Internal Auditing Iatf Dec 2023

12/1/23
Fouryes TQM Consultants
Internal Auditing
IATF 16949: 2016
AG-3, Second Floor, Shanthi Colony, Anna Nagar, Chennai-600040, India

Ph.: +91-04442127102, +91 98410 85984, +91 98414 31336 Email: [email protected], Web: www.fouryestqm.in
Course Objective
The objective of this course is to equip delegates with the

knowledge and skills required to perform audits of automotive
quality management system against IATF 16949:2016 in
accordance with ISO 19011.
ISO 19011:2018 (3rd Edition) – Guidelines for auditing

management systems
© Copyright 2022. Fouryes TQM Consultants. All rights reserved
1
12/1/23
Audit - Basics
IATF 16949: 2016
Definition
Audit:
Systematic, Independent and Documented process for
obtaining audit evidence and evaluating it objectively to
determine the extent to which the audit criteria are fulfilled
2
12/1/23
Definition
Combined Audit
§ Audit carried out together at a single auditee on two or

more management systems.
Note: When two or more discipline-specific management

systems are integrated into a single management system
this is known as an integrated management system.
Joint Audit
§ Audit carried out at a single auditee by two or more

auditing organizations
Definition
Auditor - Person who conducts an audit
Auditee – Organization as a whole or parts thereof being

audited
Audit Team – one or more persons conducting an audit,

supported if needed by technical experts
Technical Expert - Person who provides specific knowledge or

expertise to the audit team
Note 1: Specific knowledge or expertise relates to the

organization, the activity, process, product, service, discipline to
be audited, or language or culture.
Note 2: A technical expert to the audit team does not act as an
auditor.
3
12/1/23
Definition
Audit Program - Arrangements for a set of one or more

audits planned for a specific time frame and directed towards
a specific purpose
Audit Criteria - Set of requirements used as a reference

against which objective evidence is compared.
Note: Requirements may include policies, procedures, work

instructions, legal requirements, contractual obligations, etc.
Definition
Audit Evidence - Data supporting the existence or verity of

something
Note: Objective evidence for the purpose of the audit

generally consists of records, statements of fact, or other
information which are relevant to the audit criteria and
verifiable
4
12/1/23
Definition
Audit Scope - Extent and boundaries of an Audit.
Note: The audit scope generally includes a description of the

physical and virtual-locations, functions, organizational units,
activities and processes, as well as the time period covered
Audit Findings - Results of the evaluation of the collected

audit evidence against audit criteria.
Note 1: Audit findings indicate conformity or nonconformity.

Note 2: Audit findings can lead to the identification of risks,
opportunities for improvement or recording good practices.
Definition
Conformity – Fulfillment of a requirement
Nonconformity – Non-fulfillment of a requirement
Requirements - Need or expectation that is stated, generally

implied or obligatory
5
12/1/23
Definition
Competence - Ability to apply knowledge and skills to
achieve intended results
Risk - Effect of uncertainty

Note 1: An effect is a deviation from the expected – positive
or negative.
Note 2: Uncertainty is the state, even partial, of deficiency of
information related to, understanding or knowledge of, an
event, its consequence and likelihood.
Note 3: Risk is often characterized by reference to potential
events and consequences or a combination of these.
Effectiveness - Extent to which planned activities are

realized and planned results achieved
Types of Audits
§ Internal Audits
• First Party Audit
§ External Audits
• Second Party Audits
• Third Party Audits
6
12/1/23
Types of Audits
First Party Audit

§ Conducted by, or on behalf of, the organization itself.
Second Party Audit

§ Conducted by Parties having an interest in the
organization, such as customer or by other individuals on
their behalf
Third Party Audit

• Conducted by Independent auditing Organizations, such
as those providing certification / registration of conformity
or governmental agencies
Principles of Auditing
IATF 16949: 2016
7
12/1/23
INTEGRITY
The Foundation for Professionalism
Auditors and the individual(s) managing an audit programme

should:
— perform their work ethically, with honesty, and responsibility;

— only undertake audit activities if competent to do so;
— perform their work in an impartial manner, i.e. remain fair
and unbiased in all their dealings;
— be sensitive to any influences that may be exerted on their
judgement while carrying out an audit.
FAIR PRESENTATION
The obligation to report truthfully and accurately
- Audit findings, audit conclusions and audit reports should

reflect truthfully and accurately the audit activities.
- Significant obstacles encountered during the audit and

unresolved diverging opinions between the audit team and
the auditee should be reported.
- The communication should be truthful, accurate, objective,

timely, clear and complete.
8
12/1/23
DUE PROFERSSIONAL CARE
The Application of Diligence and Judgments in Auditing
• Auditors should exercise due care in accordance with the

importance of the task they perform and the confidence
placed in them by the audit client and other interested
parties.
• An important factor in carrying out their work with due
professional care is having the ability to make reasoned
judgements in all audit situations.
CONFIDENTIALITY
Security of information
§ Auditors should exercise discretion in the use and

protection of information acquired in the course of their
duties.
§ Audit information should not be used inappropriately for
personal gain by the auditor or the audit client.
§ This concept includes the proper handling of sensitive or
confidential information.
9
12/1/23
INDEPENDENCE
The basis for the Impartiality of the audit and objectivity of

the audit conclusions.
§ Auditors should be independent of the activity being

audited wherever practicable, and should in all cases act
in a manner that is free from bias and conflict of interest.
§ For internal audits, auditors should be independent from
the function being audited if practicable.
§ Auditors should maintain objectivity throughout the audit
process to ensure that the audit findings and conclusions
are based only on the audit evidence.
EVIDENCE – BASED APPROACH
The rational method for reaching reliable and reproducible

audit conclusions in a systematic audit process
§ Audit evidence should be verifiable.

§ It should in general be based on samples of the
information available, since an audit is conducted during
a finite period of time and with finite resources.
§ An appropriate use of sampling should be applied, since
this is closely related to the confidence that can be
placed in the audit conclusions.
10
12/1/23
RISK-BASED APPROACH
An audit approach that considers risks and opportunities
• The risk-based approach should substantively influence the

planning, conducting and reporting of audits in order to
ensure that audits are focused on matters that are significant
for the audit client, and for achieving the audit programme
objectives.
Personal Behaviour
IATF 16949:2016
11
12/1/23
Personal Behaviour
§ Ethical, i.e. fair, truthful, sincere, honest, and discreet;

§ Open-minded, i.e. willing to consider alternative ideas or
points of view;
§ Diplomatic, i.e. tactful in dealing with people;
§ Observant, i.e. actively observing physical surroundings and
activities;
§ Perceptive, i.e. aware of and able to understand situations;
§ Versatile, i.e. able to readily adapt to different situations;
§ Tenacious, i.e. persistent and focused on achieving
objectives;
§ Decisive, i.e. able to reach timely conclusions based on
logical reasoning and analysis;
Personal Behaviour
§ Self-reliant, i.e. able to act and function independently;

§ Open to improvement, i.e. willing to learn from situations,
and striving for better audit results;
§ Culturally sensitive, i.e. observant and respectful to the
culture of the auditee;
§ Collaborative, i.e. effectively interacting with others,
including audit team members and the auditee’s
personnel.
§ Able to act with fortitude, i.e. able to act responsibly and
ethically, even though these actions may not always be
popular and may sometimes result in disagreement or
confrontation
12
12/1/23
Competency & Evaluation of Auditor

Ethical
Objective
Open Minded
Polite
Analytical Positive
Patient
Punctual Attributes
Interested
Positive
Knowledge
Good Listener
Professional
Good Communicator
Prepared
Qualified, Experienced, Trained
Competency & Evaluation of Auditor
Argumentative
Untrained Negative
Jumping to conclusion Attributes
Biased
Lazy
Accepting things at face value
Unable to communicate
Arrogant
13
12/1/23
Knowledge & Skills of Auditors
§ Audit principles, procedures and methods

§ Management system standard requirements
§ Core Tools
§ Product and Process Knowledge
§ Process approach
§ Risk based approach
§ Reference documents used as audit criteria
§ Organizational context
§ Applicable Regulatory requirements
§ Contractual requirements
§ Customer Specific Requirements
Steps in Auditing
IATF 16949:2016
14
12/1/23
Steps in Auditing
• Audit Program
• Preparing Audit Activities
• Opening Meeting
• Conducting an Audit
• Reporting the Audit Findings
• Closing Meeting
• Corrective Action
• Conducting Audit Follow-up
• Evaluation of Auditors
Audit Program
IATF 16949: 2016
15
12/1/23
Audit Program
§ Follow Risk based thinking approach
§ Can include one or more Management System

standards
§ Objectives of an Internal Audit Program should be

based on
• Management System Standard Requirement

• Needs and expectation of interested parties
• Need for evaluation of external providers
• Results of previous audits
• Changes to product, process, service, project, etc.
• Occurrence of Nonconformities and complaints from interested
parties
Audit Program
§ Extent
• Dependent on size, nature and complexity
• The type of risks and opportunities / Status and importance
• The level of maturity of Management System
• Multiple locations / sites and outsourced functions
• Organization Context
• Organizational objectives
• Scope of activities
• Previous audit results
• Consideration to changes
• Covers all processes, activities & shifts
• Consideration to “Customer Specific Requirements &
Regulatory Requirements”
16
12/1/23
Evaluating Audit Program Risks
§ Planning, e.g. failure to set relevant audit objectives and

determine the extent of the audit programme;
§ Resources, e.g. allowing insufficient time for developing the

audit programme or conducting an audit;
§ Selection of the audit team, e.g. the team does not have
the collective competence to conduct audits effectively;
§ Communication, e.g. ineffective external / internal

communication process:
Evaluating Audit Program Risks
§ Implementation, e.g. ineffective coordination or not

considering information security / confidentiality;
§ Control of ineffective documented information, e.g.

ineffective determination of the necessary documented
information, failure to adequately protect audit records to
demonstrate audit programme effectiveness;
§ Monitoring, reviewing and improving the audit

programme, e.g. ineffective monitoring of audit programme
outcomes.
§ Availability and coopration of auditee

17
12/1/23
Managing Internal Audit Program
§ Resources Considerations
• Financial Resources
• Availability of trained Auditors
• Specific Auditor Qualification Requirements
• Availability of process experts
• Duration of audit
• System should address:

• Planning and scheduling audits
• Assuring competency of auditors & audit team
leaders
• Selecting appropriate audit teams and assigning
roles
• Conducting Audits
• Conducting applicable follow-up
• Maintaining Audit program records
• Monitoring the performance and effectiveness of
audit program
• Reporting mechanism to top management
18
12/1/23
§ Implementation
• Appointing the audit team & leader. Consider:
• Audit Objectives, scope & criteria
• Independence / Conflict of interest
• Language
• Special consideration for “Production Process and
Products”
• Provide necessary resources to audit team
• Communicating the audit program, coordinating and
scheduling audits
• Ensuring conduct of audit in accordance to audit
program
§ Implementation
• Establishing and maintaining a process for auditor
evaluation
• Review / Approval and distribution of audit reports
• Ensuring Follow up
19
12/1/23
Conducting an Audit
IATF 16949: 2016
Initiating Audit
§ Initiating audit
§ Establishing contact with auditee
§ Determining feasibility of audit
20
12/1/23
Audit Planning
§ Risk based approach to planning
Ø Based on the information given in audit programme
Ø Based on the documented information provided by

the auditee
Audit Planning
Audit Standard: Date:
Audit Objective: Audit Location:
Process/ Auditor / Auditee Expert / Date Time Scope

Function Team Observer
21
12/1/23
Audit Preparation
§ Off-site Preparation (can consider)

• Manual / Procedures / Risk assessment documents /
Regulatory and CSR documents / Management
System Standards Requirements.
• Process Performance
• Audit Objectives, Scope, Criteria and reference
documents
• Organization context
• Previous audit results
• Responsibilities of team members
Audit Preparation
Auditor Should establish
• Process inputs and outputs
• Process customers and customer requirements
• Customers could be internal or external!
• Process Outsourcing and control techniques
• Process Interactions
• Horizontal – Interactions within a process.
• Vertical – Interactions between processes.
• Criteria for operating and controlling the process
• May include Control Plans, Process Maps, SOPs etc.
• Resources and information required to support the process
• Preparation of work documents
• Checklists and audit sampling plans
• Forms for recording information
22
12/1/23
Audit Checklist
Cl. No Checklist / What to look Compliance Auditor
Requirements for status Notes &
evidences
Opening Meeting
The purpose of the opening meeting is to:
a) confirm the agreement of all parties (e.g. auditee, audit

team) to the audit plan;
b) introduce the audit team;
c) ensure that all planned audit activities can be performed
d) confirmation of audit objectives, scope, communication

channels, language to be used, availability of resources &
facilities needed, matters relating to confidentiality and
information security, relevant access, health & safety,
security, emergency preparedness, etc.
23
12/1/23
On-site Internal Audit Activities
Performing document review while conducting the audit
The auditee’s relevant documentation should be reviewed to:
— determine the conformity of the system, as far as

documented, with audit criteria;
— gather information to support the audit activities.
On-site Internal Audit Activities
Communicating during the audit
• During the audit, it may be necessary to make formal

arrangements for communication within the audit team, as
well as with the auditee
• The audit team should confer periodically to exchange

information, assess audit progress, and reassign work
between the audit team members, as needed.
24
12/1/23
Collecting and Verifying Information

• Interviews
Ø with individuals from appropriate levels and functions
performing activities or tasks within the audit scope;
Ø normally be conducted during normal working hours
Ø attempts should be made to put the individual being
interviewed at ease prior to and during the interview;
Ø the reason for the interview and any note taking should
be explained;
Ø interviews may be initiated by asking individuals to
describe their work;
Ø the type of question used should be carefully selected
(e.g. open, closed)
Collecting and Verifying Information
• Listening
• Summarize
• Confirm
• Clarify
• Observation of activities
• Review of documents & Records
25
12/1/23
Conduct of Audit – PDCA Approach
• Check the planned arrangements

• Check the implementation in accordance with planned
arrangements
Ø Verify through observation, interviews, review of

records etc.
• Check monitoring, measurement and analysis methods used
• Check if the results indicate process effectiveness /

efficiency
• Check if the results relate to the policy & objectives
Conduct of Audit – PDCA Approach
• Check if actions were taken for not achieving planned

results
• Check the effective implementation of those actions
• Check the continual improvement of process
26
12/1/23
Audit Conclusions
• Auditor should verify that Management System

processes result in:
• Achievement of the Policy and Objectives

• Achievement of the planned arrangements
• Achievement of customer / Regulatory requirements
• Achievement of continual improvement
Closing Meeting
§ A closing meeting, facilitated by the audit team leader,

should be held to present the audit findings and
conclusions.
§ Participants in the closing meeting should include the

management of the auditee and, where appropriate, those
responsible for the functions or processes which have
been audited
27
12/1/23
Reporting of Audit Findings

IATF 16949: 2016
Audit Findings
• Audit Report – Objective Information (Result of on site
activity)
• Audit Report should provide a complete, accurate,
concise and clear record of the audit
• Reporting of findings
• Objectives, Scope, Process, Auditor & Auditee team,
Dates, Locations, Criteria, Findings & evidences,
Conclusions, any obstacles, Areas not audited, etc
• Sample Size & Reference
• Document / Record References
• Conformity (C) along with good practices
• Nonconformity (NC)
• Opportunities for Improvement (OFI)
• Evidence of system effectiveness / efficiency
28
12/1/23
Audit Record Form

Process / Function: Date:
Plant Location: Standard Ref:
Auditor Team: Auditee Team:
Audit Observation with evidences Result (C / NC / OFI)
Audit Findings
§ Nonconformity?
• Standard / Organization / Customer

requirement has not been addressed in
the organization ’ s quality management
system.
• Standard / Organization / Customer
requirement has been addressed in the
organization ’ s quality management
system, but the samples selected do not
provide evidence of compliance
• System is in place and selected samples
demonstrate compliance, but the system
is not effective
29
12/1/23
OFI
Nonconformities
• Nonconformities can be graded depending on the context
of the organization and its risks.
• This grading can be quantitative (e.g. 1 to 5) and qualitative

(e.g. minor, major).
• They should be reviewed with the auditee in order to obtain

acknowledgement that the audit evidence is accurate and
that the nonconformities are understood.
• Every attempt should be made to resolve any diverging

opinions concerning the audit evidence or findings.
• Unresolved issues should be recorded in the audit report.

30
12/1/23
Nonconformity Category
MINOR
Single observed lapse in following one item of a company’s

Quality Management System.
MAJOR
The absence of or total breakdown of a system to meet an

IATF 16949 requirements. A number of minor non
conformities against one requirement can represent a total
breakdown of the system and thus be considered as major
Non conformity
Any noncompliance that would result in the probable shipment

of Nonconforming product.
Nonconformity (NC)
Attributes of a well written Non-Conformance
• Will be written using the language of the standard
• Will indicate sample size where applicable
• Will be “verifiable”
• Will answer the question “Why is it a NC”?
31
12/1/23
Nonconformity Statement
Examples of Non conformity
Record of calibration not maintained for the

measuring equipment XF-102
- Is this a good example of writing a non

conformity ?
- If not , why ?
32
12/1/23
Nonconformity Statement - Content

Attribution
- Indicate specific reference to Audit criteria (e.g
reference to Management system standard
requirements, Manual, Procedure, SOP, etc.,
- Clear statement against audit Criteria (e.g. System
Deviation)
- Should be easy to understand
Objective Evidence
- Specific samples which was audited
- Person, part name, equipment, location, report no.
etc.,
NC Writing - Examples
Requirements: IATF 16949, Cl. 7.1.5.2 states that

“Measuring equipment shall be calibrated at specified
intervals, or prior to use ……..”
Nonconformity: The measuring equipment calibration

system and calibration plan is not effectively complied.
Objective Evidence: Measuring equipment XF-102, a

digital caliper, was found out of calibration against
calibration plan 2023-24 in the assembly shop at work
cell 4
33
12/1/23
NC Writing - Examples
Requirements:
IATF 16949, Cl. 8.4.2.4 states that “If provided by the customer,
the organization also include the following, as appropriate, in their
supplier performance monitoring
a.Special status customer notification
b.Dealer returns, warranty, field actions,…..
Nonconformity:
Supplier performance monitoring system does not consider all
appropriate indicators.
Objective Evidence:
In Oct’23, 10 nos. of Part ABC were returned from the filed. There
is no objective evidence that this had any impact on the supplier
performance rating of applicable supplier XYZ Corporation
Corrective Action, Follow up &

Monitoring
IATF 16949: 2016
34
12/1/23
Actions
Correction:
Action to eliminate a detected nonconformity
Corrective Action:
Action to eliminate the cause of a nonconformity and to

prevent recurrence
Reporting & Corrective Action
• Present findings to Auditee for effective closure of non

conformance as per the following steps:
- NC identification by Auditor
- Correction by Auditee
- Cause identification by Auditee (use Why-Why analysis)
- Permanent Corrective Action plan by Auditee
- Action implementation by Auditee / Responsible person
- Follow up by Auditor
• Important input for Management Review
35
12/1/23
Follow-up
Follow-up
• As per procedure
• CA responsibility with Management audited
• Verification of CA implementation / effectiveness
–auditor responsibility
Monitoring the Internal Audit Program
§ Review ability of program to achieve results
§ Identify improvement opportunities
§ Performance indicators to monitor:

• Ability of audit teams to implement audit plan
• Conformity with audit programs and schedules
• Feedback from auditees and auditors
36
12/1/23
Audit Tips
IATF 16949: 2016
Audit Tips
• Ice breaking
• Before starting the audit explain briefly the audit approach
• Emphasize that it is system assessment and not the
individual’s assessment
• Be open and try to be seen as positive
• Use open questions e.g., please explain this process
• Be objective – record facts not opinions
• Try to follow a logical sequence
• Use the triangle, i.e., question – observe – check
• Use time carefully – keep to schedule - cover everything
you are supposed to
37
12/1/23
Audit Tips
• Try to maintain a natural flow – i.e., don’t keep stopping

and starting
• Give feedback to encourage auditee to talk freely and to
put them at ease
• Use “show me” regularly to verify what you are being told
is actually the case
• Use check-lists as aide – memories only
• Bear in mind that smaller companies need less
sophisticated systems
• Be flexible
• Be assertive, not aggressive or passive
• Speak clearly, correctly and politely
Audit Tips
• An audit finding to be written in such a way that it is:

- Complete
- Clear in meaning
- Simple in language
- Easy to understand
- Incorporates audit evidence
- Identifies improvement area
• Listen carefully to what auditees actually say and where
appropriate, base the next question on their last answer
• Talk to the person who actually performs the task being
assessed
• Do not get into an argument
38
12/1/23
Audit Tips
• Test your understanding to confirm that you have the

correct information
• Provide summary at the end of the audit
• Thank auditees for their time and cooperation
39

Internal Auditing Iatf Dec 2023

Uploaded by

Copyright:

Available Formats

Internal Auditing Iatf Dec 2023

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Internal Auditing Iatf Dec 2023

Uploaded by

Copyright:

Available Formats

12/1/23

Fouryes TQM Consultants

AG-3, Second Floor, Shanthi Colony, Anna Nagar, Chennai-600040, India

The objective of this course is to equip delegates with the

ISO 19011:2018 (3rd Edition) – Guidelines for auditing

© Copyright 2022. Fouryes TQM Consultants. All rights reserved

© Copyright 2022. Fouryes TQM Consultants. All rights reserved

© Copyright 2022. Fouryes TQM Consultants. All rights reserved

§ Audit carried out together at a single auditee on two or

Note: When two or more discipline-specific management

§ Audit carried out at a single auditee by two or more

Auditee – Organization as a whole or parts thereof being

Audit Team – one or more persons conducting an audit,

Technical Expert - Person who provides specific knowledge or

Note 1: Specific knowledge or expertise relates to the

Audit Program - Arrangements for a set of one or more

Audit Criteria - Set of requirements used as a reference

Note: Requirements may include policies, procedures, work

© Copyright 2022. Fouryes TQM Consultants. All rights reserved

Audit Evidence - Data supporting the existence or verity of

Note: Objective evidence for the purpose of the audit

© Copyright 2022. Fouryes TQM Consultants. All rights reserved

Note: The audit scope generally includes a description of the

Audit Findings - Results of the evaluation of the collected

Note 1: Audit findings indicate conformity or nonconformity.

© Copyright 2022. Fouryes TQM Consultants. All rights reserved

Conformity – Fulfillment of a requirement

Nonconformity – Non-fulfillment of a requirement

Requirements - Need or expectation that is stated, generally

© Copyright 2022. Fouryes TQM Consultants. All rights reserved

Risk - Effect of uncertainty

Effectiveness - Extent to which planned activities are

© Copyright 2022. Fouryes TQM Consultants. All rights reserved

First Party Audit

Second Party Audit

Third Party Audit

© Copyright 2022. Fouryes TQM Consultants. All rights reserved

© Copyright 2022. Fouryes TQM Consultants. All rights reserved

The Foundation for Professionalism

Auditors and the individual(s) managing an audit programme

— perform their work ethically, with honesty, and responsibility;

© Copyright 2022. Fouryes TQM Consultants. All rights reserved

The obligation to report truthfully and accurately

- Audit findings, audit conclusions and audit reports should

- Significant obstacles encountered during the audit and

- The communication should be truthful, accurate, objective,

DUE PROFERSSIONAL CARE

The Application of Diligence and Judgments in Auditing

• Auditors should exercise due care in accordance with the

© Copyright 2022. Fouryes TQM Consultants. All rights reserved

§ Auditors should exercise discretion in the use and

© Copyright 2022. Fouryes TQM Consultants. All rights reserved

The basis for the Impartiality of the audit and objectivity of

§ Auditors should be independent of the activity being

EVIDENCE – BASED APPROACH

The rational method for reaching reliable and reproducible

§ Audit evidence should be verifiable.

© Copyright 2022. Fouryes TQM Consultants. All rights reserved

An audit approach that considers risks and opportunities

• The risk-based approach should substantively influence the