I recently conducted an audit on Management Responsibility, and raised a major NC for section 5.6 Management Review. Currently there is no objective evidence of management reviews being conducted, therefore no records being kept either. We are a British company, with an office here in Canada to support DND. The management team believes these reviews are not necessary because we don’t have a stand-alone certificate here in Canada. Although, we do have our own Canadian procedures, and have our own Quality Management System. An auditor from LRQA will be coming to our office this summer for our yearly surveillance audit (re-certification next year). I am afraid he may raise this as an NC as well.
My supervisor is the QA appointed representative, and I maintain the QMS under his watch. We have a monthly QIWT (Quality Integrated Work Team) report that we must submit to our QA representative in the UK on a monthly basis. I write the report, my supervisor reviews it (not documented) and it is then emailed to the UK. This report includes:
- Current year’s objectives (status)
- Documents up-issued within the period
- Audits conducted within the period
- Any open/delinquent nonconformance’s
- Audits planned for the next 3 months
- Any open/delinquent product nonconformance’s
This report is produced by me, my supervisor has a quick look at it, and it is emailed to our QA rep in the UK on a monthly basis. Top management believes this should not have been raised as an NC during the audit, and that this report covers off the requirements listed in the standard for management reviews.
From an internal auditor’s point of view, this report does not cover all of the input/outputs listed in the ISO standard, nor does it include a proper documented management review.
You are correct. The report as described does not constitute evidence of management review. It would count as management review input, but a meeting needs to be held, conclusions drawn, decisions taken, and a record of that meeting retained. An independent certificate is irrelevant – the auditor is coming, likely because you have a corporate certificate, and are one of the sites identified on that certificate.
The good news is that you found this now. The bad news is that you found this well ahead of the audit, with lots of time to correct the issue. If your audit had been closer to that of the registrar, your audit would have been sufficient identification of an issue that was being managed internally. In this case, you have sufficient time to address the issue.
Not having access to your management review procedure is a problem – depending on how it is written, this could be either a major or minor issue. If each location is expected to conduct an independent management review, then you are correct, in that it will be a major non-conformity. If the procedure specifies one management review for the entire corporation / registered entity, then the report may be sufficient input to the management review process. If the procedure is vague, then the non-conformity will likely be a minor.
Have a close look at your management review procedure. At the least, this should open up a constructive discussion regarding the extent and boundaries of the management review process. Well done!
- Ted Uffen, BRC Consultant