Q: What information and documents are lead auditors not allowed to request from a supplier during a supplier audit?
A: While there is no rule or requirement that prevents an auditor from requesting certain information from a supplier, it is not part of auditing protocol to ask questions that are irrelevant to the purpose and scope of the audit, and the purchasing requirements¹ (such as contracts, specifications and purchase order requirements).
You can expect suppliers to be unwilling to provide sensitive information prior to engaging in an official contract, or in some cases, even after signing the contract. Questions that may go unanswered include: Who are your top customers? What percentage of revenue is attributed to these top customers? What is your gross margin? What is your net profit?
You may be able to research some of these answers for publicly listed companies. Privately held companies may not be inclined to disclose such information. Suppliers also may deny access to documents that they believe contain their intellectual property, trade secrets or key competitive information.
For information that falls within the scope of your purpose, you may wish to use a supplier pre-audit survey or questionnaire, rather than asking during the audit, especially if you have concerns that your supplier will challenge the relevance. There are details you as a customer would genuinely want to know, such as the supplier’s strategic long-term plan for three to five years, a technology roadmap, key suppliers, total inventory of raw materials and overall financial health. This information is required to assess potential collaboration, and opportunities and risks to business continuity. The supplier might perceive this information to be too sensitive to share; however, with your management’s support, you should be able to negotiate access to the facts you need.
Detailed audit planning—coupled with pre-audit meetings with suppliers—should surface any controversial areas ahead of time. For example, consider a supplier audit in which your main focus is to cover a process that happens to be proprietary. There will be no point in visiting the supplier until you have worked out all of the details around the extent of your access.
For instance, you may be interested in auditing process recipe controls, but the supplier may not want to show them to you. You will have to decide if this is a deal breaker. Instead of arm-twisting the supplier to show the recipe, would you be willing to audit several other non-sensitive documents and corresponding controls to make an educated assessment of the supplier’s overall document and records control? Or is it essential that you see the controls exercised in their process recipe?
Remember, effective negotiation is a two-way street. Mutual trust and a solid relationship with the supplier will help enhance access to information. A litmus test might be to ask yourself: Would you provide this information to your customer if asked during an audit? If your answer is yes, you can move forward with confidence. If you have to admit that you would not release similar information about your own organization, you might have to reassess how essential the information is.
As further guidance, ask yourself the questions in Table 1 and consider whether your answers conform to auditing protocol.
Director, quality assurance
SunPower Corp., San Jose, CA
- American National Standards Institute, ANSI/ISO/ASQ QE19011S-2008: Guidelines for Management Systems Auditing—U.S. Version with Supplemental Guidance Added—Section S6.3.3, Second Party Supplier Audits, 2008.
- ASQ Customer-Supplier Division and James L. Bossert, ed, The Supplier Management Handbook, Appendix B, ASQ Quality Press, 2008, p. 253, http://asq.org/quality-press/display-item/?item=H1190 (case sensitive).
- Kausek, Joe, The Management System Auditor’s Handbook, ASQ Quality Press, 2008, p. 28.
- Okes, Duke, “Changing the Boundaries of Supplier Audits,” http://asq.org/cs/2005/07/auditing/changing-the-boundaries-of-supplier-audits-en.html?shl=088186.
- Russell, J.P., ed, The ASQ Auditing Handbook, third edition, ASQ Quality Press, 2005.
Q: Can a contract include a requirement stating that the manufacturer of the materials that will be installed as part of the job must be ISO 9001 and ISO 14000 listed? My question is in reference to a contract I received that is requiring this.
From ASQ’s “Ask the Experts” blog
A: In general, contracts between business entities are enforceable unless they violate laws or are contrary to public policy. Private businesses entering into commercial contracts have a great deal of freedom in establishing contract terms.
One of the common uses of ISO standards is to clearly delineate requirements in commercial contracts. This can, and often does, include requirements for third-party certification of suppliers to ISO 9001:2008—Quality management systems—Requirements and ISO 14001:2004—Environmental management systems—Requirements with guidance for use.
This requirement is usually met by providing a copy of the certificate issued by a third-party certification body (registrar) that lists the name of the organization certified and the scope of the certification.
Based on the information provided with your question, it appears that the question actually relates to a material specification that was included as part of a request for proposal (RFP) from a governmental entity.
The authority of governmental contracting officers is more limited. They must comply with applicable purchasing statutes and regulations. Whether a requirement for certification to ISO 9001 and ISO 14001 is permissible would be determined by reviewing these contracting rules. These rules also often provide mechanisms for contesting the award of a contract if it is believed to be unfair.
There are often opportunities to request clarification of information included in a government-issued RFP. This may be something to consider in this situation because the requirements in this RFP appear to be unclear, such as:
- There is no comprehensive list of certified companies so there is no mechanism for a manufacturer to be listed.
- There is no ISO 14000 standard. There are more than 20 different standards in the ISO 14000 family—each with a different number. I assume the RFP is referring to ISO 14001.
- It is not clear which of the materials specified in the contract must be manufactured by an organization that is certified to the ISO 9001 and ISO 14001 standards.
Chair, ASC Z1-Audit Subcommittee
ENLAR Compliance Services Inc., Largo, FL