Chapter 4: Third-Party Certification of Management Systems

Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

CHAPTER 4: THIRD-PARTY CERTIFICATION OF MANAGEMENT SYSTEMS

Although the primary focus of this book is that of internal management systems audits, many organizations that implement the requirements of one or more of the international ISO standards often also choose to be certified by a so-called “third party.” To enable some comparison and, therefore, to be able to contrast audit styles, this chapter is included and describes the background to the development of “third-party certification of management systems,” or what’s more commonly known as “ISO certification.” This term is, in fact, somewhat misleading since the ISO organization doesn’t involve itself in any aspect of the certification process.

Although not required to be successful in implementing an ISO-based management system, an independent certification of compliance is a common option for many organizations. Often, major purchasing organizations in the aerospace, automotive, defense, and medical device industries require their direct suppliers to obtain an independent certification to ISO9001 as a minimum before contracts are awarded. This requirement is often handed down the line to lower-tier suppliers.

Unless specifically required to comply with customer or regulatory requirements, an organization may either choose a self-declaration of compliance with an ISO management system Standard or choose to have a significant customer attest to the same. These aren’t usually as acceptable to discerning customers, or for other reasons, as the option of an independent certification audit performed by an accredited certification body/registrar.

Before we scrutinize the role and processes of a certification body, it is worth spending some time understanding aspects of accreditation or oversight that govern their operation in the marketplace.

The Importance of Accreditation of Certification Bodies

Accreditation of certification bodies is seemingly not well understood by those who have to employ certification services, despite it being of vital importance to the credibility and quality of the resulting audits. Some basic information about the influence accreditation has on the certification body and its processes is very important to any organization considering offering its QMS for certification. If accreditation of an organization’s ISO9000 certification is not recognized by a customer, it may mean starting back at square one, with the costs being doubled.

Accreditation of certification bodies started in the UK in the late 1980s, shortly after ISO9001 was made publicly available. In response to a (1977) UK Government white paper, written by Sir Frederick Warner, entitled “Standards and Specifications in the Engineering Industries,” which identified the opportunity to reduce the costs and disruption associated with multiple supplier audits of the same suppliers, the concept of using an independent body to certify compliance with the (appropriate) international Standard was floated.

To ensure a minimum level of consistency between what became known as “certification bodies,” the UK Government established an oversight or accreditation body titled the National Accreditation Council for Certification Bodies (NACCB). A similar accreditation body was also established in the Netherlands, known as the Raad Voor Certificatie (RVC). These organizations are currently known as UKAS (United Kingdom Accreditation Service) and RVA (Raad Voor Accreditatie), having changed their names to better describe their activities. Other nations followed suit as ISO9000 gained acceptance around the globe, including the US, where today the principle American national accreditation body – the American National Accreditation Body (ANAB) – is run jointly by the American National Standards Institute (ANSI) and the American Society for Quality (ASQ).

Accreditation bodies evaluate and monitor the performance of certification bodies (as well as other, similar organizations) against a set of defined requirements, from another ISO Standard, this time ISO/IEC 17021. They ensure the audits are carried out according to defined processes and criteria, including the competence of auditors. Applying ISO/IEC 17021 to a certification body is not unlike an organization implementing ISO9000 for its products. Both standards are employed to ensure a quality output from the organization’s business processes.

Today, accreditation of certification bodies is managed, typically, on a national basis, by each organization’s country. Some exceptions exist in the automobile industry, where the IATF (International Automotive Task Force) oversees Third-party Certification Bodies providing ISO/TS 16949 certification and APMG provides accreditation for the Information Services Standard ISO/IEC 20000 as an alternative to ANAB. For the purposes of this book, the descriptions will focus on the accreditation of management systems by ANAB.

To ensure consistency across nations, accreditation bodies may subscribe to the International Accreditation Forum (IAF), which, through multilateral agreements, provides oversight of the certification bodies. In addition to the requirement of ISO/IEC 17021, the IAF also publishes a number of documents, including tables that define the number of days an audit should take, based on the number of people (headcount) involved in the organization’s QMS. For example, the IAF’s MD5 table can be found on the IAF.nu website and also includes descriptions of the factors that allow for tailoring of audit time. Organizations considering certification can obtain this “insider information” to ensure their quoted audit duration is appropriate.

Certification body services

When selecting a certification body (CB), the default supplier selection process often starts with getting three quotes. Quotes may be solicited from these three certification bodies, and, once they’re received, a review might reveal … nothing, except the amounts of time for the audit (in days, usually), and therefore costs, appear to be very similar. For ISO9001 and ISO14001 certification audits, the IAF’s MD5 document defines the duration of each audit, primarily based upon the headcount of the organization. For certification schemes, such as the IATF’s ISO/TS 16949, the audit duration is defined in a supporting document, issued by the IATF, “The rules for achieving ISO/TS Certification.” For the aerospace sector, the International Aerospace Quality Group (IAQG) publishes the AS9101 document covering multiple rules for certification, including audit duration.

The other (typical) costs associated with the auditing service will relate to the following (typical) factors:

auditor daily rate
fees, labeled “admin” or “account management” and
fees for reviewing corrective actions arising from any non-conformity reports issuing from an audit’
travel time (sometimes billed)

Possibly the most significant of these costs is the auditor daily rate, since this may be a key indicator of the amount the auditor charges the CB (many auditors are subcontractors, not employees), or perhaps how much the CB is prepared to pay the auditor. Many auditors are listed by the body they are certified through, for example, RABQSA, in an online directory. It may be that the chosen CB selects a candidate auditor only from that list, without consideration of any other characteristics than the qualifications needed to be on the list!

Another question to be asked might also be whether the auditor is local to the client’s premises. Although an auditor being “around the corner” is optimal in keeping travel expenses lower, this doesn’t consider the following two facets:

The auditor who is local may not possess the necessary experience (EAC code) to suit the client’s business type.
There may be an auditor who is scheduled in the area to perform other audits and, therefore, travel expenses can be amortized across a number of clients. If a client is flexible about audit dates, such an arrangement can work well.

It’s not unusual for an organization to send a list of questions to be answered by certification bodies, as input to the selection process. The following are some typical points that have been asked of certification body candidates:

Who are you accredited with, and are they accredited by a signatory to the IAF, or ANAB-accredited?
Do you publish an official interpretation of the ISO requirements and can we get a copy?
Have you ever had your accreditation revoked or suspended? If so, what were the circumstances?
Share the number of local clients in our area.
Detail your experience in auditing facilities such as machining job shops.
Share the number of local lead auditors in our area.
Detail the experiences of these lead auditors in auditing facilities such as machining job shops.
Detail the number of lead auditors available for the auditing and maintenance of our certification.
How flexible are you on scheduling or rescheduling?
How do you handle differences of opinion over interpretation of the Standard?
What is the process of handling differences, and whom do we contact?
Is the stage 1 audit conducted on-site, off-site, or a combination?
How fast can we set up an interview with you?
Can we also set up an interview with the lead auditor who would be assigned to us?

If we take a look at these questions, many could have been answered at the same time as question one was answered – and that could be simply answered by a quick check of the IAF website! Accreditation to ISO/IEC 17021 takes care of issues such as auditor qualifications, appeals, conduct of the stage 1 audit, and so on.

Perhaps it’s interesting to note that such questionnaires completely miss many of the points that really affect the actual relationship an organization will likely have with its chosen certification body! Rather than waste time asking questions that are actually answered by their accreditation – which is a “playing field leveler” – it would be better to address the actual performance of the certification body in delivering more than just an audit and certificate of compliance with an ISO Standard!

Let’s consider what aspects of the services provided by a CB impact the organization:

quality of service (technical, scheduling, value of audit reports)
quality of auditors (competence, industry experience, audit approach, professionalism)
credibility or reputation of certification (how do your customers and other certified clients perceive the CB?)

Having selected a certification body, the process begins with providing information about the organization on which a quotation may be based.

Typically, the information required by the CB, on which it bases its quote, includes:

Contact personnel details.
Names, positions, phone numbers, e-mail addresses, fax numbers.
Organization details:
- Name, street address (HQ).
- Other locations (if applicable).
Headcount involved in the management system.
The scope of the management system.
Exclusions from the management system (where permitted), such as design, customer property, control of measuring equipment.

The quotation or proposal is likely to reflect the amount of audit time for the following activities:

the “stage 1” audit
the “stage 2” audit
the surveillance audit (usually annually) and
the “triennial reassessment”

It is common for a third-party certificate to be valid for three years. This is a legacy of the approvals given by the UK’s Ministry of Defence (MoD) to its suppliers. Early adopters of third-party certification, in the early 1990s, were often suppliers to the UK MoD, the British Government, and various government departments, making it a requirement for them to be third-party certified.

Note – if a CB doesn’t quote a cost and duration for the triennial audit, the guidance from ISO/IEC 17021 states that the audit is approximately two-thirds of the combined stage 1 two-audit durations.

The certification body will also issue some form of contractually binding agreement. This describes the terms and conditions relating to payment for its services, and details of the organization’s commitment to the rules relating to certification of its Quality Management System. These rules are passed down, from the accreditation bodies, by the certification bodies, to their clients, and are defined (in part) in ISO/IEC 17021. Typically, the rules include:

confidentiality of the information obtained about the organization
changes relating to the organization’s
- ownership
- management and
- locations
changes relating to the
- scope of the management system in terms of products, services locations, for example, and
- major changes to the management system, including those affecting management, regulations, documents and so on; withdrawal of certification.

An additional audit service offered by most certification bodies is known as the “preliminary assessment” or “pre-assessment.” This is a purely optional audit that is not part of the formal certification audit process; is usually a shorter-duration audit; and, as its name suggests, is performed before the actual certification audit is performed. This audit is described later.

Certification body audit process – the basics

Before the various types of audit conducted by a certification body are described in detail, it’s worth taking a look at the basic activities at the core of these audits. These activities are normally founded on the requirement of ISO19011, “Guidelines for Auditing Management Systems.”

The key components of the audit process include the following:

Opening meetings

At the scheduled time, according to the audit schedule/agenda (or other arrangements made), the assigned lead auditor will chair a meeting with representatives of the organization. An agenda for the meeting might look something like this:

Introductions of the auditor(s) and the organization’s participants.
Purpose of meeting and audit scope.
Review of audit agenda/changes.
Logistics: workspace, meal arrangements, working hours, and so on.
Audit guides.
The need for, and availability of, safety equipment.
Audit process: interviews, evidence gathering, and so on.
Audit reporting: verbal, written, grading.
Daily reviews (if multi-day audit).
Confidentiality statement.
Closing meeting purpose and timing.
Discussion/Q & A.

Audit activities

On completion of the opening meeting, the auditor(s) will begin their audit assignments. The audit purpose is to verify that the organization’s management system is implemented and is effective in achieving the stated objectives. They must “test” various people’s understanding of their jobs and process controls, and determine that the organization is effectively planning for the results it and its customers expect to achieve.

To accomplish this, auditors will interview the relevant personnel, from management to members of staff and associates who perform work, asking questions about the processes they work on, the objective(s) of those processes, and current performance of those processes. The auditors will likely also ask questions intended to verify understanding of various people’s responsibilities and authority for control of processes, including taking action when unplanned situations arise, perhaps resulting in nonconforming products, and so on.

Auditors make copious notes as they verify the evidence they see and hear, including references to the specific documents and records they request to see. These records will, typically, include customer orders/contracts, purchase orders placed on suppliers, competence evaluations and training records, minutes from product design review technical meetings, internal auditors’ notes, and so on. These are compared to the organization’s documented Quality Management System and, with what was learned from interviews, a picture is formed by the certification body auditor(s) as to the degree of compliance and effectiveness.

Closing meetings

At the conclusion of a certification body audit, whether it’s stage 2, surveillance, or triennial reassessment, the auditor will convene a “closing meeting.” The purpose of the meeting is to summarize the findings of the audit for the organization, to discuss any follow-up actions that may be necessary, and to outline the purpose and timing of the next visit.

At the end of the audit, one important action for the auditor is to deliver a recommendation to the organization, appropriate to the type of audit that has just been performed. The recommendation is based upon the evidence gathered and conclusions arrived at by the auditor(s).

Example recommendations are defined in the following descriptions of each audit type.

Audit reporting

Certification body auditors are required to fully report the results of the audits they perform. There are two basic forms of report:

Non-conformity reports
audit summary reports

Non-conformity reports (NCRs)

Non-conformity (non-conformance) reports are possibly the most interesting to the organization being audited. As the audit unfolds, the auditor may observe a situation or situations where evidence indicates the Quality Management System is not being implemented, or is not as effective as intended or planned.

In these situations, having agreed the facts with the organization’s representatives, the auditor will complete a non-conformity report (form) with the following fundamental information:

the source of the audit requirement
the audit requirement
the source of the audit evidence and
the audit evidence observed

An example non-conformity report statement might read as follows:

The organization’s Quality Manual, revision #3, states in paragraph 3.3.1, that management reviews are held with a minimum of three Vice Presidents (Engineering, Production, and Quality) in attendance at a meeting to discuss process performance to objectives.

The minutes (record) of the review meeting held on 31 January 2012, indicates that only two VPs were in attendance (Engineering and Quality). As a result, there was no review of Production-related performance to objectives.

The SLA for ACME states a helpdesk initial response to the client will be made within 15 min of receiving a help request. In the period July 5–July 8, it was noted that approximately 25% of responses were made after the 15-min limit.

The nature of the content of each non-conformity report is reviewed and graded by the auditor. Grading gives “gravity” to the content of the report as a means to communicate significance. It is typical that a certification body auditor will consider whether what’s been observed is an isolated or localized non-conformity, not indicating a systemic issue, or whether the situation is determined to be a breakdown of the Quality Management System. Such a breakdown might be a failure of effectiveness, a failure to implement, or a significant number of the (initially) localized non-conformities clustered around a specific ISO9001 requirement.

In an ISO9001 certification audit, there are no specific “rules” for determining when a number of observed non-conformities warrant classification as either “minor” or “major.” A certification body may have its own definitions of categories of non-conformity reports, including “major,” “minor,” “opportunity for improvement,” “category 1,” “category 2” and so on, and some even have definitions of how many “minor” non-conformities found constitute a “major” non-conformity, in their certification service agreement or contract.

A common feature of Certification Body audit non-conformity reports is the inclusion of a statement of the effectiveness of the process/system being audited.

The requirements for auditors to report on this (important) aspect comes from both the automotive and aerospace oversight schemes for Certification Bodies (the “IATF” and “IAQG”).

Audit summary reports

The certification body auditor is required to demonstrate that a comprehensive audit has been carried out, so, toward the end of the audit, a summary of the audit is completed. The certification body will provide the auditor with a form in a prepared format that is then filled out with the details of the specific audit. Details are completed based on the notes taken, people (job titles) interviewed, records reviewed, and so forth.

The summary report will also contain a recommendation to the certification body’s management on the status of the organization’s management system and whether a certificate of compliance should be issued.

The preliminary or pre-assessment audit

Since most organizations come to ISO certification without significant experience of the audit process, the preliminary assessment can be a very useful experience. For readers who are familiar with the performing arts, it’s quite normal, immediately before the “first night” of the performance, for the performers to have a “dry run” through their performance, in the venue, with other performers, musicians, and so on. This dry run is often referred to as the “dress rehearsal” and is done to make any final adjustments to the performance before the public get to see and critique it.

A dress rehearsal isn’t to make major adjustments to the score, choreography, costumes, and so on, since there’s no time available. Instead, it gives the producers an opportunity to visualize the performance in situ, and, hence, minor adjustments may be identified and accommodated.

Unlike the “stage 1” and “stage 2” audits, there is no defined duration for the preliminary assessment, so the organization can choose how long it believes is needed. What’s more, the organization gets to decide what it wants the auditor to review during the visit. The agenda is theirs to define. An organization may decide to have the auditor focus on a few aspects, or take a sweep of the entire Quality Management System. In selecting a smaller focus, organizations often are interested in those aspects of the QMS that may be new to them, for example, a calibration system, where none was formally defined or implemented before. Often, a broad view of the status of the system as a whole can validate for the management team that their efforts are, indeed, ready to undergo the more detailed scrutiny of the registration audit. It acts, therefore, as a dress rehearsal for the actual certification audit.

Other benefits include:

Observing how the assigned certification body auditor goes about performing the audit.

Although the organization will have conducted internal audits, it’s always good to know how the CB auditor does things.

Observing how they interact with the various people they interview.

Each CB auditor is different and they have unique ways of establishing good communications with the people they interact with. It helps to “break the ice” if you know this ahead of time.

Allowing various (key) people of the organization to experience being audited by the certification body auditor.

As before, although internal audits will have been performed, not everyone will have had a role in those. Some people might be natural candidates to be audited by the CB auditor, and it’s a great time to give them that experience.

Uncovering a potential weakness in the system before the stage 2 audit.

This is very useful, of course, as the auditor who did the preliminary assessment will be very aware of the actions you took to rectify the situation found, which also builds confidence in the commitment to implementing an effective system.

The preliminary assessment can be timed with the stage 1 audit. This allows for some continuity of understanding for the auditor since they will have been able to study your system documentation and, while that knowledge is still “fresh,” to take a look at aspects of the implementation too. It also helps to cut down on expenses!

The results of the preliminary assessment can be a useful input to the “management review” as a formal indicator of the “suitability and effectiveness” of the Quality Management System, in the days leading up to the registration audit. Any report from the preliminary assessment is not supposed to have any impact on the actual certification audit, it being entirely up to the organization’s management to determine if any of the auditor’s reported comments are significant enough to warrant corrective actions. In actual fact, if the same auditor who did the preliminary assessment performs the stage 2, then, if the client chooses to act on the auditor’s comments and observations, it will be noticed and will possibly be viewed positively by the auditor, as validation.

A recommendation from the preliminary assessment is whether the client’s QMS is in a suitable status to be successful at the certification audit.

The stage 1 audit

On a mutually agreed date, the certification body’s assigned auditor (also known as the “lead auditor”) performs what is known as the stage 1 audit. The purpose of carrying out this audit is defined in ISO/IEC 17021 as being:

To evaluate the documented Quality Management System.
To ensure the Standard’s requirements have been understood and that key performance, processes, objectives, and operation have all been identified.
To verify the information collected regarding the Quality Management System’s scope and processes, the locations of the business, and any related regulatory and statutory compliance issues.
To review and agree the duration and timing of the stage 2 audit.
To plan the audit activities of the stage 2 audit.
To ensure the internal audits and management reviews have been carried out and that there’s sufficient implementation to support readiness to undergo the stage 2 audit.

The stage 1 audit includes a report detailing the preceding, plus any findings from the audit of documentation and so on.

As well as this report, another key output of the stage 1 audit is a plan or agenda for the stage 2 audit. That plan will, typically, detail each individual focus of the Quality Management System with the duration, timing, and auditor assignments. It may look something like this example (for an organization designing and manufacturing pumps) for a team of two auditors:

Monday, April 4	Lead auditor – audit activity	Auditor 2 – audit activity
8.00 am	Opening meeting with management
8.30 am	Overview of QMS, objectives, and key measurements
9.00 am	Proposals and contracts processing*	Product design and development*
10.00 am	Production planning
11.00 am	Purchasing process, incl. outsourcing controls*
12.00 pm	Lunch
12.30 pm	Receiving and inspection*	Quality planning and controls*
1.00 pm	Manufacturing process – housing machining*	Manufacturing process – casting*
2.00 pm	Pump assembly*	Manufacturing process – impeller machining*
2.45 pm	Pump testing*	Inventory control and warehousing*
3.15 pm	Non-conforming product controls*	Pump finishing*
4.00 pm	Review and compilation of day’s findings
4.30 pm	Presentation of day’s findings and day 2 schedule/adjustments
5.00 pm	Auditors depart

Tuesday, April 5	Lead auditor – audit activity	Auditor 2 – audit activity
8.00 am	Calibration of measuring equipment*	Pump packaging/shipping
8.45 am	Customer feedback and satisfaction*	Equipment maintenance*
9.15 am	Internal audits*	Personnel training programs
10.00 am	Corrective action*	Product and process improvement*
11.00 am	Continuous improvement activities
12.00 pm	Lunch and discussions
12.45 pm	Management review
1.00 pm	Audit findings analysis and report preparation
2.00 pm	Closing meeting
3.00 pm	Auditors depart

*Audit activities will also consider relevant controls of documentation, records, product status, measurements, monitoring, personnel competences, and data analysis.

Once the stage 1 audit is completed, the organization should be clear about the next steps and timing of the stage 2 audit, plus any actions necessary to address issues arising from the audit. Typically, this means taking corrective actions on items raised by the auditor that can affect the successful outcome of the stage 2 audit. A formal submission of actions to the certification body is not usually required, since they will be verified as part of stage 2.

The recommendation from this audit relates to the state of preparation of the client’s QMS to undergo the stage 2 audit, within the agreed time-frame.

The stage 2 audit

Dates for the stage 2 audit were probably agreed and arranged by the auditor with the organization’s management during the stage 1 audit. When the day arrives, the auditor – possibly with a team of auditors (dependent on the audit duration, and so on) – arrives to perform the actual audit of the implementation of the organization’s Quality Management System.

Commencing with an opening meeting (described earlier), the auditor(s) will follow the defined plan, accommodating any unplanned adjustments as needed while still ensuring all the requirements are covered and that the organization’s Quality Management System is fully assessed.

At the end of each audit day, it is typical for the results of the audit to be presented in a debriefing session. This gives an opportunity for any personnel who were not involved in the audit to hear what has been found, if anything, and to learn about what progress has been made and any deviations to the plan or changes for the next day(s). It is also an opportunity for the auditor(s) to indicate any potential audit trails that need to be followed to verify evidence found or to discuss the potential for any non-conformity to be mitigated based upon better explanation of the implementation evidence discovered.

At the end of the audit, the auditor(s) compiles a comprehensive report for submission to the certification body. The report is summarized at the closing meeting (defined earlier).

Although there is the possibility for one or more “major” non-conformities to be discovered during the stage 2 audit, the (lead) auditor will generally advise the organization’s management as soon as it is found. Remember, a “major” non-conformity will prevent the auditor(s) from making recommendation for certification to be granted. Although the organization has the option to terminate the audit at this point, it is recommended to continue with the stage 2 audit for these reasons:

the audit has been paid for, the certification body won’t refund any audit time unused, and
the audit should be completed as planned to reveal all existing issues, so they may be corrected.

Although during a stage 2 audit non-conformities may be discovered, a recommendation can be made by the auditor(s) for certification, if there are none of “major” significance (see previous section on grading of audit non-conformities).

The surveillance audit

On successful certification of an organization’s Quality Management System, the organization moves into the “maintenance phase” of its certification. As defined in the registration agreement, the certification body is required to perform an audit at least annually. If sufficient time is required, a client may elect to have their surveillance audits conducted every six months, to the same total time.

The duration of the surveillance audit is defined in the IAF MD-5 document and is (typically) one-third (33%) of the duration of the stage 1 and stage 2 audits combined.

The surveillance audit is intended to focus on those aspects of the organization’s Quality Management System that are closely related to the maintenance activities:

any changes made to the Quality Management System
management review(s) held since the previous audit
internal audits conducted since the last audit
corrective actions
improvements
customer feedback/complaints and
previous audit non-conformities issued by the CB and associated actions

Over the two surveillance visits, the quality management will be sampled, in particular those aspects that are new and/or changed.

The surveillance audits also have opening and closing meetings and are reported in a similar manner to the certification audit. At the conclusion of the audit, the possible recommendation(s) relate to the ongoing certification or, in the case of significant audit non-conformities (see “major non-conformities”), the recommendation may be to undergo a “special visit” audit.

The triennial reassessment

On the third year after the date of the original certificate of certification was issued, a “triennial reassessment” is usually performed. Because the organization’s Quality Management System should be somewhat mature at this point, the certification body audit should focus on effectiveness or on corrective and improvement actions that have been taken over the previous years. With some three years of data available from customers’ feedback, process performance, product conformity data, supplier evaluations, and so on, the organization’s management should have a clear picture of the suitability of their Quality Management System as a tool to support growth.

As a result of employing a different focus during the triennial reassessment, the duration of this audit is less than the original certification audit. In fact, the MD-5 document allows the duration of the triennial reassessment to be two-thirds (66%) of the stage 1 and stage 2 audit durations combined.

On completion of a successful triennial reassessment, a recommendation may be made to issue a new certificate and the normal pattern of surveillance visits is implemented.

The “special visit” audit

There are circumstances under which an organization’s certification body may require a “special visit” audit. The most significant event that leads to such an audit is when a “major” non-conformity is reported during the period of certification. As defined previously, a major non-conformity indicates that a failure in the Quality Management System has occurred. The nature of this type of systemic failure will usually require a significant corrective action to be undertaken by the organization and, rather than simply relying on records of the results, the certification body auditor may decide to carry out some on-site evaluation of the implementation that led to the records being produced.

Conducted in the manner described earlier, the auditor will focus on the (corrective) actions necessary to address the situation surrounding the major non-conformity. Additionally, the audit will also assess management review and internal audits as key indicators of the manner in which the corrective actions were managed.

At the conclusion of the special visit audit, one of three recommendations may be made and reported to the client, depending on the evidence presented by the client:

The major non-conformity has been removed.
Downgrading of the major to a minor non-conformity. Usually, a request will be made for further evidence of implementation of corrective actions to be provided at the next scheduled audit.
Suspension of the organization’s certificate of compliance. If a client hasn’t taken (suitable) corrective actions to reduce the status of the major non-conformity, for whatever reason, the auditor is required to initiate suspension of the organization’s certificate of compliance.

In addition to the preceding descriptions, it is always advisable to check with the particular certification body, to see how it handles the specifics of each type of audit service. In some circumstances, requirements are defined in a contractually binding agreement that forms the basis of its services to the client. Care should be taken to read any contract to ensure these provisions are well understood, as they often define specific responsibilities of the client.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for Chapter 4: Third-Party Certification of Management Systems

Create new playlist

Sign In

Sign Up