ISO Audit

Audit programme

An audit programme for the full certification cycle shall be developed to clearly identify the audit activity (ies) required to demonstrate that the client's management system fulfils the requirements for certification to the selected standard(s) or other normative document(s).
The audit programme shall be conducted in stages within a 3-year certification cycle as follows; 
· Initial audit: Two stage process
· Surveillance audit: Conducted in the first and second years, and 
· Recertification audit: In third year prior to certificate expiry date.


In determining the audit programme for a particular client consideration shall be given to;
· Client size of organization 
· Scope and complexity of the management system 
· Products and processes 
· Demonstrated level of management system effectiveness 
· Results of previous audits, including those from other accredited certifications 
· The number of visits per year 
· The approximate dates of the proposed visits 
· The requirement to that any non-conformances must be addressed prior to the date of the expiry of the certificate. 
During the closing meeting in stage 2/recertification the lead assessor will inform the client of the proposed 3-year surveillance audit programme . The auditors shall send the completed to ICERT. Overseas offices upload the programmer to the ECMS for ICERT review.

Audit planning

ICERT establishes an audit plan for each audit identified in the audit programme and provides this to the client as a basis for agreement regarding the conduct and scheduling of assessment activities. The client’s application and scope request are used as the basis for the audit plan 1 Audit Plan stage 1, Standard 17021 2 Audit Plan stage 2, Standard 17021 3 Audit Plan surveillance or Standard 17021 4 Audit Plan recertification).
 
The audit plan shall be appropriate to the objectives and the scope of the audit. The audit plan shall at least include or refer to the following:

a) the audit objectives; 
b) the audit criteria; 
c) the audit scope, including identification of the organizational and functional units or processes to be audited; 
d) the dates and sites where the on-site audit activities are to be conducted, including visits to temporary sites, as appropriate; 
e) the expected time and duration of on-site audit activities; 
f) The roles and responsibilities of the audit team members and accompanying persons. 

Notes:

· Where the Client’s scope includes site work or installation the Audit Plan is to reflect this activity. 
· Audit plan containing the names of the team members will be sent to Client in sufficient time for the organization to object to the appointment of any particular Auditor or Expert 
· The audit team shall be reconstituted in response to any valid objection. 
· The audit plan information can be contained in more than one document. 

Conducting on-site audits

4.3.1 Initial audit - Stages 1 & 2 [9.2.3] [9.2.4] [9.2.5] 

The initial assessment process shall be conducted in TWO stages. In conclusion of the assessment, records must demonstrate that all applicable requirements of ISO 9001 have been addressed and included within a representative section of the organization, within the agreed scope of certification. 

Note:

Conversion assessments may be undertaken as a result of an application from the Client to convert its quality system certification from another accredited certification body – See Note 1 for particular requirements.


4.3.1.1 Stage 1 audit shall be performed to; 

a. Audit the client’s management system documentation 

b. Evaluate location and site specific conditions and to determine through discussion with the client their preparedness for a Stage 2 audit 

c. Review client’s status and understanding of the management system standard, including key processes, objectives, performance measures and system operation. 
d. Determine proposed scope of certification, client location and processes, and related statutory and regulatory requirements. 
e. Review resource allocation for Stage 2 audit and to communicate details of the Stage 2 audit process 
f. Gain sufficient understanding of the client’s management system and site operations in the context of possible significant aspects or business risk 
g. Evaluate if internal audits and management review are being planned and performed, and that the level of management system implementation indicates that the client is ready for a Stage 2 audit. 

4.3.1.2 Stage 2 audits shall be performed to evaluate the implementation, including effectiveness, of the client’s management system. It shall take place at the client’s site and include at least the following; 

a. Information and evidence about conformity to all requirements of the applicable management standard (or normative document) 

b. Evidence of performance monitoring, measuring, reporting and reviewing against key performance objectives and targets 

c. The client’s management system and performance regarding legal compliance 
d. Operational control of processes 

e. Internal audit and management review 
f. Management responsibility for the client’s policies 

g. Demonstrable audit trails between the above (a – f)

4.3.2 Surveillance Audits [9.3] 
Following on from a Company achieving ISO 9001 certification a planned programme of surveillance visits commences. The frequency and duration of the visits are based on the type and complexity of the Client’s business. Surveillance visits will be calculated from the date of the Stage 2 audit and may be carried out at 6 or 12 month intervals but no less than once per year - See Note 2 for particular requirements.


Visits will be initiated as per the Client Application Procedure (SP-004) and conducted on-site in accordance with protocols which ensure that;
· Representative areas and functions of the client’s management system covered by the scope of the management system are monitored on a regular basis, and 

· Any changes to the client (e.g. organization) and to the management system are taken into account. 

Certification & Admin Manager will then review annual Surveillance Visit Reports and Client’s corrective action response (where required) to confirm the validity of the initial certification decision. 

Notes:

a) The Auditors may recommend that the frequency of surveillance assessments be: 

· Extended, depending upon the demonstration of good performance.
· Reduced upon the demonstration of poor performance or increased company size & activity 
b) Surveillance visits will not usually be less than 1 day’s duration. 
c) At each surveillance visit the following areas must be addressed: - 

· System maintenance, i.e. internal audit, management review and preventive and corrective actions 
· A review of action taken on non-conformities identified during the last audit 
· Customer complaints 
· Changes to the system 
· Other selected areas to ensure adequate coverage over the certification cycle 
· Use of marks 
· Records of appeals, complaints and disputes brought before the certification body, and where any non-conformity or failure to meet the requirements of certification is revealed, that the organization has investigated its own systems and procedures and taken appropriate corrective action. 
· The lead auditor will agree a timescale with the client depending on the severity of the NCR 


4.3.3 Recertification audits [9.4] 

A recertification audit shall be planned and conducted to evaluate the continued fulfillment of all of the requirements of the relevant management system standard or other normative document. The purpose of the recertification audit is to confirm the continued conformity and effectiveness of the management system as a whole, and its continued relevance and applicability for the scope of certification.
· The lead auditor will produce an audit plan taking in to account the reason for the audit (see below). The plan will address all the required elements of the standard, the company’s processes and any significant areas that have shown concern during the review of the previous assessments. 
· Where there have been significant changes to: - 

i) ICERT certification scheme 
ii) The standard to which the Client has been assessed 

iii) Ownership, management or activity of the Client 
· Upon expiry of the Client’s certificate: 

Routine (3 yearly) reassessments shall be conducted at the expiry of an existing certificate are conducted to verify overall continuing effectiveness of the client’s quality system in its entirety, and provide for a review of past performance of the system over the period of certification. This is recorded on the form Doc041. 
Notes:
The reassessment will also be used to ensure: -

· the effective interaction between all elements of the system 
· the overall effectiveness of the system in its entirety in the light of any changes in operation
· demonstrated commitment to maintain the effectiveness of the system 
· the performance of the company’s management system over the 3-year period will be considered looking al complaints, corrective and preventive actions, non-conformities  
· A review of all surveillance visits performed during the certification period will be made looking for trends and necessary root cause analysis and timely corrective action. 
· The re-issue of the certificate, information contained thereon and the subsequent surveillance cycle all to be generally as per the initial certification and surveillance period. Auditors will ensure that the ICERT reporting methods will clearly document all evidence obtained during the re assessment visit.


4.3.4 Special audits [9.5] 

Extensions to Scope may be undertaken as a result of an application from a ICERT certificated Client to additional activities, areas or sites that form part of their quality system be assessed. Where such a request is made then the Lead Auditor will: - 

· Extend the next surveillance visit, if required, to allow sufficient time to assess the additional areas, or 

· Authorize an additional surveillance visit to specifically assess these areas, or 
· An interim visit purely for the scope extension 

Any additional costs will be agreed with the Client before the visit and an invoice raised. Where required a quotation shall be raised for the Client identifying: -
· Cost of the additional visit or the additional time required to assess the areas, and 
· Budgetary cost of the additional time to be allocated for future surveillance visits 

All auditors & lead auditors will be appointed by the Certification & Administration Manager / Director after he/she has reviewed the competence of available assessors.

The Auditor’s competence is determined by reviewing the ICERT competence requirements, the CV and records of the auditors experience as defined in.

Certification & Admin Manager will: -

a) Raise an Extension to the Scope Request form identifying the additional areas to be assessed. 
b) Maintain records, including site file, master card, database and assessor authorization 
c) Send revised Certificate to the Client with a letter detailing any resulting increased frequency or duration of surveillance 
Conversion assessments may be undertaken as a result of an application from the Client to convert its quality system certification from another Accredited Certification Body. The following areas must be addressed during the conversion assessment: -

· Any changes to management structure or Company representative 
· Minutes of the last management review meeting 
· Any changes to the Quality Manual 
· Customer complaints and corrective/preventive actions 
· Internal quality audits 
· Corrective actions resulting from the non-conformities raised by the previous certification body’s last visit. 

Note: 

Where this report is not available, or where no non-conformities were raised, the Lead Auditors will cover as many areas as time-scales permit to ensure that the quality system is being maintained and that no major problems exist. 

Short notice audits may be undertaken; these visits would only take place in exceptional circumstances;
· Where complaints have been received by ICERT about the Company 
· Following a recommendation made by an Auditor during a surveillance visit e.g. 
· As a result of a breakdown in the Client’s quality system, or a trend within a certain area being identified 
· Due to a significant change in the Client’s management, ownership or quality system 
· Where Certification & Admin Manager has identified a significant problem with the 
· Client’s quality system or has been informed of a significant change in the Client’s management, ownership or quality system. 
· As a result of misuse of the Certificate or the Certification Mark. 
The client will be informed by Telephone, fax or email at least 7 days prior to the visit. The client will be informed in writing of the reason for the visit.

The audit format will be as that of the surveillance visit, but Auditor(s) shall concentrate on areas of deficiency. The outcome of a Short notice audit will be continuation, suspension or withdrawal of certification.

Audit reports

Certification & Admin Manager will: -
· Review Audit Report and related documentation received from the Auditor 
· Progress receipt of the Client’s corrective action plan within the agreed timescale (using diary) as necessary 
· Review acceptability of Client’s proposed remedial action utilizing Auditor and/or 
· Certification & Admin Manager as appropriate 
· Up-date the Client/Site file and database 
Access to ECMS or original assessment reports shall be submitted to the Client with an explanation of any differences from previous report(s).
Reports shall include the following information as a minimum;
· Date(s) of the audit(s)
· Name(s) of person(s) responsible for the report
· Names and addresses of all sites audited
· audited cope of certification
· Summary of overall findings, including Conclusions regarding the client’s capability of meeting agreed requirements for product/service, 
· Extent of QMS conformity with ISO 9001:2015 registration requirements, 
· The degree of reliance that can be placed on the internal audit’
· Any Observations regarding QMS implementation 
· Conclusions reached by the audit team,
· Comparison with the results of previous surveillance audits where applicable.
· Performance of the company’s management system over the complete certification period (re-certification audits) 
· The qualification, experience and authority of the Client’s staff encountered  
· The adequacy of the Client’s QMS, including its organization and procedures
· Any actions taken to correct previous nonconformities

Client corrective action

The client is required to analyze the cause and describe the specific correction and corrective actions taken, or planned to be taken, to eliminate detected nonconformities, within defined timeline. The auditor agrees the timeline with the client in the closing meeting.
Certification & Admin Manager will: -
· Review Assessment Report and related documentation received from the Assessor 
· Progress receipt of the Client’s corrective action plan within the agreed timescale (using diary) as necessary. 
· Review acceptability of Client’s proposed remedial action utilizing the Auditor and/or Certification & Admin Manager as appropriate, and resolve any problems by telephone or fax. Details of agreed resolution shall be recorded. 
· Acknowledge acceptability of proposed remedial action to the Client in writing. 
· Endorse a copy of the Client’s corrective action plan. 
· Pass a copy of the report to the Certification & Admin Manager or Governing Board representative(s) for review. 
· Up-date the Client/Site file and database. 

Note:
Corrective action response dates will be set to ensure that the corrective actions can be implemented prior to the expiry of the certificate.

Corrective action review and verification

Minor non-conformances (NCR) shall be checked for effectiveness of corrective action at the next surveillance visit.

All minor NCRs raised during stage 2 audits will require a written response detailing a meaningful corrective action and reasonable timescales for completion. All minor NCR responses shall be detailed within a relevant section of ECMS by the client entering such details via the use of their unique password within maximum 30 days from the visit.

In the event of major NCR to been raised it shall be necessary for the Certification Body to carry out a return visit normally within 30 days but no longer than 90 days to ensure that necessary corrective action has been taken. Major NCRs are serious and require the input from the operations director.

Such return visits will be invoiced separately to the client and must be paid prior to visit taken place. Minor NCR maybe closed out with submission of documented evidence to demonstrate adequate corrective action has taken place. If NCR is to be closed-out by post, the Client must provide adequate documented evidence to demonstrate the non-compliance has been addressed and corrective action implemented.

Minor NCRs shall only be accepted by the Auditor upon the receipt of corrective action that has demonstrated the root cause analysis and action plan to prevent occurrence.

If a NCR has not been satisfactorily addressed, the Auditor shall endorse it to this effect and raise a new NCR to cover the area of non-compliance.

Certification & Admin Manager will review the reports and either: -
· Approve the extension to scope by endorsing request form (Doc021) and make relevant changes to the Certificate, or 
· Initiate appropriate follow-up action with the Client. 

Short notice audits to verify the effectiveness of clients’ proposed corrective action shall be conducted prior to the expiry date of the certificate.

Certification decision

Following assessment of the Client’s management system and return of the Site File or up loading of the report on to the electronic data base;

Certification & Administration Manager / Director will review the Assessment and related documentation received from the Auditor, including the client’s corrective action report if required, to ensure completeness.

Certification & Administration Manager / Director will review the reports and client’s corrective action response (where required) and either: -
· Approve the issue of certification in according with our document
· Initiate appropriate follow-up action with the client 
The person making the certification decision shall always be different from those who carried out the audit.

Certification & Administration Manager / Director will then: -
· Allocate a certificate number from the ECMS system 
· Raise the certificate on the database 
· Send the following documentation to the Client electronically or by post 
· Supplement to the Regulations describing the use of the Certification Mark 
· A bromide of the appropriate Certification Mark (accredited or unaccredited)

The Client shall be informed of ICERT’s accredited status. The Client is permitted to display the Accredited Certification Mark only where ICERT has been accredited by AS for the Client’s activities, and in accordance with the rules given in the supplement to the regulations. Where this is not the case then the Client will only be able to use the ICERT Certification Mark.

Information to be included on the Certificate: -
· Certificate Number (unique sequential number from ICERT certificate log) 
· Date of issue and expiry 
· Company or Group name 
· Company address, or main site/holding Company in the case of a Group 
· Standard to which the Company/Group is approved 
· Scope of registration including details of any excluded clauses 
· Address of ICERT Certification 
· Any other information required to define the certification status or reference to any other documents used in the assessment 
· Certificate issue is identified by date 

Additional Information to be included on the Database:
· Surveillance Visit Programme 
· Target month and duration for each surveillance over the three years 
· Target month for the reassessment 
· Classification codes appropriate to the scope of certification 
· Classification codes for which ICERT has been accredited 

Suspension, withdrawal or reducing scope of certification

ICERT may suspend, withdraw or reduce the scope of certification as a result of an investigation following: -
· Recommendation made during a surveillance or special visit 
· Failure to comply with the Regulations and supplements 
· Significant change in the quality system, management or ownership 
· Significant complaint from any third party 
· Significant or recurring non-conformities or complaints 
· Nonpayment of fees 
· Request from the client 

The decision to suspend or withdraw a Certificate and/or an Appendix is made by the Certification & Administration Manager / Director depending impartiality, and full details of the reason are recorded in the ECMS & Client/Site file.

Certification & Administration Manager / Director will: -
· Inform the Client of the decision in writing Letter Doc, and of their right of appeal 
· Withdraw the certificate 
· If required, authorize a special visit on the Client to ensure that the Client has ceased using the Certificate or Certification Mark 




Certification & Administration Manager / Director will;
· File the Site file 
· Amend the Monthly Surveillance Register and Assessor Authorization, as applicable. 

Where the entire certificate is being withdrawn then the Client and Site file(s) are endorsed with the words “withdrawn” and archived into the appropriate area of the filing system.

Note:
If the recommendation is to “DECLINE CERTIFICATION” then the Lead Assessor is to outline the Appeals Procedure to the Client. 

Impartiality


The certification / registration process shall only be managed by persons employed or contracted to ICERT Certification.

To maintain impartiality of the certification scheme Certification decisions shall not be delegated to an outside person or body, including a person who has a vested interest in the outcome of the assessment, e.g. involvement in the: -
· Design, supply, implementation or maintenance of the client’s quality system 
· Certification assessment, or re-assessment activities, or 
· Some other factor which may affect their judgment