1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

9.2.2.1 Internal audit program

Discussion in 'IATF 16949:2016 - Automotive Quality Systems' started by bkirch, Oct 3, 2017.

  1. bkirch

    bkirch Active Member

    Joined:
    Jun 24, 2016
    Messages:
    73
    Likes Received:
    13
    Trophy Points:
    7
    IATF 16949 section 9.2.2.1 has a requirement that states "The audit program shall be based upon risk, internal and external performance trends, and criticality of the process(es)."

    Could anyone share what types of evidence that they might share with an auditor to show that this requirement is being met?
     
  2. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    It's really just putting into words what the previous ISO 9001 8.2.2 stated: "An audit programme shall...based on status and importance". Risks are usually associated with:

    Poor performance (aka "status")
    New/changes in process/technology/people/requirements/suppliers/products and so on.

    Who knows what any one particular auditor may ask for - but I can tell you this, they SHOULD have been asking for that all along and NOT accepting one, two or four (etc) audits a year which just covered the whole standard once a year...based on some (arbitrary) calendar.
     
  3. Quality Kari

    Quality Kari Member

    Joined:
    Oct 3, 2017
    Messages:
    9
    Likes Received:
    4
    Trophy Points:
    2
    My thoughts are your audit findings are to be discussed during Management Review. There it the results or findings will be discussed and based on those findings (non-conformance, acceptance) it should be determined if there are risks to your customers, and if that particular process or system needs to be audited more frequently.
     
  4. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    That may be waaaaay too late. Indeed, it's part of the management review process to revisit risk and opportunities, however, based on a lot of what's common, how can an annual review effectively consider risks uncovered in an audit 11 months before. To be effective, internal audits MUST be planned based on risk as it states in the 9.2.2 additional requirements. So, planning when to do audits MUST (IMHO) consider the things which are risk factors.
     
  5. Quality Kari

    Quality Kari Member

    Joined:
    Oct 3, 2017
    Messages:
    9
    Likes Received:
    4
    Trophy Points:
    2
    Our upper management does a full management review meeting once a month!
     
  6. bkirch

    bkirch Active Member

    Joined:
    Jun 24, 2016
    Messages:
    73
    Likes Received:
    13
    Trophy Points:
    7
    Thanks for the replies. I am currently working on my 2018 audit plans and I going to show that this plan was constructed based on risk and opportunities. The risk are going to be based on internal and external issues that I am aware of through 2017 audits and maybe issues at our customers. I am not sure what the format of all this will end up being, but that is the approach that I am thinking about at this point.
     
  7. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Don't overlook that risks come from the future, too. If you only look at past risks, you'll be always reacting to issues...
     
    normzone and Jennifer Kirley like this.
  8. KalomS

    KalomS New Member

    Joined:
    Aug 17, 2017
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Audit programs should be scheduled around the risks to the business.
    For example:Within the same time frame- One audit could be scheduled for a low risk process. Two to three audits for medium risk processes and three plus audits for high risk processes.
    What people fail to realise is that one of the benefits of an audit is to protect the business and continually improve.
    Take into consideration the potential failures of a system and their resulting effects.
    The stakeholders want to have confidence that you are protecting their interests.
    Therefore, by creating and complying to a focused audit schedule, that will be amended throughout the year dependant on risk, you will comply with the requirements of section 9.2.2.1. and provide confidence, to all stakeholders, that you are focused on improving the business.
     
  9. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    This sounds good - what's the reasoning behind it?
     
  10. KalomS

    KalomS New Member

    Joined:
    Aug 17, 2017
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    The reasoning is: You can clearly demonstrate, to key stakeholders, that the audits are viewed as a business tool not just an ISO/IATF requirement. When planned effectively you focus on the weaknesses within your QMS with a view to monitoring / improving such processes.
     
  11. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Thanks for this. Can you help me with the number of audits you described? For example why would one process be audited 2 or 3 or more times? What data is used to decide?
     
  12. BradM

    BradM Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    394
    Likes Received:
    314
    Trophy Points:
    62
    Location:
    Arlington, TX
    So say you have an internal audit schedule/ procedure/ etc. Let's suppose you choose to audit the calibration department every three years. Why three years and not every six months? The statement may be that due to the nature of the instruments used their risk of non-compliance is low, the previous internal audits have yielded satisfactory or better ratings, there are three customer audits that occur every year that inspect the calibration department, etc.".

    So... what is their risk of non-compliance?
    What is their previous performance?
    Any major changes that might necessitate a review of processes and management?
    Is a particular function/area already being looked at by other functions? Take the calibration for example. If nothing related to calibration is ever looked at, maybe a shorter interval than three years would be warranted. However, if the other processes are audited (like a mfg line and the equipment on it) and the calibration records are reviewed/audited, then, maybe three years is fine.

    Just realize that there aren't unlimited internal audit resources. So you have to classify which areas have the highest risk and audit more often there.
     
    normzone and RoxaneB like this.
  13. normzone

    normzone Well-Known Member

    Joined:
    Aug 3, 2015
    Messages:
    137
    Likes Received:
    77
    Trophy Points:
    27
    My logic for this matter is not documented in my internal audit procedure, but does get referenced in the audit report(s).

    When we have somebody leave the company and their duties are either assumed by a new hire or distributed among others I re-audit that process group, since I view it to be at a higher risk than others.

    When one of our processes is the origin of drama or corrective action than it gets re-audited.

    So, effectively I arbitrarily evaluate risk and audit accordingly. Again, not referenced in the governing documentation, but probably should be.
     
    BradM likes this.
  14. RoxaneB

    RoxaneB Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    926
    Likes Received:
    1,081
    Trophy Points:
    92
    Location:
    Ontario, Canada
    I have a feeling that we're mainly speaking about "one dimensional" internal audits (i.e., typically the audits conducted against the standard's requirements). In a previous job, we had layered internal audits. Yes, there were the normal process audits that were usually conducted to ensure there were no gaps between the requirements of the standard and the processes we had implemented to ensure we met stakeholder requirements. But we also had routine audits - these were typically done out in production and fell within the realm of our routine facilitators and operational supervisors. These audits focused on conformity to the documented work instructions and happened more frequently (i.e., usually 3-5 a week depending on other demands). These audits generated results that allowed for on-the-job training (if it was required) and highlighted some quick wins to improving the process. Analayzing the overall results of these routine audits did provide input into how we planned the higher level audits, but it was an excellent way for production to take on some of the responsiblity in demonstrating our committment to meeting requirements (be it for the standard, the company, or our stakeholders).
     
  15. Serious Man

    Serious Man Active Member

    Joined:
    Oct 24, 2017
    Messages:
    79
    Likes Received:
    28
    Trophy Points:
    17
    In my opinion it is all about answering a question: "How do we determine frequency of internal audits?"
    So, what are inputs, how often we review and maybe revise programs, etc..

    This year I've tried "mathematic" approach to determine frequency of manufacturing process internal audit.
    A - quantity of working shifts of manufacturing process depending on production volume (schedule)
    B - minimum quantity of internal audits per shift
    C - quantity of nonconformities found for individual manufacturing process during last year internal audits
    D - weight of C (50%)
    E - quantity of customer claims related to individual manufacturing process occurred during previous year
    F - weight of E (50%)

    So, internal audit frequency for process 1 was calculated as follows:
    Frequency 1 = A1 (B + (D x C1 / Sum of C) + (F x E1 / Sum of E))

    Not specially sophisticated, but better than personal intuition.
    So in this case program review is performed once per year, but it can be each half year or quarterly.
    Then you shorten period analysed for C and E elements.
     
  16. MCW8888

    MCW8888 Well-Known Member

    Joined:
    Aug 17, 2015
    Messages:
    642
    Likes Received:
    198
    Trophy Points:
    42
    As what Andy said, the requirement was always there - implied. However, the new IATF strengthened the need to drive a risk-based approach to the development and deployment of an organization-wide internal audit programme. So if you have a process that has a lot of problem, then you must audit it more often than the others because this process is a risk to the achievement of your overall Quality Objectives.
     
  17. hogheavenfarm

    hogheavenfarm Well-Known Member

    Joined:
    Jul 30, 2015
    Messages:
    220
    Likes Received:
    160
    Trophy Points:
    42
    I usually present a risk priority matrix in with the management review to show what the audit plan for the coming year will look like. I use the number of findings per audited system, along with repeat problem areas, to generate the risk number.
     
  18. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    5,086
    Likes Received:
    2,553
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Historical stuff is good, but risks also come from planned (and unplanned) changes. What then?
     
  19. hogheavenfarm

    hogheavenfarm Well-Known Member

    Joined:
    Jul 30, 2015
    Messages:
    220
    Likes Received:
    160
    Trophy Points:
    42
    We state that any changes to the processes trigger an immediate first priority audit. Followup is scheduled in 3 months. We never have any unplanned changes, but occasionally there is new equipment put online or new procedures, and that will trigger an audit. I wrote the policies in such a way that I can be pretty flexible to address any changes that may happen.
     
    Andy Nichols likes this.