Tuesday, March 24, 2009

Update of the IATF Rules


What are the Implications for Organizations?

Surveillance audit frequency and planning: The 3rd edition formalizes the options for surveillance audit frequency, shown below:
6 monthly visits - 5 in 3 year cycle with a tolerance of -1 month/ +1 month
9 monthly visits - 3 in 3 year cycle with a tolerance of -2 months/ +1 month
12 monthly visits - 2 in 3 year cycle with a tolerance of -3 months/ +1 month

The frequency needs to be agreed between an organization and their certification body, and once agreed the frequency must then be fixed for the three year cycle (i.e. cannot change within the cycle).

In the 2nd edition of the Rules a lot of emphasis was placed on the auditor doing effective audit planning for the stage 2 audit. In the 3rd edition a lot more emphasis is placed on planning surveillance and recertification audits. Prior to the audit, the auditor should request from the organization information to help in the planning of the audit. This should include details of any changes since the last visit (new customers, change in employee numbers etc.), data related to performance against quality objectives, and customer satisfaction and complaint data. This will allow the auditor to prioritize areas to focus on during the audits, taking into account risk to the customer. For example, if an organization has three manufacturing processes, and data indicates that one process has more issues, the auditor should schedule time to investigate this, even if this process was not in the original audit plan. If the required information is not provided to the auditor by the organization, this could result in the certificate suspension process being instigated.

Auditor Rotation

Whereas Rules 2nd edition gave some flexibility on the requirement related to auditor rotation, the 3rd edition mandates that at the end of each three year audit cycle, a new auditor/auditors must be used for the next cycle. This has been reinforced to ensure continuing impartiality in the audit process, and ensure that auditors do not become "over familiar" with the organization being audited. Any deviation from this has to be agreed between the Certification Body and the relevant Oversight office.

Undertaking Audits

Rules 3rd edition does not identify any significant changes in the way an audit should be undertaken, and still mandates that auditors utilize the process approach to auditing. Further clarification is given regarding opportunities for improvement, which are defined as: "An opportunity for improvement is a situation where the evidence presented indicates a requirement has been effectively implemented, but based on auditor experience and knowledge, additional effectiveness or robustness might be possible with a modified approach." There needs to be clear evidence recorded by the auditor that the situation in question meets the requirements of ISO/TS 16949 (i.e. is not nonconforming). The auditor cannot recommend specific solutions as this may be seen as consulting.

For the recertification audit, the 3rd edition of the Rules stresses that the auditor should look at the performance of the management system over the period of certification, and include the review of previous surveillance audit reports. Whereas surveillance audits would have sampled the processes of the management system, the recertification audit looks at:

The effectiveness of the management system in its entirety in the light of internal and external changes and its continued relevance and applicability to the scope of certification

The demonstrated commitment from Top Management to maintain the effectiveness and improvement of the management system in order to enhance overall performance

Whether the operation of the certified management system contributes to the achievement of the client's policy and objectives

The effective interaction between all the processes defined in the quality management system and the overall effectiveness of the management system

Timing of the recertification audit is critical. It has to be timed in such a way that allows an organization to complete corrective action, to address any non-conformance found, prior to the expiration date of the certificate. The visit should be scheduled by the Certification Body three years from the date of the stage 2, or last recertification audit, +/- 3 months.

Transfer of Registration

The rules 3rd edition gives clear requirements in the event that an organization wants to transfer registration to another certification body. This includes:

The certification body shall ensure that clients applying for transfer have not transferred from another IATF recognized certification body within the previous three (3) year period

The new certification body shall be recognized by IATF, the existing certificate shall be valid, with all existing nonconformities considered to be 100% resolved

The client cannot be in any IATF OEM special status condition, or have their current ISO/TS 16949:2002 certification in suspension, cancelled or withdrawn status

The client shall provide the new certification body with the previous audit report and all findings issued by the existing certification body for the site and any remote support functions

The new certification body shall perform a review of the provided audit report and all findings

The new certification body shall perform a basic document review and a review of key indicators of quality management system performance

The new certification body should ensure the audit team members, if subcontracted, have not previously audited the client

The new certification body shall complete all transfer activities and a transfer audit including closure of any nonconformities and a certification decision prior to the next scheduled surveillance audit with the previous certification body or the expiration of the existing valid certificate

The new certification body shall conduct the transfer audit, which is equivalent in audit days to a recertification audit

Upon satisfying all the requirements for certification a certificate is issued by the new certification body and a new three (3) year audit certification cycle begins

Conclusion

In summary, most of the changes in the Rules affect the certification bodies, not directly an organization. However, organizations should be familiar with the Rules and it is strongly recommended that certified organizations read a copy.


Thursday, January 24, 2008

Is an “eAudit” in Your Company’s Future?

With the increasing use of the internet for the operation and control of management systems, first, second and third party auditors need to consider new ways to efficiently and effectively verify conformity to quality & environmental management system criteria.

The most obvious example would be multi-site organizations. Audits could include remote access to electronic documents and records to save travel time and dollars. Furthermore, the remote access can be carried out without taking the time of anyone at that remote facility.

Some organizations are already conducting remote audits using collaboration tools like Plexus Online and eAuditPack (TM). To evaluate how these e-Audits work, we can see how a remote audit would examine the four primary types of evidence: Documents, Observations, Records and Interviews:

Documents: With the proper authorization, auditors review the remote location's electronic documents while planning the audit and also see them during the execution of the audit. However, use of a collaboration tool and/or a teleconference does not allow the auditors to see if any uncontrolled or obsolete documents are in use.

Observations: Since the audit is remote and cameras are not available for full viewing of the facility, auditors are not able to see if the work is being done per the organization’s planned arrangements and, just as important, what’s going on around the area being audited. So, evaluating conformity is limited to what can be judged through interviews and electronic records. Auditors do not see poor housekeeping at the site or observe body language during interviews.

Records: If an organization creates electronic records and scans hardcopy records into electronic format, these records are available for remote access by the auditor. However, some companies may have a significant number of completed forms that are kept as hardcopy records. Even if the auditor requests that some of these hardcopy records be scanned for the audit, the auditor would not actually be selecting the sampled records.

Interviews: In many traditional audits, the employee being interviewed can be reluctant to have their answers recorded electronically. As a result, an auditor will write an abbreviated version of the comments in the audit notes.

In the case of the remote audit I conducted from Dayton of an organization in Brazil, we used a telephone to speak to each other and electronic transmission of records. The conversation was not recorded. I captured the responses in my notes, as with a traditional audit. However, I wasn’t able to observe the body language during the interview. Even if a video feed had been available, what could have been gained through observation would have been limited.

Auditor Competence
The auditors must have the necessary competence to carry out an e-Audit. They will need time allocated to familiarize themselves with the electronic management system and collaboration tool. The auditors must be given the access instructions and security clearances needed to view the relevant documents and records. And, the auditors must be reminded of the need to protect the confidentiality of the electronic data during and after the audit (Client property!).


Third Party Audits
What about the use of e-Audits by certification bodies? Will the duration of third-party surveillance audits be reduced by, or in some cases be replaced by, remote audits? Let's look at what the ANAB accrediting body has to say on the subject:


ANAB Advisory 1
The ANSI-ASQ National Accreditation Board (ANAB) has issued an Advisory that states it supports a certification body (CB) applying the Advanced Surveillance and Reassessment Procedures (ASRP) and Computer-Assisted Audit Techniques (CAAT) described in the International Accreditation Forum (IAF) guidance documents. The Advisory explains that the application of ASRP and/or CAAT will vary for each CB and for each client depending upon the capabilities of the CB and client; therefore, each application must be reviewed and approved by the Accreditation Committee of the Accreditation Council.


1. The CB must document its proposed ASRP or CAAT audit program for the client, consistent with the applicable IAF guidance.
2. The CB must document how the audit program varies because of ASRP or CAAT (i.e., how it varies from an audit program for the same client without ASRP or CAAT).
3. The proposal must be reviewed and accepted by the ANAB executive assessment team leader prior to its submission to an Accreditation Committee of the Accreditation Council.
4. The CB and its client must make a presentation to the Accreditation Committee at a face-to-face meeting or by electronic means explaining the program and answering any questions.
5. Immediately following the presentation, the CB and its client will be dismissed, and the Accreditation Committee will make its decision, which may or may not include conditions, to accept or reject the ASRP and/or CAAT program for the CB's client.

The decision and any conditions will be promptly communicated to the CB. The ASRP and/or CAAT process must not be used for any industry sector program unless the industry group has specifically stated it may be used for its program.

So, ANAB supports e-Auditing, but certification bodies have a detailed process to follow to gain approval for its use.

We can see what the International Accreditation Forum (IAF) says on the subject.


IAF GD2:2005
According to the IAF guidance document GD2:2005, if remote auditing techniques such as interactive web-based collaboration, web meetings, teleconferences and/or electronic verification of the organization's processes are used to interface with the organization, these activities should be identified in the assessment plan and may be considered as partially contributing to the total on-site auditor time.

If the certification body (CB) prepares an audit plan for which the remote auditing activities represent more than 30% of the planned on-site auditor time, the CB must justify the audit plan and obtain specific approval from their accreditation body prior to its implementation.

On-site auditor time refers to the on-site auditor time allocated for individual sites. Electronic audits of remote sites are considered to be remote audits, even if the electronic audit is physically carried out on the organization's premises. Regardless of the remote auditing techniques used, the organization must be physically visited at least annually.

Is an eAudit in your company’s future? Absolutely! However, there is still a lot of planning and thought that must go into the implementation of eAudits to ensure their effectiveness.


Thursday, October 04, 2007

Outsourced ISO Internal Auditing, Audits

Does your organization struggle keeping required ISO internal audits on schedule and productive?

Typical internal challenges include:

  • Your internal auditors lack time and/or experience to make audits value added.
  • Auditor training over and over again and auditor turnover.
  • Auditors are not independent enough from the process to audit objectively.
  • Auditors are not up to speed on the requirements of multiple Standards.
  • Auditors do not know how to do a process audit.
  • Auditors do not understand “core tools” as required by the automotive and aerospace industries.
  • Your audit plans do not focus on customer requirements and satisfaction.
  • Your audit results are not viewed as a tool for improvement.
  • Your audit review and corrective action plan is ineffective.
  • Your registrar has issued Corrective Action Request(s) and/or you are struggling with re-certification.

IQC can put your internal audit program back on track.

IQC’s CEO is on the US TAG to ISO/TC 176, the U.S. committee that drafts ISO 9001:2000 as well as the ISO Interpretations Committee. IQC provides trained and certified auditors who are knowledgeable, objective, and experienced in process audits. Our style of auditing looks at the effectiveness of the process and seeks out opportunities for improvement. IQC provides outsourced auditing to companies of all sizes and in many industries.

IQC offers the industry-leading program for internal auditing outsourcing.

You may request a complete internal audit program; a single audit; coach-led audits with your team; pre-assessments; or outsourced ISO system management. Our auditors can audit and offer consultation at the same time. Take advantage of input on proven approaches, best practices, and benchmarking that your Registrar cannot provide. IQC provides every client with a robust on-line audit management and corrective action portal for detailed communication, audit scheduling, documentation and “on demand” information concerning audit results and actions.

Benefits from Outsourcing Internal Audits:

  • Professional auditors will provide complete documentation of internal audits for your Registrar or supplier audit.
  • Our auditors will ensure that your system stays in conformance with changing requirements.
  • Save on training costs.
  • Achieve a robust quality and/or environmental management system.
  • Reduce your internal audit costs by as much as 50%... and enjoy superior results!

Please fill out and submit our RFQ page for a free cost/benefit analysis of outsourcing ISO internal audits specific to your organization.

Standards available for outsourced internal auditing include:
ISO 9001:2000
ISO/TS 16949:2002
ISO 14001
ISO 17025
ISO 13485
AS9100
OHSAS 18001
