Featured Book of the Month:

Title: The Corrective Action Handbook

Author: Denise E. Robitaille

Publisher: Paton Press

Notes: The Corrective Action Handbook will help you make your corrective action process more organized, more efficient, and more productive. It's a terrific guide to corrective action for anyone involved in a corrective action process.  (Notes from Amazon.com)

You can order this book from internal-auditor.com at: http://www.internal-auditor.com/books.htm

This Month's Feature Article

We've had issues in the past that explained different types of nonconformances, and observations. We've also looked at how to audit for effectiveness. Although what we said was valid, it was before ISO 9001:2000. It was also designed to lay some foundation on which to build more advanced auditing. So, let's start to build another layer.

Nonconformances

First, let's look at what we already know. A nonconformance is a nonfulfillment of a requirement. That requirement will typically come from one of three places:

• The standard (ISO 9001, for example)

• Company level documents (such as a procedure)

• Customer specific requirements

Although these are the most common, there can be others. The requirement can also be from a trade association to which the organization belongs, or perhaps from a governmental or regulatory agency. It really doesn't matter where the requirement originates, it is only important that the organization meets the requirement. When it doesn't a nonconformance exists. 

But what if the organization is in technical compliance, but is not within the intent? Can an auditor write a nonconformance then? More and more auditors are doing just that. It falls into the category of auditing for effectiveness. It is a tougher sell, and will undoubtedly be challenged. That is unless there is a culture shift within the organization. This culture shift will result in nonconformances not being viewed as a "bad" thing and viewed as an "improvement" thing instead. The culture of the organization will view nonconformances as "system" issues, rather than "personal" issues. Every organization needs to go through this shift if they want their QMS to be both effective and beneficial.

Observations

It is important we spend the majority of our time looking at observations, or Opportunities For Improvements (OFI), as they are often called. These are written when there is not a case for a nonconformance, however the internal auditor feels that a particular situation needs to be reviewed. There are typically four times when observations are written:

• When the situation is in compliance, but close. In this scenario, the internal auditor notices a situation that, while conforming, is bordering on nonconformance. Perhaps a procedure is vague, but is being followed. The vagueness of the procedure will undoubtedly lead to nonconformance in the future, although there is no history of nonconformance yet.

• When the internal auditor has an idea for improvement. This is your standard suggestion for improvement. The current activity is conforming, and perhaps even effective, but there might be a better way. In one audit, the organization was monitoring sales (because 4.20 required it). The closing meeting was interrupted due to an emergency. The president of the company inquired about how many times this thing has happened. As internal auditor, I suggested that perhaps this situation should be tracked instead of sales. The president made the change, and now, their 4.20 activities actually helped the organization run better. 

• The third type is when for some reason (such as time), the internal auditor cannot determine if a nonconformance exists or not. There might be reason to suspect that a nonconformance exists, but for some reason, it cannot be verified. Many auditors will write this up as nonconforming, and let the other side prove it is not, however, that might not be the best for the organization.

• There are occasions when an internal auditor discovers something that is "out of scope" of the audit. It might be a clear-cut nonconformance, or it might be just a strong possibility. However, because it is out of scope, the auditor might not be able to pursue the situation. Once again, some auditors will write a nonconformance here as well.

When writing observations, make sure you apply the same rules we taught concerning nonconformances. They should be written so that:

• They are clearly understandable. The auditee must not only understand the observation, but why you made it. Your reasons must be clear and concise, and worded in language that the auditee can understand.

• They must be actionable. An observation is of little value if the auditee cannot take action. In some cases the action might be only to study the activity, and that is not necessarily bad.

• They must be unarguable. This might be less important for observations, but it is still valid. If you do a good job in the understandable part, this part is easy.

One of the key things to remember is that observations, or OFIs, should require some response on the part of the auditee. Observations should not be looked at as "optional". But rather should be reviewed, analyzed and a decision made as to what the response should be. Perhaps the forms use for this should reflect this review and analysis. 

Summary: 

Writing nonconformances and observations are an integral part of the internal auditing program. It is important that as internal auditors, we know when to write each, and how to ensure that both are beneficial to the continual improvement and growth of the organization. When we do write nonconformances and observations, we need to make sure that the auditee knows exactly what you found and how they need to respond. It is also important for us to drive the cultural change away from nonconformances be "bad" things. They are improvement things, and that is always good.

As always...Good Auditing!

top of page

www.nsf-isr.org

Q – Do audit nonconformances and OFIs need their own form, or can we use our standard CAR? ?

A – What form, or forms you use is up to you. However, there is no requirement to use any form what so ever. The standard requires you to determine what records will be kept, and that audit results get reported. The "how" of that is completely up to you. Some audit findings may require formal corrective action, and others might just require correction, with no formal corrective action. The important thing is you have a system, and you use it consistently. See Element Understanding below for related information. 

top of page

There is a growing concern regarding a registrar's ability to look at your financial and accounting practices during an audit. This can be greatly affected by how you lay out your system. For example, the only real way your accounting department interacts with your QMS is by ensuring proper invoicing. In order to do this, they need accurate, timely information from various departments (such as shipping and manufacturing).  The only things the QMS would be concerned with is does the process for getting the right information to accounting at the right time, and is accounting ensuring the invoicing is accurate.

top of page

ISO/TS 9001:2000 Clause 8.2.2 Internal audits

"The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records (see 4.2.4) shall be defined in a documented procedure.  "

The only mention of internal audit records is in this sentence. There are a couple of important points here. First, there is no mention as to what records you keep. Typical records kept include the audit checklist, the audit report, and any corrective actions generated as a result of the audit. Audit records may also include the audit schedule, any correspondence involving the audit program (including emails), and auditor records. 

The second point is that 4.2.4 is referenced. This gives some information on what records to keep, namely those which "provide evidence of conformity to requirements and of the effective operation of the quality management system." 

So, what records do you keep? It depends on your system. We've given you some hints above, but this is not an exhaustive list. As you determine what records to keep, bear in mind that you need to includes records of the individual audit, as well as the records of the audit program. 

top of page

April 2003’s question:

You are auditing the sales process, which includes customer-related processes. The sales manager shows you a "process map" of the sales process that includes formal contract review and feasibility studies. Participants of this review are sales, purchasing, maintenance and production. Engineering is only included if there are any special design requirements, something that happens rarely. You are also shown three different types of output document templates, one for each type of job your perform. Because you read the Internal-Auditor.com newsletter, you ask how customer requirements are determined. The sales manager states that customer requirements are determined during the sales process and that information is collected on a checklist. The checklist is part of the formal review. Each person initials their portion of the checklist to ensure all requirements are determined and understood. You notice that every form has initials by engineering. The sales manager states that if the engineer is not involved, the quality manager will initial the form after the meeting.

The answer:

The issue here is  not one of "cheating", but of authority. Does the quality manager have the authority to initial on behalf of engineering? If this is not an issue with the team, then it is not an issue. If the quality manager is initialing to indicate that engineering is not require, it would not even necessarily be an observation, although one could possibly recommend that the quality manager place N/A by engineering, instead of their own initials.

On the other hand, if it is an issue then you have a nonconformance against 5.5.1.  If it has lead to problems, then a nonconformance to either 5.5.1, 7.1, 7.2.1, or even 7.2.2 might apply. 

 top of page

Fighting for Funding

My full-time job is with a not-for-profit organization that is part of the Manufacturing Extension Partnership, or MEP. For the past several years, the federal funding of the MEP system has been in limbo. The budget for this year (2004), was reduced from 106 million dollars to 40 million dollars. Everywhere, every MEP center is lobbying hard to restore the funding. Somehow, I don't think we are alone. 

As the manufacturing sector gets squeezed, many companies are taking second looks to find areas to cut budgets. The Quality Department, and the Quality Management System are two areas under the microscope. It seems we have a fight on our hands, you and I. The question is; how do we prove our worth? The problem is, if we can, every other department and function is doing the same thing. We all want to ensure our slice of the pie, and keep doing our jobs. 

In past issues, we have discussed auditing for impact. As internal auditors, we need to show our management that internal auditing is not a "cost", but an "investment", without saying "because ISO says so".. If we can't show that, then perhaps it is best we are cut, or better still. Perhaps we need to look at auditing in a far different light. 

Dave

...Good auditing!

Copyright notice: internal-auditor.com is fully protected under US and International copyright laws. Copying, or re-transmitting all, or any part of internal-auditor.com is expressly forbidden without prior written consent from Ruth Ellen Carey Communications.
internal-auditor.com is a publication of Ruth Ellen Carey Communications.