GENERAL REGULATION FOR MANAGEMENT SYSTEM …§ões... · · 2016-10-20See also SAI’s...

GENERAL REGULATION FOR MANAGEMENT SYSTEM CERTIFICATION SPECIAL REQUIREMENTS – SA8000

GENERAL REGULATION FOR

MANAGEMENT SYSTEM

CERTIFICATION

SPECIAL REQUIREMENTS

SA8000

of 27


REG001C-EN/8

Índex

1. FOREWORD ................................................................................................................................................... 3

2. SCOPE ............................................................................................................................................................ 3

3. NOTICE OF CHANGES ..................................................................................................................................... 3

4. DEFINITONS ................................................................................................................................................... 3

5. GRANTING CERTIFICATION ............................................................................................................................ 5

5.1 CERTIFICATION PROCESS ............................................................................................................................ 5 5.2 APPLICATION ............................................................................................................................................... 6 5.3 SOCIAL FINGERPRINT PROCESS ................................................................................................................... 8 5.4 APPLICATION REVIEW ................................................................................................................................. 9 5.5 PRE-AUDITS ............................................................................................................................................... 10 5.6 AUDIT TEAM .............................................................................................................................................. 10 5.7 INITIAL AUDIT ............................................................................................................................................ 12 5.8 AUDIT REPORT........................................................................................................................................... 13 5.9 CERTIFICATION DECISION ......................................................................................................................... 14 5.10 CERTIFICATE AND USE OF CERTIFICATION MARKS ................................................................................... 15

6. SURVEILLANCE AND RECERTIFICATION AUDITS ............................................................................................15

6.1. SURVEILLANCE AUDITS ............................................................................................................................. 15 6.2. RECERTIFICATION AUDITS ......................................................................................................................... 16

7. SPECIAL AUDITS ............................................................................................................................................17

8. SANCTIONS ...................................................................................................................................................17

9. VOLUNTARY SUSPENSION OR WITHDRAWAL OF THE COMPLIANCE CERTIFICATE ........................................18

10. COMPLAINTS AND APPEALS ......................................................................................................................19

11. POSTPONMENTS .......................................................................................................................................20

12. CONFIDENTIALITY .....................................................................................................................................20

13. INFORMATION ..........................................................................................................................................21

14. FINANCIAL OBLIGATIONS ..........................................................................................................................22

15. NOTICE OF CHANGES BY THE ORGANIZATION...........................................................................................22

16. CERTIFICATION RECOGNITION AND TRANSFER .........................................................................................22

17. RESPONSIBILITY ........................................................................................................................................23

ANNEX A – CYCLE TIMELINE TO SA8000:2014 .......................................................................................................25

ANNEX B – INTEGRATION OF SF INTO SA8000:2014 CERTIFICATION ....................................................................26

of 27


REG001C-EN/8

1. FOREWORD

1.1 This document presents the specific dispositions for the certification of Social Accountability

Management Systems according to SA8000 standard.

2. SCOPE

2.1 The present document applies to all SA8000 certification processes.

2.2 SA8000 certification is generally permitted in all countries and is applicable in all industries

except as designated in the exclusions below.

2.3 SA8000 certification is not permitted in Maritime Activities covered by the MLC sector.

Additionally, SAI published a SA8000:2014 Certification Exclusion List which shall be consulted for

up to date exclusions.

2.4 SA8000 certification is valid for a single organization or a multi-site organization with facilities

within a single country. Multi-site certification across multiple countries is not permitted.

2.5 SAAS developed an SA8000 certification country risk assessment process to categorize the

oversight and assurance process activities according to risk level. This methodology allows the

categorization of countries as highest, high and lower risk. The classification used is periodically

reviewed by the SAAS that communicates with APCER.

2.6 APCER can certify an entire organization; however, it is not possible to certify personnel in only

one department of a multi-department organization and not the other(s).

2.7 The reference documents for the SA8000 certification are the SA8000:2014 standard, the

Performance Index Indicator Annex, the Social Fingerprint and ISO/IEC 17021-1:2015.

3. NOTICE OF CHANGES

3.1 APCER reserves the right to amend the certification requirements during the period of validity of

the certificate, in particularly, if there are changes in the requirements defined by SAAS. Changes

to certification requirements imply the amendment of the present document, REG001C.

3.2 Any changes made to this document are communicated to Client Organizations.

4. DEFINITONS

4.1 For the purposes of this document the definitions given in the SA8000 standard, procedures 200,

201A and 201B shall apply.

4.2 For SA8000 certification there are four types of audit non-conformity findings:

- Critical non-conformity (CNC): a grievous breach of the SA8000 Standard that results in

severe impact to individual rights, life, safety and/or SA8000, SAI or SAAS’ reputation. That

includes:

of 27


REG001C-EN/8

1. A breach of ethical standards;

2. Immediate threats to workers lives; and/or

3. Grievous and intentional violations of human rights.

Note: In the case of an SA8000 certified organization, the raising of a CNC results in the immediate

suspension of the organization’s SA8000 Certificate.

- Major nonconformity (MNC): one or more of:

The absence or total breakdown of a system to meet an SA8000 requirement. A

number of minor-nonconformities against one requirement can represent a total

breakdown of the system and thus be considered a major nonconformity;

A nonconformity that judgment and experience indicate is likely either to result in

the failure of the social management system in meeting its goals and expectations or

to materially reduce its ability to assure control of this policies and directives in the

workplace to protect its workers;

A minor non-conformity that has not been addressed, or for which no significant

improvement has been made by the time of a follow-up audit, in spite the

organization’s commitment to resolve the issue;

A nonconformity that poses an imminent and immediate but not life-threatening

threat to the health and safety of workers;

A Major non-conformity may be raised after the audit only in the case where an

auditor is concerned for their personal safety and the possible consequences that

might arise if they raised the Major NC at the time of the audit;

A Major non-conformity that has not been addressed or for which no significant

improvement has been made by the time of a follow up audit, in spite of the

organization’s commitment to resolve the issue, shall lead to the organization being

issued a warning and moved toward suspension;

- Minor nonconformity (NC): a failure or oversight in some part of the organization’s social

management system relative to SA8000 that is not systemic in nature, or a single observed

lapse in following one item of organization’s social management system.

- Time-Bound Non-Conformity (TB NC): special non-conformities that can only be raised as a

result of audit evidence and findings that show that the client organization meets the local law

but not the higher requirements of SA8000:2014 or vice versa. TB NCs can only be raised for

findings regarding Remuneration: the organization pays workers the legal minimum wage but

not a living wage.

- Opportunity for improvement (OFI): to indicate where practice is a little slack or inconsistent

or systems may be improved.

4.3 Other important definitions to consider for SA8000:2014 certification are described below.

of 27


REG001C-EN/8

4.4 Maritime Activities: Those involving seafarers, i.e. any persons employed or engaged or working

in any capacity on board a ship. See also SAI’s SA8000:2014 Certification Exclusion List.

a. Maritime Activities are further broken down into those excluded from SA8000

certification and those that are not.

b. Maritime Activities excluded from certification are those covered by the ILO Maritime

Labor Convention, 2006 (NO. 186), (MLC).

c. Maritime Activities that may be eligible for certification are those that relate to

seafarers on vessels that navigate exclusively in inland waters or waters within, or

closely adjacent to sheltered waters or areas where port regulations apply.

d. The determination as to whether a ship is a certifiable workplace will depend on several

factors, including definitions supplied by local regulations.

4.5 Zero Tolerance: Violations observed during an SA8000 audit that, in the opinion of APCER’s audit

team, require immediate action by the organization, require the APCER’s SA8000 auditor to raise

a Critical or Major Non-Conformity at the time of observing the violation. The audit may be

aborted. May also be known as a critical or immediately reportable issue.

4.6 Micro-enterprises: a micro-enterprise is an organization with 10 or fewer personnel.

4.7 Breach of Ethical Standards: verified intentional attempts to corrupt or defraud the SA8000 audit

process.

4.8 Grievous and Intentional Violations of Human Rights: Intentional egregious violations of human

rights. As the aim of the audit process is to evaluate conformity with the SA8000 Standard,

efforts shall be made by the applicant or certified organization to rapidly bring about the

necessary changes to address these violations.

4.9 Duplicate Audit: An audit that repeats the audit that was performed previously to check if

findings are credible.

5. GRANTING CERTIFICATION

5.1 CERTIFICATION PROCESS

5.1.1 Initial certification audits to organizations not yet certified according to SA8000 include an

evaluation of the organization using Social Fingerprint. These organizations shall complete the

Social Fingerprint Self-Assessment through the SAI online training centre prior to the initial

SA8000:2014 Stage 1 Audit and consult the instructions made available by SAI - SA8000:2014

Social Fingerprint Self-Assessment Client Instructions.

5.1.2 Organizations already certified SA8000:2008 intending to make the transition to SA8000:2014

shall identify and implement all changes necessary to their existing SA8000-documentation in

order to meet the requirements of SA8000:2014 and the integration of Social Fingerprint into

the audit process. They shall conduct a gap analysis to understand the areas in their system

of 27


REG001C-EN/8

that need to be revised and complete the SF Self-Assessment in the online SAI Training Center

before the Stage 2 Audit recertification.

5.1.3 APCER will assess the implementation of SA8000:2014 by the organization during an on-site

transition audit which may be completed during normally scheduled certification,

recertification and surveillance activities. Additional assessments may be conducted if

considered necessary by APCER. For the transition audit the organization shall perform the

Social Fingerprint self-assessment before the audit and an independent evaluation will be

performed by APCER.

5.1.4 If the organization has retained a consultant to help it achieve SA8000 certification, the

consultant may attend the Opening and Closing Meetings but may not represent the

management of the organization during the audit. If in attendance, they shall be silent

observers.

5.1.5 The organization shall give access to SAAS for the purposes of witness audits and other special

audits as needed.

5.2 APPLICATION

5.2.1 Before requesting SA8000:2014 certification, the organization shall:

- Have a management system fully implemented for at least 6 months according to reference

documents, and provide records to evidence its adequacy and effective operation and have

performed an internal audit to all SA8000 requirements and a management review before

APCER’s initial audit;

- Have completed the Social Fingerprint Self-Assessment through the SAI online training

centre;

- Organizations already certified SA8000:2008 shall have conducted a gap analysis to

understand the areas in their system that need to be revised

5.2.2 When sending the application form, the organization shall provide a simple layout

drawing/plan of their premises that includes all buildings and floors and canteen, dormitory,

clinic and crèche and all other employer provided worker service facilities as appropriate,

including any areas under construction or renovation.

5.2.3 Shell Companies, organizations without active operations, are prohibited from being certified

to SA8000. Therefore any organization applying for SA8000 certification shall:

- Have been engaged in its stated business for at least 6 months prior to its application for

SA8000;

- Have active contracts with its customer(s).

5.2.4 The candidate organization shall define the scope of certification according to the following

rules:

of 27


REG001C-EN/8

- The geographic boundaries of the scope shall be clearly defined;

- The scope of a single SA8000 certificate shall include the entire legal entity’s structure and

cover all processes, properties and operations of a continuous process or premises;

- In cases where a subcontractor is used by the organization to deliver parts of its activities,

the scope statement shall clearly specify that some processes are delivered by

subcontractors and those parts are excluded from the scope;

- Working conditions for all personnel working on-site of the organization seeking

certification (including those employed by supplier organizations) are required to also

comply with the requirements of SA8000;

- Employment agencies shall include their contracted workers in their scope of certification.

5.2.5 The candidate organization shall post the SA8000 Standard in prominent locations including in

field offices.

5.2.6 Multi-site organizations may also require a certification process. The multi-site organization is

defined as an organization having an identified central function (central office or headquarters

or head office) at which activities are planned, controlled, and/or managed with a network of

offices, branches or sites at which activities are carried out. The organization shall have a

common management system which has established policies and procedures to manage all

sites. The sites shall be subject to internal audits, at minimum annually, and surveillance by the

head office. The results of these internal audits shall be available for review by the CB during

the headquarters audit.

5.2.7 The multi-site organization shall have one designated and formally nominated SA8000

management representative and deputy at the organization headquarters for the whole group

of sites, as well as local management representatives at the additional sites, and the following

SA8000 requirements shall be managed centrally at a designated organization headquarters:

- Authorization and Control of the SA8000 Management System Documentation;

- Evaluation and control of corrective actions, including root cause analysis, correction

and preventive action;

- Centralized Management Review that addresses all sites;

- Centralized Hazard Analysis and Risk Assessment activities;

- Centralized internal audit planning, delivery and evaluation of internal audit results

(Client’s Lead Internal Auditor shall have taken and passed the SAI-approved 3-day and

2-day Basic SA8000 Auditor Course);

- Control of suppliers;

- Centralized management systems addressing HR function;

- Identification and management of training needs.

of 27


REG001C-EN/8

5.2.8 For multi-site organizations, the certification scope shall be similar for all sites. The scope of

the certificate shall be transparent and clear for all stakeholders to understand exactly what is

included in the certification. Multi-site certification shall not apply to organizations where the

sites have fundamentally dissimilar or unrelated processes or activities, even though they may

be under the same management system.

5.2.9 If the scope of a SA8000 certificate includes workers that work at permanent sites not owned

and not controlled by the organization, for the multi-site certification:

- These activities can only be added to the organization’s SA8000 multi-site certification if

the organization formally audits the site and maintains records of such audits.

- A sample of these permanent sites shall be subject to internal audits each year by the

organization.

5.2.10 For multi-site organizations with workers that work at permanent sites not owned and not

controlled by client organisation (such as those workers employed by a staffing or cleaning

agency) for the multi-site certification:

- These activities can only be added to the Client’s SA8000 multi-site certification if

organization formally audits the site and maintains records of such audits.

- A sample of these permanent sites shall be subject to internal audits each year by the

organization as well as site audits by APCER.

- Should APCER not be permitted access to any of these permanent sites at any time for

whatever reason, the Client’s multi-site certification shall be cancelled and withdrawn.

5.2.11 In the case of multi-site certificates, if the organization fails to meet the requirements of

SA8000 over subsequent audits, then the entire multi-site certificate will be cancelled and

each site is required to be certified autonomously. It is not acceptable that, in order to

overcome the obstacle raised by non-conformities identified by APCER with respect to a

particular site, that the organization seek to exclude this site from the scope of the multi-site

certification process.

5.3 SOCIAL FINGERPRINT PROCESS

5.3.1 The Social Fingerprint is an assessment method of the SA8000 maturity system of each

organization and includes a Self-Assessment taken by the SA8000 applicant or certified

organization and an Independent Evaluation conducted by APCER’s auditors.

5.3.2 The Social Fingerprint Self-Assessment is considered valid for a period of 6 months.

5.3.3 By incorporating the Social Fingerprint into SA8000:2014, SAI aims to increase the integrity,

credibility and effectiveness of SA8000 certification and build the capacity of SA8000 certified

organizations to develop mature management systems.

5.3.4 The integration of Social Fingerprint assessment into the SA8000:2014 certification process is

explained in Annex B of this document.

of 27


REG001C-EN/8

5.3.5 During the initial certification cycle, a Social Fingerprint Independent Evaluation will be

conducted by APCER during the following audits:

- Stage 1 Audit;

- Stage 2 Audit;

- Surveillance 2.

- Surveillance 4.

5.3.6 For organizations already certified SA8000:2008 that transition to SA8000:2014 at

recertification, a Social Fingerprint Independent Evaluation will be conducted by APCER during

the following audits:

- Recertification Stage 2 SA8000:2014 Audit;

- Surveillance 2;

- Surveillance 4.

5.3.7 For organizations already certified SA8000:2008 that transition to SA8000:2014 during a

surveillance audit shall complete the Self-assessment through the SAI online training centre

before the transition audit.

5.3.8 In this case, a Social Fingerprint Independent Evaluation will be conducted during the following

audits:

- The surveillance audit that serves as the transition audit to SA8000:2014.

- Two additional audits in addition to the next recertification audit:

o If transition audit occurs during a surveillance 1 or 2 Audit, the Social Fingerprint

Independent Evaluation occurs at the Surveillance 3 and Recertification Audit;

o If transition audit occurs during surveillance 3, 4 or 5 Audit, the Social Fingerprint

Independent Evaluation occurs at the Recertification Audit.

5.3.9 After completing the certification cycle with SA8000:2014, the Social Fingerprint process (self-

assessment and independent evaluation) occurs during the recertification audit every 3 years

except for organizations that transition to SA8000:2014 during a Surveillance 4 or 5 Audit (see

Annex A).

5.3.10 The organization that completes the Social Fingerprint process, including the self-assessment

and the independent evaluation, receives a Social Fingerprint Scorecard. This Scorecard

contains two sets of scores: 1) the self-assessment scores and 2) the independent evaluation

scores.

5.4 APPLICATION REVIEW

5.4.1 APCER reviews the application and communicates its result to the Organization.

of 27


REG001C-EN/8

5.4.2 APCER reserves the right not to provide services, nor maintain contractual relationships with

organizations, nor to issue or maintain certification of an organization whose activities are in

conflict of interest with APCER's obligations stipulated in the accreditation agreement with

SAAS for SA8000 certification activities or, based solely in APCER’s opinion, with organizations

that may have a negative impact on APCER reputation. Organizations engaged in illegal

activities, or having a history of repeated non-compliance with the certification requirements,

among others, are in these circumstances.

5.4.3 APCER reserves the right to cancel the certification process if the initial audit does not occur in

a period of 6 months after the acceptance of the application, due to reasons not attributable

to APCER.

5.4.4 APCER reserves the right to cancel the certification process, if the certification is not granted,

in a two years period after the application, due to reasons attributable to the Organization.

5.4.5 Whenever the situations mentioned in 5.3.3 e 5.3.4 occur, APCER notifies, in writing, the

Organization of the process cancellation unless this communication is no longer possible

because APCER was not informed of any contact changes.

5.5 PRE-AUDITS

5.5.1 APCER provides pre-assessment audits as an optional service, upon request of the candidate

organization.

5.5.2 The pre-audit can only be performed prior to the initial Stage 1 audit and shall not be

performed in lieu of a Stage 1 audit. The pre-audit is formally documented in an audit report

and consists of non-binding findings.

5.6 AUDIT TEAM

5.6.1 APCER informs in writing the audit team composition, requesting the Organization’s

acceptance. Usually, the audit team includes a lead auditor and one or more auditors,

including technical experts. The size and composition of the audit team depends of various

factors, including the requested scope of certification.

5.6.2 The Organization can object to any particular appointed auditor. For that, the Organization

shall fundament in writing its reasons, in a 5 days period after receiving the communication. If

APCER considers valid the reasons presented by the Organization appoints other auditor. If the

objections raised by the Organization prevent the audit conduction by qualified auditors,

APCER reserves the right to cancel the certification process for non-feasibility.

5.6.3 The applicant organization expressly recognizes the independence of AT and undertakes to

refrain from any offers to the AT or to entities related to it, which can compromise its

independence, including the request for consultancy or other activities, within the time limits

of 27


REG001C-EN/8

agreed between APCER and the Audit Team, namely two years before and two years after the

service.

5.6.4 The lead auditor is responsible for coordinating the audit and for establishing communication

between the audit team and the Organization, including setting the dates of the audit.

5.6.5 Other types of audit participants are auditors, technical experts (person who provides, to the

audit team, specific knowledge or expertise related to the organization, the process or activity

to be audited), translators, interpreters and observers.

5.6.6 Observers may be included in the audit team, without additional costs for the Organization,

but do not participate in the audit. The observers can be:

- APCER’s auditors in a qualification process;

- APCER’s auditors that are “Supervisors” included in the auditors’ supervision process, this

is, in situ evaluation of its performance;

- Evaluators of accreditation bodies as part of APCER's accreditation process, in particular in

witness audits.

5.6.7 The organization shall ensure that auditors have free access to premises, documents,

processes, areas, records and personnel relevant to the evaluation process of the management

system and verification of its application limits. The audit team shall have access to all parts of

the facility, during working hours (including night shifts) on an announced and unannounced

basis and so they can confirm all buildings and locations that the organization operates. This

includes any areas under construction or renovation, in which case auditors shall be provided

with protective equipment as necessary.

5.6.8 Relevant staff includes staff covered by the scope of certification of the management system,

including contracted staff, staff working on behalf the organization or employees external to

the organization.

5.6.9 The organization must be available to the Audit Team during the audit and contribute to its

realization, informing the AT about all the facts relevant to the assessment of the management

system.

5.6.10 All areas of the organization shall be able to be briefly toured (including canteen, dormitory,

clinic and crèche and all other employer-provided worker service facilities as appropriate).

5.6.11 The audit team shall take the following pictures for evidence of conformance:

- SA8000 standard(s);

- Evacuation exits;

- Organization building/premises;

- Evacuation drills;

- Work floor(s);

- Warehouse;

of 27


REG001C-EN/8

- Dormitory;

- Supporting facilities (e.g. sewage treatment, boiler, generator);

- Canteen;

- Attendance record system;

- Chemical storage area;

- Work-in-progress;

- Personal protective equipment;

- H&S non-compliances;

- Firefighting equipment;

- Best practice

- All Organization’s documents reviewed as a part of the management systems.

5.6.12 Other than identified above photographs are kept to a minimum and not include those of

proprietary processes or individual workers.

5.6.13 If the client organization refuses permission to take photographs this will be clearly stated in

the audit report.

5.6.14 When required by the audit team, the organization shall provide their calculations of living

wage, minimum wage and lowest wage in the organization, adjusted to gross or net.

5.7 INITIAL AUDIT

5.7.1 The purpose of the initial certification audit is to evaluate if the Organization’s management

system fulfils the requirements of the applicable standard. The social accountability

management system implemented by the organization shall be in compliance with the SA8000

standard requirements, and requirements established by APCER in this document.

5.7.2 The initial certification process is generally conducted in three stages: stage 1 and stage 2

audits and Social Fingerprint Independent Evaluation in both stages. This evaluation is

performed during the audit.

5.7.3 The stage 1 audit is conducted during an on-site visit to the organization. In the case of micro-

enterprises, APCER may consider not necessary an on-site Stage 1 audit.

5.7.4 The stage 1 SA8000 audit includes a document review to confirm that the organization has

established procedures and processes, is knowledgeable of legal requirements, and is ready

for a Stage 2 SA8000 certification audit.

5.7.5 Stage 1 audit findings are documented and communicated to the Organization. In determining

the time period between stage 1 and stage 2 audits, consideration is given to the needs of the

Organization to solve audit findings identified during stage 1, but in no case can exceed 6

months.

of 27


REG001C-EN/8

5.7.6 If any significant changes which would impact the management system occur, APCER may

consider the need to repeat all or part of stage 1. In this case, the Organization is informed

that the results of stage 1 may lead to postponement or cancellation of stage 2.

5.7.7 The stage 2 SA8000 audit confirms that the organization is effectively implementing a

management system and conforming to the requirements of the SA8000 Standard. At this

stage, workers are interviewed. It also involves a Social Fingerprint Independent Evaluation of

the organization’s Social Fingerprint Self-Assessment.

5.7.8 In extreme circumstances, an audit can be terminated for lack of proper or adequate system

implementation. In this case, a report is produced that covers the activities performed until

the audit was terminated. If a stage 2 audit is terminated, the audit shall be repeated from the

very beginning of the stage 2 process, if the applicant continues to seek certification.

5.8 AUDIT REPORT

5.8.1 The audit report provided by the audit team is APCER’s property.

5.8.2 The audit findings recorded in the audit report are classified according to 4.

5.8.3 A list of non-conformities is presented at the audit’s closing meeting.

5.8.4 The audit report is sent to the organization one month after the last day of the audit. Any

diverging opinions regarding the audit findings or conclusions that cannot be solved and

clarified at the closing meeting are recorded in the audit report.

5.8.5 The Audit Report is validated by APCER, and can suffer changes by APCER.

5.8.6 The Organization submits to APCER a corrective action plan after the conclusion of the audit,

identifying for each nonconformity and major nonconformity a root cause analyses, correction

and corrective action taken or planned to be taken, the deadline and the person responsible

for it. The following timeline shall be complied with and actions shall be implemented and

verified prior to the expiration of certification.

5.8.7 The CNC, MNC and NC shall be addressed within the following time, from the last day of the

on-site audit:

Type of non-

conformity

Corrective Action Plan Sent To

APCER Within

Corrective Action

Completed Within

Critical NC 1 week 1 month

Major NC 1 month 3 months

Minor NC 2 months 6 months

5.8.8 The TB NC shall be addressed as follows:

- Nominal Corrective Action: 18 months;

of 27


REG001C-EN/8

- Maximum Corrective Action Timeline: 24 months.

5.8.9 Corrective actions not completed within the allocated timing will result in upgrading the NC

and/or suspension or loss of the SA8000 certificate, depending on the nature of the lapse of

the social accountability management system.

5.8.10 APCER verifies the effectiveness of correction and corrective actions taken prior to closing an

NC through:

- On-site verification of effectiveness for closure of all Critical and Major NCs. There may be

very limited circumstances when a Critical or Major can be closed via documentation

review.

- The special audit to confirm effectiveness of corrective actions addressing Critical NCs shall

take place within 30 days of issuance of the Critical NC. The audit to confirm effectiveness

of corrective actions addressing Major NCs shall take place within 90 days of issuance.

- APCER may determine as necessary an on-site visit to confirm effective closure of a Minor

or Time-Bound NC.

5.8.11 APCER informs the Organization of the result of this review and verification. APCER may decide

the need to perform an additional full audit, an additional limited audit, or documented

evidence to verify effective correction and corrective actions.

5.9 CERTIFICATION DECISION

5.9.1 APCER appreciates the audit report, the corrective action plan and the evidences of the

implementation of the corrective actions taken.

5.9.2 The certification decision depends on the corrective actions submitted by the Organization

being considered appropriate by APCER.

5.9.3 On-site verification of effectiveness of the corrective actions implementation is required for

closure of all Critical and Major NCs. Only in very limited circumstances a Critical or Major can

be closed via documentation review.

5.9.4 The special audit to confirm effectiveness of corrective actions addressing Critical NCs shall

take place within 30 days of issuance of the Critical NC. The audit to confirm effectiveness of

corrective actions addressing Major NCs shall take place within 90 days of issuance.

5.9.5 If an on-site visit is required to confirm effective closure of a Minor or Time-Bound NC, this is

communicated at the end of the audit.

5.9.6 The certification decision can be positive or negative.

5.9.7 In the event of a negative certification decision, APCER justifies its decision and proposes a

follow up audit, to occur within a six month period.

5.9.8 The certification decision is communicated to the Organization, in writing, within one month

period following the reception of all necessary information, except in duly justified cases.

of 27


REG001C-EN/8

5.10 CERTIFICATE AND USE OF CERTIFICATION MARKS

5.10.1 After a positive certification decision, APCER issues a certificate valid for three years and

authorizes the certified Organization to use the certification marks, according to the APCER’s

procedure “Rules for the Use of the Certification Mark”, IT034.

5.10.2 An SA8000-certified organization may use the SAAS accreditation mark for SA8000 only in

conjunction with the accredited APCER’s certification mark on the organization’s stationery,

literature, and website subject to the conditions below and to the CB’s own conditions for use

of its certification mark.

5.10.3 In no circumstances, the certification mark shall be used outside the scope of certification

identified in the Certificate.

5.10.4 The abusive use of the certification marks or certificate, by the certified Organization or by

thirds, gives APCER the right to exercise proper control of ownership and take proper actions,

including legal actions.

5.10.5 APCER verifies the proper use of the certification marks and certificate in the surveillance and

recertification audits, and the abusive use or the failure to fulfil the requirements of the

procedure “General rules for using the certification mark” is considered nonconformity.

6. SURVEILLANCE AND RECERTIFICATION AUDITS

6.1. SURVEILLANCE AUDITS

6.1.1. The SA8000 certification process comprises of 5 surveillance audits (one every six months),

with an independent evaluation of the Social Fingerprint during surveillance audits 1 and 2,

and a recertification audit at the beginning of the new cycle, also with an independent

evaluation of the Social Fingerprint.

6.1.2. The purpose of the surveillance audit is to confirm the continuing compliance of the certified

Organization with the requirements of the applicable standard, and is not necessarily full

system audits.

6.1.3. During an audit cycle, at least one surveillance audit is unannounced for all organizations. For

organizations in high and highest risk countries, another surveillance audit is unannounced.

6.1.4. The first surveillance audit is always announced and shall occur no later than 6 months from

the last day of the initial Stage 2 or recertification audit.

6.1.5. The second surveillance audit is the mandatory unannounced audit and will occur between the

4th and 8th month after the 1st surveillance audit.

6.1.6. A major nonconformity or persistent issues may indicate the need for an additional

unannounced audit during the period of certification.

6.1.7. The process is equivalent to the described in 5.

of 27


REG001C-EN/8

6.1.8. At the request of the organization within the initial certification cycle, after the first six month

audit and the second [twelve month] audit, micro-enterprises may be allowed to move to an

annual surveillance schedule in lower risk countries only. If the number of personnel increases

to more than ten within the initial certification cycle, the frequency of the required SA8000

surveillance audits reverts to a 6 monthly semi-annual surveillance schedule for that

organization.

6.1.9. APCER reserves the right to apply sanctions without waiting for the corrective action

implementation, whenever the audit report analysis concludes that the conditions to maintain

the certified Organization status are not met.

6.2. RECERTIFICATION AUDITS

6.2.1. The purpose of the recertification audit is to evaluate the continued fulfilment of all of the

requirements of the reference standard, confirming the effectiveness of the management

system as a whole and shall address the following:

- Effectiveness of the management system in its entirety in the light of internal and

external changes and its continued relevance and applicability to the scope of

certification;

- Demonstrated commitment to maintain the effectiveness and improvement of the

management system in order to enhance overall performance;

- The effectiveness of the management system with regard to achieving the certified

organization‘s objectives and the intended results of the management system.

6.2.2. The recertification audit shall be planned and conducted until 120 days before the certificate

expires to enable for timely renewal.

6.2.3. Organization response to the recertification audit report shall ensure that APCER has thirty

days to review it.

6.2.4. For any Critical or Major nonconformity, the corrective actions shall be implemented and

verified by APCER prior to the expiration of certification.

6.2.5. When recertification activities are successfully completed prior to the expiry date of the

existing certificate, recertification is recommended. A new certificate is issued for a new 3

years cycle based on the expiry date of the existing certificate.

6.2.6. If APCER has not completed the recertification audit or is unable to verify the implementation

of corrections and corrective actions prior to the expiry date of the certification, then the

recertification shall not be recommended and the validity of the certification shall not be

extended.

6.2.7. If the outstanding recertification activities are completed within 6 months following the expiry

date of certification, APCER can restore certification and the effective date on the certificate

of 27


REG001C-EN/8

shall be the date of recertification decision and the expiry date shall be based on prior

certification cycle (less than 3 years).

6.2.8. If the outstanding activities are not completed as defined in 6.2.7 at least an initial stage 2

audit shall be conducted.

6.2.9. The recertification audit considers the performance of the management system over the

period of certification, and includes the review of previous surveillance audit reports and

possible complaints.

6.2.10. In situations where there have been significant changes in the management system, in the

Organization, or in the context in which the management system is operating, the

recertification audit activities may be conducted in two stages, following the methodology

defined for initial audits.

7. SPECIAL AUDITS

7.1 Special audits are typically performed for the following reasons and can be announced or

unannounced:

- Extension/expansion of a client organization’s scope of SA8000 certification.

- To investigate possible auditor bribery.

- To investigate a complaint, whether generated internally, from a stakeholder, from a client

organization or from SAAS.

- As part of a calibration/duplicate audit process.

7.2 The organization shall allow APCER to access organization’s premises to perform special audits,

when determined necessary.

8. SANCTIONS

8.1 The failure of the conditions established in this Regulation, as well as of the terms of the

application form, by certified Organizations may be subject to sanctions, for which APCER shall

consider the seriousness of the breach, persistence and repetition of the same.

8.2 Applicable sanctions are suspension and withdrawal of the certificate.

8.3 The sanctions imposed are always communicated to the certified Organization in writing by

registered letter with acknowledgment.

8.4 The suspension or the withdrawal of the certificate does not give the Organization any right to

reimbursement of payments made by that date, or to release from payment of services that are

still to pay.

8.5 If the organization does not accept that an audit of APCER is witnessed by SAAS, this will lead to

the withdrawal of the certificate.

of 27


REG001C-EN/8

8.6 APCER suspends the certification when:

- the organization’s certified SA8000 management system has persistently or seriously failed

to meet certification requirements, including requirements for the effectiveness of the

management system;

- the certified organization does not allow surveillance or recertification audits to be

conducted at the required frequencies.

8.7 Under suspension, the SA8000 certification is temporarily invalid.

8.8 APCER restores the suspended certification if the issue that has resulted in the suspension has

been resolved. Failure to resolve the issues that have resulted in the suspension in a time

established in section 5.8 will result in withdrawal of certification.

8.9 If a Critical Non-Conformity is raised and leads to withdrawal of the SA8000 certificate, the

organization may re-apply for certification after a period of three years from the date when a

Critical Noncompliance Non-Conformity associated with audit integrity is issued.

8.10 If an organization has its SA8000 certificate withdrawn by APCER for any reason and the

organization decides, within 6 months, to re-establish its SA8000 certification with APCER, the

defined in section 6 of the present document shall apply. Any requests to re-establish its SA8000

certification after 6 months, or with a new CB, shall be treated as a new application and an initial

certification audit is required.

8.11 In case of multi-site certificates, if the organization fails to meet the requirements of SA8000 over

subsequent audits, then the entire multi-site certificate will be cancelled and each site will be

required to be certified autonomously. Additionally, if APCER is not permitted to access to any of

the permanent sites at any time for whatever reason, the organization’s certification will be

cancelled and withdrawn.

9. VOLUNTARY SUSPENSION OR WITHDRAWAL OF THE COMPLIANCE CERTIFICATE

9.1 The certified Organization may request the temporary suspension or the withdrawal of the

certificate.

9.2 The suspension or withdrawal requests shall be addressed to APCER by registered letter with

acknowledgment of receipt, within a minimum of 60 days, except in force majeure cases, prior to

the date of effect of the voluntary suspension or withdrawal.

9.3 In any case the suspension or withdrawal requests release the certified Organization from the

obligation to proceed with the payments due to APCER and do not give the Organization the right

to reimbursement of payments made by that date.

9.4 The voluntary suspension period is agreed between APCER and the Organization and determined

by the motivations that led to the voluntary suspension, being usually 6 months. For duly justified

cases this period may not be longer than one year.

of 27


REG001C-EN/8

9.5 The revalidation of a suspended certificate implies the performance of an audit to assess the

compliance with all the requirements established by the applicable standard, and does not

replace the certification cycle audits.

9.6 During the voluntary suspension period, the organization cannot use the certificate and the

certification marks, or make any reference to the certification granted by APCER.

9.7 If an organization voluntarily decides to suspend its SA8000 certification granted by APCER and

then decides within 6 months to re-establish its SA8000 certification with APCER, the defined in

section 6 of the present document shall apply. Any requests to re-establish its SA8000

certification after 6 months, or with a new CB, are treated as a new application and an initial

certification audit is required.

10. COMPLAINTS AND APPEALS

10.1 The complaints addressed to APCER can be related to the service provided by APCER or

complaints about Organizations certified by APCER.

10.2 The complaints and appeals are dealt with in accordance with the procedures established for this

purpose and publicly available.

10.3 Complaints received by APCER on organizations it has certified under the scope of the respective

certificates are communicated to the holders of the certificate and are investigated by APCER

with the interested organization or other relevant stakeholders and may lead to additional

investigation actions.

10.4 The certified organization is committed to timely collaborate with APCER throughout the

investigation process on the eventually received complaints about the organization, and any

additional actions that APCER deems necessary.

10.5 APCER considers as an appeal any complaint presented by the Organization concerning the

certification decision, within 30 days following the communication of the decision.

10.6 The appeals are evaluated by the Appeals Committee of APCER, which is composed by members

that are independent from the certification process subject of the appeal. There is no appeal

from the deliberations of this Committee.

10.7 If the decision of the Appeal Committee is not favourable to the appellant, the cost of the appeal,

any actions and movements, you will be charged to him.

10.8 After receiving a complaint against an SA8000 certified organization, if the complaint is accepted

by APCER, an investigation is conducted in accordance with the APCER’s complaints handling

procedure.

10.9 The complaint investigation may be aided by an unannounced audit and through interviews with

outside stakeholders, such as trade unions, NGOs, and the complainant.

of 27


REG001C-EN/8

10.10 The relevant complainant may wish to remain anonymous. In such cases, SAAS shall act as the

intermediary; APCER shall send all correspondence to SAAS, which shall liaise with the

complainant.

10.11 If SAAS receives a complaint regarding APCER or an APCER’s client, SAAS may elect to investigate

the APCER's actions in investigating the complaint by conducting an additional audit of the APCER

and/or certified organization.

10.12 Non-confidential information about complaints is published on the SAAS website:

http://www.saasaccreditation.org/complaints.

11. POSTPONMENTS

11.1 Postponements concerning the audit planning are not allowed, except in exceptional and duly

justified cases.

11.2 Any postponement request that goes beyond the period between audits defined by APCER, or any

unavailability of the Organization for planning and conducting the audit can lead to the decision

of suspension of certification, as defined in point 8 of this Regulation.

11.3 The cancellation by the Organization of a scheduled audit, with 15 days or less from the planned

date is subject to a penalty payment of 50% of the cost of that audit.

12. CONFIDENTIALITY

12.1 APCER controls access and manages as confidential all information, data and documents of the

Organization obtained during the certification process, at all levels of its structure, including audit

team composition, commissions and bodies or external people that act in the name of APCER.

APCER also manages as confidential the information of the Organization from sources other than

itself (e.g., entities presenting complaints, regulatory body).

12.2 APCER or its representatives can subscribe and accept additional requirements of confidentiality,

on Organization's request.

12.3 If any additional requirements of confidentiality prevent the execution of conformity assessment

or may not be ensured, APCER reserves the right not to provide the service.

12.4 There shall be no duty of confidentiality in the following cases:

When the information received is in the public domain;

When the information is not confidential because it was publicly disclosed by the Organization;

When it concerns the fulfilment of a legal obligation or binding orders issued by competent

authorities, including courts or courts of arbitration.

12.5 APCER undertakes to inform in advance the Organization of the information to be made available

to the public domain, in addition to that transmitted in this Regulation and in the applicable

Special Requirements. When the disclosure of confidential information by APCER is required by

http://www.saasaccreditation.org/complaints

of 27


REG001C-EN/8

law or authorized by contractual arrangements, the client organization or person concerned will

be notified of the information provided, unless prohibited by law.

12.6 APCER reserves the right to provide confidential information to representatives and auditors of

the accreditation bodies, in order to provide documented evidence of compliance with the

applicable standards and / or procedures of the certification activity.

12.7 All SA8000 audit reports are made available to Social Accountability Accreditation Services (SAAS)

upon request, at any time.

12.8 The confidentiality of all information contained therein is guaranteed by agreement between

APCER, SAAS and SAI, as part of the oversight system.

13. INFORMATION

13.1 The updated information on the certificates of conformity issued, suspended or cancelled is

available on the APCER's website www.apcergroup.com. This information includes the

identification of the organization, the standard, the scope of certification and the geographical

location (city and country) of the Organization, and may be supplemented by other information

defined in the applicable Special Requirements.

13.2 The information concerning the withdrawn certificates is made available during a year, after the

certificate is cancelled.

13.3 APCER, upon request of the Organization, confirms the validity and scope of a particular

certification.

13.4 APCER provides upon request information about the status of a given certification, and the name,

related normative document, scope and geographical location (city and country) for a specific

certified client.

13.5 SAAS maintains a publicly accessible list of accredited SA8000 certificates which includes the

name of the certified organisation and sites, address, scope of certificate, date of initial and

subsequent certifications, the name of the CB that issued the certificate, and the certificate

number.

13.6 The certified Organization shall maintain an effectively implemented management system during

the certificate’s validity.

13.7 The certified Organization agrees to inform APCER without delay, of any major changes to the

organizational structure and its management system, such as:

The legal, commercial, organizational status or ownership;

Organization and management (e.g. key managerial, decision-making or technical staff);

Scope of operations under the certified management system;

Major changes to the management system and processes;

Changes on locations (head office and sites).

of 27


REG001C-EN/8

13.8 When appropriate, these changes can imply conducting a special audit.

14. FINANCIAL OBLIGATIONS

14.1 The certification process involves the payment of the costs associated with the different

assessment activities (application review, preliminary visit if applicable, and audit), which are

invoiced when the services are provided, and are an obligation of the Organization, regardless of

the results.

14.2 APCER reserves the right to not issue a certificate until the settlement of invoices concerning the

assessment process.

14.3 APCER may, in any phase of the certification process, demand advance payments of the

certification activities to be conducted.

14.4 APCER reserves the right, in any phase of the certification process, to cancel the process and

suspend or withdraw the certificate, when the financial obligations of the Organization to APCER

are not settled in time, without prejudice to the use of the legal means at APCER disposal.

15. NOTICE OF CHANGES BY THE ORGANIZATION

15.1 The certified Organization shall maintain an effectively implemented management system during

the certificate’s validity.

15.2 The certified Organization agrees to inform APCER without delay, of any major changes to the

organizational structure and its management system, such as:

The legal, commercial, organizational status or ownership;

Organization and management (e.g. key managerial, decision-making or technical staff);

Scope of operations under the certified management system;

Major changes to the management system and processes;

Changes on locations (head office and sites).

15.3 When appropriate, these changes can imply conducting a special audit.

16. CERTIFICATION RECOGNITION AND TRANSFER

16.1 APCER accepts the certificate transfer from other accredited CB’s within the rules defined by

SAAS.

16.2 The preferred time of such a change is at the end of the 3-year certification cycle, if an

organization elects to change its CB and to continue certification to SA8000 at any point.

16.3 For transfer during or at the end of the certification cycle, the organization’s certificate shall be

valid, with no open critical or major nonconformities. If open critical or major NCs exist, no

of 27


REG001C-EN/8

transfer audit may be undertaken. If the client is currently suspended with its existing CB, a

transfer may not take place. Any open minor nonconformity shall be addressed by a corrective

action plan.

16.4 APCER shall perform and document an on-site audit equivalent to a recertification audit to effect

a transfer of certificate; a Social Fingerprint Independent Evaluation shall be conducted as per

the recertification requirements.

16.5 The client organization shall complete a Social Fingerprint Self-Assessment prior to the transfer

audit if more than 6 months have passed since it performed a Self-Assessment.

16.6 APCER may determine the need of an additional Stage 1 Audit prior to the transfer audit. If the

stage 1 audit is required, the organization shall complete a Self-Assessment prior to the stage 1

audit.

16.7 A new certification cycle shall commence with the issuance of a new SA8000 certificate to a

transfer client.

16.1 When the organization intends to transfer to another certification body, APCER remains the right

to provide copies organization’s SA8000 reports to a new CB.

16.2 Clients certified by organizations not accredited by SAAS are not considered recognized valid

SA8000 certificate holders. Therefore, those clients are not considered eligible to undergo the

transfer process and initial certification audits will be conducted.

17. RESPONSIBILITY

17.1 The certified client, and not the certification body, has the responsibility for consistently

achieving the intended results of implementation of the management system standard and

conformity with the requirements for certification.

17.2 APCER is not responsible before third parties for any personal or material damage, capital or non-

capital, resulting directly or indirectly from the activities of the certified Organization.

17.3 The certificate is issued according to methodologies internationally recognized and proves that

the certified Organization has implemented a management system that has been found, based

on the audit sampling and any subsequent information, to be in compliance with the established

requirements in the applicable standard and that is capable of maintaining its performance.

APCER is not responsible, in any case, for any actions or eventual mistakes of the certified

Organization.

17.4 Certification by APCER does not absolve in any case the Organization of the detention of

warranties and liabilities relating thereto as the current legislation obliges, whatever

management system is certified. APCER is not responsible, in any case, for any noncompliance by

the certified Organization of current legislation or noncompliance derived from the

Organization’s activity.

of 27


REG001C-EN/8

17.5 APCER is not responsible in the case a third party does not recognize or recognizes partly the

certificate issued by APCER.

17.6 As a result of default or defective compliance of the contract that is celebrated with the

Organization, it shall not be required from APCER a compensation superior to the costs of the

respective services, except in situations of deceit or serious fault.

17.7 Except as established in the law as mandatory, APCER is not responsible for acts committed by

the people used to fulfil the obligations under this contract, except in situations of deceit or

serious fault.

of 27


REG001C-EN/8

ANNEX A – CYCLE TIMELINE TO SA8000:2014

Type Stage

1 Stage

2 Surv. 1 Surv. 2 Surv. 3 Surv. 4 Surv. 5

Stage 2 (Recert.)

Surv. 1 through Surv. 5

Stage 2 (Recert.)

New SA + IE

IE IE IE SA + IE SA + IE

Recertification

SA + IE

IE IE SA + IE SA + IE

Transition occurs in Surveillance 1

SA + IE IE IE SA + IE SA + IE

Transition occurs in Surveillance 2*

SA + IE IE SA + IE* IE SA + IE

Transition occurs in Surveillance 3*

SA + IE IE SA + IE* IE SA + IE

Transition occurs in Surveillance 4**

SA + IE SA + IE**

IE IE SA + IE

Transition occurs in Surveillance 5**

SA + IE SA + IE**

IE IE SA + IE

* Companies that transition during Surveillance 2 and Surveillance 3 will be certified if they meet the requirements of

SA8000:2014, but still need to conduct an additional IE anytime during their second recertification cycle.

** Companies that transition during Surveillance 4 and Surveillance 5 will be certified if they meet the requirements of

SA8000:2014, but still need to conduct 2 additional IEs anytime during their second recertification cycle.

of 27


REG001C-EN/8

ANNEX B – INTEGRATION OF SF INTO SA8000:2014 CERTIFICATION

Figure 1 shows the integration of the Social Fingerprint and the SA8000:2014 during the initial certification

cycle. The candidate organization shall complete the SF self-assessment prior to the stage 1 audit. During

stage 1 and 2 audits, APCER performs the SF Independent Evaluation. After these 2 audits are completed

and the certification granted, the SA8000:2014 certification cycle starts.

During the certification cycle, the SF Independent Evaluation is performed at the 2nd and 4th surveillance

audits and at every recertification audit, as shown in figure 2 below.

Figure 1: SF and SA8000:2014 Integration during Initial Certification.

of 27


REG001C-EN/8

Figure 2: Integration of SF into Surveillance Audits.

GENERAL REGULATION FOR MANAGEMENT SYSTEM …§ões... · · 2016-10-20See also SAI’s...

Documents

Transcript of GENERAL REGULATION FOR MANAGEMENT SYSTEM …§ões... · · 2016-10-20See also SAI’s...