Are you wondering how you will complete your internal audits? Or what you need to do to for your 3rd party registrar audits? Well, this blog contains some official documents to help you sort out fact from fiction so you can make a plan that works for your organization and is within the international "rules."
First, let's explain that the International Accreditation Forum (IAF) is the overarching organization that sets requirements (via mandatory documents) and guidance (informational documents) that apply to Accreditation Bodies (ABs) and Conformity Assessment Bodies (CABs). Your 3rd party registrar is a CAB. Here is a link to an overview of IAF. An IAF Informative Document reflects the consensus of IAF members to support the consistent application of requirements. However, IAF Accreditation Body Members, and the Conformity Assessment Bodies (CAB) they accredit, are not under any obligation to use or comply with anything in this document. These documents are useful guides.
Back in 2011, the IAF created an informative document Management of Extraordinary Events or Circumstances Affecting ABs, CABs and Certified Organizations Issue 1 (IAF ID 3: 2011). A pandemic qualifies! This document states that certification bodies are to define a plan in consultation with their clients: "An extraordinary event affecting a certified organization or CAB may temporarily prevent the CAB from carrying out planned audits on-site. When such a situation occurs, ABs and CABs, operating under recognised standards or regulatory documents need to establish (in consultation with certified organizations) a reasonable planned course of action."
Section 3 of the document lists several questions to assess risk for continuing certification and understand the certified organization’s current and expected future situation. An example question is: "If the certified organization is certified to a management system standard that requires a disaster recovery plan or emergency response plan, has the certified organization implemented the plan and was it effective?" You may want to read the full list of questions to assess your risks and prepare for the conversation with your registrar.
Section 3 also details the limits of delay time between the 3rd party audits (1st surveillance and re-certification audits have less flexibility than 2nd surveillance). With the potential of everyone wanting to delay their audits, it puts an incredible strain on the registrars and their auditors. Some registrars are gearing up for remote audits. This means your internal audits need to be completed, perhaps via remote access too.
One of the next questions that arises is related to remote auditing. Can they be done? How would/ could it be done? This applies to both internal and 3rd party audits. IAF defined a mandatory document in 2018 THE USE OF INFORMATION AND COMMUNICATION TECHNOLOGY (ICT) FOR AUDITING/ASSESSMENT PURPOSES Issue 2 (IAF MD 4:2018). IAF also created an informative document in 2015 Principles on Remote Assessment Issue 1 (IAF ID 12:2015). Both have useful information for remote audit planning.
There is an expectation that remote auditing under normal circumstances is limited to 30% of the overall audit time. However, COVID-19 is not a normal circumstances. If you want to see the tables for calculating required time for Quality, Environmental and Health and Safety audits, see the 2019 IAF mandatory document DETERMINATION OF AUDIT TIME OF QUALITY, ENVIRONMENTAL, AND OCCUPATIONAL HEALTH & SAFETY MANAGEMENT SYSTEMS Issue 4, Version 2 (IAF MD 5:2019).
What should you do?
Remember that we offer consulting and auditing services. We can help evaluate your audit program, provide auditing support, or teach your auditors how to audit whether on site or remotely.