Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

ISO9001 Clauses in audit reports

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by Anna Wagstaffe, Mar 13, 2019.

Tags:
  1. Anna Wagstaffe

    Anna Wagstaffe Member

    Joined:
    May 25, 2017
    Messages:
    17
    Likes Received:
    7
    Trophy Points:
    2
    In my more recent ISO9001 internal auditor training, stating the (singular) clause which is being contravened was identified as a requirement. Since transitioning to ISO9001:2015 I am finding it harder to do this.

    It occurred to me that the standard specifies what should be included in our processes, so by the time a specific non-conformance against our documented processes is raised this is often either split between more than one which is equally valid, or seemingly fairly tenuous so that justifying it can be difficult (even though it is a genuine problem). I was therefore wondering how much value is there in searching through the standard to choose the most appropriate clause?

    Could I have some views on this please?
     
  2. Golfman25

    Golfman25 Well-Known Member

    Joined:
    Nov 6, 2015
    Messages:
    530
    Likes Received:
    198
    Trophy Points:
    42
    For an internal audit, you only need to cite the requirement, whether it be the clause, the procedure, the form, etc. and then the non-conformance. So if it's non-compliance with a procedure, just cite the procedure. If there is a question about the procedure and it's applicability to a specific clause that can be mentioned and/or evaluated by the "quality gurus." Good luck.
     
    Anna Wagstaffe likes this.
  3. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    2,357
    Likes Received:
    1,220
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Yes, indeed! Don't do it! It's not really necessary for you - as an auditor - does it. It could, for example, be done by the "management representative" or "audit process owner" or whomever has responsibility for management review to determine what's what.;)

    IMHO, too many trainers only know one model for teaching QMS auditing - which is the CB process. It's not the right one, but they don't know that, bless 'em. After all, it's the way they were trained and, as if confirmation were needed, their clients NEVER get written up for internal audit problems! :rolleyes:

    Except, the management have no clue what their internal auditors are doing...:confused:
     
  4. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    776
    Likes Received:
    538
    Trophy Points:
    92
    Location:
    Laguna Philippines
    For internal audit, you are not required to identify a clause from the standard to raise an NC. Reading from clause 9.2.1, it says:

    "... conduct internal audits at planned intervals to provide information on whether the QMS... conforms to the:
    • organization’s own requirements for its QMS;
    • requirements of this International Standard"
    From this requirement it is very well possible that an NC can be set against a relevant requirement, without the need to refer to a clause in the standard.
     
  5. Anna Wagstaffe

    Anna Wagstaffe Member

    Joined:
    May 25, 2017
    Messages:
    17
    Likes Received:
    7
    Trophy Points:
    2
    Thanks guys, that makes sense. I am both the primary internal auditor and the "management representative".

    I am fortunate that my top management have bought in sufficiently that they view the standard as guidelines for the business running optimally and I don't get many "where does it say we have to ....?".

    Just for context, this was an NC against our design development process, found during an audit of our procurement process.
     
    Andy Nichols likes this.
  6. Yukon

    Yukon Well-Known Member

    Joined:
    Mar 5, 2019
    Messages:
    119
    Likes Received:
    5
    Trophy Points:
    17
    On the contrary, many clients receive NCs ("written up") related to the internal audit program. The most common issue is they make Recommendations for Improvement in the Audit Report that really are violations of the standard and should be raised as a Non-Conformance. It happens all the time and is usually the result of inexperience.

    If I can help just ask,
    Yukon
     
    tony s likes this.
  7. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    776
    Likes Received:
    538
    Trophy Points:
    92
    Location:
    Laguna Philippines
    Where is it stated in the ISO 9001 standard that recommendations for improvement are prohibited on internal audits?

    Even section 6.4.8 of ISO 19011:2018, in generating audit findings, mentions this statement: "When specified by the audit plan, individual audit findings should include conformity and good practices along with their supporting evidence, opportunities for improvement, and any recommendations to the auditee".

    Further in section 6.4.10, when conducting closing meeting, this is specified: "If specified by the audit objectives, opportunities for improvement recommendations may be presented. It should be emphasized that recommendations are not binding".

    However, in external auditors, this statement from ISO/IEC 17021-1:2015 should be taken into account: Opportunities for improvement may be identified and recorded, unless prohibited by the requirements of a management system certification scheme".
     
    Andy Nichols likes this.
  8. Yukon

    Yukon Well-Known Member

    Joined:
    Mar 5, 2019
    Messages:
    119
    Likes Received:
    5
    Trophy Points:
    17
    T

    Tony,
    Opportunities for Improvement (OFI) are an extremely valuable output of the audit process.
    That being said I believe you have completely misunderstood my comment. Many internal auditors, usually inexperienced, identify issues in their audit report as OFI's when in fact the OFI is a Non-conformance.

    For example:
    OFI - " The competency of persons performing final inspection activities on Line 1 & Line 6 has not been assessed ny the Production Manager ( no documented information available) and the person performing the set up of Wave Soldering machine WS 1 also had not been assessed for competency. Consider assigning trained competent individuals for these activities"

    The above OFI is a clear Non-conformance and should not have been reported as an OFI. During an audit by a CB we would raise a Major NCR. To clear it you would have re-read every internal audit report issued during your audit cycle and if any OFI is found that is a NC you would have to issue a Non-conformance report. We (CB) would return to your facility and review all of your corrective action before Closing the NC - this would be very costly to the client.

    If I can help just ask,
    Yukon
     
    Last edited: Mar 16, 2019 at 12:32 PM
  9. Jennifer Kirley

    Jennifer Kirley Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    711
    Likes Received:
    507
    Trophy Points:
    92
    Location:
    USA
    It may help to view the finding as a type of issue. We have the symptom as objective evidence, but the issue is in a process. Further exploration of the issue may be needed to make a decision.

    For example:

    Corrective action recording activities are being moved from Lotus Notes to a new database. An audit of the corrective action process found that during the transition, several corrective action records (issued from internal audits) were not available in any form. We have 3 clear choices of clauses:
    • 6.3 Planning of changes
    • 9.2.2e take appropriate correction and corrective actions without undue delay (after further review it turns out this does not clearly apply because actions have, after all been taken - just not recorded in any way)
    • 10.2.2 ...shall retain documented information as evidence of...
    It is common to point to 10.2.2 and that would not be incorrect, but there are many databases being moved so this could happen systemically. So I choose 6.3.

    As an option, an audit of change management may be opened based on this finding, which is welcomed as a planning consideration in 9.2.2.

    While I agree that we should refer to internal process documentation whenever possible, there might not be any documented procedure for the subject at hand, as in my example no more requirement for the 6 previously required documented procedures.

    Design-related nonconformities should be considered closely for critical status based on their relation to customer receipt of product conforming to requirements. For that reason I also am skeptical of issuing OFIs to Design. I also agree that the stated OFI is a clear nonconformity, though Minor unless it can show a direct cause-and-effect relationship to nonconforming product shipped to customer.

    I hope this helps!
     
    Anna Wagstaffe likes this.
  10. Golfman25

    Golfman25 Well-Known Member

    Joined:
    Nov 6, 2015
    Messages:
    530
    Likes Received:
    198
    Trophy Points:
    42
    Not sure why this is a "major." But this is exactly why owners/top management dislike the whole ISO process. It takes someone's mistake and makes a huge deal out of it, a complete overreaction -- major non-conformance, having to go back thru every audit report, etc. All completely ridiculous based on the finding. The OFI/finding was that competency was not assessed -- actually that is wasn't documented. It was not that the persons were not competent and all sorts of bad parts where being made. Now instead of sitting down with the auditor and making sure they understand (or need some additional training), and making sure the operators in question where in fact competent, we have to "redo" everything. This will have a chilling effect on auditors' future reports -- nobody wants to be "that guy."
     
  11. Yukon

    Yukon Well-Known Member

    Joined:
    Mar 5, 2019
    Messages:
    119
    Likes Received:
    5
    Trophy Points:
    17
    You aren't sure why it's a Major ? Really? The Internal Audit people are reporting process NCs as OFIs and that doesn't warrant a Major NC ?

    If I can help just ask,
    Yukon
     
  12. Golfman25

    Golfman25 Well-Known Member

    Joined:
    Nov 6, 2015
    Messages:
    530
    Likes Received:
    198
    Trophy Points:
    42
    No it does not. You have one auditor who made one mistake. Without evidence of multiple auditors making multiple mistakes -- i.e.; a complete breakdown of the internal audit process -- it isn't a major in my book.
     
    John C. Abnet likes this.
  13. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    2,357
    Likes Received:
    1,220
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Tony: Great points, well made. Our reality is that too many auditors see things in only one way - which in itself is contrary to the attributes in 19011! All audits to these people are created equally, which is very far from the truth, experience shows. When the lines become blurred between these 3 distinct activities (internal, supplier and CB audits) things go right off the rails and management - as you stated earlier - become frustrated by the whole ISO 9001/Certification industry. When all quality management audits are treated as "one-side-fits-all" and zero is done within an internal audit program to report to management in ways they understand, there is NO improvement. Add to that arcane "grading" of audit reports and all that attendant BS (I don't mean British standards, either) then so-called professional auditors should ask themselves what they actually did to improve their clients bottom line - at least to the cost of their audit at a bare minimum. My guess is, the vast majority couldn't quantify that, but can spew clause numbers and other esoteric mumbo-jumbo as if it's meaningful to anyone else.

    At Xerox Corp back as far as the 70s, their internal audit program required the internal auditors to dollarize their findings to ensure management knew what actions were necessary and when...
     
    John C. Abnet and tony s like this.
  14. Yukon

    Yukon Well-Known Member

    Joined:
    Mar 5, 2019
    Messages:
    119
    Likes Received:
    5
    Trophy Points:
    17
    Ok let's look at another example:

    The Internal auditor observes products being tested at Final Test and Inspection and the test equipment is overdue for calibration ( internal documents state all test devices must be calibrated ). The audit report is issued with one OFI reported as follows: "it is recommended that Final Inspectors only use test equipment that is calibrated, it was observed that unclaibrated test equipment was being used"

    As a CB auditor you check the company's overdue calibration report and find that there are 15 devices requiring calibration and this was the only device overdue. Tell me, is this an OFI or Major NC and as a CB auditor would you raise a formal NC ? Consider that the product being tested could end up in a hospital, a school, even a nuclear reactor.

    If I can help just ask,
    Yukon
     
  15. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    776
    Likes Received:
    538
    Trophy Points:
    92
    Location:
    Laguna Philippines
    I re-read your post and I stand corrected.

    Just to add more about converting NCs to OFIs. Section 9.4.5.2 of ISO/IEC 17021-1:2015 has this statement: "Audit findings, however, which are nonconformities, shall not be recorded as opportunities for improvement".
     
    Andy Nichols likes this.
  16. tony s

    tony s Well-Known Member

    Joined:
    Sep 10, 2015
    Messages:
    776
    Likes Received:
    538
    Trophy Points:
    92
    Location:
    Laguna Philippines
    Reporting NCs as OFIs go against the intentions of clause 10.2.1 where it says "When a nonconformity occurs... react... take action... deal with the consequences... evaluate the need for action to eliminate the cause... etc". Nonconformity as defined by ISO 9000 is "non-fulfillment of a requirement" and must be acted upon. Unlike with OFIs which are not binding (as per 6.4.10 of ISO 19011:2018). However, labeling this issue as "major NC" is a sweeping statement.

    I have a copy of ISO/IEC 17021-1:2015 and looking at section 3.12 of this standard, I fail to see that this issue merits a major NC.
     
    John C. Abnet likes this.
  17. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    2,357
    Likes Received:
    1,220
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Some great points, Tony. Such discussion, (even though I can view only one side of all of it) goes to demonstrate (to me) just how auditing has gone off the rails because of the CB audit(ors) influences. Grading isn't and shouldn't be entertained in internal audits. Thereby, Major, minors and OFI are a moot point. Having an external audit then suggest that internal auditors should be subject to the same "mission creep" of the IAF accreditation bodies (no soft grading) is totally bizarre. Grades mean nothing - you only have to see the rubbish people are left to deal with to know that. What's important is that management see the need for action, not what box got checked off on a NC form.
     
    Last edited: Mar 19, 2019 at 1:33 AM
    John C. Abnet and tony s like this.
  18. Yukon

    Yukon Well-Known Member

    Joined:
    Mar 5, 2019
    Messages:
    119
    Likes Received:
    5
    Trophy Points:
    17
    Gentlemen,
    Please allow me to explain to you both the difference between a Major and Minor NCR from the CB point-of-view. When we (CB) assess an NC we are required to classify a level of severity. Why you ask? It really has nothing to do with the NC itself but has to do with the time you have to make corrections that will be verified by the CB prior to closing it out. In the case of a Minor NC you must perform and document a root-cause-analysis, develop a corrective actin (CA) plan, act on the plan, and send documentation to the CB. We then Clear the NC. At your next audit we will verify the CA and Close the NC, if we find the NC was not corrected it automatically becomes a Major and thevNC is re-issued.

    Everything is the same for a Major except we only give you 60 days after which we return, verify the CA, and Close the NC. If you don't act on the NC within the 60 days your registration is Suspended. I do hope you have a better understand of Major/Minor NCs.

    If I can help just ask,
    Yukon

    p.s. It does surprise me that anyone would not consider NCs being identified as OFIs unworthy of a amajor NC. It really does.
     
  19. Golfman25

    Golfman25 Well-Known Member

    Joined:
    Nov 6, 2015
    Messages:
    530
    Likes Received:
    198
    Trophy Points:
    42
    What is your source for that? That scheme was adopted by the automotive people (IATF) several years ago. I have yet to hear it adopted by anyone else.
     
  20. Yukon

    Yukon Well-Known Member

    Joined:
    Mar 5, 2019
    Messages:
    119
    Likes Received:
    5
    Trophy Points:
    17
    My CB has been using it for about four years. I think it was mandated by ANAB.

    If I can help just ask,
    Yukon
     

Share This Page