IATF 9.2.2.1 Internal Audit how to determine risk

#1
I've read through a few posts about this clause but I still don't think I quite get it.

Currently we are ISO 9001 and transitioning over to IATF 16949 and I'm trying to make a 3 year audit calendar to spread out a few of our audits over this three year period.
I believe that some processes can be audited every 2 or 3 years due to strong documentation and previous audits showing pretty much the same results for years, while others should be audited 1-2 times a year because that's where most of our nonconformances come from.

Based on the following line, how do you determine or show risk? Should I have some sort of risk chart in our Audit procedure or just label things as high/med/low risk on the audit schedule?
9.2.2.1 - Internal Audit Programme: "The audit programme shall be prioritized based upon risk, internal and external performance trends, and criticality of the process(es)."
 

ScottK

Not out of the crisis
Leader
Super Moderator
#2
I would make a simple RPN type chart with 3 columns - Internal Trends, External Trends, Criticality and then write into the procedure that a score of 1 to X is every three years, X+1 to Y is every two years, Y+1 to Z is annual, Z+1 and up is 6 months... something like that.
 
#3
> I would make a simple RPN type chart with 3 columns - Internal Trends, External Trends, Criticality and then write into the procedure that a score of 1 to X is every three years, X+1 to Y is every two years, Y+1 to Z is annual, Z+1 and up is 6 months... something like that.

That seems simple enough. I'm probably just overthinking everything due to my limited experience.
Thank you, your answer is much appreciated.
 

John C. Abnet

Teacher, sensei, kennari
Leader
Super Moderator
#4
> Should I have some sort of risk chart in our Audit procedure or just label things as high/med/low risk on the audit schedule?

Good day @Whiskey;
You've indeed received some valid counsel, but please allow me to prompt some additional consideration...

I always counsel my clients to think twice (three times even!) prior to creating anything additional. ESPECIALLY anything that requires someone to maintain/manage. Be careful or you will create the proverbial monster that demands being fed.

Instead, I would advise you consider what analysis is ALREADY taking place in your organization. For example, current metrics likely include IPPM, # of customer complaints, etc., etc. Consider what is ALREADY important to your organization and then if one of those aspects "fails" or Paretos as a "big hitter" then adjust your internal auditing accordingly. What is on your schedule as "once" in three years may suddenly be determined to need audited NOW and then more frequently. What is on your schedule as "thrice" over three years may be able to be reduced to "once".

And of course don't forget other required primary drivers of priority as stated in 9.2.2:
"... changes affecting the organization, and the results of previous audits..."
It is NOT possible to include these drivers of priority on a static schedule because we cannot see into the future.

Remember... a static risk ranking register is exactly that. STATIC. And of course we know that risks and opportunities can (do) swing/change through the course of time. Adjusting your "schedule" and not allowing it to become fixed is the true intent of...
"shall be prioritized based upon risk, internal and external performance trends, and criticality of the process(es)."

Hope this helps.
Be well.
 

ScottK

#5
> Good day @Whiskey;
> You've indeed received some valid counsel, but please allow me to prompt some additional consideration...
>
> I always counsel my clients to think twice (three times even!) prior to creating anything additional. ESPECIALLY anything that requires someone to maintain/manage. Be careful or you will create the proverbial monster that demands being fed.
>
> Instead, I would advise you consider what analysis is ALREADY taking place in your organization. For example, current metrics likely include IPPM, # of customer complaints, etc., etc. Consider what is ALREADY important to your organization and then if one of those aspects "fails" or Paretos as a "big hitter" then adjust your internal auditing accordingly. What is on your schedule as "once" in three years may suddenly be determined to need audited NOW and then more frequently. What is on your schedule as "thrice" over three years may be able to be reduced to "once".
>
> And of course don't forget other required primary drivers of priority as stated in 9.2.2:
> "... changes affecting the organization, and the results of previous audits..."
> It is NOT possible to include these drivers of priority on a static schedule because we cannot see into the future.
>
> Remember... a static risk ranking register is exactly that. STATIC. And of course we know that risks and opportunities can (do) swing/change through the course of time. Adjusting your "schedule" and not allowing it to become fixed is the true intent of...
> "shall be prioritized based upon risk, internal and external performance trends, and criticality of the process(es)."
>
> Hope this helps.
> Be well.

I hear that, but...

One would hope it's not static, as part of the review of the health of the QMS and associated processes would be to periodically re-evaluate such criteria. Like a PFMEA is supposed to be a living document, changing with the times and evolution of the process it documents.
 
#6
> I've read through a few posts about this clause but I still don't think I quite get it.
>
> Currently we are ISO 9001 and transitioning over to IATF 16949 and I'm trying to make a 3 year audit calendar to spread out a few of our audits over this three year period.
> I believe that some processes can be audited every 2 or 3 years due to strong documentation and previous audits showing pretty much the same results for years, while others should be audited 1-2 times a year because that's where most of our nonconformances come from.
>
> Based on the following line, how do you determine or show risk? Should I have some sort of risk chart in our Audit procedure or just label things as high/med/low risk on the audit schedule?
> 9.2.2.1 - Internal Audit Programme: "The audit programme shall be prioritized based upon risk, internal and external performance trends, and criticality of the process(es)."

John has provided all you need to know.
 
#7
> I would make a simple RPN type chart with 3 columns - Internal Trends, External Trends, Criticality and then write into the procedure that a score of 1 to X is every three years, X+1 to Y is every two years, Y+1 to Z is annual, Z+1 and up is 6 months... something like that.

Or you could ask management what keeps them awake at night and go audit that. A LOT simpler...
 
#8
> Good day @Whiskey;
> You've indeed received some valid counsel, but please allow me to prompt some additional consideration...
>
> I always counsel my clients to think twice (three times even!) prior to creating anything additional. ESPECIALLY anything that requires someone to maintain/manage. Be careful or you will create the proverbial monster that demands being fed.
>
> Instead, I would advise you consider what analysis is ALREADY taking place in your organization. For example, current metrics likely include IPPM, # of customer complaints, etc., etc. Consider what is ALREADY important to your organization and then if one of those aspects "fails" or Paretos as a "big hitter" then adjust your internal auditing accordingly. What is on your schedule as "once" in three years may suddenly be determined to need audited NOW and then more frequently. What is on your schedule as "thrice" over three years may be able to be reduced to "once".
>
> And of course don't forget other required primary drivers of priority as stated in 9.2.2:
> "... changes affecting the organization, and the results of previous audits..."
> It is NOT possible to include these drivers of priority on a static schedule because we cannot see into the future.
>
> Remember... a static risk ranking register is exactly that. STATIC. And of course we know that risks and opportunities can (do) swing/change through the course of time. Adjusting your "schedule" and not allowing it to become fixed is the true intent of...
> "shall be prioritized based upon risk, internal and external performance trends, and criticality of the process(es)."
>
> Hope this helps.
> Be well.

Thanks for that insight. While things have worked for the company so far, I inherited a messy system and our current metrics are in need of some updating. I hoped that this could give me a good starting point.
I suppose that's why the clause also states "The frequency of audits shall be reviewed and, where appropriate, adjusted based on occurrence of process changes, internal and external nonconformities, and/or customer complaints" and reviewed in the management reviews. Wouldn't reviewing this for efficiency make it not as "static"? Or am I interpreting things wrong...
 

ScottK

#10
> Or you could ask management what keeps them awake at night and go audit that. A LOT simpler...

Not in the manufacturing worlds I've been in for the last 30 years. Management will tell you the symptoms they hear about or are reported in KPIs, not the process details that need monitoring.
 