
ISO 19011:2018 Guidelines

Overview of Changes and Connection to the Automotive Industry Perspective
TRANSITIONING from ISO/TS 16949:2009 to IATF 16949:2016
Introduction
As part of the systematic review process of ISO¹, a decision was
made in 2016 to revise ISO 19011:2011.

Organizations in different sectors are implementing more than one ISO
management system standard (MSS) as part of their strategic direction.
Management system standards have demonstrated that they can contribute to
achieving greater results through increasing customers’ and other interested
parties’ satisfaction, as well as assuring legal compliance.

In the automotive industry, implementing quality management systems (QMS)
has been common practice since 1994. Recently, automotive organizations
are implementing environmental (EMS) and occupational health and safety
management systems (OHSMS), among others. The current automotive quality
management systems standard, IATF 16949, recommends the use of ISO 19011
to support the internal and second party audit specific requirements.

As defined in ISO 9000:2015², a management system is a set of interrelated or
interacting elements of an organization to establish policies and objectives, and
processes to achieve those objectives.

The new ISO 19011 is intended to provide guidance for auditing management
systems. It will continue supporting the auditing processes (internal and
external) of organizations implementing one or more management system
standards as well as organizations involved in conformity assessment of
management systems.

1 International Organization for Standardization
2 Quality management systems — Fundamentals and vocabulary
Copyright © 2018 Plexus International
www.plexusintl.com
Almost 30 years of Evolution
ISO 19011 has been a valuable companion of ISO 9001 since its first edition
(1990).

The first set of standards on auditing was published as:

• ISO 10011-1, Auditing
• ISO 10011-2, Qualification criteria for quality systems auditors
• ISO 10011-3, Management of audit programs

At that time, ISO 9001 was the only MSS published by ISO and ISO 10011 was
fully aligned to it.

The second revision was a joint effort between experts from the ISO/TC 176
(quality) and ISO/TC 207 (environmental) technical committees. This revision
combined the three parts of ISO 10011, along with the environmental auditing
standards (ISO 14010, ISO 14011 and ISO 14012), into one standard and its
guidance was applicable for auditing both QMS & EMS. The resulting new
standard, ISO 19011, was published in 2002.

One positive result of ISO 19011:2002 was the alignment of the audit process
for QMS & EMS. This enabled combined internal audits to be conducted, with
both ISO 9001 and ISO 14001 compliance being assessed by a single audit team.
Similarly, combined certification audits have become established practice.
By the time that ISO 19011 was revised in 2011, further MSS had been published
by ISO, bringing the number up to 11 MSS in total. Consequently, the scope of the
standard was expanded to take auditing of all ISO MSS into account, and was no longer
limited to just ISO 9001 and ISO 14001. The revision process involved experts from the
different technical committees of ISO who were responsible for standards such as
ISO 9001, ISO 14001, ISO 22000, ISO/IEC 27001 and ISO 50001, among others.

By the time that ISO 19011 was reviewed in 2016, the number of MSS published by ISO
had risen to 39, along with various sectoral MSS being produced outside of ISO. In light
of these developments, ISO decided to establish a new Project Committee on Auditing,
ISO/PC 302. A key issue that was considered during the revision was the High-Level
Structure (HLS) of MSS³, which has been adopted by the current versions of ISO 9001,
ISO 14001, ISO 45001, ISO/IEC 27001, among others.

The revision work in the PC involved the participation of experts from a broad
spectrum of ISO technical committees responsible for MSS development, along with
experts from the ISO Committee on Conformity Assessment (ISO/CASCO).

The official version of ISO 19011:2018 was published in July 2018.

A Brief Overview of the New ISO 19011 Standard
The basic structure of the new ISO 19011 remains generally the same as the 2011
version.

• Principles of auditing
• Managing an audit program
• Conducting an audit
• Competence and evaluation of auditors
• Annex with additional guidance

The guidance is aimed primarily at internal audits (first party) and audits conducted by
organizations on their external providers and other external interested parties (second
party). Requirements for those involved in certification, or third-party, audits are
provided in ISO/IEC 17021-1:2015, but ISO 19011 still offers useful guidance for persons
involved in the third-party certification audit process.

3 See ISO Directives, Part 1, Annex SL


Linkage between ISO 19011 and Other
Standards: Automotive Industry Perspective

All Auditors (Internal & External)

Guidance for management systems audit planning, implementing, monitoring and improving:
• ISO 19011 clauses 5, 6

Guidance for auditor competence:
• ISO 19011 clauses 4, 7
• IATF Auditor Guide

1st Party (Internal) & 2nd Party (External) Auditors

Requirements for audit planning, implementing, monitoring and improving:
• IATF 16949, clauses 8.4.2.4.1, 9.2.1, 9.2.2, 9.2.2.1, 9.2.2.2, 9.2.2.3, 9.2.2.4
• AIAG CQI on Special Processes and Layered Process Audits

Auditor competence requirements:
• IATF 16949, clauses 7.2, 7.2.3, 7.2.4

3rd Party Auditors (External)

Requirements for audit planning, implementing, monitoring and improving certification audits:
• ISO/IEC 17021-1 clause 9
• IATF Rules 5, clauses 5, 6, 7, 8, 9

Auditor competence requirements:
• ISO/IEC 17021-1 clauses 4, 7
• ISO/IEC 17021-3
• IATF Rules 5, clause 4
• IATF Auditor Guide

• ISO 19011 provides guidance for managing internal and external audits and can be
useful for any auditor of management systems.
• IATF 16949 (including ISO 9001 requirements) includes specific requirements
for managing first and second party audits, including auditor competence
requirements. ISO 19011 and the IATF Auditor Guide are referenced as guidance
documents in IATF 16949.
• ISO/IEC 17021, parts 1 and 3, and Rules for obtaining and maintaining IATF
recognition, 5th Edition, include specific requirements for managing third party
audits, including auditor competence requirements. These requirements can be
useful for first and second party auditors.
• The IATF Auditor Guide complements the competence requirements
of IATF Rules and can be useful for first and second party auditors of
management systems.
• AIAG has published specific documents where auditing competence is
essential. The CQI guides for special processes assessment and layered
process audits are linked with the IATF 16949 requirements related to
manufacturing process audits and auditor competence. Some IATF OEMs
mandate the use of these guides in their customer specific requirements
(CSR).
• As exhibited above, there is a close interrelationship between IATF
16949 auditing requirements and other auditing standards. The
guidance provided in ISO 19011 is intended to be generic and useful
for any management system audit. The automotive requirements for
auditing management systems benefit from the guidance of ISO 19011,
becoming a consistent and complementary set of standards. Therefore,
understanding the changes of the new ISO 19011 is critical in maintaining
the competence of any auditor in the automotive industry.

ISO 19011:2018 KEY CHANGES

Updated terms and definitions


Several terms were modified, and some notes to entries were modified, deleted
or added. Users will need to be aware of these changes, as some of them
create misalignments with the definitions included in ISO 9000.

Example of added term and definition:

Combined Audit
audit (3.1) carried out together at a single auditee (3.13) on two or more
management systems (3.19)

Note 1 to entry: When two or more discipline-specific management systems
are integrated into a single management system this is known as an integrated
management system.

[SOURCE: ISO 9000:2015, 3.13.2, modified]

A new principle of auditing: risk-based approach
The audit process should focus on what can have a positive or negative impact
on the audit client.

The risk-based approach is a key factor to consider during the establishment of
the audit program and the individual audit planning activities.

During the activities for reviewing and improving the audit program, one key
input is the effectiveness of the actions taken to address risks and opportunities
as well as the internal and external issues associated with the audit program.

Additional commentary for IATF 16949:2016
Risk mitigation takes center stage in IATF 16949, as it does in ISO 9001:2015. IATF 16949 brings a number of
specific risk-related requirements to minimize the likelihood of failure during new program development and
maximize the potential realization of planned activities. These additions are the result of industry best practices
intended to make businesses safer and more stable by identifying and mitigating risk.

To ensure risk-based thinking is pervasive throughout the organization, it’s imperative that top management
remains actively engaged. Responsibilities include:
• Conducting contingency planning reviews
• Identifying and supporting process owners
• Participating in the escalation process related to product safety
• Ensuring achievement of customer performance targets and quality objectives
• Implementing corporate responsibility initiatives including an anti-bribery policy, an employee
code of conduct, and an ethics escalation policy (“whistle-blowing policy”)

IATF 16949 requires that “organizations shall ensure conformance of all products and processes, including
service parts and those that are outsourced.” This use of the word “ensure” implies that the organization needs
to establish and maintain a system that mitigates the risk of nonconformance throughout the supply chain. The
organization is ultimately responsible for all conformity and must cascade all applicable requirements down the
supply chain to the point of manufacture.

Survival in the automotive industry requires continuous evolution to address internal and external issues.
Organizations need to adopt a process to assess the risk of changes and take appropriate action. To manage
change, IATF 16949 requirements include adjusting the frequency of internal audits based on occurrence of
process changes.

8.4.2.4.1 Second-party audits


This section aligns customer-specific requirements to the IATF 16949 standard. Second-party audits should
consider issues relevant to the organization beyond the maturity of their QMS development. Examples of
situations that could trigger a second-party audit include: input from supplier performance indicators; risk
assessment results and follow-up of open issues from process and product audits; and new development
launch readiness. The organization’s criteria for determining the need, type, frequency, and scope of second-
party audits must be based on risk analysis. This analysis must include, at a minimum, product safety/regulatory
requirements, performance of the supplier, and QMS certification level. This risk assessment criterion implies
that the organization should be constantly monitoring information and data related to the processes that
interact with, or are related to, suppliers and the supply chain. This assessment could drive the need for second-
party audits. When auditing the supplier’s quality management system, the approach must be consistent with
the automotive process approach, which suggests that the competencies should be, at a minimum, the same as
those required for internal auditors.
Using the HLS (Annex SL) to improve the guidance
PDCA is the foundation of the HLS; therefore, PDCA becomes the foundation
of all the audit processes. The new Figure 1, exhibiting process flows for the
management of an audit program, is more concise and includes the main steps for
conducting an audit.

The wording in the standard has been aligned with the terms introduced by the
HLS, such as risks and opportunities, or documented information, among others.

Changes have been introduced to highlight a more logical sequence of some subclauses
The subclauses in clauses 5 and 6 have been adjusted for a more logical
sequence and to align with Figure 1. Also, some subclause titles are
now more consistent with common practices.

Managing an audit program and conducting an audit
The guidance for managing an audit program has
been expanded, specifically with regard to audit program
risk. Similarly, guidance for conducting an audit has
been expanded, particularly as it relates to audit planning.

Additional commentary for IATF 16949:2016
9.2.2.1 Internal audit programme
This section strengthens the need to drive a risk-based approach to the development and deployment
of an organization-wide internal audit program. Internal audit activities are considered a process,
which implies a clear definition of expected inputs, planned activities, intended outputs, and
monitored performance. The process would need to first identify and evaluate the level of risk related
to each QMS process, internal and external performance trends, and process criticality. Then, the
process would need to continuously monitor this information to trigger special internal audits and/or
to plan periodic internal audits. The process would adjust audit frequency, where appropriate, based
on process changes, internal and external nonconformities, and/or customer complaints. Finally,
the effectiveness of the process would be reviewed as part of management review. The capacity to
anticipate and/or address QMS process failures could be used as a metric to measure the effectiveness
of an internal audit program.

Internal audits must also consider software development capability assessments, when applicable.
This implies that auditor competencies should include knowledge of the models used by the
organization and the impact on the organization’s product and manufacturing process development
activities. (Software process assessment manuals referred to in IATF 16949 Annex B should be
considered in the internal auditor qualification process for organizations responsible for software
development and validation.)

9.2.2.2 Quality management system audit


The section strengthens the quality management system audit and the use of process approach, which
further drives process improvements organization-wide. The three-year calendar period requirement
should be considered a minimum, given that the audit program is continuously monitoring
information that could trigger the need for an unplanned internal audit (see IATF 16949 9.2.2.1). The
use of the automotive process approach, including risk-based thinking, needs to be applied during
the audit. The internal audit must also sample customer-specific QMS requirements for effective
implementation; this sampling could also aim to address all customers during the three-year period,
but should focus on CSRs related to the organization’s current customer satisfaction issues.

9.2.2.3 Manufacturing process audit


IATF 16949 also strengthens the formal approaches to ensure organizations achieve the benefits of
effective manufacturing process audits. As with requirements for quality management system audits,
the three-year calendar period would be influenced by the continuous monitoring of information. The
internal audit manuals referred to in IATF 16949 Annex B should be considered during the internal
auditor qualification process if the customer does not determine any specific audit approach. Shift
handover should be considered a significant process event (see IATF 16949, Section 9.1.1.1); internal
auditors should look for objective evidence of an effective process to communicate and address
relevant information. The audit must also evaluate the effective implementation of the process risk
analysis, control plan, and associated documents.

9.2.2.4 Product audit


The strengthened product audit requirements in IATF 16949 require the use of customer-specified
approaches, when applicable. If not applicable, the organization shall define their process; the internal
audit manuals referred to in IATF 16949 Annex B should be considered.

Auditor competency requirements and auditor evaluation
Improvements have been made to the guidance related to the
competence and evaluation of auditors (clause 7). The guidance
related to the generic competence requirements for auditors
has been expanded.

The guidance for evaluating auditor competence is not only
valuable for auditors, it can also be used by organizations for
evaluating the competence of all persons performing activities
on behalf of their management system.

Additional commentary for IATF 16949:2016
7.2.1 Competence – supplemental
This section adds a requirement of “awareness,” which includes knowledge of an organization’s
(client’s) quality policy, quality objectives, personnel contribution to the QMS, benefits of improved
performance, and implications of not conforming with QMS requirements. It also further emphasizes
the customer requirements for on-the-job training, not just quality requirements. Note that the use of
the term “process” rather than “procedure” implies that these activities need to be managed (via the
plan-do-check-act cycle), and not merely performed.

7.2.2 Competence - on-the-job training


IATF 16949 enhances the emphasis of on-the-job training and its importance in meeting customer
requirements, including other interested parties. The process would consider any relevant interested
party requirements as an input in determining the need for on-the-job training, and then consider the
level of education and complexity of the tasks in determining the method used. This training must also
include contract or agency personnel, and convey the consequences of nonconformity to customer
requirements to all persons whose work affects quality.

7.2.3 Internal auditor competency


This section features enhanced requirements to the organization’s internal auditor competency to
ensure a more robust internal audit process. Organizations need to establish a documented process
that considers the competencies required by this section, takes actions to address any deficiencies,
assesses the effectiveness of actions taken, and records a list of the approved auditors. The section
differentiates between quality management system auditors, manufacturing process auditors, and
product auditors, and clarifies the competence requirements for each type of audit. This section also
outlines possible criteria to demonstrate continuing competence, including minimum numbers of
audits (defined by the organization) and maintaining knowledge of relevant requirements based on
internal and external changes.

7.2.4 Second-party auditor competency


This section outlines requirements for second-party auditors ensuring they are properly qualified to
conduct those types of audits, with customer-specific requirements being a main focus. The same
core competencies that apply to internal auditors should, at a minimum, also apply to second-party
auditors.

8.2.1.1 Customer communication — supplemental


This section includes a requirement that the communication language (written or verbal) must be
agreed with the customer. This should be considered when determining the necessary competence for
roles that require customer communication.

Significant changes to the Annexes
The previous Annex A has been deleted, and the previous Annex B revised and
re-labelled as Annex A in the new version. The previous Annex A was deleted
as it was considered impractical to provide specific guidance on competence
for auditing every management system discipline.

The new Annex A (previous Annex B) has been expanded to include guidance
on additional auditing concepts that are relevant to the audit process, such as
organization context, leadership and commitment, virtual audits, compliance,
and supply chain. Some of the previous concepts included in the previous
Annex B were also improved.

A.1 Applying audit methods
A.2 Process approach
A.3 Professional judgement – NEW
A.4 Performance results – NEW
A.5 Verifying information – NEW
A.6 Sampling – some additional guidance
A.7 Auditing compliance within a MSS – NEW
A.8 Auditing context – NEW
A.9 Auditing leadership and commitment – NEW
A.10 Auditing risks and opportunities – NEW
A.11 Life cycle – NEW
A.12 Audit of supply chain – NEW
A.13 Preparing work documents
A.14 Selecting sources of information
A.15 Visiting auditee’s location
A.16 Auditing virtual activities and locations – NEW
A.17 Conducting interviews
A.18 Audit findings

TRAINING OPPORTUNITIES
Plexus designs, develops, and delivers training and certification
for automotive and aviation, space, and defense third party auditors,
OEMs and suppliers worldwide.

Plexus will be offering a full curriculum of updated first- and
second-party auditor training courses based on ISO 19011:2018
for both new and existing auditors. Plexus training courses are carefully
designed to align with the requirements and key expectations
of OEMs and industries as a whole.

Visit the Plexus website or contact us directly for more information on
available training solutions to meet your needs.

www.plexusintl.com
training@plexusintl.com
1 (888) 753-9871
