IATF 16949:2016 Clause 9.2.2.1 Internal audit programme

Internal audit is a tool to gauge the health of your QMS. You must have a documented procedure for your internal audit process. Your procedure must address the following control requirements:

The scope of your internal audit program must cover:

  • Audit of the QMS – to determine conformity to the IATF 16949 standard;
  • Audit of the QMS – to determine conformity to organizational requirements;
  • Audit of QMS processes and their interaction – to determine if the QMS has been effectively implemented and maintained;
  • Audit of each manufacturing process to determine its effectiveness;
  • Audit of product across all stages of production and delivery – to determine conformity to requirements specified by the customer and regulatory bodies;
  • All shifts involved in activities affecting product or process quality. Note that there may be shifts for manufacturing processes as well as support processes.

You must adjust the audit frequency (and perhaps even the audit scope) of specific QMS processes, manufacturing processes, shifts, and products when:

  • You experience internal or external nonconformities
  • You get customer complaints
  • You have critical or high-risk processes
  • You have frequent or significant changes to processes and product

OEM customers may also specify the scope, frequency, criteria, responsibility, etc., of internal audits. Your annual internal audit program should consider the following:

  • Input from audited area and related areas
  • Key customer oriented processes
  • Process and product performance results and expectations
  • Analysis of quality cost data
  • Capability of processes and use of statistical techniques
  • Effective and efficient implementation of processes (lean manufacturing techniques)
  • Opportunities for continual improvement
  • Relationships with customers 

Over the Certification Body’s (or Registrar) audit cycle (3 years), the CB must audit all of your organization’s processes and their applicable customer-specific requirements. Your internal audit program should be more detailed and exhaustive than the external CB audit. With this outlook in mind, your internal audit program should consider auditing all your QMS processes at least once within the CB 3-year audit cycle (preferably once a year) and some processes more often based on the criteria covered above.

The design process (whether onsite or off-site) should be audited at least once within each consecutive 12-month period. Your internal QMS audit program should include all off-site processes and subcontract ‘sites’ that support your facility. These audits may be done by others, such as head office, sister facility or qualified subcontract auditors.

Audit criteria refers to the specific QMS policies, objectives; IATF requirements; documentation; customer and regulatory requirements, etc., that the audit is referenced to or conducted against. Audit criteria may relate to the whole audit program as well as each individual audit.

Audit methods refer to the specific techniques that auditors use to gather objective audit evidence that can be evaluated to determine conformity to audit criteria. Examples of audit methods include interview of personnel; observation of activities; review of documents and records; etc.

The qualification/training requirements may vary for the different types of audits required by this standard. You must define the minimum qualification/training requirements for internal auditors for each type of audit:

  • Personnel performing QMS audits or manufacturing process audits must have adequate training on
    • the requirements of the IATF 16949 standard;
    • the automotive process approach to auditing;
    • audit practices and audit experience as defined by ISO 19011 and IATF guidance;
    • QMS processes and their interaction; customer requirements and applicable regulatory requirements.
  • Personnel performing product audits must have training on
    • production and delivery processes;
    • audit practices and techniques;
    • product specific customer requirements; and
    • applicable regulatory requirements.

Product specific auditors do not necessarily need training on the requirements of the TS 16949 Standard.

You must have appropriate resources to carry out your annual audit program. These include having sufficient trained auditors available to conduct scheduled audits; sufficient time to perform audits; availability of process personnel to be audited; time and tools to prepare audit records and reports; etc.

Auditor Independence – Auditors can audit their own department provided their objectivity and impartiality are not compromised, but they cannot audit their own work. You must ensure auditor independence when assigning personnel to specific audits.

Process owners must take timely corrective action on nonconformities found in their area. They should use the corrective action procedure (clause 8.5.2) to determine root cause, take action and follow-up to determine if results indicate that the root cause has been eliminated.

Audit results must be summarized and reported for management review. The Management Representative must also report any opportunities for QMS improvement. The MR must analyze the results of each audit as well as the annual audit program to determine strengths and weaknesses in QMS processes, interactions, functions, products, etc., to identify and prioritize opportunities for improvement.

Audit records include – annual audit schedule; audit planning (criteria, scope, frequency, methods, auditor selection and assignment, etc.); auditor competence and training; audit checklists and forms; audit notes and other evidence gathered; audit findings; nonconformity reports; audit reports; corrective actions and follow-up of internal audit nonconformities; analysis of audit program performance indicators and trends; and identified improvement opportunities.

Like all QMS processes, you must have performance objectives (indicators) to measure the effectiveness of your internal audit process and monitor trends in these indicators, to continually improve your audit program. Performance indicators may include reducing the number of late or delayed audits; incomplete audits; incomplete audit records and late reports; auditor errors; auditee complaints; and use of untrained auditors; etc.

9.2.2.1 Internal audit programme

The organization must have a documented internal audit process. The process is to include the development and implementation of an internal audit program that covers the entire quality management system including quality management system audits, manufacturing process audits, and product audits. The audit program is to be prioritized based upon risk, internal and external performance trends, and criticality of the process(es). Where the organization is responsible for software development, the organization must include software development capability assessments in its internal audit program. The frequency of audits is to be reviewed and, where appropriate, adjusted based on occurrence of process changes, internal and external nonconformities, and/or customer complaints. The effectiveness of the audit program is to be reviewed as a part of management review.

The standard requires the supplier to establish and maintain a documented process for planning and implementing internal quality audits. The process must address both planning and implementing audits and should cover the following:

  • Preparing the annual audit program
  • The selection of auditors and team leader if necessary
  • Planning audits of each type
  • Conducting the audit
  • Recording observations
  • Determining corrective actions
  • Reporting audit findings
  • Implementing corrective actions
  • Confirming the effectiveness of corrective actions
  • The forms on which you plan the audit
  • The forms on which you record the observations and corrective actions
  • Any warning notices you send out of impending audits, overdue corrective actions, and escalation actions

Certain activities such as the opening and closing meeting have been omitted for clarity because they are not always needed for internal audits. The product audit process would be somewhat different but the principles would be the same.

These audits should be comprehensive and there is a need to ensure that the audit program covers all aspects of the quality system in all areas where it is to be employed. The coverage of the audit program should be designed so that it obtains sufficient confidence in operations to be able to declare that the system is effective. There may be a need for different types of audit programs depending on whether the audits are of the quality system, processes, products, or services. The audit program should be presented as a calendar chart showing where and when the audits will take place.

All audits should be conducted against a standard for the performance being measured. Examinations without such a standard are surveys, not audits. Audits can also be conducted against contracts, project plans, specifications; in fact, any document with which the organization has declared it will comply. The standard now requires system audits to be conducted to verify compliance with IATF 16949 and any other system requirements.

In order to ensure that your audit program is comprehensive you will need to draw up a matrix showing what policies, procedures, standards, etc. apply to which areas of the organization. The program also has to include shift working so your auditors need to be very flexible.

Internal audit for entire Quality management system

Developing and implementing an internal audit program for the entire quality management system, including quality management system audits, manufacturing process audits, and product audits, is a crucial step in ensuring that an organization maintains a high level of quality and compliance.

Define the scope of the internal audit program, which should cover all aspects of the quality management system, including manufacturing processes and products. Clearly outline the objectives of each type of audit, such as ensuring compliance with regulations, identifying process improvements, and verifying product quality. Assemble a team of skilled and knowledgeable individuals from different departments who will conduct the internal audits. The team should include personnel who are independent from the areas being audited. Develop audit criteria and checklists based on applicable standards, regulations, company policies, and industry best practices. These will serve as guidelines for the auditors during the assessment process. Develop an audit schedule, identifying the frequency and timing of audits for different areas of the quality management system. Prioritize high-risk areas and critical processes for more frequent audits.

Perform the internal audits according to the established schedule and using the criteria and checklists. The audit team should conduct interviews, review documentation, observe processes, and collect objective evidence to assess compliance and effectiveness. During the audits, document any non-conformities or deviations from the established criteria. Also, identify opportunities for improvement in processes or products. Prepare detailed audit reports that clearly outline the findings, including both positive aspects and areas for improvement. Communicate the results to the relevant stakeholders, such as process owners and management.

Work with the respective departments to develop and implement corrective actions for identified non-conformities. Ensure that appropriate actions are taken to address the issues raised during the audits. Follow up on the implementation and effectiveness of the corrective actions. Use the findings from the internal audits to drive continuous improvement in the quality management system. Identify systemic issues and develop plans to address them.

Regularly present the results of the internal audit program to top management during management review meetings. Seek feedback and support from management in addressing identified issues and improving the quality management system. Provide training to the audit team to enhance their auditing skills and knowledge. Ensure that auditors are competent and up-to-date with relevant regulations and standards. Continuously monitor the effectiveness of the internal audit program and make adjustments as necessary. Keep the program up-to-date with changes in regulations, company processes, and best practices.

By following this process, an organization can ensure that its internal audit program contributes to the improvement of the quality management system, manufacturing processes, and product quality, ultimately leading to enhanced overall performance and customer satisfaction.

Prioritizing the audit program

Prioritizing the audit program based on risk, internal and external performance trends, and criticality of the processes is a strategic approach to ensure that resources are allocated effectively and that audits focus on the areas that have the most significant impact on the organization.

Conduct a comprehensive risk assessment of the organization’s processes, products, and quality management system. Identify areas with the highest risks, such as those that could lead to safety hazards, compliance violations, or significant financial losses. Allocate more frequent and thorough audits to high-risk areas.

Analyze internal performance data and metrics to identify trends and areas of concern. This could include data on customer complaints, product defects, process deviations, and internal non-conformities. Focus audits on areas that consistently show performance issues or have experienced recent declines in performance. Monitor external performance data, including customer feedback, industry benchmarks, and regulatory compliance reports. Identify any external indicators of potential problems and include relevant areas in the audit program.

Determine the criticality of each process within the organization. Critical processes are those that have a significant impact on the overall quality of products or services, customer satisfaction, or regulatory compliance. Prioritize audits for critical processes to ensure they are functioning optimally.

Seek input from top management and relevant stakeholders to understand their concerns and priorities. Take into account their perspectives when prioritizing audits, as they may have insights into critical areas that require attention. Ensure that audits are scheduled to meet regulatory and certification requirements. Prioritize audits that are necessary for maintaining compliance with relevant standards and regulations.

Consider the availability of resources, including personnel and time, when setting the audit schedule. Optimize the use of resources by aligning them with the areas of highest priority. Assess the potential impact of conducting audits on risk mitigation and improvement opportunities. Prioritize audits that offer opportunities for significant improvement and efficiency gains.

Adjust the frequency of audits based on the factors mentioned above. High-risk areas or critical processes may require more frequent audits to ensure continuous monitoring and improvement. Continuously review and adapt the audit program based on the changing risk landscape and performance trends. Flexibility is crucial to respond to emerging issues and new priorities.

By employing this prioritization approach, the organization can focus its internal audit efforts on areas that matter most, resulting in a more effective and efficient audit program that contributes significantly to the improvement of the quality management system and overall organizational performance.

Including software development capability assessments in audit program

Including software development capability assessments in the organization’s internal audit program is crucial for several reasons. As the organization is responsible for software development, ensuring the effectiveness and maturity of its software development processes is paramount to delivering high-quality software products and maintaining a competitive edge in the market. By conducting software development capability assessments, the organization can evaluate the efficiency and compliance of its development practices, identify areas of improvement, and mitigate potential risks.

Firstly, software development capability assessments enable the organization to gauge the proficiency of its development teams and processes. It helps in assessing whether the teams possess the necessary skills, tools, and resources to carry out their tasks effectively. By identifying any gaps or deficiencies, the organization can invest in targeted training and development initiatives, thus enhancing the overall competency of its software development workforce.

Secondly, these assessments contribute to the improvement of software development processes. By evaluating the software development lifecycle, code quality, and adherence to best practices, the organization can identify bottlenecks and inefficiencies. This empowers them to implement process improvements, streamline workflows, and adopt industry-standard methodologies, leading to faster delivery cycles and higher-quality software.

Thirdly, software development capability assessments assist in ensuring compliance with relevant standards and regulations. Regular assessments help in verifying compliance, mitigating potential legal and financial risks, and building trust with customers and stakeholders.

Moreover, these assessments provide valuable insights into the security and reliability of the software being developed. By conducting code reviews, vulnerability assessments, and security audits, the organization can proactively identify and address security flaws before software products are deployed to customers.

Ultimately, integrating software development capability assessments into the internal audit program reinforces the organization’s commitment to continuous improvement. It fosters a culture of quality, innovation, and risk management within the development teams, enabling the organization to deliver cutting-edge software solutions that meet customer expectations and drive business success.

Review in MRM

Reviewing the effectiveness of the audit program as part of the management review is a critical aspect of maintaining a robust and successful internal audit process. The management review is a strategic and high-level meeting where top management assesses the overall performance of the organization, including its quality management system and related processes. By including the audit program in the management review, the organization ensures that audits are aligned with the company’s objectives and contribute effectively to continuous improvement.

The audit program’s effectiveness is evaluated during the management review to determine how well it is achieving its intended goals. This includes assessing whether the audit program is identifying areas of non-conformity, opportunities for improvement, and whether corrective actions are being implemented in a timely manner.

Management review provides an opportunity to assess whether the resources allocated to the audit program, such as personnel, time, and tools, are adequate and properly utilized. Any adjustments needed to optimize resource allocation can be addressed during this review.

The management review allows the organization to analyze whether the audit program adequately addresses high-risk areas identified in the risk assessment. It ensures that the most critical processes and areas are audited more frequently and with greater rigor.

Top management can review the audit program’s performance in meeting regulatory requirements and industry standards. This helps to ensure that the organization remains compliant with relevant regulations and maintains any necessary certifications.

Management review provides insights into how the audit program contributes to the organization’s overall improvement efforts. It helps identify areas where the audit process can be enhanced, and it ensures that audit findings are used effectively to drive positive change.

Management review includes an assessment of the effectiveness of corrective actions taken in response to audit findings. This ensures that identified issues are adequately addressed and that improvements are sustained over time.

Reviewing the audit program during management review allows top management to hold responsible parties accountable for the execution and outcomes of audits. It encourages open communication and commitment to the audit process across the organization.

By integrating the audit program into the management review, the organization ensures that audits are aligned with its strategic objectives. It helps focus audits on areas that have the most significant impact on achieving organizational goals.
