ISO 9001 Corrective Action Time Window

Schedule, calendar, timeline

Q: We will be audited by a different firm soon to ISO 9001:2008 Quality management systems–Requirements, and I am noticing differences compared to our former auditors.

At the closing of an annual surveillance audit for a three-year certificate, if a non-conformance is issued at the closing meeting, what is the expectation of response for:

1. Minor non-conformances

2. Major non-conformances

How many days are expected for the initial response for each?

How many times during the next 12 months should we expect the auditor to come back to the site to verify corrective action for each?

A: Regarding your question about response times for corrective actions, please note the following.

ISO 9001:2008 clause 8.2, Internal audits, does not specify or prescribe any time limits. ISO 9001:2008, clause 8.2.2, only requires the management for the responsible area (process owner) to take corrective action without undue delay. No time limit is identified.

With regard to audit follow-up visits — this is strictly dependent upon the registrar or other auditing body. Some auditing bodies will follow up on closed CARs during their next scheduled surveillance audit. This allows enough time to pass to evaluate the effectiveness of the corrective action taken.

In most cases, the auditee is required to complete the CAR identifying the root cause and the corrective actions taken to prevent a reoccurrence.

This information is assessed by the auditing body to confirm that a root cause was identified and that the actions taken match the root cause. This is normally done in the form of a desk review.

Due to the costs involved and other logistics, rarely will any auditing body want to come out to verify each corrective action taken. This is usually something for the internal audit staff to perform as a part of their audit activities.

I hope this helps.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX

ISO Standard Audit and Confidential Information

Reviewing confidential files, training records, human resources files

Q: During an external audit, what records are we allowed to keep confidential – e.g. human resources records? Certain records pertaining to new business leads or accounting matters? Specifically, my question is related to audits to the ISO 9001:2008 Quality management systems–Requirements and ISO 13485:2003: Medical devices — Quality management systems — Requirements for regulatory purposes standards.

A: The “scope” of any audit is the quality management system (QMS) as found in the ISO standard for quality management. Areas such as finance, marketing plans, sales goals, and other business-related topics are not part of a QMS audit.

It should be understood that during the audit, potential areas of conflict between the auditor and auditee might exist. The most common is when the auditor wants to see training records and the auditee claims them to be a confidential part of HR records. The auditor needs to be a diplomat here and explain that only the training record is needed and not the entire HR record.

Also, it is not uncommon for the auditee to require the auditor to sign a non-disclosure agreement stating that the auditor(s) will keep everything observed during the audit confidential between the parties.

Again, the scope of the audit, usually agreed to ahead of time, is the QMS — not any business-related matters.

Jim Werner
Voting member to the U.S. TAG to ISO TC 176
Medical Device Quality Compliance (MDQC), LLC.
ASQ Senior Member