How to conduct audits, a must-read for internal and external auditors
Release Date: 2022-03-10 11:47

What is audit effectiveness? Audit effectiveness is not equal to the overall effectiveness of the system operation. A successful audit objectively and fairly identifies audit findings and effectively uses these findings to continuously improve the system and operational performance.
Whether you are an internal or an external auditor, it is worth saving and studying this article.
1. Two conditions for effectively conducting audits
Condition 1: You understand the professional activities in the audit area.
If you know nothing about the activities, processes, products, or services you are auditing, no matter how detailed the checklist is, it cannot improve audit effectiveness because you will only read questions from the checklist without daring to ask any extended questions. A qualified auditor should be familiar with the area to be audited.
Condition 2: You are a mature auditor (at least not a nitpicker).
Not being a nitpicker does not mean the audit is just a formality or that 'good enough' is acceptable. Instead, it means always adhering to the concept of "effectiveness" in auditing.
For example, in an ISO9001 internal audit, it is a stretch to raise a nonconformity just because a workstation has not established a work instruction. The audit should continue, based on risk thinking, to confirm the following questions:
① Is the process simple?
② Is it a non-critical process?
③ Do employees clearly know how to operate?
④ Has the process never had quality issues (can check process abnormality lists, etc.)?
If the answers to all four questions above are "yes," it is not recommended to raise a nonconformity. Do not worry that this is improper. For simple processes with only 1-2 steps, even if you create a document and hang it there, it may not improve much and may make the auditee think you are overly pedantic.
Note: The above "work instruction" issue does not apply to IATF16949:2016 internal audits because IATF16949:2016 requires a standard work instruction for every process, see 8.5.1.2. It requires employees not only to know how to operate but also to ensure that every employee's work in the process is standardized and consistent.
However, a nonconformity must be raised if a measuring instrument used to inspect products is "past its calibration validity period," as this poses a risk of delivering potentially nonconforming products to customers. If all sampled measuring instruments are expired or uncalibrated, that is a serious nonconformity.
2. Audit Checklists
Stage 1 Audit Checklist
Customer information: including automotive customer list, automotive customer special requirements list, contracts/agreements signed with customers, contract or agreement reviews, and orders for the past 12 consecutive months;
System planning: process control checklist, process matrix diagram, process relationship diagram, risk control plan, procedure document list, manual, record list;
Internal audit: including system audits, all process audits related to automotive product manufacturing, all product audits of automotive products; such as internal audit plans, annual plans, audit schedules, audit reports, etc.;
Management review: review plans, review reports, etc.;
Process performance indicators: statistics and trends of performance indicators for the past 12 consecutive months, including contents specified in the business plan, quality objectives, quality cost analysis, process indicators;
Customer-related performance: customer complaints/returns handling data (summary tables, registration forms, 8D reports/PPM indicators and trends, excess freight, etc.), customer satisfaction evaluations;
Supplier-related performance: supplier PPM indicators and trends, excess freight, etc.;
Automotive product standards, customer drawings, APQP data, customer confirmation records for products/third-party test reports, etc.
Stage 2 Audit Checklist
1. Management
Analysis of internal and external environmental factors of the company: SWOT analysis (competitors, industry benchmarks, etc.), macro factors analysis (political, economic, cultural, etc.), micro analysis (industry, product structure/positioning, development trends, etc.);
Enterprise risk analysis: product safety, production safety, environmental protection, finance, design, manufacturing, supply, industry, etc.;
Company strategy: overall company strategic planning and goals for the next 3-5 years, strategy deployment (functional strategies) and strategic goal deployment;
Annual business/operation plan formulation and statistics: formulate the company-level business plan for the year based on overall company strategic goals and implement it in each department, establish KPI indicators for each department, collect and analyze target achievement results periodically, conduct trend analysis, and propose improvement measures. Submit statistical results for the past 12 consecutive months. The business plan includes performance monitoring for each customer and supplier, quality costs, quality objectives, operational indicators, management indicators, process indicators, etc.
Management review: management review plan → compilation of departmental report materials → management review meeting attendance → management review report → continuous improvement plan → implementation results;
System audit: internal audit implementation plan → audit implementation records → system audit report → nonconformity reports (including cause analysis, corrective actions, and verification) → nonconformity distribution table → first/last meeting attendance sheets;
Process audit: annual process audit plan → process audit implementation plan → audit implementation records → process audit report → nonconformity reports (including cause analysis, corrective actions, and verification) → nonconformity summary table → first/last meeting attendance sheets;
Product audit: annual product audit plan → product audit implementation plan → implementation records (including full dimension reports, various function and performance test reports, material reports) → product audit report;
2. Production
Production planning: customer orders/sales plans → manufacturing feasibility review → production plan → production instructions → production statistics; including capacity analysis;
Production process management: operation preparation verification (first inspection), process parameter monitoring records (if production is not responsible, quality is responsible);
Production process control: shift handover records, production dynamic records (equipment maintenance, mold/tool maintenance, tool/tool replacement, product replacement, material replacement, etc.);
On-site management: area division (production area, qualified area, incoming material placement area, inspection area, nonconforming area, shipping area, passageways, etc.), product identification, the site should be kept clean and tidy;
3. Equipment
Ledger → equipment card → annual maintenance plan → maintenance records → daily inspection records → repair records → performance indicator statistics; meeting predictive maintenance requirements;
New equipment or major overhaul → Equipment acceptance records → Ledger → Equipment history;
Equipment identification: Identification and status signs of environmental protection equipment/safety protection equipment/key equipment (under repair, out of service, normal, etc.);
Special equipment management: List, filing materials, annual inspection records; including: cranes, forklifts, elevators, pressure vessels, boilers, etc.
4. Tooling
New tooling: Development plan → Tooling design (drawings, standards, etc.) → Purchase order/self-made plan → Acceptance form (inspection records, etc.) → Ledger
Daily management: Ledger → Regular inventory inspection records → Maintenance records → Periodic accuracy inspection reports → Tooling history → Disposal application form (must include disposal records)
Tooling identification: Number, ownership and status signs (under repair, out of service, normal, scrapped, etc.);
Note: Tooling includes tools, special gauges, molds, fixtures, cutting tools (including grinding tools), reusable logistics equipment, etc.
5. Quality
New raw materials or new parts → Sample reports (company inspection and test records, production trial reports, etc.; supplier-provided material reports, functional performance reports, reliability test reports, and third-party inspection reports, etc.);
Regularly purchased products → Inspection application form → Incoming inspection records;
Production process: Process parameter monitoring records (if quality is not responsible, then production is responsible), product inspection reports, process quality records (self-inspection, first article inspection, patrol inspection, sequence transfer inspection, warehouse inspection, on-site control charts, periodic Cpk analysis reports, etc.), finished product inspection records (inspection record sheets, reports), identification (must be present on site), customer incoming material inspection records;
Returns or customer complaints: Customer complaint registration form → Summary → 8D report → Change notice + document change notice → Related document revisions (control plans, FMEAs, processes, inspection procedures, etc.); This item is provided by marketing or quality!
Nonconformance control: Nonconformance disposition form, if scrapped then scrapping notice, rework has rework re-inspection records, nonconformance summary table → Regular nonconformance priority reduction plan → Corrective/preventive action verification records → Change notice + document change notice → Related document revisions (control plans, FMEAs, processes, inspection procedures, etc.);
For major nonconformance items → Corrective/preventive action verification records → Change notice + document change notice → Related document revisions (control plans, FMEAs, processes, inspection procedures, etc.);
Monitoring and measuring devices: Ledger → Calibration/verification plan → Calibration/verification records (internal and external calibration records, deviation records, calibration history, etc.) → Validity identification → Pre-use calibration records → Daily inspection records of test equipment → Regular inspection records; These devices include product inspection and test equipment/instruments/gauges and instruments monitoring process parameters (such as pressure gauges, temperature controllers, voltmeters, ammeters, flow meters, time relays, thermocouples, etc.); periodic MSA analysis reports;
Laboratory: Standard sample list → Sample identification cards; Laboratory environmental condition monitoring records (temperature, humidity, cleanliness, etc.);
Test sample registration → Original test records → Test reports → Test sample disposal records, etc.;
6. Technology
New product development: At least one complete set of APQP data for each product series; focus on product standards, customer requirements, development goals, product design verification/review/confirmation records, phased verification reports, etc.;
PPAP data for all automotive products, including drawings, control plans, process documents for all products.
Process validation: Process validation records (PPK, MSA, special processes, capacity, cost, pass rate, etc.);
Design changes: Application form → Pre-change review → Change plan → Change records → Post-change review → Technical notice/document change notice → Related document revisions (drawings, standards, FMEAs, control plans, processes, inspection procedures, etc.) → Change history;
Technical document management: Technical document list → Document archiving records → Copy distribution records → Revision records → Revised receipt and dispatch records → Borrowing records; External document list (standards related to products) → Document archiving records → Copy distribution records → Validity check and update records → Borrowing records;
7. Marketing
Marketing: Market analysis, industry analysis, market positioning, business analysis, competitor and industry benchmark analysis, SWOT analysis, marketing strategies, marketing planning, etc.;
Customer files: Customer list → Customer special requirements list;
Contract management (including sales contracts, technical agreements, quality agreements, drawings, etc.) → Contract review forms;
Order management: Customer orders/sales plans → Manufacturability review records → Monthly order registration → Shipping plans → Order execution tracking records → Shipping records → Sales performance statistics;
Returns or customer complaints: Customer complaint registration form → Summary → 8D report → Change notice + document change notice → Related document revisions (control plans, FMEAs, processes, inspection procedures, etc.); This item is provided by quality or marketing!
Satisfaction management: Customer satisfaction survey forms (sent to customers)/Customer satisfaction evaluations (internal assessments) → Customer satisfaction evaluation reports;
Customer document management: Customer document list (customer standards, drawings, contracts, technical requirements, related agreements, etc.) → Document archiving records → Copy distribution records → Update records → Revised receipt and dispatch records → Borrowing records;
8. Procurement
Supplier information: Acceptable supplier list → Supplier information (basic information survey forms, copies of business licenses, copies of organization code certificates, copies of system certificates (including quality system, environmental system, etc.), copies of special industry production permits/transport permits, hazardous waste disposal qualifications, etc.);
Supplier evaluation: Supplier development plan → Data collection → Potential supplier list → Review plan → Supplier review records → Acceptable supplier list → Purchase agreements (new product development agreements, technical agreements, quality agreements, confidentiality agreements, price agreements, framework purchase contracts, logistics/packaging agreements, environmental agreements, etc.);
Sample Management: New product development → Signing and issuing technical documents (various agreements, drawings, standards, etc.) → OTS sample delivery → Sample approval → PPAP submission (if necessary) → PPAP approval (if necessary) → Mass procurement;
Change Management: Updated documents → Document receipt and dispatch records (old document retrieval, new document issuance) → Sample delivery after part changes → Sample approval → PPAP submission → PPAP approval → Mass procurement switch;
Procurement Management: Material requirements planning → Procurement planning → Purchase orders → Inspection application → Incoming inspection records → Warehouse receipt → Supplier performance evaluation
Nonconformance Control: Nonconformance disposition form → Disposition records (returns, sorting, etc.) → Supplier corrective actions → Corrective action verification records → Supplier performance assessment
Supplier Document Management: List of documents related to suppliers (standards, drawings, contracts, technical requirements, related agreements, etc.) → Document archiving records → Copy distribution records → Update records → Revised receipt and dispatch records
9. Warehouse
Consistency between accounts and cards, clear labeling, neat stacking, protection meeting environmental requirements, complete inbound and outbound records, clear first-in-first-out method, warehouse area division/layout, shipment inspection records, etc.
Management of Interested Party Property (Hardware: equipment, tooling/molds/gauges/logistics tools, materials or parts, etc.): List of interested party property → Arrival notice → Inspection records → Ownership identification → Warehouse management → Shipment/consumption/turnover records → Regular inspection/maintenance/repair records → Damage records (if any) → Records of reporting to interested parties (if any); Specific management according to the company's requirements for equipment, tooling/molds/gauges/logistics tools, materials or parts, etc.;
10. Human Resources
Training: Training needs (proposed by departments, company strategy, job competency evaluation, new employees/transfer employees, safety/environmental protection, new product development, etc.) → Annual training plan → Monthly training plan → Training records (attendance sheets, training records) → Training effectiveness evaluation;
Human Resources Management: Employee roster, new employee probation assessment, special work personnel status form, skill matrix and competency evaluation, employee performance appraisal, job rotation plan, career planning and promotion channels, rationalization proposals/self-improvement/QC team activities.
Satisfaction Evaluation: Employee satisfaction survey → Summary and analysis of employee satisfaction survey → Improvement measures and verification;
11. Document Control/Records
Controlled document list (management list) → Document approval → Distribution records → Revision records → Revised receipt and dispatch records → Borrowing records;
Record list (including prescribed retention periods) → Distribution records → Revision records → Revised receipt and dispatch records;
Explanation:
1. Management documents include manuals, policies and objectives, annual business plans, procedure documents, record formats, management systems, operating procedures, work instructions, etc.
2. Operating procedures and work instructions do not include product manufacturing process documents.
12. Finance
Cost Accounting: At least accounting for product costs at each process step;
Collect data on nonconforming products and scrap in the production process to calculate internal losses.
Collect customer return data and claim data to calculate external losses.
Generate quality cost analysis reports, focusing on trends in quality losses.
3. Steps for Effective Audit Implementation
Audit Planning
Process sequence;
Focus on key points;
Effective time allocation;
Reasonable personnel allocation (requirements for independence and professionalism);
Determination and grasp of audit timing.
Matters to Note
The planning results should be communicated to the auditee in advance, so that the audit does not come as a surprise;
Allow others sufficient preparation;
Do not seriously disrupt others' normal business operations; audit time should be negotiable and adjustable.
Checklists are important but do not have to be detailed.
They can help you grasp the rhythm and reflect your key focus;
Content expression can be only indicative; the level of detail depends on your experience;
Do not recite mechanically; questioning should be skillful;
Internal audits can provide the audit checklist to the auditee in advance (if needed by the auditee);
The checklist should be a form of audit record.
Three key points for designing checklists
How daily work is handled;
Whether the system still works when some unusual events occur;
Whether things remain under control during a crisis.
Sufficient internal consultation before entering the site is necessary.
The purpose is to communicate audit intentions and coordinate audit steps;
At the same time, further clarify key focuses during the audit;
Mutually remind special matters to pay attention to during the audit.
The biggest challenge for auditors is dealing with people;
Therefore, dealing with people must be very careful;
Do not make the other party feel resentful, which could lead to audit failure;
Remember: Never turn an audit into an inspection (looking for trouble).
Remember the principles of sample selection
To achieve objectives;
Closely related;
Representative;
Sample size: 3 < n < 12
Effective working methods
Listen: Hear and listen to what you care about;
Look: Be sharp and sensitive, discern the truth of the problem in the subtle details;
Check: Learn to sample and verify;
Ask: Stay on topic and inquire about what you care about.
Record: It is indispensable, especially detailed records should be made for problem points.
Effective audit sequence
Conversation — Questioning
Description — Listening
Documents — Basis
Proof — Valid evidence
Situations leading to failure in on-site audits
Behaving too rigidly in front of colleagues, making people uncomfortable;
Failing to communicate effectively with a calm mind, thinking oneself superior;
Lacking questioning skills, allowing answers to be simple YES or NO;
Lacking confidence, unable to address core issues of others' work;
Unable to effectively use the full audit methods of "listen, look, check, ask," only checking documents and making records;
Unable to use sufficient wisdom to resolve obstacles during the audit;
Acting as a mediator to intervene in others' disputes;
Talking endlessly in a lecturing manner, making people think you are a preacher;
Audit team members cannot coordinate effectively according to their division of labor, each doing their own thing.
Senior management audits are a challenge
Their position is inherently higher than yours, giving you a sense of reverence;
Their knowledge level may be higher than yours;
Their perspective and depth in viewing issues may differ from yours;
But it does not exclude the possibility of low-level or low-awareness individuals.
But it is a key step, requiring you to
Make full preparation in advance;
Standards and documents are your basis;
You should communicate on topics that interest managers and stay on topic;
Learn to use economical language and avoid stiff terms and jargon;
You must let managers feel that such audits truly help promote the system;
You need to be a person who can communicate and has a certain knowledge base
Peer communication is also not easy
Sincerity moves people, never let them feel you are stirring trouble;
It is to improve the system, not to embarrass others, so you should empathize and understand others' difficulties;
Help analyze causes when problems are found, with the fundamental goal of uncovering the iceberg;
Focus on the matter, do not involve interpersonal relationships;
Everyone makes mistakes, never kick someone when they are down, and never snitch or sabotage;
When you make a mistake, apologizing is necessary;
In short, a friendly atmosphere is the foundation of a successful audit.
Communication with operational personnel should pay attention to
Politeness is even more necessary;
Operational personnel are busy on site, so it is not appropriate to spend too much time;
Use language that can be understood;
Do not require workers to recite document requirements;
Observation of the operation process can replace asking workers about their understanding of documents;
Avoid interrupting or contradicting during conversations, be patient with misunderstandings;
Do not make records in front of workers.
On-site audits should have depth
Audit thinking should be consistent from all directions;
Sampling can follow one product's realization layer by layer as a case (from order - design - procurement - production - packaging - delivery - service);
Focus must be on key links in the product formation process, supported by sufficient professional ability;
Legal and regulatory requirements should be given special attention;
Confidence in the system comes from self-improvement, which all departments should strengthen and focus on;
Known problem points within the organization should be given key audit attention;
Difficult and key points in management should be identified and judged with sufficient experience;
For the tip of the iceberg found, there should be the ability to explore its root depth and breadth.
Verification is an important step
Do not rely on hearsay;
Statements that nothing is wrong should be further confirmed;
Admissions of error within the person's scope of responsibility are evidence.
Audit findings should focus on major issues and let minor ones go
Do not be nitpicky, understand continuous improvement, and notify minor issues as reminders;
Focus on major system deficiencies to help others improve after correction;
Repeated minor problems should be raised as system issues and not ignored because they are small.
Audit findings records and reports
Records should be traceable and re-checkable;
Reports should not have quantity limits, otherwise a complete system judgment cannot be made;
Do not be afraid to let the audit body see everything the internal audits found; corrective actions are what matter;
The formed report should be confirmed by the audited department.
Three elements of a nonconformity report
Requirements of the standards;
Requirements of the system documents;
Key issues concentrated in the last audit;
Key and difficult points in management;
Known management issues that have occurred in the department.
The first step of the audit you should collect

Requirements for writing nonconformance reports
Accuracy;
Completeness;
Clarity;
Conciseness.
The fundamental focus of corrective actions in internal audits
Cause analysis is very important; the root cause must be found;
Distinguish between correction and corrective action;
The auditee is the leader of corrective actions, but the internal auditor should be a coach;
Time-limited inspection (verification) is key.
It is essential to evaluate audit capability and performance
Provide a basis for improvement for the next audit;
Encourage internal auditors to continuously improve their skills and practice;
Make the auditee have a good experience and increase their internal approval of the internal audit;
Make system audits truly add value.