When audit NC requires only correction

[Jane's]

I was wondering how unusual is it to provide just a correction and no corrective action to an audit NC. The audit NC is minor and it is one of its kind, so there is no trend or multiple occurrences to establish a defined root cause.

TIA for your replies.

 

[Sipes2]

I have never seen that done. I have always used an 8D type of response. Please let us know if your correction was accepted

 

[Jane's]

Will do

Meanwhile it would be nice to know that other ppl have done that too. I should add that risk was calculated as low and our current process allows for this (it's just that we have never used that for an audit NC).

 

[ScottK]

Sure - it's up to the auditor and his organization's policies.

It's still pretty standard practice that if a one-off finding is corrected by the time of the closing meeting it won't count as a finding... whether the auditor makes you follow the full corrective action process is up to them and they would likely make that judgement base on potential risk.

If it's really super simple, like a page missing from a printed document where the pdf version is whole, I would let that go with just a correction... unless I saw a second instance.

 

[qualprod]

It is normal to apply just corrections, moreover for what you say is a minor issue.
It is not recommended to do a full CA for everything.

 

[Jane's]

The NC is minor by definition and calculated risk is low due to low occurrence and high detection, but the issue itself is maybe not minor per se. My problem is that:

1. there is no other occurrence of a similar NC,
2. the NC precedes me (the content which contains an error was written by the former staff), and
3. we already have a mechanism in place to prevent this from happening again - compliance with applicable standards and regulatory requirements is required throughout our processes. The NC was that retention time for certain records was set to be shorter than that required by the EU regs.

Any additional thoughts much appreciated.

 

[Marcelo]

The NC was that retention time for certain records was set to be shorter than that required by the EU regs.

I'm not sure how this is a minor NC. Your company is already required, including by applicable regulations, to comply with regulations. If you are not complying, this is a very serious NC. Why did this happen? Why were your system not complying with something. It should? Did anyone check compliance with all applicable regulatory requirements? If so, why the person did not note this? How many more regulatory requirements is the company not complying with?

we already have a mechanism in place to prevent this from happening again - compliance with applicable standards and regulatory requirements is required throughout our processes.

Doing something that you should already be doing (as mentioned, this is already required by the standard and by the applicable regulations) is not something that controls the risk, and I don't see how it will prevent this from happening again as the NC itself already is a case of this not happening.

 

[AndyN]

I was wondering how unusual is it to provide just a correction and no corrective action to an audit NC. The audit NC is minor and it is one of its kind, so there is no trend or multiple occurrences to establish a defined root cause.

TIA for your replies.

What type of audit is it? External? Internal? When people answer, without knowing this information, it becomes very difficult to provide an accurate, "quality" answer.

 

[Jane's]

I'm not sure how this is a minor NC. Your company is already required, including by applicable regulations, to comply with regulations. If you are not complying, this is a very serious NC. Why did this happen? Why were your system not complying with something. It should? Did anyone check compliance with all applicable regulatory requirements? If so, why the person did not note this? How many more regulatory requirements is the company not complying with?

I agree with you that severity of the NC is high and that is how we evaluated it too, but this is still a minor NC. For all I know, that could have been a typo showing 3 where it should have been 5 in the table which specifies the records retention time. As i said, this was established by former staff, so i can't ask them what happened or re-train them or whathave you.

Note that a major NC/QMS breakdown would be not having any requirement for records retention. How do we know other EU req's are met? We completed the essential requirements checklist, Annex I (we are class II, so self-declared).

Doing something that you should already be doing (as mentioned, this is already required by the standard and by the applicable regulations) is not something that controls the risk, and I don't see how it will prevent this from happening again as the NC itself already is a case of this not happening.

I am not sure I understand what you are saying in this paragraph, but I appreciate the effort.

@AndyN: It's an external. I know, i'm feeling pretty brave just talking about it

 

[AndyN]

Most external auditors look at things as if they are an "iceberg" - by which I mean the auditor thinks "If I found it, it must be that there's much more below the surface". That's instead of them taking time to understand how systemic the issue is. So, they treat everything as if root cause is needed instead of allowing things to be corrected...