Auditee Guidelines and Obligations IMS International Limited

Contents

1. Introduction
  1.1 Scope and Applicability
2. Introduction to IMS International Limited
  2.1 Organisational Overview of the Certification Body
  2.2 The Company and the Certification Body
3. The Assessment and Certification Process
  3.1 Step 1 – Pre-Audit
  3.2 Step 2 – Review of Documentation
  3.3 Step 3 – Audit Planning
  3.4 Step 4 – Initial Audit
  3.5 Step 5 – Clear Down Corrective Actions
  3.6 Step 6 – Certification
  3.7 Step 7 – Surveillance
  3.8 Step 8 – Further Audit
  3.9 Step 9 – Re-Audit
4. Certification Guidelines
  4.1 Scope
  4.2 Definition of Organisation
  4.3 Supplies outside the Certificated System
  4.4 NAMAS (and ISO/IEC Guide 25) Accreditation
  4.5 Effects on the Environment
  4.6 Meeting Legal Requirements
  4.7 Policy as to when Certification Services shall be available
  4.8 Complaints and Complaint Records
  4.9 Suspension and Cancellation of Certificates
5. Complaints and Appeals
6. Accredited Scope
7. Rules Governing the use of the Certification Mark etc.
8. Pricing Guide
  8.1 Pre-Audit
  8.2 Document Review
  8.3 Audit Planning
  8.4 Initial Audit
  8.5 Clear-down of Corrective Actions
  8.6 Certification Fee
  8.7 Surveillance
  8.8 Further Audits
  8.9 Re-Audit
9. Terms and Conditions
  9.1 Definitions
  9.2 Licence to use the Certification Mark and Certificate
  9.3 Services to be provided by IMS International Limited
  9.4 Confidentiality
  9.5 Duties of the Auditee
  9.6 Duties of the Client
  9.7 Fees
  9.8 Postponement and Cancellation
  9.9 Termination of the Agreement
  9.10 Related Documents
  9.11 General Terms and Conditions
10. Audit Questionnaire

1. Introduction

Summary and Purpose

This document is to provide potential clients and auditees with some of the information they need before they place an order with IMS for assessment services. Much of the information is intended to be the basis of the contract between the client and IMS.

1.1 Scope and Applicability

This document applies to all the auditing services undertaken by IMS International.

2. Introduction to IMS International

IMS International (IMS) was set up to act as a Certification Body for professional and services companies, particularly those in the information technology sector, but in recent years it has received extensions to scope from UKAS to enable us to better service a wide range of industries.

IMS was set up and is owned by private shareholders and is self-financing by fees from services.

IMS is accredited by the United Kingdom Accreditation Service (UKAS) to carry out assessments of quality systems to ISO 9000 (i.e. BS EN ISO 9001:2000) and to TickIT.

IMS is based in England, and can carry out certification work throughout the world, from its offices in the USA, Far East etc.

IMS has a small central staff, and seeks to use modern automation to make its operations as efficient and cost-effective as possible. IMS employs external specialists for auditing work. All are carefully vetted before being assigned to client work. All are registered by the International Register of Certificated Auditors for the type of work they undertake, or by careful scrutiny.

IMS has a Governing Board which comprises independent representatives from a wide range of interests in the areas in which IMS carries out certification. The Governors set the policy for the Certification Body, and ensure that these policies are carried out. In the event of an appeal, it is the Governors who are the final arbiters.

The Certification Body is managed by a General Manager who implements the policies of the Governing Board.


QUALITY POLICY

It is the aim of IMS International Ltd to provide a friendly, flexible, high quality service that meets or exceeds the requirements of our customers in every respect.

We will strive to achieve this by:

- Getting to know our customers, and understanding what is important to them;
- Developing our systems and practices to better meet our customers' needs;
- Dealing with customer queries promptly and efficiently;
- Developing an ethos that is both friendly and professional;
- Reducing bureaucracy for our customers, whilst maintaining high levels of accountability and traceability;
- Being flexible and remembering that each customer has their own individual requirements;
- Ensuring our fees are as competitive as possible;
- Delivering a value-added service in audits and all other dealings with customers;
- Continually developing our staff and auditors in order to maintain a highly competent and motivated team;
- Continually reviewing our system, processes and procedures to identify opportunities for improvement.

This policy is known and understood by all within our company, and provides the philosophy upon which all our services are planned, developed and monitored.

The other policies are as follows.

Pol.002 No person will be used for certification or assessment work if his/her judgement could be influenced by his/her employer's involvement with the organisation being assessed.

Pol003 Individuals who are involved in certification, including those acting in a managerial capacity or as Governors, shall not have been involved in any consultancy activity for the organisation being assessed, or any organisation related to it, in the preceding two years.

Pol004 The services of the Certification Body shall be available to all organisations equally, subject to acceptable commercial terms, except that no organisation shall be certified if it has employed any employee or shareholder of the Company as a consultant or adviser within the preceding two years.

Pol005 The General Manager shall be free from control and undue influence by anyone with a direct commercial interest in the services to be certificated.

Pol006 Staff will be assigned only to those tasks to which they are suited by virtue of qualifications, training and experience.

Pol.007 Information about clients or auditees shall be held and stored so as to be secure and in confidence, except so far as required by law.

Pol008 Reports about, and other information concerning, clients and auditees shall be made available to staff and Governors only so far as they have a need to know.



2.1 Organisational Overview of the Certification Body

The way in which the Certification Body works is broadly as follows:

The Governing Board is responsible for ensuring the impartiality of the assessment and certification process.  It meets regularly to conduct any necessary business such as:

- to review policies;
- to receive and consider the report of the General Manager;
- to consider and rule on any appeals against the results of audits;
- to appoint new Governors;
- to decide on and follow up any actions which arise;
- to review any certificates which have been approved.

The General Manager runs the Certification Body. More particularly:

- he/she implements the policies of the Governing Board;
- he/she reports annually to the Governing Board via its chairman;
- he/she assigns auditors to carry out assessments and to provide audit reports;
- he/she administers the Scheme and issues certificates based on the reports and recommendations of auditors and Certification Officers.

The structure of the Certification Body is shown below.

The General Manager has operations staff, auditors, certification officers, and a systems manager reporting to him/her. In summary, their roles are as follows.

- The operations staff carry out the instructions of the General Manager, and follow the procedures of the Certification Body.

- Internal auditors plan, carry out and follow up internal audits.

- Auditors plan and carry out the audits of auditees prior to certification.

- Certification Officers review the recommendations of auditors and decide whether a certificate may be awarded.

A full list of all the Governors is available upon request.

 

2.2 The Company and the Certification Body

The Company, the Certification Body and their parts are shown in the following figure.

[Figure: boxes labelled, in order of appearance:]

- Members of the Company
- Board of Directors
- Governing Board
- Certification Body
- General Manager and his Staff, sub-contractors, auditors and other staff

3. The Assessment and Certification Process

The process of assessment (or auditing) and certification comprises a series of steps as follows. (Note: "assessment" is the process of examining a system to check that it complies with the appropriate standards; "certification" is the final step of issuing a certificate if the assessment is successful.)

3.1 Step 1 - Pre-Audit

The pre-audit is optional. It will be no longer than half the duration of the initial audit. It will be carried out in the same way as an initial audit, and provides practice for the auditee being audited. The objective is to find any major areas of weakness or aspects of the standards which are not addressed (either adequately or at all). The auditee can request which elements are audited.

3.2 Step 2 - Review of Documentation

This is the first link in the assessment chain. First we check that your quality system documentation describes a system which complies with the relevant standards. Then (at the initial audit) we check that you are doing what your documentation says you should. The documentation review is usually carried out off site.

3.3 Step 3 - Audit Planning

An audit plan is a programme which identifies which departments, functions or projects will be examined on which days and with respect to which aspects of the standard. If several auditors are to be involved, then the allocation of their time needs to be planned. The auditee needs to know when staff are likely to be required. If there are several locations to visit, the travel arrangements need to be optimised. The audit plan has to ensure that all relevant aspects of the organisation are adequately covered.

3.4 Step 4 - Initial Audit

The initial audit may take from one to many man-days depending on the size and complexity of your organisation; the time allocation will be in accordance with the guidelines set out in Guides 62, 65 and 66.

The initial audit will start with an opening meeting and end with a closing meeting.

At the opening meeting, we will seek to agree the "scope" for which you wish to be certificated. See Section 6.

Scope and the definition of the organisation are finally agreed at the opening meeting. However, it is desirable that you have a clear idea of them beforehand.

After the opening meeting, the auditors will visit various parts of the sites to be audited. They will interview staff, inspect records and documents, and examine products and processes. They will be seeking evidence that your system works as described in your documentation, and that it is appropriate for your claimed scope. They will take notes as objective evidence.

At the end of each day, the auditors will write up any nonconformities or observations and let you know what they have found.

At the closing meeting, the Audit Team Leader will summarise what has been found, and will tell you what action he will recommend to the certification body. There are a number of possible courses of action. The Audit Team Leader has full discretion as to what he recommends. Essentially, the possibilities are as follows.

a. Recommend immediate certification, there being no nonconformities.

b. Recommend certification, subject to the satisfactory clearance of corrective action evidence to be shown by post.

c. Recommend certification, subject to the satisfactory clearance of corrective action after verification at a further visit.

d. Recommend that there be a further audit with the emphasis on named areas.

e. Recommend that the auditee re-apply for certification after implementing a compliant system.

NOTE: the recommendation of the Audit Team Leader on certification is subject to confirmation by the certification body.

For ISO 14001 certification it is a requirement for the Initial Audit to be conducted over two separate stages involving two audit visits:

Stage 1 - Objectives are to provide a focus for planning the audit (stage 2) by gaining an understanding of the Environmental Management System (EMS) in the context of your environmental aspects and associated impacts, policy and objectives, and in particular, to assess your preparedness for the stage 2 assessment.

Stage 2 - Objectives are to confirm that your EMS has been effectively implemented, that you are adhering to your policies, objectives and procedures, and that the EMS conforms with all the requirements of ISO 14001 and is achieving your policy objectives.

In addition to reporting any non-compliances identified against ISO 14001, your auditor will also make known to you any identified breaches of relevant environmental legislation or regulatory requirements.  Whilst such breaches may not necessarily be a non-compliance against ISO 14001, it will be expected that your EMS has effective controls and processes in place to achieve continual and consistent conformance with relevant environmental regulatory requirements.


3.5 Step 5 - Clear Down Corrective Actions

For any nonconformity there will be a proposed corrective action to remedy any defects in either products or processes. All corrective actions must be cleared to the satisfaction of the Audit Team Leader or a nominated representative before certification.

The nonconformities will be numbered and listed in the audit report. The corrective action plan is a parallel table, which identifies the proposed action for each nonconformity. The proposed action should state:

- the action completion date;

- any rework of nonconforming product;

- corrective (and preventive) action - as defined by ISO 9001 and ISO 14001.

NB: simply repairing or re-working nonconforming product is not corrective action; you must identify the root causes of nonconformities and take action to remove them.

We can provide soft-copy forms to assist in the preparation of the corrective action plan. You are encouraged to maintain the plan in machine readable form - desirably in a form readable on the auditor's PC.

For Initial Assessments and Re-assessments, all corrective actions must be cleared within 13 weeks of the end of the initial audit. If they are not, a further audit will be required prior to certification. The Audit Team Leader may reduce this timeframe.  For surveillance visits, the audit team will make a recommendation as to whether objective evidence for the closure of non-compliances must be submitted to IMS within defined timescales, or whether they can be closed out at the next surveillance visit.

3.6 Step 6 - Certification

On receipt of the Audit Report and, where applicable, corrective actions, the certification body will undertake a review to ensure that all the correct procedures have been followed, whether the recommendation of the Audit Team Leader is sound, and whether corrective actions have been appropriately addressed and evidenced.

This process can sometimes take several weeks - particularly if there are queries about the completeness of the assessment and corrective actions.  The person undertaking the review may also require additional evidence to be provided to ensure that the system meets the requirements of the specified standards.  In exceptional circumstances, this could include an additional visit.

On completion of a satisfactory review the recommendation to certificate will be confirmed by the certification body and the appropriate certificate will be issued.

3.7 Step 7 - Surveillance

The objective of a surveillance audit is for us to assure ourselves that you are continuing to work to a system which complies with the standards to which you are certificated, and that you take timely corrective action to correct nonconformities.

During surveillance, we may find nonconformities. As before, you need to propose corrective action. These will usually be cleared down at the following surveillance visit, but the Audit Team Leader may recommend more immediate clear-down.

After a number of visits, if it becomes apparent that compliance with the standard is good, then the time needed for surveillance may be reduced. An indication would be the number and nature of the nonconformities found during surveillance.

On the other hand, of course, if compliance were found to be poor or worrying, then the amount of surveillance might need to be increased. In a poor case, a further audit might be needed. Clearly, these costs are in the hands of the auditee.

Also, see Section 4.9 (Suspension and Cancellation of Certificates).

3.8 Step 8 - Further Audit

If there have been significant changes to your quality system or organisation, or if you wish to change your certificated scope, then a further audit may be required. What is to be done will depend on the recommendations of the Audit Team Leader.

A further audit is a partial or full audit similar to the initial audit. Its extent will depend on the change which caused it. The most common cause is a change in scope, but it may be required because of a change in organisation or the quality system, or if the Audit Team Leader is concerned about the compliance of your system with the standard.

3.9 Step 9 - Re-Audit

After three years from the initial audit, we re-audit your system. This follows a similar path as in the beginning: a document review followed by an audit and a clear-down of the corrective actions.

Surveillance then continues with a further re-audit three years later.

4. Certification Guidelines

4.1 Scope

At the opening meeting (during the initial audit), we will seek to agree the "scope" for which you wish to be certificated. Scope is a concise (usually a one or two sentence) description of your business. It is your responsibility to propose the scope, although our Audit Team Leader will help if necessary.

Your scope should be drawn with sufficient precision to give a clear understanding of the types of products or services which you supply. You should not be certificated for the supply of products you do not make or for services you do not provide. We need to satisfy ourselves that you are competent to supply across all the items normally understood to come within your certificated scope.

If there are regulatory requirements, standards or other normative documents against which you supply products or services, these should be included in your scope.

4.2 Definition of Organisation

At the opening meeting we will also seek to agree the definition of the organisation which you wish to have certificated. This need not have the same boundaries as organisations recognised by company law. The important thing is that the organisation be a sensible operating unit. You cannot exclude parts of the organisation simply because "they are not ready" or because you don't want to include them. By contrast, the organisation could include parts of several different companies (e.g. one of your sub-contractors). But whatever the definition, it must be clear before the audit starts.

If you are operating through a number of remote branches, all of which:

- are part of the same organisation,

- are under the same control,

- are doing substantially the same job,

- are under common management, and

- use the same management system and procedures

the assessment can be by sampling. However, all the branches have to be assessed at least once over the three years before re-audit. In this case the certificate relates to the organisation as a whole. IMS reserves the right not to accept a certification project for organisations structured in a way that conflicts with company law.

4.3 Supplies outside the Certificated System

It is your responsibility to ensure that you make no false claims as to the extent of your certification. Further, you must ensure that, when you supply products or services which were not designed or produced under your quality system, you do not make any implicit or explicit claim to certification for those goods or services supplied. Moreover, you must ensure that certification is only used to indicate that products or services meet the requirements of the specified standard(s), and not use your certification to imply or claim that the products or services conform to any requirements outside the specified standard(s).

4.4 UKAS (and ISO/IEC Guide 25) Accreditation

If you carry out tests or calibration work which is appropriate to UKAS accreditation, then you must obtain such accreditation and not simply obtain 9001 certification. Your UKAS (or ISO/IEC Guide 25) accreditation will be accepted by IMS as evidence of compliance with the related requirements of ISO 9001 (this is for the UK only).

4.5 Effects on the Environment

ISO 9001 does not require that processes have no adverse effects on the environment except insofar as this is a customer requirement. ISO 14001 is available as a standard against which firms may be certificated to demonstrate that their processes take the environment into account more generally. (IMS can provide this certification.)

4.6 Meeting Legal Requirements

If your quality system conforms to ISO 9001, then you aim to meet all "agreed requirements" of the purchaser, including any legal requirements which are implied by your contract with them. During the audit, you will need to show that you actively seek to meet all known legal, statutory and regulatory requirements.

We shall check that you have arrangements in place for ensuring that you have identified and are able to meet all relevant requirements. However, we shall not check that you do meet them; that remains your responsibility.

4.7 Policy as to when Certification Services shall be available

The services of the Certification Body shall be available to all organisations equally, subject to acceptable commercial terms, except that no organisation shall be certified if it has employed any employee or shareholder of the Company as a consultant or adviser within the preceding two years.

4.8 Complaints and Complaint Records

As part of his/her documented management system, the auditee shall keep a record of all complaints received and records of the remedial and preventive actions taken, and any predisposing factors within the quality system. These records shall be made available to the auditor at each audit and surveillance visit.

4.9 Suspension and Cancellation of Certificates

During surveillance, it may become apparent that the auditee is not working to a compliant, documented, management system, or he/she may be misusing the marks, or otherwise contravening the terms of their certificate. In this case, the auditee may be advised that their certificate is suspended pending meeting the terms of their certificate. This will usually involve the auditee's carrying out appropriate corrective action. Should they fail to achieve the corrective action within 14 days, the certificate will be withdrawn.

During suspension, the auditee shall not make any claims that he/she is certificated, except that they may continue to use the marks.

If a certificate is withdrawn, the auditee shall immediately cease all claims to certification, cease to use the marks, and return all certificates to IMS.

5. Complaints and Appeals

At any time, a client or auditee may make a complaint about the service provided by IMS. Complaints should be addressed to the General Manager. If you are not satisfied with the response to a complaint, you may further complain to the chairman of the Governing Board.

At any time, any interested party may appeal to the Governing Board if:

- an application is rejected;
- a certificate is suspended or terminated;
- an audit result is not satisfactory.

Appeals should be made via the General Manager. The appellant will have the opportunity to present his/her case to the Governing Board. The Certification Body's costs arising from the appeal shall be to the account of the appellant if the appeal fails, and to the account of IMS if the appeal succeeds.

Complaints will be acknowledged with an initial response in writing within 10 days, and a full written response will be provided upon completion of a full investigation.

If a dispute arises during an audit, the auditor will aim to reach an agreement with the auditee.  Where this is not possible, the auditee should contact the General Manager who will undertake an investigation into the nature of the dispute, and inform the auditee in writing as to the decision.  The General Manager will also inform the auditee of the appeals procedure and further rights to take the matter to the IMS Reliance Governing Board. 

At any time, any interested party may make a complaint to IMS about you as a certificated supplier. In this event, we shall send you details of the complaint (excluding the identity of the complainant), and ask you to provide timely comment on the complaint. We would expect that you would propose appropriate corrective action. Depending on your response, we would take note for subsequent surveillance visits, and might require a further audit (see Step 8).

6. Accredited Scope

Currently, IMS offers certification to organisations for a number of sectors. If you would like to check whether IMS is accredited for your organisation's activities, please contact our offices.

7. Rules governing the use of the Certification Mark etc.

The certification mark is used as part of a set.

a. the certification mark shows that the firm has been certificated by IMS to ISO 9001 or ISO 14001, or has had product certified to a specific standard or other normative document;

b. the accreditation mark shows that the certification was accredited by UKAS;

c. the TickIT mark shows that the certification was accredited as meeting the requirements of the TickIT scheme.

The range of logos that may be used, as appropriate, are as follows:

For quality and environmental management system certification the marks may be used on stationery including sales brochures; they may not be used on products, associated documentation, or certificates. They may be used in electronic form where the use is akin to that of stationery, but not where they may seem to be associated with a product.

For product certification, the marks may only be used in connection with a product manufactured under the product conformity scheme against which certification has been granted, and should only be used to indicate conformity with the requirements of that scheme.  The marks should not be used to claim or imply that the products meet any requirements outside the standard against which they have been certified.

The UKAS and TickIT marks may not be used on vehicles. The marks may not be used on laboratory test and calibration reports.

The marks shall be not less than 20mm in height, and shall (apart from the TickIT mark) be a single colour only, which may be red, brown, black, dark blue, gold or the predominant colour of the letterhead in the case of pre-printed letterhead paper.

The TickIT mark may be in colour. In this case, the monochrome part shall be the same colour as the other marks with which it is used. The main part of the arrow shall be Pantone red 032 (solid magenta and solid yellow); the shadow part of the arrow and the "IT" shall be Pantone warm grey 8 (30% black).