
KOREA ACCREDITATION BOARD

KAB Accreditation Advisory (2) : IAF Criteria

Document No.: KAB-A-02

Issue No.: 2

Issue Date: April 15, 2015

ISSUE No.2 April 15, 2015 2 / 64

KAB Accreditation Advisory (2) : IAF Criteria KAB-A-02

Contents

1. Certification of Multiple Sites Based on Sampling (MD 1:2007)
2. The Transfer of Accredited Certification of Management Systems (IAF MD 2:2007)
3. Advanced Surveillance and Recertification Procedures (IAF MD 3:2008)
4. The use of Computer Assisted Auditing Techniques (“CAAT”) for Accredited Certification of Management Systems (IAF MD 4:2008)
5. Duration of QMS and EMS Audits (IAF MD 5: 2013)
6. Harmonization of Sanctions to be applied to Conformity Assessment Bodies (MD 7:2010)
7. Assessment of certification body management of competence in accordance with ISO/IEC17021:2011 (MD 10:2013)
8. The application of ISO/IEC 17021 for audits of integrated management systems (MD 8:2011)
9. Assessment of certification activities for cross frontier accreditation (MD 12:2013)

[Annexes]

A. IAF-ILAC JGA Sydney Resolution 7 – Certification to accreditation standards
B. Examples of intended results from certification functions – INFORMATIVE
C. Reduction of audit time
D. Examples of the type of relationships a CAB may have with its foreign entities and subsidiaries – INFORMATIVE

Additional Clause

Foreword

1. This guide, prepared by KAB to supplement the requirements for bodies that provide audits and certification services, provides details necessary for KAB’s accreditation activities in accordance with ISO/IEC 17011 (Conformity assessment -- General requirements for accreditation bodies accrediting conformity assessment bodies) and IAF documents.

2. Certification bodies that wish to be accredited by KAB or maintain accreditation shall comply with the following criteria as well as the applicable accreditation criteria based on ISO/IEC 17021:2011 (Conformity assessment -- Requirements for bodies providing audit and certification of management systems) or ISO/IEC 17024 (Conformity assessment -- General requirements for bodies operating certification of persons):

KAB Accreditation Advisory (1) : KAB Criteria (KAB-A-01)

KAB Accreditation Advisory (2) : IAF Criteria (KAB-A-02)

3. IAF published IAF Guidance Documents (GD) and Mandatory Documents (MD) to ensure that accreditation programs are conducted in a consistent and equal way when accreditation bodies accredit certification bodies. Certification bodies accredited by KAB, which is an IAF signatory member, shall comply with IAF GDs and MDs for the consistent application of international standards.

4. The term “shall” is used throughout this document to indicate provisions that are mandatory. The term “should” is used to indicate recognised, although not mandatory, means of meeting the requirements of the Mandatory Documents set out by IAF.

5. If a certification body does not follow the criteria developed by KAB or IAF exactly, it may obtain or maintain accreditation only when it can justify that its measures satisfy the intention of the criteria. These criteria can be revised at any time as international standards or IAF’s criteria are revised.

Chapter 1. Certification of Multiple Sites Based on Sampling (MD 1:2007)

This document is mandatory for the consistent application of Clause 9.1.5. of ISO/IEC 17021:2006 and this document does not supersede any of the requirements in that standard.

1.0 INTRODUCTION

1.0.1 This document is for the audit and, if appropriate, the certification of management systems in organizations with a network of sites to ensure that the audit provides adequate confidence in the conformity of the management system to the relevant standard across all sites listed and that the audit is both practical and feasible in economic and operative terms.

1.0.2 Normally initial audits for certification and subsequent surveillance and recertification audits should take place at every site of the organization that is to be covered by the certification. However, where an organization’s activity subject to certification is carried out in a similar manner at different sites, all under the organization’s authority and control, a certification body may put into operation appropriate procedures for sampling the sites at the initial audit and subsequent surveillance and recertification audits. This document addresses the conditions under which this is acceptable for accredited certification bodies including the calculation of sample size and audit duration.

1.0.3 This document does not apply to the audits of organizations that have multi-sites where fundamentally dissimilar processes or activities are used at the different sites, or a combination of sites, even though they may be under the same management system. The conditions under which certification bodies can make any reduction in the normal full audit of every site in these circumstances have to be justified at each site where a reduction is proposed.

1.0.4 This document is applicable to accredited certification bodies that employ sampling in their audit and certification of multi-site organizations. Nevertheless an accredited certification body may exceptionally deviate from this document under condition it is able to produce relevant justifications. These justifications shall, under evaluation by the accreditation body, demonstrate that the same level of confidence in the conformity of the management system across all the sites listed can be obtained.

1.1 DEFINITIONS

1.1.1 Organization

The term organization is used to designate any company or other organization owning a management system subject to audit and certification.

1.1.2 Site

A site is a permanent location where an organization carries out work or a service.

1.1.3 Temporary Site

A temporary site is one set up by an organization in order to perform specific work or a service for a finite period of time and which will not become a permanent site (e.g. construction site).

1.1.4 Additional Sites

A new site or group of sites that will be added to an existing certified multi-site network.

1.1.5 Multi-site Organization

A multi-site organization is defined as an organization having an identified central function (hereafter referred to as a central office – but not necessarily the headquarters of the organization) at which certain activities are planned, controlled or managed and a network of local offices or branches (sites) at which such activities are fully or partially carried out.

1.2 APPLICATION

1.2.1 Site

1.2.1.1 A site could include all land on which activities under the control of an organization at a given location are carried out including any connected or associated storage of raw materials, by-products, intermediate products, end products and waste material, and any equipment or infrastructure involved in the activities, whether or not fixed. Alternatively, where required by law, definitions laid down in national or local licensing regimes shall apply.

1.2.1.2 Where it is not practicable to define a location (e.g. for services), the coverage of the certification should take into account the organization’s headquarters activities as well as delivery of its services. Where relevant, the certification body may decide that the certification audit will be carried out only where the organization delivers its services. In such cases all the interfaces with its central office shall be identified and audited.

1.2.2 Temporary Site

1.2.2.1 Temporary sites that are covered by the organization's management system may be subject to audit on a sample basis to provide evidence of the operation and effectiveness of the management system. They may, however, be included within the scope of a multi-site certification subject to agreement between the certification body and the client organization. Where included in the scope, such sites shall be identified as temporary.

1.2.3 Multi-site Organization

1.2.3.1 A multi-site organization need not be a unique legal entity, but all sites shall have a legal or contractual link with the central office of the organization and be subject to a common management system, which is laid down, established and subject to continuous surveillance and internal audits by the central office. This means that the central office has rights to require that the sites implement corrective actions when needed in any site. Where applicable this should be set out in the formal agreement between the central office and the sites.

Examples of possible multi-site organizations are:
ㆍOrganizations operating with franchises
ㆍManufacturing companies with a network of sales offices (this document would apply to the sales network)
ㆍService companies with multiple sites offering a similar service
ㆍCompanies with multiple branches

1.3 ELIGIBILITY OF AN ORGANIZATION FOR SAMPLING

1.3.1 The processes at all the sites have to be substantially of the same kind and have to be operated to similar methods and procedures. Where some of the sites under consideration conduct similar, but fewer processes than others, they may be eligible for inclusion under multi-site certification providing that the site(s) which conduct the most processes, or critical processes are subject to full audit.

1.3.2 Organizations which conduct their business through linked processes in different locations are also eligible for sampling providing all other provisions of this document are met.
Where processes in each location are not similar but are clearly linked, the sampling plan shall include at least one example of each process conducted by the organization (e.g. fabrication of electronic components in one location, assembly of the same components – by the same company in several other locations).

1.3.3 The organization’s management system shall be under a centrally controlled and administered plan and be subject to central management review. All the relevant sites (including the central administration function) shall be subject to the organization’s internal audit program and all shall have been audited in accordance with that program prior to the certification body starting its audit.

1.3.4 It shall be demonstrated that the central office of the organization has established a management system in accordance with the relevant management system standard under audit and that the whole organization meets the requirements of the standard. This shall include consideration of relevant regulations.

1.3.5 The organization should demonstrate its ability to collect and analyse data (including but not limited to the items listed below) from all sites including the central office and its authority and also demonstrate its authority and ability to initiate organizational change if required:
ㆍSystem documentation and system changes;
ㆍManagement review;
ㆍComplaints;
ㆍEvaluation of corrective actions;
ㆍInternal audit planning and evaluation of the results;
ㆍChanges to aspects and associated impacts for environmental management systems (EMS) and
ㆍDifferent legal requirements.

1.3.6 Not all organizations fulfilling the definition of “multi-site organization” will be eligible for sampling.

1.3.7 Not all management systems standards are suitable for consideration for multi-site certification. For example, multi-site sampling would be unsuitable where the audit of variable local factors is a requirement of the standard. Specific rules apply also for some schemes, for example those including automotive (TS 16949) and aerospace (AS 9100 series) and the requirements of such schemes shall take precedence.

1.3.8 Certification bodies should have documented procedures to restrict such sampling where site sampling is inappropriate to gain sufficient confidence in the effectiveness of the management system under audit. Such restrictions should be defined by the certification body with respect to:
ㆍScope sectors or activities (i.e. based on the assessment of risks or complexity associated with that sector or activity);
ㆍSize of sites eligible for multi-site audit;
ㆍVariations in the local implementation of the management system such as the need for frequent recourse to the use of plans within the management system to address different activities or different contractual or regulatory systems;
ㆍUse of temporary sites that operate under the management system of the organization and which are not to be included within the scope of certification.

1.4 RESPONSIBILITY OF THE CERTIFICATION BODY

1.4.0.1 The certification body shall provide information to the organization about the application of this document and the relevant management system standards before starting the audit process, and should not proceed if any of the provisions are not met. Before starting the audit process, the certification body should inform the organization that the certificate will not be issued if during an initial audit nonconformities are found.

1.4.1 Contract Review

1.4.1.1 The certification body’s procedures should ensure that the initial contract review identifies the complexity and scale of the activities covered by the management system subject to certification and any differences between sites as the basis for determining the level of sampling.

1.4.1.2 The certification body shall identify the central function of the organization with which it has a legally enforceable agreement for the provision of certification activities.

1.4.1.3 The certification body shall check, in each individual case, to what extent sites of an organization operate substantially the same kind of processes according to the same procedures and methods. See clause 1.3.1 for sites which conduct fewer, but similar processes than other sites and clause 1.3.2 for sites involving linked processes. Only after a positive examination by the certification body that all the sites proposed for inclusion in the multi-site exercise meet the eligibility provisions may the sampling procedure be applied to the individual sites.
1.4.1.4 If all the sites of a service organization where the activity subject to certification is performed are not ready to be submitted for certification at the same time, the organization shall be required to inform the certification body in advance of the sites that it wants to be included in the certification and those which are to be excluded.

1.4.2 Audit

1.4.2.1 The certification body shall have documented procedures to deal with audits under its multi-site procedure. Such procedures shall establish the way the certification body satisfies itself that the same management system governs the activities at all the sites, is actually applied to all the sites and that all the eligibility criteria for the organization in clause 1.3 above are met. This requirement also applies to a management system where electronic documents, process control or other electronic processes are used. The certification body shall justify and record the rationale for proceeding with a multi-site approach.

1.4.2.2 If more than one audit team is involved in the audit or surveillance of the network, the certification body should designate a unique audit leader whose responsibility is to consolidate the findings from all the audit teams and to produce a synthesis report.

1.4.3 Nonconformities

1.4.3.1 When nonconformities, as defined in ISO/IEC 17021 clause 9.1.15 (b), are found at any individual site, either through the organization’s internal auditing or from auditing by the certification body, investigation should take place to determine whether the other sites may be affected. Therefore, the certification body should require the organization to review the nonconformities to determine whether they indicate an overall system deficiency applicable to other sites or not. If they are found to do so, corrective action should be performed and verified both at the central office and at the individual affected sites. If they are found not to do so, the organization should be able to demonstrate to the certification body the justification for limiting its follow-up corrective action.

1.4.3.2 The certification body shall require evidence of these actions and increase its sampling frequency and/or the size of sample until it is satisfied that control is re-established.

1.4.3.3 At the time of the decision making process, if any site has a nonconformity, as defined in ISO/IEC 17021 clause 9.1.15 (b), certification shall be denied to the whole network of listed sites pending satisfactory corrective action.
1.4.3.4 It shall not be admissible that, in order to overcome the obstacle raised by the existence of a nonconformity at a single site, the organization seeks to exclude from the scope the "problematic" site during the certification process. Such exclusion can only be agreed in advance (See clause 1.4.1.4).

1.4.4 Certification Documents

1.4.4.1 Certification documents can be issued covering multiple sites provided that each site included in the scope of certification has either been individually audited by the certification body or audited using the sample approach outlined in this document.

1.4.4.2 The certification body shall provide certification documents to the certified client by any means it chooses. Such certification documents shall comply in all respects with ISO/IEC 17021.

1.4.4.3 These documents shall contain the name and address of the central office of the organization and a list of all the sites to which the certification documents relate. The scope or other reference on these documents shall make clear that the certified activities are performed by the network of sites on the list. If the certification scope of the sites is only issued as part of the general scope of the organization, its applicability to all the sites shall be clearly stated. Where temporary sites are included in the scope, such sites shall be identified as temporary in the certification documents.

1.4.4.4 Certification documents may be issued to the organization for each site covered by the certification under condition that they contain the same scope, or a sub-scope of that scope, and include a clear reference to the main certification documents.

1.4.4.5 The certification documentation will be withdrawn in its entirety, if the central office or any of the sites does not fulfill the necessary provisions for the maintenance of the certification.

1.4.4.6 The list of sites shall be kept updated by the certification body. To this effect, the certification body shall request the organization to inform it about the closure of any of the sites covered by the certification. Failure to provide such information will be considered by the certification body as a misuse of the certification, and it should act consequently according to its procedures.

1.4.4.7 Additional sites can be added to an existing certification as the result of surveillance or recertification activities or enhancement of scope. The certification body shall have documented procedures for the addition of new sites.

1.5 SAMPLING

1.5.1 Methodology

1.5.1.1 The sample should be partly selective based on the factors set out below and partly non-selective, and should result in a representative range of different sites being selected, without excluding the random element of sampling.

1.5.1.2 At least 25% of the sample should be selected at random.

1.5.1.3 Taking into account the provisions mentioned below, the remainder should be selected so that the differences among the sites selected over the period of validity of the certificate are as large as possible.

1.5.1.4 The site selection may include among others the following aspects:
ㆍResults of internal site audits and management reviews or previous certification audits;
ㆍRecords of complaints and other relevant aspects of corrective and preventive action;
ㆍSignificant variations in the size of the sites;
ㆍVariations in shift patterns and work procedures;
ㆍComplexity of the management system and processes conducted at the sites;
ㆍModifications since the last certification audit;
ㆍMaturity of the management system and knowledge of the organization;
ㆍEnvironmental issues and extent of aspects and associated impacts for environmental (EMS) management systems;
ㆍDifferences in culture, language and regulatory requirements; and
ㆍGeographical dispersion.

1.5.1.5 This selection does not have to be done at the start of the audit process. It can also be done once the audit at the central office has been completed. In any case, the central office shall be informed of the sites to be included in the sample. This can be on relatively short notice, but should allow adequate time for preparation for the audit.

1.5.2 Size Of Sample

1.5.2.1 The certification body shall have a documented procedure for determining the sample to be taken when auditing sites as part of the audits and certification of a multi-site organization. This should take into account all the factors described in this document.

1.5.2.2 The certification body shall have records on each application of multi-site sampling justifying it is operating in accordance with this document.

1.5.2.3 The following calculation is an example based on the example of a low to medium risk activity with less than 50 employees at each site.
The minimum number of sites to be visited per audit is:
ㆍInitial audit: the size of the sample should be the square root of the number of remote sites: (y = √x), rounded to the upper whole number.
ㆍSurveillance audit: the size of the annual sample should be the square root of the number of remote sites with 0.6 as a coefficient (y = 0.6 √x), rounded to the upper whole number.
ㆍRe-certification audit: the size of the sample should be the same as for an initial audit. Nevertheless, where the management system has proved to be effective over a period of three years, the size of the sample could be reduced by a factor 0.8, i.e.: (y = 0.8 √x), rounded to the upper whole number.

1.5.2.4 The certification body should define within its management system the risk levels of activities as applied above.

1.5.2.5 The central office shall be audited during every initial certification and recertification audit and at least annually as part of surveillance.

1.5.2.6 The size or frequency of the sample should be increased where the certification body’s risk analysis of the activity covered by the management system subject to certification indicates special circumstances in respect of factors such as:
ㆍThe size of the sites and number of employees (e.g. more than 50 employees on a site);
ㆍThe complexity or risk level of the activity and of the management system;
ㆍVariations in working practices (e.g. shift working);
ㆍVariations in activities undertaken;
ㆍSignificance and extent of aspects and associated impacts for environmental management systems (EMS);
ㆍRecords of complaints and other relevant aspects of corrective and preventive action;
ㆍAny multinational aspects; and
ㆍResults of internal audits and management review.

1.5.2.7 When the organization has a hierarchical system of branches (e.g. head (central) office, national offices, regional offices, local branches), the sampling model for initial audit as defined above applies to each level.

Example:
ㆍ1 head office: visited at each audit cycle (initial or surveillance or recertification)
ㆍ4 National offices: sample = 2: minimum 1 at random
ㆍ27 regional offices: sample = 6: minimum 2 at random
ㆍ1700 local branches: sample = 42: minimum 11 at random.
1.5.3 Audit Times

1.5.3.1 The audit time to spend for each individual site is another important element to consider, and the certification body shall be prepared to justify the time spent on multi-site audits in terms of its overall policy for allocation of audit time.

1.5.3.2 The number of man-days per site, including the central office, should be calculated for each site using the most recently published IAF document for the calculation of man-days for the relevant standard.

1.5.3.3 Reductions can be applied to take into account the clauses that are not relevant to the central office and/or the local sites. Reasons for the justification of such reductions shall be recorded by the certification body.

Note: Sites which carry out the most or critical processes are not subject to reductions (clause 1.3.1).

1.5.3.4 The total time expended on initial assessment and surveillance is the total sum of the time spent at each site plus the central office and should never be less than that which would have been calculated for the size and complexity of the operation if all the work had been undertaken at a single site (i.e. with all the employees of the company in the same site).

1.5.4 Additional Sites

1.5.4.1 On the application of a new group of sites to join an already certified multi-site network, each new group of sites should be considered as an independent set for the determination of the sample size. After inclusion of the new group in the certificate, the new sites should be cumulated to the previous ones for determining the sample size for future surveillance or recertification audits.

Chapter 2. The Transfer of Accredited Certification of Management Systems (IAF MD 2:2007)

This document is mandatory for the consistent application of Clause 9.1.1. of ISO/IEC 17021:2006 and this document does not supersede any of the requirements in that standard.

2.0 INTRODUCTION

2.0.1 This document provides normative criteria on the transfer of accredited management system certification between certification bodies. The criteria may also be applicable in the case of acquisitions of certification bodies accredited by an IAF MLA signatory.

2.0.2 The objective of this document is to assure the maintenance of the integrity of accredited management system certifications issued by one certification body if subsequently transferred to another such body.

2.0.3 The document provides minimum criteria for the transfer of certification. Certification bodies may implement procedures or actions which are more stringent than those contained herein provided that a client organization's freedom to choose a certification body is not unduly or unfairly constrained.

2.1 DEFINITION

2.1.1 Transfer of Certification

The transfer of certification is defined as the recognition of an existing and valid management system certification, granted by one accredited certification body (hereinafter referred to as the “issuing certification body”), by another accredited certification body (hereinafter referred to as the “accepting certification body”) for the purpose of issuing its own certification.

Note: Multiple certification (concurrent certification by more than one certification body) does not fall under the definition above, and is not encouraged by IAF.

2.2 MINIMUM REQUIREMENTS

2.2.1 Accreditation

Only certifications which are covered by an accreditation of an IAF MLA signatory shall be eligible for transfer. Organizations holding certifications that are not covered by such accreditations shall be treated as new clients.

2.2.2 Pre-Transfer Review

A competent person from the accepting certification body shall carry out a review of the certification of the prospective client. This review shall be conducted by means of a documentation review and should, normally, include a visit to the prospective client. Reasons for not conducting a visit shall be fully justified and documented and a visit shall be conducted if no contact can be made with the issuing certification body. The review should cover the following aspects and its findings shall be fully documented:

(i) confirmation that the client’s certified activities fall within the accredited scope of the accepting certification body;

(ii) the reasons for seeking a transfer;

(iii) that the site or sites wishing to transfer certification hold an accredited certification that is valid in terms of authenticity, duration and scope of activities covered by the management system certification. If practical, the validity of certification and the status of outstanding nonconformities should be verified with the issuing certification body unless it has ceased trading. Where it has not been possible to communicate with the issuing certification body, the accepting certification body shall record the reasons;

(iv) a consideration of the last certification or recertification audit reports, subsequent surveillance reports and any outstanding nonconformities that may arise from them. This consideration shall also include any other available, relevant documentation regarding the certification process i.e. handwritten notes, checklists. If the last certification, recertification or subsequent surveillance audit reports are not made available or if the surveillance audit is overdue then the organisation shall be treated as a new client;

(v) complaints received and action taken;

(vi) the stage in the current certification cycle.
See Clause 2.2.3.4 of this document; and

(vii) any current engagement by the organisation with regulatory bodies in respect of legal compliance.

2.2.3 Certification

2.2.3.1 Normally, only valid accredited certification should be transferred. In cases where certification has been granted by a certification body which has ceased trading or whose accreditation has expired, been suspended or withdrawn, the accepting certification body may consider such a certification for transfer at its discretion. In such cases, before it proceeds with the transfer, the accepting certification body shall obtain agreement from the accreditation body, whose mark it intends to place on the certificate. In the case of acquisitions the acquiring certification body should, where practical, fulfil the contractual obligations of the acquired certification body.

2.2.3.2 Certification which is known to have been suspended or under threat of suspension shall not be accepted for transfer. If the accepting certification body has not been able to verify the status of the certification with the issuing certification body, the organisation shall be required to confirm that the certificate is not suspended or under threat of suspension.

2.2.3.3 Outstanding nonconformities should be closed out, if practical, with the issuing certification body, before transfer. Otherwise they shall be closed out by the accepting certification body.

2.2.3.4 If no further outstanding or potential problems are identified by the pre-transfer review a certification may be issued following the normal decision making process. The programme of ongoing surveillance should be based on the previous certification regime unless the accepting certification body has conducted an initial or recertification audit as a result of the review.

2.2.3.5 Where doubt continues to exist, after the pre-transfer review, as to the adequacy of a current or previously held certification, the accepting certification body shall, depending upon the extent of doubt, either:
ㆍtreat the applicant as a new client or
ㆍconduct an audit concentrating on identified problem areas.

The decision as to the action required will depend upon the nature and extent of any problems found and shall be explained to the organization and the justification for the decision shall be documented and the records maintained by the certification body.

Chapter 3. IAF Mandatory Document for Advanced Surveillance and Recertification Procedures (IAF MD 3:2008)

This document provides normative criteria for advanced surveillance and recertification procedures (ASRP) for consistent application of clause 9.1.1 of ISO/IEC 17021:2006 for determining subsequent adjustments to the audit program. This document addresses only Quality Management Systems (QMS) and Environmental Management Systems (EMS), in which IAF members have had experience of implementing ASRP or its predecessor methodologies. The use of ASRP is not mandatory, but if an accreditation body wishes to permit their accredited certification body and its client(s) to opt for the use of ASRP, it is a requirement of IAF that the certification body and its client(s) conform to this document and be able to demonstrate conformity to the accreditation body.

3.0 INTRODUCTION

3.0.1 For a client organization that has established confidence in its management system (QMS and/or EMS) by consistently demonstrating effectiveness over a period of time, the certification body, in consultation with the organization, may choose to apply the Advanced Surveillance and Recertification Procedures (ASRP) provided for in this document. Such an advanced surveillance and recertification program may place greater (but not total) reliance on the organization’s internal audit and management review processes, include targeted surveillance topics, take into account specific design input from the organization and/or use other methods as appropriate, to demonstrate conformity of the management system.

3.0.2 The objective of this document is to assure the provision of more effective and efficient audits to organizations that have a proven performance record while at the same time maintaining the integrity of the accredited management system certificates they hold.

3.0.3 This document states minimum requirements for the application of the ASRP. Certification bodies may implement procedures or actions which are more stringent than those contained herein provided that an organization's justifiable request for the ASRP is not unduly or unfairly constrained.

3.1 MINIMUM REQUIREMENTS

3.1.1 Prerequisite

In order to utilize the ASRP, the certification body shall first demonstrate to an IAF MLA
signatory accreditation body:
a) That it has been operating an accredited certification scheme for the relevant management system (QMS and/or EMS) for a minimum of one complete accreditation cycle.
b) That it is competent to design an ASRP program for each individual organization in the relevant management system (QMS and/or EMS), in accordance with the requirements of ISO 9001:2000 clause 7.3 and using the design input criteria mentioned in clause 3.1.3.2 below.

NOTE: Reference is made here to ISO 9001 since this specifies the requirements for the certification body to design a program for ASRP regardless of whether it is operating certification of QMS or EMS.

3.1.2 Accreditation Scope

The competence of the certification body to meet clause 3.1.1 (b) above shall be assessed by the accreditation body after which, if successful, specific reference to the approval for ASRP for QMS and/or EMS, as appropriate, shall be included in the certification body’s accreditation scope.

3.1.3 Eligibility and Design Input Criteria

The certification body shall inform the accreditation body prior to every new utilization of ASRP for each specific organization, and shall be able to demonstrate that the following criteria in clauses 3.1.3.1 and 3.1.3.2 have been satisfied:

3.1.3.1 Eligibility Criteria

a) The certification body shall confirm that the organization’s management system has been in demonstrated conformity with the requirements of the applicable standard(s) for a period of at least one complete certification cycle including initial, surveillance and recertification audits.
NOTE: The certification body may base this confirmation of demonstrated conformity on the outcome of the first recertification audit (non-ASRP) of the organization conducted at the end of a three-year certification cycle.
b) All nonconformities raised during the certification cycle immediately prior to the utilization of ASRP shall have been successfully resolved.
c) For an EMS, the certification body shall confirm that the organization has established compliance with applicable legal requirements and has not had any sanctions imposed by the relevant regulatory authority(ies) for the period of a) above.
d) The certification body shall have agreed suitable performance indicators with the organization, on which to judge the ongoing effectiveness of the management system, and shall ensure that the organization is consistently meeting agreed performance targets.
(i) For a QMS, these performance indicators shall address, as a minimum, the organization’s demonstrated ability to consistently provide product that meets customer and applicable regulatory requirements (see ISO 9001:2000 clause 1.1), and shall incorporate requirements for the continual improvement of the effectiveness of the QMS.
NOTE: For a QMS, “indicator” means the characteristic to be measured and “target” means the quantitative/qualitative requirements to be met.
(ii) For an EMS, these performance indicators shall address, as a minimum, the organization’s demonstrated ability to achieve its environmental policy, objectives and targets and comply with applicable legal and other requirements related to its environmental aspects (see ISO 14001:2004 clause 4.3.2), and shall incorporate requirements for the continual improvement and prevention of pollution.
NOTE: For an EMS, “indicator” means the characteristic to be measured and “target” used in the context of performance target means the quantitative/qualitative requirements to be met, which is considered to be identical with “environmental target” as defined in ISO 14001.
e) The certification body shall have enforceable arrangements with the organization to provide for access to relevant information. For a QMS, this information is all customer satisfaction data collected or otherwise available. For an EMS, this information is all relevant communication from external interested parties, and in particular the relevant regulatory authority(ies). When it becomes necessary for the certification body to communicate directly with the source of such information in order to validate the information, mutually agreed confidentiality policies and procedures shall be applied.
f) The certification body shall verify that the organization’s internal audit process is being managed in accordance with the guidance of ISO 19011, with particular reference to auditor competence defined in clause 7. The internal audit process shall be sufficiently coordinated and integrated so as to provide an evaluation of the management system as a whole, not only the performance of individual components.
g) The certification body shall have contractually enforceable arrangements to enable it to increase the scope, frequency and duration of its audits in the event of a deterioration of the
organization’s ability to meet agreed performance targets.

3.1.3.2 Design Input Criteria

In addition to organization-specific input criteria, the design of each individual ASRP shall address the following:

a) The frequency and duration of the certification body audits shall be sufficient to allow the certification body to conform with this criteria document including the following b) and c), among others. For each proposed utilization of ASRP, the certification body shall determine the base level (non-ASRP) auditor time using relevant IAF Guidance or Normative Criteria Documents, and, if applicable, IAF MD 1 for sampling of multi-sites. If the certification body plans an individual ASRP program that reduces the auditor time to less than 70% of this base-level, the certification body shall justify such reductions and seek specific approval from the accreditation body prior to its implementation.
NOTE: IAF Mandatory Documents applicable to auditor time for QMS and EMS are under development. Until such documents become available, Annex 2 of IAF GD2 (and, where applicable, Annex 3) and Annex 1 of IAF GD6 (and, where applicable, clause G5.3.6) should continue to be applied to define the total audit time (Phase 1 + Phase 2).
b) In addition to auditing a statistically significant number of samples of the organization’s management system processes to confirm the adequacy and effectiveness of the internal audit process, the certification body itself shall continue to carry out the following activities at each on-site surveillance and recertification audit, as a minimum (with other activities defined by the ASRP; see clause 4.1.4 below):
ㆍ interview top management and the management representative;
ㆍ evaluate management review inputs and outputs, including a verification of the organization’s ability to meet the agreed performance targets;
ㆍ review the internal audit process, including the procedures and records of internal audits, and the competence of internal auditors; and
ㆍ review corrective and preventive actions plans, and verify their effective implementation.
c) The certification body shall ensure that all the requirements for accredited certification (including the requirements of ISO/IEC 17021:2006 and any applicable sector scheme) continue to be met.

3.1.4 Design Output

The design output for each application of the certification body’s ASRP program shall include the following (a) – (f):
a) The extent to which the certification body will utilize the organization’s internal audit and management review processes to complement the certification body’s activities;
b) Criteria for witnessing the organization’s internal audits, including sampling of both auditors and processes to be audited;
c) Criteria for accepting and monitoring the competence of the organization’s internal auditors and the method of reporting internal audit results;
d) Criteria for ongoing adjustments to the audit program, taking into account the organization’s demonstrated ability over time to meet the agreed performance targets;
e) The components of the management system that will necessarily be audited by the certification body at each surveillance and recertification audit (see clause 3.1.3.2 b); and
f) Specific competence criteria for certification body auditors and, where applicable, for technical experts.

3.1.5 Certificates

The certification body shall not differentiate between ASRP and non-ASRP methodologies on the certificates it issues.

Chapter 4. The use of Computer Assisted Auditing Techniques (“CAAT”) for Accredited Certification of Management Systems (IAF MD 4:2008)

This mandatory document is to provide for the consistent application of ISO/IEC 17021:2006 when computer assisted auditing techniques are used as part of the audit methodology. The use of CAAT is not mandatory, but if a certification body and its client opt to use CAAT, it is mandatory that they conform to this document and are able to demonstrate conformity to the accreditation body.

4.0 INTRODUCTION

4.0.1 As information and communication technologies become ever-more sophisticated, it is important for certification bodies to be able to use “Computer Assisted Auditing Techniques” to enhance audit effectiveness and efficiency, and to support and maintain the integrity of the audit process.
NOTE: Guidance on the use of Computer Assisted Auditing Techniques can be obtained from the website of the ISO/IAF Auditing Practices Group www.iso.org/tc176/ISO9001AuditingPracticesGroup

4.0.2 Such “Computer Assisted Auditing Techniques” (“CAAT”) may include, for example:
ㆍ Teleconferencing,
ㆍ Web meetings,
ㆍ Interactive web-based communications,
ㆍ Remote electronic access to the management system documentation and/or management system processes.

4.0.3 The objectives for the effective application of CAAT are:
a) To provide a methodology that is sufficiently flexible and non-prescriptive in nature to satisfy the needs of industry, by allowing client organizations and their respective certification bodies to use CAAT to enhance the conventional audit process, and
b) To ensure that adequate controls are in place with sufficient accreditation body oversight to avoid abuses and to prevent excessive commercial pressures that could compromise the integrity of the certification process.

4.1 REQUIREMENTS

4.1.1 Confidentiality

In accordance with ISO/IEC 17021, clause 8.5.1, the security and confidentiality of electronic or electronically-transmitted information is particularly important when a certification body is using CAAT. The certification body should agree on mutually acceptable information security measures with its client before using CAAT.

4.1.2 Process requirements

4.1.2.1 In addition to the requirements in ISO/IEC 17021, clause 9.1.2, the audit plan shall identify any computer-assisted auditing techniques that will be utilized.

4.1.2.2 In addition to the requirements in ISO/IEC 17021, clause 9.1.3, when using CAAT, specific attention shall be given to the auditors’ ability to understand and utilize the information technologies employed by the client organization to manage its management system processes.

4.1.2.3 In addition to the requirements in ISO/IEC 17021, clause 9.1.4, if a certification body uses CAAT, it may be considered as partially contributing to the total on-site auditor time. If remote auditing activities represent more than 30% of the planned on-site auditor time, the certification body shall justify the audit plan and obtain specific approval from the accreditation body prior to its implementation.
NOTES:
1) It is expected that this "specific approval" will initially be done on a case-by-case basis, but does not preclude a "blanket approval" from the accreditation body for the certification body to go over a 30% reduction once the certification body has demonstrated that its process is robust.
2) On-site auditor time refers to the on-site auditor time allocated for individual sites. Electronic audits of remote sites are considered to be remote audits, even if the electronic audit is physically carried out from another of the client organization’s premises.

4.1.2.4 In addition to the requirements in ISO/IEC 17021, clause 9.1.10, audit reports shall indicate the extent to which CAAT has been used in carrying out the audit, and how it
contributes to audit effectiveness and efficiency.

4.1.2.5 In addition to the requirements in ISO/IEC 17021, clause 9.2.2.1 (a) when the certification body is proposing to use CAAT for part of the audit, the application review shall include verification that the client organization has the necessary infrastructure to support this approach.

4.1.2.6 In addition to the requirements in ISO/IEC 17021, clause 9.3.2.2, regardless of the use of CAAT, the organization shall be physically visited at least annually.

4.1.2.7 In addition to the requirements in ISO/IEC 17021, clause 9.9.2, records shall indicate the extent to which CAAT has been used in carrying out the audit and certification.

Chapter 5. Duration of QMS and EMS Audits (IAF MD 5: 2013)

This document is mandatory for the consistent application of Clause 9.1.4.1 of ISO/IEC 17021:2011 for audits of quality and environmental management systems and is based upon guidance previously provided in IAF GD2:2005 Annex 2 and GD6: 2006 Annex 1. All clauses of ISO/IEC 17021:2011 continue to apply and this document does not supersede any of the requirements in that standard. Although personnel numbers (permanent, temporary and part time) of the client are used as the starting point when considering the audit duration, this is not the sole consideration and account shall be taken of other factors affecting audit duration.

5.0 INTRODUCTION

5.0.1 This document provides mandatory provisions and guidance for CABs to develop their own documented procedures for determining the amount of time required for the auditing of clients of differing sizes and complexity over a broad spectrum of activities. It is intended that this will lead to consistency of audit duration between CABs, as well as between similar clients of the same CAB.

5.0.2 CABs shall identify the audit duration for the Stage 1 and Stage 2 initial audit, surveillance audits, and re-certification audits for each applicant and certified client.

5.0.3 This mandatory document does not stipulate minimum/maximum times but provides a framework that shall be utilized within a CAB’s documented procedures to determine appropriate audit duration, taking into account the specifics of the client to be audited.

5.0.4 For accreditation purposes, it should be noted that nonconformity with this document (and/or the included tables) in individual instances does not automatically lead to nonconformity against ISO/IEC 17021. However, this situation could be grounds for further investigation into the completeness of the audit. Special consideration should be given to investigating the grounds for deviation from this mandatory document.

5.0.5 If inconsistencies to this mandatory document are found on a more regular basis, this could form the basis for nonconformity against ISO/IEC 17021 on the grounds that the CAB cannot give a reasonable assurance that it gives its audit teams the time to perform a sufficiently complete audit as part of the certification process.

5.1 DEFINITION

5.1.1 Audit Duration

Audit duration for all types of audits is the effective time measured in auditor days required to carry out auditing activity.

5.1.2 Auditor Day

The duration of an auditor day is normally 8 hours and may or may not include travel time or lunch depending upon local legislation.

5.1.3 Effective Number of Personnel

The effective number of personnel consists of all full time personnel involved within the scope of certification including those working on each shift. Non-permanent (seasonal, temporary, sub-contractors and contracted personnel) and part time personnel who will be present at the time of the audit shall be included in this number.

5.1.4 Temporary Site

A temporary site is one set up by an organization in order to perform specific work or a service for a finite period of time and which will not become a permanent site. (e.g. a construction site).

1.5 Complexity Category (EMS only)

For environmental management systems, the provisions specified in this document are based on five primary complexity categories of the nature, number and gravity of the environmental aspects of an organization that fundamentally affect the auditor time.

5.2 APPLICATION

5.2.1 Audit Duration

Audit duration for all types of audits includes on site time at a client's premises and time spent off-site carrying out planning, document review, interacting with client personnel and report writing. It is expected that the audit duration involved in these combined activities (irrespective of
whether the activities are undertaken off-site or on-site) should not typically reduce the total on-site audit duration to less than 80% of the time calculated following the methodology in Section 3. This applies to initial, surveillance and recertification audits. Where additional time is required for planning and/or report writing, this will not be justification for reducing on-site audit duration for any audit.

5.2.2 Auditor Day

Tables QMS 1 and EMS 1 present audit durations calculated in auditor days on the basis of 8 hours per day. National adjustments on the number of days may be needed to comply with local legislation for travel, lunch breaks and working hours, to achieve the same total number of hours of auditing of Tables QMS 1 and EMS 1. The number of auditor days allocated shall not be reduced at the planning stages by programming longer hours per working day.

5.2.3 Effective Number of Personnel

The effective number of personnel is used as a basis for the calculation of audit duration. Dependent upon the hours worked, part time personnel numbers may be reduced and converted to an equivalent number of full time personnel. Appropriate reduction should be made to the temporary unskilled personnel who may be employed in considerable numbers in some countries due to low level of technology and automation. Appropriate reduction of number of personnel also should be made where significant proportion of staff carry out a similar simple function for instance: transport, line work, assembly lines, etc. A CAB shall agree with the organization to be audited the timing of the audit which will best demonstrate the full scope of the client activities.
Note: Timing of the audit to best demonstrate the full scope may include the need to audit outside normal working hours or suit the shift pattern employed.

5.3 METHODOLOGY FOR DETERMINING AUDIT DURATION

5.3.1 The methodology used as a basis for the calculation of audit duration of an initial audit (Stage 1 + Stage 2) involves the interpretation of tables and figures in Annex A and Annex B for QMS and EMS audits respectively. Annex A (QMS) is based solely upon the effective number of personnel (see Clause 5.2.3 for guidance on the calculation of the effective number of personnel) but does not provide minimum or maximum duration. In addition to effective number of personnel, Appendix B (EMS) is based also on the environmental complexity of the
organization and does not provide minimum or maximum duration.

5.3.2 Using a suitable multiplier, the same tables and figures may be used as the base for calculating audit duration for surveillance audits (Clause 5.5) and recertification audits (Clause 5.6).

5.3.3 The CAB shall have procedures that provide for the allocation of adequate time for auditing of relevant processes of the client. Experience has shown that apart from the number of personnel, the time required to carry out an effective audit depends upon other factors for both QMS and EMS. These factors are explored in more depth in Clause 5.8.

5.3.4 This mandatory document lists the provisions which should be considered when establishing the amount of time needed to perform an audit. These and other factors need to be examined during the CAB’s contract review process for their potential impact on the audit duration regardless of the type of audit. Therefore the relevant tables, figures and diagrams for both QMS and EMS which demonstrate the relationship between effective number of personnel and complexity, cannot be used in isolation. These tables and figures provide the framework for further audit planning and for making adjustments to audit duration for all types of audits.

5.3.5 For QMS audits, Figure QMS 1 provides a visual guide to making adjustments from the basic audit times and provides the framework for a process that should be used for audit planning by identifying a starting point based on the total effective number of personnel for all shifts. Where product or service realization processes operate on a shift basis, the extent of auditing of each shift by the CAB depends on the processes done on each shift, and the level of control of each shift that is demonstrated by the client. The justification for not auditing each shift shall be documented.

5.3.6 For an EMS audit it is appropriate to base audit duration on the effective number of personnel of the organization and the nature, number and gravity of the environmental aspects of the typical organization in that industry sector. The audit duration should then be adjusted based on any significant factors that uniquely apply to the organization to be audited. The CAB should exercise discretion to ensure that any variation in audit duration does not lead to a compromise on the effectiveness of audits. Where product or service realization processes operate on a shift basis, the extent of auditing of each shift by the CAB depends on the processes done on each shift, and the level of control of each shift that is demonstrated by the client. The justification for not auditing each shift shall be documented.

5.3.7 The starting point for determining audit duration shall be identified based on the effective number of personnel, then adjusted for the significant factors applying to the client to be audited, and attributing to each factor an additive or subtractive weighting to modify the base figure. In every situation the basis for the establishment of audit duration including adjustments made shall be recorded.

5.3.8 Audit duration determinations using the tables or figures in Annexes A and B shall not include the time of “auditors-in-training” or the time of technical experts.

5.3.9 The reduction of audit duration shall not exceed 30% of the times established from Tables QMS 1 or EMS 1.

5.4 INITIAL AUDIT DURATION (STAGE 1 PLUS STAGE 2)

5.4.1 Audit duration involved in combined offsite activities (Clause 5.2.1) should not reduce the total on-site audit duration to less than 80% of the time calculated following the methodology in Section 3. Where additional time is required for planning and/or report writing, this will not be justification for reducing on-site audit duration.

5.4.2 Table QMS 1 and Figure QMS 1 and Tables EMS 1 and EMS 2 provide a starting point for estimating the duration of an initial audit (Stage 1 + Stage 2) for QMS and EMS audits respectively. For each client, the CAB shall determine the time needed to plan and accomplish a complete and effective audit of the client’s management system. The audit time determined by the certification body and the justification for the determination shall be recorded. Where a CAB has applied a reduction or an increase to the times established in Tables QMS 1 or EMS 1, it shall make the justification available to their Accreditation Body for review during Accreditation Body assessments and on request from the Accreditation Body.

5.4.3 Certification audit duration may include remote auditing techniques such as interactive web-based collaboration; web meetings, teleconferences and/or electronic verification of the client’s processes (see IAF MD4). These activities shall be identified in the audit plan, and the time spent on these activities may be considered as contributing to the total “on-site audit duration”. If the CAB plans an audit for which the remote auditing activities represent more than 30% of the planned on-site audit duration, the CAB shall justify the audit plan and maintain the records of this justification which shall be available to an Accreditation Body for
review. It is unlikely that the remote auditing activities represent more than 50% of the total on-site auditor time.
Notes:
1. On-site auditor time refers to the on-site auditor time allocated for individual sites. Electronic audits of remote sites are considered to be remote audits, even if the electronic audit is physically carried out on the organization’s premises.
2. Regardless of the remote auditing techniques used, the client organization shall be physically visited at least annually.
3. It is unlikely that the duration of a Stage 2 audit will be less than one (1) auditor/day.

5.5 SURVEILLANCE

During the initial three year certification cycle, surveillance audit duration for a given organization should be proportional to the time spent on initial certification audit (Stage 1 + Stage 2), with the total amount of time spent annually on surveillance being about 1/3 of the time spent on the initial certification audit. An update of client data related to certification shall be available for the planning of each surveillance audit. The planned surveillance audit duration shall be reviewed from time-to-time, at least at every surveillance audit and always at the time of recertification, to take into account changes in the organization, system maturity, etc. The evidence of review including any adjustments to audit duration shall be recorded.

5.6 RECERTIFICATION

The duration of the recertification audit should be calculated on the basis of the updated information of the client and is normally approximately 2/3 of the time that would be required for an initial certification audit (Stage 1 + Stage 2) of the organization if such an initial audit were to be carried out at the time of recertification (i.e. not 2/3 of the original initial certification audit duration). The audit duration shall take account of the outcome of the review of system performance (ISO/IEC 17021 cl. 9.4.1.2). The review of system performance does not itself form part of the audit duration for recertification audits.

5.7 INDIVIDUALIZED SECOND AND SUBSEQUENT CERTIFICATION CYCLES

For the second and subsequent certification cycles, the CAB may choose to design an individualized surveillance and recertification program (see IAF MD3 for Advanced
Surveillance and Recertification Procedures – ASRP). If an ASRP approach is not chosen the audit duration should be calculated as indicated in Clauses 5.5 and 5.6.

5.8 FACTORS FOR ADJUSTMENTS OF AUDIT DURATION (QMS AND EMS)

The additional factors that need to be considered include but are not limited to:

Increase in audit duration:

• Complicated logistics involving more than one building or location where work is carried out. e.g., a separate Design Centre must be audited;
• Staff speaking in more than one language (requiring interpreter(s) or preventing individual auditors from working independently);
• Very large site for the number of personnel (e.g., a forest);
• High degree of regulation (e.g. food, drugs, aerospace, nuclear power, etc);
• System covers highly complex processes or relatively high number of unique activities;
• Activities that require visiting temporary sites to confirm the activities of the permanent site(s) whose management system is subject to certification.

Increases in audit duration for EMS only:

• Higher sensitivity of receiving environment compared to typical location for the industry sector;
• Views of interested parties;
• Indirect aspects necessitating increase in auditor time;
• Additional or unusual environmental aspects or regulated conditions for the sector.

Decrease in audit duration:

• Client is not "design responsible" or other standard elements are not covered in the scope (QMS only);
• Very small site for number of personnel (e.g. office complex only),
• Maturity of management system;
• Prior knowledge of the client management system (e.g., already certified to another standard by the same CAB);
• Client preparedness for certification (e.g., already certified or recognized by another 3rd party scheme);
• Low complexity activities, e.g.
• Processes involve a single generic activity (e.g., Service only);
• Identical activities performed on all shifts with appropriate evidence of equivalent
ISSUE No.2 April 15, 2015 32 / 64

KAB Accreditation Advisory (2) : IAF Criteria KAB-A-02

performance on all shifts based on prior audits (internal audits and CAB audits); • Where a significant proportion of staff carry out a similar simple function;

Note: For EMS, low complexity processes are captured in Table EMS 1. • Where staff include a number of people who work “off location” e.g. salespersons, drivers, service personnel, etc. and it is possible to substantially audit compliance of their activities with the system through review of records. All attributes of the client’s system, processes, and products/services should be considered and a fair adjustment made for those factors that could justify more or less auditor time for an effective audit. Additive factors may be off-set by subtractive factors. Note: Additional factors to consider when calculating the duration of audits of integrated management systems are addressed in IAF MD 11. 5.9 TEMPORARY SITES 5.9.1 In situations where the certification applicant or certified client provides their product(s) or service(s) at temporary sites, such sites shall be incorporated into the audit programs. 5.9.2 Temporary sites could range from major project management sites to minor service/installation sites. The need to visit such sites and the extent of sampling should be based on an evaluation of the risks of the failure of the QMS to control product or service output or the EMS to control environmental aspects and impacts associated with the client's operations. The sample of sites selected should represent the range of the client’s competency needs and service variations having given consideration to sizes and types of activities, and the various stages of projects in progress and associated environmental aspects and impacts. 5.9.3 Typically on-site audits of temporary sites would be performed. 
However, the following methods could be considered as alternatives to replace some on-site audits: − interviews or progress meetings with the client and/or its customer in person or by teleconference; − document review of temporary site activities; − remote access to electronic site(s) that contains records or other information that is relevant to the assessment of the management system and the temporary site(s); − use of video and teleconference and other technology that enable effective auditing to be conducted remotely.


5.9.4 In each case, the method of audit should be fully documented and justified in terms of its effectiveness.

5.10 MULTI-SITE AUDIT DURATION

5.10.1 In the case of multi-site audits, the starting point for calculating audit duration for each site shall be consistent with Table QMS 1, and Figure QMS 1 for quality management systems and Table EMS 1 for environmental management systems. However reductions can be made taking into account situations where certain management system processes are not relevant to the site and are the primary responsibility of the controlling site.

5.10.2 Requirements for multi-site audits are covered in more detail in IAF MD1 for certification of multiple sites based on sampling. In this case, MD1 shall be used to select sites to be sampled prior to applying MD5 to each selected site.

5.11 QUALITY MANAGEMENT SYSTEMS

Table QMS 1 – Quality Management Systems Relationship between Effective Number of Personnel

Effective Number of Personnel    Audit Duration Stage 1 + Stage 2 (days)
1-5                              1.5
6-10                             2
11-15                            2.5
16-25                            3
26-45                            4
46-65                            5
66-85                            6
86-125                           7
126-175                          8
176-275                          9
276-425                          10
426-625                          11
626-875                          12
876-1175                         13
1176-1550                        14
1551-2025                        15
2026-2675                        16
2676-3450                        17
3451-4350                        18
4351-5450                        19
5451-6800                        20
6801-8500                        21
8501-10700                       22
>10700                           Follow progression above

Note 1: The numbers of employees in Table QMS 1 should be seen as a continuum rather than a stepped change.


Note 2: The CAB’s procedure may provide for audit duration for a number of employees exceeding 10700. Such audit duration should follow the progression in Table QMS 1 in a consistent fashion.

Figure QMS 1 – Relationship between Complexity and Audit Duration

[Figure: four-quadrant chart. Vertical axis: Organization Distribution. Horizontal axis: Client System Complexity. Centre: Starting point from Auditor Time Chart.
Large Simple: Multi-site, Few processes, Repetitive processes, Small scope.
Large Complex: Multi-site, Many processes, Large scope, Unique processes, Design responsible.
Small Simple: Few processes, Small scope, Repetitive processes.
Small Complex: Many processes, Design responsible, Large scope, Unique processes.]


5.12 ENVIRONMENTAL MANAGEMENT SYSTEMS

Table EMS 1 – Relationship between Effective Number of Personnel, Complexity and Audit Duration (Initial Audit only)

                                 Audit Duration Stage 1 + Stage 2 (days)
Effective Number of Personnel    High    Med     Low     Lim
1-5                              3       2.5     2.5     2.5
6-10                             3.5     3       3       3
11-15                            4.5     3.5     3       3
16-25                            5.5     4.5     3.5     3
26-45                            7       5.5     4       3
46-65                            8       6       4.5     3.5
66-85                            9       7       5       3.5
86-125                           11      8       5.5     4
126-175                          12      9       6       4.5
176-275                          13      10      7       5
276-425                          15      11      8       5.5
426-625                          16      12      9       6
626-875                          17      13      10      6.5
876-1175                         19      15      11      7
1176-1550                        20      16      12      7.5
1551-2025                        21      17      12      8
2026-2675                        23      18      13      8.5
2676-3450                        25      19      14      9
3451-4350                        27      20      15      10
4351-5450                        28      21      16      11
5451-6800                        30      23      17      12
6801-8500                        32      25      19      13
8501-10700                       34      27      20      14
>10700                           Follow progression above

Note 1: Audit duration is shown for high, medium, low and limited complexity audits.

Note 2: The numbers of personnel in Table EMS 1 should be seen as a continuum rather than a stepped change.

Note 3: The CAB’s procedure may provide for audit duration for a number of personnel exceeding 10700. Such audit duration should follow the progression in Table EMS 1 in a consistent fashion.


Table EMS 2 – Examples of Linkage between Business Sectors and Complexity Categories of Environmental Aspects

Complexity Category: High
Business Sector:
– mining and quarrying
– oil and gas extraction
– tanning of textiles and clothing
– pulping part of paper manufacturing, including paper recycling processing
– oil refining
– chemicals and pharmaceuticals
– primary productions – metals
– non-metallics processing and products covering ceramics and cement
– coal-based electricity generation
– civil construction and demolition
– hazardous and non-hazardous waste processing, e.g. incineration, etc.
– effluent and sewerage processing

Complexity Category: Medium
Business Sector:
– fishing/farming/forestry
– textiles and clothing except for tanning
– manufacturing of boards, treatment/impregnation of wood and wooden products
– paper production and printing, excluding pulping
– non-metallics processing and products covering glass, clay, lime, etc.
– surface and other chemically-based treatment for metal fabricated products, excluding primary production
– surface and other chemically-based treatment for general mechanical engineering
– production of bare printed circuit boards for electronics industry
– manufacturing of transport equipment – road, rail, air, ships
– non-coal-based electricity generation and distribution
– gas production, storage and distribution (note: extraction is graded high)
– water abstraction, purification and distribution, including river management (note: commercial effluent treatment is graded as high)
– fossil fuel wholesale and retail
– food and tobacco processing
– transport and distribution by sea, air, land
– commercial estate agency, estate management, industrial cleaning, hygiene cleaning, dry cleaning normally part of general business services
– recycling, composting, landfill (of non-hazardous waste)
– technical testing and laboratories
– healthcare/hospitals/veterinary
– leisure services and personal services, excluding hotels/restaurants

Complexity Category: Low
Business Sector:
– hotels/restaurants
– wood and wooden products, excluding manufacturing of boards, treatment and impregnation of wood
– paper products, excluding printing, pulping, and paper making
– rubber and plastic injection moulding, forming and assembly, excluding manufacturing of rubber and plastic raw materials that are part of chemicals
– hot and cold forming and metal fabrication, excluding surface treatment and other chemical-based treatments and primary production
– general mechanical engineering assembly, excluding surface treatment and other chemical-based treatments
– wholesale and retail
– electrical and electronic equipment assembly, excluding manufacturing of bare printed circuit boards

Complexity Category: Limited
Business Sector:
– corporate activities and management, HQ and management of holding companies
– transport and distribution management services with no actual fleet to manage
– telecommunications
– general business services, except commercial estate agency, estate management, industrial cleaning, hygiene cleaning, dry cleaning
– education services

Complexity Category: Special Cases
Business Sector:
– nuclear
– nuclear electricity generation
– storage of large quantities of hazardous material
– public administration
– local authorities
– organizations with environmental sensitive products or services, financial institutions


Complexity Categories of Environmental Aspects

The provisions specified in this document are based on five primary complexity categories of the nature and gravity of the environmental aspects of an organization that fundamentally affect the auditor time. These are:

High – environmental aspects with significant nature and gravity (typically manufacturing or processing type organizations with significant impacts in several of the environmental aspects);
Medium – environmental aspects with medium nature and gravity (typically manufacturing organizations with significant impacts in some of the environmental aspects);
Low – environmental aspects with low nature and gravity (typically organizations of an assembly type environment with few significant aspects);
Limited – environmental aspects with limited nature and gravity (typically organizations of an office type environment);
Special – these require additional and unique consideration at the audit planning stage.

Table EMS 1 covers the above four top complexity categories: high, medium, low and limited. Table EMS 2 provides the link between the five complexity categories above and the industry sectors that would typically fall into that category. The CAB should recognise that not all organizations in a specific sector will always fall in the same complexity category. The CAB should allow flexibility in its contract review procedure to ensure that the specific activities of the organization are considered in determining the complexity category. For example, even though many businesses in the chemical sector should be classified as “high complexity”, an organization which would have only a mixing free from chemical reaction or emission and/or trading operation could be classified as “medium” or even “low complexity”. The CAB shall document all cases where they have lowered the complexity category for an organization in a specific sector. Table EMS 1 does not cover the “special complexity” category and the audit duration shall be developed and justified on an individual basis in these cases.


Chapter 6. IAF Mandatory Document for Harmonization of Sanctions to be applied to Conformity Assessment Bodies (MD 7:2010)

This document is mandatory for the consistent application of Clause 7.13 of ISO/IEC17011:2004 under specific circumstances described in this document. This document does not supersede any of the requirements of that standard.

6.0 INTRODUCTION

6.0.1 Under ISO/IEC 17011, Accreditation Bodies (ABs) are required to have procedures for suspension, withdrawal or reduction of the accreditation scope (refer to ISO/IEC 17011 Clause 7.13.1).

6.0.2 The intention of this document is to clarify the situations where the sanctions shall be applied to applicant or accredited Conformity Assessment Bodies (CABs) and the subsequent necessary communication which shall be taken by ABs.

6.0.3 The following are applicable not only to the scope of the IAF MLA but also to any other IAF accreditation activities, not just the management system certification. Other situations are at individual AB’s discretion.

6.0.4 Clause 6.2 states some situations that frequently lead to sanctions by an AB and Clause 3 describes sanctions that are normally applied progressively by an AB.

6.0.5 6.4 and 6.5 describe specific instances in which there shall be a harmonized approach by all ABs.

6.1 REFERENCES

1) ISO/IEC 17011 Conformity assessment – General requirements for accreditation bodies accrediting conformity assessment bodies.
2) IAF-ILAC JGA 2007 Sydney Resolution 7 (Refer to Annex A)

6.2 INITIATION OF SANCTIONS

Situations that lead to sanctions being applied to applicant or accredited CABs include, but are not limited to the following:
• Failure to resolve nonconformities in accordance with an AB’s procedures;
• Negative outcome of a complaint investigation;
• Misuse/misrepresentation of an accreditation symbol (see ISO/IEC 17011 clause 8.3.3 and NOTE);
• Non-payment of fees.

6.3 SANCTIONS AVAILABLE

Sanctions available include, but are not limited to:
• Intensification of surveillance (office, witness or document review);
• Reduction of accreditation scope (including geographical scope);
• Suspension;
• Withdrawal;
• Public notice of scope reduction/suspension/withdrawal/misrepresentation of accreditation;
• Legal actions.

NOTE 1: Application of sanctions outlined in this document does not preclude legal action by third parties, regulators, public authorities or any other interested parties.

NOTE 2: Under ISO/IEC 17011 Clause. 8.1.1.(g), there is provision for an AB to refuse services if an AB perceives that any known violation of laws and regulations by the CAB would bring the AB into disrepute.

6.4. SPECIFIC HARMONIZED SANCTIONS

The following are situations requiring specific sanctions by the AB:

6.4.1 Where there is proven evidence of fraudulent behavior, or the CAB intentionally provides false information, or the CAB deliberately violates accreditation rules, the AB shall initiate its process for withdrawal of accreditation.

6.4.2 Where a CAB is providing certification to any standard used as a basis for accrediting CABs (e.g. ISO/IEC 17025 or ISO 15189), the AB shall initiate its process for suspension of accreditation, as this behaviour of the CAB will put the AB, against its will, in the condition of providing the same service that a CAB performs, in violation of Clause 4.3.6 of ISO/IEC 17011. Further decisions shall be based on the actions taken by the CAB.


NOTE: The action detailed in this mandatory document does not override the CAB’s right to appeal against a decision as described in ISO/IEC 17011 Clause 7.10.

6.5 COMMUNICATION

In each of the situations mentioned in Clauses 6.4.1 and 6.4.2 that lead to suspension or withdrawal of accreditation and after any appeal decision in accordance with the AB’s appeals procedures, the AB shall notify the IAF Secretariat of this decision and the reasons. The IAF Secretary shall then communicate the decision and status to all IAF Member ABs in the following format: “[Name of AB] [state the action as ‘withdrew’ or ‘suspended’] accreditation of [Name of CB] on [date] for [state the proven offence]”.

6.6 Reference

Annex A. IAF-ILAC JGA Sydney Resolution 7 – Certification to accreditation standards


Chapter 7. ASSESSMENT OF CERTIFICATION BODY MANAGEMENT OF COMPETENCE IN ACCORDANCE WITH ISO/IEC17021:2011 (MD 10:2013)

7.1 INTRODUCTION

The aim of this document is to provide a harmonised approach to how Accreditation Bodies assess a Certification Body (CB)’s management of competence in accordance with ISO/IEC 17021:2011.

7.2 DEFINITIONS

For the purposes of this document the following definitions shall apply:

7.2.1 Certification process
the entirety of functions relating to certification from receipt of application to the granting and maintenance of certification

7.2.2 Certification function
a stage of the certification process, for example, application review, audit, certification decision (ref; ISO/IEC 17021:2011 Annex A)

7.2.3 Intended results
the outputs of a certification function that comply with the requirements of ISO/IEC 17021:2011 and the objectives of the CB’s certification process

7.3 GENERAL

7.3.1 The AB shall verify that the CB can demonstrate that all personnel involved in performing certification functions have the required competence.

7.3.2 The AB shall verify that the CB has defined its certification process and the intended results to be achieved for each certification function. The AB’s evaluation of the CB’s competence shall be based on:
(a) the CB’s documented process for determining competence criteria;
(b) the outcomes of the process for determining competence criteria;
(c) the CB’s evaluations of its personnel; and


(d) taking account of the intended results of each certification function and whether, or not, these have been achieved.

7.3.3 The certification functions for which the AB shall verify that the CB has determined competence criteria, include, but are not limited to, the following:
(a) Application review (see example in 3.5 below);
(b) Establishing the audit program;
(c) Scheduling of audits;
(d) Allocation of audit teams;
(e) Auditing and reporting;
(f) Report reviews and certification decisions; and
(g) Maintenance of certification.

Annex B of this document is informative and provides examples of intended results from the above certification functions. The CB may identify other intended results from these certification functions.

7.3.4 The AB shall verify that the CB has determined competence criteria for:
(a) Management overseeing the certification process;
(b) Members of its committee for safeguarding impartiality;
(c) Personnel performing internal audits; and
(d) Personnel responsible for evaluating and monitoring the competence and performance of personnel performing certification functions.

7.3.5 The AB shall regard objective evidence of the CB achieving the intended results for all certification functions (see Annex A of this document) as an indication of the effectiveness of its processes for determining and evaluating competence. The AB shall regard objective evidence of the CB failing to achieve intended results for any certification functions as an indication that the processes for determining and evaluating competence may be ineffective.

Note: The failure of the CB to achieve the intended results for a particular certification function could also be an indication that the CB’s procedures for that function are ineffective or have not been implemented.

For example, in the case of the application review, to determine that the CB has competent audit team members, it can allocate and to determine the audit time, the AB shall verify that the CB:
a) has defined the intended results (see (d) below) for this function of the certification process;
b) has defined effective competence criteria for the personnel performing this function;
c) can provide objective evidence that the staff performing this function have demonstrated that they meet the competence criteria; and
d) that the output from this function of the certification process has achieved the intended results, by:

i) providing evidence that the technical area(s) of the organisation to be audited has/have been correctly allocated;
ii) providing evidence that the assigned auditors have the required competence for the appropriate technical area(s); and
iii) providing evidence that adequate time has been allocated for the audit, based on the review of information provided by the applicant/certified client and from previous audits.

7.3.6 The AB shall assess the process and procedures established by the CB to determine competence criteria and to evaluate competence to verify that personnel evaluated as competent consistently achieve the intended results for all certification functions.

7.3.7 The AB shall verify that the CB has appropriate records of the implementation of its processes for determining and evaluating competence and that the CB can demonstrate its evaluation methods are effective and achieve intended results consistently.

4. TECHNICAL AREAS

7.4.1 The AB shall verify that the CB has defined the technical areas for which it provides accredited certification and that these cover the total scope of the CB’s accreditation. It is the responsibility of the CB to determine the technical areas in which it operates, based on commonality of processes, environmental impacts and aspects, risk, etc.

(a) Technical areas do not necessarily need to be defined using scopes of accreditation. It is possible that a single scope of accreditation may comprise more than one technical area, for example QMS scope 38* Health and Social Work could comprise:
- Veterinary services
- Hospital services
- Medical and dental practices


- Care services
- Social work

Similarly, QMS scope 28* Construction may need to take account that it comprises activities ranging from painting and decorating to major construction and civil engineering projects.

* See IAF ID1:2010 Informative Document for QMS Scopes of Accreditation

(b) In some cases, a single technical area may relate to more than one scope of accreditation. For example, the manufacture of plastic bags for use in packaging could relate to both QMS scope 9 printing companies and QMS scope 14 rubber and plastics products.

7.4.2 The AB shall verify whether the documented technical area competence criteria of the CB:
(a) have been formulated in terms of competence (i.e. what are the required knowledge and skills for that technical area);
Note: In certain instances, for example in the case of a medical doctor, evidence of qualification and professional registration with the relevant national authority may be considered as part of the evidence of technical area competence.
(b) cover all the relevant aspects of that technical area; i.e. has all relevant knowledge (for example, legal requirements, processes, products, control techniques) for that technical area been identified.

7.4.3 The AB shall seek evidence that the CB is able to demonstrate competence in all certification functions across the whole of a technical area, by achieving the intended results for each certification function. The AB shall seek evidence that the CB has processes in place to ensure it can do so consistently.

7.5 DETERMINATION OF COMPETENCE CRITERIA

7.5.1 The AB shall verify that the CB has documented the expertise needed to establish and maintain the competence criteria for each technical area. This expertise may be provided by an external resource.


7.5.2 The AB shall verify that the CB’s process for determining competence criteria identifies the knowledge and skills necessary for personnel performing all certification functions in each of its technical areas and for each management system standard or specification.

(a) For some certification functions allocated to particular individuals, competence may be embedded in the design of the process. For example, the CB’s IT system may contain details of auditors and the technical areas for which they have been evaluated as competent and can nominate which auditors are competent to perform an audit of a particular organisation. Where this is the case, the AB shall verify that the CB’s process is appropriately controlled and capable of achieving intended results.
Note: Appropriate controls may include defining authority levels, password control etc.

(b) It is not necessary for personnel involved in reviewing applications, selecting audit teams, determining audit times, reviewing reports and making certification decisions to have the same depth of competence, in all areas, as auditors. For example, referring to Annex A of ISO/IEC 17021, personnel reviewing reports and making certification decisions are required to have equivalent competence to that of auditors in knowledge of the CB’s processes, but not in knowledge of the client’s business sector or knowledge of audit principles, practices and techniques.

(c) Individuals assigned to perform certification functions need not necessarily each have all the required competencies, providing the CB can demonstrate that it has the collective competence to perform those functions. For example, the certification decision maker may not be competent in all of the client’s business sector, but if the report has been reviewed by an independent technical expert the collective competence may be evident.

(d) The competence required in an audit team may differ depending on the scope of the audit.
For example, the scope of a surveillance visit may be narrower than that for an initial assessment. The AB shall verify that the CB has a process which ensures audit teams have the collective competence necessary to audit for particular visits.

7.6 EVALUATION PROCESSES

7.6.1 The AB shall verify that the CB has documented processes for initially evaluating the competence and evaluating the continued competence of all personnel involved in the management and performance of all certification functions. The AB shall seek objective evidence that the CB has evaluated these personnel in accordance with its own documented processes.

(a) Annex B of ISO/IEC 17021, being informative and not normative, provides useful guidance on some methods that may be used by a CB to evaluate competence. However, the CB is free to use other methods of evaluating competence. Whichever methods the CB uses to evaluate competence, the AB shall verify that the CB can demonstrate that these methods are effective in demonstrating competence.

(b) The CB may take into account, but not solely rely on, a history of proven ability of personnel achieving intended results for the tasks they have been assigned. The AB shall verify that this proven ability is based on the CB performing an evaluation of the outputs from the appropriate certification function, for example, records, reports or other information, which can contribute to the evidence that personnel have the knowledge and skills required by the documented competence criteria.

7.6.2 The AB shall verify that where the CB employs external and new personnel who may have been evaluated as competent by another accredited CB, it performs its own evaluation of those personnel against its own competence criteria. However, the CB may take the evaluation (when the complete records of the evaluation are available) by the other accredited CB into account, but not solely rely on it, when performing its own evaluation.

7.6.3 Certification in a personnel certification scheme, accredited to ISO/IEC 17024 may be used as demonstrating the competence of personnel, to the extent covered by the scope of the scheme. The AB shall seek evidence that the CB has determined which of its competence criteria are not covered by the scope of the personnel certification scheme and that the CB has performed its own evaluation against these criteria.

7.6.4 Where a personnel certification scheme is not accredited it may be used only as an indication that personnel have certain knowledge and skills, and the AB shall verify that the CB has performed its own evaluation of competence against the criteria covered by the scheme.

7.6.5 The AB shall verify the CB is able to identify where an individual ceasing to be available to the CB has an impact on the overall competence of the CB. For example, it is possible that an auditor, competent in a specific technical area, leaving the employment of a CB could result in it no longer being able to demonstrate competence in a particular technical area. Under such circumstances the AB shall seek evidence that the CB has identified the limitations to its overall competence and the effect on existing certifications.

7.7. Reference

ANNEX B. Examples of intended results from certification functions – INFORMATIVE


Chapter 8. IAF MANDATORY DOCUMENT FOR THE APPLICATION OF ISO/IEC 17021 FOR AUDITS OF INTEGRATED MANAGEMENT SYSTEMS (MD 8:2011)

This document is mandatory for the consistent application of ISO/IEC 17021 by Certification Bodies (CBs) for planning and delivery of Audits of Integrated Management Systems (IMS).

8.0 INTRODUCTION

8.0.1. This document provides requirements for the application of ISO/IEC 17021 for the planning and delivery of audits of IMS and, if appropriate, the certification of an organization’s management system(s) against two or more sets of audit criteria/standards. All clauses of ISO/IEC 17021 continue to apply and this document does not add to or supersede any of the requirements in that standard.

8.0.2 This document may not be applicable to ISO 9001 based sector-specific standards.

8.0.3 It shall be noted that the Annex at the end of this document is also part of the requirements and shall be read as such.

1. DEFINITIONS

For the purposes of this document, the following definitions apply:

8.1.1 Audit of Integrated Management System
An audit of an organization’s management system against two or more sets of audit criteria/standards conducted at the same time.

8.1.2 Integrated Management System
A single management system managing multiple aspects of organizational performance to meet the requirements of more than one management standard, at a given level of integration (8.1.3). A management system may range from a combined system adding separate management systems for each set of audit criteria/standard, to an Integrated Management System, sharing in single system documentation, management system elements, and responsibilities.


8.1.3 Level of Integration
The level to which an organization uses one single management system to manage multiple aspects of organizational performance to meet the requirements of more than one management system standard. Integration relates to the management system being able to integrate documentation, appropriate management system elements and responsibilities in relation to two or more sets of audit criteria/standards.

Note: Audit criteria are intended to mean management system standards used as a basis for conformity assessment and certification (e.g. ISO 9001, ISO 14001, ISO/IEC 20000, ISO 22000, ISO/IEC 27001, etc.).

8.2. APPLICATION

8.2.1 The Certification Body shall ensure that:

8.2.1.1 In establishing the audit program the level of integration of the management system(s) is considered.

8.2.1.2 Audit plans cover all areas and activities applicable to each management system standard/specification covered by the scope of the audit and are addressed by competent auditor(s).

8.2.1.3 The audit team as a whole shall satisfy the competence requirements, established by the Certification Body, for each technical area, as relevant for each management system standard/specification covered by the scope of the audit of an IMS.

8.2.1.4 The audit shall be managed by a team leader, competent in at least one of the audited standards/specifications.

8.2.1.5 Sufficient time is allocated to accomplish a complete and effective audit of the organization’s management system for the management system standards/specifications covered by the scope of the audit.

8.2.1.5.1 To determine the audit time for an audit of an IMS covering two or more management system standards/specifications, e.g. A + B + C, the Certification Body shall:
a) calculate the required audit time for each management system standard/specification separately (applying all relevant factors provided for by the relevant application documents and/or scheme rules for each standard, e.g., IAF MD5, ISO/TS 22003, ISO/IEC 27006);
b) calculate the starting point T for the duration of the audit of the IMS by adding the sum of the individual parts (e.g. T = A + B + C);
c) adjust the starting point figure by taking into account factors that may increase or reduce (see Annex 1) the time required for the audit.

The factors for reduction shall include but are not limited to:

i) The extent to which the organization’s management system is integrated; ii) The ability of the organization’s personnel to respond to questions concerning more than one management systems standard; and iii) The availability of auditor(s) competent to audit more than one management system standard/specification.

The factors for increases shall include but are not limited to:

i) The complexity of the audit of an IMS compared with single management system audits. d) inform the client that the duration of an IMS audit based on the declared level of integration of the organisation’s management system may be subject to adjustment on the basis of confirming the level of integration at stage one and subsequent audits. 8.2.1.5.2 Audit of an IMS could result in increased time, but where it results in re-duction, it shall not exceed 20% from the starting point T (2.1.5.1b). 8.2.1.5.3 The starting point figure and justification for increase or reduction shall be documented. 8.2.2 Existing application documents (e.g., IAF Mandatory Documents) relating to audits of management systems standards/specifications need to be considered when developing audit program and audit plans for an IMS.


8.2.3 All applicable requirements of each management system standard/specification relevant to the scope of the IMS shall be audited.

8.2.4 Audit reports can be integrated or separate, with respect to the management systems audited. Each finding raised in an integrated report shall be traceable to the applicable management system standard(s)/specification(s).

8.2.5 The Certification Body shall consider the impact that a nonconformity found for one of the management system standard(s)/specification(s) has on the compliance with the other management system standard(s)/specification(s).

8.3. INITIAL AUDIT AND CERTIFICATION

8.3.1 Client Application
This shall include information relating to the level of integration, including the level of integration of documents, management system elements and responsibilities (see Annex C).

8.3.2 Stage One Audit
During a Stage One Audit, the audit team shall confirm the level of integration of the IMS. The Certification Body shall review and modify, as necessary, the audit duration that was based on information provided at the application stage.

8.4. SURVEILLANCE AND RECERTIFICATION ACTIVITIES

The Certification Body shall confirm that the level of integration remains unchanged throughout the certification cycle to ensure that the established audit durations are still applicable.

8.5. SUSPENSION, REDUCTION, WITHDRAWAL

If certification to one or more management system standard(s)/specification(s) is subject to suspension, reduction or withdrawal the Certification Body shall investigate the impact of this on the certification to other management system standard(s)/specification(s).

8.6 Reference

Annex C. Reduction of audit time


Chapter 9. IAF MANDATORY DOCUMENT FOR ASSESSMENT OF CERTIFICATION ACTIVITIES FOR CROSS FRONTIER ACCREDITATION (MD 12:2013)

9.1. INTRODUCTION

9.1.1 This document is mandatory for the consistent application of Clause 7 of ISO/IEC 17011:2004 regarding an Accreditation Body (AB)’s assessment of Conformity Assessment Bodies (CABs) that provide certification in countries outside the country in which their head office is located. Aspects of cross frontier accreditation relating to cooperation between IAF Multilateral Recognition Arrangement (MLA) ABs are covered by IAF ML 4.

9.1.2 Clauses 7.5.7 and 7.5.8 of ISO/IEC 17011 prescribe requirements for ABs’ assessment of locations from which key activities are performed. Key activities are defined in IAF/ILAC A5 Clause 7.5. This document takes account of the AB’s responsibility for establishing that all of the CAB’s activities, within its scope of accreditation with that AB, not only key activities, conform to all requirements of the relevant conformity assessment standards, irrespective of where in the world these activities are performed.

9.1.3 This document takes account of the fact that some activities may not be performed at fixed office locations, but by remote personnel using the CAB Information Technology (IT) system.

9.2 DEFINITIONS

9.2.1 Accreditation Body
An accreditation body that is a member of IAF.

9.2.2 Fixed Office Location
The permanent premises where certification activities are performed and/or managed for the CAB, regardless of location and relationship with the CAB.

9.2.3 Other Activities
Certification functions that are not key activities.

9.2.4 Remote Personnel
The individuals, who may be internal or external, that perform certification activities for a CAB and do not work at a fixed office location.

9.3. IMPLEMENTATION

9.3.1 Data Collection
The AB shall require its accredited CABs to identify:
• Countries into which accredited certificates are issued and the number of certificates issued in each country;
• Countries in which the CAB operates from a fixed office location that performs any certification activities;
• Countries in which the CAB has remote personnel that perform any certification activities;
• Which fixed office locations are responsible for performing and/or managing key activities as defined in IAF/ILAC A5, or from where remote personnel performing key activities are managed; and
• The CAB’s arrangements for managing all activities that are performed from a foreign fixed office location or by remote personnel.

Note: The recording of this information is not for the purpose of granting prior permission to the CAB to issue certificates in a particular country, but to enable the AB to plan its assessment program for the CAB based on up-to-date knowledge of the full geographic scope of the CAB’s accredited activities.

9.3.2 Assessment Program
The AB shall have an assessment program, covering the current accreditation period, that enables it to confirm the CAB’s conformity with the requirements of the relevant conformity assessment standard(s), within the CAB’s scope of accreditation, irrespective of where certification activities are performed.

Note: As a consequence of the assessment output the AB may decide to limit or restrict the scope of a CAB’s accreditation to certain geographical areas or fixed office locations.

The program shall be developed to identify the activities and key activities to be assessed and the countries where these are performed and/or managed, taking account of the following:


• The relationship between the CAB and its foreign entities and subsidiaries;
• The CAB’s arrangements for managing its foreign certification activities;
• Whether the CAB holds accreditation from the local AB;
• The number of fixed office locations, undertaking certification activities, in each country;
• The number of remote personnel, undertaking certification activities, in each country;
• Where key activities are performed and managed or from where remote personnel performing key activities are managed;
• The range of certification activities performed, where they are performed and from where remote personnel are managed;
• The effectiveness of the CAB’s management controls of its certification activities;
• The accessibility of the CAB’s records;
• The availability of selected CAB personnel (internal and external) for interview;
• The number of certificates issued through a particular fixed office location;
• Schemes for which certification is granted through a particular fixed office location;
• Where a fixed office location manages other fixed office locations or remote personnel outside of their national boundaries;
• The number of different countries covered by remote personnel and how they are managed;
• The risks posed by the activities performed and/or managed and where they are performed and/or managed (Note: these may be non-key activities);
• The capability of the AB to conduct remote assessments;
• Social and cultural aspects of each country;
• The number and type of complaints;
• The effectiveness of the CAB’s oversight in controlling its foreign certification activities, including internal audits it performs on fixed office locations; and
• Where there is evidence of malpractice, such as misrepresentation by sales personnel, inappropriate relationships with consultants or ineffective oversight by the CAB.

The AB’s assessment program shall be reviewed annually to take account of changes to the information in 9.3.1 and changes to the above factors.

The personnel performing and managing certification activities are more important than where they are performed. The assessment program should include provision for interviews with a representative sample of the CAB’s personnel (internal and external) to enable the AB to confirm that the CAB’s certification activities, irrespective of where they are performed, meet the requirements of the relevant conformity assessment standard(s).

Remote assessment can be utilised instead of conducting on-site assessments, providing the outcomes of such assessments are equivalent to those of on-site assessments.

9.3.3 Initial Assessment
The initial assessment of the CAB shall include assessment of all fixed office locations, whatever the relationship with the CAB, where key activities are performed and/or managed, or from which remote personnel performing key activities are managed, and/or where records are maintained.

Where appropriate, the initial assessment shall also include assessment of selected fixed office locations, whatever the relationship with the CAB, where other activities covered by the requirements of the relevant conformity assessment standard(s) are performed, or from which personnel performing these activities are managed.

For extensions of scope, the AB shall determine an assessment program taking account of the factors in 3.2 and whether the extension is for a new main scope, a new sub-scope or within an accredited sub-scope. The assessment program does not necessarily need to include visits to each fixed office location.

9.3.4 Surveillance and Reassessment
For surveillance and reassessment, each fixed office location, whatever the relationship with the CAB, at which key activities are performed and/or managed or from which remote personnel performing key activities are managed and/or records are maintained, shall be assessed at least once in each accreditation cycle and in accordance with the AB’s assessment program.

The AB shall have a procedure for sampling fixed office locations, including remote personnel, where other activities are performed or from which personnel performing these activities are managed. The procedure shall ensure that a representative number of these locations are assessed within a defined timeframe.

9.4 Reference

D. Examples of the type of relationships a CAB may have with its foreign entities and subsidiaries – INFORMATIVE


[Annex A] IAF-ILAC JGA Sydney Resolution 7 – Certification to accreditation standards

The IAF and ILAC Joint General Assembly, acting on the recommendation of the JCCC, resolves that when a Conformity Assessment Body (CAB), accredited by an Accreditation Body (AB), is providing certification to any standard used as a basis for accrediting CABs (e.g. ISO/IEC 17025 or ISO 15189), the AB shall initiate its process for suspension of accreditation, as this behaviour of the CAB will put the AB, against its will, in the condition of providing the same service that a CAB performs, in violation of clause 4.3.6 of ISO/IEC 17011. Further decisions shall be based on the actions taken by the CAB. All IAF and ILAC AB members shall include a suitable provision on such a possibility in their contracts with CABs.

Note: It is accepted that a CAB may have to assess subcontractors to confirm that they meet the CABs’ requirements, which may include accreditation standards e.g. ISO/IEC 17025. Documentation issued to subcontractors as a result of a successful assessment should clearly state that this is only for the purposes of the subcontract and is not certification or accreditation in accordance with ISO/IEC 17011.


[Annex B] Examples of intended results from certification functions – INFORMATIVE

Certification function: Application review
Intended results:
· the scope falls within the competence of the CB;
· the proposed scope is accurately defined consistent with the products/service of the applicant and the management system;
· the technical area(s) of the organisation to be audited has/have been correctly identified and allocated;
· sufficient auditors have been assigned;
· the assigned auditors have the required competence for:
  i) the audit functions they are assigned, e.g. audit team leader;
  ii) the processes and operations they are assigned;
  iii) the relevant management system standard(s);
  iv) the certification scheme, where appropriate.
· adequate time has been allocated and justified for the audit, in line with IAF MD1 and IAF MD5 (for QMS and EMS) or other specific requirements for particular certification schemes, based on the review of information provided by the applicant/certified client.
· applications for transfer of certification are processed in line with the requirements of IAF MD 2.

Certification function: Establishing the audit programme
Intended results:
· the schedule for surveillance and recertification audits is in line with ISO/IEC 17021;
· correct application of IAF MD 1 for multiple sites.

Certification function: Scheduling of audits
Intended results:
· the audit program complies with ISO/IEC 17021;
· audit duration and dates have been agreed with the client.

Certification function: Allocation of audit teams
Intended results:
· the collective competence of the audit team is consistent with the products and processes of the client.

Certification function: Audit planning
Intended results:
· the audit plan is consistent with the proposed scope of certification and the type of audit and reflects the client’s organisation, processes and operation;
· the audit plan allocates sufficient time for a thorough audit;
· the audit team members are allocated tasks appropriate to their competence.


Certification function: Auditing and reporting
Intended results:
· audit execution is performed effectively:
  o opening and closing meetings are held;
  o audit evidence collection techniques are effective;
  o audit team members take adequate notes of audit evidence;
  o sampling techniques are used effectively;
  o audit team members reach conclusions consistent with the audit evidence.
· the content of the audit report fulfills the requirements of ISO/IEC TS 17022:2012.
· reaudits are performed when necessary.
· the certification recommendation is consistent with the audit findings, the audit scope and the scope of certification.

Certification function: Report reviews and certification decisions
Intended results:
· checking for any changes since the application review;
· confirming that the audit duration was correct;
· confirming that audit team members have been allocated audit tasks appropriate to their competence;
· confirming that the audit report fulfills the requirements of ISO/IEC TS 17022:2012;
· confirming that the recommendation is consistent with the audit findings;
· documentary evidence is available where the independent reviewer has had cause to discuss/clarify any aspect of the report content or associated recommendation.

Certification function: Maintenance of certification
Intended results:
· the audit program has been followed and surveillance and recertification functions have been performed in a timely manner;
· adequate sampling of surveillance reports for review;
· any changes have been reviewed and verified as not adversely affecting the certification;
· demonstrated escalation in the event of nonconformities that could lead to suspension or withdrawal of certification;
· timely recertification audits and recertification decisions prior to expiry.


[Annex C] REDUCTION OF AUDIT TIME

Figure C.1

Reduction in audit time (%), by level of integration % (rows) and ability to perform combined audit % (columns):

Level of integration %    0-20    20-40    40-60    60-80    80-100
80-100                    0       0        10       15       20
60-80                     0       5        10       15       15
40-60                     0       5        10       10       10
20-40                     0       5        5        5        5
0-20                      0       0        0        0        0

Figure C.1: This figure illustrates the reduction (%) in integrated audit duration and its relationship to:

Vertical axis: the level of integration of an organization’s management system (see below), which should include a consideration of the auditee’s ability to respond to multi-aspect questions.

An Integrated Management System results when an organization uses one single management system to manage multiple aspects of organizational performance. It is characterized by (but not limited to):
1. An integrated documentation set, including work instructions to a good level of development, as appropriate;
2. Management Reviews that consider the overall business strategy and plan;
3. An integrated approach to internal audits;
4. An integrated approach to policy and objectives;
5. An integrated approach to systems processes;
6. An integrated approach to improvement mechanisms, (corrective and preventive action; measurement and continual Improvement); and,
7. Integrated management support and responsibilities.

The Certification Body must decide the percentage level of integration based upon the extent to which the organization’s management system meets the above criteria.

And

Horizontal axis: The extent, given as a ratio to be multiplied by a factor of 100 in order to achieve the extent given as percentage, to which individual audit team members are qualified:

$$100 \times \frac{(X_1-1) + (X_2-1) + (X_3-1) + \dots + (X_n-1)}{Z(Y-1)}$$

Where $X_1, X_2, X_3, \dots, X_n$ is the number of standards for which an auditor is qualified relevant for the scope of the integrated audit; $Y$ is the number of management system standards to be covered by integrated audit; $Z$ is the number of auditors.

Example: An integrated audit team of three auditors covering three different management system standards. One auditor is qualified for all three standards; one auditor is qualified for two of the standards and the other auditor is qualified for one standard. The percentage figure to be used for the horizontal axis is:

$$100 \times \frac{(3-1) + (2-1) + (1-1)}{3(3-1)} = 50\,\%$$

Due to available competence of each auditor to more than one set of audit criteria/standards, efficiencies are gained and go into the calculation of the possible reduction of time in the formula above. These include:


1. Time saved due to one opening and one closing meeting;
2. Time saved as one integrated audit report is produced;
3. Time saved in optimized logistics;
4. Time saved in auditor team meetings; and,
5. Time saved auditing common elements simultaneously, e.g. document control.


[Annex D] Examples of the type of relationships a CAB may have with its foreign entities and subsidiaries – INFORMATIVE

This informative Annex provides some examples of the type of relationships a CAB may have with its foreign entities and subsidiaries:

- A wholly or majority (partly) owned regional subsidiary which controls and manages a number of subsidiaries;
  Note: This may be a separate entity which is wholly or majority (partly) owned by the CAB.

- A wholly or majority (partly) owned subsidiary or branch of the CAB, either in its own country or in another country;
  Note: This may be a separate entity which is wholly or majority (partly) owned by the CAB.

- A joint venture company, in which the CAB is a partner;

- A wholly or majority (partly) owned subsidiary of a joint venture company;
  Note: This may be a separate entity which is wholly or majority (partly) owned by the joint venture company.

- A representative, agency, franchisee or sales office of the CAB, a wholly or majority (partly) owned subsidiary of the CAB or a joint venture company;

- Any separate entity that has contractual relationship with the CAB for performing certification activities.


Additional Clause

1. This document takes effect from the announcement date.

Additional Clause <Notification no.2015-27, April 15, 2015>

1. This guide shall come into effect from April 15, 2015.