Requirements for Certification as an. IRCA Auditor (All Schemes)

Requirements for Certification as an IRCA Auditor (All Schemes)

Requirements for Certification as an IRCA Auditor (All Schemes) Contents Note: This contents is hot-linked. Click on a section to be taken to that page 1. Introduction to IRCA Auditor Certification p. 3-4 2. Certification Grades and Summary of Grade Applicabilities p. 5 3. Instructions for Initial Certification, Maintenance of Certification, Renewal of Certification and Changing Your Certification Grade (Regrade) p. 6-8 3.1 How to: Make an initial application p. 6 3.2 How to: Maintain your certification p. 7 3.3 How to: Renew your certification p. 7 3.4 How to: Regrade p. 7 3.5 IRCA s evaluation process: What we do p. 8 4. Essential Guidance for Application p. 9-15 4.1 General p. 9 4.2 Guidance on educational requirements p. 9 4.3 What audits do we accept for certification? p. 9-11 4.4 What training course certificates does IRCA accept? p. 11-12 4.5 Guidance on continuing professional development (CPD) p. 12-14 4.6 Guidance on work experience p. 14-15 4.7 Guidance on flexibility and potential concessions within IRCA s criteria p. 15 5. Auditor Certification Criteria p. 16-19 5.1 Internal Auditor and Provisional Internal Auditor p. 16 5.2 Auditor and Provisional Auditor p. 17 5.3 Lead Auditor p. 18 5.4 Principal Auditor p. 19 6. Renewal of Certification Criteria and Requirements p. 20-22 7. Terms and Conditions p. 23-24 7.1 Appeals and complaints p. 23 7.2 Enforcement of certification p. 23 7.3 Confidentiality p. 23 7.4 Legal status p. 23 7.5 Fees p. 23-24 IRCA 1000 (Rev 1) 15.04.2013

Appendix I p. 25-58 Scheme-specific requirements and guidance are given for the following: Appendix II Part 1 - Quality Management System Auditor Scheme p. 25 Part 2 - Environmental Management System Auditor Scheme p. 26 Part 3 - Occupational Health and Safety Management System Auditor Scheme p. 27 Part 4 - Information Security Management System Auditor Scheme p. 28-29 Part 5 - Information Technology Service Management System Auditor Scheme p. 30 Part 6 - Business Continuity Management System Auditor Scheme p. 31-32 Part 7 - Energy Management System Auditor Scheme p. 33 Part 8 - Pharmaceutical Management System GMP Auditor Scheme p. 34-36 Part 9 - Aerospace Quality Management System Auditor Scheme p. 37-40 Part 10 - TickIT Auditor Scheme p. 41 Part 11 - Food Safety Management System Auditor Scheme p. 42-44 Part 12 - Social Systems Auditor Scheme p. 45-46 Part 13 - EICC-GeSI Auditor Scheme p. 47-49 Part 14 - Maritime Auditor Scheme p. 50-52 Part 15 - SSiP Assessor Scheme p. 53-58 Definitions p. 59 Appendix III IRCA Code of Conduct p. 60 Copyright IRCA 2012 All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means electronic, mechanical, photocopying, recording or otherwise without prior permission of the International Register of Certificated Auditors (IRCA). 2

1. Introduction to IRCA Auditor Certification Commitment to professionalism IRCA auditor certification demonstrates your commitment to the profession through: a) Your demonstration of required knowledge and skills, gained through work experience, training and audit experience, to: Plan and organise an audit of a management system (MS) Identify, understand and audit relevant business processes Sample and evaluate audit evidence, and determine the effectiveness of a management system Report audit findings and conclusions accurately Communicate clearly, both orally and in writing, with personnel at all levels of an organisation Plan, organise and lead the audit team, and manage the audit process. b) Your adherence to principles of proper ethical conduct, fair presentation and due professional care, as articulated in the IRCA Code of Conduct c) Your commitment to continuing professional development (CPD) d) Your commitment to provide value to: The users and stakeholders who rely on management systems audits to establish if the organisation s management system can consistently meet customer and applicable regulatory requirements The auditee by providing management with information regarding the organisation s ability to meet its management system-related business objectives; identifying problems that may prevent the client from meeting its management system-related business objectives; and identifying meaningful opportunities for improvement, as well as those areas of risk that are not yet identified or managed. When you achieve IRCA auditor certification, you join over 14,000 management systems auditors in over 120 countries who share your professionalism and commitment, and benefit from: A globally recognised qualification, valued and often required by employers and clients Entry on to our publically available online register of auditors, which is used by employers globally Your individual certification card, to demonstrate your certification to clients and employers Your auditor certification logo, for you to use on your stationery and documents The IRCA system of continuing professional development, to support your career progression through always being able to demonstrate a currency of skills and knowledge. 3

The IRCA schemes To be efficient and competitive, business and industry needs competent auditors. The purpose of our management systems auditor certification schemes is to provide confidence through accredited certification, and to show business and industry that auditors certificated to these schemes are competent. As part of the certification process, we will evaluate you against requirements that reflect the key skills, knowledge and experience that define competence and which you, the management system (MS) auditor, need to possess and to demonstrate during an audit. Each scheme is based on a key standard, such as: ISO 9001: Quality management systems Requirements (latest issue) ISO 14001: Environmental management systems Requirements (latest issue), etc. And each scheme is influenced by the following auditing standards: ISO 19011: Guidelines for auditing management systems (latest issue) ISO 17021: Conformity assessment Requirements for bodies providing audit and certification of management systems (latest issue). Our award of certification means we have recognised that you understand and are competent (depending on the grade awarded) to: Uphold the principles of proper ethical conduct, fair presentation and due professional care Communicate clearly, both orally and in writing, with personnel at all levels of an organisation Plan and organise an audit of a management system Identify, understand and audit relevant business processes Sample and evaluate audit evidence, and determine the effectiveness of a management system Report audit findings and conclusions accurately Plan, organise and lead the audit team, and manage the audit process. The scope of certification is general. You may select from a list of up to six standard industry sectors in which you have acquired work experience. These details, although included within the register, are self-declarations and outside the scope of certification. The details of all certificated auditors are included within a register that is publicly available. The schemes are intended for: Auditors, eg those for whom auditing is a significant part of their role, including supply chain auditors, those employed by certification bodies/registrars, and those conducting audits within their own organisations Practitioners, eg consultants, audit programme managers, and others involved in auditing through the development and maintenance of management systems, auditor training and standards development. 4

2. Certification Grades and Summary of Grade Applicabilities Most auditor schemes have four main grades of certification and two provisional grades. However, some schemes have different/limited grades, or different terms (eg Assessor). Please refer to the respective appendix for further guidance on any scheme. Grade Applicability Guidance notes Internal Auditor Provisional Internal Auditor Auditor Provisional Auditor Lead Auditor Principal Auditor You should consider this grade if you conduct internal partial system audits of your organisation s management system, or a supplier s management system. It is likely that you will not be a fulltime auditor, and you may only audit a few times each year. Whilst the internal auditor grade requires the applicant to have conducted audits, the provisional grade does not. It is therefore appropriate for professionals who have attended an internal auditor training course, but that do not or have not had the opportunity to conduct audits, yet wish to receive formal recognition of their ability. The auditor grade is appropriate for those who conduct full system audits as a member of an audit team and/or as a sole auditor. They may be conducting internal full system audits, second-party full system audits, or conducting third-party audits for certification purposes but do not yet have sufficient experience of leading audit teams. Whilst the auditor grade requires the applicant to have conducted audits, the provisional grade does not. It is therefore appropriate for professionals who have attended an auditor training course, but that do not or have not yet had the opportunity to conduct audits. This grade applies to competent auditors experienced at managing audits and at leading audit teams. This would be the case for auditors working as audit team leaders for certification bodies or those who perform supplier audits for organisations. This grade is appropriate for Senior Audit professionals with an extensive and demonstrable history of conducting full system audits as lead auditors, who may no longer lead audit teams, or conduct audits on a regular basis. Principal Auditors are not required to submit evidence of audits at regrade, as they may have progressed into audit training or management roles. However, submission of any audits carried out is recommended. Partial system audits are audits that do not cover the entire management system in a single audit. They are commonly departmental, or focused on a particular process, procedure or requirement. It is important to note that the training course certificate is valid for initial application for a period of three years, after which it will no longer be accepted for auditor certification in an initial application. Internal full system audits are accepted. See 4.3 g (p.10). Training course certificates are valid for a period of three years, after which they will typically no longer be accepted for auditor certification in initial application (see 4.3b). However, once registered at the provisional auditor grade and as long as the CPD requirements are met, you will be eligible to apply to upgrade to Auditor and Lead Auditor status, should you start to conduct audits and lead audit teams at any point in the future. Internal full system audits are accepted. See 4.3 g (p.10). 5

3. Instructions for Initial Certification, Maintenance of Certification, Renewal of Certification and Changing Your Certification Grade (Regrade) 3.1 How to: Make an initial application Step 1 Select the grade you want to apply for by reviewing Section 2 of this document (p.5), and checking that you meet the requirements outlined in Section 5 (p.16) and the relevant scheme appendix (p.25-58), in terms of: Relevant work experience Required education/qualifications Required auditor training Required audit experience (except for provisional grades). Step 2 Complete the IRCA auditor certification application form (available at www.irca.org): Indicate which discipline(s) and grades you are applying for, and attach evidence as required. We accept applications and supporting documentation in the following languages: English Japanese Spanish. For all other languages, the application must be accompanied by a certified translation (into English) of the original text. This is particularly important for educational qualifications, training courses and work experience. Step 3 Submit your completed application form and fee: Current auditor certification application fees are available at the IRCA website (www.irca.org). You may submit your form electronically by email, or by post to: Email: Address: registration@irca.org IRCA, Chancery Exchange, 10 Furnival Street, London, EC4A 1AB, UK See the What we do later in this section to learn how we manage your application. Do not send the annual certification fee. If your application is successful, we will write and ask you to pay the annual certification fee. Step 4: Pay your first annual certification fee. After we have evaluated your application, we will communicate the grade of certification we can offer you or indicate what extra evidence is required to achieve auditor certification. If you wish 6

to accept our offer of certification, pay your first annual fee and you will receive your first IRCA auditor certification card, and be placed on the IRCA online register of auditors. Once your application is successful, we award certification for a period of three years beginning from the month we award certification. This three-year period is referred to as the certification period. During the certification period, at the end of the first and second years you may maintain certification by payment of the annual certification fee, and by compliance with the Code of Conduct. We don t, however, require you to submit any other documentation at the end of year one and year two. At the end of the third year, all certificated auditors are required to complete the triannual renewal of certification process. 3.2 How to: Maintain your certification Your entry onto the IRCA online register of certificated auditors is dependent on you paying your annual certification fee every 12 months (starting from your initial certification date) and by compliance with the IRCA Code of Conduct. 3.3 How to: Renew your certification We don t require you to submit any other documentation at the end of year one and year two. At the end of the third year, all certificated auditors are required to complete the renewal of certification process by providing evidence of continuing professional development, audit experience (depending on grade) and declarations of ongoing compliance with the IRCA Code of Conduct, including any complaints against you. If you are successful at renewal, we will award you certification for a further three-year certification period, and so on. Please refer to Section 6 (p.20) for the grade-specific renewal criteria. We will write to you two months prior to your certification expiring to remind you that your renewal is due. 3.4 How to: Regrade You can apply to be regraded at any time. When we offer you initial certification, we will indicate the audit experience and competencies you need to attain the next grade(s) of certification. To apply for regrade, you should complete IRCA/106 log sheets, enclose any additional information requested, and send it to us with the regrade fee. Please visit www.irca.org for costs. A successful application for regrade will not normally result in a change to your renewal of certification date. There is no regrade fee if you are regraded as part of the (three-year) renewal of certification process. Please contact us if you need any further advice on how to regrade. 7

3.5 IRCA s evaluation process: What we do We usually take about four weeks to process each application, but that time may vary depending on the time required to verify the information submitted with the application. Giving us all the information we need will speed up the application process, which has four stages: 1) Administrative check All applications are checked first by our certification staff to make sure you have included all of the information that we need. 2) Technical evaluation This phase is performed by IRCA's technical experts; the reviewing officers. The reviewing officers evaluate the information submitted against the certification requirements, then they will perform a verification of some or all of this information. At the conclusion of the technical evaluation, the reviewing officers will make a recommendation on certification to the certification manager. We consider verification to be an essential element supporting the overall credibility of the certification process. Consequently, great care is taken by the reviewing officers in reviewing and verifying applications against all aspects of the certification requirements. We will perform the evaluation as speedily as we can, but sometimes it is not possible to be as quick as we (or you) would like. Processing your application is likely to take longer if you have unusual educational qualifications, if your current (or former) employers are slow to provide verification information, or if the auditee organisations are not helpful. Typically, certification decisions will be made based on the documented information provided by the applicant. However, IRCA will, at its own discretion, invite a number of applicants for interview to verify the information provided, and evaluate the understanding of the auditor. 3) Certification The final decision on your certification is made by the certification manager. The certification decision is performed independently of the technical evaluation process detailed above. 4) Offer and award of certification The certification manager will write to you formally with an offer of certification to the appropriate grade. We will send you this offer and ask you to pay your first annual fee. Certification will be awarded when we receive your payment of the annual fee. Your details are then added to our online register of certificated auditors, and we will send you your certification card. Although the card is issued to you, it remains our property and you must return it to us should we ask you to. The IRCA certificate is intended for display as a formal recognition of your certification to a specific grade you should not use it as proof of certification. Please contact us if you wish to purchase a certificate. 8

4. Essential Guidance For Application 4.1 General a) Certification is available, without restriction, to all individuals worldwide who satisfy the certification requirements. b) You must meet the requirements within Section 5 (Auditor Certification Criteria) and any additional requirements contained within the respective scheme-specific requirements (see Appendix I). 4.2 Guidance on educational requirements a) All qualifications submitted must be supported by documentary evidence. An example of acceptable evidence would be a good-quality photocopy of the original certificate indicating the awarding body, the title and date of the award, and the name of the person to whom the award was made. If any of this information is not available or not clear, we may ask you to supply us with more evidence. The same applies if a copy of a certificate is not available, such as when it has been lost or destroyed for example. Acceptable evidence would include an official letter from the awarding body confirming the award. A transcript of an award (ie an official, detailed account of the course content) would also be acceptable evidence if it clearly states the date and title of the award. If no documentary evidence can be supplied by the awarding body, it is unlikely we would accept your qualification. IRCA reserves the right to verify this information with the relevant organisation and/or individual(s). b) Where our criteria states degree or near degree, all postgraduate diplomas, undergraduate and postgraduate degrees awarded in a relevant subject will normally be accepted. c) We use the UK definition of a degree as the degree benchmark. But we recognise that not all degrees awarded in the UK and in other countries meet this standard. Many fall just short, either in content or in duration, and we call these near degrees. For the purposes of auditor certification, we recognise a near degree as meeting the tertiary education requirement. 4.3 What audits do we accept for certification? a) Normally, we will only accept audits performed during the previous three-year period. We define previous period as being that period immediately prior to the date that we received your completed application. b) Audits can only be accepted once the respective training course has been successfully completed. (For example, lead audits conducted before a Lead Auditor course has been successfully completed will not be counted). c) We will only accept audits that have been performed in accordance with the auditing guidance standard ISO 19011 or ISO 17021, and against the relevant ISO standard for the scheme you are applying for (or an alternative standard we accept as being equivalent). Audits performed against alternative national, international or company standards may be acceptable. d) We must be able to verify all audit experience you submit in your log sheets. Please make 9

sure you include detailed information of the audits you perform, and provide sufficient contact details so that we are able to perform a verification. e) Applying for second and subsequent auditor schemes: If you are already certificated as an Auditor, Lead Auditor or Principal Auditor on one of our other schemes and you are applying for certification or regrade to a second or subsequent scheme, then a minimum of 75% of the audit days shall need to be relevant to the scheme you are applying for. The remainder may be relevant to the scheme(s) you are already certified for. Note: This does not apply to renewal, where you need to demonstrate that you meet the audit requirements for each scheme. f) Acceptability of combined/integrated audits: For new applications, where two or more standards are being audited during a combined/integrated management system audit, we will only accept the audit days allocated to the relevant scheme for which you are applying. For recertification, where two or more standards are being audited during a combined/integrated management system audit, the full audit duration will be accepted. g) Acceptability of internal audits: We will consider accepting internal audits for Auditor, Lead Auditor and Principal grades, providing you can demonstrate that the audit was of the full management system covering all clauses and requirements of the applicable management system standard, and that it was of a part of the organisation from which you are entirely independent (eg separate business unit or sister company). Audits submitted must demonstrate this. We require you to submit, with your audit log; An organisation structure diagram of the company, showing the auditor s independence from the system audited A sample audit report Any other information that you feel is supportive and relevant, such as written description of the type of audit, charts, reports, etc. h) Acceptability of consultancy audits: We will accept audits performed by you when acting as a consultant for a client if all of the following are satisfied: The client (auditee) already had a fully established management system prior to the audit You had no part in setting up the management system being audited (except in such specific circumstances as described below) You were independent of the auditee The scope of the audit included all elements of the management system. We will also accept pre-assessment audits performed by you on a management system that you were involved in developing, if the certification body subsequently awarded certification at the first attempt. 10

i) Acceptability of surveillance (partial system) audits: We do not normally accept surveillance (partial system) audits when submitted for initial certification or at regrade (except for Internal Auditor). However, we do accept surveillance audits for renewal of certification. j) Acceptability of on-site and off-site audits: IRCA will only accept on-site audits that have involved a significant amount of interaction with the auditee(s). If the audit is limited to conducting a document review (eg records or data analysis), observation of work performed, completing checklists and sampling (eg products) without interaction with the auditee(s), it is not acceptable. Further, significant onsite preparation time (eg half a day) may not be counted towards the days on site. A maximum of one day s off-site per audit will be accepted. k) Acceptability of remote audits: IRCA will accept remote audits as a substitute for the required on-site audit days, where there has been as much interaction between the auditor and the auditee as would occur during an on-site audit. Interaction may be achieved remotely through such means as video conferencing, document and record-sharing systems, etc (remote audit activities are performed at any place other than the location of the auditee, regardless of the distance). If you have conducted extensive remote audits that you feel are suitable, please provide additional information including the scope and nature of the audit, and, if possible, supporting documentation such as audit plans and reports. l) Acceptability of audits to standards other than those issued by the ISO: We will accept audits performed against standards that we have evaluated as being equivalent to the relevant ISO standard. We maintain a list of acceptable alternative standards for each auditor scheme, but it is possible that you may claim audits against a standard that is not on this list. We have a formal process for evaluating new standards, and you are advised to contact us for advice where you consider an alternative standard may be acceptable to us. m) Audits we do not accept: Audits of the same management system that are repeated more frequently than once every 12 months Audits of less than one day s duration (six hours of audit activity, exclusive of breaks), except for the internal auditor grade, where we will accept audits of three hours exclusive of breaks Gap analysis, close out or follow-up visits Audits performed before successful completion of the formal training requirement Audits performed outside the accepted three-year period. 4.4 What training course certificates does IRCA accept? a) We are looking for you to have a certificate for the successful completion of an IRCAcertified training course. IRCA does accept a very small number of non-irca-certified 11

training courses as being equivalent to its own courses. Please refer to this page on our website: http://www.irca.org/en-gb/certification/how-to-apply/accepted-alternatives/ or contact head office for information about accepted alternatives. b) You should normally have successfully completed auditor training within the three-year period immediately prior to application for certification. We may accept training completed prior to this period if you provide evidence of recent and relevant continuing professional development (CPD), work experience and currency of your auditing skills. We advise you to refer to the IRCA website (www.irca.org) for a current listing of all IRCA-certified training organisations offering IRCA-certified management system auditor training courses. c) All training course certificates submitted must be supported by documentary evidence. An example of acceptable evidence would be a good-quality photocopy of the original certificate indicating the awarding body, the title and date of the award, and the name of the person to whom the award was made. If any of this information is not available or is not clear, we may ask you to supply us with more evidence. If no documentary evidence can be supplied by the awarding body, it is unlikely we would accept your training course certificate. IRCA reserves the right to verify this information with the relevant organisation and/or individual(s). d) IRCA does not accept certificates of attendance. Certificates must be of successful completion of a course. The only exception to this rule is that IRCA will accept a certificate of attendance of an Auditor/Lead Auditor course, as meeting the training requirement for the Internal Auditor grade. 4.5 Guidance on continuing professional development (CPD) CPD is a framework that encourages you to continuously update your professional knowledge, personal skills and competencies. The purpose of CPD is to make you more effective as an auditor, and to make the auditing profession more credible. The concept of CPD and the value it contributes is now recognised and accepted throughout all professional fields. Any CPD submitted must be in subjects that are broadly related to auditing and the relevant management system. Because there are so many topics that we recognise will enhance your auditing competence, we do not attempt to list them all here. But we categorise them into four areas and three types. We also provide guidance here on what the focus of your CPD should be, and the approach you should take to conducting CPD: CPD Areas (not in order of significance): 1) Management system related (eg learning about a new standard or learning about updates to standards). 2) Auditing related (eg auditor skills refresher training). 3) Technical knowledge related (eg legislation and regulatory updates, industry changes, relevant technology changes, technical process knowledge and other technical knowledge that will enable you to audit more effectively). 4) Soft skills training (eg communication skills, conflict resolution and negotiation, personal effectiveness, creative problem solving, strategic thinking, management/business training, team building, influencing skills and other related training). 12

CPD Types 1. Unstructured Included in this category would be; Reading and contributing to a relevant online forum such as IRCA s discussion group on LinkedIn is also accepted Reading IRCA INform, our e-magazine available from www.irca.org Distance and open-learning study that is not assessed and does not lead to a qualification The reading of professional and technical journals, books and other publications. 2. Semi-structured Included in this category would be; Non-interactive lectures, talks etc Professional body meetings The research, preparation and first delivery of lectures/courses Technical research, either at work or at an external institution Forms of open and distance-learning that involve assessment, and that result in the acquisition of a qualification. 3. Structured Note: Repeated training deliveries and lectures/presentations cannot be counted more than once. Included in this category would be; Relevant aspects of on-the-job training and development where specific outcomes have been planned, identified and recorded by you (only new activities, training and development will be considered). General day to day tasks, activities that do not help maintain/enhance your skills as an auditor, or that are not relevant to auditing, will not be accepted Interactive and highly participative training courses Seminars and formal lectures Active participation in the development of applicable standards. CPD Focus CPD should be focused on appropriately developing ones knowledge and skills to maintain ones effectiveness as an auditor. In determining what your CPD objectives should be, you should consider: 1. What has changed/ is changing? This could be a standard update, a technical change 13

(such as to legislation or regulation) or an important change in industry, such as technology or techniques used 2. What your strengths and weaknesses are 3. What your ambitions are for the future are 4. Feedback you have been given. CPD Approach You should consider carefully what CPD you wish to do in the three-year certification period. You should identify some objectives early on, and plan your CPD activities in advance to ensure you continue to meet the CPD requirements. You may conduct CPD in a number of ways (types and areas). IRCA will not prescribe how you should accomplish your personal CPD objectives, however IRCA will normally only accept a maximum of 20 hours unstructured CPD. In certain circumstances, IRCA may accept a greater number of hours of unstructured CPD, if the auditor can demonstrate; a) Good reason for not conducting enough semi-structured or structured CPD b) That there have been no significant changes that would warrant a semi-structured or structured approach. (For example; an update to the standard may require formal update training). If you have conducted 45 hours of CPD, but IRCA determines that you have not conducted CPD in a specific area that it believes to be critically important, IRCA will advise you of this and you will be required to submit evidence of this CPD to IRCA within an agreed timeframe. For each CPD entry on your log, you are required to state/describe: 1. What type of CPD it was 2. What areas the CPD was focused on 3. What skills/knowledge you have gained, and how these have enhanced your capabilities as an auditor 4. The contact details of someone who can confirm that the CPD took place (for structured and semi-structured). It is your responsibility to provide a case for acceptance of any activity you submit, and this must be supported by sufficient and appropriate evidence, such as records of your activities, provision of the contact details of someone who can verify that the CPD took place (for nonindependent CPD) and any formal certificates or qualifications you may have received. Completing the CPD log sheet clearly, fully and providing an accurate description of the CPD undertaken and the skills/knowledge attained, will help ensure your CPD log is accepted. 4.6 Guidance on work experience a) Please refer to the scheme-specific appendix document and the guidance section of the application form for information about what will be accepted as experience relevant to the auditor scheme you are applying for. b) Short periods of training cannot be included in this work-experience requirement, 14

however apprenticeships and the like may be considered as acceptable work experience. Please provide additional information if you wish any training to be considered towards your work experience. 4.7 Guidance on flexibility and potential concessions within IRCA s criteria For any auditor certification grade on any IRCA scheme, IRCA may certificate an auditor who does not meet fully the criteria as displayed, so long as the auditor can demonstrate their competence and suitability for the grade by other means. To be considered for a certification grade for which you do not fully meet the criteria, please provide the following with your application: A cover letter highlighting which grade you are seeking to be certified for (this letter should also explain why you believe yourself to be suitable for this grade) A copy of your curriculum vitae All relevant training certificates and educational certificates A recommendation from an IRCA-certified Lead/Principal Auditor (if possible) Any other supporting documentation, for example an auditor certification from another auditor-certification body Completed IRCA audit logs and CPD logs to support your application. Note: The certification process will still require you to make a non-refundable application payment before your application can be formally reviewed. IRCA will review applications that request such concessions on a case-by-case basis, and will provide a full and justified explanation for any decisions made. Any flexibility or concessions to the IRCA requirements will be entirely at the discretion of the Certification Manager. 15

5. Auditor Certification Criteria Below are the generic IRCA criteria for becoming an auditor. You must refer to and meet the additional scheme-specific requirements within the relevant part of Appendix 1 also. 5.1 Internal Auditor (see the bottom of the page for Provisional Internal Auditor) Education At least to secondary education level. Work experience Four years full-time experience, or two years with a degree or near degree One year s full-time experience relevant to the auditor scheme. Auditor training A relevant IRCA-certified Foundation course and a relevant IRCA-certified Internal Auditor training course or The relevant IRCA-certified Auditor/Lead Auditor training course (refer to 4.4 for guidance on what training IRCA accepts). Note: IRCA will consider, on a case-by-case basis, auditors applying for an internal auditor grade that have successfully completed an Internal Auditor course, but not the respective Foundation course. The decision will be based on the information provided in the work experience and sector understanding parts of the application form. Auditing experience You need to have performed at least five internal audits, each of which must have been of at least three hours duration, have included all elements of the audit cycle audit planning, document review, auditing, interviewing and audit reporting and must not have involved areas or activities in which you yourself perform. However, we will accept audits of activities for which you are directly or indirectly responsible, eg as a line manager. (Refer to 4.3 for guidance on what audits are accepted.) Provisional Internal Auditor No audits are required. All other requirements are the same as those for an Internal Auditor. 16

5.2 Auditor (See the bottom of the page for Provisional Auditor) Education At least to secondary education level. Note: If you have a degree or near degree level qualification, we will reduce the requirement for work experience. Acceptable qualifications include those awarded by an institution recognised by a national governmental body or accredited by a national professional body. Work experience Four years full-time experience, or three years with a degree or near degree Two years full-time experience relevant to the auditor scheme you are applying for. Please refer to the scheme-specific appendix document for information about what will be accepted as experience relevant to the auditor scheme you are applying for. Auditor training A relevant IRCA-certified Auditor/Lead Auditor training course or The relevant IRCA-certified Auditor/Lead Auditor Conversion training course only acceptable if you have previously completed a five-day Auditor/Lead Auditor training course in another discipline. (Refer to 4.4 for guidance on what training IRCA accepts.) Auditing experience You need to have performed at least four full management system audits covering all clauses (requirements) of the applicable management system standard. Auditing activity must include document review, preparation and performance of on-site audit activities, and audit reporting. The total duration of these audits must not be less than 20 days, 15 of which must have been acquired on site. (Refer to 4.3 for guidance on what audits are accepted.) Note: Although we recommend you should complete all of the audits under the direction and guidance of an auditor competent as a team leader (one currently certificated as a lead auditor or who has equivalent competence), we acknowledge that for many auditors this will be very difficult and costly to arrange. Consequently, we will accept a minimum of one audit under these conditions. We may require this team leader to attest to your competence to audit as a team member. Provisional Auditor No audits are required. All other requirements are the same as those for an Auditor. 17

5.3 Lead Auditor Education At least to secondary education level. Note: If you have a degree or near degree level qualification, we will reduce the requirement for work experience. Acceptable qualifications include those awarded by an institution recognised by a national governmental body or accredited by a national professional body. Work experience Four years full-time experience, or three years with a degree or near degree Two years full-time experience relevant to the auditor scheme you are applying for. Please refer to the scheme-specific appendix document for information about what will be accepted as experience relevant to the auditor scheme you are applying for. Auditor training A relevant IRCA-certified Auditor/Lead Auditor training course Or the relevant IRCA-certified Auditor/Lead Auditor Conversion training course only acceptable if you have previously completed a five-day Auditor/Lead Auditor training course in another discipline. (Refer to 4.4 for guidance on what training IRCA accepts.) Auditing experience Four full management system audits as an auditor-in-training, totalling 20 days, including a minimum of 15 days on site and Three full management system audits as the leader of an audit team that includes at least one other auditor, totalling 15 days, 10 of which must have been spent on site. (Refer to 4.3 for guidance on what audits are accepted.) Note: Although we recommend you should complete all of the audits under the direction and guidance of an auditor competent as a team leader (one currently certificated as a lead auditor or who has equivalent competence), we acknowledge that for many auditors this will be very difficult and costly to arrange. Consequently, we will accept a minimum of one audit under these conditions. We may require this team leader to attest to your competence to lead an audit team. If you are already certificated to the relevant auditor grade, you need only perform the three lead audits as above. 18

5.4 Principal Auditor This grade is for Senior Audit professionals with an extensive and demonstrable history of conducting full system audits and lead audits. Principal Auditors may or may not conduct audits on a regular basis, as it is not uncommon for some to have progressed into managerial roles later in their career. Some examples of the sorts of individuals that may qualify for this grade include (but are not limited to): full-time third-party auditors, audit managers, certification managers, audit training and development personnel (including management system auditor training course designers), and persons involved in the development of relevant audit and management system standards (such as ISO 19011). Work experience Eight years full-time experience relevant to the auditor scheme you are applying for. Please refer to the scheme-specific appendix document for information about what will be accepted as experience relevant to the auditor scheme you are applying for. Other requirements Six years certification to Lead Auditor grade by IRCA (or acceptable alternative) prior to certification. Note 1: You must have completed six years certification as a Lead Auditor and meet the criteria for Lead Auditor certification at the second recertification (this is the earliest time possible to be eligible for Principal Auditor). If you have already completed two recertifications as a Lead Auditor, you may transition to Principal Auditor at any time. Note 2: You may choose to maintain your Lead Auditor certification, rather than progressing to Principal Auditor. However, you will need to continue to meet the renewal requirements for Lead Auditor if you do so. Or Submission of evidence of three years full-time employment as a management systems auditor with an accredited certification body (or demonstrable and significant evidence of contracted third-party audits with an accredited certification body). Note: Acceptable evidence of employment as a management systems auditor would typically include a letter from senior management confirming the duration and nature of the employment. 19

6. Renewal of Certification Criteria and Requirements You must renew your certification every three years, ie at the end of the third complete year. We will write to you two months before your certification period expires and ask you to send us your audit and CPD log, CPD objectives log and other documents. We will evaluate these against the renewal requirements listed below and make a certification decision. We will then write to you with the results. All criteria must be met for each individual scheme for which you hold certification. The renewal of certification process involves the following six requirements: 1) Continuing professional development (CPD) 2) Audit experience 3) Other requirements 4) Declaration of complaints 5) Compliance with the IRCA Code of Conduct 6) Payment of the annual fee. 1) Continuing professional development For Internal Auditor and Provisional Internal Auditor There is no CPD requirement. For Provisional Auditor, Auditor, Lead Auditor and Principal Auditor CPD Log: You must have completed at least 45 hours of appropriate CPD during the three-year period immediately prior to renewal of certification. (A maximum of 20 hours unstructured is permitted unless an exception is agreed with IRCA see guidance). Through CPD, you are required to demonstrate your currency of knowledge and skills through updates in subject areas within the four main categories, as stated in 4.5: Management system related Auditing related Technical knowledge related (eg legislation and regulatory updates) Soft skills training, eg communication skills, conflict resolution and negotiation, personal effectiveness, creative problem solving, strategic thinking, management/business training, team building, influencing skills or similar (not in order of significance). Note: CPD does not have to be conducted in all categories. You should identify CPD that is essential to maintaining your currency and effectiveness as an auditor, and CPD that can enhance your effectiveness as an auditor. 20

2) Audit experience We need you to record and submit your audit experience on the audit log sheets (IRCA/106) that we supply. For Internal Auditor: You need to have completed a minimum of five internal audits, the total duration of which must have been at least 15 hours. For Provisional Internal Auditor and Provisional Auditor There is no audit requirement. For Auditor: Five audits, two of which must be full system audits. Three of the five audits may be surveillance or partial system audits. Audit experience within the three-year certification period shall be not less than eight on-site audit days. You must have performed these audits within the previous three-year certification period. For Lead Auditor: Five audits, two of which must be full system audits. Three of the five audits may be surveillance or partial system audits. A minimum of one full system audit shall be while leading a team that includes at least one other person (a total team of two persons minimum). Note: IRCA may exercise discretion over this requirement, should the auditor have a substantial and demonstrable history of conducting lead audits. Audit experience within the three-year certification period shall be not less than eight on-site audit days. You must have performed these audits within the previous three-year certification period. For Principal Auditors: There is no formal audit requirement, however we strongly encourage you to submit a record of any audits that you do conduct, to support your application for recertification. Evidence of continuing involvement in auditing, such as the management of audit programmes, auditor training design or management, audit standards involvement and/or other responsibility in audit management, should be provided. 21

3) Additional Requirements For all grades other than Principal Auditor: There are no other requirements For Principal Auditor: You must submit evidence of continued work experience related to the relevant management system(s) and evidence of continued involvement in auditing or audit-related activities. 4) Declaration of complaints We need you to tell us about any complaints made against your professional conduct. It is important we know of any complaints, as we need to consider these as part of the renewal of certification process. We will investigate all instances of complaints. If complaints are made against your conduct and you do not declare them, the consequences will be far more serious and may result in suspension or withdrawal of your certification. 5) Compliance with the Code of Conduct We need you to make a declaration that you have always acted in compliance with the Code of Conduct (see Appendix III). 6) Payment of the annual fee And finally, we need you to pay the annual fee. Because the fee will be dependent on the grade we offer you after renewal, we do not ask you to pay this fee until we have completed renewal. We will write to you with the results of the renewal, enclosing the invoice and fee-due date. Failure to pay your annual fee within 28 working days of the date of the invoice will result in your certification being withdrawn, and the removal of your details from the online register. Once we have received your payment, we will write to you again enclosing your new certification card. 22

7. Terms and Conditions 7.1 Appeals and complaints You have the right to appeal against any certification decision taken by us. We operate a quality system that includes established procedures for considering appeals and complaints. 7.2 Enforcement of certification We enforce (ie suspend or withdraw) certification for three reasons: 1) If you fail to meet the certification criteria for the grade to which you are certificated. This enforcement occurs when you apply to renew your certification. In most cases, withdrawal will be preceded by an offer of an alternative grade, for a period during which you have the opportunity to meet the requirements of, and be reinstated to, the grade you originally held. 2) If you breach the Code of Conduct. We reserve the right to undertake action against your certification if we find you to have acted contrary to the Code of Conduct options available include suspending or, in instances of serious or sustained breach, withdrawing your certification. 3) If you fail to pay the requisite fees. 7.3 Confidentiality We undertake to consider as strictly confidential all information, correspondence and documentation you submit to us in support of your certification activities. We reserve the right to publish relevant details of each certificated auditor in our register, available online at www.irca.org. We reserve the right to disclose details of your certification record to other auditor certification and accreditation bodies. We will do so with discretion and only in instances where we consider withholding this information will compromise the integrity of certification, eg where we have taken action against (ie suspended or withdrawn) your certification, and you have applied to another auditor-certification body without fully disclosing your record while certificated by us. 7.4 Legal status The certification of auditors by us and all activities associated with the administration of the register is governed in accordance with English law, and is subject to the exclusive jurisdiction of the English courts. 7.5 Fees Fees are set annually and apply to the calendar year (1 January-31 December). Contact us direct or see www.irca.org for details of current fees applicable for your country. Application fee: We need you to pay this fee when you send in your application. Alternatively, we will invoice you on receipt of your application. This fee covers the costs of the application process and is not refunded if the application is unsuccessful. Failure to pay this fee will cause a delay in the processing of your application. 23