Hello all,
This is my first time posting in the COVE. I have a question regarding an internal audit for the IT department that needs your advice.
I used a Turtle diagram when commencing the audit. When we went through the "IT Infrastructure" part, I asked about the server room and the required control conditions.
Not only authorized access; I mean temperature and humidity requirements in the server room. The answer was 25 degrees Celsius, without a reference. "Someone" told them a long time ago!
In case the air conditioning breaks down and starts to blow warm air, there will be a notification email to the IT team, and then they will take appropriate actions. No actions are defined either. Also, there is no need to calibrate/verify the temperature monitoring system. To add on, there are no company global requirements about it. These are all the answers from our IT team.
My question is, what is the scope of auditing IT according to IATF 16949? How deep should the auditor go? There are many comments from our internal auditor team that IATF has no specific requirements about IT and the server room; just auditing the data backup system and cyber attacks is enough. Is that true?
Thanks
Fahsai
Well, when I first came to my current job, they used to have an IT Process declared in their Quality Manual and all its iterations. I chose to cut that process from our QMS, but I kept an IT Procedure; this procedure states all the appropriate and required controls to have a good IT response, for equipment, communication, software and hardware, and of course all the contingency plans for cyber attacks, system failure, etc.
As many of the guys already said, IT relies on Clause 7.1.3 Infrastructure and 6.1.2.3 Contingency Plans. Think of IT as an add-on within your plant; at least, if the generation of your product has to carry a kind of programming (embedded software), then you might need a more detailed control, in which case perhaps it would be convenient to name it as a process or include it inside the production process, but if IT is just regular IT like for all of us, you don't need to dig deeper.
As far as I know, IT already has a number of regulations to comply with, like Sarbanes-Oxley and more, so, if IT is not that big a deal, I suggest cutting it from your Processes.