CB Auditors say the darndest things


Following is a collection of real findings including corrective actions, observations and comments from ISO 9001 Certification auditors, each of which could never possibly be a finding because they are not supported in the standard. All of these findings are taken from various consultants and practitioners that are part of the ISO 9001 Linkedin group. There have been some changes to the findings in order to improve readability.

Interesting to note that some of the non-conformances actually contradict each other.

General findings

  • Consultants cannot attend 3rd party conformity audits.

4.2.1 General (Documentation)

  • All procedures must be documented.
  • Only six written procedures are required.
  • The passive tense is to be used throughout, in order to be as remote and difficult to comprehend as possible.
  • The more shalls you can include, the better.
  • You must liberally plaster the phrases Quality Document and Controlled Document liberally throughout your documentation. If it doesn’t have these, it isn’t a quality document.
  • All company documents, procedures, work instructions, etc. must be written in 10-point Courier (typewriter) font.
  • All normally-used verbs must be expunged and shall be replaced with only three: facilitate, utilize, implement. 

”Shall” shall be utilized as often as necessary. “Must” shall also be utilized as it facilitates implementation and compliance.
  • All processes shall have a documented process flow.
  • All processes, especially non-production processes such as operating the copier, coffee machine or telephone, shall have documented, rev-controlled work aids.
  • The pyramidal documentation model (you know: policy – quality manual – procedure….blah, blah, blah) is the only one approved by ISO to design a QMS

4.2.2 Quality Manual

  • Quality manuals must replicate the prevailing QMS standard.
  • Quality manuals cannot be one or two pages.
  • Quality manuals cannot have a business or operations section.
  • Quality manuals must have “Quality Manual” printed on the cover page.
  • Quality manuals can only be created by the Quality Department

4.2.3 Document control

  • ISO 9001 requires document numbers.
  • Authors cannot review and approve their own documents.
  • All documents must be managed with a cross-reference table.
  • You must have hand-written signatures to approve documents before they are official.
  • All quality documents must be have multi-level numbering
  • Controlled documents shall be and must be electronic to facilitate compliance to QMS.
  • Uncontrolled documents shall display the warning “If Printed, this is uncontrolled.”
  • All signatures for document approval must utilize red ink.
  • Forms must be controlled
  • The only way to approve a document is signing it
  • For documents, records, forms, ext. documents there must exist a master list
  • All forms and checklists, regardless of purpose, must be rev controlled.
  • Training records of all employees must demonstrate competency with using the master document control matrix.
  • All documents of external origin, accessed by the internet, must be placed under rev-control and access control.
  • All documents of external origin must be duplicated into procedures, using only single spaced Courier 10-point font.

4.2.4 Records control

  • Emails are not a sufficient form of record.
  • Forms are required to make valid a record

5.3 Quality Policy

  • The quality policy must be signed by the Managing Director

5.5.1 Responsibility and authority

  • You must have someone with the title of Quality Manager and someone with the title of Management Representative. But one person can do both these roles.
  • Quality representative is the guy who receives the 3rd party audits
  • Just Quality people can be a Quality representative.
  • The Management Representative must be from Quality Management.

5.6 Management review

  • Management review must be a physical meeting.
  • Management reviews must be annual, at least.
  • Management review is a single meeting once a year, at which you must cover all the topics listed under that clause, in the same order.
  • The minutes of MR shall list all the inputs (5.6.2) and outputs (5.6.3) required in the standard.
  • The management review agenda must be numbered in accordance with 5.6

6.2 Human resources

  • ISO 9001 requires a training matrix.
  • The job competency training matrix shall be managed and controlled by the MR
  • Job descriptions are required to evaluate a person’s competence

6.3 Infrastructure

  • Preventive maintenance of equipment is required.
  • All equipment shall display PM (preventive maintenance) stickers.
  • Must have a house-keeping checklist.

6.4 Work environment

  • Work environment is related to occupational safety, labor relations and health topics.

7.3 Design and development

  • Clause 7.3 applies for product / process, then there isn’t valid exclusion of 7.3
  • Doing CAD / drafting, or participating in Customer’s design planning and review, requires us to comply with ISO 9001 “design activity”.

7.4 Purchasing

  • An approved vendor list is required.
  • You must have an Approved Supplier List, even if you don’t buy in any products or services that matter, and your purchasing is limited to office stationery.
  • All incoming materials, including staples, copying paper, and Scotch tape, must have a sample inspection performed to establish conformity of product to purchasing requirements.
  • It is required to classify the suppliers in direct and indirect sources

7.5.1 Control of production and service provision

  • Post delivery support includes warranty repairs.
  • Post delivery support does NOT include warranty repairs.
  • All the operations in the floor / shop requires a work instruction

7.5.2 Validation of processes for production and service provision

  • Welding is always a special process.

7.5.3 Identification and traceability

  • Traceability is always needed to ensure production’s control
  • FIFO system is needed in any warehouse

7.6 Control of monitoring and measuring equipment

  • Anything at all you use to measure anything -no matter how rough the result required – must be calibrated, this includes ordinary desk 1-foot rulers and yes, the egg timers.
  • All measurement devices, including process equipment, must be calibrated.
  • All timepieces that ‘could’ be used for manufacturing processes must be calibrated, including clocks in smartphones, manually wound and battery-operated wristwatches, computers (desktops and laptops), electric wall clocks, battery-operated wall clocks, and any hand-wound egg timers in the cafeteria.
  • When calibrating equipment such as an egg timer and/or wooden 12″ ruler, calibration accuracy shall extend to the finest level to the right of the decimal point.
  • All calibrations must be done by an ISO IEC 17025 accredited lab

8.2.1 Customer satisfaction

  • Customer satisfaction surveys are required.

8.2.2 Internal audit

  • Internal auditors cannot audit their own departments.
  • Internal auditors must be trained through some outside provider.
  • Internal audits must be annual, at least.
  • Internal auditors must attend an auditing course. They cannot be competent if they haven’t.
  • Internal auditors shall only become qualified and certified though attending a short company auditor training class. This facilitates alignment to the QMS.
  • The more internal audit’s findings, the more effective the audit process
  • Supplier audits and internal audits must be clause based
  • Supplier audits and internal audits must be processed based

8.2.3 Monitoring and measurement of processes

  • Inspection records must be handwritten, because electronic forms are not valid

8.3 Control of nonconforming product

  • Nonconforming product must be physically segregated, in a locked cage.
  • All non-conformances require a CAR.

8.5.1 Continual improvement

  • Continuous improvement shall be demonstrated / recorded in a form

8.5.2 Corrective action and 8.5.3 Preventive action

  • Corrective action and preventive action must be separate activities.
  • A procedure for nonconformance must be a separate procedure from the one for corrective action and the one for preventive action.
  • Each procedure must be correctly named, viz, ‘Nonconformance Procedure’, ‘Corrective Action Procedure’ etc.
  • Root cause must include 5 Why analysis.
  • You must use a form called a CAR. And you must keep a log of all your CARs, which of course must be individually numbered.
  • Quality department must fill and follow all the corrective actions
  • CARs must be resolved in XX days
  • A single form to document a CAR is not enough evidence of your actions, so you must attach all evidence possible, even the latest email.