Certification Process, SAAS Procedure 200

SAAS Certification Process Requirements SAAS Procedure 200 © Social Accountability Accreditation Services, June 2010

Accreditation Process and Policies

SAAS Normative Requirements

• SAAS maintains a set of Procedures and Policies, revised between 2007 and 2008, that it follows in conducting accreditation work:
  ◦ SAAS Procedure 200 sets out the certification process requirements for Certification Bodies (CBs) undertaking the assessments of organizations against the SA8000 standard.
  ◦ SAAS Procedure 201 sets out the internal policies SAAS must follow in granting and maintaining accreditation of a CB by SAAS.
  ◦ SAAS Procedure 203 contains the qualifications and training requirements for accreditation auditors and SAAS staff.
  ◦ SAAS has also developed a set of Work Instructions that accreditation auditors must follow in undertaking document reviews, on-site office and witness audits, and review of corrective actions.

SAAS Normative Requirements

• In addition, SAAS requires implementation of several ISO documents:
  ◦ SAAS maintains procedures and policies in compliance with ISO/IEC 17011:2004, the international standard for accreditation bodies accrediting certification bodies.
  ◦ SAAS requires implementation of ISO/IEC 17021:2006 by all accredited CBs. 17021 is the international standard setting out requirements for bodies providing audit and certification of management systems.

Certification Process and Policies

SAAS Procedure 200

• SAAS Procedure 200 is the document prescribing the procedures, criteria and methodology that a certification body (CB) must undertake in carrying out assessment of an organization for compliance with SA8000 certification.
• These requirements deal with CB audit processes, auditor qualifications, procedures and SA8000 certificates.
• Noncompliance with these rules results in the issuance of corrective action requests (CARs) and, if not corrected, suspension and ultimately cancellation of accreditation.

SAAS Procedure 200

• Written for Certification Bodies.
• Sets out SA8000 certification process requirements.
• Established to provide consistency in SA8000 process.
• Supporting documents include:
  ◦ SA8000:2008
  ◦ Procedure 201: SAAS Accreditation Policies
  ◦ Procedure 304: How to Make a Complaint / Appeal
  ◦ Procedure 406: Schedule of Fees
  ◦ Procedure 426: Use of the Mark

SAAS Procedure 200

• Main elements of Procedure 200:
  ◦ Structural requirements of the CB
  ◦ Adherence to ISO/IEC 17021:2006
  ◦ Conflict of interest and consulting restrictions
  ◦ Records maintenance
  ◦ Audit process requirements:
    • Stage 1 and stage 2 audits
    • Scope of certification
    • Multi-site auditing
    • Audit planning
    • Issuance of nonconformities
    • Surveillance frequency
  ◦ Audit team requirements, training, skills and evaluation
  ◦ Audit reports
  ◦ Management of complaints
  ◦ SA8000 certificate requirements
  ◦ On-site audit day requirements

SAAS Procedure 200

• SA8000 certification authorized for implementation around the world in any industry except:
  ◦ Myanmar (Burma) until the ILO lifts its sanctions.
  ◦ Maritime until such a time when SAAS, in consultation with SAI, determines otherwise, in accordance with applicable ILO conventions.

CB Requirements

• The CB shall:
  ◦ Be legally identifiable.
  ◦ Be responsible for certification decisions.
  ◦ Have SA8000-specific procedures and perform internal audits.
  ◦ Have a common management system among offices.
  ◦ Conform to ISO/IEC 17021:2006.
  ◦ Have a complaints management system.
  ◦ Avoid conflicts of interest – related bodies cannot provide consulting to certification clients within 2 years.
  ◦ Have documented procedures to ensure continuing effectiveness of its auditors – including witnessed audits and continuing education.
  ◦ Maintain records including: audit reports, living wage calculation, audit day quotes, nonconformities, etc.

Audit Planning

• The audit plan shall include:
  ◦ Evaluation of all of the organization’s social management system requirements.
  ◦ Assessment of the effectiveness of the system.
  ◦ Evidence of internal audits.
  ◦ Information gathered from local and regional experts and stakeholders.
• Pre-planning shall include:
  ◦ Process for determining sufficient wage level.
  ◦ A documented and implemented stakeholder engagement process.
  ◦ Appropriate language skills.
  ◦ Understanding the history and conditions of the client organization.

Audit Days

• Appendix 1 provides the required audit day table the CB shall follow.
• The overall time for the audit (stages 1 and 2) is expressed in auditor days and includes the planning, off-site interviews, document review, on-site audit, and report writing.
• The audit days do not include time deemed necessary for engagement with external stakeholders.
• The CB shall calculate the time on the audit based upon:
  ◦ Sector complexity
  ◦ Perceived risk
  ◦ Number of employees
  ◦ Off-site worker interviews
• The number of workers is calculated considering the total number of workers paid by the client, either directly or through an employment agency, including:
  ◦ Seasonal
  ◦ Part-time
  ◦ Temporary workers
  ◦ Subcontractors
• Calculation of employees is based on worker totals during the high season.

Audit Process

• The certification process must address all elements of the SA8000 standard.
• The certification audit must be a 2-stage audit.
• Certification applies to all parts of a continuous process.
• Multi-site schemes are audited using a sampling process.
• Each on-site SA8000 audit must include these elements:
  ◦ Management systems
  ◦ Complaints response
  ◦ Worker training on SA8000
  ◦ Effectiveness of corrective actions
  ◦ Health and safety
  ◦ Worker representative activities
  ◦ Working hours
  ◦ Wages
• Each shift must be audited on every audit.
• At least 30% of the audit time shall be used for worker interviews.

SA8000 Maintenance

• SA8000 certified facilities must undergo surveillance audits every 3 months.
• CBs must conduct a minimum of 1 unannounced audit in a three year cycle.
• The entire system must be re-assessed once every 3 years.
• The SA8000 certificate shall contain:
  ◦ Scope of the facility including address and activities
  ◦ Edition of the SA8000 standard, date of certification and date of expiration
  ◦ Remote sites that are included in the scope.
  ◦ The SA8000 mark
  ◦ A unique certificate number.

Nonconformities

• If fulfillment of a specified SA8000 requirement has not been demonstrated, the finding of a nonconformity (NC) may be reported.
• A corrective action request written as a result of an NC must have 3 parts:
  ◦ The statement of nonconformity
  ◦ The reference to SA8000
  ◦ The objective evidence observed.
• Major NC: absence of or total breakdown of a system to meet an SA8000 requirement or likely to result in the failure of the SA8000 system or reduce the ability to assure control of policies to protect workers.
• Minor NC: an NC that is not likely to result in the failure of the system – not systemic in nature.
• All NCs must be recorded.
• A client cannot be certified to SA8000 with open major NCs.

Certification Process by CB of SA8000 Applicant

Accreditation and Certification Process

Audit Team Requirements

• SA8000 Lead Auditors shall be:
  ◦ Qualified by an accredited CB
  ◦ Qualified ISO 9001 or equivalent lead auditors (must be trained and experienced in ISO 19011 auditing processes)
  ◦ Trained at SAAS approved/accredited SA8000 courses
  ◦ Experienced, demonstrated by having:
    • Served as a lead auditor on at least 3 accredited ISO systems audits
    • Participated in at least 3 SA8000 certification or surveillance audits.
• SA8000 Team Auditors shall be:
  ◦ Employed or under contract to an accredited CB
  ◦ Qualified ISO 9001 or equivalent lead auditors (must be trained and experienced in ISO 19011 auditing processes)
  ◦ Trained at SAAS approved/accredited SA8000 courses
  ◦ Experienced, demonstrated by having:
    • Participated in at least 3 accredited ISO systems audits
    • Participated in at least 1 SA8000 audit.

Audit Team Requirements

• Audit Teams shall:
  ◦ Consist of qualified SA8000 auditors.
  ◦ Have at least one lead auditor.
  ◦ Have an expert worker interviewer.
  ◦ Have a team member or subject matter expert with relevant sector experience.
  ◦ Not have any team member who has provided consultancy for the client in the 2 years prior to the audit.
• Audit teams should have at least one expert with a background in worker rights.
• The CB shall evaluate auditor performance.
• Training Requirements:
  ◦ SA8000 basic auditor training course
  ◦ SA8000 advanced auditor training course (within 2 years of the basic)
  ◦ Continuing education, 12 hours annually, related to management systems auditing, CSR and SA8000 elements.

Audit Report

• The audit report shall:
  ◦ Include requirements set out in ISO 17021, 9.1.10.
  ◦ Address every SA8000 element with specific descriptive notations:
    • Overtime
    • Control of suppliers
    • Wages
    • Homework
    • Freedom of association
    • Health and safety.
  ◦ Include an overall description of the facility.
  ◦ Note the interview format used along with details.
• Reports must be submitted within 20 working days of the audit.
• The lead auditor is responsible for comprehensive reporting notes and checklists.

Complaints Process

• Accredited CBs must have a complaints system in place to accept and investigate complaints.
• The process shall include:
  ◦ Correspondence with the complainant.
  ◦ An investigation of the complaint.
  ◦ A report back to the complainant.
• An investigation may be aided by:
  ◦ An unannounced audit.
  ◦ Interviews with stakeholders.
• The investigation shall cover all elements identified in the complaint.
• The report shall include:
  ◦ The resolution of the complaint.
  ◦ The reasons for the conclusion.
  ◦ A summary of the documented evidence.
  ◦ The corrective action agreed upon and confirmation of evidence.
• Every 6 months, the CB shall submit to SAAS a detailed report of all complaints.

SAAS Advisories to Procedure 200

• Since the issuance of Procedure 200 in December 2007, SAAS has issued 5 supporting Advisories:
  ◦ Advisory 1: Complaints: sets out a more formal structure for CBs to manage complaints from stakeholders.
  ◦ Advisory 2: Auditor Training: clarifies the term “equivalent” used in Procedure 200 – lays out the minimum number of audits an SA8000 auditor must experience in order to be qualified.
  ◦ Advisory 3 and 7: SA8000:2008: provides the timeline for transitioning all clients from SA8000:2001 to SA8000:2008.
  ◦ Advisory 4: Subcontracting: clarifies the provision in Procedure 200 for subcontracting SA8000 auditing work.
  ◦ Advisory 5: Auditor Training: provides continuing education requirements of SA8000 auditors.
  ◦ Advisory 6: Half Day audits: clarifies the requirements of the audit day table.
  ◦ Advisory 8: Accreditation Cycle: shifts the accreditation cycle from 3 years to 4 years for CBs.

Expected Changes to Procedures

• Since the issuance of Procedure 200 in December 2007, SAAS has also considered and implemented several changes or improvements to policies.
• Changes and pilots that have been considered by the SA8000 Advisory Committee include:
  ◦ Allowing facilities that meet risk and performance criteria to be moved from semi-annual surveillance audits to annual surveillance audits.
  ◦ Allowing audits in the maritime industry.
  ◦ Piloting enhanced stakeholder consultation methodology.
  ◦ Developing mixed audit team requirements.
  ◦ Piloting traceability or chain of custody certification systems.
  ◦ Updating the SA8000 applicant status program.