EA-7/05 - EA Guidance on the Application of ISO/IEC 17021:2006 for Combined Audits

Similar documents
Scheme Document SD 003

IAF Mandatory Document for the Transfer of Accredited Certification of Management Systems

ISO/IEC INTERNATIONAL STANDARD

Certification Description of Malaysia Sustainable Palm Oil (MSPO) Standard

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC :2015 IMPACT ON THE CERTIFIED CLIENT

Description of the certification procedure MS - ISO 9001, MS - ISO 14001, MS - ISO/TS and MS BS OHSAS 18001, MS - ISO 45001, MS - ISO 50001

Global Wind Organisation CRITERIA FOR THE CERTIFICATION BODY

Information technology Security techniques Requirements for bodies providing audit and certification of information security management systems

PEFC Certification System Netherlands - Certification Procedures

Global Wind Organisation CRITERIA S FOR THE CERTIFICATION BODY

Inhalt. Description of Certification Procedure ISO 22000, HACCP and DIN 15593

CNAS-RC01. Rules for Accreditation of Certification Bodies

Requirements for Certification Bodies operating Certification against the PEFC International Chain of Custody Standard

EA Document for Recognition of Verifiers under the EU ETS Directive

Prot. DC2018SSV120 Milano, To all Certification Bodies (CBs) with OH&S accreditation. To the associations of Conformity Assessment Bodies

CERTIFICATION GUIDELINES FOR MANAGEMENT SYSTEM

Checklist According to ISO IEC 17065:2012 for bodies certifying products, process and services

Minimum Requirements For The Operation of Management System Certification Bodies

PEFC N 04 Requirements for certification bodies and accreditation bodies

ISO : Competence Requirements Clause 7

Rules for LNE Certification of Management Systems

APPROVAL SHEET PROCEDURE INFORMATION SECURITY MANAGEMENT SYSTEM CERTIFICATION. PT. TÜV NORD Indonesia PS - TNI 001 Rev.05

SİGMACERT ULUSLARARASI BELGELENDİRME EĞİTİM TEST HİZMETLERİ LTD. ŞTİ.

CRITERIA FOR CERTIFICATION BODY ACCREDITATION IN THE FIELD OF RISK BASED INSPECTION MANAGEMENT SYSTEMS

IAF Guidance on the Application of ISO/IEC Guide 62:1996

Checklist According to ISO IEC 17024:2012 for Certification Bodies for person

ISO/IEC 17065:2012 VERTICAL/FILE REVIEW ASSESSMENT

Areas of impact for client consideration taken from the Rules for achieving and maintaining IATF recognition 4 th Edition for ISO/TS 16949

PT. TÜV NORD Indonesia. CERTIFICATION PROCEDURE of ISO 37001

IPC Certification Scheme IPC Management Systems Auditors

IPC Certification Scheme IPC QMS/EMS Auditors

VOLUNTARY CERTIFICATION SCHEME FOR MEDICINAL PLANT PRODUCE REQUIREMENTS FOR CERTIFICATION BODIES

1.0 TITLE: Auditing Procedure. 2.0 PURPOSE: To provide an outline and instructions on the GMCS auditing process of clients.

Scheme Document. For more information or help with your application contact BRE Global on +44 (0) or

SPECIFIC PROVISIONS FOR THE ACCREDITATION OF CERTIFICATION BODIES IN THE FIELD OF INFOR- MATION SECURITY MANAGEMENT SYSTEMS (ISO/IEC 27001)

USDA ISO Guide 65 Program Accreditation for Certification Bodies

QMS/EMS CB Accreditation Criteria

BRE Global Limited Scheme Document SD 186: Issue No December 2017

ACCREDITATION CRITERIA FOR MANAGEMENT SYSTEM CERTIFICATION BODIES ISSUE NO : 01 ISSUE DATE : 17/01/2015 PREFACE

Inter American Accreditation Cooperation. IAAC, IAF and ILAC Resolutions Applicable to IAAC MLA Peer Evaluations

Part 5: Requirements for ABs FOOD SAFETY SYSTEM CERTIFICATION Part V: Requirements for Accreditation Bodies

PROTERRA CERTIFICATION PROTOCOL V2.2

TRAINING COURSE CERTIFICATION (TCC) COURSE REQUIREMENTS

GUIDELINES FOR CERTIFICATION OF MANAGEMENT SYSTEMS

UKAS Guidance for Bodies Offering Certification of Anti-Bribery Management Systems

IAF Mandatory Document KNOWLEDGE REQUIREMENTS FOR ACCREDITATION BODY PERSONNEL FOR INFORMATION SECURITY MANAGEMENT SYSTEMS (ISO/IEC 27001)

Global Specification Protocol for Organisations Certifying to an ISO Standard related to Market, Opinion and Social Research.

Conformity Assessment Schemes and Interoperability Testing (1) Keith Mainwaring ITU Telecommunication Standardization Bureau (TSB) Consultant

Areas of impact for client consideration taken from the Rules for achieving IATF recognition Third edition for ISO/TS

UKAS accredited Certification Bodies

Section Qualifications of Audit teams Qualifications of Auditors Maintenance and Improvement of Competence...

CERTIFICATION BODY (CB) APPROVAL REQUIREMENTS FOR THE IFFO RESPONSIBLE SUPPLY (IFFO RS) AUDITS AND CERTIFICATION

ISO/IEC CASCO ISO/IEC CD ISO/IEC 2008 All rights reserved. Date: ISO/IEC CASCO/WG 21. Secretariat: CASCO

Stakeholder Rules: Rue Montoyer, 10 B-1000 Brussels, Belgium Telephone: Fax:

Network Certification Body

CNAS-RC02. Rules for Sanctions against the Accreditation of Certification Bodies

IAF Guidance on the Application of ISO / IEC Guide 65:1996

Timber Products Inspection, Inc.

DQS Inc. Management Systems Solutions Certification Requirements

SANAS TECHNICAL REQUIREMENT FOR THE APPLICATION OF ISO/IEC IN THE FIELD OF FUSION WELDING METALLIC MATERIALS

Green Gold Label Certification Regulation

ETHIOPIAN NATIONAL ACCREDITATION OFFICE. Minimum Requirements For The Operation Of Product Certification Bodies

SPECIFIC PROVISIONS FOR THE ACCREDITATION OF CERTIFICATION BODIES IN THE FIELD OF FOOD SAFETY MANAGEMENT SYSTEMS

AUDITOR / LEAD AUDITOR PHARMACEUTICAL AND MEDICAL DEVICE INDUSTRY

ISO 9001 Auditing Practices Group Guidance on:

S. Scholz / K. Meyer / J.E. Nielsen / Harald Drück/J.Fernández/E.Prado/L.Nelson Page 1 of 7

IAF Information Document (draft)

C E R T I F I C A T I O N O F M A N A G E M E N T S Y S T E M S

This is a preview - click here to buy the full publication. IEC Quality Assessment System for Electronic Components (IECQ System)

Network Certification Body

GLOBAL MANAGEMENT CERTIFICATION SERVICES PRIVATE LIMITED PROCEDURE

Reliable Quality Assurance Pvt. Ltd.

VOLUNTARY CERTIFICATION SCHEME FOR MEDICINAL PLANT PRODUCE

ORDINANCE ON EMPLOYMENT PROMOTION (AZAV) INFORMATION SECURITY MANAGEMENT SYSTEMS ACCORDING TO DIN ISO/IEC (INCL. IT SECURITY CATALOGUE)

PTSPAS Product Assessment HAPAS Equivalent in accordance with MCHW SHW Volume 1 Clause and

Agreement on High Security Locks

ISO/IEC INTERNATIONAL STANDARD. Conformity assessment Requirements for bodies certifying products, processes and services

THE GUIDE FOR ASSESSMENT OF AN EMAS ENVIRONMENTAL VERIFIER

Regulation for the accreditation of product Certification Bodies

Advent IM Ltd ISO/IEC 27001:2013 vs

The Next Step for ISO 9001 and ISO Certification Advanced Surveillance and Recertification procedures (ASRP)

FOOD SAFETY SYSTEM CERTIFICATION Part IV: Requirements for Certification Bodies

EXAM PREPARATION GUIDE

NOTE: This includes Aerospace Auditors (AAs) and Aerospace Experienced Auditors (AEAs)

TRAINING COURSE CERTIFICATION (TCC) COURSE REQUIREMENTS

CERTIFICATION SCHEME

A80F300e Description of the SA8000:2014 certification procedure

KENYA ACCREDITATION SERVICE

Certification Process Overview

Orion Registrar, Inc. Certification Regulations Revision J Effective Date January 23, 2018

Accreditation programme for management systems certification bodies NAR IRT Edition 2

ITU Asia-Pacific Centres of Excellence Training on Conformity and Interoperability. Session 2: Conformity Assessment Principles

IAF Informative Document. Information on the Transition of Management System Accreditation to ISO/IEC :2015 from ISO/IEC 17021:2011

Rules for Operators. Version 6 / Version 6, 13 May 2011 Page 1/12

Personnel Certification Program

Date 1. Each CB shall be fully transitioned for ISO 9001:2015 per IAF ID 9 and ANAB Accreditation Rule 20.

Inter American Accreditation Cooperation. IAAC Transition from ISO/IEC 17011:2004 to ISO/IEC 17011:2017

GUIDELINE. of the European Committee for Welding of Railway Vehicles (ECWRV) ( ) PART 1

SOUTH AFRICAN NATIONAL STANDARD

Transcription:

Publication Reference EA-7/05 EA Guidance on the Application of ISO/IEC 17021:2006 for Combined Audits PURPOSE This document has been prepared by a task force under the direction of the European Cooperation for Accreditation (EA) Certification Committee to harmonise generic principles according to which combined audits of management systems should be conducted (whatever the combination). October 2008 rev 00 Page 1 of 15

Authorship The publication has been written by a task force of the EA Certification Committee. Official language The text may be translated into other languages as required. The English language version remains the definitive version. Copyright The copyright of this text is held by EA. The text should not be copied for resale. Further information For further information about this publication, you should contact your national member of EA or the Chairman of the Certification Committee. Please check our website for up-to-date information http://www.european-accreditation.org/ Category 2 EA MLA support documents Date of approval: 25 October 2008 Date of implementation: 25 October 2009 Transitional period: October 2008 rev 00 Page 2 of 15

Foreword This document has been prepared by a task force under the direction of the European Cooperation for Accreditation (EA) Certification Committee to harmonise generic principles according to which combined audits of management systems should be conducted (whatever the combination). The working group consisted of representatives from European Accreditation Bodies and stake holders representing accredited certification bodies for management systems. The document has been structured as ISO/IEC 17021:2006. The term shall is used throughout this document to indicate those provisions which, reflecting the requirements of ISO/IEC 17021:2006 are mandatory. The term should is used to indicate guidance which, although not mandatory, is provided as a recognised means of meeting the requirements. October 2008 rev 00 Page 3 of 15

CONTENTS INTRODUCTION... 5 1. SCOPE... 5 2. NORMATIVE REFERENCES... 5 3. TERMS AND DEFINITIONS... 5 4. PRINCIPLES... 6 5. GENERAL REQUIREMENTS... 6 6. STRUCTURAL REQUIREMENTS... 6 7. RESSOURCE REQUIREMENTS... 6 8. INFORMATION REQUIREMENTS... 6 8.1 Publicly accessible information... 6 8.2 Certification documents... 6 8.3 Directory of certified clients... 7 8.4 Reference to certification and use of marks... 7 8.5 Confidentiality... 7 8.6 Information exchange between a certification body and its clients... 7 9. PROCESS REQUIREMENTS... 7 9.1 General requirements... 7 9.2 Initial audit and certification... 9 9.3 Surveillance activities... 10 9.4 Recertification...11 9.5 Special audits...11 9.6 Suspending, withdrawing or reducing the scope of certification... 11 9.7 Appeals... 11 9.8 Complaints... 11 9.9 Records of applicants and clients... 11 10. MANAGEMENT SYSTEM REQUIREMENTS FOR CERTIFICATION BODIES... 11 ANNEX 1 REDUCTION OF TIME... 12 ANNEX 2 EXAMPLE: AUDIT OF INTERNAL AUDIT... 14 October 2008 rev 00 Page 4 of 15

INTRODUCTION This document provides guidance on the application of ISO/IEC 17021:2006 for the planning and delivery of combined audits. All clauses of ISO/IEC 17021:2006 continue to apply and this guidance does not supersede any of the requirements in that standard. The aim of this document is to establish guidance for the combined audit and, if appropriate, the certification of an organisations management system(s) against two or more sets of audit criteria. The term shall is used throughout this document to indicate those provisions which, reflecting the requirements of ISO/IEC 17021:2006, are mandatory. The term should is used to indicate guidance which, although not mandatory, is provided by EA as a recognized means of meeting the requirements. Certification bodies that performs combined audits and do not follow the EA Guidance in any respect will only be eligible to refer to accreditation on certificates as a result of a combined audit if they can demonstrate to the accreditation body that their solutions meet the relevant clause of ISO/IEC 17021:2006 in an equivalent way. It should be noted that the annexes at the rear of this document are also part of the guidance given and should be read as such. 1. SCOPE EA Guidance to clause 1 This guidance document is focusing on the situation of a combined audit covering management system standards which address different organizational risks (e.g. quality, environmental, safety, security etc). There are situations where one standard (e.g. TL 9000, AS/EN 9100 etc) totally incorporates the requirements of another (i.e. ISO 9001). For this situation, when conducting an audit against one standard (e.g TL, AS) it is also possible to issue certification to ISO 9001 (provided scope is the same) solely on the basis of the TL or AS audit. G.9.1.4 and Annex 1 is not developed to address this situation. 2. NORMATIVE REFERENCES EA Guidance to clause 2. 3. TERMS AND DEFINITIONS EA Guidance to clause 3 G.3.1 The following definitions apply to the EA Guidance in this document Combined audit: A combined audit is an audit of an organization s management system (s) against 2 or more sets of audit criteria/standards conducted at the same time. Integrated management system (IMS): For the purposes of this document, an IMS results when an organization uses one single management system to manage multiple aspects of organizational performance, to meet the requirements of more than one management system standard. Note 1: Management systems can appear in different levels of integration. See Annex 1. October 2008 rev 00 Page 5 of 15

Note 2: For the purposes of this document audit criteria is intended to mean management system standards used as a basis for conformity assessment and certification (e.g. ISO 9001, ISO 14001, ISO 27001 etc) 4. PRINCIPLES EA Guidance to clause 4 5. GENERAL REQUIREMENTS EA Guidance to clause 5 6. STRUCTURAL REQUIREMENTS EA Guidance to clause 6 7. RESSOURCE REQUIREMENTS EA Guidance to clause 7 8. INFORMATION REQUIREMENTS 8.1 Publicly accessible information EA Guidance to clause 8.1 G 8.1.1 This information shall include details about its process for conducting combined audits. 8.2 Certification documents EA Guidance to clause 8.2 G 8.2.1 Certification documents issued as a result of a combined audit should be issued as: One single certificate which should reference all management system standards covered by the combined audit ( see Note) and/or Separate certificates for each management system standard. Note: In situations where withdrawal of certification is restricted to a specific management system standard only, the certificate should be re-issued for the other standards that have not been affected. October 2008 rev 00 Page 6 of 15

G 8.2.3.b) and c) If certification cycles are not harmonised for the individual management system standards covered by the combined certificate, then all applicable certification issue and expiry dates shall be shown on the certification documents. The expiry date of the combined certificate shall be the earliest of the individual expiry dates. 8.3 Directory of certified clients EA Guidance to clause 8.3 8.4 Reference to certification and use of marks EA Guidance to clause 8.4 8.5 Confidentiality EA Guidance to clause 8.5 8.6 Information exchange between a certification body and its clients EA Guidance to clause 8.6 9. PROCESS REQUIREMENTS 9.1 General requirements EA Guidance to clause 9.1 G 9.1.2 The audit plan shall ensure that -All areas and activities applicable to each management system standard covered by the scope of the visit are assessed by appropriate competent auditors. - Sufficient time is allocated to accomplish a complete and effective audit of the client s management system(s) for the management system standards covered by the scope of the audit. G 9.1.3 The audit team as a whole shall satisfy the competence requirements for each technical area as relevant for each certification scheme covered by the scope of the combined audit. In cases where the audit team leader does not have the competence required to audit all management system standards covered by the combined audit, individual team members shall be appointed as the `lead for each applicable standard and be responsible for any related recommendations that fall outside the competence of the audit team leader. G 9.1.4 To determine the audit time for a combined audit covering two or more management system standards, e.g. A + B + C, the certification body shall October 2008 rev 00 Page 7 of 15

calculate the required audit time for each management system standard separately (applying all relevant factors provided for by the applicable accreditation guidance and / or scheme rules for each standard) calculate the starting point T for the duration of the combined audit by adding the sum of the individual parts (e.g. T = A + B + C) where appropriate, adjust the starting point figure by taking into account factors that may reduce (see annex 1) or increase the time required for the combined audit. These factors should include but not be limited to: o The availability and use of multi-discipline auditors. o The extent to which the organisations management system is integrated. o The ability of the organisations personnel to respond to questions concerning more than one management systems standard.. o The planning of the audit takes into account effective use of auditor time. o The complexity of combined audits compared with single management system audits. Inform the client that combined audit durations which have been based on declared levels of system integration that are subsequently found to be invalid, will be subject to adjustment. Note: Reference G 9.2.3 refers It is unlikely that the sum of all adjustments made for a given organisation, considering all factors, would reduce the time required for a combined audit by more than 20% from the starting point figure above. The starting point figure and justification for reduction shall be documented. Combined audits of non integrated management systems (although conducted at the same time) should not qualify for any time reduction. G 9.1.5 Existing (accreditation) guidance relating to each management system standard needs to be considered when developing a sampling plan for the combined audit. G 9.1.6 All applicable elements of each management system standard relevant to the scope of the combined audit visit shall be adequately assessed. For example, when conducting a combined audit of an integrated management system covering Quality, Safety and Environmental, it would be unacceptable to verify the effectiveness of the system for corrective action by only auditing samples relevant to say Quality. In some areas of the audit programme it should be appropriate for auditors to audit aspects of a management system standard for which they are not formally qualified as auditor or lead auditor. The following are examples of where this should be appropriate; Areas where the requirements of the management system standards and the technical knowledge to undertake the audit is common. E.g. Control of documents. Areas where the auditor should verify compliance with requirements which are administrative in nature see Annex 2, Example for Internal Audits Confirmation of evidence / close out of an audit trail. October 2008 rev 00 Page 8 of 15

o During an audit it is often necessary to follow up and confirm that an element of objective evidence exists within the company records and/or processes. This confirmation can be in the form of a closed question and is often used to close out audit trails that have been raised. A typical example may be that following the quality management system audit of a design department, confirmation is required that a particular clause is referenced on a purchase order for certain product types. This confirmation of evidence should be undertaken by any auditor. It should be noted that any audit of the technical consequences of the evidence not being available must be made by an auditor competent for the relevant management system standard. In general, delegation opportunities are restricted to the administrative rather than the management of processes. They should only be undertaken following an appropriate briefing from the lead auditor qualified for the specific management system standard. Findings should be reported back to the lead auditor who will decide what, if any, further action is to be taken and review and agree the report to the client. Audit tasks relating to the technical aspects of processes (e.g. their management, controls, capability and effectiveness) which demand specific technical competence in relation to the audit criteria shall not be delegated to auditors who are not competent for the technical area as relevant for each certification scheme. G 9.1.9 See guidance to 9.1.6. G 9.1.10 Audit reports produced as a result of a combined audit should be issued as a combined report (in which findings relating to all management system standards covered by the combined audit are included in one common report) or as separate reports. Each finding raised in a combined report shall be traceable to each applicable management system standard(s). Separate nonconformities should be raised for each management system standard unless specific findings are applicable to the requirements of more than one standard. The certification body should consider the impact that a nonconformity found for one of the system standards has on the compliance of the management system(s) with the other standards. G 9.1.11 This analysis and description shall be done for each nonconformity taking account of the requirements of each management system standard. G 9.1.12 The person(s) that determine that the corrections and corrective actions are acceptable shall be competent for each of the management system standard(s) covered by the nonconformity. 9.2 Initial audit and certification 9.2.1 Application EA Guidance to clause 9.2.1 G 9.2.1 For combined audits this information should include information relating to a) the level of integration (see annex 1) of the organisation's management system(s) and b) the ability of the organisations personnel (at the time of the audit) to respond to questions relating to each management system standard covered by the combined audit. October 2008 rev 00 Page 9 of 15

Organisations choose different approaches to how they manage the various aspects of their business performance (e.g. quality, health and safety or environmental), from totally separate to partially integrated to fully integrated management systems. The extent to which a system is integrated is a factor which will influence the time required to conduct a combined audit. 9.2.2 Application review EA Guidance to clause 9.2.2 G 9.2.2 When conducting this review the certification body shall take into account any additional activities (restrictions) related to the management system standards to be covered by the combined audit (e.g. specific sector scheme requirements). G 9.2.2.3 See guidance for 9.1.3 9.2.3 Initial certification audit EA Guidance to clause 9.2.3 G 9.2.3.1.1 d) For combined audits the information collected during the Stage 1 visit should include information relating to a) the level of integration of the organisation's management system(s) and b) the ability of the organisations personnel to respond to questions relating to each management system standard - in order to verify the information obtained and decisions made at the Application Review (see 9.2.1 and 9.2.2) G 9.2.3.1.1 e) The certification body shall review and modify as necessary the audit duration that was based on a level of system integration which was confirmed during the stage 1 audit. Confirm if the level of integration coincides with the level declared by the client. G 9.2.3.2 See guidance for 9.1.6. 9.2.4 Initial certification audit conclusions EA Guidance to clause 9.2.4 9.2.5 Information for granting initial certification EA Guidance to clause 9.2.5 9.3 Surveillance activities EA Guidance to clause 9.3 G 9.3 See guidance for 9.1.6. October 2008 rev 00 Page 10 of 15

9.4 Recertification EA Guidance to clause 9.4 G 9.4 See guidance for 9.1.2, 9.1.5 and 9.1.6. 9.5 Special audits EA Guidance to clause 9.5 9.6 Suspending, withdrawing or reducing the scope of certification EA Guidance to clause 9.6 G 9.6 If one management system standard is affected by suspension or withdrawal the certification body shall investigate if the other management system standards and the certificate(s) are affected, too. 9.7 Appeals EA Guidance to clause 9.7 9.8 Complaints EA Guidance to clause 9.8 9.9 Records of applicants and clients EA Guidance to clause 9.9 10. MANAGEMENT SYSTEM REQUIREMENTS FOR CERTIFICATION BODIES EA Guidance to clause 10 October 2008 rev 00 Page 11 of 15

ANNEX 1 REDUCTION OF TIME Figure 1 100 5 5 10 15 20 Level of integration % 80 60 40 20 5 5 10 15 15 0 5 10 10 10 0 5 5 5 5 0 0 0 0 0 0 100 0 20 40 60 80 Ability to perform combined audit % Figure 1: This figure illustrates the reduction (%) in combined audit duration and its relationship to: Vertical axis, the level of integration of an organisations management system (see below) (which should include a consideration of the auditees ability to respond to multi-aspect questions); and Horizontal axis, the extent to which individual audit team members are qualified for more than one management system standard covered by the combined audit (i.e. multi-skilled) calculated using the following formula: 100 ((X 1-1)+ (X 2-1)+ (X 3-1)+ (X n -1)) Z(Y-1) Where X 1,2,3 n is the number of standards for which auditor n is qualified relevant for the scope of the combined audit; Y is the number of management system standards to be covered by combined audit; Z is the number of auditors. October 2008 rev 00 Page 12 of 15

Example: A combined audit team of 3 auditors covering three different management system standards. One auditor is qualified for all three standards; one auditor is qualified for two of the standards and the other auditor is qualified for one standard. The percentage figure to be used for the horizontal axis is: 100 ((3-1) + (2-1) + (1-1)) = 50 % 3(3-1) Level of integration An integrated management system results when an organization uses one single management system to manage multiple aspects of organizational performance. It is characterised by: 1. Management Reviews that consider the overall business strategy and plan. 2. An integrated approach to internal audits. 3. An integrated approach to policy and objectives. 4. An integrated approach to systems processes. 5. An integrated documentation set including work instructions, to a good level of development as appropriate. 6. An integrated approach to improvement mechanisms, (Corrective and Preventive Action; measurements and Continual Improvement). 7. An integrated approach to planning, with good use of business wide risk management approaches. 8. Unified management support and responsibilities. The certification body must decide the percentage level of integration based upon the extent to which the organisations management system meets the above criteria. October 2008 rev 00 Page 13 of 15

ANNEX 2 EXAMPLE: AUDIT OF INTERNAL AUDIT Consider the audit of internal audit when conducting a combined audit visit covering Q (ISO 9001), S (OHSAS 18001) and E (ISO 14001) of a typical manufacturing plant. There are some common requirements of all three standards for internal audit. These are almost entirely administrative relating to the existence of programmes and plans, reporting and follow up activities. However, there are different bases for the determination of audit frequency and duration. From the quality perspective there will be no requirement to audit the waste water treatment plant or solid waste disposal but these will feature prominently in an ISO 14001 based programme and should be included in the health & safety programme depending on the type of processes and activities in the plant. Conversely an assembly operation in an electronics plant has (should have) many quality and health & safety issues but should have relatively few environmental issues. The audit programme needs to reflect the relative risks to the environment and risks to health and safety as well as the significance to quality. Therefore, the internal audit programme and plan should be reviewed by certification body auditor(s) competent for each management system standard. Competence of the organisations internal auditors should be defined in terms of basic audit process, technical and regulatory knowledge and knowledge of the activities being audited. It is rare to find truly multi-skilled internal auditors and so the deployment by the organisation of internal auditors with the right competence should also be assessed by certification body auditors qualified for each management system standard covered by the combined audit. For this example the certification body auditor should ask three main questions: Auditor question Combined systems Auditor competence Is the internal audit programme effectively designed? Is the internal audit programme being implemented in accordance with procedures? Is it effective? The certification body audit team needs to confirm that the Quality, Environmental and Health & Safety components of the programme are weighted according to the status and importance of the processes and areas to be audited, the environmental risks and the health & safety risks and results of previous audits This would be a confirmation that trained internal auditors conduct audits against the plan and follow procedures The certification body audit team need to evaluate the competence of internal auditors, the relevance of findings and the appropriateness of the corrective actions. The certification body audit team needs to review the audit programme to consider whether it is appropriate and sufficient for each management system standard. This should only be done by auditor(s) competent for each management system standard covered by the combined audit. Any CB auditor may assess the administrative components of internal audit This should only be done by auditor(s) competent for each management system standard covered by the combined audit. October 2008 rev 00 Page 14 of 15

Conclusion Audit of the internal audit programme and plan to assess that the frequency and duration of audits has been established on the basis of risk and that competent internal auditors have been assigned should only be done by CB auditors competent for each management system standard covered by the combined audit Sampling and audit of relevant internal audit reports to confirm the effectiveness (by audit of content and comparison with their own observations) of the internal audit programme should only be conducted by CB auditors qualified for each management system standard covered by the combined audit; Any CB auditor should verify the administrative aspects of internal audit such as; the existence of a documented procedure; the existence of an audit programme; scheduling and conduct of audits as per programme, reporting, follow up and close out of internal audits as per documented procedure. However review of the organisations corrective actions for effectiveness should be conducted by an auditor competent for the respective standard. October 2008 rev 00 Page 15 of 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback