SAAS Certification Process Requirements SAAS Procedure 200 Social Accountability Accreditation Services, June 2010
Accreditation Process and Policies
SAAS Normative Requirements SAAS maintains a set of Procedures and Policies, revised between 2007 and 2008, that it follows in conducting accreditation work: SAAS Procedure 200 sets out the certification process requirements for Certification Bodies (CBs) undertaking the assessments of organizations against the SA8000 standard. SAAS Procedure 201 sets out the internal policies SAAS must follow in granting and maintaining accreditation of a CB by SAAS. SAAS Procedure 203 contains the qualifications and training requirements for accreditation auditors and SAAS staff. SAAS has also developed a set of Work Instructions that accreditation auditors must follow in undertaking document reviews, on-site office and witness audits, and review of corrective actions. 3
SAAS Normative Requirements In addition, SAAS requires implementation of several ISO documents: SAAS maintains procedures and policies in compliance with ISO/IEC 17011:2004, the international standard for accreditation bodies accrediting certification bodies. SAAS requires implementation of ISO/IEC 17021:2006 by all accredited CBs. 17021 is the international standard setting out requirements for bodies providing audit and certification of management systems. 4
Certification Process and Policies
SAAS Procedure 200 SAAS Procedure 200 is the document prescribing the procedures, criteria and methodology that a certification body (CB) must undertake in carrying out assessment of an organization for compliance with SA8000 certification. These requirements deal with CB audit processes, auditor qualifications, procedures and SA8000 certificates. Noncompliance to these rules results in the issuance of corrective action requests (CARs) and, if not corrected, suspension and ultimately cancellation of accreditation. 6
SAAS Procedure 200 Written for Certification Bodies. Sets out SA8000 certification process requirements. Established to provide consistency in SA8000 process. Supporting documents include: SA8000:2008 Procedure 201: SAAS Accreditation Policies Procedure 304: How to Make a Complaint / Appeal Procedure 406: Schedule of Fees Procedure 426: Use of the Mark 7
SAAS Procedure 200 Main elements of Procedure 200: Structural requirements of the CB Adherence to ISO/IEC 17021:2006 Conflict of interest and consulting restrictions Records maintenance Audit process requirements: Stage 1 and stage 2 audits Scope of certification Multi-site auditing Audit planning Issuance of nonconformities Surveillance frequency Audit team requirements, training, skills and evaluation Audit reports Management of complaints SA8000 certificate requirements On-site audit day requirements 8
SAAS Procedure 200 SA8000 certification authorized for implementation around the world in any industry except: Myanmar (Burma) until the ILO lifts its sanctions. Maritime until such a time when SAAS, in consultation with SAI, determines otherwise, in accordance with applicable ILO conventions. 9
CB Requirements The CB shall: Be legally identifiable. Be responsible for certification decisions. Have SA8000-specific procedures and perform internal audits. Have a common management system among offices. Conform to ISO/IEC 17021:2006. Have a complaints management system. Avoid conflicts of interest related bodies cannot provide consulting to certification clients within 2 years. Have documented procedures to ensure continuing effectiveness of its auditors including witnessed audits and continuing education. Maintain records including: audit reports, living wage calculation, audit day quotes, nonconformities, etc. 10
Audit Planning The audit plan shall include: Evaluation of all of the organization s social management system requirements. Assessment of the effectiveness of the system. Evidence of internal audits. Information gathered from local and regional experts and stakeholders. Pre-planning shall include: Process for determining sufficient wage level. A documented and implemented stakeholder engagement process. Appropriate language skills. Understanding the history and conditions of the client organization. 11
Audit Days Appendix 1 provides the required audit day table the CB shall follow. The overall time for the audit (stages 1 and 2) are expressed in auditor days includes the planning, off-site interviews, document review, on-site audit, and report writing. The audit days do not include time deemed necessary for engagement with external stakeholders. The CB shall calculate the time on the audit based upon: Sector complexity Perceived risk Number of employees Off-site worker interviews The number of workers is calculated considering the total number of workers paid by the client either directly or through an employment agency including: Seasonal Part-time Temporary workers Subcontractors Calculation of employees is based on worker totals during the high season. 12
Audit Process The certification process must address all elements of the SA8000 standard. The certification audit must have a 2 stage audit. Certification applies to all parts of a continuous process. Multi-site schemes are audited using a sampling process. Each on-site SA8000 audit must include these elements: Management systems Complaints response Worker training on SA8000 Effectiveness of corrective actions Health and safety Worker representative activities Working hours Wages Each shift must be audited on every audit. At least 30% of the audit time shall be used for worker interviews. 13
SA8000 Maintenance SA8000 certified facilities must undergo surveillance audits every 3 months. CBs must conduct a minimum of 1 unannounced audit in a three year cycle. The entire system must be re-assessed once every 3 years. The SA8000 certificate shall contain: Scope of the facility including address and activities Edition of the SA8000 standard, date of certification and date of expiration Remote sites that are included in the scope. The SA8000 mark A unique certificate number. 14
Nonconformities If fulfillment of a specified SA8000 requirement has not been demonstrated, the finding of a nonconformity (NC) may be reported. A corrective action request written as a result of an NC must have 3 parts: The statement of nonconformity The reference to SA8000 The objective evidence observed. Major NC: absence of or total breakdown of a system to meet an SA8000 requirement or likely to result in the failure of the SA8000 system or reduce the ability to assure control of policies to protect workers. Minor NC: an NC that is not likely to result in the failure of the system not systemic in nature. All NCs must be recorded. A client cannot be certified to SA8000 with open major NCs 15
Certification Process by CB of SA8000 Applicant 16
Accreditation and Certification Process 17
Audit Team Requirements SA8000 Lead Auditors shall be: Qualified by an accredited CB Qualified ISO 9001 or equivalent lead auditors (must be trained and experienced in ISO 19011 auditing processes) Trained at SAAS approved/accredited SA8000 courses Experienced, demonstrated by having: Served as a lead auditor on at least 3 accredited ISO systems audits Participated in at least 3 SA8000 certification or surveillance audits. SA8000 Team Auditors shall be: Employed or under contract to an accredited CB Qualified ISO 9001 or equivalent lead auditors (must be trained and experienced in ISO 19011 auditing processes) Trained at SAAS approved/accredited SA8000 courses Experienced, demonstrated by having: Participated in at least 3 accredited ISO systems audits Participated in at least 1 SA8000 audit. 18
Audit Team Requirements Audit Teams shall: Consist of qualified SA8000 auditors. Have at least one lead auditor. Have an expert worker interviewer. Have a team member or subject matter expert with relevant sector experience. Not have any team member who has provided consultancy for the client in the 2 years prior to the audit. Audit teams should have at least one expert with a background in worker rights. The CB shall evaluate auditor performance. Training Requirements: SA8000 basic auditor training course SA8000 advanced auditor training course (within 2 years of the basic) Continuing education, 12 hours annually, related to management systems auditing, CSR and SA8000 elements. 19
Audit Report The audit report shall: Include requirements set out in ISO 17021, 9.1.10. Address every SA8000 element with specific descriptive notations: Overtime Control of suppliers Wages Homework Freedom of association Health and safety. Include an overall description of the facility. Note the interview format used along with details. Reports must be submitted within 20 working days of the audit. The lead auditor is responsible for comprehensive reporting notes and checklists. 20
Complaints Process Accredited CBs must have a complaints system in place to accept and investigate complaints. The process shall include: Correspondence with the complainant. An investigation of the complaint. A report back to the complainant. An investigation may be aided by: An unannounced audit. Interviews with stakeholders. The investigation shall cover all elements identified in the complaint. The report shall include: The resolution of the complaint. The reasons for the conclusion. A summary of the documented evidence. The corrective action agreed upon and confirmation of evidence. Every 6 months, the CB shall report to SAAS a detailed report of all complaints. 21
SAAS Advisories to Procedure 200 Since the issuance of Procedure 200 in December 2007, SAAS has issued 5 supporting Advisories: Advisory 1: Complaints: sets out a more formal structure for CBs to manage complaints from stakeholders. Advisory 2: Auditor Training: clarifies the term equivalent used in Procedure 200 lays out the minimum number of audits an SA8000 auditor must experience in order to be qualified. Advisory 3 and 7: SA8000:2008: provides the timeline for transitioning all clients from SA8000:2001 to SA8000:2008. Advisory 4: Subcontracting: clarifies the provision in Procedure 200 for subcontracting SA8000 auditing work. Advisory 5: Auditor Training: provides continuing education requirements of SA8000 auditors. Advisory 6: Half Day audits: clarifies the requirements of the audit day table. Advisory 8: Accreditation Cycle: shifts the accreditation cycle from 3 years to 4 years for CBs. 22
Expected Changes to Procedures Since the issuance of Procedure 200 in December 2007, SAAS has also considered and implemented several changes or improvements to policies. Changes and pilots that have been considered by the SA8000 Advisory Committee include: Allowing facilities that meet risk and performance criteria to be moved from semi-annual surveillance audits to annual surveillance audits. Allowing audits in the maritime industry. Piloting enhanced stakeholder consultation methodology. Developing mixed audit team requirements. Piloting traceability or chain of custody certification systems. Updating the SA8000 applicant status program. 23