AS9100 & Internal Auditing: What You Need To Know
Guide to Performing an Effective and Compliant
AS9100 Internal Audit
When done effectively, one of the most critical and valuable activities performed within an AS9100 quality management system (QMS) is your company’s internal audits. A well-planned, conducted and reported internal audit will allow the QMS to continually improve. An effective internal audit process will also provide evidence of compliance to all of the AS9100 components, as well as provide evidence of the effectiveness of your company’s processes and practices. The purpose of this article is to provide guidance on planning and performing an AS9100 internal audit. It is our hope that this information and the helpful audit tools will provide value to your company.
Components of the AS9100 Internal Audit
There are several components that comprise an AS9100 QMS. All of these components need to be included within your company’s internal audit process. If any of these components are not included in your company’s internal audits, then the internal audit process is not fully compliant nor is the internal audit fully effective. These components include:
- The current AS9100 Standard and the current AS9101 Audit Requirements that apply to your company.
- All of your company’s customer-specific requirements (CSRs) which are flowed down on your customer’s purchase order or contract. The higher up in the supply chain typically result in more CSR’s imposed (such as counterfeit parts prevention program, AS9145 for Advanced Production Quality Planning and Production Part Approval Process, etc.)
- All applicable statutory and regulatory requirements (from your customer as well as legislative bodies, such as the FAA)
- Your company’s internal processes, procedures, and practices
Selecting Internal Auditors
AS9100 leaves auditor competency requirements up to your company to define. Of course, your company’s internal audits will only be as strong as the auditor(s) conducting the audit. Your company may desire to have a higher level of competency required for the internal auditor(s). Thus, providing greater benefits to your company. The minimum QMS auditor competency requirements should be:
- Understanding of applicable AS9100 requirements related to the scope of the audit.
- Understanding the process approach for auditing, including risk-based thinking—this is NOT a checklist audit based on a single clause of the standard. Use your internally developed process flow diagrams and turtles (if you use them) to conduct a process-based audit. Also using internal and customer data to drive the direction of the audit trails (more details are covered below in the “Performing the Audit” section).
- Understanding of applicable customer requirements applicable to your company. Customer flow down requirements must be sampled and utilized during the internal audit process.
- Understanding how to plan, conduct, report and close out findings.
These are minimum requirements with the expectation that the auditor has technical understanding of your company and its processes as well as an improvement plan to build the auditor’s skills.
Scheduling the Internal Audits
The QMS internal audit(s) need to be planned and scheduled. The internal audit must be a full internal system audit that includes the main manufacturing site as well as any support locations. Many CSRs include additional requirements beyond those identified in the AS9100 standard. Therefore, ensure to consult all CSRs to determine your company’s requirements.
The schedule must be risk and performance-based. The schedule must be updated on an annual basis and the full system must be audited within 3 years (again based upon risk and performance—and may need to audit more frequently, if required). Always audit all process and all of the components of AS9100. Most companies audit the full system annually.
Some important scheduling tips:
- Be sure to include top management and their processes in the schedule.
- Do not forget to include an audit of the internal audit process.
- Ensure that auditors assigned to conduct the audit are independent of the area being audited. They can audit their own department if they can maintain impartiality, but can’t audit their own work.
- The schedule must also include a sample of the CSRs.
The schedule (see examples) should include the area/process to be audited, the requirements included in the audit, the auditor assigned (remember to maintain independence), the timeframe of the audit, and any other important information. The area’s responsible process owner(s) needs to have the schedule before the audit is conducted. This courtesy allows for the area to plan and prepare for the audit event. Remember, the better prepared everyone is for this event, the less likely significant problems will occur. Also, update the schedule if events change. Best practice is to capture notes with explanation and justification for any schedule changes. The schedule becomes important evidence to support the audit report. Retain the final version of the schedule with the audit records for easy retrieval during an external audit.
Performing the Audit
As with most significant events, starting the internal audit needs a little up-front planning. The process approach requires the review of data to help select the appropriate audit trails for the audit. Start with a desk audit (not auditing anyone face-to-face), collecting information and data prior to establishing the audit trail. The review should include:
- Review current CSRs and other components of AS9100 for familiarization and to develop questions for the process areas. We have prepared an example of a manufacturing process audit checklist so you can see how many clauses of AS9100 form a thread to link different aspects of the standard to ultimately assess the overall effectiveness and performance of the manufacturing process.
- All customer scorecards or customer feedback reports—focusing on your company’s performance and selecting areas of weak performance as audit trails.
- Review of customer complaints and actions taken-selecting trails from known customer issues.
- Review of corrective actions-using the reports to follow up on the effectiveness of actions taken.
- Review the internal metrics or key performance indicators (KPIs) to determine how each process is performing – again, the trail needs to look at actions to address process performance issues.
- Review any recent product launches to set appropriate trails.
- Review any new customers and their respective requirements and processes.
Once data has been reviewed and trails established, the time has come to interview employees and review processes, using the process approach:
- Start the process path with the defined process owner. Have the process owner explain the process flow (inputs and outputs), review how the process is measured, review the current measures and any actions taken for negative measures, and process risks and opportunities. Use the data collected at the desk audit to complement the information gathered by the process owner.
- Using information from the process owner, the desk review, and internal process control documents, review the process being performed. Always review the inputs, outputs, and expected outcomes. Compare the defined process control and expected outcomes to the actual process and outcomes. Any discrepancy should be considered for a non-conformance.
- Always engage the employees at the process areas, not just the process owner or supervisor.
- Ensure the audit includes the components of AS9100, and have a copy of these requirements available to reference during the audit activity:
- The current AS9100 Standard.
- All of your company’s customer-specific requirements (CSRs) related to your audit trails.
- All applicable statutory and regulatory requirements (from your customer as well as governmental bodies)
- Your company’s internal processes, procedures, and practices
- Keep detailed notes of the audit activity that includes the processes audited, what evidence was reviewed, who was interviewed, which standard section/component requirement was verified, and any other important information (including trails to review in other processes such as supplier information for purchasing, employee names for HR, gage identification for calibration, etc.). Notes can be kept on a blank sheet of paper, a turtle diagram template, checklists, etc.
- Any discrepancies against an expected outcome, internal process or one of the AS9100 components needs to be considered a non-conformance.
- Ensure all non-conformances are written in the trail notes and explained to the process owner before leaving a process area.
Report Creation (including Non-conformances)
At the completion of the audit event a report should be generated and distributed. The importance of the trail notes becomes apparent at this stage of the process. The trail notes should be used as reference to create the audit report and summary. Also, any non-conformances identified during the audit process can be transferred from the audit notes to the corrective action report. The audit reporting activity should include the following steps:
- Use the trail notes and supporting evidence to create the audit summary. The audit summary needs to include what processes were audited, the people interviewed, reference to what was reviewed (e.g., part number, engineering drawing, purchase order number, etc.), trails that were followed and the follow up trails that occurred.
- The summary needs to include output from the desk audit review that defined the trails that were included in the audit.
- Include a copy of the audit schedule with the audit report (good practice).
- Summarize any non-conformances identified.
- Record the non-conformances on the corrective action report including:
- Statement of non-conformance (e.g., “the process of product inspection is not fully effective”)
- Requirement the non-conformance is written against (from one of the five components mentioned throughout this report—in this example Procedure 22)
- Process area where the non-conformance was found (e.g., Lockheed Martin welding line 3)
- Objective evidence to support the non-conformance (e.g., after reviewing the weld nut break test inspection sheet for December, 2020, it was identified that the break test was not performed every hour [as required by procedure 22 and Lockheed Martin requirement 5.2] –missing 3 hourly checks on 12/11/20 2nd shift).
- When the audit report and corrective action entries are completed, present the report to your company’s management for their review and comment. Ensure that a copy of the report is retained as a quality record.
- The corrective actions should be directed to the responsible process owner for completion.
- Certification body auditors for AS9100 must complete a document called a PEAR (Process Effectiveness Assessment Report). It is nearly identical to the turtle diagram, just a different appearance and layout. The primary difference is the PEAR’s final assessment and scoring of the process to determine the level of compliance with requirements and the overall performance effectiveness against key performance indicators. The PEAR assesses whether management is aware of the performance and whether anything is being done to improve poor performance. This is not required for internal audits, but it helps emphasize the importance of the internal audit effectiveness if the same type of process effectiveness is also evaluated as part of the internal audit.
Management Review and Continuous Improvement
The internal audit results and the corresponding corrective actions are used as an input into the management review (see AS9100 clause 9.3.2). Top management needs to fully trust that the internal audits are being completed to schedule and are being performed effectively. If done correctly, the resources being supplied to conduct the internal audits should pay multiple dividends to your company.
Trending some of the important data (recurring non-conformities, similar issues within many processes, top processing concerns, etc.) can also be used to identify systemic issues and apply organizational actions. Thus, internal audits and the corresponding data (including trending of critical measures) creates an important input into your company’s continuous improvement activity.
Although not comprehensive, the intent of this article is to provide some guidance with your company’s AS9100 internal audit process and activities. A well-defined and executed internal audit process will benefit your company by:
- Improving accuracy (and compliance with AS9100) within your company’s QMS.
- Help avoid or eliminate potential customer issues and problems.
- Uncover any areas of non-conformance, redundancy, and waste…thus adding value to your company.
- Help ensure policies and practices of your company are being implemented effectively.
- Help ensure compliance to the interested parties’ requirements.
Effective internal auditing will provide your company with real value for the resources utilized when you use competent internal auditors. (If you’re interested in determining the cost of conducting your own internal audits, we’ve developed an Audit Cost Calculator that’s free to use.)
Serving aerospace and defense manufacturers, suppliers and distributors since 2005, simpleQuE offers customized AS9100, AS9110 and AS9120, or ASA-100 (FAA AC00-56) consulting and internal auditing services. If your internal auditors need training to bring their AS9100 knowledge and qualifications up to speed, simpleQuE offers onsite AS9100 Internal Auditor Training. Or if you don’t have the resources to conduct an effective and compliant internal audit, our aerospace quality experts, have the auditing expertise and certified resources to offer true value to your business. Contact us for a free quote.
Learn More About The simpleQuE Advantage