Certification Requirements, Procedure 200 and ISO 17021

SAAS Certification Process Requirements SAAS Procedure 200 and ISO/IEC 17021 © Social Accountability Accreditation Services, June 2010

Upload: vanduong

Post on 04-Jan-2017


SAAS

Certification Process Requirements

SAAS Procedure 200 and ISO/IEC 17021

© Social Accountability Accreditation Services, June 2010


Accreditation Process and Policies


SAAS Normative Requirements

• SAAS maintains a set of Procedures and Policies, revised between 2007 and 2008, that it follows in conducting accreditation work:

  - SAAS Procedure 200 sets out the certification process requirements for Certification Bodies (CBs) undertaking the assessments of organizations against the SA8000 standard.

  - SAAS Procedure 201 sets out the internal policies SAAS must follow in granting and maintaining accreditation of a CB by SAAS.

  - SAAS Procedure 203 contains the qualifications and training requirements for accreditation auditors and SAAS staff.

  - SAAS has also developed a set of Work Instructions that accreditation auditors must follow in undertaking document reviews, on-site office and witness audits, and review of corrective actions.


SAAS Normative Requirements

• In addition, SAAS requires implementation of several ISO documents:

  - SAAS maintains procedures and policies in compliance with ISO/IEC 17011:2004, the international standard for accreditation bodies accrediting certification bodies.

  - SAAS requires implementation of ISO/IEC 17021:2006 by all accredited CBs. 17021 is the international standard setting out requirements for bodies providing audit and certification of management systems.


Certification Process and Policies


SAAS Procedure 200

• SAAS Procedure 200 is the document prescribing the procedures, criteria and methodology that a certification body (CB) must undertake in carrying out assessment of an organization for compliance with SA8000 certification.

• These requirements deal with CB audit processes, auditor qualifications, procedures and SA8000 certificates.

• Noncompliance with these rules results in the issuance of corrective action requests (CARs) and, if not corrected, suspension and ultimately cancellation of accreditation.


SAAS Procedure 200

• Written for Certification Bodies.

• Sets out SA8000 certification process requirements.

• Established to provide consistency in SA8000 process.

• Supporting documents include:

  - SA8000:2008

  - Procedure 201: SAAS Accreditation Policies

  - Procedure 304: How to Make a Complaint / Appeal

  - Procedure 406: Schedule of Fees

  - Procedure 426: Use of the Mark


SAAS Procedure 200

• Main elements of Procedure 200:

  - Structural requirements of the CB

  - Adherence to ISO/IEC 17021:2006

  - Conflict of interest and consulting restrictions

  - Records maintenance

  - Audit process requirements:

    • Stage 1 and stage 2 audits

    • Scope of certification

    • Multi-site auditing

    • Audit planning

    • Issuance of nonconformities

    • Surveillance frequency

  - Audit team requirements, training, skills and evaluation

  - Audit reports

  - Management of complaints

  - SA8000 certificate requirements

  - On-site audit day requirements


SAAS Procedure 200

• SA8000 certification authorized for implementation around the world in any industry except:

  - Myanmar (Burma) until the ILO lifts its sanctions.

  - Maritime until such a time when SAAS, in consultation with SAI, determines otherwise, in accordance with applicable ILO conventions.


CB Requirements

• The CB shall:

  - Be legally identifiable.

  - Be responsible for certification decisions.

  - Have SA8000-specific procedures and perform internal audits.

  - Have a common management system among offices.

  - Conform to ISO/IEC 17021:2006.

  - Have a complaints management system.

  - Avoid conflicts of interest – related bodies cannot provide consulting to certification clients within 2 years.

  - Have documented procedures to ensure continuing effectiveness of its auditors – including witnessed audits and continuing education.

  - Maintain records including: audit reports, living wage calculation, audit day quotes, nonconformities, etc.


Audit Planning

• The audit plan shall include:

  - Evaluation of all of the organization’s social management system requirements.

  - Assessment of the effectiveness of the system.

  - Evidence of internal audits.

  - Information gathered from local and regional experts and stakeholders.

• Pre-planning shall include:

  - Process for determining sufficient wage level.

  - A documented and implemented stakeholder engagement process.

  - Appropriate language skills.

  - Understanding the history and conditions of the client organization.


Audit Days

• Appendix 1 provides the required audit day table the CB shall follow.

• The overall time for the audit (stages 1 and 2) is expressed in auditor days and includes the planning, off-site interviews, document review, on-site audit, and report writing.

• The audit days do not include time deemed necessary for engagement with external stakeholders.

• The CB shall calculate the time on the audit based upon:

  - Sector complexity

  - Perceived risk

  - Number of employees

  - Off-site worker interviews

• The number of workers is calculated considering the total number of workers paid by the client either directly or through an employment agency including:

  - Seasonal

  - Part-time

  - Temporary workers

  - Subcontractors

• Calculation of employees is based on worker totals during the high season.


Audit Process

• The certification process must address all elements of the SA8000 standard.

• The certification audit must have a 2 stage audit.

• Certification applies to all parts of a continuous process.

• Multi-site schemes are audited using a sampling process.

• Each on-site SA8000 audit must include these elements:

  - Management systems

  - Complaints response

  - Worker training on SA8000

  - Effectiveness of corrective actions

  - Health and safety

  - Worker representative activities

  - Working hours

  - Wages

• Each shift must be audited on every audit.

• At least 30% of the audit time shall be used for worker interviews.


SA8000 Maintenance

• SA8000 certified facilities must undergo surveillance audits every 3 months.

• CBs must conduct a minimum of 1 unannounced audit in a three year cycle.

• The entire system must be re-assessed once every 3 years.

• The SA8000 certificate shall contain:

  - Scope of the facility including address and activities

  - Edition of the SA8000 standard, date of certification and date of expiration

  - Remote sites that are included in the scope.

  - The SA8000 mark

  - A unique certificate number.


Nonconformities

• If fulfillment of a specified SA8000 requirement has not been demonstrated, the finding of a nonconformity (NC) may be reported.

• A corrective action request written as a result of an NC must have 3 parts:

  - The statement of nonconformity

  - The reference to SA8000

  - The objective evidence observed.

• Major NC: absence of or total breakdown of a system to meet an SA8000 requirement or likely to result in the failure of the SA8000 system or reduce the ability to assure control of policies to protect workers.

• Minor NC: an NC that is not likely to result in the failure of the system – not systemic in nature.

• All NCs must be recorded.

• A client cannot be certified to SA8000 with open major NCs


Certification Process by CB of SA8000 Applicant


Accreditation and Certification Process


Audit Team Requirements

• SA8000 Lead Auditors shall be:

  - Qualified by an accredited CB

  - Qualified ISO 9001 or equivalent lead auditors (must be trained and experienced in ISO 19011 auditing processes)

  - Trained at SAAS approved/accredited SA8000 courses

  - Experienced, demonstrated by having:

    • Served as a lead auditor on at least 3 accredited ISO systems audits

    • Participated in at least 3 SA8000 certification or surveillance audits.

• SA8000 Team Auditors shall be:

  - Employed or under contract to an accredited CB

  - Qualified ISO 9001 or equivalent lead auditors (must be trained and experienced in ISO 19011 auditing processes)

  - Trained at SAAS approved/accredited SA8000 courses

  - Experienced, demonstrated by having:

    • Participated in at least 3 accredited ISO systems audits

    • Participated in at least 1 SA8000 audit.


Audit Team Requirements

• Audit Teams shall:

  - Consist of qualified SA8000 auditors.

  - Have at least one lead auditor.

  - Have an expert worker interviewer.

  - Have a team member or subject matter expert with relevant sector experience.

  - Not have any team member who has provided consultancy for the client in the 2 years prior to the audit.

• Audit teams should have at least one expert with a background in worker rights.

• The CB shall evaluate auditor performance.

• Training Requirements:

  - SA8000 basic auditor training course

  - SA8000 advanced auditor training course (within 2 years of the basic)

  - Continuing education, 12 hours annually, related to management systems auditing, CSR and SA8000 elements.


Audit Report

• The audit report shall:

  - Include requirements set out in ISO 17021, 9.1.10.

  - Address every SA8000 element with specific descriptive notations:

    • Overtime

    • Control of suppliers

    • Wages

    • Homework

    • Freedom of association

    • Health and safety.

  - Include an overall description of the facility.

  - Note the interview format used along with details.

• Reports must be submitted within 20 working days of the audit.

• The lead auditor is responsible for comprehensive reporting notes and checklists.


Complaints Process

• Accredited CBs must have a complaints system in place to accept and investigate complaints.

• The process shall include:

  - Correspondence with the complainant.

  - An investigation of the complaint.

  - A report back to the complainant.

• An investigation may be aided by:

  - An unannounced audit.

  - Interviews with stakeholders.

• The investigation shall cover all elements identified in the complaint.

• The report shall include:

  - The resolution of the complaint.

  - The reasons for the conclusion.

  - A summary of the documented evidence.

  - The corrective action agreed upon and confirmation of evidence.

• Every 6 months, the CB shall report to SAAS a detailed report of all complaints.


SAAS Advisories to Procedure 200

• Since the issuance of Procedure 200 in December 2007, SAAS has issued 8 supporting Advisories:

  - Advisory 1: Complaints: sets out a more formal structure for CBs to manage complaints from stakeholders.

  - Advisory 2: Auditor Training: clarifies the term “equivalent” used in Procedure 200 – lays out the minimum number of audits an SA8000 auditor must experience in order to be qualified.

  - Advisory 3 and 7: SA8000:2008: provides the timeline for transitioning all clients from SA8000:2001 to SA8000:2008.

  - Advisory 4: Subcontracting: clarifies the provision in Procedure 200 for subcontracting SA8000 auditing work.

  - Advisory 5: Auditor Training: provides continuing education requirements of SA8000 auditors.

  - Advisory 6: Half Day audits: clarifies the requirements of the audit day table.

  - Advisory 8: Accreditation Cycle: shifts the accreditation cycle from 3 years to 4 years for CBs.


Expected Changes to Procedures

• Since the issuance of Procedure 200 in December 2007, SAAS has also considered and implemented several changes or improvements to policies. Changes and pilots that have been considered by the SA8000 Advisory Committee include:

  - Allowing facilities that meet risk and performance criteria to be moved from semi-annual surveillance audits to annual surveillance audits.

  - Allowing audits in the maritime industry.

  - Piloting enhanced stakeholder consultation methodology.

  - Updating the SA8000 applicant status program.


ISO/IEC 17021:2006

© Social Accountability Accreditation Services,

June 2010


ISO/IEC 17021:2006

Conformity assessment — Requirements for bodies providing audit and certification of management systems


ISO/IEC 17021 Structure

Ten Sections:

• 1 Scope

• 2 Normative references

• 3 Terms and definitions

• 4 Principles


ISO/IEC 17021 Structure

Ten Sections – 6 Normative:

• 5 General requirements

• 6 Structural requirements

• 7 Resource requirements

• 8 Information requirements

• 9 Process requirements

• 10 Management system requirements


General requirements for management system certification bodies

Significant changes from previous normative document (ISO Guide 62):

• 10 Management system requirements for management system certification bodies

• 9.2.3 Initial certification audit

  - 9.2.3.1 – Stage 1 audits

  - 9.2.3.2 – Stage 2 audits

• Incorporation of ISO 19011:2002 as a normative document

• 9.9 Records on certified clients (better definition of required records)


10 Management system requirements for management system CBs

The CB shall establish and maintain a management system in accordance with 10.1 or 10.2

This replaces the requirement of ISO/IEC Guide 62, 2.1.4 Quality System.


10 Management system requirements for management system CBs

10.1 Option 1 – Management system requirements in accordance with ISO 9001

The certification body shall establish and maintain a management system, in accordance with the requirements of ISO 9001, that is capable of supporting and demonstrating the consistent achievement of the requirements of this International Standard.


10 Management system requirements for management system CBs

This makes the ISO 9001 standard normative and requires all CBs to meet the requirements of ISO 9001.

What does this mean to us and the CB?


10 Management system requirements for management system CBs

More requirements!

Since all ISO 9001 requirements apply (except for allowable exclusions) the CB will have to have:

• Quality Manual

• Quality Objectives

• Continuous Improvement Process (Including Preventive Actions)

• Measurement of Customer Satisfaction

• Planning of Product Realization


10 Management system requirements for management system CBs

More requirements!

Most significant is the requirement to use the process approach to management. (ISO 9001 - 4.1, a)

This may also require that we audit using the process auditing approach. (We have typically done system audits.)


ISO/IEC 17021 Content

Section 1 – Scope:

Contains principles and requirements for the competence, consistency and impartiality of the audit and certification of management systems of all types and for bodies providing these activities.


ISO/IEC 17021 Content

Section 2 - Normative references:

• ISO 9000:2005, Quality management systems — Fundamentals and vocabulary

• ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing

• ISO/IEC 17000:2004, Conformity assessment — Vocabulary and general principles


ISO/IEC 17021 Content

Section 3 - Terms and definitions:

• For the purposes of this document, the terms and definitions given in ISO 9000, ISO/IEC 17000 and the following apply.

• 3.1 certified client - organization whose management system has been certified

• 3.2 impartiality - actual and perceived presence of objectivity

• 3.3 management system consultancy - participation in designing, implementing or maintaining a management system


ISO/IEC 17021 Content

Section 4 - Principles:

Clause 4 describes the principles on which credible certification is based. These principles underpin all the requirements in this International Standard, but such principles are not auditable requirements in their own right.


ISO/IEC 17021 Content

Section 4 – General:

Principles for inspiring confidence include 4.2 impartiality, 4.3 competence, 4.4 responsibility, 4.5 openness, 4.6 confidentiality, and 4.7 responsiveness to complaints.


SA8000 Audit Hierarchy

SAAS

Certification Body

ISO/IEC 17011 and SAAS Procedure 201

ISO/IEC 17021 and SAAS Procedure 200

SA8000 Standard

Requirements Documents

Client


CB Structure Hierarchy

ISO/IEC 17021

SAAS Procedure 200

Industry/Legal Requirements

CB Specific Requirements

Ground = Principles

impartiality, competence, responsibility, openness, confidentiality and responsiveness to complaints


General requirements for management system certification bodies

2 Normative references

The following referenced documents are indispensable for the application of this document.

• ISO 9000:2005, Quality management systems — Fundamentals and vocabulary

• ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing

• ISO/IEC 17000:2004, Conformity assessment — Vocabulary and general principles


10 Management system requirements for management system CBs

10.1.1 Scope

For application of the requirements of ISO 9001, the scope of the management system shall include the design and development requirements for its certification services.


10 Management system requirements for management system CBs

10.1.2 Customer focus

For application of the requirements of ISO 9001, when developing its management system, the certification body shall consider the credibility of certification and address the needs of all parties that rely upon its audit and certification services (as set out in 4.1.2), not just its clients.

For SAAS, this is a real positive that we may have to define specific requirements for.


10 Management system requirements for management system CBs

4.1.2 - The overall aim of third-party certification is to give confidence to all parties that rely upon certification... which includes but are not limited to:

a) the certified organizations that are the clients of the certification bodies;

b) the customers of the certified organizations;

c) governmental authorities;

d) nongovernmental organizations;

e) consumers and other members of the public.


10 Management system requirements for management system CBs

10.1.3 Management review

For application of the requirements of ISO 9001, Clause 5.6.2 (Inputs to management review), the certification body shall include as input for management review, information on relevant complaints and appeals from users of audit services.

For SAAS, this means that any SA8000 complaints must be addressed in the CB’s management review.


10 Management system requirements for management system CBs

10.1.4 Design and development

For application of the requirements of ISO 9001, when developing a new management system certification scheme, or adapting an existing one to special circumstances, the certification body shall ensure that the guidance given in ISO 19011, and which is appropriate to third-party situations, is included as a design input.


10 Management system requirements for CBs

Significant changes in the normative requirements from ISO/IEC Guide 62:

10.1 Options

The CB shall implement a management system in accordance with either

a) management system requirements in accordance with ISO 9001 (see 10.2), or

b) general management system requirements (see 10.3).


10 Management system requirements for management system CBs

10.2 Option 2 – General management system requirements

The CB’s top management shall establish and document policies and objectives for its activities.

The CB’s top management shall appoint a member of management to ensure that:

• policies and procedures are established, implemented and maintained

• the performance of the system is reported to top management


10 Management system requirements for management system CBs

The system shall include:

• 10.2.1 – Management system manual

• 10.2.2 – Control of documents

• 10.2.3 – Control of records

• 10.2.4 – Management review

  - Review inputs

  - Review outputs


10 Management system requirements for management system CBs

The system shall include:

• 10.2.5 – Internal audits

• 10.2.6 – Corrective actions

• 10.2.7 – Preventive actions


General requirements for management system certification bodies

Significant changes in the normative requirements from ISO/IEC Guide 62:

• 9.2.3 Initial certification audit now done in two stages:

The initial certification audit of a management system shall be conducted in two stages, which are described in Clauses 9.2.3.1 – Stage 1 audit and 9.2.3.2 – Stage 2 audit.


9.2.3 Initial certification audit

9.2.3.1.1 - For most management systems, it is recommended that at least part of the stage 1 audit be carried out at the client's premises in order to achieve the objectives stated above.

9.2.3.1.2 Stage 1 audit findings shall be documented and communicated to the client, including identification of any areas of concern that could be classified as nonconformity during the stage 2 audit.


9.2.3.1 – Stage 1 Audits

9.2.3.1.1 Stage 1 audits shall have an audit plan

9.2.3.1.2 Normally the certification body shall perform the stage 1 audit of a client organization’s management system on-site

9.2.3.1.3 The stage 1 audit shall be performed to:

a) evaluate the applicant organization's location and site-specific conditions and to undertake discussions with the client organization's personnel to determine the preparedness for the stage 2 audit;

b) review the client organization’s status and understanding regarding requirements of the standard


9.2.3.1 – Stage 1 Audits

9.2.3.1.3 The stage 1 audit shall be performed to:

c) collect necessary information regarding the scope of the management system, processes and location(s) of the client organization, and related statutory, regulatory aspects and compliance, e.g. quality, environmental, legal aspects of the applicant organization's operation, associated risks etc;

d) review the allocation of resources for stage 2 and agree with the client organization on the details of the stage 2 audit;

e) provide a focus for planning the stage 2 audit


9.2.3.1 – Stage 1 Audits

9.2.3.1.3 The stage 1 audit shall be performed to:

f) evaluate if the internal audits and management review are being planned and performed effectively and that the level of implementation of the management system substantiates that the client organization is ready for the stage 2 audit.


9.2.3.1 – Stage 1 Audits

9.2.3.1.4 Stage 1 audit results shall be documented and communicated to the client organization including identification of any areas of concern that could be classified as nonconformity during the stage 2 audit.

9.2.3.1.5 Any part of the management system that is audited during the stage 1 audit and determined to be fully implemented, effective, and in conformity with requirements, may not need to be re-audited during the stage 2 audit, however the certification body has to ensure that the already audited parts of the management system continue to conform to the certification requirements.


9.2.3.1 – Stage 1 Audits

9.2.3.1.5 (cont'd) In this case the stage 2 audit report shall include these findings and clearly state that compliance has been established during the stage 1 audit.

9.2.3.1.6 In determining the interval between stage 1 and stage 2, consideration should be given to the needs of the client to resolve areas of concern identified during the stage 1 audit. The certification body may also need to revise its arrangements for stage 2.


9.2.3.2 Stage 2 Audit

The purpose of the stage 2 audit is to evaluate the implementation, including effectiveness, of the client's management system. The stage 2 audit shall take place at the site(s) of the client…


9.2.3.2 – Stage 2 Audit

9.2.3.2.1 Stage 2 audits shall have an audit plan

9.2.3.2.2 The stage 2 audit shall take place at the site(s) of the client organization. The purpose of the stage 2 audit is to evaluate the implementation and effectiveness of the client’s management system.

9.2.3.2.3 The audit team shall conduct the stage 2 audit to gather audit evidence that the management system conforms to the standard and other certification requirements.


9.2.3.2 – Stage 2 Audit

9.2.3.2.4 The audit team shall audit a sufficient number of examples of the activities of the client organization in relation to the management system and activities to get a sound appraisal of the implementation, including effectiveness, of the management system

9.2.3.2.5 As part of the audit, the audit team shall address a sufficient number of the staff, including top management and operational personnel of the audited facility, to provide assurance that the system is implemented and understood throughout the client organization.


9.2.3.2 – Stage 2 Audit

9.2.3.2.6 The audit team shall analyze all information and audit evidence gathered during the stage 1 and stage 2 audits to determine the extent of fulfillment with all certification requirements and decide on any nonconformity. The audit team may suggest possible areas for improvement, to be presented to the client organization as opportunities for improvement, but shall not recommend specific solutions.


9.2.3.2 – Stage 2 Audit

9.2.3.2.7 The stage 2 audit shall cover an examination of the organization’s processes which address at least the following:

a) information and evidence about conformity to all requirements of the applicable normative document;

b) performance monitoring, measuring, reporting and reviewing against key performance objectives and targets;

c) the system organization and performance as regards legal compliance;

d) operational control;


9.2.3.2 – Stage 2 Audit

9.2.3.2.7 The stage 2 audit shall cover an examination of the organization’s processes which address at least the following:

e) internal auditing and management review;

f) management responsibility for the client organization’s policies;

g) links between policy, performance objectives and targets.


9.2.3.2 – Stage 2 Audit

9.2.3.2.8 Post-audit activities shall cover at least the following:

a) a record of any identified and agreed nonconformities shall be left with the client prior to departure from the audit site;

b) establishing the audit report specified in 9.2.4.


ISO 19011:2000 Requirement

2 Normative references

The following referenced documents are indispensable for the application of this document.

ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing.


ISO 19011:2000 Requirement

References to the requirements in ISO 19011:2002 include:

• 7.2.5 The certification body shall have a process for ensuring that the auditors it uses are competent both as auditors in the generic sense and for auditing in specific technical areas

Appropriate documented requirements to this effect shall be based on the guidance provided in ISO 19011, Clause 7.


ISO 19011:2000 Requirement

References to the requirements in ISO 19011:2002 include:

• 9.1.2 The CB shall ensure that an audit plan is established for each audit based on the guidance in ISO 19011.

• 9.1.3 The certification body shall have a process for selecting and appointing the audit team.

This process shall be based on the guidance provided in ISO 19011.


ISO 19011:2000 Requirement

References to the requirements in ISO 19011:2000 include:

• 9.1.11 The certification body shall have a process for conducting on-site audits based on the guidance provided in ISO 19011, Clause 6.5

• 9.2.4.3 The stage 2 audit report shall be based on the guidance provided in ISO 19011, Clause 6.6.1.


ISO 19011:2000 Requirement

References to the requirements in ISO 19011:2000 include:

• 9.3.3.1 For surveillance audits, the report from the audit team shall be based on the guidance provided in ISO 19011


9 Better definition of records

• 9.9.2 Records on certified clients shall include:

• application information and initial, surveillance and recertification audit reports;

• justification of the methodology for sampling;

• justification for auditor time determination (see 9.1.5);

• verification of correction and corrective actions;

• records of complaints and appeals and any subsequent correction or corrective actions; committee deliberations and decisions, if applicable;


9 Better definition of records

• 9.9.2 Records on certified clients shall include:

• documentation of the certification decisions;

• certification documents including the scope of certification with respect to product, process or service as applicable, and

• related records necessary to establish the credibility of the certification.


General requirements for management system certification bodies

Significant changes in the normative requirements from ISO/IEC Guide 62:

9.6 Suspending, withdrawing or reducing the scope of certification – Significant expansion in the requirements and details for suspensions leading to withdrawal of certifications

9.6.1 through 9.6.7 replaces 2.1.5.1 in Guide 62


General requirements for management system certification bodies

Significant changes in the normative requirements from ISO/IEC Guide 62:

9.9 Records on certified clients (better definition of required records)

9.9.1 through 9.9.4 replaces 2.1.8.1 & 2.1.8.2


ISO/IEC 17021

• Summary:

  - 17021 is a significant departure from Guide 62

  - All accredited CBs must be assessed for 17021 compliance prior to the end of September 2008

  - Auditors must be qualified in ISO 19011 and ISO 9001 to conduct 17021 audits