IATF 16949® & Internal Auditing: What You Need To Know
Guide to Performing an Effective and Compliant
IATF 16949® Internal Audit
Introduction to IATF 16949® Internal Audits
One of the most critical and valuable activities performed within an IATF 16949® quality management system (QMS) is your company’s internal audit events. A well-planned, conducted, and reported internal audit will allow the QMS to continually improve. An effective internal audit process will also provide evidence of compliance to all of the IATF 16949® components, as well as provide evidence of the effectiveness of your company’s processes and practices. The purpose of this document is to provide guidance on planning and performing an IATF 16949® internal audit. It is our hope that this information and the helpful auditing tools will provide value to your company’s QMS.
Components of the IATF 16949® Internal Audit
There are several components that comprise an IATF 16949® QMS. All of these components need to be included within your company’s internal audit process. If any of these components are not included in your company’s internal audits, then the internal audit process is not fully compliant nor is the internal audit fully effective. These components include:
- The current IATF 16949® Standard, the current IATF 16949® Rules, and the current IATF Sanctioned Interpretations (located at IATFglobaloversight.org)
- The AIAG core tools (APQP, PPAP, SPC, FMEA, MSA)
- All of your company’s customer-specific requirements (CSRs)
- All applicable statutory and regulatory requirements (from your customer as well as legislative bodies such as National Highway Traffic Safety Administration (NHTSA) or Federal Motor Vehicle Safety Standards (FMVSS)
- Your company’s internal processes, procedures, and practices
Types of IATF 16949® Internal Audits
According to IATF 16949® (section 9.2), there are 3 types of required internal audits:
- QMS audit – this is a full internal system audit that includes the main manufacturing site as well as any support locations. This internal audit must include the five components identified above. Many CSRs include additional requirements than those identified in the IATF 16949® Therefore, be sure to consult all CSRs to determine your company’s requirements.
- Manufacturing process audit – this is an audit of the manufacturing (and manufacturing support) activities. This audit must include all manufacturing shifts, include evidence of shift handover, and include APQP output such as FMEAs and Control Plans. Many CSRs include additional requirements for the process audits (such example is the FCA CSR 220.127.116.11 requiring Layered Process Audits). The CSRs may require Layered Process Audits (LPA), Error Proofing Audits, Control Plan Audits, New Launch Audits. It is critical to consult the CSRs and ensure compliance with the customer’s requirements.
- Product Audit – this audit is a check of production and delivery (packaging/labeling) to ensure requirements are being met. Some organizations refer to these audits as “dock audits”. Again, consult CSRs to determine the product audit approach that may be required by your customer.
Knowledge. Expertise. Experience.
Outsource Your Internal Audits
Selecting Internal Auditors
According to IATF 16949® (section 7.2.3), there are defined competency requirements for your company’s internal auditors. Of course, your company’s internal audits will only be as strong as the auditor(s) conducting the audit. Although the standard lists minimum competency requirements, an organization may desire to have a higher level of competency required for the internal auditor(s). Thus, providing greater benefits to your company. The minimum QMS auditor competency requirements defined are:
- Understanding the automotive process approach for auditing, including risk-based thinking—this is NOT a checklist audit. Use your internally developed process flow diagrams and turtles (if you use them) to conduct a process-based audit. Also using internal and customer data to drive the direction of the audit trails (a more detailed discussion in the “Performing the Audit” section below).
- Understanding of applicable CSRs (i.e., applicable to your company) – CSRs must be sampled and utilized during the internal audit process.
- Understanding of applicable ISO 9001 and IATF 16949® requirements related to the scope of the audit.
- Understanding of applicable core tool requirements related to the scope of the audit-including APQP, FMEA, PPAP, MSA, and SPC.
- Understanding how to plan, conduct, report, and close-out findings.
These are minimum requirements with the expectation that the auditor has a technical understanding of your company and its processes as well as an improvement plan to build the auditor’s skills. Also, consider the Sanctioned Interpretations (SI number 4) with respect to process and product auditor competencies.
An important consideration is the internal auditor’s initial training. Ensure any trainer has the required competencies identified above (and obtain evidence of those competencies). Also, retain evidence of the internal auditor(s) competencies (e.g., certifications or exam completions). An interested party may ask to review those competency records during an external audit.
Scheduling the Internal Audits
According to IATF 16949® (section 9.2), there are 3 types of required internal audits and each audit needs to be scheduled according to requirements:
- QMS audit-schedule this audit as a full internal system audit that includes the main manufacturing site as well as any support locations. Many CSRs include additional requirements than those identified in the IATF 16949® Therefore, ensure to consult all CSRs to determine your company’s requirements. For example, some German customers may require an internal audit with VDA requirements (VW CSR 9.2).
The schedule must be risk and performance-based. The schedule must be updated on an annual basis and the full system must be audited within 3 years (again based upon risk and performance—may need to audit more frequently if required). Always audit all processes and all of the components of IATF 16949®.
Some important scheduling tips:
- Be sure to include top management and their processes in the schedule.
- Do not forget to include an audit of the internal audit process.
- Ensure that auditors assigned to conduct the audit are independent of the area being audited. They can audit their own department if they can maintain impartiality, but can’t audit their own work.
- The schedule must also include a sample of the CSRs (using the matrix developed to comply with 18.104.22.168d is a useful guide).
- Manufacturing process audit-this is a schedule of the manufacturing (and manufacturing support) activities. This schedule must include all manufacturing shifts, and include shift handover. The schedule should be updated on an annual basis and all manufacturing processes must be audited within 3 years (again based upon risk and performance—may need to audit more frequently if performance is low and/or risk is high).
Many CSRs include additional requirements for the process audits (one such example is the FCA CSR 22.214.171.124 requiring LPAs). The CSRs may require Layered Process Audits (LPA), Error Proofing Audits, Control Plan Audits, New Launch Audits. It is critical to consult the CSRs and ensure compliance with the customer’s requirements and schedule according to the customer’s process.
- Product Audit-schedule this audit to check the production output and delivery criteria (including packaging/labeling) of the product to ensure requirements are being met, again according to risk and performance.
Again, consult CSRs to determine the product audit approach that may be required by your customer.
The schedule (see examples) needs to include the area/process to be audited, the requirements included in the audit, the auditor assigned (remember to maintain independence), the timeframe of the audit, and any other important information. The area’s responsible process owner(s) need to have the schedule before the audit is conducted. This courtesy allows for the area to plan and prepare for the audit event. Remember, the better-prepared everyone is for this event, the less likely significant problems will occur. Also, update the schedule if events change. The best practice is to capture notes with explanations and justification for any schedule changes. The schedule becomes important evidence to support the audit report. Retain the final version of the schedule with the audit records for easy retrieval during an external audit.
Performing the Audit
The focus of this section is the QMS audit event. The process audits and product audits are typically a straight-forward audit process using defined check sheets or APQP output (e.g., control plans and FMEAs).
As with most significant events, starting the internal audit needs a little up-front planning. The automotive process approach requires the review of data to help select the appropriate audit trails for the audit. Start with a desk audit (not auditing anyone face-to-face). Collecting information and data prior to establishing the audit trail. The review should include:
- Review of current CSRs and other components of IATF 16949® for familiarization and to develop questions for the process areas. We have prepared an example of a manufacturing process audit checklist so you can see how many clauses of IATF 16949® form a thread to link different aspects of the standard to ultimately assess the overall effectiveness and performance of the manufacturing process.
- All customer scorecards or customer feedback reports—focusing on your company’s performance and selecting areas of weak performance as audit trails.
- Review of customer complaints and actions taken-selecting trails from known customer issues.
- Review of corrective actions-using the reports to follow up on the effectiveness of actions taken.
- Review the internal metrics or KPIs to determine how each process is performing-again, the trail needs to look at actions to address process performance issues.
- Review any recent launches to set appropriate trails.
- Review any new customers and their respective requirements and processes.
Once data has been reviewed and trails established, the time has come to interview employees and review processes, again using the automotive process approach:
- Start the process path with the defined process owner. Have the process owner explain the process flow (inputs and outputs), review how the process is measured, review the current measures and any actions taken for negative measures, and process risks and opportunities. Use the data collected at the desk audit to complement the information gathered by the process owner.
- Using information from the process owner, the desk review, and internal process control documents, review the process being performed. Always review the inputs, outputs, and expected outcomes. Compare the defined process control and expected outcomes to the actual process and outcomes. Any discrepancy should be considered for a non-conformance.
- Always engage the employees at the process areas, not just the process owner or supervisor.
- Ensure the audit includes the components of IATF 16949® and have a copy of these requirements available to reference during the audit activity:
- The current IATF 16949® Standard, the current IATF 16949® Rules, and the current IATF® Sanctioned Interpretations (located at IATFglobaloversight.org).
- The AIAG core tools (APQP, PPAP, SPC, FMEA, MSA)
- All of your company’s customer-specific requirements (CSRs)
- All applicable statutory and regulatory requirements (from your customer as well as governmental bodies)
- Your company’s internal processes, procedures, and practices
- Keep detailed notes of the audit activity that includes the processes audited, what evidence was reviewed, who was interviewed, which standard section/component requirement was verified, and any other important information (including trails to review in other processes such as supplier information for purchasing, employee names for HR, gage identification for calibration, etc.).
- Manufacturing note: always carry a copy of the control plan, FMEA, and PPAP file (if possible) to compare the observed manufacturing process against the defined process requirements.
- Any discrepancies against an expected outcome, internal process or one of the IATF 16949® components needs to be considered a non-conformance.
- Ensure all non-conformances are written in the trail notes and explained to the process owner before leaving a process area.
Report Creation (including Non-conformances)
At the completion of the audit event, a report should be generated and distributed. The importance of the trail notes becomes apparent at this stage of the process. The trail notes should be used as references to create the audit report and summary. Also, any non-conformances identified during the audit process can be transferred from the audit notes to the corrective action report. The audit reporting activity should include the following steps:
- Use the trail notes and supporting evidence to create the audit summary. The audit summary needs to include what processes were audited, the people interviewed, a reference to what was reviewed (e.g., part number, engineering drawing, purchase order number, etc.), trails that were followed, and the follow-up trails that occurred.
- The summary needs to include output from the desk audit review that defined the trails that were included in the audit.
- Include a copy of the audit schedule with the audit report.
- Summarize any non-conformances identified.
- Record the non-conformances on the corrective action report including:
- Statement of non-conformance (e.g., “the process of product inspection is not fully effective”)
- Requirement the non-conformance is written against (from one of the five components mentioned throughout this report—in this example Honda SQAM 5.2, Procedure 22)
- Process area where the non-conformance was found (e.g., Honda welding line 3)
- Objective evidence to support the non-conformance (e.g., after reviewing the weld nut break test inspection sheet for December 2020, it was identified that the break test was not performed every hour (as required by procedure 22 and Honda SQAM requirement 5.2) -missing 3 hourly checks on 12/11/20 2nd shift).
- When the audit report and corrective action entries are completed, present the report to your company’s management for their review and comment. Ensure that a copy of the report is retained as a quality record.
- The corrective actions should be directed to the responsible process owner for completion.
Management Review and Continuous Improvement
The internal audit results (all three types: QMS, process and product) and the corresponding corrective actions are used as an input into management review (see IATF 9.3.2). Top management needs to fully trust that the internal audits are being completed to schedule and are being performed effectively. If done correctly, the resources being supplied to conduct the internal audits should pay multiple dividends to your company.
Trending some of the important data (recurring non-conformities, similar issues within many processes, top processing concerns, etc.) can also be used to identify systemic issues and apply organizational actions. Thus, internal audits and the corresponding data (including trending of critical measures) create an important input into your company’s continuous improvement activity.
Effective IATF 16949® Internal Audit
Although not comprehensive, the intent of this document is to provide some guidance with your company’s IATF 16949® internal audit process and activities. A well-defined and executed internal audit process will benefit your company by:
- Improving accuracy (and compliance) within your company’s QMS.
- Helping to avoid or eliminate potential customer issues and problems.
- Uncovering any areas of non-conformance, redundancy, and waste…thus adding value to your company.
- Ensuring policies and practices of your company are being implemented effectively.
- Ensuring compliance to the interested parties’ requirements.
Effective internal auditing will provide your company with real value for the resources utilized when you use competent internal auditors. (If you’re interested in determining the cost of conducting your own internal audits, we’ve developed an Audit Cost Calculator that’s free to use.)
If your internal auditors need training to bring their IATF® knowledge and qualifications up to speed, simpleQuE offers onsite IATF 16949® Internal Auditor Training. Or if you don’t have the resources to conduct an effective and compliant internal audit, our automotive quality experts, have the auditing expertise and certified resources to offer true value to your business. Whether you need help with problematic supplier assessments, sourcing evaluations, ongoing supply chain strategy assessments and audits, automotive 2nd party audits (including MAQMSR – Minimum Automotive Quality Management System Requirements), or corporate quality audits – simpleQuE can deliver. Contact us to discuss a customized strategy.
We Can Help: IATF 16949® Experts a Click Away
If you’re searching for an IATF 16949:2016 consultant, our team at simpleQuE is well-positioned to support your IATF 16949® and MAQMSR consulting (Minimum Automotive Quality Management System Requirements), certification, maintenance, training and internal auditing needs. Our consultants are qualified, certified, and are experts on the automotive standards, customer-specific requirements, and AIAG or VDA core tools. In addition, many are current or former 3rd party auditors who bring valuable insight because of the knowledge gained from auditing for certification bodies.
SimpleQuE also offers a full line-up of IATF 16949 training courses which includes AIAG and VDA Core Tools, Root Cause Analysis and Problem Solving, Requirements and Implementation. With IATF® also putting a major focus on internal auditor competency, it is essential to have IATF 16949® Internal Auditor Training. Our IATF 16949® auditor training utilizes the process audit approach. Contact Our IATF® consultants to learn more about the customized services offered to match your certification and training needs.
Obtaining and maintaining IATF 16949®, and meeting all of the related Customer Specific Requirements (CSRs), is difficult, which is why we’ve created free IATF 16949® tools, checklists and resources for your use.
Learn More About The simpleQuE Advantage