Bargaining Power, Strike Durations, and Wage Outcomes: An ...
Guidelines on Supplier Assessment & Certification Times€¦ · they can expect assessments to take...
19
Date: 6/4/2016 Rev: 23 Page 1 of 19 Sci Qual International Pty Ltd GUIDELINES ON CLIENT ASSESSMENT AND CERTIFICATION TIMES for ISO Programs AS/NZS ISO 9001, AS/NZS ISO 14001, AS/NZS 4801, OHSAS 18001 INTRODUCTION These guidelines address the question of the amount of time that should be spent on client assessment with the objective of providing clients with a broad indication of the kind of time element they can expect assessments to take and to establish the required audit durations for specific audits. In addition: REFERENCES 1. ISO/IEC 17021:2015 2. IAF MD 1:2007 IAF Mandatory Document for the Certification of Multiple Sites Based on Sampling 3. IAF MD 4:2008 Use of Computer Assisted Audit Techniques 4. IAF MD 5:2015 Duration of QMS & EMS audits 5. IAF MD11:2013 Application of ISO 17021 to audits of Integrated Management Systems 6. JAS-ANZ Procedure Number 2 Issue 3 dated 3 August 2011
Transcript of Guidelines on Supplier Assessment & Certification Times€¦ · they can expect assessments to take...
Date: 6/4/2016 Rev: 23 Page 1 of 19
Sci Qual International Pty Ltd
GUIDELINES ON CLIENT ASSESSMENT AND CERTIFICATION TIMES
for ISO Programs
AS/NZS ISO 9001, AS/NZS ISO 14001, AS/NZS 4801, OHSAS 18001
INTRODUCTION
These guidelines address the question of the amount of time that should be spent on client assessment with the objective of providing clients with a broad indication of the kind of time element they can expect assessments to take and to establish the required audit durations for specific audits.
In addition:
REFERENCES
1. ISO/IEC 17021:2015
2. IAF MD 1:2007 IAF Mandatory Document for the Certification of Multiple Sites Based on Sampling
3. IAF MD 4:2008 Use of Computer Assisted Audit Techniques
4. IAF MD 5:2015 Duration of QMS & EMS audits
5. IAF MD11:2013 Application of ISO 17021 to audits of Integrated Management Systems
6. JAS-ANZ Procedure Number 2 Issue 3 dated 3 August 2011
Date: 6/4/2016 Rev: 23 Page 2 of 19
CLIENT ASSESSMENT
The adequate assessment of a client depends upon a number of factors including:
The competence & experience of the assessment team
The effectiveness of the agreed corrective action program and
The arrangements for continued compliance, including the re-assessment at agreed intervals.
Underlying this is the prime importance of the time actually spent on the pre-assessment, assessment and follow-up action - and the frequency of surveillance visits. An assessment team may be adequately qualified, supported by procedures and a management body, but if insufficient time is spent, the assessment is of limited value, and will fail to uncover significant system deficiencies, if they exist.
THE TIME ELEMENT
The tables below set out typical assessment program times for clients being assessed for the first time for various ISO programs.
The actual time spent on either the initial certification of a client or a subsequent surveillance visit is governed by a number of factors which vary according to the size of the firm, the product being manufactured or service supplied and the required management system level, eg ISO 9001, ISO 14001, AS 4801, BS OHSAS 18001 or any other program already certified or audited by Sci Qual International.
Initial audit duration should be calculated on the basis of the following factors:-
Number of Full time Employees
Number of Part time employees (converted to EFT)
Number of Casual Employees (converted to EFT)
Number of Contractors (Converted to EFT)
Number of Shift workers and number of shifts (Note: Each shift must be audited unless documented justification is provided for not doing so)
The number of part time personnel may be reduced by up to 50% when calculating the effective number of full time personnel
Where a significant number of personnel carry out nearly identical activities, for example taxi drivers, then the effective number of personnel for this group, being the sum total for this group across the entire organisation, can be calculated as being the square root of the number of personnel in this specific group rounded up. However the similar roles calculation should not be used unless the tasks undertaken are very simple and low risk.
For Example SQRT of 127 = 11.269 = 12
Note. The objective is to establish the complexity of the business and the number of EFT employees as a base line for the calculation of audit duration
The initial audit duration should be established based on the above before any increase or decrease to hours is made as a result of other factors such as:
combined audits, history of CARS
Integrated Management Systems, added complexity
client record of consistent quality management
the results of any prior audits
Date: 6/4/2016 Rev: 23 Page 3 of 19
Remote Auditing using CAAT
With the rapid changes in technology and its use, up to 30% of on site audit time may be conducted remotely from the site being assessed (for example, by video conferencing or computer access) and still count as onsite time. Note if greater than 30% of site time is warranted, this must be justified in the audit plan and approval must be obtained from JAS-ANZ prior to completing the audit (refer IAF MD 4) .
Adjustments in hours can then be made off the lower base after taking out the planning and report writing allowance.
Factors affecting audit duration
Increase in audit duration Decrease in audit duration
Complicated logistics involving more than one building or location where work is carried out. e.g., a separate Design Centre must be audited;
Client is not "design responsible" or other standard elements are not covered in the scope (QMS only);
Staff speaking in more than one language (requiring interpreter(s) or preventing individual auditors from working independently);
Very small site for number of personnel (e.g. office complex only),
Very large site for the number of personnel (e.g., a forest);
Maturity of management system;
High degree of regulation (e.g. food, drugs, aerospace, nuclear power, etc);
Prior knowledge of the client management system (e.g., already certified to another standard by SQI);
System covers highly complex processes or relatively high number of unique activities;
Client preparedness for certification (e.g., already certified or recognized by another 3rd party scheme);
Activities that require visiting temporary sites to confirm the activities of the permanent site(s) whose management system is subject to certification.
High level of automation
Where shifts are operated it may be necessary to take into account downtime for the auditor if the auditor needs to work a night shift in the middle of a week and may require recovery time to prevent fatigue and ensure the audit outcome is not compromised
Where staff include a number of people who work “off location” e.g. salespersons, drivers, service personnel, etc. and it is possible to substantially audit compliance of their activities with the system through review of records.
Outsourced functions or processes
Increase in audit duration for EMS only Higher sensitivity of receiving environment compared to typical location for the industry sector;
Indirect aspects necessitating increase in auditor time;
Views of interested parties; Additional or unusual environmental aspects or regulated conditions for the sector.
Risks of environmental accidents and impacts arising, or likely to arise, as consequences of incidents, accidents and potential emergency situations, previous environmental problems that the organization has contributed to.
Date: 6/4/2016 Rev: 23 Page 4 of 19
Audit Time includes the time spent at a client’s location (physical or virtual) by an Auditor or Audit Team in planning (including off-site document review, if appropriate); interfacing with organization, personnel, records, documentation and processes; and report writing.
Auditor Time involved in such planning and report writing combined should not typically reduce the total on-site Auditor Time to less than 80% of the time shown in the relevant audit duration tables
Where additional time is required for planning and/or report writing, this will not be justification for reducing on-site Auditor Time.
Auditor travel time is not included in this calculation, and is additional to the Auditor time referenced in the chart.
Auditor Time as referenced in the charts below where stated in terms of Auditor Days spent on the assessment.
An Auditor Day is typically a full normal working day of 8 hours.
The number of Auditor Days employed may not be reduced at the initial planning stages by programming longer hours per work day. However it may be necessary to work additional hours in a day to allow efficient management of shift activities.
The time spent by any team member that is not assigned as an auditor (i.e. technical experts, translators, interpreters, observers and auditors-in-training) shall not count in the established duration of the management system audit.
Client managers should always look for the most effective allocation of auditors to an audit.. For example using one auditor for one day rather than two auditors for half a day will in most cases be a more effective/efficient use of audit time.
The reduction of audit time of management systems shall not exceed 30% of the times established from Tables 5 or 6
The Initial Assessment (Certification) cycle.
Certification
A Stage 1 + Stage 2 audit will be conducted for the initial certification. Assessment times will be in accordance with Table 6 & 7
Surveillance
The time for a given organization should be proportional to the time spent at Initial Audit with the total amount of time spent annually on surveillance being about 1/3 of the time spent on the Initial Audit. The planned surveillance time should be reviewed at least at every surveillance and recertification audit to take into account changes in the organisation, system maturity etc. The evidence of review including any adjustments to the audit time will be recorded on SQI database/contract review.
Re-Certification
The audit time for the recertification audit should be calculated on the basis of the updated information of the client and is normally approximately 2/3 of the audit time that would be required for an initial certification audit (Stage 1 + Stage 2) of the organization if such an initial audit were to be carried out at the time of recertification (i.e. not 2/3 of the original time spent on the initial audit).
The audit time of management systems shall consider the outcome of the review of system performance as required by ISO/IEC 17021-1 9.6.3.2.1 (c).
The review of system performance does not itself form part of the audit time for recertification audits.
Date: 6/4/2016 Rev: 23 Page 5 of 19
Integrated Management System
If the organisation has an Integrated Management System (IMS) a combined systems audit can be conducted and the standard time durations can be reduced. The calculation procedure to define the reduction to the audit duration will be calculated from IAF MD 11
Note: that the ability to reduce audit duration for an IMS is a function of two factors:
1. The level of integration of the management system (see notes on level of integration below)
2. The ability of the audit team to perform combined audits –i.e. qualified for more than one management system standard
However it is extremely unlikely that audit time could be reduced by greater than 20% as a result of these factors.
When certification to multiple management system standards is being provided, the planning for the audit must ensure adequate on-site auditing to provide confidence in the certification.
Level of Integration
An integrated management system results when an organisation uses one single management system to manage multiple aspects of organisational performance. It is characterised by:
1. Management Reviews that consider the overall business strategy and plan
2. An integrated approach to internal audits
3. An integrated approach to policy and objectives
4. An integrated approach to systems processes
5. An integrated documentation set including work instructions, to a good level of development as appropriate
6. An integrated approach to improvement mechanisms, (Corrective & Preventive Action, measurements and Continual Improvement)
7. An integrated approach to planning, with good use of business wide risk management approaches
8. Unified management support and responsibilities
Having assessed the above factors SQI will then decide the percentage level of integration based upon the extent to which the organisation’s management system meets the above criteria. This cross referenced to the Audit team ability to perform combined audits determines the reduction in time (%) allowed using the table below.
100 5 5 10 15 20
80 5 5 10 15 15
60 0 5 10 10 10
40 0 5 5 5 5
20 0 0 0 0 0
0
0 20 40 60 80 100
Lev
el
of
Inte
gra
tio
n %
Ability to perform combined audit %
Date: 6/4/2016 Rev: 23 Page 6 of 19
AUDIT DURATION
OHS Audits
1. Table 1 (on the next page) provides guidance on the amount of time required to assess organizations of various sizes. It does this by indicating the number of auditor-days to be spent on-site for stage 1 and 2 audits, annual surveillance and reassessment.
2. It is clearly understood that some organizations of a particular size will need more time. In exceptional cases (such as existing ISO 9001 certification), audit time might be able to be reduced below the minimums in the table. For organizations being concurrently certified or already certified to ISO 9001 or ISO 14001 and having fully integrated management systems, then these audit durations may be reduced by a maximum of 20% where there is a fully integrated system being assessed by an integrated audit team with appropriate qualifications and training in each area of audit responsibility.
3. In the table below, the auditor days shown as "on-site minimums" apply to an organization with a single site; are based on an 8 hour working day including 1 hour for lunch, and exclude all activities other than auditing. The times are to be regarded as true minimums: planning, preparation, travel time and reporting are not to be included. If reports are written on-site in conjunction with the audit, the time for this activity is not included in Table 2. Where two or more team members work together (eg. auditor plus technical expert), that time shall be counted as if a single auditor was involved.
4. The audit duration for multi-site assessments shall be in accordance with IAF MD1 and JAS-ANZ Procedure 2, except that all high OHS complexity sites (as determined by Table 1) shall be included in the certification, surveillance and re-certification audit sample)
5. The client profile must be reviewed at each audit to confirm the OHS complexity and the effective number of personnel, and to take into account any changes in the organization, system maturity etc. The evidence of review including any adjustments to audit duration shall be recorded.
6. Where OHSAS 18001 is being audited in conjunction with AS/NZS 4801 an additional 2 hours should be allowed to cover off the additional requirements
Date: 6/4/2016 Rev: 23 Page 7 of 19
Table 1 Client Profile OHS
Table 1 shall be used to determine the organization’s OHS complexity (Low, Medium, High), but can also be used to determine the OHS complexity of a site or temporary site
Range Score
Dangerous Goods
No Dangerous Goods 0
There are some dangerous goods (but not licensable quantities). 5
There are licensable quantities of dangerous goods. 10
Vehicle/pedestrian interaction (including fork-lifts)
No Vehicle traffic 0
There is vehicle traffic that has the potential to interact with employees or other persons but this interaction is very limited due to the low numbers of vehicles involved and limited potential pedestrian impact.
5
There are a number of forklifts or other vehicle movements around employee work areas, and/or pedestrians are able to enter vehicle work zones.
10
Powered plant (including building plant rooms)
No Powered Plan 0
Powered plant is used occasionally. 5
Powered plant is used regularly or daily. 10
Other plant (including scaffolding) or mechanical hazards
No Other Plant 0
Other plant is used occasionally. 5
Other plant is used regularly or daily. 10
Manual handling (includes Occupational Overuse Syndrome)
No Manual Handling 0
There is manual handling but it is limited to a small number of tasks. 5
There are many manual handling tasks. 15
Hazardous substances (includes asbestos)
No Hazardous Substances 0
There is handling, storage, transport or use of hazardous substances. 5
There are known airborne contaminants in the atmosphere requiring breathing apparatus to be worn on a regular basis (may be in limited parts of the worksite).
15
Atmospheric contaminants other than hazardous substances (excludes confined spaces)
No atmospheric contaminants 0
There has been or could be the need to test atmospheric contaminants to confirm they are below hazardous levels.
2
There are known airborne contaminants in the atmosphere requiring breathing apparatus to be worn on a regular basis (may be in limited parts of the worksite).
5
Use of ionising or non-ionising radiation
No ionising radiation 0
There are low radiation sources. 5
There are high radiation sources. 10
Confined Space (as per AS/NZS 2865)
Non confined space 0
There is a confined space requiring entry. 10
There are a variety of confined spaces requiring entry and/or a number of teams operating in confined spaces.
20
Slips, trips and falls
No risk 0
There are slip, trip or fall hazards. 5
There are a range of activities that expose people to slip, trip and fall hazards 20
Date: 6/4/2016 Rev: 23 Page 8 of 19
Noise
No noise issues 0
There are nuisance noise levels that do not exceed the maximum legislated noise level. 5
There are noise levels that exceed the maximum legislated noise level. 15
Thermal environment
There is no exposure 0
There is exposure to extreme thermal discomfort 5
Below ground work environment
None 0
There is occasional below ground work. 10
There is regular or daily below ground work. 30
Storage and/or use of explosives
None 0
There are explosives on site 5
There are explosives being used 10
Electrical hazards
No electrical hazards 0
There is use of electrical equipment. 2
Occasional need for personnel to work on electrical equipment. 5
Regular or daily need for personnel to work on electrical equipment. 10
Pressurised environment No pressurised environment 0
There is work in a pressurised environment 5
Threats of bullying, violence or occupational assault
No Threats 0
Exposure to internal bullying or violence. 2
Exposure to external bullying or violence. 10
Both conditions apply 12
Total Score for determining OHS Complexity
0 Low OHS Complexity 0-80
Medium OHS Complexity 81 - 115
High OHS Complexity > 116
Notes to interpret Table 1
1. The minimum audit times are based on auditing an OHSMS that is implemented
consistently across a single site. Additional time is required where the OHSMS model or standard is implemented in significantly different ways and to different degrees in the various cost centres, departments or buildings on a site. In some situations there may even be several distinct policies and procedures relating to the same issue on a site. For example, an organisation may conduct hazard identification and risk assessment activities in very different ways across the site and each method would need to be audited.
2. For definitions of plant refer to the National Standard for Plant [NOHSC: 1010 (1994)] available from the Safe Work Australia website www.safeworkaustralia.gov.au
3. Hazards arising from the use of other plant which exposes employees to the risk of entanglement, crushing, cutting, stabbing, puncturing, shearing, friction, striking, high pressure fluid, electrical, explosion, slipping, tripping and falling, ergonomic, suffocation, high temperature or fire.
4. Manual handling activities are likely to be hazardous if there is: 1. Repetitive or sustained application of force; 2. Repetitive or sustained awkward posture; 3. Repetitive or sustained movement; 4. Application of high force; 5. Exposure to sustained vibration; 6. Manual handling of live persons or animals; or 7. Manual handling of unstable or unbalanced loads, or loads which are difficult to
grasp or hold.
Date: 6/4/2016 Rev: 23 Page 9 of 19
5. ‘Contaminant’ (as defined in AS/NZS 2865:2001) means any dust, fume, mist, vapour, biological matter, gas or other substance in liquid or solid form, the presence of which may be harmful to health and safety.
6. ‘Hazardous Substance’ means a substance which is included on the List of Designated Hazardous Substances [NOHSC: 10005 (1999)] or has been classified as a hazardous substance by the manufacturer or importer in accordance with the Approved Criteria for Classifying Hazardous Substances [NOHSC: 1008 (1999)]. For more information refer to the Safe Work Australia website www.safeworkaustralia.gov.au
7. ‘Confined space’ (as defined in AS/NZS 2865:2001 – Safe Working in a Confined Space) is an enclosed or partially enclosed space that is at atmospheric pressure during occupancy and is not intended or designed as a place of work, and (a) is liable at any time to have an atmosphere which contains potentially harmful
levels of contaminant; have an oxygen deficiency or excess; or cause engulfment; and
(b) could have restricted means of entry and exit.
8. Occupational assault is recognised as a hazard in some industries, which have high levels of public contact; e.g. hospitals, aged care facilities, disability services, banking, correctional facilities, police and security services.
Table 2 Audit Durations OHS
Effective Number of Personnel
Audit Duration
Stage 1 & Stage 2 (Days)
Low, Medium & High OHS Complexity (Table 1)
Effective number of Personnel
Audit Duration
Stage 1 & Stage 2 (Days)
Low, Medium & High OHS Complexity (Table 1)
Low Med High Low Med High
1-5 2.5 2.5 3.0 626-875 6.0 8.5 11.0
6-10 2.5 2.5 3.5 876-1175 7.0 10.0 12.5
11-15 2.5 2.5 3.5 11761550 8.0 10.5 13.0
16-25 2.5 3.5 4.0 1551-2025 8.0 11.0 13.5
26-45 3.0 4.0 5.0 2026-2675 8.5 11.5 15.0
46-65 3.5 4.5 6.0 2676-3450 9.0 12.5 16.0
66-85 3.5 5.0 7.0 3451-4350 10.0 13.0 17.5
86-125 4.0 6.0 8.0 4351-5450 10.4 13.5 18.0
126-175 4.5 7.0 9.0 5451-6800 11.0 15.0 19.5
176-275 5.0 7.0 10.0 6801-8501 12.5 16.0 21.0
276-425 5.0 7.0 10.0 8501-10700 13 17.5 22.0
426-625 6.0 8.0 10.5 >1070 Follow progression above
Date: 6/4/2016 Rev: 23 Page 10 of 19
Table 3
-/+ +/+
Large Simple
Multi-site Few processes Repetitive processes Small scope
Large Complex
Multi-site Many processes Large scope Unique processes Design responsible
Starting point from Auditor Time Chart
Few processes Small scope Repetitive processes
Small Simple
Many processes Design responsible Large scope Unique processes
Small Complex
— / — + / —
QMS & EMS
The audit times provided in this section have a range which has been predetermined by Sci Qual International Pty Ltd. All audit timing should fall within these ranges. Within the range, justification for reduced time is required in all but the following circumstances:
1. A maximum 20% reduction from the average is permissible when any standard is audited in conjunction with a second standard. Note:- this is not allowed if different standards are conducted as separate audits (refer IAF:MD11 2.1.5.2)
2. During the second and subsequent certification cycles, the minimum time may be applied Note: A certification cycle is defined as three years for all programs
Audit duration is a function of organisation/system complexity and the industry sector the business operates in.
When justifying lower or higher audit times, the starting point is the average time with the justification based on the following illustration taken from the IAF Mandatory Document for Duration of QMS & EMS Audits IAF MD5:2015. Note should also be taken of the complexity factors in table 4
O
rgan
izatio
n D
istr
ibutio
n +
Z
E
Organization/system Complexity
Date: 6/4/2016 Rev: 23 Page 11 of 19
Table 4 QMS Risk Categories
The following risk categories should be applied for QMS audits and audit time applied using Table 6 in this document.
Low Risk Minimum Times
Medium Risk Average Times
High Risk Maximum Times
Justification must be provided for reducing any of the above categories such as experience with client, previous audit record, simplicity of management systems. So for example a medium risk client could be assigned minimum times if their systems were simple and the auditor had significant experience of the client over a number of years. These risk categories are not definitive, they are examples only and the risk category must be reviewed and approved as part of the contract review. High risk Where failure of the product or service causes economic catastrophe or puts life at risk. Examples include but are not limited to: Food; pharmaceuticals; aircraft; shipbuilding; load bearing components and structures; complex construction activity; electrical and gas equipment; medical and health services; fishing; nuclear fuel; chemicals, chemical products and fibres. Medium risk Where failure of the product or service could cause injury or illness. Examples include but are not limited to: Non load bearing components and structures; simple construction activities; basic metals and fabricated products; non-metallic products; furniture; optical equipment; leisure and personal services. Low risk Where failure of the product or service is unlikely to cause injury or illness. Examples include but are not limited to: Textiles and clothing; pulp, paper and paper products; publishing; office services; education; retailing, hotels and restaurants.
Date: 6/4/2016 Rev: 23 Page 12 of 19
Table 5 EMS Complexity Categories The table below should also be used to identify potential complexity issues when determining audit duration for EMS
Complexity Category
Business sector
High mining and quarrying oil and gas extraction tanning of textiles and clothing pulping part of paper manufacturing including paper recycling processing oil refining chemicals and pharmaceuticals primary productions – metals non-metallic processing and products covering ceramics and cement. coal based electricity generation civil construction and demolition hazardous and non hazardous waste processing e.g. Incineration etc. effluent and sewerage processing
Medium fishing/farming/forestry textiles and clothing except for tanning manufacturing of boards, treatment/impregnation of wood and wooden products paper production and printing excluding pulping non-metallic processing and products covering glass, clay, lime etc. surface and other chemically based treatment for metal fabricated products excludes primary production surface and other chemically based treatment for general mechanical engineering production of bare printed circuit boards for electronics industry manufacturing of transport equipment – road, rail, air, ships non coal based electricity generation and distribution gas production, storage and distribution (note extraction is graded high) water abstraction, purification and distribution including river management (note commercial effluent treatment is graded as high) fossil fuel whole sale and retail food and tobacco – processing transport and distribution - by sea, air, land commercial estate agency, estate management, industrial cleaning, hygiene cleaning, dry cleaning normally part of general business services recycling, composting, landfill (of non hazardous waste) technical testing and laboratories healthcare/hospitals/veterinary leisure services and personal services excludes hotels/restaurants
Date: 6/4/2016 Rev: 23 Page 13 of 19
Low hotels/restaurants wood and wooden products excluding manufacturing of boards, treatment and impregnation of wood paper products excluding printing, pulping and paper making rubber and plastic injection moulding, forming and assembly - excludes manufacturing of rubber and plastic raw materials which are part of chemicals hot and cold forming and metal fabrication excluding surface treatment and other chemical based treatments and primary production general mechanical engineering assembly excluding surface treatment and other chemical based treatments wholesale and retail electrical and electronic equipment assembly excluding manufacturing of bare printed circuit boards
Limited corporate activities and management, HQ and management of holding companies transport and distribution - management services with no actual fleet to manage telecommunications general business services except commercial estate agency, estate management, industrial cleaning, hygiene cleaning, dry cleaning education services
Special Cases
Nuclear nuclear electricity generation storage of large quantities of hazardous material public administration local authorities organizations with environmental sensitive products or services financial institutions
Date: 6/4/2016 Rev: 23 Page 14 of 19
Table 6 – Audit Duration Quality Management Systems Relationship between effective number of personnel and audit duration (initial audit only)
Number of Personnel
Note:- Stage 1 audits shall be a
minimum of 4 hours on site.
Generally they will be about 25% of the total on site
timing.
Assessment Combined stages One and Two
Surveillance Reassessment
Min
Hrs
Average Days
Max Hrs
On site min Hrs
Onsite Average
Days
On site max Hrs
Min Hrs
Average Days
Max Hrs
1-5 8 1.5 16 4 6 hrs 8 6 1.0 10
6-10 12 2.0 21 4 6 hrs 10 8 1.5 14
11-15 14 2.5 26 5 1.0 11 9 2.0 18
16-25 17 3.0 31 6 1.0 12 11 2.0 21
26–45 22 4.0 42 7 1.5 14 15 2.5 28
46-65 28 5.0 52 9 1.5 17 19 3.5 35
66-85 34 6.0 62 11 2.0 21 22 4.0 42
86-125 39 7.0 73 13 2.5 24 26 4.5 49
126-175 45 8.0 83 15 3.0 28 30 5.5 55
176-275 50 9.0 94 17 3.0 31 34 6.0 62
276-425 56 10.0 104 19 3.5 34 37 6.5 69
426-625 62 11.0 114 21 4.0 38 41 7.5 76
626-875 67 12.0 125 22 4.0 42 45 8.0 83
876–1175 73 13.0 135 24 4.5 45 49 8.5 90
1176–1550 78 14.0 146 26 4.5 49 52 9.5 97
1551-2025 84 15.0 156 28 5.0 52 56 10.0 104
2026-2675 90 16.0 166 30 5.5 55 60 10.5 111
2676-3450 95 17.0 177 32 5.5 59 63 11.5 118
3451-4350 101 18.0 187 34 6.0 62 67 12.0 125
4351-5450 106 19.0 198 35 6.5 66 71 12 5 132
5451-6800 112 20.0 208 37 7.0 69 75 13.0 139
6801 –8500 118 21.0 218 39 7.0 73 78 14.0 146
8501-10700 123 22.0 229 41 7.5 76 82 14.5 153
> 10700 Follow progression in each
column above
Note 1: This table is an extension of Annex A, IAF MD 5:2015
Note 2: Min & max audit durations reflect section 8, IAF MD 5:2015.
Date: 6/4/2016 Rev: 23 Page 15 of 19
Environmental Management Systems
The timings for environmental auditing are found in table 7 below. In all cases justification for reduced audit hours below this timing is required with the exception of the following;
1. A maximum 20% reduction from the average is permissible when any standard is audited in conjunction with a second standard. Note:- this is not allowed if different standards are conducted as separate audits
2. During the second and subsequent certification cycles a 15% reduction in time may be applied.
Note: A certification cycle is defined as three years for all programs
Table below shows the effective number of personnel, complexity and audit duration (initial audit only)
The numbers of employees in the table should be seen as a continuum rather than a stepped change.
The process is to establish the number of EFT staff as per page 1 & 2 and then to establish the degree of complexity as per Table 6 below. The combined impact of both factors will determine the required audit duration
Table 7 Audit Duration EMS Systems
Relationship between effective number of personnel, complexity and audit duration (initial audit only)
Effective Number of Personnel
Audit duration Stage 1 + Stage 2 (days)
Effective Number of Personnel
Audit duration Stage 1 + Stage 2 (days)
High Med Low Lim High Med Low Lim
1-5 3.0 2.5 2.5 2.5 626-875 17 13 10 6.5
6-10 3.5 3.0 3.0 3.0 876-1175 19 15 11 7
11-15 4.5 3.5 3.0 3.0 1176-1550 20 16 12 7.5
16-25 5.5 4.5 3.5 3.0 1551-2025 21 17 12 8
26-45 7.0 5.5 4.0 3.0 2026-2675 23 18 13 8.5
46-65 8.0 6.0 4.5 3.5 2676-3450 25 19 14 9
66-85 9.0 7.0 5.0 3.5 3451-4350 27 20 15 10
86-125 11.0 8.0 5.5 4.0 4351-5450 28 21 16 11
126-175 12.0 9.0 6.0 4.5 5451-6800 30 23 17 12
176-275 13.0 10.0 7.0 5.0 6801-8500 32 25 19 13
275-425 15.0 11.0 8.0 5.5 8501-10700 34 27 20 14
426-625 16.0 12.0 9.0 6.0 >10701 Follow progression above
Note 1: Audit duration shown for high, medium, low and limited complexity audits Note 2 The numbers of personnel in Tables 5 & 6 should be seen as a continuum rather than a
stepped change Note It should be recognised that not all organizations in a specific sector will always fall in the same complexity category. Sci Qual International Pty Ltd will allow flexibility in its contract (certification cycle) review procedure to ensure that the specific activities of the organization are considered to determine the complexity category. For QMS, EMS and OHS; if after the calculation the result is a decimal number, the number of days should be adjusted to the nearest half day (e.g.: 5.3 audit days becomes 5.5 audit days, 5.2 audit days becomes 5 audit days).
Date: 6/4/2016 Rev: 23 Page 16 of 19
MULTIPLE SITES INCLUDING Safety, Quality, Environmental
Definitions Temporary Site A site set up by an organisation in order to perform specific work or a
service for a finite period of time and which will not become a permanent site (e.g. construction site)
Additional Site: A new site of group of sites that will be added to an existing certified
multi-site network Multi-site Organisation A multi-site organisation is defined as an organisation having an
identified central office at which certain activities are planned, controlled or managed and a network of local offices or branches (sites) at which such activities are fully or partially carried out.
Where an organisation has multiple sites as defined above it may be eligible for sampling where an appropriate sample size based on the table below can be applied. Table 8
No. of remote Sites Sample size for assessment Sample size for surveillance Sample Size for Re-Assessment where 0.8 factor applies *
2–4
5–9
10–16
17–25
26-36
37-49
50-64
65-81
82-100
x
2 + HO
3 + HO
4 + HO
5 + HO
6 + HO
7 + HO
8 + HO
9 + HO
10 + HO
x + HO
1 + HO
2 + HO
3 + HO
4 + HO
4 + HO
5 + HO
5 + HO
6 + HO
6 + HO
0.6x + HO
2 + HO
3 + HO
4 + HO
5 + HO
6 + HO
7 + HO
8 + HO
9 + HO
10 + HO
0.8x + HO
Sample Sites will be selected based on the calculation in IAF MD1:2007 The following guidance is based on the example of a low to medium risk activity with less than 50 employees at each site. The minimum number of sites to be visited per audit is: Initial audit: the size of the sample shall be the square root of the number of remote sites
(y= x ), rounded to the upper whole number.
Surveillance audit: the size of the annual sample shall be the square root of the number of remote
sites with 0.6 as a coefficient (y=0.6 x ), rounded to the upper whole number.
Reassessment: the size of the sample shall be the same as for an initial audit. Nevertheless,
where the organization has proved to be compliant over the previous three years, the size of the sample could be reduced to a factor of 0.8; i.e.
(y=0.8 x ), rounded to the upper whole number.
Example: 1 head office: visited at each audit (initial/surveillance/reassessment) 4 national offices: sample = 2 : minimum 1 at random 27 regional offices: sample = 6 : minimum 2 at random 1700 local branches: sample = 42 : minimum 11 at random.
Date: 6/4/2016 Rev: 23 Page 17 of 19
However not all organisations are suitable for sampling and some specific criteria apply:
1. Where processes in each location are not similar but are clearly linked, the sampling plan must include at least one sample of each process conducted by the organisation (e.g. fabrication of electronic components in one location, assembly of the same components – by the same company in several other locations)
2. Where fundamentally different processes or activities are used at different sites then multi-site sampling cannot be applied even where the same management system is used. In these cases any reduction from the normal audit duration required must be justified for each site where a reduction is proposed.
3. The management system must be under a centrally controlled and administered plan and be subject to central management review. All sites must be subject to a central internal audit program and all sites must have been audited in accordance with that program prior to SQI starting the audit
4. The management system must be in accordance with the relevant standard and the whole organisation must meet the requirements of the standard.
5. The organisation must demonstrate its ability to collect and analyse data from all sites including the central office and must also demonstrate its authority and ability to initiate organisational change if required
6. When non-conformities are found at any individual site, either through the organisation’s internal auditing or from auditing by SQI, investigation must take place to determine whether the other sites may be affected. SQI will require the organisation to review the non-conformities to determine whether they indicate an overall system deficiency applicable to other sites or not. Where this is the case corrective actions must be carried out and verified at the central office and the individual affected sites. If the non –conformities are limited to specific sites the organisation must justify to SQI why it is acceptable to limit its follow-up corrective actions. Where non-conformities are identified SQI will increase the frequency of the surveillance audits or the size of the sample until we are satisfied that control has been re-established.
7. Where there are significant non conformances that will require additional time to sample during future audits an additional audit should be triggered by the auditor so as to avoid spending too much time during the next audit re-sampling old issues and leaving insufficient time to sample fresh parts of the management system. This would also trigger a review of the audit time for future audits to ensure sufficient time is allowed.
8. SQI Certification Panel will not approve certification for any organisation where corrective actions remain outstanding for any site within the organisation.
9. It is not permissible for an organisation to exclude a “problematic” site from the scope of the certification during the certification process.
10. If all of the sites of a service organisation where the activity subject to certification is performed are not ready to be submitted for certification at the same time, the organisation must advise SQI in advance of the sites it wants to be included in the certification and those that it doesn’t.
Assessment times
The audit time to spend at each site is another important element to consider, and SQI must be able to justify the time spent on multi-site assessment in terms of its overall policy for allocating assessment time.
Normally the number of auditor-days per site should be consistent with the numbers shown as “on site minimums” in the table for the various programs above.
Reductions can be applied to take into account the clauses that are not relevant to the head office and/or the local sites. Reasons for the justification of any such reductions must be recorded by SQI.
The complexity of the activity is another factor that may be taken into consideration.
No reduction is permitted for the central office.
The total time expended on initial assessment and surveillance is the total sum of the time spent at each site plus the head office and should never be less than that which would have been calculated for the size and complexity of the operation if all the work had been undertaken at a single site (i.e. with all the employees of the company in the same site). In most cases it will be considerably more.
Date: 6/4/2016 Rev: 23 Page 18 of 19
Additional sites
On application for a new group of sites to join an already certified multi-site network, each new group of sites should be considered as an independent set to determine the sample size. After including the new group on the certificate, the new sites should be added to the previous ones to determine the sample size for future surveillance or reassessment audits.
The auditor must verify that the new site complies with the management system already certified and that it has been included in the internal audit process prior to the audit taking place to add the new site. This will involve conducting a Stage 2 audit for the new site.
Any new regulations that the additional sites are subject to must be considered in the audit and compliance with these regulations confirmed prior to any extension to scope being confirmed and new certificates issued.
An additional site can have its own unique ABN as long as it operates the same management system as the existing certified site and is under the control of the central office function.
Where any non-conformity is identified at the additional site, the auditor must investigate to determine whether any other sites are affected. The organisation will be required to review the nonconformities to determine if they indicate an overall system deficiency applicable to other sites. If they are found to do so, corrective action should be performed and verified both at the central office and at the individual affected sites. If they are found not to do so, the organization should be able to demonstrate to the certification body the justification for limiting its follow-up corrective action.
Temporary Sites all programs
Temporary sites can range from major project management sites to minor service/installation sites. The need to visit such sites and the extent of sampling should be based on an evaluation of the risks of the failure of the QMS to control product or service output or the EMS to control environmental aspects and impacts associated with the client's operations. The sample of sites selected should represent the range of the client’s scope of certification, competency needs and service variations having given consideration to sizes and types of activities, and the various stages of projects in progress and associated environmental aspects and impacts. Typically on-site audits of temporary sites would be performed. However, the following methods could be considered as alternatives to replace some on-site audits:
Interviews or progress meetings with the client and/or its customer in person or by teleconference.
Document review of temporary site activities.
Remote access to electronic site(s) that contains records or other information that is relevant to the assessment of the management system and the temporary site(s).
Use of video and teleconference and other technology that enable effective auditing to be conducted remotely.
In each case, the method of audit should be fully documented and justified in terms of its effectiveness.
Date: 6/4/2016 Rev: 23 Page 19 of 19
Change of Scope
A change of scope can be approved by the auditor in consultation with the client manager. The auditor must verify that the new scope is applicable and add any new ANZSIC codes or EMS Technical area codes required.
The client manager must confirm that the auditor still complies with the competency requirements for the new scope. This may require the existing auditor to justify any new codes or a new or additional auditor will need to be assigned to the audit.
If a site or change of scope is to be added to an existing certificate at any time other than at a scheduled recertification or surveillance audit, the site should be audited separately.
If the change in scope only applies to part of the organisation this must be stated clearly on the certificate.
The changes to scope or additional sites should be covered under changes “since the last audit” in the Summary of Findings
Control of Externally Provided Functions or Processes (Outsourcing) If an organization outsources part of its functions or processes, SQI must obtain evidence that the organization has effectively determined the type and extent of controls to be applied in order to ensure that the externally provided functions or processes do not adversely affect the effectiveness of the MS, including the organization’s ability to consistently deliver conforming products and services to its customers or to control its environmental aspects and commitments to compliance with legal requirements. SQI will audit and evaluate the effectiveness of the client's management system in managing any supplied activity and the risk this poses to the delivery of objectives, customer and conformity requirements. This may include gathering feedback on the level of effectiveness from suppliers. However auditing the supplier’s management system is not required. Considering that it is included in the scope of the organization’s management system only the control of the supplied activity, and not the performance of the activity itself must be audited. From this understanding of risk any additional audit time shall be determined.
