by Andy Hofmann
As most are aware, third-party auditors must occasionally have their audit methods reviewed by a peer. Sometimes this can be in the form of a skills examination, as is conducted by RABQSA International Inc. In the world of third-party automotive auditors, periodic assessments are conducted by representatives from the International Automotive Task Force (IATF). The most common method, however, is a review by a colleague from his or her organization’s certification body (CB). November is the month during which this occurs in my organization.
It’s normal for the CB auditors to meet before a round of witnessed audits. Part of the agenda for this meeting is to review the concerns of the international accreditation bodies (ABs). Of late, the ABs have been paying more attention to the thoroughness of third-party auditor follow up. The ABs have noted an increasing number of incomplete corrective actions. Still, many CBs and their auditors are accepting these incomplete actions as submitted.
As a result of this trend, the ABs requested that CBs remind auditors about the need for consistent corrective action in support of continual improvement. Wanting to do my part for improvement, I will use this article to capture the essence of what was presented by the ABs.
When an auditor issues a nonconformity during an audit, he or she is required to write the nonconformity in three parts. Such a nonconformity might look like this:
The system for managing training and competency is not totally effective.
In response to the requirements of clause 6.2.2 to ISO 9001:2008, Company Delta has documented its method for determining competency in Procedure HR-001. This procedure at paragraph 7.2 requires that all temporary personnel receive the same training that a new full-time associate receives, which includes: lockout/tagout, confined space, WHIMIS, transportation of dangerous goods, and operation of the machine.
The records for hiring temporaries from The Terrific Temporary Agency revealed that in September, seven temporary employees were hired. The only record on file documenting training for any of these personnel was operation of the machine, which was in place for all seven individuals. None of the other required training events described in procedure HR-001 had been documented for any of the September temps. Four of these individuals have received full-time employment offers at the time of the audit (December).
The first part of the nonconformance statement is simply a summary of the subject of the nonconformity. The next paragraph is the expected condition. Finally, the auditor is to identify the condition he or she found, which will vary from the expected condition contained in the second paragraph.
The rationale for writing nonconformities in this fashion is that it forces the auditor to relate the situation to a requirement. More important, it makes it easier for the organization responding to the nonconformance. There is a clear difference in the above example between the expected condition (temporary employees are to be fully trained) and the found condition (training documentation missing for seven employees for health and safety training). By writing the nonconformity this way, the organization can determine why personnel were put to work without complete training documentation.
Although ISO 9001 doesn’t require the use of formal problem-solving methods for root causes, clause 8.5.2 does require the determination of the cause of a nonconformity. Clause 8.5.2 goes on to require the organization to evaluate the need for action to preclude recurrence of the issue. It’s important to consider carefully what the standard is saying here. The organization must determine the cause, and, depending upon what that cause is, it must decide whether there is a need for additional action to preclude recurrence.
This is one of the significant points that was made during our AB presentation. The decision as to what nonconformity causes warrant action to preclude recurrence rests with the organization. ABs recently noted that some of the files they reviewed showed auditors expecting action on every corrective action, but it’s up to the organization to decide where it will invest in root cause elimination.
In the above example, the organization knows that seven employees were permitted to start work with incomplete training records. It must investigate to determine if the training occurred and was simply not documented, or the training never occurred and was therefore not documented. I think that you will agree that depending upon what the investigation finds, there will be a different need for action to preclude recurrence.
Let’s assume first that the organization finds that all the required training took place, but it had, for some reason, not been recorded. The organization might look at several other training events over the year and determine that this was the only event that missed recording the training. However, because it was safety training and thus critical to employee safety, the action to be taken is to have the four now-permanent employees re-do the training. The organization might also decide that the internal audit where training records are to be assessed is to be expanded to three audits per year and increase the number of training files assessed per audit. This might form the basis for the response to the external audit nonconformity.
However, if we assume that the training did not take place at all, the organization has a different need for cause analysis. The mechanism by which the organization brings people into its operations was apparently bypassed for seven employees. Furthermore, when the four temporary employees became permanent, there was no retroactive evaluation performed to ensure their training was up to date. The organization will have significant work to do to determine the cause for this double failure and what action is needed to eliminate future opportunities to create the same result.
In reality, this second scenario was what occurred. The auditor had received the following response from Company Delta:
Company Delta has reviewed the nonconformity and determined that the root cause was the speed at which hiring was accomplished. In addition to the seven temporary employees described in the nonconformity, 20 full-time personnel were also added on the same day. Company Delta was not prepared to train 27 people in all the subjects detailed in procedure HR-001.
Company Delta has now provided the four September temporary employees with the additional required training. The training record for this activity is attached as evidence. These personnel have also been quizzed by the Joint Occupational Health and Safety Committee and found satisfactory.
As the third-party auditor, do you accept the response as conforming with the requirements of ISO 9001:2008? I hope that you said “No” under your breath, and here is why. To satisfy ISO 9001:2008, the response from Company Delta would have to determine the cause of the nonconformity. In its response, Company Delta indicated that the cause was speed of hiring. This is an interesting conclusion, but it cannot be the root cause.
The auditor need look no further than the words that are being used compared with the observation. For an issue that dealt with the subject of records—a noun—the company responded with a root cause that is an adverb, speed. Surely the root cause for not having records cannot be the speed at which something occurs.
So, if the response is not addressing the root cause, what additional information can the auditor provide so Company Delta understands how to respond? The auditor might try the following approach:
- Indicate that the response given has not identified the root cause of why mandatory regulatory training was not delivered to the seven employees and consequently not fully recorded.
- There are two avenues of investigation: how the required training documentation was missed when the temporary workers were hired and then again when four of them were hired full-time.
- The training for which the documentation is missing is regulatory and as such presents a risk to the organization beyond ISO 9001:2008.
- The action taken does not include any assessment of other files outside of the 20 other employees hired on the same day. The organization has not determined how widespread the issue might be.
- There has been no assessment of the adequacy of the controls contained in procedure HR-001.
Although this is additional work for the auditor, it will enhance the organization’s understanding of what is required for proper corrective action. The next time an auditor issues a nonconformance at this organization, it will be better equipped to respond. Additionally, when it’s working on internal audit nonconformities, the ability to address the issues will be improved. Through this action, the auditor has contributed to continual improvement in the organization.
During my organization’s pre-witnessed audit training session, the reason that this robust approach to corrective action is not always taken was also openly discussed. The biggest fear that auditors expressed was being guilty of consulting. Although this is always something that needs to be considered, the response in our fictional example doesn’t direct the client as to what it must change to comply with the standard. It goes back over the facts of the situation and expresses them in a clear and simple way. Rather than consulting, this is the auditor’s job.
The discussion then quickly turned to the need to ensure that the path to the root cause and needed action is well understood during the closing meeting. This was a very good observation. The reason the audited organization may not have responded to the original nonconformity fully in the first instance may have been due to lack of information during the closing meeting. Auditors can influence the quality of responses to nonconformities if they explain them well during the closing meeting.
Finally, we discussed the time constraints that auditors operate under. Audit days are full; we need to cover the audit plan, create a report, and meet the timeline for a closing meeting. It was clear that from time to time, auditors don’t plan enough time to make a full closing meeting possible. Thus, sometimes we are guilty of creating a rushed closing meeting where clear communication of the corrective action process isn’t possible. We then are the root cause for the incomplete responses we receive.
The foregoing session was very well received by our audit team. In our busy lives of driving here or flying there, we can lose sight of the process that we are part of. Having the opportunity to discuss the process slowly and methodically is a great way to refresh the batteries. In summary, we learned that:
- ISO 9001 clause 8.5.2 requires determination of cause for a nonconformity and a decision as to the need for action on the cause.
- Writing nonconformities can assist in their understanding. You must provide a clear statement of deficiency, the expected audit condition, and the found audit condition.
- Action on the cause of a nonconformity will be dependent upon its risk to the organization. The decision as to what resources and actions will be deployed belongs to the organization. Where statutory and regulatory requirements are involved, there is a clear call to action.
- A clear explanation of the corrective action process must be provided at the closing meeting. Make sufficient time to accomplish this.
- Although auditors can’t consult, full explanation of the requirements of the standard doesn’t breach this prohibition.
By capturing the session on corrective action in this column, I hope that in a small way we have generated thought around this important subject.
About the author
Andy Hofmann has been involved with management systems for more than 30 years. He has audited more than 2,500 systems, giving him a unique opportunity view of organizations that are performing well and those that struggle. A regular contributor to American Society for Quality management systems conferences and publications, Hofmann’s intellectual property has received wide acceptance. Currently the president of ICS Certification Services, Hofmann continues to work with management systems professionals throughout North America. He has an MBA from the University of Toronto and is a Certified Engineering Technologist.
Tags: corrective action.