You Ask, We Answer 2017-10-17T12:50:48+00:00


We have compiled a list of Frequently Asked Questions to help with a number of issues a client may have, whether they are already certified or embarking on their certification. If you do have any other questions then please contact us using any preferred method.

How do I Become an ISO Auditor? 2017-10-20T11:32:29+00:00

Many people will see auditing as a path to early retirement and, in some ways, this is a good opportunity to slow down but keep an income coming in.  Becoming an auditor is relatively straightforward; becoming a good auditor is a separate subject matter, but I thought I would lay down the general principles and steps someone needs to take to become an auditor.

First, you need your head read as you’re mad, only kidding, the job is enjoyable even though it can sound boring and a conversation stopper.  You get to see a lot of things and learn many things about business and general personal conduct and relationships.

The real first thing is to be prepared for travel. Anyone who applies to IMS for a job underestimates the amount of travel involved; no matter how much I explain and ensure they understand, I always get people telling me they didn’t realise how much.  Auditing is not done on your doorstep; there is never enough work in a local area to keep someone from travelling at least some of the time.  This may not be every night, but expect a night or two a week based on a full-time position.

I always tell people that I can teach you how to audit, but what I can’t teach you is the logical approach and demeanour that you need to take and the industry knowledge that should be in place for the sectors you plan on auditing.

We have produced a full article on how to become an auditor which you can read here.

Is an Annual Assessment Obligatory/Mandatory? 2017-10-17T16:21:50+00:00

Yes, under ISO 17021 (the standard against which all Certification Bodies are assessed), it is a requirement to have a surveillance assessment at least every 12 months.

This is in order to ensure that the organisation is continuing to maintain their standards.

How do I Make a Complaint or Appeal? 2017-10-17T12:58:14+00:00

Well we hope that you never have to but just in case you feel you need to raise an issue you should first address your complaint to the Global Certification Manager.

If you are not satisfied with the response to a complaint, you may further complain to the chairman of the Impartiality Committee.

At any time, any interested party may appeal to the Impartiality Committee if:

  • An application is rejected;
  • A certificate is suspended or terminated;
  • An audit result is not satisfactory.

Appeals should be made via the Global Certification Manager. The appellant will have the opportunity to present his/her case to the Impartiality Committee. The Certification Body’s costs arising from the appeal shall be to the account of: the appellant if the appeal fails; and to IMS if the appeal succeeds.

Complaints will be acknowledged with an initial response in writing within 3 days, and a full written response will be provided upon completion of a full investigation.

If a dispute arises during an audit, the auditor will aim to reach an agreement with the Auditee.  Where this is not possible, the Auditee should contact the Global Certification Manager who will undertake an investigation into the nature of the dispute, and inform the Auditee in writing as to the decision.  The Global Certification Manager will also inform the Auditee of the appeals procedure and further rights to take the matter to the IMS Reliance Impartiality Committee.

At any time, any interested party may make a complaint to IMS about you as a certificated supplier. In this event, we shall send you details of the complaint (excluding the identity of the complainant), and ask you to provide timely comment on the complaint. We would expect that you would propose appropriate corrective action. Depending on your response, we would take note for subsequent surveillance visits, and might require a further audit (see Step 8).

Should an IECQ HSPM client or auditee be unhappy with the outcome of an appeal and feel that the decision is against the rules of the IECQ Scheme, the organisation may submit an appeal in writing to the Secretary of the IECQ within one month after having been informed of the appeal decision, setting out all reasons for the appeal.

Submission, investigation and decision on complaints shall not result in any discriminatory actions against the complainant.

Do I need to Grant the Auditor Access to all my Records? 2017-10-17T12:54:30+00:00

During Management System audits, IMS will require access to organisational records in order to verify and validate compliance against the relevant standard being assessed.  If there are any records which cannot be made available for review by the audit team for reasons of confidentiality or sensitive information, IMS will need to be informed prior to any certification activity taking place.

IMS shall undertake a review of the information given to us and determine whether the Management System can be adequately audited in the absence of these records.  If the conclusion is made that it is not possible to adequately audit the Management System without reviewing the identified confidential or sensitive records, the organisation shall be informed that the certification audit cannot take place until appropriate access arrangements have been granted.

It is often possible to see the same process without seeing certain records; we can look at a similar one instead.  This is often the case where ITAR is applied.

What is an Organisation? 2017-10-17T12:44:40+00:00

At the opening meeting we will also seek to agree the definition of the organisation which you wish to have certificated. This need not have the same boundaries as organisations recognised by company law. The important thing is that the organisation be a sensible operating unit. You cannot exclude parts of the organisation simply because “they are not ready” or because you don’t want to include them. By contrast, the organisation could include parts of several different companies (e.g.: one of your sub-contractors). But whatever the definition, it must be clear before the audit starts.

If you are operating through a number of remote branches, all of which:

  • are part of the same organisation,
  • are under the same control,
  • are doing substantially the same job,
  • are under common management, and
  • use the same management system and procedures,

the assessment can be by sampling. However, all the branches have to be assessed at least once over the three years before re-audit. In this case the certificate relates to the organisation as a whole. IMS reserves the right not to accept a certification project for organisations structured in a way that conflicts with company law.

Significant changes to your organisation – such as a change in entity or name – must be notified to IMS immediately and in writing.

What is a “Scope”? 2017-10-17T12:42:25+00:00

At the opening meeting (during the initial audit), we will seek to agree the “scope” for which you wish to be certificated. Scope is a concise (usually a one or two sentence) description of your business. It is your responsibility to propose the scope, although our Audit Team Leader will help if necessary.

Your scope should be sufficiently and precisely drawn as to give a clear understanding of the types of products or services which you supply. You should not be certificated for the supply of products you do not make or for services you do not provide. We need to satisfy ourselves that you are competent to supply across all the items normally understood to come within your certificated scope.

If there are regulatory requirements, standards or other normative documents against which you supply products or services, these should be included in your scope.

The scope of certification cannot be changed during the audit.  If you wish to make an amendment to your scope or include any additional processes then please notify the IMS Head office prior to the assessment taking place.

What happens if my certification is refused? 2017-10-17T12:40:52+00:00

9 times out of 10, if there are any issues with an audit recommendation made by an auditor, the client will not know about it.  The issue will be resolved behind the scenes without the client being made aware and is usually a conversation or a report update between the person making the certification decision (giving the final yes) and the auditor.  In very rare cases, the auditor may need to contact the client for clarification or additional audit evidence.

If certification is refused, for whatever reason, the auditee will be advised in writing of the reasons and given the opportunity to respond.

Refusal to grant, continue or renew certification may be for a number of reasons. These reasons shall be clearly and fully explained by IMS to the auditee in writing (typically via email) and the auditee will be asked to acknowledge the notification.

If the auditee is unhappy with the decision and/or explanations given, then the complaints / appeals process should be followed.

How long does it take for me to receive my certificate? 2017-10-17T11:41:48+00:00

On receipt of the Audit Report and, where applicable, corrective actions, the certification body will undertake a review to ensure that all the correct procedures have been followed, whether the recommendation of the Audit Team Leader is sound, and whether corrective actions have been appropriately addressed and evidenced.

This process can sometimes take several weeks – particularly if there are queries about the completeness of the assessment and corrective actions.  IMS does have an objective to get these all done within 14 days at the latest.  The person undertaking the review may also require additional evidence to be provided to ensure that the system meets the requirements of the specified standards.  In exceptional circumstances, this could include an additional visit.

On completion of a satisfactory review the recommendation to certificate will be confirmed by the certification body and the appropriate certificate will be issued.

IMS will provide appropriate information relating to, and update the auditee on: all decisions made regarding the granting, refusing, maintaining, renewing, suspending or restoring of certification and expanding or reducing the scope of certification.

What do I do if I have Non-conformances? 2017-10-17T11:38:57+00:00

For any nonconformity there will be a proposed corrective action to remedy any defects in either products or processes.  All corrective actions must be cleared to the satisfaction of the Audit Team Leader or a nominated representative before certification is granted or continued.

The nonconformities will be numbered and listed in the audit report or Non-conformance Report depending on the scheme.  The proposed action should state:

  • The action completion date and responsibilities;
  • Any rework of nonconforming product;
  • Corrective action to contain the non-conformance
  • Root Cause information to highlight how the non-conformance occurred
  • Corrective action to prevent the non-conformance from re-occurring

NB: simply repairing or re-working nonconforming product is not corrective action; you must identify the root causes of nonconformities and take action to remove them and the correction and corrective actions.

We can provide soft-copy forms to assist in the preparation of the corrective action plan. You are encouraged to maintain the plan in machine-readable form – desirably in a form readable on the auditor’s PC and in Word or Excel.

For Initial Assessments, all corrective actions must be cleared within 90 days of the end of the initial audit. If they are not, a further stage 2 audit may be required prior to certification. The Audit Team Leader may reduce this timeframe.  For surveillance visits, the audit team will make a recommendation as to whether objective evidence for the closure of non-compliances must be submitted to IMS within defined timescales, or whether they can be closed out at the next surveillance visit.

Corrective actions and any supporting evidence shall be submitted by the date stated on the NCR form.  Failure to submit suitable actions and evidence to address any non-conformances within 90 days of the audit will result in suspension.

With the Aerospace Scheme organisations are required to issue a corrective action plan with detailed containment within 7 days.  Failure to close non-conformances within 30 days will result in suspension.

What is an Audit Plan? 2017-10-17T11:36:58+00:00

An audit plan is a programme which identifies which departments, functions or projects will be examined on which days and with respect to which aspects of the standard. If several auditors are to be involved, then the allocation of their time needs to be planned. The Auditee needs to know when staff are likely to be required. If there are several locations to visit, the travel arrangements need to be optimised. The audit plan has to ensure that all relevant aspects of the organisation are adequately covered.

What is a Pre-audit/Gap Analysis? 2017-10-17T11:34:59+00:00

The pre-audit/Gap Analysis is optional. It will be no longer than half the duration of the initial audit. It will be carried out in the same way as an initial audit, and provides practice for the Auditee being audited. The objective is to find any major areas of weakness or aspects of the standards which are not addressed (either adequately or at all). The Auditee can request what elements are audited.

Why Can’t I use the UKAS logo on my Vehicles? 2017-10-17T11:33:06+00:00

This is probably one of the biggest issues we find when assessing organisations’ use of the logos.  Instructions (Doc 34) are given to every client and are available on our website in the documents section, but organisations do not apply the rules correctly.

In simple terms, the UKAS logo is the Royal Crown and the Royal Crown cannot appear on any vehicles apart from the Royal Mail Vehicles.

What we find is that organisations will send the logos off to the printers and they will either not send the guidance document (Doc 34) or the printer does not read the document, they then produce the logos and put them on the Vehicles.

When we come and perform our assessment we notice that you are using the incorrect logo and we raise a non-conformance and you then have to take them off which is costing you more money (need to get other logos printed), more time (you need someone to take them all off), and you wasted the money getting them printed in the first place.

We provide you with vehicle logos which you are free to plaster all over your vehicles as much as you want, these will show the standard you are certified to and also reference to IMS so they can verify your approval.

Please ensure you apply the logos correctly as we don’t like making people remove them all after they have spent time and money applying them.  If you have any questions which you feel Doc 34 does not answer then please feel free to contact us.

What Happens if my Certificate is Suspended or Withdrawn? 2017-10-17T11:17:19+00:00

The circumstances under which a customer’s certificate may be suspended, withdrawn and/or cancelled include:

  • The client’s certified management system has persistently or seriously failed to meet certification requirements, including requirements for the effectiveness of the management system;
  • The certified client does not allow surveillance or recertification audits to be conducted at the required frequencies;
  • The certified client has voluntarily requested a suspension;
  • Misuse of certification marks/logos etc.;
  • The customer’s circumstances change in such a way as to invalidate the scope of certification;
  • The customer otherwise contravenes the terms and conditions of the certificate.

During surveillance, it may become apparent that the Auditee is not working to a compliant, documented, management system, or he/she may be misusing the marks, or otherwise contravening the terms of their certificate. In this case, the Auditee may be advised that their certificate is suspended pending meeting the terms of their certificate. This will usually involve the Auditee’s submitting a corrective action plan within 28 days setting out the corrective actions, including responsibilities and timescales that the customer intends to take to address the non-compliances/contraventions.

During suspension, the customer will not make any claims that the product/system is certified.  The IMS logo / certification mark will not be used on any products during the period of suspension.  The suspended status of the certification shall be made publicly accessible via the website and IMS shall take any further measures deemed appropriate.

Any verification actions shall be carried out within six months of the suspension decision.

In the event that the customer does not complete the activities set out in the Corrective Action Plan, the Certificate will be withdrawn.  With immediate effect, the customer will be required to return the certificate to IMS International, cease all further use of the IMS logo and certification marks, and will not make any claim to certification of systems, services or products.  The withdrawal status of the certification shall be made publicly accessible via the website and IMS shall take any further measures deemed appropriate.

What is a Reassessment? 2017-10-17T11:15:31+00:00

A re-assessment of the entire management system is generally required every three years.  The time needed for re-assessment will depend on how many assessment days have been carried out during the assessment cycle, the level of control over the system demonstrated throughout the cycle, the number of sites visited etc. Generally, a re-assessment will require approximately two-thirds of the audit days undertaken for the initial assessment.  However, if the surveillance audits have been carried out in excess of the guidance number of days, and if compliance with the standard has been good, a shorter review will be carried out.  In other cases, the number of days could be equal to the initial assessment.  Depending on past performance over the audit cycle it may be necessary to apply a stage 1 and stage 2 assessment.

Reassessment Audit Objectives

  • Determination of the extent of conformity of the Client’s management system and evaluation of the capability of the management system to ensure compliance with statutory, regulatory and contractual requirements.  Evaluation of the effectiveness of the management system in meeting its specified objectives and the identification of areas of potential improvement of the management system.

Reassessment Audit Criteria

  • To evaluate the continued fulfilment of all requirements of the management system standard and shall include a review of the effectiveness of the management system in its entirety in the light of internal and external changes and its continued relevance and applicability to the scope of certification.  An evaluation of the commitment to maintain the effectiveness and improvement of the management system in order to enhance overall performance and whether the operation of the certified management system contributes to the achievement of the client’s policy and objectives.

Why is my 1st Surveillance Assessment after 9 months not 12? 2017-10-17T11:12:15+00:00

The certificate you receive will have a 36 month (3 year) expiration; we are not allowed to issue a new certificate after the 3 years until the reassessment has been performed and any non-conformances closed off.  We therefore put your first surveillance visit after 9-10 months instead of 12 to give you some protection; your next surveillance will be 12 months after the 1st.

When we re-issue your certificate you do not lose any time as the dates will continue, so you do not lose money and we are not stealing time from you.  The gap is there to protect your certificate continuation in the event of non-conformances being raised during your reassessment; sufficient time is included for you to close those issues off.

What is a Surveillance Assessment? 2017-10-17T11:08:04+00:00

The objective of a surveillance audit is for us to assure ourselves that you are continuing to work to a system which complies with the standards to which you are certificated, and that you take timely corrective action to correct nonconformities.

During surveillance, we may find nonconformities. As before, you need to propose corrective action. These will usually be cleared down at the following surveillance visit, but the Audit Team Leader may recommend more immediate clear-down.

After a number of visits, if it becomes apparent that compliance with the standard is good, then the time needed for surveillance may be reduced. An indication would be the number and nature of the nonconformities found during surveillance.

On the other hand, of course, if compliance were found to be poor or worrying, then the amount of surveillance might need to be increased. In a poor case, a further audit might be needed. Clearly, these costs are in the hands of the Auditee.

Surveillance audits will be performed in the years between the initial and reassessment.  The first year’s surveillance following initial assessment shall take place no later than 12 months after the last day of the stage 2 audit, these will generally be planned for 9-10 months after the stage 2.  The continuous surveillance visits shall be conducted at least once a year.  If the audit cycle is not maintained within these requirements then certification may lapse and a re-application may be required.

If requested, surveillance visits can be split so they are performed more frequently over the 12 month period e.g. every six months.

Surveillance Audit Objectives

  • Determination of the extent of conformity of the Client’s management system and evaluation of the capability of the management system to ensure compliance with statutory, regulatory and contractual requirements.  Evaluation of the effectiveness of the management system in meeting its specified objectives and the identification of areas of potential improvement of the management system.

Surveillance Audit Criteria

  • To give confidence that the certified management system continues to fulfil requirements between recertification audits and shall include internal audits and management review, review of actions taken on non-conformities identified during the previous audit, treatment of complaints, effectiveness of the management system with regard to achieving objectives, progress of planned activities aimed at continual improvements, continuing operational control, review of any changes and the use of marks and/or any other reference to certification.

How Many Non-conformances can I have before I Fail the Audit? 2017-10-17T10:58:34+00:00

The short answer is there is no magic number.  Auditors will keep going to complete the audit unless the audit has to be aborted due to you not having anything in place, which to be honest doesn’t happen since they introduced the Stage 1 and Stage 2 requirement.  A client may request that we stop auditing but that is up to them, not the auditor.

We have raised as many as 24 Non-conformances in a single audit but still kept going until the audit was completed.

How much time do you need to leave between a stage 1 and stage 2 assessment? 2017-10-17T10:55:24+00:00

There is no rule for this and it will depend on a lot of things such as your experience, the complexity of the system, the non-conformance situation, availability of personnel and auditors and the maturity of the system.

Some organisations will have the stage 1 and stage 2 within a week of each other, this happens when the system is really simple, the client has experience of running and implementing management systems or we know the consultant who has helped with the implementation as this gives us confidence that you will be ready.

Generally, most people will leave a month gap which is enough time for them to fix any errors to enable the stage 2 to run smoothly.

Can you Fail a Stage 1 Assessment? 2017-10-17T10:48:45+00:00

You can never really fail any of the assessment stages, you can however need another visit to perform again (worst case scenario) or have to fix some errors (non-conformances).

Generally, during a stage 1 assessment you will have some errors that need to be corrected, but if these are small fixes then we will just review these as part of your stage 2 assessment; there is not ordinarily a need to submit evidence of correction before the stage 2.

If the nature of the errors is larger then we may want some evidence supplied before we go ahead with the stage 2, maybe some procedure updates etc.

If we turn up on site and you have nothing in place then we are more likely going to need another stage 1 assessment.

So you never really fail, you just don’t pass until you fix everything.

What is a Stage 2 ISO Audit? 2017-10-25T12:56:22+00:00

The stage 2 ISO audit is your main assessment that will give you certification (assuming you pass).

Stage 2 Audit objectives

  • Determination of the extent of conformity of the Client’s management system and evaluation of the capability of the management system to ensure compliance with statutory, regulatory and contractual requirements. Evaluation of the effectiveness of the management system in meeting its specified objectives and the identification of areas of potential improvement of the management system.

Stage 2 Audit Criteria

  • To evaluate the implementation, including effectiveness, of the client’s management system and shall include information and evidence about conformity to all requirements of the applicable standard.  Performance monitoring, measuring, reporting and review against key performance objectives and targets.  Details on the client’s management system and performance with regards to legal compliance.  Operational control of the client’s processes. Internal audits and management review.  Management responsibility for the client’s policies.  Links between the normative requirements, policy, performance objectives and targets, any applicable legal requirements, responsibilities, competence of personnel, operations, procedures, performance data and internal audit findings and conclusions.

The purpose of the stage 2 audit is to evaluate the implementation, including effectiveness, of the client’s management system. The stage 2 audit shall take place at the site(s) of the client. It shall include at least the following:

  • Information and evidence about conformity to all requirements of the applicable management system standard or normative document;
  • Performance monitoring, measuring, reporting and reviewing against key performance objectives and targets (consistent with the expectations in the applicable management system standard or other normative document);
  • The client’s management system and performance as regards legal compliance;
  • The client’s management system ability and its performance regarding meeting of applicable statutory, regulatory and contractual requirements;
  • Operational control of the client’s processes;
  • Internal auditing and management review;
  • Management responsibility for the client’s policies;
  • Links between the normative requirements, policy, performance objectives and targets (consistent with the expectations in the applicable management system standard or other normative document), any applicable legal requirements, responsibilities, competence of personnel, operations, procedures, performance data and internal audit findings and conclusions.

What is a Stage 1 ISO Audit? 2017-10-25T12:53:42+00:00

A Stage 1 assessment is almost like a pre-assessment, sometimes called a gap analysis.  The idea of the stage 1 assessment is to review your current status to see if you are ready for the main assessment. It also helps the auditor prepare for the stage 2 main assessment in case they need to go off and research something, or they may even deem they are not technically competent to perform the main assessment.

Stage 1 Objectives

  • Determination of the extent of conformity of the Client’s management system and evaluation of the capability of the management system to ensure compliance with statutory, regulatory and contractual requirements.  Evaluation of the effectiveness of the management system in meeting its specified objectives and the identification of areas of potential improvement of the management system.

Stage 1 Audit Criteria

  • To give confidence that the management system and client is prepared for a stage 2 assessment and shall include a review of the client’s management system documentation, an evaluation of the client’s location and site-specific conditions and undertake discussions with the client’s personnel to determine the preparedness for the stage 2 audit.  A review of the client’s status and understanding regarding the requirements of the standard.  To collect necessary information regarding the scope, processes, locations, statutory and regulatory aspects and compliance.  Review the allocation of resources for stage 2 audit, provide a focus for planning stage 2 audit and evaluate if the internal audits and management review are being planned and performed and that the level of implementation of the management system substantiates that the client is ready for the stage 2 audit.

The stage 1 audit shall be performed:

  • To audit the client’s management system documentation (this can be done off-site, Contract review will specify);
  • To evaluate the client’s location and site-specific conditions and to undertake discussions with the client’s personnel to determine the preparedness for stage 2 audit;
  • To evaluate the client’s processes and equipment, applicable statutory / regulatory requirements and to undertake discussions with the client’s personnel to determine the preparedness for stage 2 audit, including the levels of controls established;
  • To review the client’s status and understanding regarding requirements of the standard, in particular with respect to the identification of key performance or significant aspects, processes, objectives and operation of the management system;
  • To collect necessary information regarding the scope of the management systems, processes and location(s) of the client, and related statutory and regulatory aspects and compliance (e.g. quality, environmental, legal aspects of the client’s operation, associated risks, etc.);
  • To review the allocation of resources for stage 2 and agree with the client on the details of the stage 2 audit;
  • To provide a focus for planning the stage 2 audit by gaining a sufficient understanding of the client’s management system and site operations in the context of possible significant aspects;
  • To evaluate if the internal audits and management review are being planned and performed, and that the level of implementation of the management system substantiates that the client is ready for the stage 2 audit.