IAFT 16949 audit plan
Sue Tanner
1 Posts
I am working on our three year audit plan and I am wondering if I am required to audit IT and/or Finance. I can see IT being part of the contingency planning, but I am not sure how to incorporate the Finance department. 
Any suggestions would be appreciated. 

Thank you,
Sue Tanner
4 Replies
My experience is in pharmaceutical, biotech, and medical devices, but since no one else has taken a shot at this I figured I'd lend some advice based on what's worked for me.

If IT systems manage anything quality related, they should be covered in your audit program. You got that partially correct in the event that it's not just business continuity but also disaster planning/recovery.

For Finance, it depends on what functions they perform. In most of the companies I have worked for, Procurement is part of Finance. Does finance play a part in approving suppliers? Do business contracts include quality language that should be in quality agreements or are they separate? What about sourcing new suppliers or materials. How do specifications get approved and communicated to purchasing? Who "owns" the ERP system? It's likely also finance, so what quality elements are there in the system and how are they controlled?

Just some suggestions. 
What standard are you auditing against?  If it's 9001:2015, then Finance (Purchasing) is required in Clause 8.4, control of externally provided processes, products and services.  IT would fall under Clause 7.1.6, maintaining corporate knowledge (malware).  Hope that helps.
Since IATF 16949 incorporates the structure and requirements of the ISO 9001, the audit plan may incorporate continual improvement for any department, but before you incorporate IT or Finance, I suggest you ask them if they want to go through the process of being examined, being told that they have opportunities for improvement (issues), if they want to take the steps to correct the issues and prevent recurrence, and consequently become a better IT dept. or Finance dept.
I believe that is the end end result of a good audit process: improvement.
I would definetely audit IT from the perspective of risk, contingency planning and record retention at minimum. How is the department performing to meet the needs of it's customers? The IT department is a vital part of most businesses. After being at a business that suffered a global cyber attack recently, I personally realized that we take many of the IT functions for granted! 

Regarding Finance, I would audit them from the perspective of context of the organization. They get the opportunity to see all the players from suppliers, customers and internal costs through cash flow. This is also potentially a good place to see cost of quality performance which can lead you down other paths during the audit.