Stage 1 Audit
Stage 1 Audit is a part of the registration process and not an optional activity. Terms like Adequacy audit or Document Review may also be used for Stage 1.
During the Stage 1, it is to be established that the requirements of the standard(s) are being met by the auditee organisation. This can be done by review of the available evidence. This evidence may take many forms and some cases need not be “documented”. However, this does not alter the need to adhere to the requirements for documentation contained in the EMS Standard ISO 14001 or ISO 45001
The objective of the Stage 1 audit is to provide:
- review the client’s management system documented information;
- evaluate the client’s site-specific conditions and to undertake discussions with the client’s personnel to determine the preparedness for stage 2;
- review the client’s status and understanding regarding requirements of the standard, in particular with respect to the identification of key performance or significant aspects, processes, objectives and operation of the management system;
- obtain necessary information regarding the scope of the management system, including:
- the client’s site(s);
- processes and equipment used;
- levels of controls established (particularly in case of multisite clients);
- applicable statutory and regulatory requirements;
- review the allocation of resources for stage 2 and agree the details of stage 2 with the client;
- provide a focus for planning stage 2 by gaining a sufficient understanding of the client’s management system and site operations in the context of the management system standard or other normative document;
- Evaluate if the internal audits and management reviews are being planned and performed, and that the level of implementation of the management system substantiates that the client is ready for stage 2.
The stage 1 audit is normally done on-site. However, an offsite audit may be considered if the auditor is familiar with the client’s activities (e.g. certified to other management system standards), provided the objectives of Stage 01 are met.
Conclusions with regard to fulfilment of the stage 1 objectives and the readiness for stage 2 shall be communicated to the client, including identification of any areas of concern that could be classified as a nonconformity during stage 2. This is done through a Stage 01 Report.
For Companies requiring to transfer from another certification body
If the company has an accredited certificate by another body then the auditors need only carry out a partial (brief) Document Review in ISOQAR office. However, all of the paperwork still needs to be completed using the combined Stage 1 Review and Audit Schedule form.
If the company has a non-accredited certificate, then ISOQAR normal procedures must apply in full.
Stage 1 audit is intended to:
- Assess that the auditee has a documented management system, which is compliant to applied standard.
- Ensure that the EMS includes an adequate process for identification of environmental aspects, impacts and determination of their significance.
- Ensure that the system includes a procedure for identification of applicable regulatory requirements and that all the required environmental licenses, permits and approvals are in place.
- Ensure that the management system is designed to achieve defined policy, objectives and targets.
- Establish that internal audit conform to the requirements of respective standard and the internal audits are effective and relied upon. Seeking evidence for competence, experience, training & independence of internal auditors (ISO 19011); auditing procedure & methodology; reference & standards; resource availability; organization & planning of audits; checks & reports; timeliness & effectiveness of corrective / preventive action and management of audit follow-up.
- Establish that management reviews are conducted and cover continuing suitability, adequacy and effectiveness of management system.
- Establish that relevant communication from customers / external interested parties is documented and responded
- Establish that the management system is designed to realize the concept of continual improvement.
- Establish that the proposed scope of registration is appropriate to the auditee organization’s business activities.
- Confirm the auditee organization’s readiness for registration audit.
- Work hours and schedules
- Size and complexity of the organization
- Special safety requirements
- Applicable statutory requirements & licenses
- Security clearance requirements
- Technology expertise necessary
- Logistics
- Prepare a detailed program including audit trails for the upcoming Stage 2 audit.
- Review the adequacy of audit time for Stage 2 audit. Increase the time duration if required based on the findings of audit; complexity / volume of processes; variation found from the data provided by the client in F080 Questionnaire.
When carrying out a review the auditor shall note his/her findings in the Stage 1 audit report (F091) and record this against the relevant topic if such fails to satisfy the requirement of the standard. Special requirements are listed in the Stage 1 audit report (F091) for that company i.e. guidance documents, legislation etc. for reference at the audit.
The Document review is a part of the stage 1 audit and shall include at least the following:
- Documentation including procedures with links to related requirements of respective standard. If client has integrated systems (e.g. QMS, OHSMS), the documentation shall be reviewed w.r.t. interfaces with other systems.
- The documentation must have been issued and would normally have been in place for a minimum of three months.
- Description of organization and its on-site processes
- Environmental aspects, impacts and determination of significant aspects (for EMS).
- Means and system for realizing continual improvement.
- An overview of applicable regulations and agreements with authorities.
- Internal audit program, identified nonconformities and records.
- Records of incidents, breach of regulation and relevant correspondence and EMS related communications with action taken.
- Records for management review
Details of identified nonconformities and CAPA taken in last 1 year
Registration Audit (RA) (Stage 2 Audit)
The objective of the Registration Audit (Stage 2 Audit) is:
- information and evidence about conformity to all requirements of the applicable management system standard or other normative documents;
- performance monitoring, measuring, reporting and reviewing against key performance objectives and targets (consistent with the expectations in the applicable management system standard or other normative document);
- the client’s management system ability and its performance regarding meeting of applicable statutory, regulatory and contractual requirements;
- operational control of the client’s processes;
- internal auditing and management review;
- Management responsibility for the client’s policies.
The following activities will be carried out to meet the objectives of Stage 2 Audit:
- Assess that the auditee organization’s quality management system has been implemented and objective evidence is available to demonstrate its effective implementation in line with its policies, objectives and procedures.
- Establish that all requirements of the standard are addressed where they apply to the activities covered by the scope of registration.
- Confirm that quality management system is appropriate to the product, process or service provided by the auditee, with the capability of managing and improving performance.
- Encourage auditee organizations to improve their management system on an on-going basis.
While accomplishing this, the registration audit must be conducted to satisfy the needs of the auditee organisation and maintain the integrity of the registration process as a whole. The team leader is responsible for managing and documenting the results of the registration audit. He may delegate specific responsibilities for conduct of audit activities to assigned audit team members.
The registration audit (Stage 2 audit) addresses the implementation of all the elements in the standard and focuses on-
- identification of environmental aspects & its effectiveness, defined criteria/procedure for significance and subsequent determination of their significance (for ISO 14001)
- Procedures to ensure compliance with legal & other requirements
- Inconsistencies between organization’s policy, objectives & targets and its procedures to achieve them or the results of their application. The registration audit team shall appreciate that it is for the organization to define the means by which its policy commitment to continual improvement, customer satisfaction and prevention of pollution is achieved and to develop processes for achieving / measuring performance.
- Auditee’s procedure & application for investigation / development of opportunities for improvement and programs for improvement.
- Auditee’s process for achieving continual improvement and its effectiveness.
- Operational control to maintain consistent performance and compliance to procedures
- Performance monitoring, measuring, reporting & reviewing against the legislative requirement, objectives and targets.
- Internal auditing, identification / evaluation of non-conformities and completion of effective corrective / preventive actions.
- Management review and management responsibility for quality management system.
- Interfaces and links between policy, aspects & impacts, objectives & targets, responsibilities, programs & procedures, performance data, internal audit and management review.
- Register of regulatory requirements (for ISO 14001)
- Seeking evidence for competence, experience, training & independence of internal auditors; auditing procedure & methodology; reference & standards; resource availability; organization & planning of audits; checks & reports; timeliness & effectiveness of corrective / preventive action and management of audit follow-up.
- Staff awareness of environmental requirement
If there are combined systems in place, e.g. QMS and EMS, then emphasis must be placed to ensure that both standards are adequately addressed and monitored. Records and auditor notes must demonstrate that adequate time has been given to each standard.
Stage 2 Audit
- Manager Operation’s or designee schedules the audit and informs the Audit team leader (TL). A set of necessary documents like client details, Stage 1 audit report etc is given to TL. On receiving the audit schedule from the AE, TL discusses the logistics and audit plan with auditee organisation. The Audit Plan, this is normally given along with the Stage 01 Audit Report and this is reconfirmed with the client normally a week before the planned audit date and the same is agreed upon prior to the audit. In case of any changes required by the client to the audit plan then the TL prepares a fresh audit plan and sends and confirms with the client. In case of any changes in the audit plan during the audit the same is captured as part of the audit report. Auditor background details are provided to client on request.
- During the audit planning the critical processes are identified as per the EA Case. It is desirable that at least 50% of audit time shall be used for auditing critical processes.
- Where the assignment is complex (multi-site, has specific technological requirements, and/or utilizes a large audit team etc.), a team briefing may be planned before the scheduled audit date to coordinate details.
- An opening meeting is held to advise the auditee organisation of the objectives of registration audit, details of the audit and schedule and obtain for the auditee organization’s cooperation.
- Where more than one person has been assigned, daily team meeting may be scheduled after the auditee organisation meeting / site visit to plan the day’s strategy and cover any points not included in the pre-visit team meeting.
- Changes to the auditee organization’s documentation since the previous visit is reviewed and outstanding non-conformance(s) followed-up. The auditee organization’s quality management system is assessed according to the schedule and audit trails identified during adequacy audit. Documents reviewed, personnel interviewed and other pertinent data is recorded in the auditor’s note pads / audit report. Non-conformances are raised after proper investigation against activities found non-compliant. The Observations are issued identifying areas of improvement only. The caution will be observed in recording the Observations so that the issues pertaining to non-conformance are not reflected as observations and vice versa. The recording of observations will be strictly confined to areas of improvement only. Where the available audit evidence indicates that the audit objectives are unattainable or suggests the presence of an immediate and significant risk (e.g. safety), the audit team leader shall report this to the client and, if possible, to the certification body to determine appropriate action. Such action may include reconfirmation or modification of the audit plan, changes to the audit objectives or audit scope, or termination of the audit. The audit team leader shall report the outcome of the action taken to the certification body. The audit team leader shall review with the client any need for changes to the audit scope which becomes apparent as on-site auditing activities progress and report this to the certification body.
- When audit is for more than a day, daily team debrief meeting is used to discuss findings, followed by auditee organisation debrief to present the findings of day.
- On the final day of the audit, the team discusses overall performance during the audit, review of stage 1 report, agree on audit scope, audit criteria, audit findings including classification of non-conformances, conclusions, agree any necessary follow-up actions, confirm the appropriateness of the audit program or identify any modification required for future audits (e.g. scope of certification, audit time or dates, surveillance frequency, audit team competence).
- And prepares the audit report (F092). The team decision to approve or defer registration is recorded in the report. Program for the next visit is also prepared (follow-up visit / surveillance plan). An organization can be recommended only if no major non-conformance is found. In case of a major non-conformance complete / limited audit is necessary and the audit time requirement is estimated by the auditor in discussion with Manager – Operations. The audit schedule for the special audit is detailed and agreed upon with the client. The audit team leader shall attempt to resolve any diverging opinions between the audit team and the client concerning audit evidence or findings, and unresolved points shall be recorded.
- The visit ends with a Closing Meeting where the recorded findings and team recommendations are formally presented to the auditee organisation and any follow-up actions agreed upon. Auditee submits the corrective action plan for all non-conformances issued. Also, during the Closing Meeting the Team Leader informs the Client for submitting the evidences of Corrective Action taken for review and closure of the Minor Non-Conformances identified. In case of major non-conformances identified the client is informed whether an additional full audit or an additional limited audit is necessary depending on the impact of the major non-conformance identified.
- The report (F092) is handed to the auditee organisation and a copy forwarded to Head Office for review and processing. The program (audit plan) for next visit along with a three-year audit program covering the entire certification cycle and auditor notes (if in hard copy) is forwarded to Client and AE with the report. Adequacy audit report issued is also returned to AE. The audit-trails are exclusive notes strictly for use of auditors to carry out the audit and the team leader shall ensure that they are never given out to the auditee.
- The report is submitted only after satisfactory verification of corrective actions taken for the non-conformance(s). The client shall submit the evidences of corrective actions taken within 3 months of the audit. Failure to satisfactory closure shall result in complete re-audit.
Surveillance Audit (SA)
The registered quality management system should continue to meet the requirements of specific standard and should be managed effectively by the auditee organisation. SA is intended to verify the continued effective maintenance of the auditee organization’s quality management system, satisfy the needs of the auditee organisation and maintain the integrity of the registration process as a whole.
SA is intended to:
- Assess that the auditee organization’s registered quality management system has been maintained.
- Verify that changes to quality management system subsequent to the previous visit are in compliance with respective standard and that objective evidence is available to substantiate implementation.
- Re-confirm that quality management system is appropriate to auditee organization’s product, process or service provided, with the capability of managing and improving performance.
- Promote the effectiveness of quality management system.
- Assess changes in auditee organization’s operations, technology that could affect the certification / registration (Changes for example change in scope, location, addition of other locations, change in employee etc. will be confirmed with the client by the Manager Operation’s or his designee at the time of scheduling the surveillance audit)
The various mandatory elements to be audited at every surveillance are –
- Changes to documented system
- Management responsibility & review
- Legal regulatory compliance
- Use of certificate and logo
- Internal audits
- Corrective & Preventive actions
- Document control
- Continual improvements
- Appeals / Complaints / communication from external interested parties
- Effectiveness of the management system to achieve auditee organization’s policy, Objectives & targets, intended results of the respective management systems.
- Progress of the planned activities and continuing operational performance
- Follow-up on identified non-conformities (internal / certifying body)
- Appeals / complaints received by ISOQAR
The surveillance audit may be combined with the audits of other management systems. The report should clearly indicate the aspects relevant for each management system.
First Surveillance Audit will be conducted within twelve months from date of certification decision and the subsequently at least once per calendar year.
The surveillance frequency / timing may be adjusted to accommodate factors such as seasons (seasonal products like fruit juices, sugar etc.) or management systems certification of a limited duration (e.g. temporary construction site).
Process steps for Surveillance Audit
The team leader is responsible for managing and documenting the results of SA. The team leader may delegate specific responsibilities for conduct of audit activities to assigned audit team members. Manager Operation’s is responsible for review of audit report to assess effectiveness. The process steps for the Surveillance Audit are
- Manager Operation’s or designee schedules the audit and informs the Audit team leader (TL). Care is taken that the first surveillance audit is scheduled within 12 months interval – date being last day of Certification Audit. Subsequent Surveillance Audits are to be carried out once annually at a minimum. A set of necessary documents like client details, earlier audit report, changes to client activity, changes in client manpower etc. is given to TL. On receiving the audit schedule from the AE, TL discusses the logistics and audit plan which was a part of the previous audit report with auditee organisation and confirms the same. This will be applicable in case there are no changes in the client activity.
- In case of any changes the TL will review the proposed surveillance, audit plan TL shall review the functions / processes audited in the earlier surveillances before finalizing the audit plan taking into the account the changed activity. TL shall ensure that all critical processes are audited at least twice and rest at least once in the three-year period.
- Where an assignment is particularly complex (i.e. begins at several different locations, has particular technological requirements, and/or utilizes a large number of team members, etc.), it may be beneficial to call a team briefing some time before the scheduled surveillance date to coordinate details.
- An opening meeting is held to advise the auditee organisation of the objectives of registration audit, details of the audit and schedule and obtain for the auditee organization’s cooperation.
- Where more than one person has been assigned, daily team meeting may be scheduled after the auditee organisation meeting / site visit to plan the day’s strategy and cover any points not included in the pre-visit team meeting.
- The audit team shall review the effectiveness of corrective actions taken for nonconformities issued in the earlier audit in subsequent surveillance audits / renewal audits. The audit team may decide to escalate the nonconformity to major or reissue the nonconformity, depending on effectiveness of the actions taken.
- Changes to the auditee organization’s documentation since the previous visit is reviewed and outstanding non-conformance(s) followed-up for effectiveness. The auditee organization’s quality management system is assessed according to the schedule and audit trails identified during adequacy audit. Documents reviewed, personnel interviewed and other pertinent data is recorded in the auditor’s note pads. Non-conformances are raised after proper investigation against activities found non-compliant. The Observations are issued identifying areas of improvement only. The caution will be observed in recording the Observations so that the issues pertaining to non-conformance are not reflected as observations and vice versa. The recording of observations will be strictly confined to areas of improvement only.
- When audit is for more than a day, daily team debrief meeting is used to discuss findings, followed by auditee organisation debrief to present the findings of day.
- On the final day of the audit, the team discusses overall performance during the audit and prepares the audit report (F092). The team decision to recommend continuation of certification is recorded in the report. Program for the next visit is also prepared (follow-up visit / surveillance plan). In case of a major nonconformity, complete / limited audit is necessary and the audit time requirement is estimated by the auditor in discussion with Manager – Operations. The audit schedule for the special audit is detailed and agreed upon with the client.
- The visit ends with a Closing Meeting where the recorded findings and team recommendations are formally presented to the auditee organisation and any follow-up actions agreed upon. Auditee submits the corrective action plan for all non-conformances issued. Also, during the Closing Meeting the Team Leader informs the Client for submitting the evidences of Corrective Action taken for review and closure of the Minor Nonconformities identified. In case of major nonconformity identified the client is informed whether an additional full audit or an additional limited audit is necessary depending on the impact of the major nonconformity identified.
- The audit summary report (F093) is handed to the auditee organisation and the report (F092) is forwarded to Head Office for review and processing. The program (audit plan) for next visit along with a three-year audit program covering the entire certification cycle and auditor notes (if in hard copy) is forwarded AE with the report. The audit-trails are exclusive notes strictly for use of auditors to carry out the audit and the team leader shall ensure that they are never given out to the auditee.
- The report is submitted to HO only after satisfactory verification of corrective actions taken for the non-conformance(s). The client shall submit the evidences of corrective actions taken within the time agreed with the audit team (within six months) Failure to satisfactory closure shall result in complete re-audit or suspension / with drawl of the certificate
- At least one half of the management system will be checked by the auditor at each surveillance visit. It is essential to ensure that the full system (as a minimum) is covered over a three-year period by surveillances. At each visit complaints, satisfactions, management review, internal audits, use of registration marks, documentation changes, and evidence of improvement will be reviewed.
- The three-year audit program may be reviewed and modified based on various inputs like complaints, changes in the certification / accreditation / legal requirements, changes in client’s management and interested party concerns.