What are the rules regarding coverage in internal audits?

[DariusPlumdon]

Can anyone advise what are the rules regarding coverage in internal audits for IATF16949?

The context is that I have been on 2 separate internal audit training courses (one ISO9001 & one ITAF) both with very well known and respected European external certification bodies; these were both over 5 years ago ... so things may have changed.

In both training courses it was explained that the audit starts when you arrange the audit, so work you do as an auditor reviewing and checking documentation (company Quality Policy, Manuals, Processes etc.) is very much included as part of the audit, as even before the opening meeting you may find something the means a finding will be raised, or more likely have questions on particular issues found during the documentation audit. The 'audit' does NOT only start with the opening meeting and is NOT limited to just the interviews and the summary discussion at the end.

In reality in most cases you will cover clauses in both the audit of the documentation AND the interviews; but at occasionally a particular clause may not be discussed/covered during an interview; e.g. coverage focused on other areas in the time allowed with the interviewee, or none of those interviewed worked in that particular area (e.g. engineers interviewed worked on Requirement Generation, Design Specifications and Software Coding, but not Testing)

Both the external certification bodies who provided training said that whilst an auditor should aim to cover these in the documentation audit and the interviews .... in these cases where the auditor has covered the clause(s) in the documentation audit, but not in the interviews that this is acceptable and that you CAN record that the clause has been covered. Is this still the case, or has something changes so all applicable causes to the group be audited must now be covered in interviews?

The reason this is important is that our external auditor wants to check our matrix to ensure we have covered all applicable clauses in our internal audits, but as there are some clauses that are completed by a single department in our organization (e.g. Procurement and Warehouse) they do not get covered in another internal audit.

I am not disputing that the aim/best practice is to cover all applicable audits in the documentation audit AND the interviews or trying to do only a documentation audit and skip the interviews; I want to be practical and honest whilst still meeting the standard requirements.

 

[Jen Kirley]

Hello DariuPlumdon, I am sorry for the delay in this response.

It is true that the audit starts during the initial review of documentation. You can hold an opening meeting that informs the process owner of this, but it has been my experience that a review of documentation prior to tour(s) and interview(s) can take place before the opening meeting as long as the process owner understands this is happening.

Since there are three essential types of inputs: documentation, observed conditions and/or what auditees say, all (though not always will all three be present) should be recorded as evidence. For internal audits I would start with the documentation first, so as to better understand what to expect during tour(s) and interview(s). There will very possibly be a return to that same documentation, especially if you sense some disconnect or problem.

Is this what you wanted to know?

 

[DariusPlumdon]

Hi Jen,

Thanks for your reply. You have confirmed my understanding regarding 'a review of documentation prior to tour(s) and interview(s) can take place before the opening meeting ....' & the need to record evidence in interviews; This is exactly as I have always done, and I think it is standard good practice, so all clear and all good

Can I rephrase the second part of my question regarding recording coverage (of clauses), as I would still appreciate your advice ....

When we are externally audited our external auditor checks how we cover the clauses of the standard (IATF 16949) during are internal audit program, as most external auditors have done over many years, this I am fine with and understand. I have 2 parts to my question:

1) We look to cover all relevant clauses during the documentation audit, it helps the auditor understand the process and gives us a chance to prepare questions for interviews. We then also look to cover each relevant clause in the interviews. When we cover all relevant clauses in the documentation element & the interview element all is fine & we can mark in our coverage matrix that we have covered each relevant clause. In reality interviewees can become unavailable, or interviews can (rightly) spend a lot of time on some sticky points, which getting to the bottom of really helps the group being audited .. all good. As a result there can be 1 or 2 clauses that you have covered and satisfied all is fine during the documentation element of the audit, BUT as there is not time, or an interviewee that works on the clause available to asks question on during the interview. Of course this is not the aim, but it is auditing in the real business world. In two training sessions I attended by certified accreditation bodies currently on the IATF website (admittedly over 10 years ago) this topic came up and BOTH said that if a clause was covered in the documentation element of the audit then you could fairly mark/tick this in the coverage matrix; is this still correct, or have the IATF changed things/the rules so you have the cover a clause during the interview to mark it a covered?

2) We have our re-certification audit every 3 years, with a surveillance audit every year (we are a remote site). Do we have to cover all clauses relevant to us every year, OR do we only need to cover them all (at least) once every 3 years?
*Currently we cover every clause each year, but as some clauses relate to a single department only it is tricky, so if we only had to cover them every 3 years this would reduce some bureaucracy and enable us to focus more on adding value elsewhere
**I write relevant as there are elements of Design & Production where we have zero activity on our (remote) site

Any help will be appreciated, thank you in advance

 

[Jen Kirley]

Hello Darius,

(1) It is good to do a thorough review of process documentation, but although we certainly want to make sure the documentation is accurate, complete and up-to-date, procedures are not process control and even the most beautiful procedures are not by themselves evidence of process effectiveness. The process control and effectiveness can be found in execution, and audited through a tour and/or interviews. Control of non-conforming output is an example. The same clause/subclause might end up getting covered dozens of times. So it is. Back when I was a full-time Internal Auditor I developed the Audit mgmnt II Excel tool and attached it in the thread Managing and Reporting Audits with an Excel .xls spreadsheet. It takes a good deal of upkeep but could help keep track of potential gaps - once it's updated, of course.

(2) The standard does not say that all clauses must be audited every year. It does say the quality management system is audited for effectiveness, and since your certificate runs on a 3-year cycle it is implied that the system gets completely audited in that time.

I say implied because I once received an OFI (not an NC, remember there is no shall for this) because some clauses were getting audited 5 years apart. It was gently suggested that we switch to a 3-year cycle as per (2). We did so.

 

[DariusPlumdon]

Many thanks for taking the time to reply.

We have a spreadsheet of our own that does a similar thing to yours (in a slightly different way) so good to see someone else taking this approach.

Interestingly from another source I got some information from someone directly working for one of the national accreditation bodies of the IATF. They agreed with your take on on '(2)' regarding coverage in the 3 year cycle

With (1) above they felt that the current revised IATF training allows more flexibility so whilst in most cases documentation was unlikely to be enough (e.g. the perfect example you give above), that in others (e.g. confirmation of a recorded required input to management review) that documentation alone was sufficient to give coverage.

I think overall I am realises that what I thought was correct is indeed a correct interpretation of the standard, but that from you (and a couple of others) I now realise that I have more flexibility than I realised.

Thanks again

 

[malasuerte]

Many thanks for taking the time to reply.

We have a spreadsheet of our own that does a similar thing to yours (in a slightly different way) so good to see someone else taking this approach.

Interestingly from another source I got some information from someone directly working for one of the national accreditation bodies of the IATF. They agreed with your take on on '(2)' regarding coverage in the 3 year cycle

With (1) above they felt that the current revised IATF training allows more flexibility so whilst in most cases documentation was unlikely to be enough (e.g. the perfect example you give above), that in others (e.g. confirmation of a recorded required input to management review) that documentation alone was sufficient to give coverage.

I think overall I am realises that what I thought was correct is indeed a correct interpretation of the standard, but that from you (and a couple of others) I now realise that I have more flexibility than I realised.

Thanks again

Just a final add, here is the requirement:

1. The audit program shall be prioritized based upon risk, internal and external performance trends, and the criticality of the process(es).
2. The organization shall audit all quality management system processes over each three-year calendar period, according to an annual program
3. The organization shall audit all manufacturing processes over each three-year calendar period
4. The organization shall audit products using customer-specific required approaches at appropriate stages of production

So basically, your audit program should have audits every year; you have 3 years to cover all the clauses and all the mfg process. Your program may audit things more or less frequently within that 3 years.

Using a matrix helps you capture where you audited certain items. As noted by Jen - you will definitely cover items in multiple places; in some places, you will possibly only audit certain things; and only certain things will be audited in certain places:

i.e.
Change Management - multiple places
Supplier Management - possibly only 1 place - your supplier team
Labs - only in Labs