Why don’t registrar auditors audit clause 7.4 Purchasing of ISO 9001 when it comes to purchasing their services? After all, they’re providing a service that affects the quality of your operations, processes, and eventually, products.ISO 9001 states that your company “Shall evaluate and select suppliers based on their ability to meet your requirements.” Do you ever state your requirements to your registrar? Probably not, because it’s their contract that you sign. And even if your company issues a contract to the registrar in the form of a purchasing order, it’s unlikely that you add any of your requirements. The registrar normally has complete control of the contractual relationship, and you have no way out until the contract is up. Have you ever thought about what you and your company really want from an audit? Do you just go through the motions?
What if you wanted to try out a registrar’s services for only the initial audit? A company may evaluate sample parts from a potential supplier as part of the initial selection process. Why does your company have to be locked in to a three-year contract? What if you don’t like your supplier’s performance? How can you get out of a contract that doesn’t even state your specific needs?
During the selection process of a registrar, your company should define criteria for acceptable audit performance before you bring them on board and before you sign a long-term contract. I’ve never heard of this being done, yet I can’t imagine that a registrar would turn the work down.
How to evaluate a registrar’s performance
Clause 7.4 also states that “the selection, evaluation, and re-evaluation criteria shall be established,” I challenge you to evaluate your registrar’s performance based on defined criteria. Some of the criteria that you might consider include:
Registrar—home office:
- On-time shipment of certificate
- Lead time to receive the certificate
- Expediency in answering questions
- Contract clarity
- Document control
Auditor:
- Legibility of audit records
- Value-added audit
- Percentage of time spent auditing (rather than discussing personal stories)
- Quality of nonconformities recorded (clear reference to requirement not met and clear identification of non-conforming evidence)
- Easily understandable
- Percentage of nonconformities issued/ nonconformities stated (100 percent = best)
- Number of times the auditor provided advice (0 = best)
- And/or, from clause 7.2 Personal Attributes of ISO 19011
- Open-minded
- Perceptive
- Versatile
- Tenacious
- Decisive
Of course, a rating scale would need to be developed for each criterion your company chooses (from the above list or elsewhere), as well as criteria for acceptability and the consequences of a contractor’s failure to meet your requirements.
If the registrar is sub-par, I challenge you to issue a corrective action report (CAR) to them. If they don’t respond to your CAR “without undue delay,” Issue another CAR.
I’ve only seen one company evaluate its registrar’s performance on an ongoing basis. They also evaluate my performance as their internal auditing provider.
Issue a purchase order to your registrar
Clause 7.4 of ISO 9001 also states that “purchasing information shall describe the product to be purchased, including … requirements for approval of product, procedures, processes.”
I challenge you to issue a purchase order to your registrar that states, “Registrar to conduct ISO 9001 certification audit, pass us, and issue no nonconformities.” Then at the closing meeting, when the auditor recommends you for certification and issues three minor nonconformities, you reveal the purchase order the auditor never read and say “Thanks for the freebie!” I say this as a joke, yet, I say it to make a point.
The point I’m trying to make is more of a question: “What does top management really want from an audit and how would you state your requirements in a purchase order?” The requirements should be reflective of and consistent with the criteria that you choose to evaluate your registrar. Following are a few examples:
- Does top management want a value-added audit in which the auditor issues many preventive actions originating from the identification of nonvalue-added processes, steps, activities, documents, that could or do lead to excessive waste and nonconformances? Then let your registrar know.
- Do you want the auditor to focus on suspect processes? Then let your registrar know.
- Do you want a tough and tenacious auditor? Then let your registrar know.
- Do you want your certificate in one week instead of 4 or six weeks? Let your registrar know.
- Do you want all nonconformities recorded as CARs? Let your registrar know.
- Do you want the CARs to better cite evidence and do you want the auditor to record the nonconformities on your internal CARs? Let your registrar know.
Your company is paying for a service. Unless your top management only wants a certificate and is accustomed to wasting money, you should be stating your requirements in the spirits of ISO 9001 and ISO 9004 in order to improve the effectiveness of this process.
When registrars don’t meet the contractual requirements
I recently participated in a two-day Stage 1 assessment as an observer for my client. The lead auditor didn’t realize until just before the end of the two-day period that it was a Stage 1 assessment. He’d thought he was doing a Stage 1 pre-assessment audit, even though we had shown him the signed contract. My client and I were very disappointed in the auditor’s performance throughout the entire two-day audit. We complained to headquarters, had a lengthy teleconference and they rectified the situation in the short-run.
However, I was concerned with what they were doing to identify and eliminate the root cause so that this type of problem wouldn’t happen in the future. I prepared a CAR thinking that my client would forward this on to the registrar. My client’s managers still haven’t done so and they probably won’t. They’re a little gun-shy, because they feel they’d be shooting themselves in the foot by issuing a CAR to a company that issues CARs for a living. They should not feel this way.
Voice of the customer
What’s the voice of the customer? What are you asking for? Are the registrars providing you with what you want? Too often, the customer’s voice, either directly stated or implied, is that they only want the certificate because their customers are demanding it. This is exactly what registrars provide—a certificate, often even when a company hasn’t earned it. Such registrars are simply meeting the requirements of their customers.
So who’s at fault? Is it the registrar’s fault? It’s the clients’ fault for not expressing their voice and their requirements properly. Owners and top management are responsible for developing the systems, philosophies, and policies within the company. If these aren’t developed adequately, owners and top management are to blame.
If you just wanted a certificate from your auditor, you paid an awful lot for a piece of paper.
If you believe in the spirit of ISO 9001 and ISO 9004, and if you built an ever-improving Quality System, you would then demand tough audits, both internally and from your Registrar.
Who is the real customer?
The real customer is ISO 9001, and if it were real, it’d be crying because so many companies don’t fulfill the requirements, yet they bear its name.
The registration system is at fault, and no one is fixing it. Yet, every five years, the standard is subject to an overhaul. How about an overhaul of the registration system? When are we going to improve its effectiveness continually?
One way for your company to start is to demand more from your registrar.
Add new comment