Search the Elsmar Cove!
**Search ALL of Elsmar.com** with DuckDuckGo including content not in the forum - Search results with No ads.

Information Technology in IATF 16949 audit scope

#1
Hello all,

This is my first time post in the COVE. I have question regarding internal audit for IT dept that need your advise.

I used Turtle diagram when commencing the audit. When we go through the "IT Infrastructure" part, I asked about the server room and the required control condition.

Not only the authorized access, I mean temperature and humidity requirements in the server room. The answer is 25 degree Celsius without reference. "Someone" told them a long time ago !

In case the air conditioning broken down and start to blow warm air, there will be a notification email to IT team, then they will take appropriate actions. Not actions are defined as well. Also, no need to calibrate/verify the temp monitoring system. To add on, there's no company global requirements about it. These are all the answers from our IT team.

My question is what is the scope of auditing IT according to IATF 16949? How deep the auditor should go? There are many comments from our internal auditor team that IATF has no specific requirements about IT and the server room. Just only audit the data back up system and cyber attack is enough. Is that true?

Thanks
Fahsai
 
#4
I'm wondering why you are auditing the server room and asking such questions. IATF 16949 is about product quality and meeting customer requirements, effectively and efficiently. Are you sure WHY you are asking about these (IT) things, relative to those principles?
 
#5
Every activities in manufacturing are relied on it. Server down is very critical for the users. It can lead to not meeting the customer delivery requirements.And it is the “what” in the turtle diagram. Why we should not consider it?
 
#6
Why we should not consider it?
I didn't suggest you shouldn't consider it, however, I'm wondering WHY you are auditing it. Are you there as part of an audit of the contingency plan? I don't recall seeing anything in IATF 16949 which requires the IT Department to be part of the QMS, or for an audit to consider the questions you posted - access, calibration etc. May I ask who required the audit of the IT department?
 

Coury Ferguson

Moderator here to help
Staff member
Super Moderator
#7
I didn't suggest you shouldn't consider it, however, I'm wondering WHY you are auditing it. Are you there as part of an audit of the contingency plan? I don't recall seeing anything in IATF 16949 which requires the IT Department to be part of the QMS, or for an audit to consider the questions you posted - access, calibration etc. May I ask who required the audit of the IT department?
Andy,

Just my opinion on this...I think the IT would be considered resources. Taking that into consideration, ISO9001, para. 7.1 and IATF 16949 para. 7.1.1 would apply.

As to the OP I would say this in my opinion: The IT Department, maintains your computer processes, most likely phone service, and would need to be reviewed to see if the IT Department is maintaining those resources. They would play an important part of your infrastructure. Just my opinion on this.
 

Coury Ferguson

Moderator here to help
Staff member
Super Moderator
#9
It'll be obvious to users if this isn't happening... It won't need an audit.
Wouldn't IT be identified as a process? I think it would. How are they maintaining back-ups, software updates (1st and 2nd Party), maintaining the computers that maybe located out in the manufacturing areas and are being used to read policies, procedures and such... just because it maybe obvious to users, it still would need to be evaluated for risk and importance, in my opinion.
 
#10
IT isn't a process. To answer your question(s) it's going to depend on the organization's approach to addressing the "Context of the Organization" isn't it? I don't see an obvious "requirement" specifically addressing the IT department, other than to "determine, provide and maintain...for the operation of processes and achieve conformity of products."

I'm simply questioning WHY such an audit would be being conducted, against what scope/criteria? When an auditor posts questions pertaining to an audit and there's disagreement (apparently) then, clearly, there's something wrong...
 
Top Bottom