AS and TS Additions for Internal Audit

The aerospace (AS9100) and automotive (ISO/TS 16949) industry versions of ISO 9001:2000 add requirements beyond those in clause 8.2.2 for internal audit. You should examine these extra requirements to see if they might be good additions for your internal audit policies and procedures.


AS9100:2004 (Revision B)

The aerospace standard expands on ISO 9001:2000 with these additional internal audit requirements:

8.2.2 Internal Audit

Detailed tools and techniques must be developed, such as checksheets, process flowcharts, or any similar method to support auditing the quality management system requirements. The acceptability of the selected tools will be measured against the effectiveness of the internal audit process and the overall organization performance. Internal audits must also meet contract and/or regulatory requirements.


ISO/TS 16949:2002
The automotive standard expands on ISO 9001:2000 with these additional internal audit requirements:

8.2.2.1 Quality Management System Audit

The organization must audit its quality management system to verify compliance with this Technical Specification and any additional quality management system requirements.

8.2.2.2 Manufacturing Process Audit

The organization must audit each manufacturing process to determine its effectiveness.

8.2.2.3 Product Audit

The organization must audit products at appropriate stages of production and delivery to verify conformance to all specified requirements (such as product dimensions, functionality, packaging, and labeling) at a defined frequency.

IATF Guidance for ISO/TS 16949:2002 adds for 8.2.2.1, 8.2.2.2, and 8.2.2.3: There are many approaches to analyze quality management system, product quality, and process performance. Internal audit for the organization should be independent of those having direct responsibility for the work performed. Personnel should not audit their own work.

8.2.2.4 Internal Audit Plans

Internal audits must cover all quality management related processes, activities, and shifts, and be scheduled according to an annual plan. When internal or external nonconformities or customer complaints occur, the audit frequency must be appropriately increased.

Note: Specific checklists should be used for each audit.

IATF Guidance for ISO/TS 16949:2002 adds: Relevant input from the area to be audited, as well as, from other interested parties, should be considered in the development of the internal audit plan, including definition of the key customer-oriented processes. Additional planning input may include:

  • Adequacy and adequacy of performance measures
  • Analysis of quality cost data
  • Capability of processes and use of statistical techniques
  • Effective and efficient implementation of processes
  • Opportunities for continual improvement
  • Process and product performance results and expectation
  • Relationships with customers

8.2.2.5 Internal Auditor Qualification

The organization must have internal auditors who are qualified to audit the requirements of this Technical Specification (refers reader to 6.2.2.2).

IATF Guidance for ISO/TS 16949:2002 adds: The organization should define the minimum qualification requirements for personnel responsible for performance of internal audits, taking into account any customer-specific requirements.


ISO 14001:2004
Although not an industry scheme based on ISO 9001:2000, the environmental standard (ISO 14001:2004) is closely aligned with ISO 9001:2000. Section 4.5.5 of ISO 14001:2004 describes internal audit requirements that are expressed in a very similar manner to those in clause 8.2.2 of ISO 9001:2000. The key differences are:

ISO 9001 says the organization must conduct internal audits, but ISO 14001 says the organization must ensure internal audits are conducted. ISO 9001 says internal audits are conducted to determine if the system is effectively implemented and maintained. However, ISO 14001 says internal audits are conducted to determine if the system is properly implemented and maintained.

ISO 9001 says the audit program must be planned taking into consideration the status and importance of the processes and areas to be audited. ISO 14001 says to take into consideration the environmental importance of the operations concerned. ISO 9001 says internal auditors are selected to ensure objectivity and impartiality, and must not audit their own work. ISO 14001 doesn’t mention not being able to audit your own work.

ISO 14001 doesn’t mention that management must ensure actions are taken without undue delay to eliminate detected nonconformities and their causes. It relies on clause 4.5.3 on Nonconformities, Corrective Action, and Preventive Action to address this subject. ISO 14001 also doesn’t address the need for follow-up activities to verify the actions taken and the reporting of verification results.

Clause 4.5.2 of ISO 14001:2004 identifies requirements for the evaluation of compliance. Although Annex B of ISO 14001:2004 relates 4.5.2 to clauses 8.2.3 and 8.2.4 of ISO 9001:2000, some organizations may use their internal audit program to address these requirements:

4.5.2.1 Consistent with its commitment to compliance, the organization must establish, implement, and maintain a procedure(s) for periodically evaluating compliance with applicable legal requirements.

4.5.2.2 The organization must evaluate compliance with other requirements to which it subscribes. The organization may wish to combine this evaluation with the evaluation of legal compliance referred to in 4.5.2.1 or to establish a separate procedure(s). The organization must keep records of the periodic evaluations.

Annex A of ISO 14001:2004 provides guidance on the use of the standard. Section A5.5 states that internal audits of an environmental management system can be performed by personnel from within the organization or by external persons selected by the organization, working on its behalf. In either case, the persons conducting the audit should be competent and in a position to do so impartially and objectively. In smaller organizations, auditor independence can be demonstrated by an auditor being free from responsibility for the activity being audited.


The telecommunication (TL 9000) and medical device (ISO 13485) industry schemes have accepted the basic internal audit requirements of ISO 9001:2000 and do not include any additional audit requirements.