SAAS Certification Process Requirements
SAAS Procedure 200 and ISO/IEC 17021
Social Accountability Accreditation Services, June 2010

Accreditation Process and Policies
SAAS Normative Requirements
SAAS maintains a set of Procedures and Policies, revised between 2007 and 2008, that it follows in conducting accreditation work:
- SAAS Procedure 200 sets out the certification process requirements for Certification Bodies (CBs) undertaking the assessments of organizations against the SA8000 standard.
- SAAS Procedure 201 sets out the internal policies SAAS must follow in granting and maintaining accreditation of a CB by SAAS.
- SAAS Procedure 203 contains the qualifications and training requirements for accreditation auditors and SAAS staff.
SAAS has also developed a set of Work Instructions that accreditation auditors must follow in undertaking document reviews, on-site office and witness audits, and review of corrective actions.

SAAS Normative Requirements
In addition, SAAS requires implementation of several ISO documents:
- SAAS maintains procedures and policies in compliance with ISO/IEC 17011:2004, the international standard for accreditation bodies accrediting certification bodies.
- SAAS requires implementation of ISO/IEC 17021:2006 by all accredited CBs. 17021 is the international standard setting out requirements for bodies providing audit and certification of management systems.

Certification Process and Policies
SAAS Procedure 200
SAAS Procedure 200 is the document prescribing the procedures, criteria and methodology that a certification body (CB) must undertake in carrying out assessment of an organization for compliance with SA8000 certification. These requirements deal with CB audit processes, auditor qualifications, procedures and SA8000 certificates. Noncompliance with these rules results in the issuance of corrective action requests (CARs) and, if not corrected, suspension and ultimately cancellation of accreditation.

SAAS Procedure 200
- Written for Certification Bodies.
- Sets out SA8000 certification process requirements.
- Established to provide consistency in SA8000 process.
Supporting documents include:
- SA8000:2008
- Procedure 201: SAAS Accreditation Policies
- Procedure 304: How to Make a Complaint / Appeal
- Procedure 406: Schedule of Fees
- Procedure 426: Use of the Mark

SAAS Procedure 200
Main elements of Procedure 200:
- Structural requirements of the CB
- Adherence to ISO/IEC 17021:2006
- Conflict of interest and consulting restrictions
- Records maintenance
- Audit process requirements:
  - Stage 1 and stage 2 audits
  - Scope of certification
  - Multi-site auditing
  - Audit planning
  - Issuance of nonconformities
  - Surveillance frequency
- Audit team requirements, training, skills and evaluation
- Audit reports
- Management of complaints
- SA8000 certificate requirements
- On-site audit day requirements

SAAS Procedure 200
SA8000 certification is authorized for implementation around the world in any industry except:
- Myanmar (Burma), until the ILO lifts its sanctions.
- Maritime, until such a time when SAAS, in consultation with SAI, determines otherwise, in accordance with applicable ILO conventions.

CB Requirements
The CB shall:
- Be legally identifiable.
- Be responsible for certification decisions.
- Have SA8000-specific procedures and perform internal audits.
- Have a common management system among offices.
- Conform to ISO/IEC 17021:2006.
- Have a complaints management system.
- Avoid conflicts of interest: related bodies cannot provide consulting to certification clients within 2 years.
- Have documented procedures to ensure continuing effectiveness of its auditors, including witnessed audits and continuing education.
- Maintain records including: audit reports, living wage calculation, audit day quotes, nonconformities, etc.

Audit Planning
The audit plan shall include:
- Evaluation of all of the organization's social management system requirements.
- Assessment of the effectiveness of the system.
- Evidence of internal audits.
- Information gathered from local and regional experts and stakeholders.
Pre-planning shall include:
- Process for determining sufficient wage level.
- A documented and implemented stakeholder engagement process.
- Appropriate language skills.
- Understanding the history and conditions of the client organization.

Audit Days
Appendix 1 provides the required audit day table the CB shall follow.
The overall time for the audit (stages 1 and 2) is expressed in auditor days and includes the planning, off-site interviews, document review, on-site audit, and report writing. The audit days do not include time deemed necessary for engagement with external stakeholders.
The CB shall calculate the time on the audit based upon:
- Sector complexity
- Perceived risk
- Number of employees
- Off-site worker interviews
The number of workers is calculated considering the total number of workers paid by the client either directly or through an employment agency, including:
- Seasonal
- Part-time
- Temporary workers
- Subcontractors
Calculation of employees is based on worker totals during the high season.

Audit Process
- The certification process must address all elements of the SA8000 standard.
- The certification audit must have a 2 stage audit.
- Certification applies to all parts of a continuous process.
- Multi-site schemes are audited using a sampling process.
Each on-site SA8000 audit must include these elements:
- Management systems
- Complaints response
- Worker training on SA8000
- Effectiveness of corrective actions
- Health and safety
- Worker representative activities
- Working hours
- Wages
Each shift must be audited on every audit.
At least 30% of the audit time shall be used for worker interviews.

SA8000 Maintenance
- SA8000 certified facilities must undergo surveillance audits every 3 months.
- CBs must conduct a minimum of 1 unannounced audit in a three year cycle.
- The entire system must be re-assessed once every 3 years.
The SA8000 certificate shall contain:
- Scope of the facility including address and activities
- Edition of the SA8000 standard, date of certification and date of expiration
- Remote sites that are included in the scope
- The SA8000 mark
- A unique certificate number

Nonconformities
If fulfillment of a specified SA8000 requirement has not been demonstrated, the finding of a nonconformity (NC) may be reported.
A corrective action request written as a result of an NC must have 3 parts:
- The statement of nonconformity
- The reference to SA8000
- The objective evidence observed
Major NC: absence of or total breakdown of a system to meet an SA8000 requirement, or likely to result in the failure of the SA8000 system or reduce the ability to assure control of policies to protect workers.
Minor NC: an NC that is not likely to result in the failure of the system; not systemic in nature.
All NCs must be recorded.
A client cannot be certified to SA8000 with open major NCs.

Certification Process by CB of SA8000 Applicant
Accreditation and Certification Process
Audit Team Requirements
SA8000 Lead Auditors shall be:
- Qualified by an accredited CB
- Qualified ISO 9001 or equivalent lead auditors (must be trained and experienced in ISO 19011 auditing processes)
- Trained at SAAS approved/accredited SA8000 courses
- Experienced, demonstrated by having:
  - Served as a lead auditor on at least 3 accredited ISO systems audits
  - Participated in at least 3 SA8000 certification or surveillance audits
SA8000 Team Auditors shall be:
- Employed or under contract to an accredited CB
- Qualified ISO 9001 or equivalent lead auditors (must be trained and experienced in ISO 19011 auditing processes)
- Trained at SAAS approved/accredited SA8000 courses
- Experienced, demonstrated by having:
  - Participated in at least 3 accredited ISO systems audits
  - Participated in at least 1 SA8000 audit

Audit Team Requirements
Audit Teams shall:
- Consist of qualified SA8000 auditors.
- Have at least one lead auditor.
- Have an expert worker interviewer.
- Have a team member or subject matter expert with relevant sector experience.
- Not have any team member who has provided consultancy for the client in the 2 years prior to the audit.
Audit teams should have at least one expert with a background in worker rights.
The CB shall evaluate auditor performance.
Training Requirements:
- SA8000 basic auditor training course
- SA8000 advanced auditor training course (within 2 years of the basic)
- Continuing education, 12 hours annually, related to management systems auditing, CSR and SA8000 elements

Audit Report
The audit report shall:
- Include requirements set out in ISO 17021, 9.1.10.
- Address every SA8000 element with specific descriptive notations:
  - Overtime
  - Control of suppliers
  - Wages
  - Homework
  - Freedom of association
  - Health and safety
- Include an overall description of the facility.
- Note the interview format used along with details.
Reports must be submitted within 20 working days of the audit.
The lead auditor is responsible for comprehensive reporting notes and checklists.

Complaints Process
Accredited CBs must have a complaints system in place to accept and investigate complaints.
The process shall include:
- Correspondence with the complainant.
- An investigation of the complaint.
- A report back to the complainant.
An investigation may be aided by:
- An unannounced audit.
- Interviews with stakeholders.
The investigation shall cover all elements identified in the complaint.
The report shall include:
- The resolution of the complaint.
- The reasons for the conclusion.
- A summary of the documented evidence.
- The corrective action agreed upon and confirmation of evidence.
Every 6 months, the CB shall report to SAAS a detailed report of all complaints.

SAAS Advisories to Procedure 200
Since the issuance of Procedure 200 in December 2007, SAAS has issued 8 supporting Advisories:
- Advisory 1: Complaints: sets out a more formal structure for CBs to manage complaints from stakeholders.
- Advisory 2: Auditor Training: clarifies the term "equivalent" used in Procedure 200; lays out the minimum number of audits an SA8000 auditor must experience in order to be qualified.
- Advisory 3 and 7: SA8000:2008: provides the timeline for transitioning all clients from SA8000:2001 to SA8000:2008.
- Advisory 4: Subcontracting: clarifies the provision in Procedure 200 for subcontracting SA8000 auditing work.
- Advisory 5: Auditor Training: provides continuing education requirements of SA8000 auditors.
- Advisory 6: Half Day audits: clarifies the requirements of the audit day table.
- Advisory 8: Accreditation Cycle: shifts the accreditation cycle from 3 years to 4 years for CBs.

Expected Changes to Procedures
Since the issuance of Procedure 200 in December 2007, SAAS has also considered and implemented several changes or improvements to policies. Changes and pilots that have been considered by the SA8000 Advisory Committee include:
- Allowing facilities that meet risk and performance criteria to be moved from semi-annual surveillance audits to annual surveillance audits.
- Allowing audits in the maritime industry.
- Piloting enhanced stakeholder consultation methodology.
- Updating the SA8000 applicant status program.

ISO/IEC 17021:2006
Conformity assessment - Requirements for bodies providing audit and certification of management systems

ISO/IEC 17021 Structure
Ten Sections:
- 1 Scope
- 2 Normative references
- 3 Terms and definitions
- 4 Principles

ISO/IEC 17021 Structure
Ten Sections, 6 Normative:
- 5 General requirements
- 6 Structural requirements
- 7 Resource requirements
- 8 Information requirements
- 9 Process requirements
- 10 Management system requirements

General requirements for management system certification bodies
Significant changes from previous normative document (ISO Guide 62):
- 10 Management system requirements for management system certification bodies
- 9.2.3 Initial certification audit
  - 9.2.3.1 Stage 1 audits
  - 9.2.3.1 Stage 2 audits
- Incorporation of ISO 19011:2002 as a normative document
- 9.9 Records on certified clients (better definition of required records)

10 Management system requirements for management system CBs
The CB shall establish and maintain a management system in accordance with 10.1 or 10.2.
This replaces the requirement of ISO/IEC Guide 62, 2.1.4 Quality System.

10 Management system requirements for management system CBs
10.1 Option 1: Management system requirements in accordance with ISO 9001
The certification body shall establish and maintain a management system, in accordance with the requirements of ISO 9001, that is capable of supporting and demonstrating the consistent achievement of the requirements of this International Standard.

10 Management system requirements for management system CBs
This makes the ISO 9001 standard normative and requires all CBs to meet the requirements of ISO 9001.
What does this mean to us and the CB?

10 Management system requirements for management system CBs
More requirements!
Since all ISO 9001 requirements apply (except for allowable exclusions), the CB will have to have:
- Quality Manual
- Quality Objectives
- Continuous Improvement Process (Including Preventive Actions)
- Measurement of Customer Satisfaction
- Planning of Product Realization

10 Management system requirements for management system CBs
More requirements!
Most significant is the requirement to use the process approach to management (ISO 9001, 4.1 a).
This may also require that we audit using the process auditing approach. (We have typically done system audits.)

ISO/IEC 17021 Content
Section 1 - Scope: Contains principles and requirements for the competence, consistency and impartiality of the audit and certification of management systems of all types and for bodies providing these activities.

ISO/IEC 17021 Content
Section 2 - Normative references:
- ISO 9000:2005, Quality management systems - Fundamentals and vocabulary
- ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing
- ISO/IEC 17000:2004, Conformity assessment - Vocabulary and general principles

ISO/IEC 17021 Content
Section 3 - Terms and definitions: For the purposes of this document, the terms and definitions given in ISO 9000, ISO/IEC 17000 and the following apply.
- 3.1 certified client - organization whose management system has been certified
- 3.2 impartiality - actual and perceived presence of objectivity
- 3.3 management system consultancy - participation in designing, implementing or maintaining a management system

ISO/IEC 17021 Content
Section 4 - Principles: Clause 4 describes the principles on which credible certification is based. These principles underpin all the requirements in this International Standard, but such principles are not auditable requirements in their own right.

ISO/IEC 17021 Content
Section 4 - General: Principles for inspiring confidence include 4.2 impartiality, 4.3 competence, 4.4 responsibility, 4.5 openness, 4.6 confidentiality, and 4.7 responsiveness to complaints.

SA8000 Audit Hierarchy
Requirements Documents:
- SAAS: ISO/IEC 17011 and SAAS Procedure 201
- Certification Body: ISO/IEC 17021 and SAAS Procedure 200
- Client: SA8000 Standard

CB Structure Hierarchy
- CB Specific Requirements
- Industry/Legal Requirements
- SAAS Procedure 200
- ISO/IEC 17021
- Ground = Principles: impartiality, competence, responsibility, openness, confidentiality and responsiveness to complaints

General requirements for management system certification bodies
2 Normative references
The following referenced documents are indispensable for the application of this document.
- ISO 9000:2005, Quality management systems - Fundamentals and vocabulary
- ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing
- ISO/IEC 17000:2004, Conformity assessment - Vocabulary and general principles

10 Management system requirements for management system CBs
10.1.1 Scope
For application of the requirements of ISO 9001, the scope of the management system shall include the design and development requirements for its certification services.

10 Management system requirements for management system CBs
10.1.2 Customer focus
For application of the requirements of ISO 9001, when developing its management system, the certification body shall consider the credibility of certification and address the needs of all parties that rely upon its audit and certification services (as set out in 4.1.2), not just its clients.
For SAAS, this is a real positive that we may have to define specific requirements for.

10 Management system requirements for management system CBs
4.1.2 - The overall aim of third-party certification is to give confidence to all parties that rely upon certification... which includes but are not limited to:
- a) the certified organizations that are the clients of the certification bodies;
- b) the customers of the certified organizations;
- c) governmental authorities;
- d) nongovernmental organizations;
- e) consumers and other members of the public.

10 Management system requirements for management system CBs
10.1.3 Management review
For application of the requirements of ISO 9001, Clause 5.6.2 (Inputs to management review), the certification body shall include as input for management review, information on relevant complaints and appeals from users of audit services.
For SAAS, this means that any SA8000 complaints must be addressed in the CB's management review.

10 Management system requirements for management system CBs
10.1.4 Design and development
For application of the requirements of ISO 9001, when developing a new management system certification scheme, or adapting an existing one to special circumstances, the certification body shall ensure that the guidance given in ISO 19011, and which is appropriate to third-party situations, is included as a design input.

10 Management system requirements for CBs
Significant changes in the normative requirements from ISO/IEC Guide 62:
10.1 Options
The CB shall implement a management system in accordance with either
- a) management system requirements in accordance with ISO 9001 (see 10.2), or
- b) general management system requirements (see 10.3).

10 Management system requirements for management system CBs
10.2 Option 2: General management system requirements
The CB's top management shall establish and document policies and objectives for its activities.
The CB's top management shall appoint a member of management to ensure that:
- policies and procedures are established, implemented and maintained
- the performance of the system is reported to top management

10 Management system requirements for management system CBs
The system shall include:
- 10.2.1 Management system manual
- 10.2.2 Control of documents
- 10.2.3 Control of records
- 10.2.4 Management review
  - Review inputs
  - Review outputs
- 10.2.5 Internal audits
- 10.2.6 Corrective actions
- 10.2.7 Preventive actions

General requirements for management system certification bodies
Significant changes in the normative requirements from ISO/IEC Guide 62:
9.2.3 Initial certification audit now done in two stages:
The initial certification audit of a management system shall be conducted in two stages, which are described in Clauses 9.2.3.1 Stage 1 audit and 9.2.3.2 Stage 2 audit.

9.2.3 Initial certification audit
- 9.2.3.1.1 For most management systems, it is recommended that at least part of the stage 1 audit be carried out at the client's premises in order to achieve the objectives stated above.
- 9.2.3.1.2 Stage 1 audit findings shall be documented and communicated to the client, including identification of any areas of concern that could be classified as nonconformity during the stage 2 audit.

9.2.3.1 Stage 1 Audits
- 9.2.3.1.1 Stage 1 audits shall have an audit plan.
- 9.2.3.1.2 Normally the certification body shall perform the stage 1 audit of a client organization's management system on-site.
- 9.2.3.1.3 The stage 1 audit shall be performed to:
  - a) evaluate the applicant organization's location and site-specific conditions and to undertake discussions with the client organization's personnel to determine the preparedness for the stage 2 audit;
  - b) review the client organization's status and understanding regarding requirements of the standard;

9.2.3.1 Stage 1 Audits
- 9.2.3.1.3 The stage 1 audit shall be performed to:
  - c) collect necessary information regarding the scope of the management system, processes and location(s) of the client organization, and related statutory, regulatory aspects and compliance, e.g. quality, environmental, legal aspects of the applicant organization's operation, associated risks etc.;
  - d) review the allocation of resources for stage 2 and agree with the client organization on the details of the stage 2 audit;
  - e) provide a focus for planning the stage 2 audit;

9.2.3.1 Stage 1 Audits
- 9.2.3.1.3 The stage 1 audit shall be performed to:
  - f) evaluate if the internal audits and management review are being planned and performed effectively and that the level of implementation of the management system substantiates that the client organization is ready for the stage 2 audit.

9.2.3.1 Stage 1 Audits
- 9.2.3.1.4 Stage 1 audit results shall be documented and communicated to the client organization, including identification of any areas of concern that could be classified as nonconformity during the stage 2 audit.
- 9.2.3.1.5 Any part of the management system that is audited during the stage 1 audit and determined to be fully implemented, effective, and in conformity with requirements may not need to be re-audited during the stage 2 audit; however, the certification body has to ensure that the already audited parts of the management system continue to conform to the certification requirements.

9.2.3.1 Stage 1 Audits
- 9.2.3.1.5 (cont.) In this case the stage 2 audit report shall include these findings and clearly state that compliance has been established during the stage 1 audit.
- 9.2.3.1.6 In determining the interval between stage 1 and stage 2, consideration should be given to the needs of the client to resolve areas of concern identified during the stage 1 audit. The certification body may also need to revise its arrangements for stage 2.

9.2.3.2 Stage 2 Audit
The purpose of the stage 2 audit is to evaluate the implementation, including effectiveness, of the client's management system. The stage 2 audit shall take place at the site(s) of the client.

9.2.3.2 Stage 2 Audit
- 9.2.3.2.1 Stage 2 audits shall have an audit plan.
- 9.2.3.2.2 The stage 2 audit shall take place at the site(s) of the client organization. The purpose of the stage 2 audit is to evaluate the implementation and effectiveness of the client's management system.
- 9.2.3.2.3 The audit team shall conduct the stage 2 audit to gather audit evidence that the management system conforms to the standard and other certification requirements.

9.2.3.2 Stage 2 Audit
- 9.2.3.2.4 The audit team shall audit a sufficient number of examples of the activities of the client organization in relation to the management system and activities to get a sound appraisal of the implementation, including effectiveness, of the management system.
- 9.2.3.2.5 As part of the audit, the audit team shall address a sufficient number of the staff, including top management and operational personnel of the audited facility, to provide assurance that the system is implemented and understood throughout the client organization.

9.2.3.2 Stage 2 Audit
- 9.2.3.2.6 The audit team shall analyze all information and audit evidence gathered during the stage 1 and stage 2 audits to determine the extent of fulfillment with all certification requirements and decide on any nonconformity. The audit team may suggest possible areas for improvement, to be presented to the client organization as opportunities for improvement, but shall not recommend specific solutions.

9.2.3.2 Stage 2 Audit
- 9.2.3.2.7 The stage 2 audit shall cover an examination of the organization's processes which address at least the following:
  - a) information and evidence about conformity to all requirements of the applicable normative document;
  - b) performance monitoring, measuring, reporting and reviewing against key performance objectives and targets;
  - c) the system organization and performance as regards legal compliance;
  - d) operational control;

9.2.3.2 Stage 2 Audit
- 9.2.3.2.7 The stage 2 audit shall cover an examination of the organization's processes which address at least the following:
  - e) internal auditing and management review;
  - f) management responsibility for the client organization's policies;
  - g) links between policy, performance objectives and targets.

9.2.3.2 Stage 2 Audit
- 9.2.3.2.8 Post-audit activities shall cover at least the following:
  - a) a record of any identified and agreed nonconformities shall be left with the client prior to departure from the audit site;
  - b) establishing the audit report specified in 9.2.4.

ISO 19011:2000 Requirement
2 Normative references
The following referenced documents are indispensable for the application of this document.
- ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing.

ISO 19011:2000 Requirement
References to the requirements in ISO 19011:2002 include:
- 7.2.5 The certification body shall have a process for ensuring that the auditors it uses are competent both as auditors in the generic sense and for auditing in specific technical areas. Appropriate documented requirements to this effect shall be based on the guidance provided in ISO 19011, Clause 7.

ISO 19011:2000 Requirement
References to the requirements in ISO 19011:2002 include:
- 9.1.2 The CB shall ensure that an audit plan is established for each audit based on the guidance in ISO 19011.
- 9.1.3 The certification body shall have a process for selecting and appointing the audit team. This process shall be based on the guidance provided in ISO 19011.

ISO 19011:2000 Requirement
References to the requirements in ISO 19011:2000 include:
- 9.1.11 The certification body shall have a process for conducting on-site audits based on the guidance provided in ISO 19011, Clause 6.5.
- 9.2.4.3 The stage 2 audit report shall be based on the guidance provided in ISO 19011, Clause 6.6.1.

ISO 19011:2000 Requirement
References to the requirements in ISO 19011:2000 include:
- 9.3.3.1 For surveillance audits, the report from the audit team shall be based on the guidance provided in ISO 19011.

9 Better definition of records
9.9.2 Records on certified clients shall include:
- application information and initial, surveillance and recertification audit reports;
- justification of the methodology for sampling;
- justification for auditor time determination (see 9.1.5);
- verification of correction and corrective actions;
- records of complaints and appeals and any subsequent correction or corrective actions;
- committee deliberations and decisions, if applicable;

9 Better definition of records
9.9.2 Records on certified clients shall include:
- documentation of the certification decisions;
- certification documents including the scope of certification with respect to product, process or service as applicable, and related records necessary to establish the credibility of the certification.

General requirements for management system certification bodies
Significant changes in the normative requirements from ISO/IEC Guide 62:
9.6 Suspending, withdrawing or reducing the scope of certification
- Significant expansion in the requirements and details for suspensions leading to withdrawal of certifications
- 9.6.1 through 9.6.7 replaces 2.1.5.1 in Guide 62

General requirements for management system certification bodies
Significant changes in the normative requirements from ISO/IEC Guide 62:
9.9 Records on certified clients (better definition of required records)
- 9.9.1 through 9.9.4 replaces 2.1.8.1 & 2.1.8.2

ISO/IEC 17021 Summary:
- 17021 is a significant departure from Guide 62.
- All accredited CBs must be assessed for 17021 compliance prior to the end of September 2008.
- Auditors must be qualified in ISO 19011 and ISO 9001 to conduct 17021 audits.