SADCASF40(a)IssueNo:1 Page1of41 Date:20130118CHECKLISTISO/IEC17021:2011ConformityAssessmentRequirementsforBodiesProvidingAuditandCertificationofManagementSystemsDate(s)ofEvaluation: Assessor(s)&Observer(s): Organization: Area/FieldofOperation: OrganizationsRepresentative: Thereportcoversthefollowing:DocumentReviewonly ImplementationonSiteVisitonlyDocumentReviewandSiteVisitAssessmentofCompanyFilesISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR5 Generalrequirements5.1 Legalandcontractualmatters5.1.1 Legalresponsibility Legal entity or a defined part of a legalentity can be held legally responsible. (Pty)Ltd,CCorother? Verify registration with Registers ofCompanies GovernmentalCBisalegalentitybasedonits governmental status. Identitydepartment.5.1.2 Certificationagreement Legally enforceable agreement (contract)for provision of certification activities tocustomer? AremultipleofficesofaCBormultiplesitesof a certified customer covered by theagreement? Areallthesitescoveredbythescopeofthecertification? 5.1.3 Responsibilityforcertificationdecisions Does CB retain authority and responsibilityfor its decisions relating to certification?e.g. granting, maintaining, renewing,extending, reducing, suspending andwithdrawing. SADCASRef.No: SADCASF40(a)IssueNo:1 Page2of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR5.2 Managementofimpartiality 5.2.1 Is CB top management commitment toimpartiality? Isthereapubliclyaccessiblestatement? Doesitcover:ImportanceofimpartialityConflictofinterestandObjectivityofitsmanagementsystemcertificationactivities? 5.2.2 Areconflictofinterestsidentified,nalyzedanddocumentedandmanagedthroughthesystem? Are relationships posing a threat toimpartialitydocumented? How does the CB demonstrate that iteliminatesorminimizessuchthreats? Information made available to theimpartialityCommittee?(see6.2)Note: A relationship that threatens the impartialityof the CB can be based on ownership, governance,management,personnel,sharedresources,finances,contracts, marketing and payment of a salescommission or other inducement for the referral ofnewclients,etc. 5.2.3 Not offering certification whenrelationships that threaten impartialitycannotbeeliminatedorminimized.SeeNote5.2.2 5.2.4 Does the CB certify another CB for itsmanagement system certificationactivities?SeeNote5.2.2 5.2.5 Does the CB and any part of the samelegal entity offer or provide managementsystemconsultancy? This applies also to that part ofgovernmentidentifiedastheCB.SeeNote5.2.2 5.2.6 DoestheCBprovideinternalauditstoitscertifiedcustomers?DoestheCBcertifyamanagementsystemonwhichitprovidedinternalauditswithin2 years following the end of the internalaudits? This applies also to that part ofgovernmentidentifiedasCB.SeeNote5.2.2 5.2.7 Does the CB certify a customer when theCBs relationship with a managementsystem consultancy or internal audits,poses an unacceptable threat to theimpartialityoftheCB?SeeNotes. SADCASF40(a)IssueNo:1 Page3of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR5.2.8 Does the CB outsource audits to amanagement system consultancyorganization? (Unacceptable threat toimpartiality.See7.5). This clause does not apply to individualscontractedasauditorscoveredin7.3 5.2.9 Are the CBs activities marketed or linkedwithmanagementsystemconsultancy? CB takes action to correct inappropriateclaimsbyanyconsultancyorganization? Are there any implications by CB thatcertification would be simpler, easier,faster or less expensive if a specifiedconsultancyorganizationisused? 5.2.10 Does CB ensure no conflict of interest ofpersonnel? 2 Years rule applied, how effective is theprocess? 5.2.11 Is action taken to respond to any threatsto CBs impartiality arising from theactions of other persons, bodies ororganizations? 5.2.12DoesallCBpersonnel,internal,externalorcommittees act impartially and does theCB allow commercial, financial or otherpressuretocompromiseimpartiality? 5.2.13DoestheCBrequireallpersonneltorevealanyconflictofinterestsituations? Information used as input to identifyingthreatstoimpartiality? 5.3LiabilityandFinancing 5.3.1 Is the CB able to demonstrate that it hasevaluated risks arising from its certificationactivities and that it has adequatearrangements (e.g. insurance or reserves) tocover liabilities arising from its operations ineach of its field of activities and thegeographicareasinwhichitoperates? 5.3.2DoestheCBevaluateitsfinancesandsourcesofincomeanddemonstratetothecommitteespecified in 6.2 that initially and on an ongoing basis, commercial, financial or otherpressuresdonotcompromiseitsimpartiality? SADCASF40(a)IssueNo:1 Page4of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR6. Structuralrequirements6.1 Organizationalstructureandtopmanagement 6.1.1 Organizational structure documentedincluding duties, responsibilities andauthoritiesforpersonnelandcommittees;andrelationshipstootherpartswithinthesamelegalentity? 6.1.2 DoestheCBidentifythetopmanagement(board, group of persons, or person)having overall authority and responsibilityforeachofthefollowing:a) development of policies relating to theoperationofthebody?b) supervision of the implementation ofpoliciesandprocedures?c) supervisionofthefinancesofthebody?d) development of management systemcertificationservicesandschemes?e) performance of audits and certificationandresponsivenesstocomplaints?f) decisionsoncertification?g) delegationofauthoritytocommitteesorindividuals,asrequired,toundertakedefinedactivitiesonitsbehalf?h) contractualarrangements?i)providingadequateresourcesforcertificationactivities? 6.1.3 Formal rules for the appointment, termsof reference and operation of anycommittees involved in the certificationactivities? 6.2 Committeeforsafeguardingimpartiality 6.2.1 DoesthestructureoftheCBsafeguardtheimpartiality of the activities of the CB anddoesitprovideforacommitteeto:a)assistindevelopingthepoliciesrelatingtoimpartialityofitscertificationactivities?b) counteract any tendency on the part of aCB to allow commercial or otherconsiderations to present the consistentobjective provision of certificationactivities?c) advise on matters affecting confidenceincludingopennessandpublicperception?d) conduct an annual review of theimpartiality of the audit, certification anddecisionmakingprocessesoftheCB? SADCASF40(a)IssueNo:1 Page5of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR6.2.2 Is the composition, terms of reference,duties, authorities, competence ofmembers and responsibilities of thiscommittee formally documented andauthorized by top management of the CBtoensure:a) representationofabalanceofinterests?b) access to all the information (see also5.2.2&5.3.2)c) the right to take independent action,where the top management of the CBdoes not respect the advice of thecommittee (e.g. informing authorities,ABs,stakeholders)?Isconfidentialitymaintainedwhentakingindependentactions?See8.5 6.2.3 Arekeyinterestsidentifiedandinvitedtothiscommittee? 7 Resourcerequirements7.1 Competenceofmanagementandpersonnel 7.1.1 Does a CB have a process to ensure thatpersonnel have appropriate knowledgerelevant to the types of managementsystemsandgeographicalareasinwhichitoperates? Iscompetencerequiredforeachtechnicalarea and for each function in thecertification activity determined for eachtechnicalarea? Is the means for the demonstration ofcompetencedetermined? 7.1.2 Are competence requirements determined for all CB personnel and is this asper documented process? Is thedocumentedprocessasperAnnexureAoraspercertificationscheme? 7.1.3 Evaluationprocesses DoestheCBhavedocumentedprocessesfortheinitialcompetenceevaluationandongoingmonitoringofcompetenceandperformanceofallpersonnelinvolvedinthemanagementandperformanceofauditsandcertification? Arethesemethodseffective? SADCASF40(a)IssueNo:1 Page6of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR7.1.4 Otherconsiderations7.1.4.1 Does the CB address the functionsundertaken by management andadministrative personnel whiledetermining the competencerequirements?7.1.4.2 Does the CB have access to the necessarytechnical expertise for technical areas,types of management system andgeographicareasinwhichitoperates? 7.2 Personnelinvolvedinthecertificationactivities 7.2.1 Does the CB as part of its ownorganization have personnel withsufficient competence for managing thetype and range of audit programmes andothercertificationworkperformed? 7.2.2 Does the CB employ or have access to asufficient number of auditors includingaudit team leaders and technical expertstocoverallactivitiesandvolumeofwork? 7.2.3 Does the CB make clear to each personconcerned duties, responsibilities andauthorities? 7.2.4 DoestheCBhavedefinedprocessesfor:SelectingTrainingFormallyauthorizingauditorsandSelectingtechnicalexperts? Does the initial competence evaluation ofan auditor include the ability to applyrequired knowledge and skill duringaudits, as determined by a competentevaluator observing (witnessing) theauditorconductinganaudit? 7.2.5 DoestheCBhaveaprocesstoachieveanddemonstrate effective auditing, includingtheuseofauditorsandauditteamleaderspossessing generic auditing skills andknowledgeaswellasskillsandknowledgeappropriate for auditing in specifictechnicalareas? SADCASF40(a)IssueNo:1 Page7of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR Does the CB define the knowledge andskills for specific certification functions asperAnnexureAofISO/IEC17021:2011? 7.2.6 Are auditors and technical expertsknowledgeable of the CBs auditprocesses, certification scheme and itsrequirements and other relevantrequirements? Does the CB give auditors and technicalexperts access to an uptodate set ofdocumented procedures giving auditinstructions and all relevant informationonthecertificationactivities? 7.2.7 Are auditors and technical experts used inthese activities where they havedemonstratedcompetence?SeeNote9.1.3 7.2.8 Are training needs identified for functionsperformed? Wherethereisneed,istrainingofferedorprovided? 7.2.9 Are person(s) taking the certificationdecisionsknowledgeableonthe:applicablestandard;certificationrequirements;have demonstrated competence toevaluate the audit processes; andrelated recommendations of theauditteam? 7.2.10 Does documented procedures and criteriafor monitoring and measurement ofperformanceofallpersonnelexist? Competence reviewed to identify trainingneeds? 7.2.11 Do procedures include a combination ofonsite observation, review of auditreports and feedback from customers orfromthemarket? 7.2.12 Does the CB periodically observe theperformanceofeachauditoronsite? Is the frequency of onsite observationsbased on need determined from allmonitoringinformationavailable? SADCASF40(a)IssueNo:1 Page8of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR7.3 Useofindividualexternalauditorsandexternaltechnicalexperts Does a CB have a written agreement withexternal auditors and external technicalexperts in place by which they committhemselves to comply with applicablepoliciesandproceduresasdefined? Does the agreement address all relevantaspects? 7.4 Personnelrecords DoestheCBmaintainuptodatepersonnelrecordsincluding:Relevantqualifications;Training;Experience;Affiliations;Professionalstatus;Competence;andAnyrelevantconsultancyservices? Doesthisincludemanagementandadministrativepersonnelinadditiontothoseperformingcertificationactivities? 7.4 Personnelrecords(cont.) 7.5 Outsourcing 7.5.1 Does the CB have a process in which itdescribes the conditions under whichoutsourcingmaytakeplace? Legally enforceable agreement with eachbodythatprovidesoutsourcedservices?SeeNotes 7.5.2 Is the CB outsourcing certificationdecisions? 7.5.3 DoestheCB:a) take responsibilities for all activitiesoutsourced?b) ensure that the body that providesoutsourcesactivities:conformstotheCBsrequirementsconformstotheapplicableprovisionsof this international standardincluding competence, impartialityandconfidentiality?c) ensure that the outsourced services arenot involved in any way that impartialitycouldbecompromised? SADCASF40(a)IssueNo:1 Page9of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR7.5.4 Documented procedures for thequalification and monitoring of alloutsourced services used for certificationactivities? Records of the competence of auditorsandtechnicalexpertsmaintained? 8 Informationrequirements8.1 Publiclyaccessibleinformation 8.1.1 Does the CB maintains and make publiclyaccessible or provide upon requestinformationdescribingitsauditprocesses,certification processes and about thecertification activities, types ofmanagement systems and geographicalareasinwhichitoperates? 8.1.2 Is the information provided by the CB toanyclientortothemarketplaceincludingadvertisingaccurateandnotmisleading? 8.1.3 Does the CB make publicly accessibleinformation about certifications granted,suspendedorwithdrawn? 8.1.4 Does the CB on request from any partyprovidemeanstoconfirmthevalidityofagivencertification:SeeNotes 8.2 Certificationdocuments 8.2.1 Does the CB provide certificationdocuments to the certified client by anymeansitchooses? 8.2.2 Is the effective date on a certificationdocument the date before thecertificationdecision? 8.2.3 Doesthecertificationdocument(s)identifythefollowing:a)thenameandgeographiclocationofeachclient and any sites within the scope of amultisitecertification?b) the dates of granting, extending orrenewingcertification?c)theexpirydateorrecertificationduedateconsistentwiththerecertificationcycle?d)auniqueidentificationcode?e) the standard and/or other normativedocument including issue number and/orrevisionusedforthecertifiedcustomer? SADCASF40(a)IssueNo:1 Page10of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR8.2.3 cont.f) the scope of certification with respect toproduct (including service), process, etc,asapplicableateachsite?g) the name, address and certification markof the CB; other marks (e.g. accreditationsymbol)?h) any other information required by thestandard and/or other normativedocumentusedforcertification?i) in the event of issuing any revisedcertification documents, a means todistinguish the revised documents fromanypriorobsoletedocuments? 8.3 Directoryofcertifiedcustomers Does the CB maintain and make publiclyaccessibleorprovideuponrequest,byanymeans it chooses, a directory of validcertifications? See 8.3 for directorydetail. 8.4 Referencetocertificationanduseofmarks 8.4.1 Does the CB have a policy governing anymarkthatitauthorizescertifiedcustomersto use? See 8.4.1 and ISO/IEC 17030 fordetail. Is the mark used on a product or productpackagingseenbytheconsumer? 8.4.2 DoestheCBpermititsmarktobeappliedto laboratory test, calibration orinspectionreports? 8.4.3 Does the CB require that the clientorganization:a) conforms to the requirements of the CBwhen making reference to its certificationstatusincommunicationmedia?b) does not make or permit any misleadingstatementregardingitscertification?c) does not use or permit the use of acertificationdocumentoranypartthereofinamisleadingmanner?d) upon suspension or withdrawal of itscertification discontinues its use of alladvertising matter that contains areference to certification, as directed bytheCB?(See9.6.3and9.6.6)e) amends all advertising matter when thescopeofcertificationhasbeenreduced? SADCASF40(a)IssueNo:1 Page11of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR8.4.3 cont..f) does not allow reference to itsmanagement system certification to beused to imply that the CB certifies aproduct(includingservice)orprocess?g) does not imply that the certificationapplies to activities that are outside thescopeofcertification?andh) does not use its certification in such amanner that would bring the CB and/orcertification system into disrepute andlosepublictrust? 8.4.4 Does the CB exercise proper control ofownership and take action to deal withincorrect references to certification statusormisleadinguseofcertificationmarksorauditreports?SeeNote 8.5 Confidentiality 8.5.1/8.5.5 Does the CB through legally enforceableagreements have a policy andarrangements to safeguard theconfidentiality of the information at alllevels of its structure, includingcommittees and external bodies orindividualsactingonitsbehalf? 8.5.2 Client informed by the CB of theconfidential information it intends toplaceinthepublicdomain? 8.5.3 Except as required in this internationalstandard,isinformationaboutaparticularclient or individual disclosed to a thirdparty without the written consent of theclientorindividualconcerned? WheretheCBisrequiredbylawtoreleaseconfidentialinformationtoathirdparty,isthe customer or individual concerned,unless regulated by law, notified inadvanceoftheinformationprovided? 8.5.4 Isinformationabouttheclienttreatedasconfidential,consistentwiththeCBspolicy? SADCASF40(a)IssueNo:1 Page12of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR8.5.5 Do all personnel acting on the CBs behalfkeep confidential all information obtainedor created during the performance of theCBsactivities? 8.5.6 Does the CB have available and useequipment and facilities that ensure thesecure handling of confidentialinformation(e.g.documents,records)? 8.5.7 When confidential information is madeavailable to other bodies (e.g. AB,agreement group of a peer assessmentscheme) does the CB inform its client ofthisaction? 8.6 InformationexchangebetweenaCBanditscustomers 8.6.1 Informationonthecertificationactivityandrequirements DoestheCBprovideandupdateclientsonthefollowing:a)a detailed description of the initial andcontinuing certification activity includingthe application, initial audits, surveillanceaudits and the process for granting,maintaining, reducing, extending,suspending, withdrawing certification andrecertification?b)The normative requirements forcertification?c)Informationaboutthefeesforapplication,initial certification and continuingcertification?d)TheCBsrequirementsfortheprospectivecustomer:1To comply with certificationrequirements?2To make all necessary arrangementsfortheconductoftheauditsincludingprovision for examiningdocumentation and the access to allprocesses and areas, records andpersonnel for the purposes of initialcertification, surveillance, recertification and resolution ofcomplaints,and?3To make provisions where applicableto accommodate the presence ofobservers (e.g. accreditation auditorsortraineeauditors)? SADCASF40(a)IssueNo:1 Page13of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSORe)Documents describing the rights andduties of certified clients includingrequirements when making reference toits certification in communication of anykindinlinewiththerequirementsin8.4?f)Information on procedures for handlingcomplaintsandappeals? 8.6.2 NoticeofchangesbyaCB Does the CB give its certified clients duenotice of any changes to its requirementsforcertification? Does the CB verify that each certifiedclient complies with the newrequirements?SeeNote 8.6.3 Noticeofchangesbyaclient LegallyenforceablearrangementstoensurethatthecertifiedcustomerinformstheCBofmattersthatmayaffectthemanagementsystemsabilitytocontinuetofulfilltherequirementsofthestandardusedforcertification?Seeexamplesa)toe)inthestandard 9 Processrequirements9.1 Generalrequirements 9.1.1 Auditprogramme9.1.1.1 Is the audit programme for the fullcertification cycle developed and does itclearly identify the audit activity(ies)required for certification to the selectedstandard(s) or other normativedocuments?9.1.1.2 Does the audit programme include a twostage initial audit, surveillance audits inthe 1st and 2nd years and a recertificationaudit in the 3rd year prior to expiration ofcertification? (The 3year certificationcycle begins with the certification or recertificationdecision).9.1.1.3 Where a CB is taking account ofcertification or other audits alreadygranted to the customer, does it collectsufficient, verifiable information to justifyand record any adjustments to the auditprogramme? 9.1.2Auditplan9.1.2.1General Is an audit plan established for each auditto provide the basis for agreementregarding the conduct and scheduling oftheauditactivities? SADCASF40(a)IssueNo:1 Page14of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSORIs the audit plan based on documentedrequirementsofthecertificationbody?9.1.2.2 Determining audit objectives, scope andcriteria9.1.2.2.1 Does the CB determine the auditobjectives? Is the audit scope and criteria includingchanges established by the CB afterdiscussionswiththeclient?9.1.2.2.2 Are audit objectives describe what is to beaccomplished by the audit and does itincludethefollowing: a) determination of the conformity of theclients management system, or parts of it,withtheauditcriteria b) evaluation of the ability of themanagement system to ensure the clientorganization meets applicable statutory,regulatoryandcontractualrequirementsSeeNote c) evaluation of the effectiveness of themanagement system to ensure the clientorganization is continually meeting itsspecifiedobjectives d) as applicable, identification of areas ofpotentialimprovementofthemanagementsystem9.1.2.2.3 Does the audit scope describe the extentand boundaries of the audit? Where theinitial or recertification process consists ofmore than one audit, are total auditsconsistent with the scope in thecertification?9.1.2.2.4Is the audit criteria used as a referenceagainstwhichconformityisdeterminedanddoesitinclude:The requirements of a defined normativedocumentonmanagementsystemsThe defined processes and documentationof the management system developed bytheclient9.1.2.3 Preparingtheauditplan Is the audit plan appropriate to theobjectivesandthescopeoftheauditand SADCASF40(a)IssueNo:1 Page15of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.1.2.3 Preparingtheauditplan(cont.) Does it at least include or refer to thefollowing:a)Theauditobjectivesb)Theauditcriteriac)The audit scope including identification ofthe organizational and functional units orprocessestobeauditedd)Thedatesandsiteswheretheonsiteauditactivities are to be conducted includingvisitstotemporarysites,asappropriatee)The expected time and duration of onsiteauditactivitiesf)The roles and responsibilities of the auditteammembersandaccompanyingpersonsSeeNotes1and2 9.1.3 Auditteamselectionandassignments9.1.3.1 Process in place for selecting andappointing the audit team taking intoaccountthecompetenceneededtoachievetheobjectivesoftheaudit? Where there is only one auditor, is theauditorcompetenttoperform?9.1.3.2 In deciding the size and composition of theauditteamwasthefollowingconsidered:a) audit objectives, scope, criteria andestimatedtimeoftheauditb)whethertheauditisacombined,integratedorjointauditc) the overall competence of the audit teamneeded to achieve the objectives of theauditd) certification requirements (including any applicable statutory, regulatory orcontractualrequirements?e)Languageandculturef) Whether the members of the audit teamhave previously audited the clientsmanagementsystem.9.1.3.3Where thenecessaryknowledgeandskillofthe audit team leader and auditors wassupplemented by technical experts,translators and interpreters, were theyselected such that they do not undulyinfluencetheaudit? SADCASF40(a)IssueNo:1 Page16of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.1.3.4 Where auditorsintraining are included inthe audit team as participants, was anevaluatorappointed? Wastheevaluatorcompetenttotakeoverthedutiesandhavefinalresponsibilityfortheactivitiesandfindingsoftheauditorintraining?9.1.3.5Doestheauditteamleader,inconsultationwith the audit team assign to each teammember responsibility for specificprocesses, functions, sites, areas oractivities and are such assignments takingintoaccounttheneedforcompetence? Were changes to assignments made toensure achievement of the auditobjectives? 9.1.4 Determiningaudittime 9.1.4.1 Does the CB have documented proceduresfordeterminingaudittimeneedtoplanandaccomplishacompleteandeffectiveaudit? Does the procedure include or makereferencetotherelevantannexesintheIAFGD2andGD6documents? In determining the audit time, does the CBconsider among other things the followingaspects:a)The requirements of the managementsystemstandard?b)Sizeandcomplexity?c)Technologicalandregulatorycontext? d)Anyoutsourcing?e)Theresultsofanyprioraudits?f)Numberofsitesandmultisiteconsiderations?g) The risks associated with the product,processesoractivitiesoftheorganization?h) When audits are combined, joint orintegrated?i) Specific criteria for specific certificationschemewhereestablished?9.1.4.2 Does the CB include time spent by anyteam member that is not assigned as anauditor? SADCASF40(a)IssueNo:1 Page17of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.1.5 Multisitesampling Where multisite sampling is utilized, didthe CB develop an adequate samplingprogramme to ensure proper audit of themanagementsystem? Is the rationale for the sampling plandocumented?(IAFguidanceapplies) 9.1.6 Communicationofauditteamtasks Are the tasks given to the audit teamdefined and make known to the client?Doestheauditteam:a)Examine and verify the structure, policies,processes, procedures, records and relateddocuments of the customer organizationrelevanttothemanagementsystem?b)Determine that these meet all therequirements relevant to the intendedscopeofcertification?c)Determine that the processes andprocedures are established, implementedand maintained effectively, to provide abasis for confidence in the clientmanagementsystem?andd)Communicate to the customer, for itsaction, any inconsistencies between thecustomers policy, objectives and targetsandtheresults? 9.1.7 Communication concerning audit teammembers Does the CB provide the name and, whenrequested, make available backgroundinformation of each member of the auditteam with sufficient time for the clientorganization to object to the appointmentofanyparticularauditorortechnicalexpertand for the CB to reconstitute the team inresponsetoanyvalidobjection? 9.1.8 Communicationofauditplan Is the audit plan communicated and thedatesoftheauditagreedupon,inadvance,withtheclientorganization? 9.1.9 Conductingonsiteaudits9.1.9.1 General DoestheCBhaveaprocessforconducting SADCASF40(a)IssueNo:1 Page18of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.1.9.1 General(cont.)Onsiteaudits?Does the process include opening meetingatthestartoftheauditandclosingmeetingattheconclusionoftheaudit?9.1.9.2 ConductingtheopeningmeetingDoestheauditteamhaveaformalopeningmeeting with the clients management andthose responsible for the functions orprocessestobeaudited?Are the opening meeting conducted by theLeadauditor?Are audit activities explained including thefollowing:a)Introduction of the participants includinganoutlineoftheirrolesb)Confirmationofthescopeofcertificationc)Confirmation of the audit plan (includingtype and scope of audit, objectives andcriteria), any changes and other relevantarrangements with the client such as thedate and time for the closing meeting,interim meetings between the audit teamandclientsmanagementd)Confirmation of formal communicationchannels between the audit team and thecliente)Confirmation that the resources andfacilitiesneededbyauditteamareavailablef)Confirmation of matters relating toconfidentialityg)Confirmation of relevant work safety,emergency and security procedures for theauditteamh)Confirmation of the availability, roles andidentitiesofanyguidesandobserversi)The method of reporting including anygradingofauditfindingsj)Information about the conditions underwhich the audit may be prematurelyterminatedk)Confirmation that the audit team leaderand audit team representing the CB isresponsible for the audit and shall be incontrol of executing the audit planincludingauditactivitiesandaudittrails SADCASF40(a)IssueNo:1 Page19of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.1.9.2(cont.)l)confirmationofthestatusoffindingsofthepreviousrevieworaudit,ifapplicablem) methods and procedures to be used toconducttheauditbasedonsamplingn) confirmation of the language to be usedduringtheaudito confirmation that during the audit theclient will be kept informed of auditprogressandanyconcernsp)opportunityfortheclienttoaskquestions9.1.9.3 Communicationduringtheaudit9.1.9.3.1 During the audit does the audit teamperiodically assess audit progress andexchange information and does the teamleader reassign work as needed betweenthe audit team members and periodicallycommunicatetheprogressoftheauditandanyconcernstotheclient?9.1.9.3.2 Does the audit team leader report to theclient and where possible to the CBpresence of an immediate and significantrisk(e.g.safety)? IstheoutcomeoftheactiontakenreportedtotheCB?9.1.9.3.3 Doestheteamleaderreviewwiththeclientany need for changes to the audit scopewhich becomes apparent as onsiteauditing activities progress and report thistotheCB?9.1.9.4 ObserversandGuides9.1.9.4.1Observers Prior to the conduct of the audit does theclient agree to the presence andjustification of observers during an auditactivity?9.1.9.4.2Guides Doeseachauditoraccompaniedbyaguide,unless otherwise agreed to by the auditteamleaderandtheclient? Does the audit team ensure that guides donot influence or interfere in the auditprocessoroutcomeoftheaudit?SeeNote SADCASF40(a)IssueNo:1 Page20of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.1.9.5 Collectingandverifyinginformation9.1.9.5.1 Is information relevant to the auditobjective, scope and criteria collected byappropriate sampling and verified tobecomeauditevidence?9.1.9.5.2 Are methods to collect informationincluded?a)interviewsb)observationofprocessesandactivitiesc)reviewofdocumentationandrecords9.1.9.6 Identifyingandrecordingauditfindings9.1.9.6.1 Are audit findings summarizing conformityand detailing nonconformity audits and itssupporting evidence recorded andreported?9.1.9.6.2 Where opportunities for improvement arenot prohibited by the requirements of amanagement system scheme, are theyidentifiedandrecorded?9.1.9.6.3 Is a finding of nonconformity recordedagainst a specific requirement of the auditcriteria and does it contain a clearstatement of the nonconformity andidentify in detail the objective evidence onwhichthenonconformityisbased? Are nonconformities discussed with theclient to ensure that the evidence isaccurate andthat the nonconformities areunderstood?9.1.9.6.4 Does the audit team leader attempt toresolveanydivergingopinionsbetweentheaudit team and the client concerning auditevidence on findings and are unresolvedpointsrecorded?9.1.9.7 Preparingauditconclusions Prior to the closing meeting does the auditteam:a)review the audit findings and any otherappropriate information collected duringtheauditagainsttheauditobjectivesb)agree upon the audit conclusions takingintoaccounttheuncertaintyinherentintheauditprocess SADCASF40(a)IssueNo:1 Page21of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.1.9.7 (cont.)c) identifyanynecessaryfollowupactionsd) confirm the appropriateness of the auditprogramme or identify any modificationrequired (e.g. scope, audit time or dates,surveillancefrequency,competence)9.1.9.8 Conducttheclosingmeeting9.1.9.8.1 Does the team hold a formal closingmeeting with management and are nonconformities presented in such a mannerthat they are understood, and aretimeframesforrespondingagreed? Isattendancerecorded?9.1.9.8.2 Does the closing meeting include thefollowing:a) advising the client that the audit evidencecollected was based on sample of theinformation; thereby introducing anelementofuncertaintyb) the method and timeframe of reportingincludinganygradingofauditfindingsc) thecertificationbodysprocessforhandlingnonconformities including anyconsequences relating to the status of theclientscertificationd) the timeframe for the client to present aplanforcorrectionandcorrectiveactionforany nonconformities identified during theaudite) theCBspostauditactivitiesf) information about the complaint handlingandappealprocesses9.1.9.8.3 Is the client given opportunity forquestions? Are diverging opinions regarding the auditfindings or conclusions discussed, resolvedwherepossible? AreunresolveddivergingopinionsrecordedandreferredtotheCB? 9.1.10 Auditreport9.1.10.1 Does the CB provide a written report foreach audit and is ownership of the reportmaintainedbytheCB? If the audit team identifies opportunitiesfor improvement, do they recommendspecificsolutions? SADCASF40(a)IssueNo:1 Page22of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.1.10.2 Does the team leader ensure that thereport is prepared and takes responsibilityofthecontentofthereport? Does the report provide accurate, conciseand clear record of the audit and does itincludethefollowing:a)identificationofthecertificationbodyb)name and address of the clientsmanagementrepresentativec)type of audit (e.g. initial, surveillance orrecertification)d)auditcriteriae)auditobjectivesf)audit scope, particularly identification ofthe organizational of functional units orprocessesauditedandthetimeoftheauditg)identification of the audit team leader,audit team members and anyaccompanyingpersonsh)dates and places where the audit activities(onsiteofoffsite)wereconductedi)audit findings, evidence and conclusions,consistent with the requirements of thetypeofauditj)anyunresolvedissues,ifidentified 9.1.11 Causeanalysisofnonconformities Does the CB require the client to analyzethe cause and describe the specificcorrection and corrective actions taken orplanned to be taken to eliminate detectednonconformitieswithinadefinetimeline? 9.1.12 Effectiveness of corrections and correctiveactions Does the CB review the corrections,identified causes and corrective actionssubmitted by the customer to determine iftheseareacceptable? Does the CB verify the effectiveness of anycorrectionandcorrectiveactiontaken? Is the evidence obtained to support theresolutionofnonconformitiesrecorded? Doestheclientgetinformedoftheresultofthereviewandverification?SeeNote SADCASF40(a)IssueNo:1 Page23of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.1.13 Certificationdecision Is the client informed if an additional fullaudit, an additional limited audit ordocumented evidence (to be confirmedduring future surveillance audits) will beneeded to verify effective correction andcorrectiveactions? 9.1.14 Does the CB ensure that the persons orcommittees that make the certification orrecertification decisions are different fromthosewhocarriedouttheaudits? 9.1.15 Actionspriortomakingadecision Does the CB confirm, prior to making adecisionthat:a)Theinformationprovidedbytheauditteamissufficient?b)It has reviewed, accepted and verified theeffectiveness of corrections and correctiveactions for all nonconformities thatrepresent:1failure to fulfill one or more requirementsofthemanagementsystemstandard?or2a situation that raises significant doubtabout the ability of the customersmanagement system to achieve itsintendedoutputsc)It has reviewed and accepted the clientsplanned correction and corrective actionforanyothernonconformity? 9.2 Initialauditandcertification9.2.1 Application Does the CB require an authorizedrepresentativeoftheapplicantorganizationto provide the necessary information toenableittoestablish:a)Thedesiredscopeofthecertification?b)The general features of the applicantorganization including its name and theaddress(es) of its physical location(s),significant aspects of its process andoperations and any relevant legalobligations?c)General information relevant for the fieldof certification applied for, concerning theapplicantorganization,suchasitsactivities,human and technical resources, functionsand relationship in a larger corporation, ifany? SADCASF40(a)IssueNo:1 Page24of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.2.1 (cont.)d)Information concerning all outsourcedprocessesusedbytheorganizationthatwillaffectconformitytorequirements?e)The standards or other requirements forwhich the applicant organization is seekingcertification?f)Information concerning the use ofconsultancy relating to the managementsystem? 9.2.2 Applicationreview9.2.2.1 Before proceeding with the audit does theCB conduct a review of the application andsupplementaryinformationfor certificationtoensurethat:a) The information about theapplicant and itsmanagement system is sufficient for theconductoftheaudit?b) The requirements for certification areclearly defined and documented and havebeen provided to the applicantorganization?c) Any known difference in understandingbetween the CB and the applicantorganizationisresolved?d) The CB has the competence and ability toperformthecertificationactivity?e) The scope of certification sought, thelocation(s) of the applicants organizationsoperations, time required to completeaudits and any other points influencing thecertification activity are taken into account(language, safety conditions, threats toimpartiality,etc)?f) Records of the justification for the decisiontoundertaketheauditshallbemaintained?9.2.2.2 Following the review of the applicationdoes the CB accept or decline anapplicationorcertification? When declined, are reasons for decliningdocumentedmadecleartotheclient?SeeNote SADCASF40(a)IssueNo:1 Page25of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.2.2.3 Based on this review does the CBdetermine the competences it needs toincludeinitsauditteam(see7.2.7)andforthecertificationdecision(see7.2.9)?9.2.2.4 Is the audit team appointed and do theyhave the totality of the competencesidentifiedbytheCBassetoutin9.2.2.3forthe certification of the applicantorganization? Is selection of the team performed withreference to the designations ofcompetence of auditors and technicalexpertsmadeunder7.2.5?9.2.2.5 Is the individual(s) who will be conductingthe certification decision appointed toensure appropriate competence isavailable?(See7.2.9and9.2.2.3) 9.2.3 Initialcertificationaudit Is the initial certification audit of amanagement system conducted in twostagesStage1andStage29.2.3.1Stage1audit9.2.3.1.1 Isthestage1auditperformed:a) to audit the clients management systemdocumentation;b) to evaluate the clients location and sitespecific conditions and to undertakediscussions with the clients personnel todetermine to the preparedness for theStage2audit;c) to review the clients status andunderstanding regarding requirements ofthe standard, in particular with respect tothe identification of key performance orsignificant aspects, processes, objectivesandoperationofthemanagementsystem?d) to collect necessary information regardingthe scope of the management, processesand location(s) of the client, and relatedstatutory and regulatory aspects andcompliance (e.g. quality, environmental,legal aspects of the clients operation,associatedrisks,etc.)? SADCASF40(a)IssueNo:1 Page26of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.2.3.1.1 (cont.)e) to review the allocation of resources forStage 2 audit and agree with the client onthedetailsoftheStage2audit?f) to provide a focus for planning the Stage 2audit by gaining a sufficient understandingoftheclientsmanagementsystemandsiteoperations in the context of possiblesignificantaspects?g) to evaluate if the initial audits andmanagementreviewarebeingplannedandperformed and that the level ofimplementation of the managementsystemsubstantiatesthattheclientisreadyfortheStage2audit? For most management systems it isrecommended that at least part of theStage 1 audit be carried out at the clientspremises in order to achieve the objectivesstatedabove.9.2.3.1.2 AreStage1auditfindingsdocumentedandcommunicated to the client organizationincluding identification of any areas ofconcern that could be classified as nonconformityduringStage2audit?9.2.3.1.3 In determining the interval between Stage1andStage2,isconsiderationgiventotheneeds of the client to resolve areas ofconcernidentifiedduringtheStage1audit? The CB may also need to revise itsarrangementforStage29.2.3.2 Stage2audit9.2.3.2.1 The purpose of the Stage 2 audit is toevaluate the implementation includingeffectiveness of the customersmanagementsystem. Is the Stage 2 audit taking place at thesite(s)oftheclient? Doesitincludeatleastthefollowing:a)Informationandevidenceaboutconformityto all requirements of the applicablemanagement system standard or othernormativedocument? SADCASF40(a)IssueNo:1 Page27of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.2.3.2.1(cont.)b) performance monitoring, measuring,reporting and reviewing against keyperformanceobjectivesandtargets?c) the clients management system andperformanceasregardslegalcompliance?d) operational control of the clientsprocesses?e)internalauditingandmanagementreview?f) management responsibility for the clientorganizationspolicies?g)linksbetweenthenormativerequirements,policy, performance objectives and targets,any applicable legal requirements,responsibilities, competence of personnel,operations, procedures, performance dataandinternalauditfindingsandconclusions? 9.2.4 Initialcertificationauditconclusions Doestheauditteamanalyzeallinformationand audit evidence gathered during theStage 1 and Stage 2 audits to review theaudit findings and agree on the auditconclusions? 9.2.5 Informationforgrantinginitialcertification9.2.5.1DoestheinformationprovidedbytheauditteamtotheCBforthecertificationdecisionincludeasaminimum:a) theauditreports?b) comments on the nonconformities and,where applicable, the correction andcorrectiveactionstakenbytheclient?c)confirmationontheinformationprovidedtothe certification body used in theapplicationreview?(See9.2.2)andd) arecommendationwhetherornottograntcertification together with any conditionsorobservations?9.2.5.2 DoestheCBmakethecertificationdecisionon the basis of an evaluation of the auditfindings and conclusions and any otherrelevant information (e.g. publicinformation, commentsontheauditreportfromthecustomer)? SADCASF40(a)IssueNo:1 Page28of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.3 Surveillanceactivities9.3.1 General9.3.1.1 DidtheCBdevelopitssurveillanceactivitiesso that representative areas and functionscovered by the scope of the managementsystem are monitored on a regular basisand take into account changes to itscertified client and its managementsystem?9.3.1.2 Do surveillance activities include onsiteaudits assessing the certified clientsmanagementsystemfulfillmentofspecifiedrequirements with respect to the standardtowhichthecertificationisgranted? Othersurveillanceactivitiesmayinclude:a)Enquiries from the CB to the certified onaspectsofcertification;b)Reviewing any clients statements withrespect to its operations (e.g. promotionalmaterial,website);c)Requests to the client to providedocuments and records (on paper orelectronicmedia);andd)Other means of monitoring the certifiedclientsperformance. 9.3.2 Surveillanceaudit9.3.2.1 Are onsite audits planned with othersurveillance activities, so that the CB canmaintain confidence that the certifiedmanagement continues to fulfillrequirements in between recertificationaudits? Does the surveillance audit programmeincludeatleast:a)Internalauditsandmanagementreview?b)Reviewofactiontakenonnonconformitiesidentifiedduringthepreviousaudits?c)Treatmentofcomplaints?d)Effectiveness of the management systemwith regard to achieving the certifiedclientsobjectives?e)Progress of planned activities aimed atcontinualimprovement? SADCASF40(a)IssueNo:1 Page29of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.3.2.1 (cont.)f)continuingoperationalcost?g)reviewofanychanges?andh) use of marks and/orany other reference tocertification?9.3.2.2 Are surveillance audits conducted at leastonceayear? Is the date of the 1st surveillance auditfollowing initial certification not more than12 monthsfrom the lastday ofthe Stage 2audit? 9.3.3 Maintainingcertification DoestheCBmaintaincertificationbasedondemonstration that the client continues tosatisfy the requirements of themanagementsystemstandard? Does the CB maintain an organizationscertification based on a positiverecommendation by the audit team leaderwithout further independent reviewprovidedthat:a)For any nonconformity or other situationthat may lead to suspension or withdrawalof certification, the CB needs to initiate areview by appropriately competentpersonneldifferentfromthosewhocarriedout the audit to determine whethercertificationcanbemaintained?(See7.2.9)andb)Competent personnel of the CBmonitor itssurveillance activities, including monitoringthe reporting by its auditors, to confirmthat the certification activity is operatingeffectively? 9.4 Recertification9.4.1 Recertificationcycle9.4.1.1 Is a recertification audit planned andconducted to evaluate the continuedfulfillment of all the requirements of therelevant management system standard orothernormativedocument?9.4.1.2 Does the recertification audit consider theperformance of the management systemover the period of certification and includethe review of previous surveillance auditreports? SADCASF40(a)IssueNo:1 Page30of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR99.4.1.3 In situations where they have beensignificant changes (e.g. changes tolegislation, management, processes, etc.)do the recertification audit activitiesincludeaStage1audit?9.4.1.4 In the case of multiple sites or certificationmultiple management system standardsbeing provided by the CB, does theplanning for the audit ensure adequate onsiteauditcoveragetoprovideconfidenceinthecertification? 9.4.2 Recertificationaudit9.4.2.1 Does the recertification audit include anonsiteauditthataddressesthefollowing:a) the effectiveness of the managementsystem?b) demonstrated commitment to maintain theeffectivenessandimprovement?c) whether the operation of the certifiedmanagement system contributes to theachievement of the organizations policyandobjectives?9.4.2.2 When during a recertification auditinstances of nonconformity or lack ofevidence of conformity are identified, doestheCBdefinetimelimitsforcorrectionandcorrective actions to be implemented priortheexpiryofcertification? 9.4.3 Informationforgrantingrecertification Does the CB make decisions on renewingcertificationbasedon:Theresultsofrecertificationaudit?Theresultsofthereviewofthesystemovertheperiodofcertification?andThe complaints received from users ofcertification? SADCASF40(a)IssueNo:1 Page31of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.5 Specialaudits9.5.1 Extensionstoscope Does the CB in response to an applicationforextensiontothescopeofacertificationalready granted, undertake a review of theapplication and determine any auditactivities necessary to decide whether ornot the extension may be granted? (Thismay be conducted in conjunction with asurveillanceaudit)9.5.2 Shortnoticeaudits If it is necessary for the CB to conductaudits of certified clients at short notice toinvestigate complaints (see 9.8) or inresponsetochanges(see8.6.3)orasfollowuponsuspendedcustomers(see9.6):a)Does the CB describe and make known inadvance to the certified clients (e.g. indocuments as described in 8.6 1) theconditions under which these short noticevisitsaretobeconducted?Andb)c)Does the CB exercise additional care in theassignment of the audit team because ofthe lack of opportunity for the client toauditteammembers? 9.6 Suspending, withdrawing or reducingscopeofcertification 9.6.1 DoestheCBhaveapolicyanddocumentedprocedure(s) for suspension, withdrawal orreduction of the scope of certification anddoes it specify the subsequent actions bytheCB? 9.6.2 Does the CB suspend certification in caseswhenforexample:The customers certified managementsystem has persistently or seriously failedto meet certification requirementsincluding requirements for theeffectivenessofthemanagementsystem?The certified client does not allowsurveillance or recertification audits to beconductedattherequiredfrequencies?orThe certified client has voluntarilyrequestedasuspension? SADCASF40(a)IssueNo:1 Page32of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.6.3 Under suspension the customersmanagement system certification istemporarilyinvalid. Does the CB have enforceablearrangementswithitsclientstoensurethatin case of suspension the client refrainsfromfurtherpromotionofitscertification? Does the CB make the suspended status ofthe certification publicly available (see8.1.3) and take any other measures itdeemsappropriate? 9.6.4 Does failure to resolve the issues that haveresulted in the suspension in a timeestablished by CB result in withdrawal orreductionofthescopeofcertification?SeeNote 9.6.5 Does the CB reduce the customers scopeof certification to exclude the parts notmeeting the requirements when the clienthas persistently or seriously failed to meetthe certification requirements for thosepartsofthescopeofcertification? 9.6.6 Does the CB have enforceablearrangements with the certified customerconcerning conditions of withdrawal (see8.4.3d)ensuringuponnoticeofwithdrawalof certification that the customerdiscontinuesitsuseofalladvertisingmatterthat contains any reference to a certifiedstatus? 9.7 Appeals 9.7.1 DoestheCBhaveadocumentedprocesstoreceive, evaluate and make decisions onappeals? 9.7.2 Is a description of the appeals handlingprocesspubliclyavailable? SADCASF40(a)IssueNo:1 Page33of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.7.3 Is the CB responsible for all decisions at alllevelsoftheappealshandlingprocess? Does the CB ensure that the personsengaged in appeals handling process aredifferent from those who carried out theauditsandmadethecertificationdecisions? 9.7.4 Do submission, investigation and decisionon appeals result in any discriminatoryactionsagainsttheappellant? 9.7.5 Doestheappealhandlingprocessincludeatleastthefollowingelementsandmethods:a) an outline of the process for receiving,validating, investigating the appeal and fordeciding what actions are to be taken inresponse to it, taking into account theresultsofprevioussimilarappeals;b) tracking and recording appeals includingactionsundertakentoresolvethem;c) ensuring that any appropriate correctionandcorrectiveactionistaken. 9.7.6 Does the CB acknowledge receipt of theappeal and provide the appellant withprogressreportsandtheoutcome? 9.7.7 Are the decision to be communicated tothe appellant made by, or reviewed andapproved by, individual(s) not previouslyinvolvedinthesubjectoftheappeal? 9.7.8 Does the CB give formal notice of the endof the appeal handling process to theappellant? 9.8Complaints 9.8.1 Is a description of the complaints handlingprocesspubliclyaccessible? 9.8.2 Upon receipt of a complaint does the CBconfirm whether the complaint relates tocertificationactivitiesthatisresponsibleforand,ifso,dealswith? If the complaint relates to a certified clientdoes the examination of the complaintconsider the effectiveness of the certifiedmanagementsystem? SADCASF40(a)IssueNo:1 Page34of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.8.3 Is a complaint about a certified client alsoreferred by the CB to the certified client inquestionatanappropriatetime? 9.8.4 DoestheCBhaveadocumentedprocesstoreceive, evaluate and make decisions oncomplaints? Is this process subject to requirements forconfidentiality as it relates to thecomplainant and to the subject of thecomplaint? 9.8.5 Does the complaints handling processinclude at least the following elements andmethods:a)an outline of the process for receiving,validating,investigatingthecomplaintandfor deciding what actions are to be takeninresponsetoit?b)trackingandrecordingcomplaintsincludingactionsundertakentoresolvethem?c)ensuringthatanappropriatecorrectionandcorrectiveactionsaretaken?SeeNote 9.8.6 Is the CB receiving the complaintresponsible for gathering and verifying allnecessary information to validate thecomplaint? 9.8.7 Whenever possible does the CBacknowledge receipt of the complaint andprovide the complainant with progressreportsandtheoutcome? 9.8.8 Is the decision to be communicated to thecomplainant made by, or reviewed andapproved by, individual(s) not previouslyinvolvedinthesubjectofthecomplaint? 9.8.9 WheneverpossibledoestheCBgiveformalnoticeoftheendofthecomplainthandlingprocesstothecomplainant? SADCASF40(a)IssueNo:1 Page35of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.8.10 Does the CB determine together with theclient and the complainant whether and, ifso to what extent, the subject of thecomplaint and its resolution shall be madepublic? 9.9 Recordsofapplicantsandclients 9.9.1 Does the CB maintain records on the auditandothercertificationactivityforallclientsincluding all organizations that submittedapplications and all organizations audited,certifiedorwithcertificationwithdrawn? 9.9.2 Do the records on certified clients includethefollowing:a) application information and initial,surveillance and recertification auditreports?b)certificationagreement?c) justification of the methodology used forsampling?d) justification for auditor timedetermination?(See9.1.4)e) verification of correction and correctiveactions?f) records of complaints and appeals and anysubsequent correction and correctiveactions?g) committee deliberations and decisions, ifapplicable?h) documentation of the certificationdecisions?i) certificationdocumentsincludingthescopeof certification with respect to product,processorservicesasapplicable?j) related records necessary to establish thecredibility of the certification such asevidenceofthecompetenceofauditorandtechnicalexpert?SeeNote 9.9.3 DoestheCBkeeptherecordsonapplicantsand customers, secure to ensure that theinformationiskeptconfidential? Are records transported, transmitted ortransferred in a way that ensures thatconfidentialityismaintained? SADCASF40(a)IssueNo:1 Page36of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR9.9.4 DoestheCBhaveadocumentedpolicyanddocumented procedures on retention ofrecords? Arerecordsretainedforthedurationofthecurrent cycle plus one (1) full certificationcycle?SeeNote 10 Management system requirements forCBs10.1 Options In addition to meeting the requirements ofClauses 5 to 9 did the CB implement amanagement system in accordance witheither:a)Management system requirements inaccordancewithISO9001(Option1)?orb)General management system requirements(Option2)? 10.2 Option1:ManagementsystemrequirementsinaccordancewithISO900110.2.1 General Is the ISO 9001 system capable ofsupporting and demonstrating theconsistent achievement of therequirementsofthisinternationalstandard,amplifiedby10.2.2to10.2.4? 10.2.2 Scope Doesthescopeofthemanagementsysteminclude the design and developmentrequirementsforitscertificationservices? 10.2.3 CustomerFocus Does the CB consider the credibility ofcertification and address the needs of allparties (as set out in 4.1.2) that rely uponits audit and certification services, not justitsclients? 10.2.4Managementreview Does the CB include as input formanagement review information onrelevantappealsandcomplaintsfromusersofcertificationactivities? SADCASF40(a)IssueNo:1 Page37of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR10.3 Option 2: General management systemrequirements10.3.1 General Does the CB establish, document,implement and maintain a managementsystem that is capable of supporting anddemonstrating the consistent achievementof the requirements of this internationalstandard? Does the CBs top management establishanddocumentpoliciesandobjectivesforitsactivities? Does top management provide evidence ofits commitment to the development andimplementation of the managementsystem in accordance with therequirements of this internationalstandard? Does top management ensure that thepolicies are understood, implemented andmaintained at all levels of the certificationbodysorganization? Did the CBs top management appoint amember of management who, irrespectiveof other responsibilities, shall haveresponsibilityandauthoritythatincludes:a)Ensuring that processes and proceduresneeded for the management system areestablished, implemented and maintained?andb)Reporting to top management on theperformance of the management systemandanyneedforimprovement? 10.3.2 Managementsystemmanual Are all applicable requirements of thisinternationalstandardaddressedeitherinamanualorinassociateddocuments? Does the CB ensure that the manual andrelevant associated documents areaccessibletoitspersonnel? 10.3.3 Controlofdocuments Did the CB establish procedures to controlthe documents (internal and external) thatrelatetothefulfillmentofthisinternationalstandard? SADCASF40(a)IssueNo:1 Page38of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR Does the procedures define the controlneeded:a)To approve documents for adequacy priortoissue?b)To review and update as necessary andapprovedocuments?c)To ensure that changes and the currentrevisionstatusofdocumentsareidentified?d)To ensure that relevant versions ofapplicable documents are available atpointsofuse?e)To ensure that documents remain legibleandreadilyidentifiable?f)Toensurethatdocumentsofexternaloriginare identified and their distributioncontrolled?andg)To prevent the unintended use of obsoletedocuments and to apply suitableidentification to them if they are retainedforanypurpose?SeeNote 10.3.4Controlofrecords Does the CB establish procedures to definethe controls needed for the identification,storage, protection, retrieval, retentiontime and disposition of its records relatedto the fulfillment of this internationalstandard? Does the CB establish procedures forretaining records for a period consistentwithitscontractualandlegalobligations? Is access to these records consistent withtheconfidentialityarrangements?SeeNote 10.3.5 Managementreview10.3.5.1General Did the CBs top management establishprocedures to review its managementsystem at planned intervals to ensure itscontinuing suitability, adequacy andeffectiveness including the stated policiesand objectives related to the fulfillment ofthisinternationalstandard? Arethesereviewsconductedatleastonceayear? SADCASF40(a)IssueNo:1 Page39of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR10.3.5.2Reviewinputs Does the input to management reviewincludeinformationrelatedto:a)Resultsofinternalandexternalaudits?b)Feedback from clients and interestedparties related to the fulfillment of thisinternationalstandard?c)Feedback from the committee forsafeguardingimpartiality?d)Statusofpreventiveandcorrectiveactions?e)Followup actions from previousmanagementreviews?f)Fulfillmentofobjectives?g)Changes that could affect themanagement?andh)Appealsandcomplaints?10.3.5.3 Reviewoutputs Do the outputs from the managementreview include decisions and actionsrelatedto:a)Improvement of the effectiveness of themanagementsystemanditsprocesses?b)Improvement of the certification servicesrelated to the fulfillment of thisinternationalstandard?andc)Resourceneeds? 10.3.6 Internalaudits10.3.6.1 Does the CB establish procedures forinternal audits to verify that it fulfills therequirements of this international standardand that the management system iseffectivelyimplementedandmaintained?SeeNote10.3.6.2 Is an audit programme planned taking intoconsideration the importance of theprocesses and areas to be audited as wellastheresultsofpreviousaudits?10.3.6.3 Areinternalauditsperformedatleastonceevery12months?10.3.6.4 DoestheCBensurethat:a)Internal audits are conducted by qualifiedpersonnel knowledgeable in certification,auditing and the requirements of thisinternationalstandard?b)Auditorsshallnotaudittheirownwork? SADCASF40(a)IssueNo:1 Page40of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR10.3.6.4(cont.)c) Personnel responsible for the area auditedareinformedoftheoutcomeoftheaudit?c)Any actions resulting from internal auditsare taken in a timely and appropriatemanner?andd)Any opportunities for improvement areidentified? 10.3.7 Correctiveactions Does the CB establish procedures foridentification and management of nonconformitiesinitsoperations? Does the CB also, where necessary, takeactions to eliminate the causes of nonconformities in order to preventrecurrence? Are corrective actions appropriate to theimpactoftheproblemencountered? Dotheproceduresdefinerequirementsfor:a)Identifying nonconformities (e.g. fromcomplaintsandinternalaudits)?b)Determiningthecausesofnonconformity?c)Correctingnonconformities?d)Evaluating the need for actions to ensurethatnonconformitiesdonotrecur?e)Determining and implementing in a timelymannertheactionsneeded?f)Recordingtheresultsofactionstaken?andg)Reviewing the effectiveness of correctiveactions? 10.3.8Preventiveactions DoestheCBestablishproceduresfortakingpreventive actions to eliminate the causesofpotentialnonconformities? Arepreventiveactionstakenappropriatetothe probable impact of the potentialproblems? Do the procedures for preventive actionsdefinerequirementsfor:a)Identifying potential nonconformities andtheircauses?b)Evaluating the need for action to preventNNtheoccurrenceofnonconformities?Determining and implementing the actionneeded? SADCASF40(a)IssueNo:1 Page41of41 Date:20130118ISO/IEC17021REQUIREMENTSCBSREFERENCESCOMMENTBYASSESSOR10.3.8(cont.) c)Recordingtheresultsofactionstaken?andd)Reviewing the effectiveness of thepreventiveactions?SeeNote Additional/GeneralComments(Thisspacemaybeusedtoexpandoncommentsinspecificsections)SignedLead/TechnicalAssessor: Date: