Once again, we find auditors making up their own interpretations and requirements of the standard. In the past, I have seen auditors decide just how a client needs to do something to meet the standard. This is not the simple “you do it or you don’t do it,” but instead that “you must do it the way I say.” I am not including which CB was involved but I do know that I have personally notified CBs when their auditor is requiring something not in the standard.
I have seen CB auditors who feel you need to record your internal audits the same way they do. I have even seen one auditor tell the client they needed to call the CB and get a copy of the form the CB uses. What? None of the standards I have seen tell you how to record your audit findings. Not even the CBs document their audit findings in exactly the same manner. As long as there is clear evidence of what was audited the form it takes is up to the client not the auditor. (This has occurred more than once by the same auditor.
Risk management is another area that has come up. The standard says you need to consider it but there is no hard and fast way you must do it. A CB auditor told a client they had to have a chart and score the risks. Automotive has a method for product risks and failures, but ISO9001:2015 does not. So, when doing at ISO 9001 audit, this is not a requirement. It may be a good way to keep it all in mind and review at management review meetings but a chart is not required and not a non-conformance.
Recently, I heard of a CB auditor who was intending to write a non-conformance to a company because he did not like the method used for supplier qualification, and specifically the consultant/internal auditor they used. The CB auditor did not complain about the audit records, just how they had qualified the person. The consultant is certified to audit at 2 different CBs and had provided his resume and his auditor certification. But the CB auditor was going to write them up because they could not show the CB auditor a lead auditor certificate for auditing. Where is a lead auditor certificate required by the standard? It requires training, not a certificate.
I have run into CB auditors who have been approved for aerospace auditing and have tried to require a client to meet aerospace requirements not contained in ISO 9001. Had the same experience in the past with a CB auditor who does medical (ISO 13485) who required medical requirements not contained in ISO 9001 that they were auditing.
I had one auditor try to tell a client he was going to write a major if they did not disqualify a vendor. They were a distributor and had tried to work with the supplier. The supplier was non-responsive, so the client had put in safeguards such as incoming inspection and guard banded delivery dates in case they had to get more. The customers had indicated they wanted only this supplier’s product so it would have meant not meeting customer requirements. The client would notify the supplier when there were problems and tried to work with the customer to buy equivalent parts from someone else. They tracked the supplier and worked with supplier and customer and guard banded the potential risks. Standard says to control, not to “disqualify.”
I once had a CB auditor ask where procedures were for a few things. These areas did not even require one in the prior ISO 9001 version and definitely not in the current version. When the client said that the CB auditor said that it was understood in the new version of the standard and she was going to write a non-conformance for it and then she did. The client wrote in response they did not need a procedure and the CB accepted it. Never knew but hope the auditor got some kind of training on it or she is still doing it.
It’s time to stand up to CB auditors who want it their way as long as you meet the standard. Ask them where the standard specifically states what they are asking for. If you do not agree, contact the CB offices and ask for their statement of the requirement. You can also appeal or can go to the AB for help.