Asking the Auditor: The Corrective Action Process

Auditors must never cross the consulting line.

by Denise Robitaille

I’ve long been an avid advocate of auditor objectivity. I firmly believe that auditors should refrain from suggesting or recommending solutions to potential problems, and, of course, consulting. The role of the auditor is not to be the problem solver. Ownership of corrective action should reside with the auditee.

However, there are times when auditors get asked questions. What kinds of questions should they answer? Auditors shouldn’t respond to questions that sound like: “What do you want us to do?” or “What would you like to see?” Instead, the auditor should make it clear that those kinds of questions border on consulting and are outside of the scope of his or her role. Auditors cannot insinuate their own personal preferences or desires on any part of the corrective action process. If they do, they end up usurping the auditee’s right and responsibility to choose how he or she will apply the requirements of the standard and/or solve the problem.

Sometimes individuals genuinely don’t understand the intent of a requirement. It’s within the auditor’s purview to explain it. For example, there was a lot of confusion over the definition and requirements for outsourced processes found in section 4.1 of ISO 9001:2000. (This was one of the clarifications in the 2008 revision.) It was appropriate for the auditor to explain the difference between the supplier of a component and the contractor who performed secondary operations, such as heat-treating. Additionally, the auditor might point the auditee to the notes that are also found in section 4.1. What would not have been appropriate would be for the auditor to give tips on how the organization could fulfill the requirements for control of its outsourced process.

The second kind of question that warrants an answer is one in which the auditee says, “If we do this and that, will it fulfill the requirements of the standard?” The auditor can answer yes or no. Or, the auditor could add a comment like, “Only if you provide evidence that you’ve done the things you just mentioned.” However, the auditor can’t go on to say what a consultant might suggest, which would be: “Make sure that you revise the following documents, communicate the changes to affected parties, conduct any necessary training, and follow up to verify the results.” The expectation is that auditees should understand all the peripherals that accompany the requirements for effective corrective action. If they don’t, well then, there’s another potential nonconformance.

Occasionally, auditors may drop hints. This goes back to the need for correct and complete articulation of a nonconformance. A nonconformance relating to outsourced processes might read: “There is no evidence that the outsourced processes (heat-treating, hardening, and painting) have been defined within the quality management system or that the organization has established methods to ensure the control of the processes, as required in section 4.1 of the standard.” The client now knows that to address the nonconformance, the organization needs to add outsourced process into its quality management system documentation and it needs to say how it controls the process. Its managers know to refer to section 4.1 in ISO 9001:2008, where there are a couple of guidance notes to help them out. Through the wording of the nonconformance, the auditor has helped the auditee understand the requirement and has given the client hints on what is expected. However, the auditor has not told the auditee how to apply the requirement or how to address the nonconformance.

Audits should be a learning event. Providing information that helps the auditee better understand and apply the standard effectively is a legitimate output of the audit. Going beyond that is still a no-no.

About the author

Denise Robitaille is the author of 10 books on various quality topics. She’s an internationally recognized speaker who brings years of experience in business and industry to her work in the quality profession. As the principal of Robitaille Associates, she has helped numerous companies in diverse fields to achieve ISO 9001 registration and to improve their quality management systems. Robitaille is vice chair of the U.S. TAG to ISO/TC 176, the committee responsible for updating the ISO 9000 family of standards. She’s also a RABQSA-certified lead assessor, an ASQ Certified Quality Auditor, and a fellow of ASQ.

Her books include The Corrective Action Handbook, The Management Review Handbook, The Preventive Action Handbook, Root Cause Analysis, Managing Supplier-Related Processes and Document Control, all published by Paton Professional. She also co-authored The Insiders’ Guide to ISO 9001:2008.

Her newest book, 9 Keys to Successful Audits, is available now.
