Update of the IATF Rules

Update of the IATF Rules.

What are the Implications for Organizations?

Surveillance audit frequency and planning: The 3rd edition formalizes the options for surveillance audit frequency, shown below:
6 monthly visits - 5 in 3 year cycle with a tolerance of -1 month/ +1 month
9 monthly visits - 3 in 3 year cycle with a tolerance of -2 months/ +1 month
12 monthly visits - 2 in 3 year cycle with a tolerance of -3 months/ +1 month

The frequency needs to be agreed between an organization and their certification body, and once agreed the frequency must then be fixed for the three year cycle (i.e. cannot change within the cycle) In the 2nd edition of the rules a lot of emphasis was placed on the auditor doing effective audit planning for the stage 2 audit. In rules 3rd edition a lot more emphasis is placed on planning surveillance and recertification audits. Prior to the audit, the auditor should request from the organization information to help in the planning of the audit. This should include details of any changes since the last visit (new customers, change in employee numbers etc), data related to performance against quality objectives, and customer satisfaction and complaint data. This will allow the auditor to prioritize areas to focus on during the audits, taking into account risk to the customer. For example, if an organization has three manufacturing processes, and data indicates that one process has more issues, the auditor should schedule time to investigate this, even if this process was not in the original audit plan. If the required information is not provided to the auditor by the organization, this could result in the certificate suspension process being instigated.

Auditor Rotation

Whereas Rules 2nd edition gave some flexibility on the requirement related to auditor rotation, the 3rd edition mandates that at the end of each three year audit cycle, a new auditor/auditors must be used for the next cycle. This has been reinforced to ensure continuing impartiality in the audit process, and ensure that auditors do not become "over familiar" with the organization being audited. Any deviation to this has to be agreed between the Certification Body and the relevant Oversight office.

Undertaking Audits

Rules 3rd edition does not identify any significant changes in the way an audit should be undertaken, and still mandates that auditors utilize the process approach to auditing. Further clarification is given regarding opportunities for improvement and is defined as:"An opportunity for improvement is a situation where the evidence presented indicates a requirement has been effectively implemented, but based on auditor experience and knowledge, additional effectiveness or robustness might be possible with a modified approach" There needs to be clear evidence recorded by the auditor that the situation in question meets the requirements of ISO/TS164949 (i.e. is not nonconforming). The auditor cannot recommend specific solutions as this may be seen as consulting. For the recertification audit, the 3rd edition of the Rules stress the auditor should look at the performance of the management system over the period of certification, and include the review of previous surveillance audit reports. Whereas surveillance audits would have sampled the processes of the management system, the recertification audit looks at:

The effectiveness of the management system in its entirety in the light of internal and external changes and its continued relevance and applicability to the scope of certification

The demonstrated commitment from Top Management to maintain the effectiveness and improvement of the management system in order to enhance overall performance
Whether the operation of the certified management system contributes to the achievement of the client's policy and objectives

The effective interaction between all the processes defined in the quality management system and the overall effectiveness of the management system

Timing of the recertification audit is critical. It has to be timed in such a way that allows an organization to complete corrective action, to address any non-conformance found, prior to the expiration date of the certificate. The visit should be scheduled by the Certification Body three years from the date of the stage 2, or last recertification audit, +/- 3 months.

Transfer of Registration

The rules 3rd edition gives clear requirements in the event that an organization wants to transfer registration to another certification body. This includes:

The certification body shall ensure that clients applying for transfer have not transferred from another IATF recognized certification body within the previous three (3) year period

The new certification body shall be recognized by IATF, the existing certificate shall be valid, with all existing nonconformities considered to be 100% resolved

The client cannot be in any IATF OEM special status condition, or have their current ISO/TS 16949:2002 certification in suspension, cancelled or withdrawn status

The client shall provide the new certification body with the previous audit report and all findings issued by the existing certification body for the site and any remote support functions

The new certification body shall perform a review of the provided audit report and all findings

The new certification body shall perform a basic document review and a review of key indicators of quality management system performance

The new certification body should ensure the audit team members, if subcontracted, have not previously audited the client

The new certification body shall complete all transfer activities and a transfer audit including closure of any nonconformities and a certification decision prior to the next scheduled surveillance audit with the previous certification body or the expiration of the existing valid certificate

The new certification body shall conduct the transfer audit, which is equivalent in audit days to a recertification audit
Upon satisfying all the requirements for certification a certificate is issued by the new certification body and a new Three (3) year audit certification cycle begins

Conclusion

In summary most of the changes in the Rules affect the certification bodies, not directly an organization. However organizations should be familiar with the Rules and it is strongly recommended that certified organizations read a copy.