The actual process of certification is a relatively straightforward matter.
Indeed, most of the certification schemes follow the same basic process, which is outlined below:
a) The desired scope of the certification;
b) Relevant details of the applicant organization as required by the specific certification scheme, including its name and the address(es) of its site(s), its processes and operations, human and technical resources, functions, relationships and any relevant legal obligations;
c) Identification of outsourced processes used by the organization that will affect conformity to requirements;
d) The standards or other requirements for which the applicant organization is seeking certification;
e) Whether consultancy relating to the management system to be certified has been provided and, if so, by whom.
On receipt of above information, a review shall be conducted based on the enquiry and supplementary information for certification submitted by client. Following the review of the enquiry, URS shall either accept or decline to provide a formal quotation for certification.
A formal quotation shall then be issued to the client. Should the client accept the quotation in writing, URS shall perform a contract review and produce an audit programme and determine the Lead Auditor(s) requirements for the certification activity.
Following the review, a stage 1 audit is performed for all new clients - the objectives of a stage 1 are:
a) Review the client’s management system documented information;
b) Evaluate the client’s site-specific conditions and to undertake discussions with the client’s personnel to determine the preparedness for stage 2 (formal on-site audit);
c) Review the client’s status and understanding regarding requirements of the standard, in particular with respect to the identification of key performance or significant aspects, processes, objectives and operation of the management system;
d) Obtain necessary information regarding the scope of the management system, including:
f) Provide a focus for planning stage 2 by gaining a sufficient understanding of the client’s management system and site operations in the context of the management system standard or other normative document.
g) Evaluate if the internal audits and management reviews are being planned and performed, and that the level of implementation of the management system substantiates that the client is ready for stage 2.
For most management systems, at least part of the Stage 1 audit will need to be carried out at the clients premises in order to achieve the objectives stated above.
Upon completion of the Stage 1 audit, a report will be generated and given to the client documenting conclusions with regard to fulfilment of the stage 1 objectives and the readiness for stage 2 shall be communicated to the client; including identification of any areas of concern that could be classified as a nonconformity during the stage 2 audit.
If the outcome of the Stage 1 audit is satisfactory, albeit with minor points raised, the Auditor will agree a date for the Stage 2 audit to commence.
Where the outcome is not satisfactory (major points raised) and the Auditor does not believe the client is ready to proceed to the Stage 2 audit, the Stage 2 audit will not be scheduled until the client has had sufficient time to resolve the points raised in the Stage 1 audit report.
A Stage 2 audit is conducted to evaluate the implementation, including effectiveness of the client’s management system. The stage 2 shall take place at the site(s) of the client. It shall include the auditing of at least the following:
a) Information and evidence about conformity to all requirements of the applicable management system standard or other normative documents.
b) Performance monitoring, measuring, reporting and reviewing against key performance objectives and targets (consistent with the expectations in the applicable management system standard or other normative document).
c) The client’s management system ability and its performance regarding meeting of applicable statutory, regulatory and contractual requirements.
d) Operational control of the client’s processes.
e) Internal auditing and management review.
f) Management responsibility for the client’s policies and ability to correct issued raised by the system.
Upon completion of the Stage 2 audit, the Audit Team will analyze and review all information and audit evidence gathered during the Stage 1 and Stage 2 audits and present the audit findings and conclusions.
A report will be generated and given to the client.
• Where no concerns (discrepancies or non-compliances) have been raised, registration will be recommended by the Lead Auditor.
• Where there are minor concerns (discrepancies) raised, the client will need to close out the concerns prior to registration being recommended.
• Major concerns (non-compliances) raised also need to be closed out by the client, however a limited re-audit of the client may be required to effectively close out the major concerns within 6 months after the last day of stage 2 audit, in case it goes beyond this then another stage 2 shall audit shall be conducted prior to recommending certification.
Once registration has been recommended and a certificate issued, the client will be placed on an agreed surveillance regime.
These are conducted on site at the prescribed periodicity. Surveillance audits shall be conducted at least once in a calendar year. The date of the first surveillance audit following initial certification shall not be more than 12 months from the certification decision date. Note a formal re-certification audit is required to re-issue a new certificate of registration after the three-year life of the certificate issued.
Surveillance activities shall include on-site auditing of the certified client’s management system’s fulfilment of specified requirements with respect to the standard to which the certification is granted.
Each surveillance audit for the relevant management system standard shall include, as a minimum the following audit sampling:
a) Internal audits and management review activities.
b) A review of actions taken on nonconformities identified during previous audits.
c) The complaints handling system and records.
d) Effectiveness of the management system with regard to achieving the certified client’s objectives and the intended results of the respective management system (s).
e) Progress of planned activities aimed at continual improvement.
f) Continuing operational control.
g) Review of any changes.
h) Use of marks and/or any other reference to certification.
As such, a written report will be issued at the close of each surveillance visit and providing no major noncompliance points are raised, continued registration will be maintained.
Other surveillance activities may include:
a) Enquiries from the certification body to the certified client on aspects of certification.
b) Reviewing any certified client’s statements with respect to its operations (e.g. promotional material, website).
c) Requests to the certified client to provide documented information (on paper or electronic media).
d) Other means of monitoring the certified client’s performance.
The initial certificate of registration is valid for a three-year period, providing the client complies with the Certification Regulations, and the surveillance visits scheduled during the three-year period are satisfactory.
Prior to the end of the three-year certification period, a triennial review of all previous visit reports is conducted and then a complete reassessment audit is performed to ensure that all is in order for a new certificate, valid for a further three-year period, to be issued. The recertification audit may need to include a Stage 1 audit in situations where there have been significant changes to the management system, the client or the context in which the management system is operating (e.g. changes in legislation). The process then repeats as described above for each 3-year certificate of registration.
The recertification audit shall include an on-site audit that addresses the following:
As such, a written report will be issued at the close of recertification visit and providing no major noncompliance points are raised, Recertification will be recommended and new certificate will be issued.
Where there are minor concerns (discrepancies) raised, the client will need to close out the concerns prior to the expiry date of the existing certification. The expiry date of the new certification can be based on the expiry date of the existing certification. The issue date on a new certificate shall be on or after the recertification decision.
In case the recertification audit has not been completed or URS is unable to verify the implementation of corrections and corrective actions for any major nonconformity prior to the expiry date of the certification, then the current issue date of the certificate is the date of the certificate decision date and the expiry date shall be based on prior certification cycle, NOT 3 years from the date of this decision date.
Following expiration of certification, certification can be restored within 6 months provided that the outstanding recertification activities are completed, otherwise at least a stage 2 shall be conducted. The current issue date on the certificate shall be on or after the recertification decision and the expiry date shall be based on prior certification cycle.
As stated previously, the process described above is in essence the same for all certifiable schemes offered. However, some schemes have slight variation in requirements, but such variations shall be advised by the appropriate certification Scheme Team.
Guidance on man-day requirements is published by the IAF and as such, the client can verify whether any quoted times are reasonable and fair.