1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

Feedback on experience with external auditor

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Velvet, Nov 17, 2016.

  1. Velvet

    Velvet New Member

    Joined:
    Nov 17, 2016
    Messages:
    2
    Likes Received:
    2
    Trophy Points:
    2
    Hello to all,

    this is my first post and I apologise in advance for the lengthy text and any mistakes (I am not a native speaker).

    We are a small company consisting of 7 employees and are in the process of getting certified according to ISO 9001:2015 and 14001:2015. The first audit took place in April and the second by the end of October. We now have to hand in some additional documents before we hopefully get certified. My experience with these two external audits were so bad (I am tempted to say traumatizing) that I would like to get some feedback from you. I am already dreading any re-occuring audits in the next year(s).

    I have worked on our QM / EM documentation over the course of the past 2.5 years. I would therefore argue that I do have some experience with regards to QM / EM systems but I have no experience with external auditors (except one who performed our internal audit) so I would like to ask for your opinion about my experience with this auditor as I do not know if his behavior is common practice or not. Personally, I am extremely unhappy with how both audits went.

    Things that bugged me in particular:

    - He was working on his audit report while performing the audit. I understand that there is a need to take notes but I would expect that the auditor finalizes the report once the audit is over based on the notes that he took. I found this to be a particularly unpleasant situation because the auditor was practically, at least mentally, absent during his typing process while we had no idea what it actually was that he typed. Also, he simply started typing (no announcement), which didn’t give us the chance to say much more and meant that the rest of us was sitting in a dead-silent room not being able to do much else while we waited for him to finish typing. The actual audit was interrupted every half hour for a good few minutes.

    - After the first day I asked him, if he found any major deviation, which he denied. The next day, after 4 hours he said that there are so many deviations and our system is not conform to the Standards at all that another (third!) audit will be necessary because we would not be competent enough (I explain this in more detail below). I was absolutely shocked. A few days later he said that it will be sufficient to hand in some more documents and that he doesn't need to audit us again. Ehh?!

    - During the first audit, he criticized that I have no records of qualification in order to be competent enough to implement and maintain a QM / EM system. This was a major deviation and explained as follows: “The QM officer is not appropriately trained in the field of 9001/14001 - evidence: no records”. I agree that it makes sense to have received some sort of training but I do not find anywhere in the Standard that it is compulsory. In the end, it is us – the company – who decide who is qualified or not – and not the auditor?! Especially considering that I am not responsible for the QM / EM system of a giant company that has some zillion processes to maintain, I find this deviation very critical. Funnily enough, I then pursued a very expensive QM course and got a degree. While it was good for the exchange with others, I did not have to change a single document due to any new insight that I might have gained, which is evidence enough for me that the system was fine before.

    - The same issue now applies to the 14001 Standard. Again, my competence is being criticized. We have almost zero environmental aspects to consider as we only have office work to do and a very small production line. The only things we have to deal with is waste of paper, toner cartridge and electricity. The auditor agrees with that and even said in the first audit that he doesn’t understand the need to get certified against 14001 (it’s due to some customers’ requests) because there is just not much to consider from an environmental point of view. Yet the auditor thinks I need to have some record of EM skills and very clearly stated that I am not competent enough. [“There is a reason why “Environmental Engineering is a field of study.”] I now pursue another distance-course but feel like it’s a complete waste of time and money.


    - He went through the same topics over and over again. This concerned topics that we agreed we would need to have a look at again but he also criticized the non-existence of mandatory procedures although they very clearly existed and although I showed him the documents several times (supplier evaluation, for example). In the end when he wanted to include their non-existence in the audit report, he seemed very surprised when at this point I got a little upset and said that I already showed them to him a couple of times. It was only then that he realized “Oh hey, they are there.” It seemed like half of the time he didn't pay attention.


    - As we operate exclusively in the automotive industry, he was also not very happy that we have no (record of) knowledge of ISO/TS 16949, PPAP, VDA. He argued that it is very likely that we could not meet our customers’ requirements according to ISO 9001 and therefore the 9001 certification would be problematic. No customer requires us to have records of these competences and we don’t plan to get certified against ISO/TS 16949 either. I don't see why we need ISO/TS 16949 trainings to get certified against 9001. Of course, we sent some employees to trainings and lo and behold, the pure existence of these training records is suddenly efficient to meet our customers’ requirements.


    - I was pretty flabbergasted at the amount of times he interrupted and said “Listen to me now!” It happened whenever we tried to explain why we do certain things the way we do. Isn’t an auditor supposed to…well, listen rather than asking to be listened to?

    I appreciate when someone external has a look at our processes and provides a new sight on things but this auditor made me question my entire right to exist in this position, especially because he openly questioned my competence so often. I want to work with the auditor and not have the feeling that he works against us and this form of interrogation (it really didn’t feel like a dialogue) made me feel very much at unease.

    During my trainings, I spoke to two other auditors and raised some concerns about our auditor. They agreed that his expectations and demands are over the top but I was worried that they only said that to get some new business, and if it’s just as external auditor who performs internal audits. Also, our internal audit was performed by an external auditor. He had no doubt that we would easily pass the certification and that everything was according to the standards except for some minor things that he would improve.

    Can you please give me some feedback as to what you think about this auditor? Is he right in his jugment? We would like to ask the certification body to get another one next time but I am really afraid that the new guy might be even worse or that indeed, this is common practice and I just have to get used to this sort of police interrogation.

    Thanks in advance!

    Best regards
     
    etorresg likes this.
  2. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Velvet - welcome and we understand your frustration! Some of us have shared a similar experience. Sadly, with the ISO 9001:2015 standard it has really "sorted the men from the boys" in the auditor's world. Too many, IMHO, ride roughly over client, like they know more, when, in fact they know much, much less, having never been responsible for implementation of a QMS in recent history.

    Bottom line is that you should reject the auditor and his "findings" (and his attitude) and either demand a repeat with a better auditor, or find another CB to take over, making sure you interview the auditor beforehand.
     
    etorresg and MCW8888 like this.
  3. Golfman25

    Golfman25 Well-Known Member

    Joined:
    Nov 6, 2015
    Messages:
    816
    Likes Received:
    402
    Trophy Points:
    62
    Hey, I know that guy. I had him last year. In the end, it cost his company a client. Many just don't know how to handle a small company like yours.

    As to working on the audit report, that's ok. You want him to do that so he can leave you with a completed report at the end of the closing meeting. Also, the more time he spends typing the report, the less questions, investigation, and trouble he is causing. Just sit there quietly and know that each minute that passes is one less minute of auditing.

    As to the major/minor non-conformances, it sounds like you didn't have a single big one, but many small ones, which turned it into a major. It happens. Fix them and move on.

    As to records of competence, I don't think the standard requires any specifics. You can gain competence without a "certificate." Now as a small company, he can't expect you to have a level of competence that he does - someone who spends his life looking at these things. It sounds like you struggled a little bit. It's not uncommon. I always felt that the auditors had all of this "secret" information - which they did thru their employer resources, conferences, etc. You'll learn more each year. It's a process.

    As for mandatory procedures, sometimes auditors fall into the "everybody does it this way mentality." So they don't see the obvious when it is right in front of them. Also, sometimes they don't communicate their request as well as they should, so we struggle to find what it is that they are looking for even though it is right there, plain as day.

    TS requirements are beyond the scope of his audit. He has no business there. Heck, even you don't want to go there. :)

    We have had some real doozy auditors over the years. Like I said, they get into a "this is how you do it" mentality. I had one even tell me "we should do it like everyone else to make it easy for her." I suppose if you adopt a "best practice" and do it like everyone else they don't have to think and justify why your way is sufficient to meet the standard. Some of them like to talk and spout off about this and that. Thing is, we being as old as we are, we considered and tried most of what they said in the past and many "suggestions" aren't viable or value added for us. Your best bet is to take notes, take their suggestions under advisement, and then do what is best for your organization.

    Here's the real frustration. You'll do a bunch of stuff the auditor wanted so you'll "pass" and get certified. Then a year or two later, you'll get a new auditor who will shake his head and ask "why are you doing that?" Our answer is usually "if you don't think we have to, we'll be more than happy to stop."

    So summing up, you experience isn't unheard of. I don't think it is regular. But every so often you get one. We have had 2 like that in 12 years. Just ask your CB not to send him again. Hopefully the next one will be better. Good luck.
     
    etorresg and Candi1024 like this.
  4. MCW8888

    MCW8888 Well-Known Member

    Joined:
    Aug 17, 2015
    Messages:
    642
    Likes Received:
    198
    Trophy Points:
    42
    Welcome to the club Velvet!!! One of the facility passed the upgrade to ISO9001:2015. It was such a bumpy ride that resulted in appealing all the findings - except 2. Furthermore the manufacturing facility filed a complaint. The CB auditor will be replaced next year. From my perspective, this standard is new even the CB auditors are finding it hard to do audits. The lesson that I learned from this experience: be familiar with the standards and during the closing, the auditor have to articulate the "SHALL" requirements and the nonconformities and the client have to accept it. During our audit, the auditor already knew that we will appeal the results. Bottom line is this: you are not alone. If you really want to know how to implement this standard, get a copy of ISO/TS9002. This is a guideline for implementing ISO9001:2015. I accidentally found it somewhere is the website.
     
  5. Velvet

    Velvet New Member

    Joined:
    Nov 17, 2016
    Messages:
    2
    Likes Received:
    2
    Trophy Points:
    2
    Thank you for your responses!

    I can report now that our auditor passed on his recommendation to the CB for us to get certified.

    Now I have got a question with regards to the rejection of audit reports. What would this process look like in practice? During the audit I very often found myself in a situation where I would not agree with the auditor but he would not accept my disagreement or evidence that I showed. I had (still have) the impression that once there is a disagreement, you can not win so I can not imagine what an official rejection would look like. I assume we would inform the auditor and he would send the rejection to the CB but then for some reason I think that they are much more likely to trust the auditor’s opinion rather than ours and that our rejection would simply not be accepted. I presume though from what I read so far that sometimes the rejection will be accepted. Can someone please give me an example of what the procedure normally looks like?! They probably don’t just say “Okay, you’re right, forget about the finding”?!

    I also have concerns about the “observations” mentioned in our auditor’s report. It is stated in the appendix of the CB’s report template that only major and minor deviations need to be sorted out. In the process of the follow-up audit the auditor however informed me that even his observations need to be sorted out until the monitoring audit takes place. And not just in a “We considered this but don’t agree and don’t find it applicable”-way but in a “Okay, here is the evidence that we addressed and corrected the root of your observation”- way. According to him we need to treat the observations just like the minor / major deviations but instead of having only 90 days’ time, we have a year to sort them out. I suppose at the end of the day we can rely on the terms of the CB and will not be forced to sort out all observations as well just because the auditor thinks that’s the way to go?

    We were also informed that we can not get another auditor for the follow-up audit… apparently the auditor got in touch with the CB to check up on that question. I am now a bit surprised by the CB's attitude as well. I have not heard from them since March. Once it was certain who would audit us, they completely withdrew. They didn't catch up with us after the first audit, not after the second audit and not after the follow-up audit. Maybe this is not common practice but since we are new customers, have not been certified before (and are therefore completely new to this whole procedure) I expected they would show a little more interest. Or any interest. Wouldn't they at least want to know why things apparently went so badly that we want another auditor? I feel pretty much left out in the rain by both the auditor and the CB. Even now that we get certified (something we should be happy about) I feel like I still don't know anything about the CB's internal procedures (how the auditor's recommendation will be handled? By who? Have they even received it? What's the time span for us to receive the certificate?), what the next steps are once we get certified etc. No plans, no information, no nothing. Again, is this the normal procedure? Of course, I could simply ask them these questions but I don't feel like it should be our responsibility to ask them questions that they should know are so generic and essential that they should be addressed by themselves and without being requested to do so...
     
    Andy Nichols likes this.
  6. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Hi Velvet:

    Thanks for taking the time to share more information. According to the ISO/IEC 17021 requirements - which IAF member accredited CBs are required to follow (is yours an ANAB or similar accredited CB?) the CB has to have and publish an appeals process. Use that to reject the findings and also tell them their auditor didn't meet the requirements laid out in ISO 19011 (I can provide a list of attributes from here if you need).

    It occurs to me that, because the CB hasn't been in touch, plus they have this meathead on their books, they might not be best placed to serve you, now or in the long term. As messy as it sounds, you can still change your CB to one who is empathetic and will give good service - they ARE out there, believe it or not.!

    You can - and I wish more would - lodge a complaint directly with the accreditation body (ANAB if you are in the USA for example - here: http://anab.org/programs/isoiec-17021/feedback/complaints/ ) once you've been through the process with the CB, I'd suggest.

    If you'd give me some "inside" info at my private email address anicholsqa@gmail.com I'd be happy to see if there's someone I know in the industry who can help you. After all, they say it's not what you know but whom...
     
  7. Golfman25

    Golfman25 Well-Known Member

    Joined:
    Nov 6, 2015
    Messages:
    816
    Likes Received:
    402
    Trophy Points:
    62
    Velvet,

    I can help a little bit. My experience is with TS which is a little more stingy, but still my be relevant.

    1) "Arguing" with certain auditors during the audit is useless. They see the evidence as they see it and it seems get paid by the non-conformance. Really good auditors will at least consider your point of view. Sometimes they will agree after "sleeping on it." Other times they will at least give you an articulated justification for their view.

    2) As for appealing to the CB, be careful. Like you said, they are likely just to accept the auditor's view. I had an appeal and it was worse than the audit itself. The person who handled it didn't even read my submissions. Their basic response was "I'll need to check with the auditor." It basically went nowhere. And as Andy indicated, they have their appeal process "published" somewhere.

    3) Observations are not findings. Throw them where they belong - in the trash. I am not even aware that auditors even bother with observations these days.

    4) You have every right to request a new auditor for the next audit. And it is apparent your CB sucks, just like mine. They are really bad at communicating. I am done with ours. I would rather let our certification expire and start fresh with someone new than deal with their BS. Take Andy up on his offer and good luck.
     
  8. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    We are now in the 2015 version and there is no requirement about "mandatory procedures". Even the word "procedure" no longer exist in the 2015. In 2008, there are 6 procedures that are mandated to be documented. In ISO/TS 16949, there are 7.
    Findings of deviations can only exist if there are requirements that you've deviated and evidences of deviations. NC is defined as non-fulfillment of a requirement. So your auditor must present them to you.
    There is no requirement that QM Officers or Management Representatives must have records of training. As long as he/she can demonstrate that his/her assigned responsibilities are being fulfilled - he/she is competent. Competence is defined as the "ability to apply knowledge and skills to achieve intended results". Records of training do not and cannot be equated to competence.

    Your CB might be offering training and seminars on Management Representatives of QMS/EMS or the automotive core tools, so findings for not having these courses is, IMHO, a sales pitch.
     
    Andy Nichols likes this.
  9. Daniel Padilla T

    Daniel Padilla T Member

    Joined:
    Jun 14, 2018
    Messages:
    44
    Likes Received:
    17
    Trophy Points:
    7
    Is it possible to reject an NC after the external audit has ended (e.g. two days later)? Or it has to be appealed before or during the closing meeting?
     
  10. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    An NC should always be (carefully) reviewed with the auditor before they close the audit. However, there are some situations where the auditor believes they have recorded the facts and won't close the NC. In that case, the CB has to have a resolution process (under ISO/IEC 17021) so feel free (as long as you can substantiate your version of the facts) to reject the NC
     
    Daniel Padilla T likes this.
  11. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    Yes, there's no prohibition. Section 9.7 of ISO/IEC 17021-1:2015 has provisions on handling appeals by the CB client.
    Should be, while the audit participants are there to defend their positions. However, there's no "shall" in the auditing standards that appeals are no longer acceptable after the closing meeting.
     
    Daniel Padilla T likes this.