1. APPLICATION FOR REGISTRATION

On receiving an enquiry for certification services, a client application form will be issued. Once it is returned, a contract review will be undertaken based on the information supplied to us by the applicant organisation. If the decision is to offer certification services to the applicant organisation, a quotation will then be issued. If the decision is taken that IQ Verify cannot offer certification services, the applicant organisation will be informed in writing, providing the decision and justification of the decision.

For those applicant organisations who are offered certification services, on acceptance of their quotation they will be required to sign the Client contract proposal and Client confidentiality form and return them to IQ Verify together with payment of the certification/registration costs. The audit will not be conducted until payment is received.

Once the documentation and payment have been received, arrangements will then be made to undertake the audit.

2. AUDIT METHOD

Audit duration will depend on the following variables:

  • Number of employees
  • Number of sub-contractors employed
  • Number of offices and locations
  • Geographical area where site or work is based
  • Other accreditations already in place
  • Number of scopes and activities undertaken

For registrations for Product audits (e.g. BS7499, BS102000, BS7858, BS7958) an initial audit will be required to evaluate whether a product fulfils the specified requirements, followed by an annual surveillance audit.

A product audit will be based on the relevant standard or code of practice for the sectors being audited; this will include any normative references called up in the standard i.e. BS7858 for the security services standards etc.

For registrations for Management System audits (e.g. BS/ISO 27001, ISO9001, ISO28000, PSC-1 / ISO18788, ISO14001) a two-stage audit is carried out as follows:

STAGE ONE

To audit the client's management system documentation, including:

  1. evaluate the client's location and site-specific conditions and to undertake discussions with the client's personnel to determine the preparedness for the stage two audit;
  2. review the client's status and understanding regarding requirements of the standard, in particular with respect to the identification of key performance or significant aspects, processes, objectives and operation of the management system;
  3. collect necessary information regarding the scope of the management system, processes and location(s) of the client, and related statutory and regulatory aspects and compliance (e.g. quality, environmental, legal aspects of the client's operation, associated risks, etc.);
  4. review the allocation of resources for stage 2 audit and agree with the client on the details of the stage 2 audit;
  5. provide a focus for planning the stage 2 audit by gaining a sufficient understanding of the client's management system and site operations in the context of possible significant aspects;
  6. evaluate if the internal audits and management review are being planned and performed, and that the level of implementation of the management system substantiates that the client is ready for the stage 2 audit.

Consideration shall be given to the needs of the client to resolve areas of concern identified during the stage 1 audit, before the stage 2 audit is arranged.

STAGE TWO

To evaluate the implementation and effectiveness of the client’s documented management system, through records and by interviewing relevant members of staff regarding their working practices, including:

  1. information and evidence about conformity to all requirements of the applicable management system standard or other normative document;
  2. performance monitoring, measuring, reporting and reviewing against key performance objectives and targets (consistent with the expectations in the applicable management system standard or other normative document);
  3. the client's management system and performance as regards legal compliance;
  4. operational control of the client's processes;
  5. internal auditing and management review;
  6. management responsibility for the client's policies;
  7. links between the normative requirements, policy, performance objectives and targets (consistent with the expectations in the applicable management system standard or other normative document), any applicable legal requirements, responsibilities, competence

If a product audit is conducted at the same time as a management system audit (i.e. ISO9001 Quality Management System) then a two-stage approach as described above will apply. However, if the organisation has applied for product audit only, a two-stage approach is not required.

Audit Report

IQ Verify will provide a written report for each audit (Stage one, stage two, initial, surveillance, recertification etc.). The audit team may identify non-conformities, areas of good practice or improvement opportunities but will not recommend specific solutions. Ownership of the audit report is maintained by IQ Verify.

The audit report will be prepared by the lead auditor and will provide an accurate, concise and clear record of the audit to enable an informed certification decision to be made and will include, within the report or the audit visit plan, or refer to the following:

  1. identification of IQ Verify;
  2. the name and address of the client and the client's management representative;
  3. the type of audit (e.g. initial, surveillance or recertification audit);
  4. the audit criteria;
  5. the audit objectives;
  6. the audit scope, particularly identification of the organizational or functional units or processes audited;
  7. identification of the audit team leader, audit team members and any accompanying persons;
  8. the dates and places where the audit activities (on site or offsite) were conducted;
  9. audit findings, evidence and conclusions, consistent with the requirements of the type of audit;
  10. any unresolved issues, if identified.

The auditor will use the report to discuss the outcome of the audit at the closing meeting. The report will be handed or emailed to the company on the last day of the audit or as soon as possible afterwards. The auditor will emphasise to the company that the report will be quality assured (QA) by IQ Verify before the auditor’s recommendation is confirmed or otherwise.

Possible findings during an audit

Non-conformity report (NCR)

  • Finding: For any findings where the standard is not met
  • Name: Non-conformity report (NCR)
  • Client response: Requires a response from the client within 21 working days, stating the root cause and corrective action. The information will be reviewed to see if the evidence supplied satisfies the requirements of the NCR. If the information is suitable the NCR will be reviewed by the certification panel and a decision made as to whether to certificate or continue certification. If the information is not sufficient, additional information will be requested. Where relevant, a revisit will be conducted to ensure that robust resolution of the NCR has been implemented. The findings will be checked on the next audit if a revisit is not deemed necessary. A revisit may be required for an NCR, or where several NCRs are raised and it is believed that there has been a breakdown in policies, process or service, although the majority should be signed off remotely. Note: there are no varying levels of NCR; the standard clause is either met or not.

Improvement opportunity (IO)

  • Finding: For any findings where the company is in danger of not meeting the standard, or where there is a failure that doesn’t warrant an NCR
  • Name: Improvement opportunity (IO)
  • Client response: No evidence required but will be checked on the next audit

Good practice (GP)

  • Finding: For any findings where the company is performing over and above the standard or doing something exceptionally well
  • Name: Good practice (GP)
  • Client response: No evidence required

Auditor's note (AN)

  • Finding: For anything that does not fit into the above categories, but still warrants a comment
  • Name: Auditor's note (AN)
  • Client response: No evidence required

Log Non-Conformities - For any Non-Conformities found during the audit, the lead auditor will complete an ‘IQV Audit Non-Conformities log’ listing the findings. Clients are required to complete this log providing root cause, corrective action and evidence to support the resolution of the finding(s) to [email protected] within 21 working days of the audit.

Review and closeout of Non-Conformities - IQ Verify will review the corrections, identified causes and corrective actions submitted by the client to determine if these are acceptable. IQ Verify will verify the effectiveness of any corrective actions taken. The evidence obtained to support the resolution of nonconformities will be recorded. The client will be informed of the result of the review and closeouts of findings.

Note: Verification of effectiveness of correction and corrective action will be carried out based on a review of documentation provided by the client, or where necessary, through verification on-site.

Revisits before closeouts - The client will be informed if an additional full audit, an additional limited audit, or documented evidence (to be confirmed during future surveillance audits) will be needed to verify effective corrective and protective actions before closeouts of findings.

Recommendation - The auditor will make a recommendation to the client at the closing meeting, which could include one of the following:

  • Recommended for Approval
  • Recommended, subject to the closure of any non-conformities
  • Re-visit required
  • Proceed to the next stage, where relevant
  • Not recommended

The auditor’s recommendation will be taken into consideration through the IQ Verify QA process, along with the audit evidence. Once reviewed by IQ Verify, approval will be granted, where relevant.

The Audit Report will also include a summary (which includes a brief history of the company, when it was established, including any changes since application or last audit i.e. change of personnel or employee or subcontracted numbers and confirmation of audit scope etc.) and an executive summary (which will include a brief synopsis of the audit, what went well, what didn’t, summary of findings, any trends established and confirmation of the robustness of the leadership commitment, policies and procedures etc.).

Audit checklist

During the audit the lead auditor will complete a checklist in line with the relevant standard(s). This will record all information gathered during the audit, including names of documents and records seen and version numbers, for ease of identification in any follow-up audits etc. The information recorded within the checklist provides the IQ Verify QA team sufficient detail to enable confirmation of the auditor’s recommendation. Yes and no answers within the checklist, except in exceptional circumstances, should always be avoided.

The contents of the checklist are confidential and will only be shared with authorised personnel e.g. IQ Verify and UKAS.
