1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

ISO9001 Clauses in audit reports

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Anna Wagstaffe, Mar 13, 2019.

Tags:
  1. Anna Wagstaffe

    Anna Wagstaffe Member

    Joined:
    May 25, 2017
    Messages:
    24
    Likes Received:
    10
    Trophy Points:
    2
    In my more recent ISO9001 internal auditor training, stating the (singular) clause which is being contravened was identified as a requirement. Since transitioning to ISO9001:2015 I am finding it harder to do this.

    It occurred to me that the standard specifies what should be included in our processes, so by the time a specific non-conformance against our documented processes is raised this is often either split between more than one which is equally valid, or seemingly fairly tenuous so that justifying it can be difficult (even though it is a genuine problem). I was therefore wondering how much value is there in searching through the standard to choose the most appropriate clause?

    Could I have some views on this please?
     
  2. Golfman25

    Golfman25 Well-Known Member

    Joined:
    Nov 6, 2015
    Messages:
    816
    Likes Received:
    402
    Trophy Points:
    62
    For an internal audit, you only need to cite the requirement, whether it be the clause, the procedure, the form, etc. and then the non-conformance. So if it's non-compliance with a procedure, just cite the procedure. If there is a question about the procedure and it's applicability to a specific clause that can be mentioned and/or evaluated by the "quality gurus." Good luck.
     
    Anna Wagstaffe likes this.
  3. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Yes, indeed! Don't do it! It's not really necessary for you - as an auditor - does it. It could, for example, be done by the "management representative" or "audit process owner" or whomever has responsibility for management review to determine what's what.;)

    IMHO, too many trainers only know one model for teaching QMS auditing - which is the CB process. It's not the right one, but they don't know that, bless 'em. After all, it's the way they were trained and, as if confirmation were needed, their clients NEVER get written up for internal audit problems! :rolleyes:

    Except, the management have no clue what their internal auditors are doing...:confused:
     
  4. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    For internal audit, you are not required to identify a clause from the standard to raise an NC. Reading from clause 9.2.1, it says:

    "... conduct internal audits at planned intervals to provide information on whether the QMS... conforms to the:
    • organization’s own requirements for its QMS;
    • requirements of this International Standard"
    From this requirement it is very well possible that an NC can be set against a relevant requirement, without the need to refer to a clause in the standard.
     
  5. Anna Wagstaffe

    Anna Wagstaffe Member

    Joined:
    May 25, 2017
    Messages:
    24
    Likes Received:
    10
    Trophy Points:
    2
    Thanks guys, that makes sense. I am both the primary internal auditor and the "management representative".

    I am fortunate that my top management have bought in sufficiently that they view the standard as guidelines for the business running optimally and I don't get many "where does it say we have to ....?".

    Just for context, this was an NC against our design development process, found during an audit of our procurement process.
     
    Andy Nichols likes this.
  6. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    Where is it stated in the ISO 9001 standard that recommendations for improvement are prohibited on internal audits?

    Even section 6.4.8 of ISO 19011:2018, in generating audit findings, mentions this statement: "When specified by the audit plan, individual audit findings should include conformity and good practices along with their supporting evidence, opportunities for improvement, and any recommendations to the auditee".

    Further in section 6.4.10, when conducting closing meeting, this is specified: "If specified by the audit objectives, opportunities for improvement recommendations may be presented. It should be emphasized that recommendations are not binding".

    However, in external auditors, this statement from ISO/IEC 17021-1:2015 should be taken into account: Opportunities for improvement may be identified and recorded, unless prohibited by the requirements of a management system certification scheme".
     
    Andy Nichols likes this.
  7. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    722
    Trophy Points:
    112
    Location:
    USA
    It may help to view the finding as a type of issue. We have the symptom as objective evidence, but the issue is in a process. Further exploration of the issue may be needed to make a decision.

    For example:

    Corrective action recording activities are being moved from Lotus Notes to a new database. An audit of the corrective action process found that during the transition, several corrective action records (issued from internal audits) were not available in any form. We have 3 clear choices of clauses:
    • 6.3 Planning of changes
    • 9.2.2e take appropriate correction and corrective actions without undue delay (after further review it turns out this does not clearly apply because actions have, after all been taken - just not recorded in any way)
    • 10.2.2 ...shall retain documented information as evidence of...
    It is common to point to 10.2.2 and that would not be incorrect, but there are many databases being moved so this could happen systemically. So I choose 6.3.

    As an option, an audit of change management may be opened based on this finding, which is welcomed as a planning consideration in 9.2.2.

    While I agree that we should refer to internal process documentation whenever possible, there might not be any documented procedure for the subject at hand, as in my example no more requirement for the 6 previously required documented procedures.

    Design-related nonconformities should be considered closely for critical status based on their relation to customer receipt of product conforming to requirements. For that reason I also am skeptical of issuing OFIs to Design. I also agree that the stated OFI is a clear nonconformity, though Minor unless it can show a direct cause-and-effect relationship to nonconforming product shipped to customer.

    I hope this helps!
     
    Anna Wagstaffe likes this.
  8. Golfman25

    Golfman25 Well-Known Member

    Joined:
    Nov 6, 2015
    Messages:
    816
    Likes Received:
    402
    Trophy Points:
    62
    Not sure why this is a "major." But this is exactly why owners/top management dislike the whole ISO process. It takes someone's mistake and makes a huge deal out of it, a complete overreaction -- major non-conformance, having to go back thru every audit report, etc. All completely ridiculous based on the finding. The OFI/finding was that competency was not assessed -- actually that is wasn't documented. It was not that the persons were not competent and all sorts of bad parts where being made. Now instead of sitting down with the auditor and making sure they understand (or need some additional training), and making sure the operators in question where in fact competent, we have to "redo" everything. This will have a chilling effect on auditors' future reports -- nobody wants to be "that guy."
     
  9. Golfman25

    Golfman25 Well-Known Member

    Joined:
    Nov 6, 2015
    Messages:
    816
    Likes Received:
    402
    Trophy Points:
    62
    No it does not. You have one auditor who made one mistake. Without evidence of multiple auditors making multiple mistakes -- i.e.; a complete breakdown of the internal audit process -- it isn't a major in my book.
     
    John C. Abnet likes this.
  10. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Tony: Great points, well made. Our reality is that too many auditors see things in only one way - which in itself is contrary to the attributes in 19011! All audits to these people are created equally, which is very far from the truth, experience shows. When the lines become blurred between these 3 distinct activities (internal, supplier and CB audits) things go right off the rails and management - as you stated earlier - become frustrated by the whole ISO 9001/Certification industry. When all quality management audits are treated as "one-side-fits-all" and zero is done within an internal audit program to report to management in ways they understand, there is NO improvement. Add to that arcane "grading" of audit reports and all that attendant BS (I don't mean British standards, either) then so-called professional auditors should ask themselves what they actually did to improve their clients bottom line - at least to the cost of their audit at a bare minimum. My guess is, the vast majority couldn't quantify that, but can spew clause numbers and other esoteric mumbo-jumbo as if it's meaningful to anyone else.

    At Xerox Corp back as far as the 70s, their internal audit program required the internal auditors to dollarize their findings to ensure management knew what actions were necessary and when...
     
    John C. Abnet and tony s like this.
  11. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    I re-read your post and I stand corrected.

    Just to add more about converting NCs to OFIs. Section 9.4.5.2 of ISO/IEC 17021-1:2015 has this statement: "Audit findings, however, which are nonconformities, shall not be recorded as opportunities for improvement".
     
    Andy Nichols likes this.
  12. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    Reporting NCs as OFIs go against the intentions of clause 10.2.1 where it says "When a nonconformity occurs... react... take action... deal with the consequences... evaluate the need for action to eliminate the cause... etc". Nonconformity as defined by ISO 9000 is "non-fulfillment of a requirement" and must be acted upon. Unlike with OFIs which are not binding (as per 6.4.10 of ISO 19011:2018). However, labeling this issue as "major NC" is a sweeping statement.

    I have a copy of ISO/IEC 17021-1:2015 and looking at section 3.12 of this standard, I fail to see that this issue merits a major NC.
     
    John C. Abnet likes this.
  13. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Some great points, Tony. Such discussion, (even though I can view only one side of all of it) goes to demonstrate (to me) just how auditing has gone off the rails because of the CB audit(ors) influences. Grading isn't and shouldn't be entertained in internal audits. Thereby, Major, minors and OFI are a moot point. Having an external audit then suggest that internal auditors should be subject to the same "mission creep" of the IAF accreditation bodies (no soft grading) is totally bizarre. Grades mean nothing - you only have to see the rubbish people are left to deal with to know that. What's important is that management see the need for action, not what box got checked off on a NC form.
     
    Last edited: Mar 19, 2019
    John C. Abnet and tony s like this.
  14. Golfman25

    Golfman25 Well-Known Member

    Joined:
    Nov 6, 2015
    Messages:
    816
    Likes Received:
    402
    Trophy Points:
    62
    What is your source for that? That scheme was adopted by the automotive people (IATF) several years ago. I have yet to hear it adopted by anyone else.
     
  15. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    1,350
    Likes Received:
    1,054
    Trophy Points:
    112
    Location:
    Laguna Philippines
    I guess you only explained the differences on HOW an organization and its CB will deal on both types of NCs. I'm more interested in their differences on WHY an NC is a major or minor for you and your CB. Because most of the issues that we discussed here and in other threads you are involved you always label them as major NCs, and I keep on asking your definition of a major NC.

    Can you enlighten us?
     
    John C. Abnet likes this.
  16. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    1,071
    Likes Received:
    722
    Trophy Points:
    112
    Location:
    USA
    We (DQS) do it for all standads. We are additionally expected to issue a minor nonconformance for corrective action based on the evidence of failure. I don't think that is strictly required, but my ANAB witness auditor approved of the practice when we came across it.