The November 2025 Sanctioned Interpretations to the IATF Rules, 6th Edition provided additional guidance on the application of existing requirements.
In audits, the real impact shows up in how auditors interpret and apply the clarified expectations, where documentation and evidence gaps tend to surface, and how risk-based thinking increasingly drives audit focus and depth.
To move beyond the text of the updates themselves, we spoke with Jorge Correa, Automotive Sector Manager at DQS Inc. In this role, Jorge works closely with automotive organizations and audit teams, giving him practical insight into how current IATF expectations are being applied and where organizations are most often challenged.
Rather than restating the changes, Jorge shared insight into what auditors are focusing on, where organizations tend to underestimate expectations, and where implementation gaps most often emerge. The following highlights reflect his observations from recent audits and client interactions.
For a detailed overview of the IATF Certification Rules, 6th Edition, and the key structural changes already in effect, readers can refer to our previously published blog, Key Changes to IATF Certification Rules, 6th Edition, as well as the official guidance available through the International Automotive Task Force (IATF)
One of the clearest areas of emphasis in the latest IATF sanctioned interpretations is contingency planning. While the requirement itself is not new, the expectations around scope, testing, and evidence have become more explicit and are now being assessed more rigorously during audits.
In particular, recent IATF sanctioned interpretation revisions and audit practice increasingly emphasize scenarios that were previously implied but not clearly stated, most notably pandemics and cyber-related disruptions.
What is drawing increased attention in audits is not simply whether these risks are listed in a contingency plan, but whether organizations can demonstrate that their plans are tested and actionable.
Auditors are increasingly looking for evidence that testing leads to learning and improvement beyond completion of an exercise.
"They need some type of report or equivalent objective evidence showing what type of testing they did and based on the results of that testing, what actions did they take."
According to Jorge Correa, a common challenge is that organizations often perform meaningful activities but fail to fully document or connect them back to risk-based decision-making.
"Sometimes they don’t take credit for or don’t document things that they’ve done."
For organizations preparing for upcoming audits, this means contingency is assessed as a living process, reflecting current risks, incorporating realistic testing, and demonstrating follow-through.
Another area where organizations are seeing increased audit attention is cybersecurity. While cybersecurity has been part of IATF discussions for some time, the latest interpretations reinforce that it is no longer viewed as an isolated IT concern.
Instead, cybersecurity is increasingly assessed as an operational and business continuity risk, particularly where manufacturing equipment, production systems, or connected technologies are involved.
As Jorge Correa explains, “The cyber-attack is an area that always keeps evolving… that one probably needs a more frequent review just to make sure that everyone’s up to speed.”
From an audit perspective, organizations are expected to demonstrate ongoing awareness and review of cyber-related risks. Auditors are looking for evidence that cybersecurity considerations are integrated into broader risk analysis and contingency planning, especially where disruptions could affect product conformity or delivery.
For organizations, this reinforces that cybersecurity is no longer evaluated solely through policies or IT controls. It is increasingly viewed through the lens of risk-based thinking, operational impact, and preparedness, with expectations that reviews are current, relevant, and connected to real-world scenarios.
Across audits, one of the most common challenges organizations face is a gap between what is being done and what can be demonstrated through objective evidence.
As expectations around risk-based thinking and effectiveness continue to tighten, auditors are placing greater emphasis on documentation that clearly shows what actions were taken, why they were taken, and how effectiveness was evaluated.
According to Jorge Correa, this is an area where many organizations unintentionally create audit risk. In practice, organizations may be addressing issues, running tests, or adjusting controls, but without consistent documentation or equivalent objective evidence, those efforts are difficult to validate during an audit.
“A client will claim, OK, yeah, we’re doing this, but they don’t really have the information to back it up.”
This disconnect often becomes more visible in higher-risk areas, where auditors expect clearer linkage between risk identification, corrective action, and follow-up. When that linkage is missing, non-conformities are more likely, even when the underlying intent or effort is sound.
For organizations preparing for audits, the message is straightforward: good intent is not enough. What matters is the ability to demonstrate decision-making, action, and effectiveness in a way that aligns with risk-based expectations and audit evidence requirements.
A common thread running through the latest IATF interpretations is an increased emphasis on risk-based thinking as a practical driver of audit focus and depth.
Auditors are expected to prioritize time and scrutiny based on where risks are highest and where performance issues have historically occurred.
As Jorge Correa observes, this shift is already creating a clear distinction between organizations that meet minimum requirements and those that manage risk proactively.
“You see two types of organizations: some will do the minimum to comply, and others will go above and beyond.”
From an audit perspective, this means greater attention is given to processes with higher risk, weaker performance, or greater potential impact on product conformity and delivery.
“IATF is always looking to see that organizations are very cognizant of what their risks are.”
Rather than treating all processes equally, organizations are increasingly expected to demonstrate how they establish priorities, allocate resources, and adjust controls based on risk and performance trends.
“Focus on your highest risk. Focus on your areas of poor performance.”
Risk-based thinking is no longer a theoretical principle. It is a practical lens through which audits are planned, conducted, and evaluated, and increasingly differentiates strong systems from weak ones.
The latest IATF sanctioned interpretations do not fundamentally change what organizations are required to do, but they do change how clearly and consistently expectations are applied in audits.
Across contingency planning, cybersecurity, documentation, and risk-based thinking, the message is consistent: organizations are expected to understand their risks, prioritize effectively, and demonstrate follow-through with objective evidence.
For IATF-certified organizations and those considering certification, the start of success is defined by having business processes and procedures in place and realize when those procedures are used effectively to manage real-world risk and drive continual improvement.
In addition to developing engaging learning solutions, Megan trains instructors and coaches presenters to improve their performance and ensure they deliver impactful and effective presentations. Her course development emphasizes achieving targeted learning outcomes, applying clean, user-centric design, and providing an enjoyable, effective experience for learners.
