Sounds like your auditor is trying to insert him/herself into your company's business. Nowhere in the standard does it or will it ever say anything about "deep enough", which is clearly a subjective thing. He/She probably needs to be reminded that your company is the customer of his/her company, and by extension, he/she is a supplier to you and your company. This is obviously not so easily communicated, but it is still valid. Nothing says you cannot challenge the auditor. If he/she tries that major NC threat nonsense, he/she will need to enumerate exactly what aspect of the standard you are failing to meet.
The final statement in 10.2.1 is, "Corrective actions shall be appropriate to the effects of the nonconformities encountered."
As long as you can provide evidence that your company has met the requirements of 10.2.1 a-f, he will be hard pressed to issue a nonconformance.
Also notice that 10.2.1 e and f state that (paraphrased), (e) the organization will update risks and opportunities determined during planning (RCA) as necessary, and (f) make changes IF necessary – meaning that, if you have identified risks, you should communicate them (like the cost of action vs. the benefit and probability of compliance from vendors) and IF actions are necessary, based on all factors (including risk), take them.
Don't let him or her push you guys around.
Director of Quality
Pierce Distribution Services
815-963-2841 (EXT 2229) - Office
815-298-1053 - Cell
www.PierceDistribution.com P Please consider the environment before printing this e-mail.
The information contained in this message may be privileged, confidential, and protected from disclosure. If the reader of this message is not the intended recipient, or any employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer.
You hit it on the head, David.
The organization not the auditor, the organization ensuring the effectiveness of the actions taken, and the lack of "ROOT" all speak to the fact that the auditor is NOT in charge of ANYTHING.
Loved idea of reversing the why-why analysis on him for the nonconformance.