
Your advice, please

Discussion in 'ISO 19011 - Auditing Management Systems Guidelines' started by Andy Nichols, Nov 9, 2020.

  1. Andy Nichols

    Andy Nichols Moderator Staff Member

    An internal audit is going to be conducted on an organization, currently ISO 9001:2015 Certified. During a desk audit, it is discovered that:
    1. The whole system has NOT been updated since the 2015 version was released and many requirements of 2015 cannot be located. Indeed, the QMS is still numbered per the 2008 version, so items such as section 4 are not mentioned, nor is section 6.
    2. The scope includes "design", but the organization doesn't have a design process and the quality manual states if design is required, it'll be subcontracted.
    3. There are references to ISO 9001:2000 in the documentation.
    The organization has been certified by an ANAB-Accredited Certification Body since before 2000.

    Should the internal auditor go ahead with the audit (to satisfy the procedure and ensure continuing Certification) and report all the apparent non-conformities to the ISO 9001:2015 requirements? What risk is there that the CB auditor will be alerted to the fact the management now realize he/she's totally incompetent and their Certification is meaningless? How should the company respond to the CB auditor?
     
    Last edited: Nov 9, 2020
  2. Eric Twiname

    Eric Twiname Well-Known Member

    Is this a hypothetical to start a discussion? Or a real thing you are facing?

    My advice:
    1. Internal auditor should audit the areas they were brought in to audit, auditing against the 2015 version, and write the findings. (In short, do their job)
    2. Sounds like they do have a design process...in short, it reads "Find an outsource partner".
    3. So what? Is it bad to have references to fried chicken as well? Does the 2015 version require that no references to 9001:2000 may exist? The question is whether or not the documentation satisfies 2015.

    Go ahead with the audit.
    Write the findings.
    Risk to the CB auditor is nil if they do their job. Risk is high if the company reports them (they won't)... but who cares? People tend to be at high risk when they don't do their jobs.
    Company "should" respond by updating to the degree needed to meet the requirements of 9001:2015.
    Company likely "will" respond differently given the anecdotal evidence already given.
    So someone found that BG auditor ... I'm the last one that would ding them for it.
     
  3. Golfman25

    Golfman25 Well-Known Member

    I'd do a bit more research so I knew what I was stepping into. I would want to see the last few CB audit reports. Maybe the stuff is there but I am missing it? If it is, then problem solved. If not, then audit and document findings. Go from there.
     
  4. John C. Abnet

    John C. Abnet Well-Known Member

    Well @Andy Nichols ;
    Shall we assume you are "asking for a friend" or is this, sadly, a real world situation ? ;)

    My professional opinion is simply "do the right thing". "Swallow the medicine", "rip off the band-aid" and any other applicable metaphors.

    The purpose of the QMS (as you well know) is not to please the CB, but to benefit the organization and its customers in a manner which meets the requirements of the standard. To do that, diligence, transparency, and (sometimes) bravery are needed.

    If I came into a leadership role in an organization, and on my first day my team came to me with this exact scenario, the aforementioned is what I would tell them.

    Hope this helps.
    Be well.
     
  5. Andy Nichols

    It's a real situation. The audit will be done. They don't have a product, there is no design process (they can't sub-contract it and claim design responsibility!). And yes, it matters, unlike fried chicken, requirements change! How can an organization "perform internal quality management audits to ensure the ISO 9001:2000 are being maintained", here in 2020? Nice try, but the fried chicken thing is just that. Fried. Chicken.
     
  6. Andy Nichols

    Not worth the paper they were written on. Auditor spent most of the time in a conference room (that's like doing a "remote/virtual" audit isn't it?) or pontificating about how to do proof tests on the lifting gear they used to move tools.

    The risk is how to write up all the issues which could be viewed by the CB auditor as a warning that the client has "rumbled" them to the last 5 or so years of ineffective CB audits...and the potential repercussions for them.
     
  7. Eric Twiname

    ??? no idea where to go with that one
    Which bullet point or clause is that violating?
    If they outsource all aspects of design, and take responsibility for the result...they are design responsible.
    The question is whether the internal audits ensure compliance to 9001:2015.
    It's easy enough to rev that document to say "9001" instead of "9001:2000" and be done with it...the document isn't the point, the internal audit function is.
     
  8. Miner

    Miner Moderator Staff Member

    Do you mean they have no physical product? Do they provide a service or an intangible product such as information? Otherwise, why is ISO 9001 even applicable?
     
  9. Golfman25

    IDK. To me it seems like something else is going on. Are you saying they are certified to 2015 but have nothing related to the updated 2015 standard implemented? If so, it would seem like some type of fraud is going on.
     
  10. Eric Twiname

    At the end of the day, I typically default to...do it right, whatever it is you are charged to do or paid to do.
    If someone else was cutting corners (or committing the above mentioned fraud) and me doing it right shines a light on it...at least it wasn't me committing fraud, or intentionally doing it wrong.

    Pertinent question: Do you have a dog in this fight? Or are you just hired to do a job right? If it hits the fan, are you part of the splatter-mess?
    I might suggest a different approach if that answer is "yes".
     
  11. Eric Twiname

    Sounds to me like the company has excellent 'auditor handling skills'. I applaud them.
     
  12. Andy Nichols

    No, not fraud, just an incompetent auditor...
     
  13. Andy Nichols

    Possibly, but the auditor is clearly incompetent. So not much skill involved...
     
  14. Andy Nichols

    They don't have a product they can be design responsible for.
     
  15. Andy Nichols

    The about about having a system and processes and applicability - section 4. You can't claim design responsibility in your scope and then sub-contract it! The scope would have to say so... Just like you can't claim "manufacturing" and then sub-contract it. This isn't some kind of shell game. It's supposed to describe what the company does. Or doesn't do.
    You're missing the point - especially when going off on a tangent about fried chicken. It's not about FIXING things. The point is, WTAF has the CB auditor been doing/thinking in 20 YEARS auditing this place, that they never even made a small point of "hey fix that will ya?" The auditor has been taking the client's money and been worse than a thief. More to the point, being presented with this year's internal audit report which will show copious ccs for basic 2015 requirements not even close to being met, how will he react? It's like someone is pointing out the Emperor's new clothes...
     
  16. Golfman25

    How about this? Rather than doing it thru an internal audit, do it thru a gap analysis. Go in and fix the known issues, then do the audit. Fixes the issue without the CB auditor "knowing" about it. Obviously, the conversation eventually has to be regarding a new auditor.
     
  17. Eric Twiname

    Not sure how to reply, or even whether to...but here it is so that's one decision made...

    I've seen, admired, agreed with, disagreed with, applauded, etc. many of your posts and advice over the years...I think I know where you're coming from, what you want to see in a healthy company and some of your pet peeves.
    FWIW, it seems (on a typed forum, so who knows?) that you are reacting out of some of those pet peeves...so I'm showing some of the other side as the advice you asked for.

    I'm not trying to tangent onto anything...simply pointing out that obsolete references not being updated are not 'non-compliance'. It took us years to remove all the references to QS9000 when that went away. The old references didn't hurt anything.

    From what you describe, the documentation in the company has not been effectively updated for decades. My ask is simply whether the documentation is effective enough for running the business the way the company chooses to run the business.

    We will disagree on design responsibility, so there's no point hashing any deeper into that one.

    You say this is a real world situation, and you are asked to perform an internal audit.
    I (safely) assume that this is your first internal audit for this company, else stuff would have been fixed already and you wouldn't be asking for advice.
    Not knowing the reason they called you, instead of using whomever they have been using (if any)...I advise to do the job they are paying you to do, and to help them retain/regain/establish compliance to the standard against which you are auditing. The end.
    I have oft stated that I WANT internal auditors to do "consulting" along the way if they feel it warranted...this one seems like a case in point...they need more than an internal audit.

    If some other has been dropping the ball for a decade or more, and finally gets caught...that's not your problem (unless it was you, which I doubt).
    If the company learns valuable information about their CB auditor(s), I say good.
    If someone who has been charging these folks for a decade, but not doing their job gets fired/sued/reprimanded...that also is not your problem (unless it was you, which I doubt).

    So you're really down to two options: Do the job right, or don't take the job.

    I hope I haven't offended, either in this post or above, it certainly was not the intent.
     
  18. Andy Nichols

    Everyone, all good, technically accurate and on-point answers! Let's apply some "risk-based thinking" to the situation. Let's say the internal audit is complete and 10 or more non-conformities were reported, all for significant issues: multiple requirements of ISO 9001:2015 have never been defined or included in the QMS.

    What's the risk of an adverse reaction a) by the client and b) by the CB auditor?

    The client believes their system meets the 2015 requirements - they have a Certificate, after all.

    The CB auditor's last surveillance visit reported ZERO issues.
     
  19. Andy Nichols

    The surveillance audit happened. It was terrible. The auditor exhibits all the behaviors of someone with passive-aggressive traits. The verbal discussion was all over the place and downright misleading. The auditor confused the crap out of the customer. The auditor left without leaving a clear picture of what actions were needed, if any. 2 weeks later, still no audit report. Disgusting!
     
  20. tony s

    tony s Well-Known Member

    Did the results of the internal audit affect the surveillance audit?