Have you ever felt a feeling of insecurity and stress hearing that an audit is coming? Moreover you must take part in it as an auditee? Unfortunately, it is not well remarked because it means a verification/control. Consequently, it may reveal a non-compliance with the requirements against which it is carried out.
But is it really to be feared? To answer this question one has to realize firstly, what it is and secondly, what its role is. In fact, only then it can be appreciated as an effective tool to prevent any nonconformity and to help top management achieve the organisation’s goals.
Audit – what is it?
The word audit comes from the Latin verb “audire” and means to hear, to listen.
In my first article on the QualityWise.pl blog, I emphasized that the ISO 9000:2015 terminology standard should not be ignored. You will find in it the basis for understanding the definitions related to quality management system.
Therefore, I will refer to the definition contained in this standard:
Audit is a systematic, independent and documented process of obtaining objective evidence and evaluating it objectively to determine the extent to which audit criteria are met.ISO 9000:2015, Quality management systems — Fundamentals and vocabulary, p.3.13.1
Consequently, it shall be scheduled at planned intervals. It is performed by an auditor who shall be independent from the audited area. This means that he/she does not audit his/her work. In other word the auditor cannot be responsible for /coming from the audited area. At the same time the audit requires documenting i.e. report.
Thus audit shall confirm that all the requirements constituting its criteria are met. As a result, the auditor shall not look for nonconformity!
The organization shall conduct internal audits to provide information on its quality management system. That is to say if it conforms to the organization’s own requirements for QMS and to the requirements of standard.
In fact organization gets an information if quality management system is effectively implemented and maintained.
Audits in the organization are conducted in accordance with the audit program.
An audit program is one or more audits planned for a specific time frame and with a specific purpose.ISO 9000:2015, Quality management systems — Fundamentals and vocabulary, p.3.13.4
ISO 9001: 2015 in clause 9.2.2 a) requires the organization to plan, establish, implement and maintain the audit program(s) including the frequency, methods, responsibilities, planning requirements and reporting taking into account the importance of processes, changes affecting the organization and the results of previous audits.
In contrast, IATF 16949 in clause 220.127.116.11 requires the organization to have a documented internal audit process. The process shall include the development and implementation of an internal audit program that covers the entire quality management system including quality management system audits, manufacturing process audits and product audits (I’ll talk about it in a moment).
In addition audit program priorities shall be based on risks, internal and external performance trends, and process criticality.
Being more precisely:
According to the basic definition of an audit, it is performed on the basis of the criteria required in ISO 9001: 2015 clause 9.2.2 b) …
Audit criteria – a set of policies, procedures, or requirements that are referenced for obtaining objective evidence (i.e. data that confirms the existence or truth of something) from an audit.ISO 9000:2015, Quality management systems — Fundamentals and vocabulary, p.3.13.7
… to obtain evidences / findings / conclusions.
Audit evidence – records, statements of fact or other information that is relevant to the audit criteria and that is verifiable.ISO 9000:2015, Quality management systems — Fundamentals and vocabulary, p.3.13.8
Audit findings – results of the evaluation of the collected audit evidence against the audit criteria.ISO 9000:2015, Quality management systems — Fundamentals and vocabulary, p.3.13.9
Audit conclusion – audit result after considering the audit objectives and all audit findings.ISO 9000:2015, Quality management systems — Fundamentals and vocabulary, p.3.13.10
There are following categories of audits:
- internal audit, i.e. first party audit,
- external audit, i.e. second and third party,
- combined audit,
- joint audit.
Internal audits are called first party audits and are carried out by or on behalf of the organization itself. Such audits serve as input data for a management review. They can also be helpfull for other internal purposes, e.g. gap analysis, management decision making, etc.
External audits are for second and third party audits. In the case of the other party, such audits are carried out by customers or at suppliers. In IATF 16949, 18.104.22.168.1, you can find the requirements for these audits as part of supplier monitoring. Third party audits, on the other hand, are carried out by independent auditing organizations. Examples are such as certification / compliance bodies or government agencies. Such audits may be used for certification, granting a license or award, verification of claims, etc.
Combined audits concern the auditing of two or more management systems carried out simultaneously at one auditee [ISO 9000:2015, Quality management systems — Fundamentals and vocabulary, p.3.13.2].
Joint audits are in turn carried out on one auditee by two or more audit organizations [ISO 9000:2015, Quality management systems — Fundamentals and vocabulary, p.3.13.3].
Types of audits
Within the auditing categories listed above, the following types of audits are also distinguished in the quality management system:
System audit is an audit of the system implemented in the organization e.g. quality, environment, health and safety etc. It checks its suitability, adequacy and effectiveness of all activities in the area of the entire system.
IATF 16949 in clause 22.214.171.124 requires the management system audit to be performed over a three-year audit cycle and during the audits the organization shall take into account the customer-specific requirements for the quality management system to verify their effective implementation.
Firstly process audit is to verify whether it is carried out in accordance with its design. Usually, secondly it is performed in accordance with process flow description.
IATF 16949 in 126.96.36.199 requires the organization to audit all manufacturing processes over a period of three calendar years to determine their effectiveness and efficiency using customer-specific required approaches for process audits i.e. VDA 6.3 approach. However, if not specified by the customer, the organization shall define the approach to be used.
Additionally, each production process shall be audited on all working shifts it occur taking into account the shift handover.
Moreover, the manufacturing process audit shall include an audit of the effective implementation of the process risk analysis such as (PFMEA), control plan and related documents.
Product audit focuses only on monitoring products ready for shipment against the requirements set out in technical specifications, drawings, standards and statutory regulations.
IATF 16949 in Clause 188.8.131.52 requires a product audit, using a customer-specific required approach, at the appropriate stages of production and delivery to verify conformity to specified requirements. Again, where not defined by the customer, the organization shall define the approach to be used i.e. VW requires VDA 6.5 approach.
How to conduct an audit?
The guidelines for auditing management systems are included in the ISO19011 standard. The scope of this standard clearly defines the principles of auditing, managing the audit program, conducting audits of management systems and assessing the competence of auditors.
ISO 19011: 2015 defines the steps for conducting an audit as shown in the figure below.
According to ISO 9001 in clause 9.2.2. relevant to audit stages is:
- ensure that audit results are reported to relevant management,
- take appropriate correction and corrective actions without undue delay,
- retain documented information as evidence of the implementation of the audit program and the audit results.
Unfortunately, we have a nonconformity!
If the auditor collects objective evidence of non-compliance with the requirement, the audit results in nonconformity (NC). It shall be written down along with the supporting evidences.
In case of QMS certified for compliance with ISO 9001: 2015 and the IATF 16949 standard, there is no requirement to establish major or minor nonconformity.
But there is some valuable guidance in ISO19011, which is a guideline applicable to the above mentioned standards. Nonconformity can be graded depending on the context of the organization and its risks! This grading can be quantitative e.g. from 1 to 5 or qualitative like a minor or major nonconformity.
Thus, the gradation of nonconformity is an individual matter to the organization. However, established in internal procedure in the quality management system will already become a mandatory requirement.
Non-compliance on IATF 16949 third party audit
The subject of nonconformity raised during the third-party audit of IATF 16949 is a bit different. The type of nonconformities is clearly defined by Rules for achieving and maintaining IATF Recognition 5th Edition for IATF 16949. It contains a clear definition of minor and major nonconformity
- minor nonconformity – failure to meet the requirements of IATF 16949, which, based on experience, does not lead to failure of the quality management system or limitation of its ability to provide supervised processes and products. It could be one of the following situations:
– the reliability of the part of the quality management system related to compliance with IATF 16949;
– individual failure to meet one of the elements of the organization’s quality management system.
- critical nonconformity – meeting one or more of the following conditions:
– Absence of a system or failure of the existing system to meet the requirements of IATF 16949. Several minor nonconformities in relation to one requirement may lead to a system failure and is thus considered a critical nonconformance.
– Any nonconformity that is likely to lead to the delivery of a non-compliant product. A condition that may lead to the unreliability of products or services or significantly reduce the fitness of the products for their intended purpose.
– Nonconformity which, based on experience, may lead to a failure of the quality management system or significantly reduce its ability to provide supervised processes and products.
Contrary to ISO 9001: 2015, IATF 16949 standard in section 7.2.3 describes in detail the requirements for auditors, also referring to ISO 19011. First of all, the organization shall have a documented process of verifying whether internal auditors are competent, taking into account any requirements defined by the organization and/ or customer-specific requirements. The organization shall maintain a list of qualified internal auditors.
Quality management system auditors
Quality management system auditors shall be able to demonstrate the following competencies in understanding:
- the process approach to automotive audit, including risk-based thinking;
- applicable customer-specific requirements;
- ISO 9001 and IATF 16949 requirements related to the scope of the audit;
- core tool requirements related to the scope of the audit;
- how to plan, conduct, report, and close out audit findings.
Manufacturing process auditors
In addition, manufacturing process auditors shall demonstrate a technical understanding of the relevant manufacturing processes to be audited. Also process risk analysis (e.g. PFMEA) and control plan are included.
At a minimum, product auditors shall demonstrate competence in understanding of product requirements and the use of relevant measurement and test equipment to verify product conformity.
Maintaining and improving the competences of the internal auditor shall be demonstrated through:
- executing a minimum number of audits per year as agreed internally by the organization;
- maintaining knowledge of relevant requirements based on internal changes (e.g. process technology, product technology) and external changes (e.g. ISO 9001, IATF 16949, core tools and specific customer requirements).
Requirements for second party auditors are described separately in IATF 16949 Clause 7.2.4. For them, the most important supplement to the above is having knowledge of the processes audited. Moreover knowledge of the requirements of their own organizations towards suppliers is also required.
Auditor’s bane – customer specific requirements (CSR)
Why a bane?In automotive CSRs are a very broad issue, especially when you have many OEMs. I also once got a nonconformity on a third party IATF audit. It refered to planning CSRs auditing on internal audits over the entire three-year audit cycle. Unfortunately, this nonconformity was not easy to close…
IATF 16949 in Clause 184.108.40.206 requires that during its audits, the organization shall take into account the specific requirements of the customers for the quality management system in order to verify their effective implementation.
So, what are Customer Specific Requirements, so called CSRs?
CSRs are interpretations or supplementary requirements related to a specific part of the IATF 16949 standard for the quality management system in the automotive industry.
Therefore, if we have any customer requirements that do not refer to the IATF 16949, then we only speak about “Customer Requirement”, e.g. requirements contained in contracts.
Above all, CSR shall be considered when auditing the quality management system processes, focusing on all IATF OEM members. Nevertheless, the CSRs of customers who are not IATF members are also audited. Although in the case of an IATF third party audit, they will not be prioritized. The organization’s internal audit process shall provide CSR sampling to verify its effective implementation.
In conclusion audit as an independent verification of activities in the organization in terms of its criteria. It leads to an assessment of the organization condition and (if nonconformity occurs) to the corrective actions. The results of the audits are the input for the management review in accordance with ISO 9001: 2015 point 9.3.2. Therefore, internal audit may be helpful in achieving organizational goals. Thus it is a systematic and methodical approach to assessing the suitability, adequacy and effectiveness of organization management. Similarly, it can be treated as a tool to improve the organization and bring it value added.
Hope you found the article interesting. Let me know in the comment!
Thank you for your presence.
Agata Lewkowska Ph.D.
PS. If I can help you with quality management issues, please contact me. You may also join me in my private group on Facebook: ISO 9001 & IATF 16949 QualityWise Group.
This article was based on the following literature:
- ISO 9000:2015 Quality management systems — Fundamentals and vocabulary
- ISO 9001:2015 Quality management systems — Requirements
- IATF 16949: 2016 Requirements for quality management systems in serial production and the production of spare parts in the automotive industry, 1st edition, 2016
- Rules for achieving and maintaining IATF Recognition 5th Edition for IATF 16949
- ISO 19011:2018 Guidelines for auditing management systems
All content on the qualitywise.pl website is a private interpretation of publicly available information. Any convergence of the described situations with people, organizations, companies is accidental. The content presented on the website qualitywise.pl does not represent the views of any companies or institutions.