtained the attached Google paper and wants to use it as a procedure.
I have said it isn't good enough because it does not go into enough specifics on how the data is protected and how my people might go about retrieval from backups (even if that is simply who we contact in Google) should a data loss occur.
My auditee says "Well, Google is certified SAS 70," to which I respond that's great, but the IT group has not yet established that as a proxy for providing specifics about how data will be protected.
Bottom line is, neither corporate nor internal procedures yet exist for supplier control of contracted data management; they just haven't thought of it yet and were unlucky enough to have me audit them and bring it up as an issue.
Am I being too hard on my auditee?