IQNet basic document BD 301

Transcription

1 301BD-Integrated audits from 10 CONTENTS 1. Foreword 2. Definitions 3. Reference Documents 4. Audit Duration 5. Auditor Qualification Criteria Annex 1 Example of the integrated audit duration calculation Annex 2 Planning table for specification of the integrated audit duration FOREWORD 1.1 Objective of the document The cooperation between the IQNet partners has proven needs of common approach to the auditing and certification of Integrated Systems [that means QMS and EMS and/or OHSMS (Occupational Health and Safety Management System) and or ISMS (Information Security Management System) etc]. The general objective of this Basic Document is to facilitate mutual acceptance of integrated management audit results between the IQNet partners to operate within the terms of IQNet Basic Document 303 Co-operation of IQNet partners. The methods specified in this document apply for all system management schemes. The specific objectives of the document are to: a) Set up requirements for the maturity of system integration b) Set up requirements for auditors, who are entitled to audit integrated managements systems c) Propose a formula, that is recommended to be used for calculation of integrated system auditing d) Identify any different requirements in IQNet The document specifies the rules not declared in the ISO Guidelines for quality and/or environmental management systems auditing. 1.2 Condition for the use of the document The integrated system approach can be successfully used provided that: Relevant terms and definitions are identical with the appropriate nomenclature being used consistently in all relevant standards, Common system structure and common system elements are used for the various management fields as far as possible, Assessment methods have been integrated where possible into common procedure with separate (QMS, EMS, OHSMS, ISMS) modules. The rules for audit duration reduction are not recommended to use for audits in high risks areas. 1.3 Harmonisation areas The harmonisation by this document relates to the following subjects: Competence of the audit team Maturity of the system integration

2 301BD-Integrated audits from 10 Note1: This document does not specify management system requirements in addition to the requirements of the relevant standards or normative documents but provides needs to be complied with for integrated auditing. 2. DEFINITIONS 2.1 The Integrated Management System is a system to establish policies and objectives and to achieve those objectives by integrating several management fields within this system in a harmonious and efficient way rather than to run several systems in parallel. 2.2 The combined audit is the audit where the programme includes the assessment according to more than one management system requirements standard/normative document (QMS + EMS, QMS + ISMS, EMS + OHSMS, etc.). 2.3 The integrated audit is a specific type of combined audit where the maturity of organisations management system and maturity of qualification of audit team enables reduction of audit time due to the possibilities to run audit more efficiently. 2.4 Maturity of the system integration is the level of the integration of the common requirements of the standards covering the integrated management system. The requirements that characterize the system integration maturity are contained in the clause Maturity of the audit team is the qualification and experience level of the team to audit duly and effectively the integrated management system from the point of view of all standards covering the integrated system. The requirements that characterize the team maturity are contained in the clause 6.3.

3 301BD-Integrated audits from REFERENCE DOCUMENTS BD 303 Co-operation of IQNet partners BD 305 Harmonisation document OHSMS BD 304 Harmonisation document ISMS BD 310 Guidelines for audit duration and multi-site assessment BD 311 Harmonisation document EMS ISO Guidelines for the quality and/or environmental management systems auditing EA-7/05 Guidance on the Application of ISO/IEC 17021:2006 on Combined Audits 4. AUDIT DURATION The amount of man-days spent by the audit-team on the assessment is mainly governed by the: a) Character of the organization b) Maturity of the system integration c) Maturity of the audit team d) Complexity of the integrated management system 4.1 Character of the organisation Aspects referring to the character of organisation are as follows: a) Organisation size b) Locations number c) Number of scopes (NACE) certified d) Shifts number e) Permanent night shift f) Processes complexity (e.g. number of various processes necessary for product and/or service realisation) g) Environmental aspects of resources, processes and products h) Internal risks in the organisation and their level i) Risks for surroundings (e.g. explosion, adverse agents emissions) j) Location related risks that might affect the organisation (e.g. flooding, high risk installation as neighbour etc.) k) Level of information security requirements (e.g. confidentiality, integrity, availability) Note 2: The influence of the above mentioned factor on the audit duration has been solved in the following normative and BD documents: BD 304 Harmonisation Document ISMS BD 305 Harmonisation Document OHSMS BD 310 Guidelines for audit duration and multi-site assessment BD 311 Harmonisation Document EMS 4.2 Maturity of system integration Aspects referring to maturity of system integration of the organisation can be defined as follows: a) Integration level b) Previous state and maturity of any management system, (that means previous existence of certified quality management system and/or, existence of a certified environmental management system and/or other management system) c) Historical aspects d) References from market

4 301BD-Integrated audits from 10 The document specifies three system integration levels Negligible integration level The negligible integration level characteristics are as follows: a) The partial systems were created separately b) There are various persons as management representatives c) Policies were formulated separately and are not harmonised d) Planning mechanisms are different e) Management review has been done separately f) Monitoring of legal requirements is not consistent g) There are different approaches within system documentation Note3: In the organisation where the level of integration was evaluated as negligible, the combined audit (not integrated audit) can be realised only (it means that the reduction of time schedule is very small. For combination of OHSMS with other management systems the audit duration was specified in the consistent way in the BD 305.) Medium integration level The medium integration level characteristics are as follows: a) Each of the partial management system was implemented separately b) Policies for all systems are harmonised c) Various management representatives but one system d) Co-ordinator exists e) Different documentation packets f) Harmonised document and record control g) Mechanisms of planning are different but management review is common h) Awareness of the staff to all systems in key processes exists High integration level The high integration level characteristics are as follows: a) Management commitment to integrated system exist b) One harmonised policy for all systems c) Planning procedures are fully harmonised d) One system co-ordinator uses harmonised system management tools e) One documentation packet f) The same document and record control g) The harmonised system of maintenance of legal requirements h) High awareness of all systems integration by the whole staff exists 4.3 Aspects referring to the maturity of audit team a) The team leader qualification and experience for all management system standards included b) The team leader experience in the combined and/or integrated auditing c) The audit team members qualification and experience in the management systems included d) Experience of the team members in the combined or integrated auditing e) Level of co-ordination of the team f) Qualification and experience of the audit team in the technological areas being audited g) Qualification and experience of the audit team in legislation relevant to the technological areas being audited

5 301BD-Integrated audits from 10 This document specifies three audit team qualification levels. Note 4: Requirements peculiar to each country should be taken into consideration. This level is applicable only contemporary before the IQNet certification bodies train the necessary amount of qualified audit team leaders and audit teams. Note 5: In the case the necessary sector knowledge and skills are not fully covered by the auditors in the audit team they can be ensured by invited technical experts. Technical experts should operate under the direction of an auditor Basic qualification level The basic qualification level characteristics are as follows: a) The team leader is qualified as lead auditor for all systems included b) The auditors have been qualified minimally for one management system and trained minimum one day in the principles of any further management system standard c) The members of the audit team have not fulfilled the whole prescribed experiences in integrated audits yet d) For any technological scope minimal one auditor or technical expert exists Medium qualification level The medium qualification level characteristics are as follows: a) The team leader is qualified as lead auditor for all management system standards included and has minimum 2 complete integrated and/or combined audits experience (8 days) in the role of lead auditor, b) All auditors nominated are qualified for minimum two of the management systems involved and trained minimum one day in the principles of any further management system standard, c) For any technological scope minimal one auditor exists High qualification level The high qualification level characteristics are as follows: a) The team leader is qualified as lead auditor in all management system standards included and has more than 3 complete integrated and/or combined audits practical experience (12 days) in the role of lead auditor, b) The team members are qualified as auditor in all management system standards included and have more than 3 complete integrated and/or combined audits experience (10 days), c) The team has minimum one common experience in the integrated audit and all team members have their specialised roles in audit (legislation, IT, technology etc.), d) For any technological scope minimal one auditor exists. 4.4 Audit duration estimation In praxis the following situations can occur: a) All systems have been integrated are evaluated first time, b) One of the systems has been implemented and certified before. The integrated audit combines surveillance audit or reassessment of this system and initial audit (assessment) of the further one more systems,

6 301BD-Integrated audits from 10 c) All systems included have already been assessed separately but the surveillance or reassessment realised as an integrated audit. All situations mentioned above can be simply solved throughout the following procedure: The general figure for audit duration calculation is: T IMS = T QMS + (T EMS + T OHSMS + T ISMS )*i *q (1) where the symbols in (1) stand for : T QMS audit duration (initial audit, surveillance, reassessment) from tab. 1 BD 310, T EMS - audit duration (initial audit, surveillance, reassessment) from the Guidance matrix in BD 311, T OHSMS - audit duration (initial audit, surveillance, reassessment) from tab.1 of BD 305, T ISMS - audit duration (initial audit, surveillance, reassessment) from tab.1 of BD 304, i - co-efficient of system integration level (see table 3), q - co-efficient of auditor team qualification level (see table 4). Note 6: The first item in the equation should be the biggest value from T QMS T EMS T OHSMS or T ISMS or any other standard included in the integration. Table 3: Agreed values of the system integration level coefficient Coefficient i System integration level negligible medium high Minimum values 0,9-0,95 0,8-0,85 0,7-0,75 Table 4: Agreed values of the auditors team qualification level coefficient Coefficient Auditors team qualification basic medium maximum maturity Minimum values 0,95-1 0,85-0,9 0,75-0,8 Note 7: : Requirements specific to each country should be taken into consideration, for example specific national or regional (for example The European EA-7/05 Guidance on the Application of ISO/IEC 17021:2006 on Combined Audits) accreditation. Note 8: The level of reduction should be recorded as an integral part of audit plan. (See Annex 2) q

7 301BD-Integrated audits from 10 5 AUDITOR QUALIFICATION CRITERIA 5.1 Minimum auditor criteria Minimum criteria which integrated management system auditor team has to meet are as follows: a) The ISO qualification criteria, b) The qualification criteria of BD 304, BD 305 (if appropriate), c) Training and good knowledge of relevant management system standards, d) Good orientation in the legislation related to the management system standards included in integrated system, e) Good knowledge of the processes of the organisation being certified, f) Good experience in the integrated approach co-ordination, g) Good team co-operation. 5.2 Minimum lead auditor criteria Minimum criteria which integrated management system lead auditor has to meet are as follows: a) Education of university level or equivalent b) The ISO requirements c) The qualification criteria of BD 304, BD 305 (if appropriate) d) The lead auditor qualification at least for two management systems e) Training and good understanding of further management system standards f) Good background in the legislation g) Good orientation in PDCA principles h) Capability for big scale of technologies i) Long-time experience in audit techniques j) Experience in managing teams for combined or integrated audits Above criteria can differ per country due to accreditation requirements. When audits are performed in co-operation with another IQNet member the auditor qualification has to be demonstrated in writing to the leading certification body.

8 301BD-Integrated audits from 10 Annex 1: Example of the integrated audit duration calculation Typical practical examples acceptable reduction of audit time for the integrated audit for medium experienced team Combination QMS + EMS QMS + OHSMS EMS + OHSMS QMS + ISMS Negligible system integration T QMS + 0,85 T EMS T QMS + 0,85 T OHSMS T EMS + 0,7 T OHSMS T QMS + 0,9 T ISMS Medium system integration T QMS + 0,75 T EMS T QMS + 0,75 T OHSMS T EMS + 0,65 T OHSMS T QMS + 0,8 T ISMS High system integration T QMS + 0,65 T EMS T QMS + 0,65 T OHSMS T EMS + 0,55 T OHSMS T QMS + 0,7 T ISMS QMS + EMS + OHSMS T QMS + (T EMS + T OHSMS ) 0,8 T QMS + (T EMS + T OHSMS ) 0,7 T QMS + (T EMS + T OHSMS ) 0,55 Note 9: Requirements peculiar to each country should be taken into consideration.

9 301BD-Integrated audits from 10 Annex 2 Planning table for specification of the integrated audit duration Organization No of employees Level of integration Level of risks Maturity of team QMS EMS ISMS OHSAS No of audit days without reduction No of audit days reduced Remarks The general figure for audit duration: T IMS = T QMS + (T EMS + T OHSMS + T ISMS )*i *q where T QMS audit duration (initial audit, surveillance, reassessment) from tab 1 BD 310 T EMS - audit duration (initial audit, surveillance, and reassessment) from the Guidance matrix in BD 311 T OHSMS - audit duration (initial audit, surveillance, and reassessment) from tab.1 of BD 305 T ISMS - audit duration (initial audit, surveillance, and reassessment) from tab.1 of BD 304 Note 6: If the combination of EMS and OHSMS arises the T EMS is taken as a basic. Table 3: Agreed values of the system integration level coefficient Coefficient i System integration level negligible medium high Minimum values 0,9-0,95 0,8-0,85 0,7-0,75 Table 4: Agreed values of the auditors team qualification level coefficient Coefficient Auditors team qualification basic medium maximum maturity Minimum values 0,95-1 0,85-0,9 0,75-0,8 q Proposed: Date: Approved: Date: