Audit programme & the three audit types (IATF only)
Plain-language summary
IATF demands a documented audit process and three distinct audit layers over each three-year cycle: full QMS audits (CSRs sampled in), manufacturing process audits covering all shifts (with process approach effectiveness, PFMEA/control plan adherence), and product audits at appropriate stages — programme prioritised by risk, performance and changes.
What the clause is really asking
A documented internal audit process: programme covering the whole QMS over (max) three calendar years, prioritised on risk, internal/external performance trends and criticality, with audit frequency reviewed and adjusted. QMS audits include sampling customer-specific requirements for effective implementation. Manufacturing process audits cover all shifts where applicable (including shift handover), audit effective implementation of the PFMEA, control plan and associated documents, and use customer-required approaches where defined. Product audits verify conformity at appropriate production/delivery stages using customer-specified approaches or your own defined method.
What auditors look for
Auditors check the three layers exist and are genuinely different: a QMS audit checklist that never references a CSR, process audits done only on day shift, or 'product audits' that are just final inspection records — each is a finding. Cycle coverage maths gets verified (everything audited within three years), as does frequency adjustment after problems.
Typical evidence
Documented audit procedure; three-year programme matrix; QMS audit records sampling CSRs; process audit reports per shift including handover; product audit reports; programme adjustment evidence after poor performance.
How to comply — recommendations
Build a three-row programme matrix (system/process/product) against the three-year cycle. Send process auditors to night shift at least once a cycle — handover is where systems leak. Product audits: pull packed parts monthly and re-verify against full requirements; it is cheap and customers love seeing it.
Common nonconformities
No manufacturing process audits at all (very common); night shift never audited; CSRs absent from QMS audit scope; product audit confused with routine final inspection; static programme never adjusted after customer complaints.
Related clauses
Builds on ISO 9001 9.2; links IATF 7.2.3 auditor competence
Qlause provides interpretive guidance only and is not a substitute for the standard. Refer to your licensed copy of ISO 9001 / IATF 16949 for the authoritative text.