KOREA ACCREDITATION BOARD KAB Accreditation Advisory (2) : IAF Criteria Document No.: KAB-A-02 Issue No.: 4 Issue Date: April 26, 2016

  • KOREA ACCREDITATION BOARD

    KAB Accreditation Advisory (2) : IAF Criteria

    Document No.: KAB-A-02

    Issue No.: 4

    Issue Date: April 26, 2016

  • ISSUE No.4 April 26, 2016 2 / 77

    KAB Accreditation Advisory (2) : IAF Criteria KAB-A-02

    Contents

    1. Certification of Multiple Sites Based on Sampling (MD 1:2007)

    2. The Transfer of Accredited Certification of Management Systems (IAF MD 2:2007)

    3. Advanced Surveillance and Recertification Procedures (IAF MD 3:2008)

    4. The use of Computer Assisted Auditing Techniques (“CAAT”) for Accredited Certification of Management Systems (IAF MD 4:2008)

    5. Duration of QMS and EMS Audits (IAF MD 5:2015)

    6. Harmonization of Sanctions to be applied to Conformity Assessment Bodies (MD 7:2010)

    7. Assessment of certification body management of competence in accordance with ISO/IEC 17021:2011 (MD 10:2013)

    8. The application of ISO/IEC 17021 for audits of integrated management systems (MD 11:2013)

    9. Assessment of certification activities for cross frontier accreditation (MD 12:2016)

    [Annexes]

    A. IAF-ILAC JGA Sydney Resolution 7 – Certification to accreditation standards

    B. (INFORMATIVE) Examples of intended results from certification functions

    C. Reduction of audit time

    D. (INFORMATIVE) Examples of the type of relationships a CAB may have with its foreign entities and subsidiaries

    E. QMS audit time

    F. EMS audit time

    Additional Clause

    Foreword

    1. This guide, prepared by KAB to supplement the requirements for bodies that provide audit and certification services, provides the details necessary for KAB’s accreditation activities in accordance with ISO/IEC 17011 (Conformity assessment -- General requirements for accreditation bodies accrediting conformity assessment bodies) and IAF documents.

    2. Certification bodies that wish to be accredited by KAB or maintain accreditation shall comply with the following criteria as well as the applicable accreditation criteria based on ISO/IEC 17021:2011 (Conformity assessment -- Requirements for bodies providing audit and certification of management systems) or ISO/IEC 17024 (Conformity assessment -- General requirements for bodies operating certification of persons):

    KAB Accreditation Advisory (1) : KAB Criteria (KAB-A-01)

    KAB Accreditation Advisory (2) : IAF Criteria (KAB-A-02)

    3. IAF published IAF Guidance Documents (GD) and Mandatory Documents (MD) to ensure that accreditation programs are conducted in a consistent and equal way when accreditation bodies accredit certification bodies. Certification bodies accredited by KAB, which is an IAF signatory member, shall comply with IAF GDs and MDs for the consistent application of international standards.

    4. The term “shall” is used throughout this document to indicate provisions that are mandatory. The term “should” is used to indicate means that, although not mandatory, are recognised ways of meeting the requirements of the Mandatory Documents set out by IAF.

    5. If a certification body does not follow the criteria developed by KAB or IAF exactly, it may obtain or maintain accreditation only when it can justify that its measures satisfy the intention of the criteria. These criteria can be revised at any time as international standards or IAF’s criteria are revised.

    Chapter 1. Certification of Multiple Sites Based on Sampling (MD 1:2007)

    This document is mandatory for the consistent application of Clause 9.1.5. of ISO/IEC

    17021:2006 and this document does not supersede any of the requirements in that standard.

    1.0 INTRODUCTION

    1.0.1 This document is for the audit and, if appropriate, the certification of management

    systems in organizations with a network of sites to ensure that the audit provides adequate

    confidence in the conformity of the management system to the relevant standard across all

    sites listed and that the audit is both practical and feasible in economic and operative terms.

    1.0.2 Normally initial audits for certification and subsequent surveillance and recertification

    audits should take place at every site of the organization that is to be covered by the

    certification. However, where an organization’s activity subject to certification is carried out in a

    similar manner at different sites, all under the organization’s authority and control, a

    certification body may put into operation appropriate procedures for sampling the sites at the

    initial audit and subsequent surveillance and recertification audits. This document addresses

    the conditions under which this is acceptable for accredited certification bodies including the

    calculation of sample size and audit duration.

    1.0.3 This document does not apply to the audits of organizations that have multi-sites where

    fundamentally dissimilar processes or activities are used at the different sites, or a combination

    of sites, even though they may be under the same management system. The conditions under

    which certification bodies can make any reduction in the normal full audit of every site in these

    circumstances have to be justified at each site where a reduction is proposed.

    1.0.4 This document is applicable to accredited certification bodies that employ sampling in

    their audit and certification of multi-site organizations. Nevertheless an accredited

    certification body may exceptionally deviate from this document under condition it is able to

    produce relevant justifications. These justifications shall, under evaluation by the

    accreditation body, demonstrate that the same level of confidence in the conformity of the

    management system across all the sites listed can be obtained.

    1.1 DEFINITIONS

    1.1.1 Organization

    The term organization is used to designate any company or other organization owning a

    management system subject to audit and certification.

    1.1.2 Site

    A site is a permanent location where an organization carries out work or a service.

    1.1.3 Temporary Site

    A temporary site is one set up by an organization in order to perform specific work or a service for a finite period of time and which will not become a permanent site (e.g. a construction site).

    1.1.4 Additional Sites

    A new site or group of sites that will be added to an existing certified multi-site network.

    1.1.5 Multi-site Organization

    A multi-site organization is defined as an organization having an identified central function

    (hereafter referred to as a central office – but not necessarily the headquarters of the

    organization) at which certain activities are planned, controlled or managed and a network of

    local offices or branches (sites) at which such activities are fully or partially carried out.

    1.2 APPLICATION

    1.2.1 Site

    1.2.1.1 A site could include all land on which activities under the control of an organization at

    a given location are carried out including any connected or associated storage of raw materials,

    by-products, intermediate products, end products and waste material, and any equipment or

    infrastructure involved in the activities, whether or not fixed. Alternatively, where required by

    law, definitions laid down in national or local licensing regimes shall apply.

    1.2.1.2 Where it is not practicable to define a location (e.g. for services), the coverage of the

    certification should take into account the organization’s headquarters activities as well as

    delivery of its services. Where relevant, the certification body may decide that the certification

    audit will be carried out only where the organization delivers its services. In such cases all the

    interfaces with its central office shall be identified and audited.

    1.2.2 Temporary Site

    1.2.2.1 Temporary sites that are covered by the organization's management system may be

    subject to audit on a sample basis to provide evidence of the operation and effectiveness of

    the management system. They may, however be included within the scope of a multi-site

    certification subject to agreement between the certification body and the client organization.

    Where included in the scope, such sites shall be identified as temporary.

    1.2.3 Multi-site Organization

    1.2.3.1 A multi-site organization need not be a unique legal entity, but all sites shall have a

    legal or contractual link with the central office of the organization and be subject to a common

    management system, which is laid down, established and subject to continuous surveillance

    and internal audits by the central office. This means that the central office has rights to

    require that the sites implement corrective actions when needed in any site. Where applicable

    this should be set out in the formal agreement between the central office and the sites.

    Examples of possible multi-site organizations are:

    ㆍOrganizations operating with franchises

    ㆍManufacturing companies with a network of sales offices (this document would apply to the

    sales network)

    ㆍService companies with multiple sites offering a similar service

    ㆍCompanies with multiple branches

    1.3 ELIGIBILITY OF AN ORGANIZATION FOR SAMPLING

    1.3.1 The processes at all the sites have to be substantially of the same kind and have to be operated to similar methods and procedures. Where some of the sites under consideration conduct similar, but fewer processes than others, they may be eligible for inclusion under multi-site certification providing that the site(s) which conduct the most processes, or critical processes are subject to full audit.

    1.3.2 Organizations which conduct their business through linked processes in different locations are also eligible for sampling providing all other provisions of this document are met. Where processes in each location are not similar but are clearly linked, the sampling plan shall include at least one example of each process conducted by the organization (e.g. fabrication of electronic components in one location, assembly of the same components – by the same company in several other locations).

    1.3.3 The organization’s management system shall be under a centrally controlled and

    administered plan and be subject to central management review. All the relevant sites

    (including the central administration function) shall be subject to the organization’s internal

    audit program and all shall have been audited in accordance with that program prior to the

    certification body starting its audit.

    1.3.4 It shall be demonstrated that the central office of the organization has established a

    management system in accordance with the relevant management system standard under

    audit and that the whole organization meets the requirements of the standard. This shall

    include consideration of relevant regulations.

    1.3.5 The organization should demonstrate its ability to collect and analyse data (including but not limited to the items listed below) from all sites including the central office, and also demonstrate its authority and ability to initiate organizational change if required:

    ㆍSystem documentation and system changes;

    ㆍManagement review;

    ㆍComplaints;

    ㆍEvaluation of corrective actions;

    ㆍInternal audit planning and evaluation of the results;

    ㆍChanges to aspects and associated impacts for environmental management systems (EMS); and

    ㆍDifferent legal requirements.

    1.3.6 Not all organizations fulfilling the definition of “multi-site organization” will be eligible for

    sampling.

    1.3.7 Not all management systems standards are suitable for consideration for multi-site

    certification. For example, multi-site sampling would be unsuitable where the audit of variable

    local factors is a requirement of the standard. Specific rules apply also for some schemes, for

    example those including automotive (TS 16949) and aerospace (AS 9100 series) and the

    requirements of such schemes shall take precedence.

    1.3.8 Certification bodies should have documented procedures to restrict such sampling where

    site sampling is inappropriate to gain sufficient confidence in the effectiveness of the

    management system under audit. Such restrictions should be defined by the certification body

    with respect to:

    ㆍScope sectors or activities (i.e. based on the assessment of risks or complexity associated

    with that sector or activity);

    ㆍSize of sites eligible for multi-site audit;

    ㆍVariations in the local implementation of the management system such as the need for

    frequent recourse to the use of plans within the management system to address different

    activities or different contractual or regulatory systems;

    ㆍUse of temporary sites that operate under the management system of the organization and

    which are not to be included within the scope of certification.

    1.4 RESPONSIBILITY OF THE CERTIFICATION BODY

    1.4.0.1. The certification body shall provide information to the organization about the

    application of this document and the relevant management system standards before starting

    the audit process, and should not proceed if any of the provisions are not met. Before starting

    the audit process, the certification body should inform the organization that the certificate will

    not be issued if during an initial audit nonconformities are found.

    1.4.1 Contract Review

    1.4.1.1 The certification body’s procedures should ensure that the initial contract review

    identifies the complexity and scale of the activities covered by the management system

    subject to certification and any differences between sites as the basis for determining the level

    of sampling.

    1.4.1.2 The certification body shall identify the central function of the organization with which

    it has a legally enforceable agreement for the provision of certification activities.

    1.4.1.3 The certification body shall check, in each individual case, to what extent sites of an

    organization operate substantially the same kind of processes according to the same

    procedures and methods. See clause 1.3.1 for sites which conduct fewer, but similar

    processes than other sites and clause 1.3.2 for sites involving linked processes. Only after a

    positive examination by the certification body that all the sites proposed for inclusion in the

    multi-site exercise meet the eligibility provisions may the sampling procedure be applied to the

    individual sites.

    1.4.1.4 If all the sites of a service organization where the activity subject to certification is

    performed are not ready to be submitted for certification at the same time, the organization

    shall be required to inform the certification body in advance of the sites that it wants to be

    included in the certification and those which are to be excluded.

    1.4.2 Audit

    1.4.2.1 The certification body shall have documented procedures to deal with audits under its

    multi-site procedure. Such procedures shall establish the way the certification body satisfies

    itself that the same management system governs the activities at all the sites, is actually

    applied to all the sites and that all the eligibility criteria for the organization in clause 1.3 above

    are met. This requirement also applies to a management system where electronic documents,

    process control or other electronic processes are used. The certification body shall justify and

    record the rationale for proceeding with a multi-site approach.

    1.4.2.2 If more than one audit team is involved in the audit or surveillance of the network, the

    certification body should designate a unique audit leader whose responsibility is to consolidate

    the findings from all the audit teams and to produce a synthesis report.

    1.4.3 Nonconformities

    1.4.3.1 When nonconformities, as defined in ISO/IEC 17021 clause 9.1.15 (b), are found at

    any individual site, either through the organization’s internal auditing or from auditing by the

    certification body, investigation should take place to determine whether the other sites may be

    affected. Therefore, the certification body should require the organization to review the

    nonconformities to determine whether they indicate an overall system deficiency applicable to

    other sites or not. If they are found to do so, corrective action should be performed and verified

    both at the central office and at the individual affected sites. If they are found not to do so, the

    organization should be able to demonstrate to the certification body the justification for limiting

    its follow-up corrective action.

    1.4.3.2 The certification body shall require evidence of these actions and increase its

    sampling frequency and/or the size of sample until it is satisfied that control is re-established.

    1.4.3.3 At the time of the decision making process, if any site has a nonconformity, as

    defined in ISO/IEC 17021 clause 9.1.15 (b), certification shall be denied to the whole network

    of listed sites pending satisfactory corrective action.

    1.4.3.4 It shall not be admissible that, in order to overcome the obstacle raised by the

    existence of a nonconformity at a single site, the organization seeks to exclude from the scope

    the "problematic" site during the certification process. Such exclusion can only be agreed in

    advance (See clause 1.4.1.4).

    1.4.4 Certification Documents

    1.4.4.1 Certification documents can be issued covering multiple sites provided that each site

    included in the scope of certification has either been individually audited by the certification

    body or audited using the sample approach outlined in this document.

    1.4.4.2 The certification body shall provide certification documents to the certified client by

    any means it chooses. Such certification documents shall comply in all respects with ISO/IEC

    17021.

    1.4.4.3 These documents shall contain the name and address of the central office of the organization and a list of all the sites to which the certification documents relate. The scope or other reference on these documents shall make clear that the certified activities are performed by the network of sites on the list. If the certification scope of the sites is only issued as part of the general scope of the organization, its applicability to all the sites shall be clearly stated. Where temporary sites are included in the scope, such sites shall be identified as temporary in the certification documents.

    1.4.4.4 Certification documents may be issued to the organization for each site covered by

    the certification under condition that they contain the same scope, or a sub-scope of that

    scope, and include a clear reference to the main certification documents.

    1.4.4.5 The certification documentation will be withdrawn in its entirety, if the central office or

    any of the sites does not fulfill the necessary provisions for the maintenance of the certification.

    1.4.4.6 The list of sites shall be kept updated by the certification body. To this effect, the

    certification body shall request the organization to inform it about the closure of any of the sites

    covered by the certification. Failure to provide such information will be considered by the

    certification body as a misuse of the certification, and it should act consequently according to

    its procedures.

    1.4.4.7 Additional sites can be added to an existing certification as the result of surveillance

    or recertification activities or enhancement of scope. The certification body shall have

    documented procedures for the addition of new sites.

    1.5 SAMPLING

    1.5.1 Methodology

    1.5.1.1 The sample should be partly selective based on the factors set out below and partly

    non-selective, and should result in a representative range of different sites being selected,

    without excluding the random element of sampling.

    1.5.1.2 At least 25% of the sample should be selected at random.

    1.5.1.3 Taking into account the provisions mentioned below, the remainder should be selected so that the differences among the sites selected over the period of validity of the certificate are as large as possible.

    1.5.1.4 The site selection may include among others the following aspects:

    ㆍResults of internal site audits and management reviews or previous certification audits;

    ㆍRecords of complaints and other relevant aspects of corrective and preventive action;

    ㆍSignificant variations in the size of the sites;

    ㆍVariations in shift patterns and work procedures;

    ㆍComplexity of the management system and processes conducted at the sites;

    ㆍModifications since the last certification audit;

    ㆍMaturity of the management system and knowledge of the organization;

    ㆍEnvironmental issues and extent of aspects and associated impacts for environmental management systems (EMS);

    ㆍDifferences in culture, language and regulatory requirements; and

    ㆍGeographical dispersion.

    1.5.1.5 This selection does not have to be done at the start of the audit process. It can also

    be done once the audit at the central office has been completed. In any case, the central office

    shall be informed of the sites to be included in the sample. This can be on relatively short

    notice, but should allow adequate time for preparation for the audit.

    1.5.2 Size Of Sample

    1.5.2.1 The certification body shall have a documented procedure for determining the sample

    to be taken when auditing sites as part of the audits and certification of a multi-site

    organization. This should take into account all the factors described in this document.

    1.5.2.2 The certification body shall have records on each application of multi-site sampling

    justifying it is operating in accordance with this document.

    1.5.2.3 The following calculation is an example based on a low to medium risk activity with fewer than 50 employees at each site. The minimum number of sites to be visited per audit is:

    ㆍInitial audit: the size of the sample should be the square root of the number of remote sites (y = √x), rounded to the upper whole number.

    ㆍSurveillance audit: the size of the annual sample should be the square root of the number of remote sites with 0.6 as a coefficient (y = 0.6√x), rounded to the upper whole number.

    ㆍRe-certification audit: the size of the sample should be the same as for an initial audit. Nevertheless, where the management system has proved to be effective over a period of three years, the size of the sample could be reduced by a factor 0.8, i.e. (y = 0.8√x), rounded to the upper whole number.

    1.5.2.4 The certification body should define within its management system the risk levels of activities as applied above.

    1.5.2.5 The central office shall be audited during every initial certification and recertification

    audit and at least annually as part of surveillance.

    1.5.2.6 The size or frequency of the sample should be increased where the certification body’s

    risk analysis of the activity covered by the management system subject to certification

    indicates special circumstances in respect of factors such as:

    ㆍThe size of the sites and number of employees (e.g. more than 50 employees on a site);

    ㆍThe complexity or risk level of the activity and of the management system;

    ㆍVariations in working practices (e.g. shift working);

    ㆍVariations in activities undertaken;

    ㆍSignificance and extent of aspects and associated impacts for environmental management

    systems (EMS);

    ㆍRecords of complaints and other relevant aspects of corrective and preventive action;

    ㆍAny multinational aspects; and

    ㆍResults of internal audits and management review.

    1.5.2.7 When the organization has a hierarchical system of branches (e.g. head (central) office,

    national offices, regional offices, local branches), the sampling model for initial audit as defined

    above applies to each level.

    Example:

    1 head office: visited at each audit cycle (initial or surveillance or recertification)

    4 national offices: sample = 2: minimum 1 at random

    27 regional offices: sample = 6: minimum 2 at random

    1700 local branches: sample = 42: minimum 11 at random.
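
The figures in the example above follow from clauses 1.5.1.2 and 1.5.2.3. The sketch below is an added example, not part of the KAB or IAF text; it reproduces those figures and draws a sample for one level. The function names and the per-site `risk` score (a stand-in for the selection aspects of clause 1.5.1.4) are assumptions.

```python
"""Multi-site sample sizes per clauses 1.5.1.2, 1.5.2.3 and 1.5.2.7 (added example)."""
import random
from fractions import Fraction
from math import isqrt

# Coefficient applied to sqrt(number of remote sites), clause 1.5.2.3.
COEFFICIENT = {
    "initial": Fraction(1),
    "surveillance": Fraction(6, 10),
    "recertification": Fraction(1),
    # Management system proved effective over a period of three years.
    "recertification_proven": Fraction(8, 10),
}
RANDOM_SHARE = Fraction(1, 4)  # clause 1.5.1.2: at least 25% selected at random


def _ceil_div(a, b):
    """Integer division rounded up."""
    return -(-a // b)


def sample_size(sites, audit="initial"):
    """Smallest whole y with y >= c * sqrt(sites), computed without floats.

    The central office is not counted here: it is audited at every initial
    and recertification audit and at least annually (clause 1.5.2.5).
    """
    if sites < 0:
        raise ValueError("number of sites cannot be negative")
    if sites == 0:
        return 0
    c = COEFFICIENT[audit]
    # y >= c * sqrt(x)  <=>  y^2 >= c^2 * x, and y^2 is a whole number.
    target = _ceil_div(c.numerator ** 2 * sites, c.denominator ** 2)
    return isqrt(target - 1) + 1  # ceiling of sqrt(target) for target >= 1


def min_random(sample):
    """Minimum number of sampled sites that must be picked at random."""
    return _ceil_div(RANDOM_SHARE.numerator * sample, RANDOM_SHARE.denominator)


def hierarchy_plan(levels, audit="initial"):
    """Apply the model to each level of a hierarchy (clause 1.5.2.7).

    levels maps a level name to its number of sites; the result maps the
    level name to (sample size, minimum picked at random).
    """
    plan = {}
    for name, count in levels.items():
        size = sample_size(count, audit)
        plan[name] = (size, min_random(size))
    return plan


def select_sites(sites, risk, audit="initial", rng=None):
    """Draw one level's sample: random quota first, then the selective part.

    risk is a hypothetical score per site id (higher = stronger reason to
    visit), standing in for the aspects listed in clause 1.5.1.4. Sites
    missing from risk are treated as score 0.
    """
    rng = rng or random.Random()
    size = sample_size(len(sites), audit)
    quota = min_random(size)
    random_pick = rng.sample(sorted(sites), quota)
    chosen = set(random_pick)
    remaining = [s for s in sites if s not in chosen]
    # Highest score first; the site id breaks ties so the result is stable.
    ranked = sorted(remaining, key=lambda s: (-risk.get(s, 0), s))
    return {"random": random_pick, "selective": ranked[: size - quota]}


if __name__ == "__main__":
    # Constructed input: the hierarchy used in the example of clause 1.5.2.7.
    print(hierarchy_plan({"national": 4, "regional": 27, "local": 1700}))
    regional = [f"R{i:02d}" for i in range(27)]  # constructed site ids
    print(select_sites(regional, {"R03": 9, "R11": 7}, rng=random.Random(1)))
```

Passing `audit="surveillance"` or `audit="recertification_proven"` applies the 0.6 and 0.8 coefficients of clause 1.5.2.3 to the same site counts.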

    1.5.3 Audit Times

    1.5.3.1 The audit time to spend for each individual site is another important element to

    consider, and the certification body shall be prepared to justify the time spent on multi-site

    audits in terms of its overall policy for allocation of audit time.

    1.5.3.2 The number of man-days per site, including the central office, should be calculated for

    each site using the most recently published IAF document for the calculation of man-days for

    the relevant standard.

    1.5.3.3 Reductions can be applied to take into account the clauses that are not relevant to the

    central office and/or the local sites. Reasons for the justification of such reductions shall be

    recorded by the certification body.

    Note: Sites which carry out the most or critical processes are not subject to reductions (clause

    1.3.1).

    1.5.3.4 The total time expended on initial assessment and surveillance is the total sum of the

    time spent at each site plus the central office and should never be less than that which would

    have been calculated for the size and complexity of the operation if all the work had been

    undertaken at a single site (i.e. with all the employees of the company in the same site).

    1.5.4 Additional Sites

    1.5.4.1 On the application of a new group of sites to join an already certified multi-site network,

    each new group of sites should be considered as an independent set for the determination of

    the sample size. After inclusion of the new group in the certificate, the new sites should be

    cumulated to the previous ones for determining the sample size for future surveillance or

    recertification audits.

    Chapter 2. The Transfer of Accredited Certification of Management Systems (IAF MD 2:2007)

    This document is mandatory for the consistent application of Clause 9.1.1. of ISO/IEC

    17021:2006 and this document does not supersede any of the requirements in that standard.

    2.0 INTRODUCTION

    2.0.1 This document provides normative criteria on the transfer of accredited management

    system certification between certification bodies. The criteria may also be applicable in the

    case of acquisitions of certification bodies accredited by an IAF MLA signatory.

    2.0.2 The objective of this document is to assure the maintenance of the integrity of accredited

    management system certifications issued by one certification body if subsequently transferred

    to another such body.

    2.0.3 The document provides minimum criteria for the transfer of certification. Certification

    bodies may implement procedures or actions which are more stringent than those contained

    herein provided that a client organization's freedom to choose a certification body is not unduly

    or unfairly constrained.

    2.1 DEFINITION

    2.1.1 Transfer of Certification

    The transfer of certification is defined as the recognition of an existing and valid management

    system certification, granted by one accredited certification body, (hereinafter referred to as the

    “issuing certification body”), by another accredited certification body, (hereinafter referred to as

    the “accepting certification body”) for the purpose of issuing its own certification.

    Note: Multiple certification, (concurrent certification by more than one certification body), does

    not fall under the definition above, and is not encouraged by IAF.

    2.2 MINIMUM REQUIREMENTS

    2.2.1 Accreditation

    Only certifications which are covered by an accreditation of an IAF MLA signatory shall be

    eligible for transfer. Organizations holding certifications that are not covered by such

    accreditations shall be treated as new clients.

    2.2.2 Pre-Transfer Review

    A competent person from the accepting certification body shall carry out a review of the

    certification of the prospective client. This review shall be conducted by means of a

    documentation review and should, normally, include a visit to the prospective client. Reasons

    for not conducting a visit shall be fully justified and documented and a visit shall be conducted

    if no contact can be made with the issuing certification body. The review should cover the

    following aspects and its findings shall be fully documented:

    • confirmation that the client’s certified activities fall within the accredited scope of the

    accepting certification body;

    • the reasons for seeking a transfer;

    • that the site or sites wishing to transfer certification hold an accredited certification that

    is valid in terms of authenticity, duration and scope of activities covered by the

    management system certification. If practical, the validity of certification and the status

    of outstanding nonconformities should be verified with the issuing certification body

    unless it has ceased trading. Where it has not been possible to communicate with the

    issuing certification body, the accepting certification body shall record the reasons;

    • A consideration of the last certification or recertification audit reports, subsequent

    surveillance reports and any outstanding nonconformities that may arise from them.

    This consideration shall also include any other available, relevant documentation

    regarding the certification process i.e. handwritten notes, checklists. If the last

    certification, recertification or subsequent surveillance audit reports are not made

    available or if the surveillance audit is overdue then the organisation shall be treated

    as a new client;

    • complaints received and action taken;

    • the stage in the current certification cycle. See Clause 2.2.3.4 of this document; and

    • any current engagement by the organisation with regulatory bodies in respect of legal

    compliance.

    2.2.3 Certification

    2.2.3.1 Normally, only valid accredited certification should be transferred. In cases where

    certification has been granted by a certification body which has ceased trading or whose

    accreditation has expired, been suspended or withdrawn, the accepting certification body may

    consider such a certification for transfer at its discretion. In such cases, before it proceeds with

    the transfer, the accepting certification body shall obtain agreement from the accreditation

    body, whose mark it intends to place on the certificate. In the case of acquisitions the acquiring

    certification body should, where practical, fulfil the contractual obligations of the acquired

    certification body.

    2.2.3.2 Certification which is known to have been suspended or under threat of suspension

    shall not be accepted for transfer. If the accepting certification body has not been able to verify

    the status of the certification with the issuing certification body, the organisation shall be

    required to confirm that the certificate is not suspended or under threat of suspension.

    2.2.3.3 Outstanding nonconformities should be closed out, if practical, with the issuing

    certification body, before transfer. Otherwise they shall be closed out by the accepting

    certification body.

    2.2.3.4 If no further outstanding or potential problems are identified by the pre-transfer review

    a certification may be issued following the normal decision making process. The programme of

    ongoing surveillance should be based on the previous certification regime unless the

    accepting certification body has conducted an initial or recertification audit as a result of the

    review.

    2.2.3.5 Where doubt continues to exist, after the pre-transfer review, as to the adequacy of a

    current or previously held certification, the accepting certification body shall, depending upon

    the extent of doubt, either:

    • treat the applicant as a new client

    or

    • conduct an audit concentrating on identified problem areas.

    The decision as to the action required will depend upon the nature and extent of any problems

    found and shall be explained to the organization and the justification for the decision shall be

    documented and the records maintained by the certification body.

    Chapter 3. IAF Mandatory Document for Advanced Surveillance and

    Recertification Procedures (IAF MD 3:2008)

    This document provides normative criteria for advanced surveillance and recertification

    procedures (ASRP) for consistent application of clause 9.1.1 of ISO/IEC 17021:2006 for

    determining subsequent adjustments to the audit program. This document addresses only

    Quality Management Systems (QMS) and Environmental Management Systems (EMS), in

    which IAF members have had experience of implementing ASRP or its predecessor

    methodologies. The use of ASRP is not mandatory, but if an accreditation body wishes to

    permit their accredited certification body and its client(s) to opt for the use of ASRP, it is a

    requirement of IAF that the certification body and its client(s) conform to this document and be

    able to demonstrate conformity to the accreditation body.

    3.0 INTRODUCTION

    3.0.1 For a client organization that has established confidence in its management system

    (QMS and/or EMS) by consistently demonstrating effectiveness over a period of time, the

    certification body, in consultation with the organization, may choose to apply the Advanced

    Surveillance and Recertification Procedures (ASRP) provided for in this document. Such an

    advanced surveillance and recertification program may place greater (but not total) reliance on

    the organization’s internal audit and management review processes, include targeted

    surveillance topics, take into account specific design input from the organization and/or use

    other methods as appropriate, to demonstrate conformity of the management system.

    3.0.2 The objective of this document is to assure the provision of more effective and efficient

    audits to organizations that have a proven performance record while at the same time

    maintaining the integrity of the accredited management system certificates they hold.

    3.0.3 This document states minimum requirements for the application of the ASRP.

    Certification bodies may implement procedures or actions which are more stringent than those

    contained herein provided that an organization's justifiable request for the ASRP is not unduly

    or unfairly constrained.

    3.1 MINIMUM REQUIREMENTS

    3.1.1 Prerequisite

    In order to utilize the ASRP, the certification body shall first demonstrate to an IAF MLA

    signatory accreditation body:

    a) That it has been operating an accredited certification scheme for the relevant management

    system (QMS and/or EMS) for a minimum of one complete accreditation cycle.

    b) That it is competent to design an ASRP program for each individual organization in the

    relevant management system (QMS and/or EMS), in accordance with the requirements of ISO

    9001:2000 clause 7.3 and using the design input criteria mentioned in clause 3.1.3.2 below.

    NOTE: Reference is made here to ISO 9001 since this specifies the requirements for the

    certification body to design a program for ASRP regardless of whether it is operating

    certification of QMS or EMS.

    3.1.2 Accreditation Scope

    The competence of the certification body to meet clause 3.1.1 (b) above shall be assessed by

    the accreditation body after which, if successful, specific reference to the approval for ASRP

    for QMS and/or EMS, as appropriate, shall be included in the certification body’s accreditation

    scope.

    3.1.3 Eligibility and Design Input Criteria

    The certification body shall inform the accreditation body prior to every new utilization of ASRP

    for each specific organization, and shall be able to demonstrate that the following criteria in

    clauses 3.1.3.1 and 3.1.3.2 have been satisfied:

    3.1.3.1 Eligibility Criteria

    a) The certification body shall confirm that the organization’s management system has been in

    demonstrated conformity with the requirements of the applicable standard(s) for a period of at

    least one complete certification cycle including initial, surveillance and recertification audits.

    NOTE: The certification body may base this confirmation of demonstrated conformity on the

    outcome of the first recertification audit (non-ASRP) of the organization conducted at the end

    of a three-year certification cycle.

    b) All nonconformities raised during the certification cycle immediately prior to the utilization of

    ASRP shall have been successfully resolved.

    c) For an EMS, the certification body shall confirm that the organization has established

    compliance with applicable legal requirements and has not had any sanctions imposed by the

    relevant regulatory authority(ies) for the period of a) above.

    d) The certification body shall have agreed suitable performance indicators with the

    organization, on which to judge the ongoing effectiveness of the management system, and

    shall ensure that the organization is consistently meeting agreed performance targets.

    (i) For a QMS, these performance indicators shall address, as a minimum, the organization’s

    demonstrated ability to consistently provide product that meets customer and applicable

    regulatory requirements (see ISO 9001:2000 clause 1.1), and shall incorporate requirements

    for the continual improvement of the effectiveness of the QMS.

    NOTE: For a QMS, “indicator”

    means the characteristic to be measured and “target” means the quantitative/qualitative

    requirements to be met.

    (ii) For an EMS, these performance indicators shall address, as a minimum, the organization’s

    demonstrated ability to achieve its environmental policy, objectives and targets and comply

    with applicable legal and other requirements related to its environmental aspects (see ISO

    14001:2004 clause 4.3.2), and shall incorporate requirements for the continual improvement

    and prevention of pollution.

    NOTE: For an EMS, “indicator” means the characteristic to be measured and “target” used in

    the context of performance target means the quantitative/qualitative requirements to be met,

    which is considered to be identical with “environmental target” as defined in ISO 14001.

    e) The certification body shall have enforceable arrangements with the organization to provide

    for access to relevant information. For a QMS, this information is all customer satisfaction data

    collected or otherwise available. For an EMS, this information is all relevant communication

    from external interested parties, and in particular the relevant regulatory authority(ies). When it

    becomes necessary for the certification body to communicate directly with the source of such

    information in order to validate the information, mutually agreed confidentiality policies and

    procedures shall be applied.

    f) The certification body shall verify that the organization’s internal audit process is being

    managed in accordance with the guidance of ISO 19011, with particular reference to auditor

    competence defined in clause 7. The internal audit process shall be sufficiently coordinated

    and integrated so as to provide an evaluation of the management system as a whole, not only

    the performance of individual components.

    g) The certification body shall have contractually enforceable arrangements to enable it to

    increase the scope, frequency and duration of its audits in the event of a deterioration of the

    organization’s ability to meet agreed performance targets.

    3.1.3.2 Design Input Criteria

    In addition to organization-specific input criteria, the design of each individual ASRP shall

    address the following:

    a) The frequency and duration of the certification body audits shall be sufficient to allow the

    certification body to conform with this criteria document including the following b) and c),

    among others.

    For each proposed utilization of ASRP, the certification body shall determine the base level

    (non-ASRP) auditor time using relevant IAF Guidance or Normative Criteria Documents, and, if

    applicable, IAF MD 1 for sampling of multi-sites. If the certification body plans an individual

    ASRP program that reduces the auditor time to less than 70% of this base-level, the

    certification body shall justify such reductions and seek specific approval from the accreditation

    body prior to its implementation.

    NOTE: IAF Mandatory Documents applicable to auditor time for QMS and EMS are under

    development. Until such documents become available, Annex 2 of IAF GD2 (and, where

    applicable, Annex 3) and Annex 1 of IAF GD6 (and, where applicable, clause G5.3.6) should

    continue to be applied to define the total audit time (Phase 1 + Phase 2).

    b) In addition to auditing a statistically significant number of samples of the organization’s

    management system processes to confirm the adequacy and effectiveness of the internal audit

    process, the certification body itself shall continue to carry out the following activities at each

    on-site surveillance and recertification audit, as a minimum (with other activities defined by the

    ASRP; see clause 4.1.4 below):

    • interview top management and the management representative;

    • evaluate management review inputs and outputs, including a verification of the

    organization’s ability to meet the agreed performance targets;

    • review the internal audit process, including the procedures and records of internal audits,

    and the competence of internal auditors; and

    • review corrective and preventive action plans, and verify their effective implementation.

    c) The certification body shall ensure that all the requirements for accredited certification

    (including the requirements of ISO/IEC 17021:2006 and any applicable sector scheme)

    continue to be met.

    3.1.4 Design Output

    The design output for each application of the certification body’s ASRP program shall include

    the following (a) – (f):

    a) The extent to which the certification body will utilize the organization’s internal audit and

    management review processes to complement the certification body’s activities;

    b) Criteria for witnessing the organization’s internal audits, including sampling of both auditors

    and processes to be audited;

    c) Criteria for accepting and monitoring the competence of the organization’s internal auditors

    and the method of reporting internal audit results;

    d) Criteria for ongoing adjustments to the audit program, taking into account the organization’s

    demonstrated ability over time to meet the agreed performance targets;

    e) The components of the management system that will necessarily be audited by the

    certification body at each surveillance and recertification audit (see clause 3.1.3.2 b); and

    f) Specific competence criteria for certification body auditors and, where applicable, for

    technical experts.

    3.1.5 Certificates

    The certification body shall not differentiate between ASRP and non-ASRP methodologies on

    the certificates it issues.

    Chapter 4. The use of Computer Assisted Auditing Techniques (“CAAT”)

    for Accredited Certification of Management Systems (IAF MD 4:2008)

    This mandatory document is to provide for the consistent application of ISO/IEC 17021:2006

    when computer assisted auditing techniques are used as part of the audit methodology. The

    use of CAAT is not mandatory, but if a certification body and its client opt to use CAAT, it is

    mandatory that they conform to this document and are able to demonstrate conformity to the

    accreditation body.

    4.0 INTRODUCTION

    4.0.1 As information and communication technologies become ever-more sophisticated, it is

    important for certification bodies to be able to use “Computer Assisted Auditing Techniques” to

    enhance audit effectiveness and efficiency, and to support and maintain the integrity of the

    audit process.

    NOTE: Guidance on the use of Computer Assisted Auditing Techniques can be obtained from

    the website of the ISO/IAF Auditing Practices Group

    www.iso.org/tc176/ISO9001AuditingPracticesGroup

    4.0.2 Such “Computer Assisted Auditing Techniques” (“CAAT”) may include, for example:

    • Teleconferencing,

    • Web meetings,

    • Interactive web-based communications,

    • Remote electronic access to the management system documentation and/or management

    system processes.

    4.0.3 The objectives for the effective application of CAAT are:

    a) To provide a methodology that is sufficiently flexible and non-prescriptive in nature to satisfy

    the needs of industry, by allowing client organizations and their respective certification bodies

    to use CAAT to enhance the conventional audit process, and

    b) To ensure that adequate controls are in place with sufficient accreditation body oversight to

    avoid abuses and to prevent excessive commercial pressures that could compromise the

    integrity of the certification process.

    4.1 REQUIREMENTS

    4.1.1 Confidentiality

    In accordance with ISO/IEC 17021, clause 8.5.1, the security and confidentiality of electronic

    or electronically-transmitted information is particularly important when a certification body is

    using CAAT. The certification body should agree on mutually acceptable information security

    measures with its client before using CAAT.

    4.1.2 Process requirements

    4.1.2.1 In addition to the requirements in ISO/IEC 17021, clause 9.1.2, the audit plan shall

    identify any computer-assisted auditing techniques that will be utilized.

    4.1.2.2 In addition to the requirements in ISO/IEC 17021, clause 9.1.3, when using CAAT,

    specific attention shall be given to the auditors’ ability to understand and utilize the information

    technologies employed by the client organization to manage its management system

    processes.

    4.1.2.3 In addition to the requirements in ISO/IEC 17021, clause 9.1.4, if a certification body

    uses CAAT, it may be considered as partially contributing to the total on-site auditor time. If

    remote auditing activities represent more than 30% of the planned on-site auditor time, the

    certification body shall justify the audit plan and obtain specific approval from the accreditation

    body prior to its implementation.

    NOTES:

    1) It is expected that this "specific approval" will initially be done on a case-by-case basis, but

    does not preclude a "blanket approval" from the accreditation body for the certification body to

    go over a 30% reduction once the certification body has demonstrated that its process is

    robust.

    2) On-site auditor time refers to the on-site auditor time allocated for individual sites. Electronic

    audits of remote sites are considered to be remote audits, even if the electronic audit is

    physically carried out from another of the client organization’s premises.

    4.1.2.4 In addition to the requirements in ISO/IEC 17021, clause 9.1.10, audit reports shall

    indicate the extent to which CAAT has been used in carrying out the audit, and how it

    contributes to audit effectiveness and efficiency.

    4.1.2.5 In addition to the requirements in ISO/IEC 17021, clause 9.2.2.1 (a) when the

    certification body is proposing to use CAAT for part of the audit, the application review shall

    include verification that the client organization has the necessary infrastructure to support this

    approach.

    4.1.2.6 In addition to the requirements in ISO/IEC 17021, clause 9.3.2.2, regardless of the use

    of CAAT, the organization shall be physically visited at least annually.

    4.1.2.7 In addition to the requirements in ISO/IEC 17021, clause 9.9.2, records shall indicate

    the extent to which CAAT has been used in carrying out the audit and certification.

    Chapter 5. Duration of QMS and EMS Audits (IAF MD 5: 2015)

    This document is mandatory for the consistent application of Clause 9.1.4.1 of ISO/IEC

    17021:2011 for audits of quality and environmental management systems and is based upon

    guidance previously provided in IAF GD2:2005 Annex 2 and GD6: 2006 Annex 1. All clauses

    of ISO/IEC 17021:2011 continue to apply and this document does not supersede any of the

    requirements in that standard. Although personnel numbers (permanent, temporary and part

    time) of the client are used as the starting point when considering the audit duration, this is not

    the sole consideration and account shall be taken of other factors affecting audit duration.

    5.0 INTRODUCTION

    5.0.1 The correct determination of the audit time for an initial audit (Stage 1 plus Stage 2) is an

    integral part of the application review for any client organization.

    5.0.2 This document provides mandatory provisions and guidance for CABs to develop their

    own processes for determining the amount of time required for the auditing of clients of

    differing sizes and complexity over a broad spectrum of activities. It is intended that this will

    lead to consistency of the determination of audit time of management systems between CABs,

    as well as between similar clients of the same CAB.

    5.0.3 CABs shall identify the audit time of the Stage 1 and Stage 2 initial audit and of

    surveillance and re-certification audits for each applicant and certified client.

    5.0.4 This mandatory document provides a framework that shall be utilized within a CAB’s

    processes to determine appropriate audit time of management systems, taking into account

    the specifics of the client to be audited.

    5.0.5 Although this document is set up for EMS/QMS certification, a number of elements may

    be used for other 17021-1 based certification schemes. Examples of these elements are the

    application of audit time duration or audit day and effective personnel.

    5.0.6 Notwithstanding the guidance provided by this document, the time allocated for a specific

    audit should be sufficient to plan and accomplish a complete and effective audit of the client's

    management system.

    5.1 DEFINITIONS

    5.1.1 Management Systems Certification scheme

    Conformity assessment system related to management systems to which the same specified

    requirements, specific rules and processes apply.

    5.1.2 Client organization

    Entity or defined part of an entity operating a management system.

    5.1.3 Permanent site

    Location (physical or virtual) where a client organization (5.1.2) performs work or provides a

    service on a continuing basis.

    5.1.4 Virtual Site

    Virtual location where a client organization performs work or provides a service using an on-

    line environment allowing persons irrespective of physical locations to execute processes.

    Note 1: A virtual site cannot be considered where the processes must be executed in a

    physical environment, e.g., warehousing, manufacturing, physical testing laboratories,

    installation or repairs to physical products.

    Note 2: A virtual site (e.g. company intranet) is considered a single site for the calculation of

    audit time.

    5.1.5 Temporary site

    Location (physical or virtual) where a client organization (5.1.2) performs specific work or

    provides a service for a finite period of time and which is not intended to become a permanent

    site (5.1.3).

    5.1.6 Audit time

    Time needed to plan and accomplish a complete and effective audit of the client organization’s

    management system (ISO IEC 17021-1).

    5.1.7 Duration of management system certification audits

    Part of audit time (5.1.6) spent conducting audit activities from the opening meeting to the

    closing meeting, inclusive.

    Note: Audit activities normally include:

    • conducting the opening meeting

    • performing document review while conducting the audit

    • communicating during the audit

    • assigning roles and responsibilities of guides and observers

    • collecting and verifying information

    • generating audit findings

    • preparing audit conclusions

    • conducting the closing meeting

    5.1.8 Audit Day

    The duration of an audit day is normally 8 hours and may or may not include a lunch break

    depending upon local legislation.

    5.1.9 Effective Number of Personnel

    The effective number of personnel consists of all personnel involved within the scope of

    certification including those working on each shift. When included within the scope of

    certification, it shall also include non-permanent (e.g. contractors) and part time personnel.

    Refer to 5.2.3 for calculation of effective number of personnel.

    5.1.10 Risk Category (QMS only)

    For QMS, the provisions in this document are based on three categories, dependent on the

    risks posed by failure of the product or service of the client organization. These categories can

    be considered as high, medium or low risk. High risk activities (e.g. nuclear, medical,

    pharmaceutical, food, construction) normally require more audit time. Medium risk activities

    (e.g., simple manufacturing) are likely to require the average time to carry out an effective

    audit and low risk activities less time. (See Annex E, Table QMS 2)

    5.1.11 Complexity Category (EMS only)

    For environmental management systems, the provisions specified in this document are based

    on five primary complexity categories of the nature, number and gravity of the environmental

    aspects of an organization that fundamentally affect the audit time. (See Annex F, Table EMS

    2)

    5.2 APPLICATION

    5.2.1 Audit Time

    5.2.1.1 The audit time for all types of audits includes the total time on-site at a client's location

    (physical or virtual) (5.1.7) and time spent off-site carrying out planning, document review,

    interacting with client personnel and report writing.

    5.2.1.2 The duration of a management system certification audit (5.1.7) should typically not be

    less than 80% of the audit time calculated following the methodology in Section 3. This applies

    to initial, surveillance and recertification audits.

    5.2.1.3 Travel (en-route or between sites) and any breaks are not included in the on-site

    duration of management system certification audits.

    Note: See 5.1.8. There may be a local legal requirement to include lunch breaks.

    5.2.2 Audit Day(s)

    5.2.2.1 Tables QMS 1 and EMS 1 present the average audit time of management systems

    certification audits calculated in audit days. National adjustments on the number of days may

    be needed to comply with local legislation for travel, lunch breaks and working hours, to

    achieve the same total number of days of auditing from Tables QMS 1 and EMS 1.

    5.2.2.2 The number of audit days allocated shall not be reduced at the planning stages by

    programming longer hours per working day. Consideration can be made to allow efficient

    auditing of shift activities which may require additional hours in a working day.

    5.2.2.3 If after the calculation the result is a decimal number, the number of days should be

    adjusted to the nearest half day (e.g. 5.3 audit days becomes 5.5 audit days, 5.2 audit days

    becomes 5 audit days).

    5.2.2.4 To help ensure the effectiveness of the audit, the CAB should also consider the

    composition and size of the audit team (e.g. ½ day with 2 auditors may not be as effective as a

    one day audit with 1 auditor or 1 audit day with one lead auditor and one technical expert is

    more effective than 1 auditor day without the technical expert).

    Note 1: ABs may require a CAB to demonstrate that the average audit time of specified clients

    is neither significantly more nor less than the audit time calculated from tables QMS1 and

    EMS1.

    Note 2: CABs that work primarily in high risk or complex industries are likely to have an

    average higher than the tables and CABs that work primarily in low risk industries are likely to

    have an average lower than the tables.

    5.2.3 Calculation of the Effective Number of Personnel

    5.2.3.1 The effective number of personnel as defined above is used as a basis for the

    calculation of audit time of management systems. Considerations for determining the effective

    number of employees include part-time personnel and employees partially in scope, those

    working on shifts, administrative and all categories of office staff, repetitive processes and the

    employment of large numbers of unskilled personnel in some countries.

    5.2.3.2 The justification to determine the effective number of personnel shall be available to

    the client organization and to the Accreditation Body for review during their assessments and

    on request from the Accreditation Body.

    5.2.3.3 Part time personnel and employees partially in scope

    Dependent upon the hours worked, part time personnel numbers and employees partially in

    scope may be reduced or increased and converted to an equivalent number of full time

    personnel. (e.g. 30 part time personnel working 4 hours/day equates to 15 full time personnel.)

    5.2.3.4 Repetitive process within scope

    When a high percentage of personnel perform certain activities/positions that are considered

    repetitive (e.g. cleaners, security, transport, sales, call centers, etc.) a reduction to the number

    of personnel which is coherent and consistently applied on a company to company basis within

    the scope of certification is permitted. The methods incorporated for the reduction shall be

    documented to include any consideration of the risk of the activities/positions.

    5.2.3.5 Shift work employees

    The CAB shall determine the duration and timing of the audit which will best assess the

    effective implementation of the management system for the full scope of the client activities,

    including the need to audit outside normal working hours and various shift patterns. This shall

    be agreed with the client.

    5.2.3.6 Temporary unskilled personnel

    This issue normally only applies in countries with a low level of technology where temporary

    unskilled personnel may be employed in considerable numbers to replace automated

    processes. Under these circumstances a reduction in effective personnel may be made, but

    the consideration of processes is more important than employee numbers. This reduction is

    unusual and the justification for doing so shall be recorded and made available to the AB at

    assessment.

    5.3 METHODOLOGY FOR DETERMINING AUDIT TIME OF MANAGEMENT SYSTEMS

    5.3.1 The methodology used as a basis for the calculation of audit time of management

    systems for an initial audit (Stage 1 + Stage 2) involves the understanding of tables and figures

    in Annex E and Annex F for QMS and EMS audits respectively. Annex E (QMS) is based upon

    the effective number of personnel (see Clause 2.3 for guidance on the calculation of the

    effective number of personnel) and the level of risk, but does not provide minimum or

    maximum audit time. In addition to effective number of personnel, Appendix F (EMS) is based

    also on the environmental complexity of the organization and does not provide minimum or

    maximum audit time.

    Note: Normal practice is that time spent for Stage 2 exceeds time spent for Stage 1.

    5.3.2 Using a suitable multiplier, the same tables and figures may be used as the base for

    calculating audit time for surveillance audits (Clause 5) and recertification audits (Clause 6).

    5.3.3 The CAB shall have processes that provide for the allocation of adequate time for

    auditing of relevant processes of the client. Experience has shown that apart from the number

    of personnel, the time required to carry out an effective audit depends upon other factors for

    both QMS and EMS. These factors are explored in more depth in Clause 5.8.

    5.3.4 This mandatory document lists the provisions which should be considered when

    establishing the amount of time needed to perform an audit. These and other factors need to

    be examined during the CAB’s application review process and after Stage 1 and throughout

    the certification cycle and at recertification for their potential impact on the determination of

    audit time regardless of the type of audit. Therefore the relevant tables, figures and diagrams

    for both QMS and EMS which demonstrate the relationship between effective number of

    personnel and complexity, cannot be used in isolation. These tables and figures provide the

    framework for audit planning and therefore required adjustments for the determination of audit

    time for all types of audits.

    5.3.5 For QMS audits, Figure QMS 1 provides a visual guide to making adjustments from

    the audit time calculated from Table QMS 1 and provides the framework for a process that

    should be used for audit planning by identifying a starting point based on the total effective

    number of personnel for all shifts.

    5.3.6 For an EMS audit it is appropriate to base audit time on the effective number of

    personnel of the organization and the nature, number and gravity of the environmental aspects

    of the typical organization in that industry sector. Tables EMS 1 and EMS 2 provide the

    framework for the process that should be used for audit planning. The audit time of

    management systems should then be adjusted based on any significant factors that uniquely

    apply to the organization to be audited.

    5.3.7 The starting point for determining audit time of management systems shall be

    identified based on the effective number of personnel, then adjusted for the significant factors

    applying to the client to be audited, and attributing to each factor an additive or subtractive

    weighting to modify the base figure. In every situation the basis for the establishment of audit

    time of management systems including adjustments made shall be recorded. The CAB should

    ensure that any variation in audit time does not lead to a compromise on the effectiveness of

    audits. Where product or service realization processes operate on a shift basis, the extent of

    auditing of each shift by the CAB depends on the processes done on each shift, and the level

    of control of each shift that is demonstrated by the client. To audit effective implementation, at

    least one of the shifts shall be audited. The justification for not auditing the other shifts (e.g.

    those outside of regular office hours) shall be documented.

    5.3.8 The audit time of management systems determined using the tables or figures in

    Annexes E and F shall not include the time of “auditors-in-training”, observers or the time of

    technical experts.

    5.3.9 The reduction of audit time of management systems shall not exceed 30% of the times

    established from Tables QMS 1 or EMS 1.

    Note: Clause 5.3.9 may not apply to the situations described in IAF MD1 for the individual sites

    in multi-site operations where sampling of sites is permitted. In this situation a limited number

    of processes may be present in such sites and the implementation of all relevant requirements

    of the management system standard(s) can be verified.

    5.4 INITIAL MANAGEMENT SYSTEMS CERTIFICATION AUDITS (STAGE 1 PLUS

    STAGE 2)

    5.4.1 Determination of audit time of management systems involved in combined offsite

    activities (Clause 5.2.1) should not reduce the total on-site duration of management systems

    audits to less than 80% of the audit time calculated from the tables following the methodology

    in Section 3. Where additional audit time is required for planning and/or report writing, this will

    not be justification for reducing the on-site duration of management systems certification

    audits.

    5.4.2 Table QMS 1 and Table EMS 1 provide a starting point for estimating the audit time of

    an initial audit (Stage 1 + Stage 2) for QMS and EMS respectively.

    5.4.3 The audit time determined by the CAB and the justification for the determination shall

    be recorded. This calculation shall include details on the time to be allocated to cover the

    entire scope of certification.

    5.4.4 The CAB shall provide the audit time determination and the justification to the client

    organization as part of the contract and make it available to its Accreditation Body upon

    request.

    5.4.5 Certification audits may include remote auditing techniques such as interactive web-

    based collaboration; web meetings, teleconferences and/or electronic verification of the client’s

    processes (see IAF MD4). These activities shall be identified in the audit plan, and the time

    spent on these activities may be considered as contributing to the total duration of

    management systems audits. If the CAB plans an audit for which the remote auditing activities

    represent more than 30% of the planned on-site duration of management systems audits, the

    CAB shall justify the audit plan and maintain the records of this justification which shall be

    available to an Accreditation Body for review (see MD4).

    Note 1: Duration of management system certification audits refers to the audit time allocated

    for individual sites. Electronic audits of remote sites are considered to be remote audits, even if

    the electronic audit is physically carried out on the client organization’s location (physical or

    virtual).

    Note 2: Regardless of the remote auditing techniques used, the client organization shall be

    physically visited at least annually where such a physical location exists.

    Note 3: It is unlikely that the duration of a Stage 2 audit will be less than one (1) audit day.

    5.5 SURVEILLANCE

    During the initial three year certification cycle, audit time for surveillance audits for a given

    organization should be proportional to the audit time spent on the initial certification audit

    (Stage 1 + Stage 2), with the total amount of time spent annually on surveillance being about

    1/3 of the audit time spent on the initial certification audit. The CAB shall obtain an update of

    client data related to its management system as part of each surveillance audit. The planned

    audit time of a surveillance audit shall be reviewed at least at every surveillance and

    recertification audit to take into account changes in the organization, system maturity, etc. The

    evidence of review including any adjustments to the audit time of management systems audits

    shall be recorded.

    Note: It is unlikely that a surveillance audit will take less than one (1) audit day.

    5.6 RECERTIFICATION

    The audit time for the recertification audit should be calculated on the basis of the updated

    information of the client and is normally approximately 2/3 of the audit time that would be

    required for an initial certification audit (Stage 1 + Stage 2) of the organization if such an initial

    audit were to be carried out at the time of recertification (i.e. not 2/3 of the original time spent

    on the initial audit). The audit time of management systems shall take account of the outcome of

    the review of system performance (ISO/IEC 17021-1). The review of system performance does

    not itself form part of the audit time for recertification audits.

    Note: It is unlikely that a recertification audit will be less than one (1) audit day.

    5.7 INDIVIDUALIZED SECOND AND SUBSEQUENT CERTIFICATION CYCLES

    For the second and subsequent certification cycles, the CAB may choose to design an

    individualized surveillance and recertification program (see IAF MD3 for Advanced

    Surveillance and Recertification Procedures – ASRP) with approval by the Accreditation Body.

    If an ASRP approach is not chosen the audit time of management systems should be

    calculated as indicated in Clauses 5.5 and 5.6.

    5.8 FACTORS FOR ADJUSTMENTS OF AUDIT TIME OF MANAGEMENT SYSTEMS (QMS

    AND EMS)

    The additional factors that need to be considered include but are not limited to:

    Increase in audit time of management systems:

    • Complicated logistics involving more than one building or location where work is

    carried out, e.g., a separate Design Centre must be audited.

    • Staff speaking in more than one language (requiring interpreter(s) or preventing

    individual auditors from working independently).

    • Very large site for the number of personnel (e.g., a forest).

    • High degree of regulation (e.g. food, drugs, aerospace, nuclear power, etc.).

    • System covers highly complex processes or relatively high number of unique activities.

    • Activities that require visiting temporary sites to confirm the activities of the permanent

    site(s) whose management system is subject to certification.

    • Outsourced functions or processes.

    Increase in audit time of management systems for QMS only:

    • Activities considered to be of high risk (see Annex E, Table QMS 2).

    Increase in audit time of management systems for EMS only:

    • Higher sensitivity of receiving environment compared to typical location for the industry

    sector.

    • Views of interested parties.

    • Indirect aspects necessitating increase in audit time.

    • Additional or unusual environmental aspects or regulated conditions for the sector.

    • Risks of environmental accidents and impacts arising, or likely to arise, as

    consequences of incidents, accidents and potential emergency situations, previous

    environmental problems that the organization has contributed to.

    Decrease in audit time of management systems:

    • Client is not "design responsible" or other standard elements are not covered in the

    scope (QMS only).

    • Very small site for number of personnel (e.g. office complex only).

    • Maturity of management system.

    • Prior knowledge of the client management system (e.g., already certified to another

    standard by the same CAB).

    • Client preparedness for certification (e.g., already certified or recognized by another

    3rd party scheme).

    • Note: if audit is conducted in accordance with IAF MD 11 this justification is invalid as

    reduction will be calculated from the level of integration.

    • High level of automation.

    • Where staff include a number of people who work “off location” e.g. salespersons,

    drivers, service personnel, etc. and it is possible to substantially audit compliance of

    their activities with the system through review of records.

    • Activities considered to be of low risk (see Annex E, Table QMS 2 for examples and

    Table EMS 1). Low complexity activities, e.g.:

    - Processes involving similar and repetitive activities (e.g., Service only).

    - Identical activities of low complexity performed on all shifts with appropriate

    evidence of equivalent performance on all shifts.

    - Where a significant proportion of staff carry out a similar simple function.

    Repetitive process within scope (when employees perform repetitive activities).

    All attributes of the client’s system, processes, and products/services should be considered

    and a fair adjustment made for those factors that could justify more or less audit time for an

    effective audit. Additive factors may be off-set by subtractive factors.

    Note 1: Subtractive factors may be used once only for each calculation for each client

    organization.

    Note 2: Additional factors to consider when calculating the audit time of integrated

    management systems are addressed in IAF MD 11.

    5.9 TEMPORARY SITES

    5.9.1 In situations where the certification applicant or certified client provides their product(s)

    or service(s) at temporary sites, such sites shall be incorporated into the audit programs.

    5.9.2 Temporary sites could range from major project management sites to minor

    service/installation sites. The need to visit such sites and the extent of sampling should be

    based on an evaluation of the risks of the failure of the QMS to control product or service

    output or the EMS to control environmental aspects and impacts associated with the client's

    operations. The sample of sites selected should represent the range of the client’s scope of

    certification, competency needs and service variations having given consideration to sizes and

    types of activities, and the various stages of projects in progress and associated environmental

    aspects and impacts.

    5.9.3 Typically on-site audits of temporary sites would be performed. However, the following

    methods could be considered as alternatives to replace some on-site audits:

    - Interviews or progress meetings with the client and/or its customer in person or by

    teleconference.

    - Document review of temporary site activities.

    - Remote access to electronic site(s) that contains records or other information that is

    relevant to the assessment of the management system and the temporary site(s).

    - Use of video and teleconference and other technology that enable effective auditing to

    be conducted remotely.

    5.9.4 In each case, the method of audit should be fully documented and justified in terms of

    its effectiveness.

    5.10 AUDIT TIME OF A MULTI-SITE MANAGEMENT SYSTEM

    5.10.1 In the case of a management system operated over multiple sites it is necessary to

    establish if sampling is permitted or not.

    5.10.2 For certification of multiple sites where sampling is not permitted, detailed

    requirements will be covered in more detail in a new IAF MD when it is available. The starting

    point for calculating audit time of the management system is the total involved on all of the

    sites, consistent with Table QMS 1 and Table QMS 2 for quality management systems and

    Table EMS 1 and Table EMS 2 for environmental management systems.

    The proportion of the total time spent on each site shall take into account situations where

    certain management system processes are not relevant to the site.

    5.10.3 For certification of multiple sites where sampling is permitted, detailed requirements

    are covered in more detail in IAF MD1. The starting point for calculating audit time of the

    management system is the total involved on each of the sampled sites. MD1 shall be used to

    select sites to be sampled prior to applying MD5 to each selected site. The total time should

    never be less than that which would have been calculated for the size and complexity of the

    operation if all the work had been undertaken at a single site (MD1 – clause 5.3.4).

    5.11 CONTROL OF EXTERNALLY PROVIDED FUNCTIONS OR PROCESSES

    (OUTSOURCING)

    5.11.1 If an organization outsources part of its functions or processes, it is the responsibility of

    the CAB to obtain evidence that the organization has effectively determined the type and

    extent of controls to be applied in order to ensure that the externally provided functions or

    processes do not adversely affect the effectiveness of the MS, including the organization’s

    ability to consistently deliver conforming products and services to its customers or to control its

    environmental aspects and commitments to compliance with legal requirements.

    5.11.2 The CB will audit and evaluate the effectiveness of the client's management system in

    managing any supplied activity and the risk this poses to the delivery of objectives, customer

    and conformity requirements. This may include gathering feedback on the level of

    effectiveness from suppliers. However, auditing the supplier’s management system is not

    required, considering that only the control of the supplied activity, and not the performance of

    the activity itself, is included in the scope of the organization’s management system. From this

    understanding of risk any additional audit time shall be determined.

    5.12 Reference

    [Annex E] QUALITY MANAGEMENT SYSTEMS

    [Annex F] ENVIRONMENTAL MANAGEMENT SYSTEMS

    Chapter 6. IAF Mandatory Document for Harmonization of Sanctions to

    be applied to Conformity Assessment Bodies (MD 7:2010)

    This document is mandatory for the consistent application of Clause 7.13 of

    ISO/IEC17011:2004 under specific circumstances described in this document. This document

    does not supersede any of the requirements of that standard.

    6.0 INTRODUCTION

    6.0.1 Under ISO/IEC 17011, Accreditation Bodies (ABs) are required to have procedures for

    suspension, withdrawal or reduction of the accreditation scope (refer to ISO/IEC 17011 Clause

    7.13.1).

    6.0.2 The intention of this document is to clarify the situations where the sanctions shall be

    applied to applicant or accredited Conformity Assessment Bodies (CABs) and the subsequent

    necessary communication which shall be taken by ABs.

    6.0.3 The following are applicable not only to the scope of the IAF MLA but also to any other

    IAF accreditation activities, not just the management system certification. Other situations are

    at individual AB’s discretion.

    6.0.4 Clause 6.2 states some situations that frequently lead to sanctions by an AB and Clause

    3 describes sanctions that are normally applied progressively by an AB.

    6.0.5 Clauses 6.4 and 6.5 describe specific instances in which there shall be a harmonized approach

    by all ABs.

    1) ISO/IEC 17011 Conformity assessment – General requirements for accreditation

    bodies accrediting conformity assessment bodies.

    2) IAF-ILAC JGA 2007 Sydney Resolution 7 (Refer to Annex A)

    6.2 INITIATION OF SANCTIONS

    Situations that lead to sanctions being applied to applicant or accredited CABs include, but are

    not limited to the following:

    ㆍFailure to resolve nonconformities in accordance with an AB’s procedures;

    ㆍNegative outcome of a complaint investigation;

    ㆍMisuse/misrepresentation of an accreditation symbol (see ISO/IEC 17011 clause 8.3.3 and

    NOTE);

    ㆍNon-payment of fees.

    6.3 SANCTIONS AVAILABLE

    Sanctions available include, but are not limited to:

    ㆍIntensification of surveillance (office, witness or document review);

    ㆍReduction of accreditation scope (including geographical scope);

    ㆍSuspension;

    ㆍWithdrawal;

    ㆍPublic notice of scope reduction/suspension/withdrawal/misrepresentation of accreditation;

    ㆍLegal actions.

    NOTE 1: Application of sanctions outlined in this document does not preclude legal action by

    third parties, regulators, public authorities or any other interested parties.

    NOTE 2: Under ISO/IEC 17011 Clause 8.1.1(g), there is provision for an AB to refuse

    services if an AB perceives that any known violation of laws and regulations by the CAB would

    bring the AB into disrepute.

    6.4 SPECIFIC HARMONIZED SANCTIONS

    The following are situations requiring specific sanctions by the AB:

    6.4.1 Where there is proven evidence of fraudulent behavior, or the CAB intentionally

    provides false information, or the CAB deliberately violates accreditation rules, the AB shall

    initiate its process for withdrawal of accreditation.

    6.4.2 Where a CAB is providing certification to any standard used as a basis for accrediting

    CABs (e.g. ISO/IEC 17025 or ISO 15189), the AB shall initiate its process for suspension of

    accreditation, as this behaviour of the CAB will put the AB, against its will, in the condition of

    providing the same service that a CAB performs, in viola