IATF 9.2.2.1 Internal Audit how to determine risk

Whiskey

Info Seeker
I've read through a few posts about this clause but I still don't think I quite get it.

Currently we are ISO 9001 and transitioning over to IATF 16949, and I'm trying to make a 3-year audit calendar to spread out a few of our audits over this three-year period.
I believe that some processes can be audited every 2 or 3 years due to strong documentation and previous audits showing pretty much the same results for years, while others should be audited 1-2 times a year because that's where most of our nonconformances come from.

Based on the following line, how do you determine or show risk? Should I have some sort of risk chart in our Audit procedure or just label things as high/med/low risk on the audit schedule?
9.2.2.1 - Internal Audit Programme: "The audit programme shall be prioritized based upon risk, internal and external performance trends, and criticality of the process(es)."

ScottK

Not out of the crisis
Leader
Super Moderator
I would make a simple RPN type chart with 3 columns - Internal Trends, External Trends, Criticality and then write into the procedure that a score of 1 to X is every three years, X+1 to Y is every two years, Y+1 to Z is annual, Z+1 and up is 6 months... something like that.
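As an added example (not code from any poster in this thread): a small Python model of the three-column RPN-style chart described above, with an assumed 1-to-5 rating scale and assumed X/Y/Z thresholds, plus the review triggers the clause names later in the thread (process changes, nonconformities, customer complaints) used to shorten a cycle. The process names and ratings are constructed sample data.

```python
from dataclasses import dataclass

# Assumed scale (the post leaves X, Y, Z open): each factor is rated 1 (low) to 5 (high)
# and the three ratings are multiplied FMEA-style into a risk priority number (RPN), 1..125.
@dataclass
class ProcessRisk:
    name: str
    internal_trend: int         # internal nonconformity / audit-finding trend
    external_trend: int         # customer complaint, PPM, external audit trend
    criticality: int            # impact of the process on product conformity
    process_changed: bool = False   # review triggers named in 9.2.2.1, re-checked
    internal_ncs: int = 0           # at each management review
    customer_complaints: int = 0

def rpn(p: ProcessRisk) -> int:
    for v in (p.internal_trend, p.external_trend, p.criticality):
        if not 1 <= v <= 5:
            raise ValueError(f"{p.name}: ratings must be 1..5, got {v}")
    return p.internal_trend * p.external_trend * p.criticality

# Assumed thresholds (the X, Y, Z of the post): (upper RPN bound, months between audits).
BANDS = ((8, 36), (27, 24), (64, 12))

def base_interval_months(score: int) -> int:
    for upper, months in BANDS:
        if score <= upper:
            return months
    return 6   # Z+1 and up: every six months

def adjusted_interval_months(p: ProcessRisk) -> int:
    """RPN band first, then tightened by the clause's review triggers: a customer
    complaint forces the shortest cycle, a process change or internal NC halves it."""
    months = base_interval_months(rpn(p))
    if p.customer_complaints > 0:
        return 6
    if p.process_changed or p.internal_ncs > 0:
        months = max(6, months // 2)
    return months   # only ever shortened here; loosening is left to management review

def audit_programme(processes):
    """Return [(name, rpn, months)] from highest to lowest audit priority."""
    rows = [(p.name, rpn(p), adjusted_interval_months(p)) for p in processes]
    return sorted(rows, key=lambda r: (-r[1], r[2], r[0]))

# Constructed sample processes, not data from the thread.
SAMPLE = [
    ProcessRisk("Document control", 1, 1, 2),
    ProcessRisk("Incoming inspection", 2, 2, 3, process_changed=True),
    ProcessRisk("Final assembly", 4, 3, 5, customer_complaints=1),
    ProcessRisk("Heat treat", 5, 4, 5),
]
```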
 

Whiskey

Info Seeker
I would make a simple RPN type chart with 3 columns - Internal Trends, External Trends, Criticality and then write into the procedure that a score of 1 to X is every three years, X+1 to Y is every two years, Y+1 to Z is annual, Z+1 and up is 6 months... something like that.
That seems simple enough. I'm probably just overthinking everything due to my limited experience.
Thank you, your answer is much appreciated.
 

John C. Abnet

Teacher, sensei, kennari
Leader
Super Moderator
Should I have some sort of risk chart in our Audit procedure or just label things as high/med/low risk on the audit schedule?

Good day @Whiskey;
You've indeed received some valid counsel, but please allow me to prompt some additional consideration...

I always counsel my clients to think twice (three times even!) prior to creating anything additional. ESPECIALLY anything that requires someone to maintain/manage. Be careful or you will create the proverbial monster that demands being fed.

Instead, I would advise you to consider what analysis is ALREADY taking place in your organization. For example, current metrics likely include IPPM, # of customer complaints, etc., etc. Consider what is ALREADY important to your organization, and then if one of those aspects "fails" or Paretos as a "big hitter", adjust your internal auditing accordingly. What is on your schedule as "once" in three years may suddenly be determined to need auditing NOW and then more frequently. What is on your schedule as "thrice" over three years may be able to be reduced to "once".

And of course don't forget other required primary drivers of priority as stated in 9.2.2 =
"... changes affecting the organization, and the results of previous audits..."
It is NOT possible to include these drivers of priority on a static schedule because we cannot see into the future.

Remember... a static risk ranking register is exactly that. STATIC. And of course we know that risks and opportunities can (do) swing/change through the course of time. Adjusting your "schedule" and not allowing it to become fixed is the true intent of ...
"shall be prioritized based upon risk, internal and external performance trends, and criticality of the process(es)."

Hope this helps.
Be well.
 

ScottK

Not out of the crisis
Leader
Super Moderator
Good day @Whiskey;
You've indeed received some valid counsel, but please allow me to prompt some additional consideration...

I always counsel my clients to think twice (three times even!) prior to creating anything additional. ESPECIALLY anything that requires someone to maintain/manage. Be careful or you will create the proverbial monster that demands being fed.

Instead, I would advise you to consider what analysis is ALREADY taking place in your organization. For example, current metrics likely include IPPM, # of customer complaints, etc., etc. Consider what is ALREADY important to your organization, and then if one of those aspects "fails" or Paretos as a "big hitter", adjust your internal auditing accordingly. What is on your schedule as "once" in three years may suddenly be determined to need auditing NOW and then more frequently. What is on your schedule as "thrice" over three years may be able to be reduced to "once".

And of course don't forget other required primary drivers of priority as stated in 9.2.2 =
"... changes affecting the organization, and the results of previous audits..."
It is NOT possible to include these drivers of priority on a static schedule because we cannot see into the future.

Remember... a static risk ranking register is exactly that. STATIC. And of course we know that risks and opportunities can (do) swing/change through the course of time. Adjusting your "schedule" and not allowing it to become fixed is the true intent of ...
"shall be prioritized based upon risk, internal and external performance trends, and criticality of the process(es)."

Hope this helps.
Be well.

I hear that, but...

One would hope it's not static, as part of the review of the health of the QMS and associated processes would be to periodically re-evaluate such criteria. Like a PFMEA, it is supposed to be a living document, changing with the times and the evolution of the process it documents.
 

AuditFan

Retired
I've read through a few posts about this clause but I still don't think I quite get it.

Currently we are ISO 9001 and transitioning over to IATF 16949, and I'm trying to make a 3-year audit calendar to spread out a few of our audits over this three-year period.
I believe that some processes can be audited every 2 or 3 years due to strong documentation and previous audits showing pretty much the same results for years, while others should be audited 1-2 times a year because that's where most of our nonconformances come from.

Based on the following line, how do you determine or show risk? Should I have some sort of risk chart in our Audit procedure or just label things as high/med/low risk on the audit schedule?
9.2.2.1 - Internal Audit Programme: "The audit programme shall be prioritized based upon risk, internal and external performance trends, and criticality of the process(es)."

John has provided all you need to know.
 

AuditFan

Retired
I would make a simple RPN type chart with 3 columns - Internal Trends, External Trends, Criticality and then write into the procedure that a score of 1 to X is every three years, X+1 to Y is every two years, Y+1 to Z is annual, Z+1 and up is 6 months... something like that.

Or you could ask management what keeps them awake at night and go audit that. A LOT simpler...
 

Whiskey

Info Seeker
Good day @Whiskey;
You've indeed received some valid counsel, but please allow me to prompt some additional consideration...

I always counsel my clients to think twice (three times even!) prior to creating anything additional. ESPECIALLY anything that requires someone to maintain/manage. Be careful or you will create the proverbial monster that demands being fed.

Instead, I would advise you to consider what analysis is ALREADY taking place in your organization. For example, current metrics likely include IPPM, # of customer complaints, etc., etc. Consider what is ALREADY important to your organization, and then if one of those aspects "fails" or Paretos as a "big hitter", adjust your internal auditing accordingly. What is on your schedule as "once" in three years may suddenly be determined to need auditing NOW and then more frequently. What is on your schedule as "thrice" over three years may be able to be reduced to "once".

And of course don't forget other required primary drivers of priority as stated in 9.2.2 =
"... changes affecting the organization, and the results of previous audits..."
It is NOT possible to include these drivers of priority on a static schedule because we cannot see into the future.

Remember... a static risk ranking register is exactly that. STATIC. And of course we know that risks and opportunities can (do) swing/change through the course of time. Adjusting your "schedule" and not allowing it to become fixed is the true intent of ...
"shall be prioritized based upon risk, internal and external performance trends, and criticality of the process(es)."

Hope this helps.
Be well.

Thanks for that insight. While things have worked for the company so far, I inherited a messy system and our current metrics are in need of some updating. I hoped that this could give me a good starting point.
I suppose that's why the clause also states "The frequency of audits shall be reviewed and, where appropriate, adjusted based on occurrence of process changes, internal and external nonconformities, and/or customer complaints" and is reviewed in the management reviews. Wouldn't reviewing this for efficiency make it not as "static"? Or am I interpreting things wrong...
 

ScottK

Not out of the crisis
Leader
Super Moderator
Or you could ask management what keeps them awake at night and go audit that. A LOT simpler...

Not in the manufacturing worlds I've been in for the last 30 years. Management will tell you the symptoms they hear about or are reported in KPIs, not the process details that need monitoring.