Welcome to Amtivo in the United States, formerly Orion Registrar and ASR

Orion Logo ASR Logo

IATF 9.2.2.1 Audits Explained

Get Started Today

  • Customized certifications
  • Located nationwide
  • Save time & money
  • No extra or hidden fees
Get a Quote

Audit Program

IATF 9.2.2.1 requires developing and implementing an internal audit program that includes system, manufacturing process, and product audits.

That’s great, but…..what exactly is an audit program? Many believe it’s simply a schedule where they plot all the QMS processes and assign an annual frequency.

ISO 19011: 2018 defines an audit program as “arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose”

To completely fulfill that definition, an IATF audit program needs to include the following:

  • At a minimum, all types of audits: system, manufacturing process, and product audits.
  • A schedule based on risk and changing factors
  • Scope, objectives, and criteria for each type of audit
  • Auditor competency requirements, both for new auditors and ongoing demonstration of competency
  • Audit methodology includes required inputs, outputs, and working documents.
  • Reporting requirements for Management Review

Audit Types

The scope of the audit program must include all types of applicable audits required by IATF:

  • System
  • Manufacturing Process
  • Product

Customer-dictated approaches to audits, as defined in applicable Customer Specific Requirements (CSR), will impact the scope of the audit program, e.g., CQI audits, LPAs, ongoing control plan requirements, annual layouts, etc.

Risks

IATF identifies some risk factors, such as:

  • Internal and external nonconformances from all audit types, internal metrics, etc
  • Customer complaints, concerns, or feedback, including field/warranty issues

But other risk factors could/should also be considered, including (but not limited to):

  • Process changes due to launches, changes in production volumes, new production or inspection equipment, new suppliers, shutdowns, overhauled equipment or tooling, etc.
  • Significant changes in internal or external issues or interested parties
  • Changes in legal or accreditation requirements

Scope, Objectives & Criteria

The audit program needs to identify the scope, objectives, and criteria for each type of audit and should answer these questions:

  • What is the purpose of this audit type?
  • How is the effectiveness of this audit type to be measured?
  • What are the management system boundaries of this audit type?

Audit Program – Competency

IATF 16949 7.2.3 contains requirements for the system, manufacturing process, and product auditor competency. Still, competencies for all types of auditors would be included in the audit program, including the person(s) managing the audit program.

Competencies may be defined in the required documented process, per the IATF requirements, in a supplemental training checklist, in roles & responsibilities document, etc.

Competency requirements would include an ongoing demonstration of competency via a minimum number of audits, refresher training, and updates to revised requirements via Sanctioned Interpretations, FAQs, or complete standard revisions.

Audit Program – Methods

Audit methodology includes the “how” of the actual audit and should follow ISO 19011 guidelines, as referenced in ISO 9001, 9.2.2

Methods may include:

  • Document Review / Planning
  • Assignments
  • Opening/Closing Meetings
  • Information collection, review, and conclusions
  • Preparing Findings
  • Generating the audit report
  • Follow-up

Results of Management Review

IATF 16949 9.2.2.1 requires Management Review to include a review of the audit program effectiveness.

This can be evaluated against not only the metric assigned to the internal audit process, if it’s defined as a process but also other indirect metrics, such as scrap, customer PPM, launch metrics, etc.

The review of the internal audit program’s effectiveness is not simply reviewing audit results; it’s an evaluation of whether the internal audits are achieving desired outcomes, pushing the management system forward, and reducing adverse risks within the company.

Types of Audits

IATF 16949 identifies three unique types of audits. All should be included on the schedule and considered when the client develops their audit program.

System Level audits:

This is the audit of the QMS processes, as defined in the client’s Quality Manual, as required by IATF 7.5.1.1c. These audits must touch all elements of the IATF standard.

IATF 9.2.2.2 requires that all QMS processes be audited at least once in a 3-year calendar period, although the frequency is up to the client based on risk.

System-level audits must be conducted using the process approach. In addition, they must include a sampling of customer-specific requirements to confirm effective implementation.

There is nothing prohibiting a company from auditing all processes every year. Still, it raises the question of whether they’ve considered the risks associated with each process and changing conditions within their business.

Manufacturing Process Audits:

All manufacturing processes must be audited over a 3-year calendar period to analyze their effectiveness and efficiency. These audits must be done using customer-dictated approaches if they exist.

The purpose of these audits is to confirm process controls as designed and implemented.

Examples of customer approaches include CQI audits, such as CQI-9 for heat treatment or CQI-15 for welding, or layered process audits (LPA).

If the customer does not have a specified method for conducting manufacturing process audits, the company must define its approach, e.g., control plan audit, CQI audit, etc.

Regardless of the approach, these audits must include:

  • Auditing on all shifts where they occur
  • An appropriate sampling of shift transition
  • Usage of the process documents, such as PFMEA, control plan, and work instructions

Product Audits:

These audits focus on product characteristics to confirm that the measurement system, manufacturing process, and associated controls can produce a part that meets the customer and/or internal specifications.

As with manufacturing process audits, customers may have a designated approach to confirming ongoing product conformance.

Methods prescribed by the customer may include:

  • Annual layouts
  • Job Audits in CQI documents
  • Specific Control Plan checks

If the customer doesn’t specify, clients must define their own approaches, such as ongoing quality audits, inspections, annual verifications, or dock audits.

Some customers have requirements for LPA (Layered Process Audits) that include both process and product elements.

Some customers, such as GM or Stellantis, require additional elements, such as charting results or daily quality checks as part of the LPA process.

Auditing Internal Audits:

Start with the audit program to understand the various types of audits identified, the structure of the schedule, competencies, methods, and changes based on risk.

For manufacturing process and product audits, we must ask whether there are customer-specified approaches and verify whether those requirements have been implemented.

If there are customer-defined methods, ensure those are included in the audit program.

If there are no customer-defined methods, then the next step would be to verify the client’s approach to their audit program, including:

  • Identification of all audit types in the audit program
  • Audit program rationale and updates based on risks or changes
  • Inclusion in the required documented process for internal audits
  • Auditor competency
  • Documentation and Records

Get Started on Your Certification Journey Now

Your certification costs will depend on the size of your business, location, and the sector you’re in.

footerCta amtivo group