Certification Process

The actual process of certification is a relatively straightforward matter.

Indeed, most of the certification schemes follow the same basic procedures as outlined below.

A potential client will be asked to provide the following information for the purpose of generating a quotation for certification services:

Desired scope of the certification;
General features of their organization, including the name and address (es) of its physical location(s), significant aspects of its process and operations, and any relevant legal obligations;
General information, relevant for the field of certification applied for, concerning the their organization, such as its activities, human and technical resources, functions and relationship in a larger corporation, if any;
Information concerning all outsourced processes used by the organization that will affect conformity to requirements;
The standards or other requirements for which they are seeking certification;
Information concerning the use of consultancy relating to the management system.

Once the quotation is accepted by the client, the acceptance will be acknowledged. Auditor(s) will be nominated and the client will be contacted to setup a Stage 1 audit.

A Stage 1 audit is performed for all new clients and will include the following:

Auditing of the client’s management system documentation;
Evaluation of the client’s location and site-specific conditions and discussions with the client’s personnel to determine the preparedness for the Stage 2 audit;
Review of the client’s status and understanding regarding requirements of the standard, in particular with respect to the identification of key performance or significant aspects, processes, objectives and operation of the management system;
Collecting necessary information regarding the scope of the management system, processes and location(s) of the client, and related statutory and regulatory aspects and compliance (e.g. quality, environmental, legal aspects of the client’s operation, associated risks, etc.);
Reviewing the allocation of resources for stage 2 audits and agree with the client on the details of the stage 2 audit;
Gaining a sufficient understanding of the client’s management system and site operations in the context of possible significant aspects to provide a focus for planning the stage 2 audit;’
Evaluation to determine if the internal audits and management review are being planned and performed, and that the level of implementation of the management system substantiates that the client is ready for the Stage 2 audit.

For most management systems, at least part of the Stage 1 audit will need to be carried out at the client’s premises in order to achieve the objectives stated above.

Upon completion of the Stage 1 audit a report will be generated and given to the client documenting the audit findings including identification of any areas of concern that could be classified as nonconformity during the stage 2 audit.

If the outcome of the Stage 1 audit is satisfactory, albeit with minor points raised, the Auditor will agree a date for the Stage 2 audit to commence.

Where the outcome is not satisfactory (major points raised) and the Auditor does not believe the client is ready to proceed to the Stage 2 audit, the Stage 2 audit will not be scheduled until the client has had sufficient time to resolve the points raised during the Stage 1 audit.

A Stage 2 audit is conducted to evaluate the implementation and effectiveness of the clients’ management system and will include at least the following:

Information and evidence about conformity to all requirements of the applicable management system standard or other normative document;
Performance monitoring, measuring, reporting and reviewing against key performance objectives and targets (consistent with the expectations in the applicable management system standard or other normative document);
The client’s management system and performance as regards legal compliance;
Operational control of the client’s processes;
Internal auditing and management review;
Management responsibility for the client’s policies;
Links between the normative requirements, policy, performance objectives and targets (Consistent with the expectations in the applicable management system standard or other normative document), any applicable legal requirements, responsibilities, competence of personnel, operations, procedures, performance data and internal audit findings and conclusions.

Upon completion of the Stage 2 audit, the Audit Team will analyse and review all information and audit evidence gathered during the Stage 1 and Stage 2 audits and agree on audit findings and conclusions.

A report will be generated and given to the client.

Where no concerns (discrepancies or non-compliances) have been raised, registration will be recommended by the Lead Auditor.
Where there are minor concerns (discrepancies) raised, the client will need to close out the concerns prior to registration being recommended.
Major concerns (non-compliances) raised also need to be closed out by the client, however a limited re-audit of the client may be required to effectively close out the major concerns prior to registration being recommended.

Once registration has been recommended, Report will be submitted to Further Review of Decision Maker and After review of Report, if Decision Maker accepted the Report, Certificate issued.

If it’s not accepted, reviewer will keep report on hold and may ask auditor for Justification on particular area of audit, if justification accepted, can be proceed further, if not Certificate cannot be proceed, This may require to Re-audit client or reject the certification.

The Decision Maker/ report reviewer should make the decision for granting or refusing Certification (upon Completion of certification Audit), expanding or reducing scope of certification, suspending or restoring scope of certification (upon Completion of certification/Surveillance Audit), Withdrawing or renewing certification (Upon Completion of Surveillance/Recertification Audit).

After issuance of certificate and the client will be placed on an agreed surveillance regime. For the smaller company, this may mean a single one-day visit per annum. However, for the larger client and depending upon the standard registered, the surveillance man-day requirements can be more onerous – see notes below.

At each surveillance visit, a random sample of the client’s system will be audited, but the approach will be similar to that of the formal on-site audit described above as a Stage 2 audit.

As such, a written report will be issued at the close of each surveillance visit and providing no major noncompliance points are raised, continued registration will be maintained.

The initial certificate of registration is valid for a three-year period, providing the client complies with the Certification Regulations, and the surveillance visits scheduled during the three-year period are satisfactory.

Prior to the end of the three-year certification period, a triennial review of all previous visit reports is conducted and then a complete reassessment audit is performed to ensure that all is in order for a new certificate, valid for a further three-year period, to be issued. The recertification audit may need to include a Stage 1 audit in situations where there have been significant changes to the management system, the client or the context in which the management system is operating (e.g. changes in legislation). The process then repeats as described above.

Notes

As stated previously, the process described above is in essence the same for all certifiable schemes offered. However, some schemes have slight variations.
During its validity period, Certification may be suspended (not exceeding 6 months) or the scope of certification reduced by order of the designated authority in line with the policy on this aspect, if the conditions so warrant, such as the following:
1. Organization does not agree or allow to get surveillance audit /recertification audit conducted within due date at the prescribed frequency.
2. Financial issues, such as non-payment of dues.
3. As a result of special visit, it is observed that correction or corrective actions taken by the client against findings/complaints are not appropriate. As a result, there is serious or persisting failure in maintaining Management System.
4. Failure to meet certification requirements including the requirement to maintain effectiveness of the certified management system
5. Client (certified organization) requests itself, provided suspension sought is for a limited period (say not exceeding six months) for any reason, such as strike at work of operation, temporary lock out, financial crises, major changes being taken up in the system during which they may not be able to comply with the system.
6. As a result of investigation of complaint, where the findings so warrant.
ISO 14001, IATF 16949, AS 9100 and HACCP, ISO 22000 requirements have additional requirements for auditing and as such, the audit man-day times are greater than those published for ISO 9001.
Guidance on man-day requirements is published by the IAF and as such, the client can verify whether any quoted times are reasonable and fair.