Home » Compliance Management Blog- ESG, EHS, EHSQ » Best Practices: Automotive Internal Quality Audits Based on IATF 16949: 2016

Best Practices: Automotive Internal Quality Audits Based on IATF 16949: 2016

Jonathan Brun

Free Webinar

IATF 16949: 2016
Creation, Implementation, Maintenance and Improvement

Tuesday, October 31, 2017

Presenter: Michael Wolfe, IATF 16949: 2016 Auditor and expert, McDaeGroup

(Note: Please send any questions related to the IATF: 16949 to info@nimonik.com anytime before October 31, 2017. The expert will answer the questions after the presentation on a first come first served basis)

IATF16949 Quality audits, car safety, toy car safely held in hands

Successful organizations in the automotive supply chain are now required to comply with the IATF 16949: 2016 standard, which is heavily based on the ISO 9001: 2015 standard. One of the critical requirements of the IATF 16949 is “Regular Internal Audits”.

This post addresses some of the best practices for internal audits as required by IATF 16949: 2016

The topics covered are as follows:

  • Audit procedures
  • Audit program
  • Planning quality audits
  • Audit objectives
  • Audit plan
  • Determining the effectiveness of the QMS
  • Scheduling quality audits
  • Independence of auditors
  • Collecting audit evidence
  • Reporting audit results
  • Corrective actions
  • Follow-up audits
  • Auditor qualification
  • Auditor responsibility
  • Principles auditors must adhere to

As important as they are, internal audits are often frowned upon for being time and resource consuming. With modern technology like Nimonik you can reduce both audit planning time and audit time, reducing the challenge of internal audits at your organization.


The purpose of quality audits is to establish, by unbiased means, factual information on quality performance. Installing a quality management system without some means of being able to verify whether it is doing its intended job is a waste of time and effort – hence the importance of internal audit requirement.

Internal audits should be conducted by all organizations if they wish to maintain and improve the quality of their products, whether or not they are aiming for certification.

An audit is a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled. The term systematic means that the company must plan and document its system for auditing. It must have management support and resources (sufficient auditors, time, tools to prepare records like checklists, findings, audit reports etc.) behind it. Evaluating the extent to which the audit criteria are being fulfilled involves an assessment of both implementation and effectiveness.

Audits should not be performed to find faults, to apportion blame, or to investigate problems.

A few of the benefits of internal quality audits are:

  • Feedback to management
  • Correction of nonconformities before external bodies find them
  • Continual improvement of the organization
  • Improved personnel awareness, participation, and motivation
  • Improved customer confidence and satisfaction
  • Increased operational performance

Audit Procedures

The 16949 standard requires the supplier to establish and maintain documented procedures for planning and implementing internal quality audits.

Procedures for planning and implementing audits should cover the following:

  • Preparing the annual audit program
  • Selection of auditors
  • Planning audits
  • Conducting an audit
  • Recording observations
  • Determining corrective actions
  • Reporting audit findings
  • Implementing corrective actions
  • Confirming the effectiveness of corrective action

Internal Quality Audit Process

      Quality Audit Plan

The Audit Program

An organization must plan, establish, implement, and maintain an audit program.

An audit program includes all activities necessary for planning and organizing the types and number of audits, and for providing resources to conduct them effectively and efficiently within the specified time frame.

While making an audit program, consideration must be given to the importance of concerned processes, changes impacting the organization, and the results of previous audits. It must:

  • Define audit criteria and scope for each audit
  • Select auditors
  • Conduct audits for impartial and objective audit process
  • Ensure results of audits are reported to relevant management
  • Ensure necessary correction and corrective action without delay
  • Retain evidence of audit program implementation and audit results

The scope of an internal audit program must cover the:

  • Operation processes to determine conformity of both product/services and their processes to customer and applicable regulatory requirement
  • The QMS to determine conformity to the ISO 9001: 2015 standard
  • The QMS to determine conformity to organizational requirements
  • The QMS processes and their interaction to determine if the QMS has been effectively implemented and maintained

In determining the time frame of the audit program one should consider:

  • Organization size
  • Complexity of product and processes
  • Health of the QMS
  • Customer
  • Regulatory requirements

The complete QMS must be audited at least once a year. The audit program can be presented as a calendar chart showing where and when the audits will take place or as a list of dates.

The responsibility to manage the audit program should be assigned to one or more individuals who have  a general understanding of audit principles and the application of audit techniques.

Lead auditors are required to:

  • Establish the extent of the audit program (which depends on the size and complexity of an organization, significant changes in its operations, results of past audits etc.)
  • Establish procedures (planning and scheduling audits, selecting audit teams, conducting audits etc.)
  • Ensure sufficient resources are provided
  • Ensure maintenance of audit program records ( audit plan, audit team selection, auditor competence and evaluation, and reports related to nonconformity, corrective action etc.)

Audit program implementation should address:

  • Communicating audit program to relevant parties
  • Scheduling audits
  • Establishing  a process for auditor evaluation and training
  • Ensuring conduct of audits, control of records, review of audit records by specified parties etc.

The implementation of the audit program should be monitored at appropriate intervals and reviewed to assess whether its objectives have been met and to identify opportunities for improvements. Results of audit program reviews can lead to corrective and preventive actions and the improvement of the audit program.

Planning Quality Audits

The main substance of an audit plan includes what is to be audited, against what requirements and by whom.

More specifically, the specific requirements to be checked should be identified based upon risks, past performance and when it was last checked.

Detailed plans are best presented as checklists.

A well planned audit with a checklist designed to discover pertinent facts quickly is far better than a rambling audit which jumps from area to area looking at this and that without any obvious direction. Checklists help the auditor ensure the depth and continuity of the audit as well as maintain the pace of the audit by saving time during an audit to come to an informed judgement. Experienced auditors sometimes believe a checklist is burdensome and not necessary, however even highly trained medical surgeons and airline pilots use checklists every day to ensure nothing is forgotten.

Other work documents to prepare before an audit are a copy of ISO 9001:2015 standard, forms for recording information, supporting evidence, and audit findings. These work documents should be retained until audit completion. Confidentiality of these documents should be maintained at all times.

Audit Objectives

It is a best practice to establish the audit objectives as they help determine the scope and depth of the audit as well as the resources needed. Being clear on the objectives provides focus and prevents the auditor from going off on unnecessary detours beyond the scope of the audit. Audit objectives may include:

  • Evaluating conformity to requirements of ISO 9001
  • Evaluating conformity of documentation to ISO 9001
  • Judging conformity of implementation to documentation
  • Meeting regulatory requirements etc.

Audit plan

The audit plan provides the basis of agreement between the audit team and the auditee regarding the conduct of the audit. The plan should facilitate scheduling and coordination of audit activities. Some of the things that an audit plan is expected to cover are as follows:

  • Audit objectives and scope
  • Place of audit
  • Dates of audit with expected time and duration
  • Roles and responsibilities of audit team members
  • Audit report topics
  • Confidentiality requirements
  • Audit report distribution date

Determining the Effectiveness of the System

The standard requires internal audits to determine the effectiveness of the quality management system.

Even when one has verified that policies are being met, documenting procedures are implementing policies and the procedures are being implemented etc. one still needs to determine whether the system is being effective.

The best method to determine the effectiveness of the quality system is a quality audit.

Quality audits should provide the management with knowledge they don’t possess. The audit and not the customer should be the first to reveal any problem. If audits only report historic facts, they are ineffective or reveal facts that should have been detected during previous audits, measures should be taken to adjust the method or the audit plan.

Effectiveness is concerned with doing the right things rather than doing things right. Quality costs can help reveal the effectiveness of the system as spending 50% on appraisal and corrective activities is a clear indication that the operations are not effective or efficient.

Scheduling Quality Audits

The standard requires the supplier to schedule audits based on the basis of status and importance of the activity.

There is little point in conducting in depth audits on activities that add little value. There is also little point in auditing activities that have just commenced as auditors need to gather objective evidence of compliance that may take some time to build up.

Depending on the results of past audits, the frequency of audits can be increased in areas that have had higher than average non-conformities and decreased in areas that have had zero non-conformities for past several audits, though all areas should always be audited.

Importance of the activity can be determined in three ways:

  • Effect of non-compliance
  • Establishing for whom the activity is important: customer, public, or supervisor
  • Whether the activity is in the design/planning phase (if left uncorrected, it would lead to major problems downstream)

Audits should verify that appropriate controls are in place before it is too late.

The Independence of Auditors

The standard requires that internal quality audits be carried out by personnel independent of those having direct responsibility for the activity being audited. By being independent of the audited activities the auditor is unaware of the pressures and excuses and can examine operations objectively without bias and without fear of reprisals.

Collecting Audit Evidence

During the audit, information relevant to the objective, scope and criteria should be collected by appropriate sampling and should be verified. The evidence must be capable of being verified and can be:

  • Information, records or statements of fact
  • Qualitative or quantitative
  • Based on observation, measurement or test

Audit evidence should be evaluated against the audit criteria to generate the audit findings. Audit findings can indicate either conformity or nonconformity with audit criteria. Nonconformities may be graded or classified. They should be reviewed with the auditee to obtain acknowledgement that the audit evidence is accurate and understood.

Auditors should take notes while conducting an audit as informed judgement can only be made with an adequate set of notes containing considerable facts. Notes need to be taken of references to documents, item identification, batch numbers, job numbers, statements, who said them, job titles, relevant questions asked etc. The information should be easily retrievable as it will be used in reports to auditees for the purpose of defining areas of nonconformity or raising points for discussion. Also, the information recorded might be referenced in subsequent audits.

In order to classify the nonconformity into minor or major nonconformities, an auditor can ask the following three key questions:

  • What could go wrong if the deficiency remains uncorrected
  • What is the likelihood of such a thing going wrong
  • Is it likely that the system would detect it before the customer is affected

It is important to record nonconformities in a way that the person assigned the corrective action is able to fully understand the nonconformity by the written records and visual evidence (i.e. photos). Some of the rules to be followed while recording nonconformities are:

  • Exact observation of the facts
  • Where it was found
  • What was found
  • Why it was a nonconformity and which requirement does it violate
  • What is the objective evidence of nonconformity
  • Who was involved (job titles instead of names)

It is highly critical to make this information easily retrievable.

An internal audit is also a chance for auditors to raise opportunities for improvement or points of concern for which there is insufficient objective evidence to raise a nonconformity.

Reporting Audit Results

The standard requires the results of the audits to be recorded and brought to the attention of the personnel having responsibility in the area audited.

Audits of practice against procedure or policy should be recorded as they are observed and preferably not after the audit as facts can be disputed with time. Therefore it is better to get the auditee’s endorsement to the facts at the time they are observed.

The audit report should state a balanced picture of the whole audit, conformities as well as nonconformities and should provide a summary of the nonconformities and suggestions of corrective actions or improvements.

The report should be presented to manager of the area audited and should only be presented to the manager’s superior with his/her knowledge and agreement.

The report should be sent as soon as possible, but no later than 3 days after the audit. This is quite challenging if notes are taken with pen and paper, a digital software with mobile capabilities dramatically reduces report writing time. All records of the audit and the report should be retained.

Taking Timely Corrective Action

The standard requires the management personnel responsible for the area to take timely corrective action on the deficiencies found during the audit. Therefore the auditor’s policy manual should define what timely means as what is timely to one person can be untimely to another. An example we have seen in the automotive industry is that all major non-conformities must be closed within two weeks or else the employee’s year end bonus is impacted.

In most cases the auditee’s manager should determine the corrective actions required.

Although not explicitly stated in the standard, the manager in addition should:

  • Search for other examples of non-conformity and establish how widespread is the problem.
  • Establish the root cause of the non-conformity and prevent its recurrence. This can be done by conducting effectiveness assessments after a long period of time (6 months or 1 year) to determine if the corrective action had the desired long term impact.

Target dates should be set for all corrective actions in a way that they match the magnitude of the deficiency. Small deficiencies that can be corrected within minutes should be dealt with at the time of the audit. Others that may take longer should be dealt with within a day or so. Big problems may take months to resolve and they could require an orchestrated program to implement.

A corrective action when implemented should restore compliance. A corrective action should not be limited to generating another form or procedure as it can be generated by another manager, thereby leaving the deficiency unresolved.

Follow-up Audits

The standard does not require follow-up audits but it is a good practice to follow up to determine if the corrective action was taken and if the nonconformity was eliminated by the corrective action.

The verification of corrective action could be a part of the subsequent audit or done with a specific effectiveness assessment.

Auditor Qualification

The standard requires the supplier to comply with customer requirements for internal system and process auditor qualification.

Some of the technical and soft skills expected from an auditor are:

  • Knowledge of the purpose of the audit
  • Quality specific knowledge
  • Use of test and inspection specifications
  • Knowledge of handling nonconformities
  • Reporting skills
  • Knowledge of QMS processes and their interaction
  • Knowledge of customer requirements
  • Knowledge of regulatory requirements
  • Knowledge of QMS standards and their application to the organization

Auditor Responsibility

  • Stay prepared
  • Keep to the timetable and audit scope
  • Document and support all findings
  • Keep audit team leader and auditee informed
  • Safeguard all documents
  • Maintain confidentiality
  • Verify corrective actions

Additional responsibilities of a Lead Auditor are:

  • Planning and managing all phases of the audit
  • Conducting all meetings of the team and the auditee
  • Reporting audit results without delay
  • Reporting critical nonconformities immediately

Principles Auditors Must Adhere

  • Ethical conduct: auditor behaviour that reflects trust, integrity, discretion
  • Fair representation: of audit findings, reports, obstacles
  • Independence: objective and free of bias
  • Evidence based approach: audit findings should be verifiable


Internal audits should be exhaustive not exhausting. With technology like Nimonik, you can perform 10 thorough audits in the time it takes to perform 1 audit using excel or pen and paper. Not only does Nimonik save time, it is much more efficient as you can:

  • dictate or type audit finding and notes
  • take pictures to better communicate finding and maintain evidence
  • issue correcting actions with due dates
  • assess the effectiveness of correction actions
  • assess past audit reports
  • scheduling audits
  • generate instant reports compete with charts

But at the end of the day even Nimonik is just a tool. The real power lies with you, the internal auditor.

Free Webinar

IATF 16949: 2016
Creation, Implementation, Maintenance and Improvement

Tuesday, October 31, 2017

Presenter: Michael Wolfe, IATF 16949: 2016 Auditor and expert, McDaeGroup

(Note: Please send any questions related to the IATF: 16949 to info@nimonik.com anytime before October 31, 2017. The expert will answer the questions after the presentation on a first come first served basis)