What is an audit program?
According to the international standards for management systems, an audit program is an overall plan to list and organize the audits to be performed, define the schedule, assign the auditors (depending on the audit type and reference to be used -i.e. ISO9001-) during a period or time frame.
This is the second article about auditing. Please refer to the previous ones if you want to read about the quality standards, the quality management systems or the first article on auditing the QMS.
The ISO19011 is the standard called “guide for auditing management systems” and defines the audit programme as “the arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose”.This standard describes the audit process as PDCA cycle, outlines auditing activities from the audit program through execution and monitoring up to the auditor evaluation and development.
This standard also sets 7 principles to make the audit process effective and reliable. These principles are:
Seven audit principles
- Integrity. Auditors should perform their work ethically, with honesty and responsibility, be impartial and only undertake the audit activities if they are competent to do it.
- Fairness. The obligation to report truthfully and accurately. Communication should be accurate, objective, timely, clear and complete.
- Due professional care: application of diligence and judgement in auditing.
- Confidentiality. Auditors should exercise discretion in the use and protection of information acquired during the process.
- Independence. Auditors shold be independent of the activity being audited (not to audit themselves) to avoid bias or conflict of interest.
- Evidence based. Audit evidence should be verifiable as per the sample of the information used to draw conclusions.
- Risk based approach. To be considered during the process with the aim to focus on matters relevant for the audit client, adjusting or adapting as per the risks to achieve the intended results.
Content of the audit program
As you may remember, the automotive industry requires the IATF16949 as standard for the QMS but, the IATF16949 as many other standards, is based on the ISO9001. The ISO19011 is a general guide similar to the ISO9001 as “relative” and member of the ISO9000 family and therefore is a standard of universal use meaning that can be used for any kind of organization, product, world region, etc.
The general content of the audit program can be seen in the image below and basically covers the set of required audits (based on context of the company, interested parties, requirements, risk and opportunities, objectives, resources, etc.), reference standard and audit types, physical facilities where the audits will occur, assigned auditors and schedules or time frame.
What about the IATF16949 and CSR?
The IATF16949 refers to the ISO19011 as overall guideline for the planning and executing of audits but, also describes the required audits to be performed and the time frame. The program content is:
System audits. The organization may have as many business processes as needed to fulfill the IATF16949 and relevant customer specific requirements (CSR). Those processes are normally graphically depicted in a process map like the example shown below. The IATF16949 requires that all the BUSINESS PROCESSES which integrate the QMS are audited in a 3 year cycle. This means that depending on size, complexity, physical location, etc. the organization can opt to audit only once each process in that period of time, for instance, process 1-3 during the first year, 4-6 during the second and 7-9 during the third year. So, an audit program based on the IATF16949 should consider this requirement.
Process audits. The processes described here are the manufacturing processes of the organization like foundry, machining, plastic injection, etc. The IATF16949 has a big focus on this since the realization of the product is 100% related to the product conformity. Similar to the requirement of system audits, the requirement here is to audit all MANUFACTURING PROCESSES in all shifts and the transition among shifts in a cycle of 3 years. This also means that the organization can opt to make for example 1/3 of all audits every year during the total time period.
Product audits. As mentioned in the part one of these series of articles, the product audit is made to assess conformity of the parts. The IATF16949 does not really define quantity or frequency but states: “…. to be performed using customer-specific required approaches at appropriate stages of production and delivery…” The organization shall define the approches when the customer does not specify it. This means that we are not only supposed to audit end products but perhaps half-finished products in different stages of the realization process. German customers like VW require to use the VDA 6.5 for product audits. We will cover this in one next coming article.
Layout inspection and funcional testing or Requalification. In the IATF16949 this is not described as audit but as inspection and testing, however, companies may be required to either depict the requalification in the control plan or in the audit program. The layout inspection refers to a complete dimensional measuring report of all characteristics called in the technical design records (similar to the PPAP requirement) and functional verification refers to the material and performance standards as per the control plan. Please note that this does not automatically mean that all the tests made in the DVP/PV (design validation plan/ product validation) must be made again but what you “negotiate” with your customer during the APQP. The extent of testing may be “greater than stated in the control plan” and/ or “less than the DVP”. Since material and performance testing can be time and cost intensive, please define the “test plan” for requalification with your customer and whether it should be an item of the control plan or your audit plan (quantity and frequence).
Special audits. Some customers may have additional requirements like FIAT for instance, who requires a yearly audit on content and status of PFMEA and control plan.
Note: There is no requirement for the document type (paper or electronic), structure (columns, lines, etc.) and layout of the audit program. It is not required either that all these audits are listed in the same document or form. However, all audits types must be planned, organized, etc. and the auditor competence must be guaranteed as per the IATF16949 or the corresponding customer requirement.
Do you need a graphic aid? a form?
No worries. Since there is no required form or looks of the program, you can try your own way. I can also show you a basic structure that I have used. I hope you can use the basic idea for your own purposes. Please find the form below which can also be downloaded as excel file.
Wish you a lot of succes with your audit program.
0 Comments