An audit day usually has one of the following sequences. Version A: The inspector asks for the test report for part no. X from week 08. Within 90 seconds it is on the table - complete, with measuring equipment reference, inspector ID and approval decision. The inspector nods, makes a note and moves on. Version B: The same inspector asks the same question. Three employees search in three different systems. After 45 minutes, something is found - but without a measuring equipment reference. The examiner writes a finding.
The difference between version A and version B is not the quality of the process. It is the quality of the report infrastructure. Auditors not only evaluate what is documented - they also evaluate how quickly and how complete it is available. Those who search in the audit give the impression that the system has not been mastered.
This article shows which eight reports are really asked for in quality audits - not as a theoretical list, but from the auditor's perspective: what must be included, what looks good, what triggers questions.
THE MOST IMPORTANT POINTS IN BRIEF
|
BRIEFLY SUMMARIZED
|
What auditors really assess - and what annoys them
Auditors are not document collectors. They are system evaluators. When an auditor asks for a report, he doesn't just check the content of the report - he checks whether the company has mastered its own quality process. The submission time, completeness and linking of information are indicators of exactly that.
|
< 5 min. Maximum retrieval time for mandatory reports without finding risk CSP audit analyses 2024/25 |
68 % of all traceability findings are due to missing report linking CSP project data |
8 Reports Core reports that are queried in 90% of all quality audits IATF / ISO 9001 practice benchmark |
3 elements Every report needs: What + Who/When + What after Auditor feedback CSP |
What annoys auditors - three universal audit annoyances
First: Searching. If several people start searching in different systems after a report request, this is an immediate signal that there is no structured quality management system in place. Auditors make a note of this - before they see the results of the search.
Secondly: fragmentation. An inspection report without a measuring equipment reference, a CAPA without proof of efficacy, a batch record without a delivery bill link. Individual documents that do not talk to each other are not a system - they are a collection of documents.
Thirdly: Subsequent additions. 'I'll add this' or 'This wasn't up to date' in the audit are red flags. Auditors want to see documents that have been created during ongoing operations - not those that have been prepared for the audit.
Report matrix: Which report for which audit type
Not every report is needed in every audit. The following matrix shows which of the 8 core reports are mandatory (●●), recommended (●) or optional (○) for which audit type.
|
Audit type |
PP |
SPC |
RV |
CAPA |
CAL |
WE |
LS |
8D |
|---|---|---|---|---|---|---|---|---|
|
IATF 16949 certification audit |
●● |
●● |
●● |
●● |
●● |
● |
●● |
●● |
|
IATF 16949 surveillance audit |
●● |
● |
●● |
●● |
●● |
● |
● |
●● |
|
OEM customer/supplier audit |
●● |
●● |
●● |
●● |
● |
●● |
●● |
●● |
|
MDR authority audit |
●● |
● |
●● |
●● |
●● |
●● |
●● |
●● |
|
ISO 9001 certification audit |
●● |
● |
● |
●● |
●● |
● |
● |
●● |
|
GoBD / tax audit (tax) |
○ |
- |
○ |
- |
- |
●● |
●● |
- |
|
VDA 6.3 process audit |
●● |
●● |
●● |
● |
●● |
● |
● |
● |
|
●● = Mandatory (finding risk without) ● = Recommended ○ = Optional - = Not relevant |
||||||||
Key to the abbreviations: PP = Test report - SPC = Control chart/Cpk - RV = Traceability report - CAPA = CAPA register - KAL = Calibration certificate - WE = Goods receipt - LS = Delivery bill link - 8D = 8D report
The 8 core reports in detail
Each of the following 8 reports has a specific function in the audit. The cards show for each report: which content is mandatory (missing mandatory content = finding risk), which additional content creates confidence, the most common error - and what the auditor thinks when the report is complete.
1. audit report (PP)
| Area | Scope |
|---|---|
| Standards | IATF 16949, ISO 9001, MDR, VDA 6.3 |
| Report type | Inspection report (final inspection / inline) |
| Format | System printout PDF or digital export with time stamp |
| Mandatory content | Part number and serial number or batch numberInspection characteristics with target tolerance and actual measured value per characteristicIO / NIO / REQUIRED decision with dateInspector identificationMeasuring equipment reference of the calibrated measuring equipment used |
| Target content | Calibration status of the measuring equipmentReference to released work instructionStatistical characteristic values (Cpk) |
| Frequent error | Test report without measuring equipment ID. The calibration adjustment is not traceable. |
| Tester reaction | Complete, immediately retrievable, measuring equipment reference available - auditor sets check mark and continues. |
2nd SPC control chart (SPC)
| Area | Content |
|---|---|
| Standards | IATF 16949, VDA 6.3, OEM audits |
| Report type | SPC control chart / Cpk evaluation |
| Report format | Graphical representation with key figure summary |
| Mandatory content | Characteristic designation and tolerance limitsTime series of measured values over at least 25 subgroupsUCL/LCL correctly calculatedCurrent Cpk value |
| Target content | Western Electric RulesDocumented reactions to signalsComparison of Cpk and Ppk |
| Common error | Cpk value without associated control chart and proof of stability. |
| Tester reaction | Cpk ≥ 1.33 and stable control chart - no further testing required. |
3. traceability report (RV)
| Range | Report content |
|---|---|
| Standards | IATF 16949, MDR, OEM, EU PLD |
| Report type | Traceability report |
| Report format | System-generated PDF report with hierarchy display |
| Mandatory content | Serial or batch numberProduction order with routing referenceMaterial batches of all installed materialsTest results and release decisionProof of delivery |
| Target content | Process parameters per production stepCalibration certificatesShift leader identification |
| Frequent error | Traceability ends with the production order instead of the supplier batch. |
| Inspector reaction | Complete chain from raw material to delivery can be called up in less than two minutes. |
4th CAPA register (CAPA)
| Area | content |
|---|---|
| Standards | IATF 16949, ISO 9001, MDR, VDA |
| Report type | Corrective & Preventive Actions Register |
| Report format | System printout or Excel export |
| Mandatory content | List of all open and closed CAPAsDocumented root cause analysisActions with responsible person and dateProof of effectiveness |
| Target content | Recurrence checkLessons learned in FMEA or control planLink to complaints |
| Frequent error | CAPA is closed without effectiveness check. |
| Auditor reaction | Seamless proof of effectiveness shows that a quality system is in place. |
5. proof of calibration (KAL)
| Range | Content |
|---|---|
| Standards | IATF 7.1.5.1, ISO 9001, MDR |
| Report type | Measuring equipment management / calibration certificate |
| Format | Measuring equipment register with status ampels and certificates |
| Mandatory content | Measuring equipment IDCalibration date and validityCalibration resultStandard traceability |
| Target content | Calibration history of the last three yearsReaction certificate for expired calibrationMSA / Gage R&R |
| Common error | Calibration certificate not linked to test report. |
| Tester response | Calibration status can be called up immediately - requirement fulfilled. |
6. goods receipt test report (WE)
| Range | Content |
|---|---|
| Standards | IATF 8.4, ISO 9001, MDR |
| Report type | Incoming goods inspection |
| Format | System document with batch link |
| Mandatory content | Supplier batch numberInternal GR batchRelease or blockInspector ID and date |
| Target content | Supplier certificateInspection plan referenceQuarantine verification |
| Common error | Missing supplier batch number. |
| Inspector reaction | Complete traceability back to the supplier possible. |
7. delivery bill with serial numbers (LS)
| Area | contents |
|---|---|
| Standards | IATF 16949, EU PLD, MDR, OEM audit |
| Report type | Delivery bill with serial numbers |
| Format | ERP delivery bill with serial number list |
| Mandatory content | Delivery bill numberSerial or batch numbersLink to production order and inspection releaseQuantity and article number |
| Target content | CoC documentPacking instructionReceipt confirmation |
| Common error | Serial numbers are missing on the delivery bill. |
| Inspector reaction | Targeted recalls in the field are possible at any time. |
8. 8D report (8D)
| Area | Report content |
|---|---|
| Standards | IATF 10.2, ISO 9001, OEM, VDA |
| Report type | 8D report for customer complaints |
| Report format | Standard form or system 8D report |
| Mandatory content | D0 to D8 fully documentedRoot cause analysisCorrective actionsD7 proof of effectiveness |
| Target content | Update of FMEA and Control PlanRecurrence dataCustomer approval |
| Common error | Missing or undated D7 evidence. |
| Reviewer response | Complete 8D with proof of effectiveness shows a functioning quality system. |
The auditor's perspective: What he thinks when he sees the report
The following table simulates the thoughts of an experienced audit setter in different report situations. It shows which signals a report sends - and which follow-up questions it triggers or prevents.
|
Situation |
Auditor sees ... |
Examiner thinks ... |
Examiner asks next |
|---|---|---|---|
|
Report available in < 1 minute |
System-generated, complete report |
The system is mastered. Next. |
Next feature. |
|
Report after 30 min search |
Pieced together document, multiple sources |
Data is not integrated. What is still missing? |
Show me all reports of this type. |
|
Test report without measuring equipment ID |
Good measured values, but no calibration reference |
Was the measuring equipment calibrated? I cannot prove this. |
Show me the calibration certificate for measuring equipment X. |
|
CAPA without D7 proof of effectiveness |
CAPA report with D1-D6, D7 empty |
Measure was not followed up. Why? |
How did you prove that the measure was effective? |
|
Cpk 1.67 with stable control chart |
SPC chart without signals + Cpk evaluation |
Process mastered. Requirement fulfilled. Next. |
Nothing. Check mark set. |
|
Batch verification without supplier batch |
GR posting with internal batch, no LF batch |
Traceability ends here. Can the material be identified? |
Which raw material does this component come from? |
|
8D complete D1-D8, D7 dated |
Systematically documented problem solution |
Quality system works. Learning takes place. |
Has the problem occurred since then? |
|
Delivery bill with SN array |
Each delivered unit can be identified |
Forward traceability works. Call-back capability available. |
Can you point backwards to the material batch? |
Auditors don't test documents - they test systems. A perfect document that takes 45 minutes to find loses more trust than an incomplete one that is on the table in 60 seconds.
-Korbinian Hermann Managing Director, CSP Intelligence GmbH
Quick export: How long does the retrieval take with and without the integrated system?
The following table shows realistic retrieval times for all 8 core reports - once without an integrated system (manual search in several sources) and once with CSP IPM. The time difference defines the operational leeway in the audit.
|
Report |
Without integrated system |
With CSP IPM |
Time gain |
Audit risk |
|---|---|---|---|---|
|
Audit log (PP) |
15-45 min (system search, export, preparation) |
< 60 sec (enter serial number → PDF) |
-95 % |
HIGH |
|
SPC control chart + Cpk |
30-90 min (Q-DAS export, prepare Excel) |
< 2 min (characteristic + period → graphic + key figure) |
-97 % |
HIGH |
|
Traceability report (RV) |
2-8 hours (3 systems, manual linking) |
< 2 min (enter SN → complete chain) |
-98 % |
HIGH |
|
CAPA register |
20-60 min (update Excel, post-documentation) |
< 1 min (system export current CAPA status) |
-97 % |
HIGH |
|
Calibration certificate (KAL) |
15-30 min (search for folder, scan PDF) |
< 30 sec (measuring equipment ID → certificate + status) |
-97 % |
HIGH |
|
Incoming goods inspection report (WE) |
20-45 min (ERP search, manual batch linking) |
< 1 min (batch number → GR document + LF batch) |
-97 % |
LOW |
|
Delivery bill with SN list (LS) |
10-30 min (ERP export, assign SN manually) |
< 1 min (delivery bill no. → SN array PDF) |
-97 % |
LOW |
|
8D report |
10-30 min (search for file, check completeness) |
< 1 min (complaint ID → complete 8D PDF) |
-97 % |
HIGH |
Common report errors and how to avoid them
The following errors occur regularly in audit practice - regardless of the size of the company. Each one is avoidable if the reporting infrastructure is set up correctly.
|
Report errors |
Audit consequence |
Systemic cause |
Solution |
|---|---|---|---|
|
Test report without gauge ID |
Finding IATF 7.1.5.1 (often Major NC) |
Gauge ID not a mandatory field in the test system |
Gauge ID as NOT-NULL mandatory field; scan at start of test |
|
CAPA without proof of effectiveness (D7) |
Finding IATF 10.2.3 / ISO 9001 10.2 |
CAPA system allows completion without D7 |
Mandatory system stop: no CAPA completion without D7 date |
|
Batch verification without supplier batch reference |
Finding IATF 8.4 |
Supplier batch field optional in the GR system |
Supplier batch ID as mandatory field for GR posting |
|
Cpk without control chart / proof of stability |
Invalid Cpk value |
Cpk is calculated separately, not from SPC system |
Have Cpk calculated automatically from SPC system |
|
Delivery bill without serial numbers |
Forward traceability impossible |
LS is generated from quantity, not from SN list |
Delivery bill generation from production order with SN array |
|
Report after > 5 minutes search |
Loss of trust even if content is correct |
Data in different systems without integration |
Integrated system: all reports can be retrieved from one source |
All 8 core reports at the touch of a button
|
PRACTICAL TIP CSP IPM - 8 audit reports in < 2 minutes CSP IPM is designed so that all 8 core reports are generated as a by-product of the production process - daily, automatically, fully linked. In the audit: enter serial number, select report type, export PDF. Done.
|
Frequently asked questions
What is the maximum duration of a report retrieval in the audit without attracting negative attention?
As a rule of thumb: < 5 minutes for each mandatory report, without searching. If a complete report is not available within 5 minutes, the auditor begins to question the underlying system - regardless of the result. For reports that come at the auditor's request ('Show me ...'), less than 2 minutes is optimal. Anything over 10 minutes systematically creates mistrust and increases the likelihood of follow-up questions in other areas.
Does the 8D report have to be submitted in the OEM's original format?
That depends on the customer. BMW Group, Volkswagen and Mercedes-Benz have their own 8D forms, which must be submitted via customer portals (Q-Portal, MBDC etc.). No OEM-specific formats are required in the internal IATF audit - a complete internal 8D in accordance with the AIAG or VDA standard is sufficient. The content (D1-D8 with proof of effectiveness) is decisive, not the format. Anyone who keeps an OEM 8D for external submission and an internal 8D for audit purposes should ensure that both have the same content and the same status.
Can I submit historical reports for products from before the system was introduced?
For audits, the auditor will ask about the current status of the system, not the completeness of historical data. For an IATF surveillance audit, reports from the last 12 months are typically relevant. If you introduced an integrated system 6 months ago, reports from the time before that will be searched for in the old archive (paper or legacy system). Recommendation: Clearly document the cut-off date for the 'old system' and communicate it transparently in the audit - auditors accept migration if it is traceable.
What should we do if an auditor requests a report that we cannot provide?
Firstly: honesty. 'We don't currently have it in this form' is better than a long search process or an improvised document. Secondly, explanation and action. 'We don't have this report because ... We'll be ... by [date]' shows the auditor that the system is understood and there is a willingness to improve. Thirdly, if the report is a mandatory document according to the standard, this is a finding - in most cases a minor NC if it is not a systemic pattern. The handling of the finding is then more important than the finding itself.
Is Excel-based test report management sufficient for the IATF audit?
Technically yes - IATF 16949 does not prescribe a specific format or system. But Excel-based systems have three systemic weaknesses in the audit: firstly, editability (auditors can argue that data has been subsequently changed), secondly, lack of links (links to gauge ID, serial number and calibration certificate are not created automatically) and thirdly, retrieval time (Excel search is slower than system query). Excel can temporarily suffice for small companies with few inspection characteristics - but for scalable audit readiness, an integrated system is the more robust solution.
Is there a difference between an audit report and a quality record?
Yes - a quality record is the internal document that is created during ongoing operations: the inspection log, the batch booking, the CAPA form. An audit report is the prepared presentation of these records for the auditor - sometimes identical, sometimes a summary of several records. In the IATF context: The auditor usually wants to see the original quality records, not subsequent summaries. A report that acts as a 'summary' can even give the impression that the original data is to be concealed.
How do I store audit reports securely?
Audit reports are quality records and are subject to the same retention rules: IATF practice recommends at least the product life + 1 year (in the automotive industry typically 15 years for safety related parts). EU PLD prescribes 10-25 years for liability-relevant parts. GoBD for accounting-relevant documents 10 years. Recommendation: audit-proof archiving - stored unalterably, with a time stamp, in a format that can still be read in 15 years (PDF/A). Paper archives are technically accepted, but difficult to retrieve and susceptible to loss.
