Yes, under ISO 17021 (the standard to which all Certification Bodies are assessed against), it is a requirement to have a surveillance assessment at least every 12 months.
This is in order to ensure that the organisation is continuing to maintain their standards.
During Management System audits, Auva will require access to organisational records in order to verify and validate compliance against the relevant standard being assessed. If there are any records which cannot be made available for review by the audit team for reasons of confidentiality or sensitive information Auva will need to be informed prior to any certification activity taking place.
Auva shall undertake a review of the information given to us and determine whether the Management System can be adequately audited in the absence of these records. If conclusion is made that it is not possible to adequately audit the Management System without reviewing the identified confidential or sensitive records, the organisation shall be informed that the certification audit cannot take place until appropriate access arrangements have been granted.
It is often possible to see the same process without seeing certain records, we can look at a similar one instead. This is often the case where ITAR is applied.
Well we hope that you never have to but just in case you feel you need to raise an issue you should first address your complaint to the Chief Operating Officer.
If you are not satisfied with the response to a complaint, you may further complain to the CEO.
Appeals should be made via the Chief Operating Officer. The appellant will have the opportunity to present his/her case to the Impartiality Committee. The Certification Body’s costs arising from the appeal shall be to the account of: the appellant if the appeal fails; and to Auva if the appeal succeeds.
Complaints will be acknowledged with an initial response in writing within 3 days, and a full written response will be provided upon completion of a full investigation.
If a dispute arises during an audit, the auditor will aim to reach an agreement with the Auditee. Where this is not possible, the Auditee should contact the Chief Operating Officer who will undertake an investigation into the nature of the dispute, and inform the Auditee in writing as to the decision. The Chief Operating Officer will also inform the Auditee of the appeals procedure and further rights to take the matter to Auvas Impartiality Committee.
At any time, any interested party may make a complaint to Auva about you as a certificated supplier. In this event, we shall send you details of the complaint (excluding the identity of the complainant), and ask you to provide timely comment on the complaint. We would expect that you would propose appropriate corrective action. Depending on your response, we would take note for subsequent surveillance visits, and might require a further audit.
Submission, investigation and decision on complaints shall not result in any discriminatory actions against the complainant.
At the opening meeting we will also seek to agree the definition of the organisation which you wish to have certificated. This need not have the same boundaries as organisations recognised by company law. The important thing is that the organisation be a sensible operating unit. You cannot exclude parts of the organisation simply because “they are not ready” or because you don’t want to include them. By contrast, the organisation could include parts of several different companies (e.g.: one of your sub-contractors). But whatever the definition, it must be clear before the audit starts.
If you are operating through a number of remote branches, all of which:
- are part of the same organisation;
- are under the same control;
- are doing substantially the same job;
- are under common management, and;
- use the same management system and procedures.
The assessment can be by sampling. However, all the branches have to be assessed at least once over the three years before re-audit. In this case the certificate relates to the organisation as a whole. Auva reserves the right not to accept a certification project for organisations structure in a way that conflicts company law.
Significant changes to your organisation – such as a change in entity or name – must be notified to Auva immediately and in writing.
At the opening meeting (during the initial audit), we will seek to agree the “scope” for which you wish to be certificated. Scope is a concise (usually a one or two sentence) description of your business. It is your responsibility to propose the scope, although our Audit Team Leader will help if necessary.
Your scope should be sufficiently and precisely drawn as to give a clear understanding of the types of products or services which you supply. You should not be certificated for the supply of products you do not make or for services you do not provide. We need to satisfy ourselves that you are competent to supply across all the items normally understood to come within your certificated scope.
If there are regulatory requirements, standards or other normative documents against which you supply products or services, these should be included in your scope.
The scope of certification cannot be changed during the audit. If you wish to make an amendment to your scope or include any additional processes then please notify the Auva Head office prior to the assessment taking place.
9 times out of 10, if there are any issues with an audit recommendation made by an auditor, the client will not know about it. The issue will be resolved behind the scenes without the client being made away and is usually a conversation or a report update between the person making the certification decision (giving the final yes) and the auditor. In very rare cases, the auditor may need to contact the client for clarification or additional audit evidence.
If certification is refused, for whatever reason, the auditee will be advised in writing of the reasons and given the opportunity to respond.
Refusal to grant, continue or renew certification may be for a number of reasons. These reasons shall be clearly and fully explained by Auva to the auditee in writing (typically via email) and the auditee will be asked to acknowledge the notification.
If the auditee is unhappy with the decision and or explanations given, then the complaints / appeals process should be followed.
On receipt of the Audit Report and, where applicable, corrective actions, the certification body will undertake a review to ensure that all the correct procedures have been followed, whether the recommendation of the Audit Team Leader is sound, and whether corrective actions have been appropriately addressed and evidenced.
This process can sometimes take several weeks – particularly if there are queries about the completeness of the assessment and corrective actions. Auva does have an objective to get these all done within 14 days at the latest. The person undertaking the review may also require additional evidence to be provided to ensure that the system meets the requirements of the specified standards. In exceptional circumstances, this could include an additional visit.
On completion of a satisfactory review the recommendation to certificate will be confirmed by the certification body and the appropriate certificate will be issued.
Auva will provide appropriate information relating to, and update the auditee on: all decisions made regarding the granting, refusing, maintaining, renewing, suspending or restoring of certification and expanding or reducing the scope of certification.
For any nonconformity there will be a proposed corrective action to remedy any defects in either products or processes. All corrective actions must be cleared to the satisfaction of the Audit Team Leader or a nominated representative before certification is granted or continued.
The nonconformities will be numbered and listed in the audit report or Non-conformance Report depending on the scheme. The proposed action should state:
- The action completion date and responsibilities;
- Any rework of nonconforming product;
- Corrective action to contain the non-conformance
- Root Cause information to highlight how the non-conformance occurred;
- Corrective action to prevent the non-conformance from reoccurring.
NB: simply repairing or re-working nonconforming product is not corrective action; you must identify the root causes of nonconformities and take action to remove them and the correction and corrective actions.
We can provide soft-copy forms to assist in the preparation of the corrective action plan. You are encouraged to maintain the plan in machine readable form – desirably in a form readable on the auditor’s PC and in word or excel.
For Initial Assessments, all corrective actions must be cleared within 90 days of the end of the initial audit. If they are not, a further stage 2 audit may be required prior to certification. The Audit Team Leader may reduce this timeframe. For surveillance visits, the audit team will make a recommendation as to whether objective evidence for the closure of non-compliances must be submitted to Auva within defined timescales, or whether they can be closed out at the next surveillance visit.
Corrective actions and any supporting evidence shall be submitted by the date stated on the NCR form. Failure to submit suitable actions and evidence to address any non-conformances within 90 days of the audit will result in suspension.
If you would like to learn how to maintain an effective internal audit process, check out this link.
An audit plan is a programme which identifies which departments, functions or projects will be examined on which days and with respect to which aspects of the standard. If several auditors are to be involved, then the allocation of their time needs to be planned. The Auditee needs to know when staff are likely to be required. If there are several locations to visit, the travel arrangements need to be optimised. The audit plan has to ensure that all relevant aspects of the organisation are adequately covered.
A re-assessment of the entire management system is generally required every three years. The time needed for re-assessment will depend on how many assessment days have been carried out during the assessment cycle, the level of control over the system demonstrated throughout the cycle, the number of sites visited etc. Generally, a re-assessment will require approximately two-thirds of the audit days undertaken for the initial assessment. However, if the surveillance audits have been carried out in excess of the guidance number of days, and if compliance with the standard has been good, a shorter review will be carried out. In other cases, the number of days could be equal to the initial assessment. Depending on past performance over the audit cycle it may be necessary to apply a stage 1 and stage 2 assessment.
Reassessment Audit Objectives
- Determination of the extent of conformity of the Clients management system and evaluation of the capability of the management system to ensure compliance with statutory, regulatory and contractual requirements. Evaluation of the effectiveness of the management system in meeting its specified objectives and the identification of areas of potential improvement of the management system.
Reassessment Audit Criteria
- To evaluate the continued fulfilment of all requirements of the management system standard and shall include a review of the effectiveness of the management system in its entirety in the light of internal and external changes and its continued relevance and applicability to the scope of certification. An evaluation of the commitment to maintain the effectiveness and improvement of the management system in order to enhance overall performance and whether the operation of the certified management system contributes to the achievement of the client’s policy and objectives.
The objective of a surveillance audit is for us to assure ourselves that you are continuing to work to a system which complies with the standards to which you are certificated, and that you take timely corrective action to correct nonconformities.
During surveillance, we may find nonconformities. As before, you need to propose corrective action. These will usually be cleared down at the following surveillance visit, but the Audit Team Leader may recommend more immediate clear-down.
After a number of visits, if it becomes apparent that compliance with the standard is good, then the time needed for surveillance may be reduced. An indication would be the number and nature of the nonconformities found during surveillance.
On the other hand, of course, if compliance were found to be poor or worrying, then the amount of surveillance might need to be increased. In a poor case, a further audit might be needed. Clearly, these costs are in the hands of the Auditee.
Surveillance audits will be performed in the years between the initial and reassessment. The first year’s surveillance following initial assessment shall take place no later than 12 months after the last day of the stage 2 audit, these will generally be planned for 9-10 months after the stage 2. The continuous surveillance visits shall be conducted at least once a year. If the audit cycle is not maintained within these requirements then certification may lapse and a re-application may be required.
If requested, surveillance visits can be split so they are performed more frequently over the 12 month period e.g. every six months.
Surveillance Audit Objectives
- Determination of the extent of conformity of the Clients management system and evaluation of the capability of the management system to ensure compliance with statutory, regulatory and contractual requirements. Evaluation of the effectiveness of the management system in meeting its specified objectives and the identification of areas of potential improvement of the management system
Surveillance Audit Criteria
- To give confidence that the certified management system continues to fulfil requirements between recertification audits and shall include internal audits and management review, review of actions taken on non-conformities identified during the previous audit, treatment of complaints, effectiveness of the management system with regard to achieving objectives, progress of planned activities aimed at continual improvements, continuing operational control, review of any changes and the use of marks and/or any other reference to certification.
The pre-audit/Gap Analysis is optional. It will be no longer than half the duration of the initial audit. It will be carried out in the same way as an initial audit, and provides practice for the Auditee being audited. The objective is to find any major areas of weakness or aspects of the standards which are not addressed (either adequately or at all). The Auditee can request what elements are audited.
This is probably one of the biggest issues we find when assessing organisations use of the logos. Instructions are given to every client upon certification but organisations do not apply the rules correctly.
In simple terms, the UKAS logo is the Royal Crown and the Royal Crown can not appear on any vehicles apart from the Royal Mail Vehicles.
What we find is that organisations will send the logos off to the printers and they will either not send the guidance document (How to use our logos) or the printer does not read the document, they then produce the logos and put them on the Vehicles.
When we come and perform our assessment we notice that you are using the incorrect logo and we raise a non-conformance and you then have to take them off which is costing you more money (need to get other logos printed), more time (you need someone to take them all off), and you wasted the money getting them printed in the first place.
We provide you with vehicle logos which you are free to plaster all over your vehicles as much as you want, these will show the standard you are certified to and also reference to Auva so they can verify your approval. Please ensure you apply the logos correctly as we don’t like making people remove them all after they have spent time and money applying them. If you have any questions then please feel free to contact us.
The certificate you receive will have a 36 month (3 year) expiration, we are not allowed to issue a new certificate after the 3 years until the reassessment has been performed and any non-conformances closed off. We therefore put your first surveillance visit after 9-10 months instead of 12 to give you some protection, your next surveillance will be 12 months after the 1st.
When we re-issue your certificate you do not lose any time as the dates will continue so you do not lose money and we are not stealing time from you. The gap is there to protect your certificate continuation in the event of non-conformances being raised during your reassessment, sufficient time is included for you to close those issues off.
The short answer is there is no magic number. Auditors will keep going to complete the audit unless the audit has to be aborted due to you not having anything in place which to be honest doesn’t happen since they introduced the Stage 1 and Stage 2 requirement. A client may request that we stop auditing but that is up to them, not the auditor.
There is no rule for this and it will depend on a lot of things such as your experience, the complexity of the system, the non-conformance situation, availability of personnel and auditors and the maturity of the system.
Some organisations will have the stage 1 and stage 2 within a week of each other, this happens when the system is really simple, the client has experience of running and implementing management systems or we know the consultant who has helped with the implementation as this gives us confidence that you will be ready.
Generally, most people will leave a month gap which is enough time for them to fix any errors to enable the stage 2 to run smoothly.
You can never really fail any of the assessment stages, you can however need another visit to perform again (worst case scenario) or have to fix some errors (non-conformances).
Generally, during a stage 1 assessment you will have some errors than need to be corrected but if these are small fixes then we will just review these as part of your stage 2 assessment, there is not ordinarily a need to submit evidence of correction before the stage 2.
If the nature of the errors is larger then we may want some evidence supplied before we go ahead with the stage 2, maybe some procedure updates etc.
If we turn up on site and you have nothing in place then we are more likely going to need another stage 1 assessment.
So you never really fail, you just don’t pass until you fix everything.
The stage 2 ISO audit is your main assessment that will give you certification (assuming you pass).
Stage 2 Audit objectives
- Determination of the extent of conformity of the Clients management system and evaluation of the capability of the management system to ensure compliance with statutory, regulatory and contractual requirements. Evaluation of the effectiveness of the management system in meeting its specified objectives and the identification of areas of potential improvement of the management system.
Stage 2 Audit Criteria
- To evaluate the implementation, including effectiveness, of the client’s management system and shall include information and evidence about conformity to all requirements of the applicable standard. Performance monitoring, measuring, reporting and review against key performance objectives and targets. Details on the client’s management system and performance with regards to legal compliance. Operation control of the clients processes. Internal audits and management review. Management responsibility for the client’s policies. Links between the normative requirements, policy, performance objectives and targets, any applicable legal requirements, responsibilities, competence of personnel, operations, procedures, performance data and intern audit findings and conclusions.
The purpose of the stage 2 audit is to evaluate the implementation, including effectiveness, of the client’s management system. The stage 2 audit shall take place the site(s) of the client. It shall include at least the following:
- Information and evidence about conformity to all requirements of the applicable management system standard or normative document;
- Performance monitoring, measuring, reporting and reviewing against key performance objectives and targets (consistent with the expectations in the applicable management system standard or other normative document);
- The client’s management system and performance as regards legal compliance;
- The client’s management system ability and its performance regarding meeting of applicable statutory, regulatory and contractual requirements;
- Operational control of the client’s processes;
- Internal auditing and management review;
- Management responsibility for the client’s policies;
- Links between the normative requirements, policy, performance objectives and targets (consistent with the expectations in the applicable management system standard or other normative document), any applicable legal requirements, responsibilities, competence of personnel, operations, procedures, performance data and internal audit findings and conclusions.
A Stage 1 assessment is almost like a pre-assessment or sometimes called a gap analysis. The idea of the stage 1 assessment is to review your current status to see if you are ready for the main assessment, it also helps the auditor prepare for the stage 2 main assessment in case they need to go off and research sometime, or even they may deem they are not technically competent to perform the main assessment.
Stage 1 Objectives
- Determination of the extent of conformity of the Clients management system and evaluation of the capability of the management system to ensure compliance with statutory, regulatory and contractual requirements. Evaluation of the effectiveness of the management system in meeting its specified objectives and the identification of areas of potential improvement of the management system.
Stage 1 Audit Criteria
- To give confidence that the management system and client is prepared for a stage 2 assessment and shall include a review of the client’s management system documentation, an evaluation of the client’s location and site-specific conditions and undertake discussions with the client’s personnel to determine the preparedness for the stage 2 audit. A review of the client’s status and understanding regarding the requirements of the standard. To collect necessary information regarding the scope, processes, locations, statutory and regulatory aspects and compliance. Review the allocation of resources for stage 2 audit, provide a focus for planning stage 2 audit and evaluate if the internal audits and management review are being planned and performed and that the level of implementation of the management system substantiates that the client is ready for the stage 2 audit.
The stage 1 audit shall be performed:
- To audit the client’s management system documentation (this can be done off-site, Contract review will specify);
- To evaluated the client’s location and site-specific conditions and to undertake discussions with the clients personnel to determine the preparedness for stage 2 audit;
- To evaluate the client’s processes and equipment, applicable statutory / regulatory requirements and to undertake discussions with the client’s personnel to determine the preparedness for stage 2 audit, including the levels of controls established)
- To review the client’s status and understanding regarding requirements to the standard, in particular with respect to the identification of key performance or significant aspects, processes, objectives and operation of the management system;
- To collect necessary information regarding the scope of the management systems, processes and location(s) of the client, and related statutory and regulatory aspects and compliance (e.g. quality, environmental, legal aspects of the client’s operation, associated risks, etc.);
- To review the allocation of resources for stage 2 and agree with the client on the details of the stage 2 audit;
- To provide a focus for planning the stage 2 audit by gaining a sufficient understanding of the client’s management system and site operations in the context of possible significant aspects;To evaluate if the internal audits and management review are being planned and performance, and that the level of implementation of the management system substantiates that the client is ready for the stage 2 audit
To obtain and maintain confidence, it is essential that Auva’s decisions be based on objective evidence of conformity (or nonconformity) obtained by Auva, and that its decisions are not influenced by other interests or by other parties.
An Impartiality Committee is in place to help ensure that Auva’s activities remain impartial and that we are not influenced by outside pressures. This process is managed per Procedure 2.
A Risk Declaration shall be completed by any person who can influence the certification process (Auditor, Decision Maker, Impartiality Committee Member, Directors) to ascertain their impartiality and threat to the business.
A review of these documents shall be completed by the CEO and any outcome of these reviews shall be dealt with as necessary. A risk rating shall be given to each risk review which will highlight the significance of that body or person on the impartiality of the business. The Impartiality Committee shall oversee this process to advise the CEO on appropriate controls over identified risks. A log of related bodies is maintained with all current related bodies within Google Drive and will be provided to the Impartiality Committee for review.
Auva does not provide consultancy services and do not have any direct links to any consultancy body. Within the ISO 27006 (ISMS) scheme; Auva are permitted to be involved with certain activities without them being considered as consultancy or having potential conflict of interest. These activities include:
- Planning and being present at information meetings, examination of documents, auditing and follow up of non-conformities
- Arranging and participating as a lecturer in training courses, provided that, where the courses relate to information security management, related management systems or auditing. Auva’ involvement shall not provide specific information and shall remain generic in content which is freely available in the public domain.
- Publishing on request, information describing our interpretation of the requirements
- Activities prior to the audit, solely aimed at determining readiness for certification audit (sometimes known as a gap analysis). These activities shall not result in any certification recommendations or advice that would threat impartiality. These activities shall also not be used as justification to reduce the eventual certification audit duration.
- Performing second and third party audits to standards or regulations which are not part of the scope of accreditation.
- Identifying and making recommendations for improvement as long as they are not specific
Any information obtained by Auva or any of its subsidiaries in the course of its assessment and certification activities will not be disclosed to any third party without the written consent of the client, or where required by law. Where the law requires information to be disclosed to a third party, the client will be informed of the information provided, as permitted by the law.
The policy and practices of Auva relating to confidentiality are summarised here. Auva may disclose information to a third party without further reference to the customer (namely where required by law, for the purposes of Auva Certifications Accreditation, and for inclusion on the Auva register of certified firms. All customers of Auva sign agreement to the Terms and Conditions by signing the quotation, and this acts as written permission for third party disclosure for these instances.
All personnel employed or contracted by Auva are required to sign a confidentiality agreement. The Confidentiality Agreement is to be signed by all employed staff and members of the Impartiality Committee. The Contractor Agreement is to be signed by all Contractor organisations and the Confidentiality Agreement is to be signed by any person employed by that contractor. These documents shall be signed before gaining access to information pertaining to Auva and its customers. Each signed agreement is maintained within that individuals staff file.
The policy and practices of Auva relating to confidentiality are summarised in the Auditor Handbook. Confidentiality arrangements are covered during client audits at both the opening and the closing meetings, and are included on the mandatory agendas within the Audit Report templates.
Head Office staff must ensure that offices containing Auva or customer information are kept locked when not attended.
Visitors to Head Office will not be left unaccompanied unless a confidentiality agreement is first signed.
Any member of the public may request access or disclosure of any client’s certification status (i.e. the granting, extending, maintaining, renewing, suspending, reducing the scope of, or withdrawing of certification) in order to gain confidence in the integrity and credibility of certification. Auva shall provide this information in a timely manner. They may also request information about our audit process and certification process which is highlighted on our website.
Auva Shall provide access to specific interested parties that request information on conclusion of a specific audit, we will be provide relevant non-confidential information about the conclusion of an audit.
An up to date list is maintained on the Auva Website that shows the current status of all certificates, this is uploaded on a weekly basis by the COO. Additional information can be requested as highlighted above.
Introduction to Managing Certificates
Auva is responsible for, and retains authority for, the decisions relating to the certification, including granting, maintaining, renewing, extending, reducing, suspending, withdrawing and managing ISO certificates.
You can verify the validity of an ISO Certificate issued by Auva on our website Certificate Checker.
Certification Review/Decisions/Renewing
The certification officer shall be independent of the audit activity and shall not have carried out the audit.
The certification officer is responsible for ensuring that the audit has been carried out thoroughly with all applicable clauses audited to conclusion. Verification should be carried out against the initial application information to ensure the scope, site information, activities and effective number of employees is accurate and does not invalidate the audit.
Non-conformances shall be reviewed and where applicable corrective action plans and supporting objective evidence confirmed. Effective correction, root cause and corrective actions need to be demonstrated as per the auditor handbook.
If Auva is not able to verify the implementation of corrections and corrective actions of any major nonconformity within 6 months after the last day of stage 2, then Auva shall conduct another stage 2 prior to recommending certification.
If the officer is not happy with the report and/or corrective actions after discussions and follow-up information as required, then this will be handled as per procedure 8. Auditors shall be informed and action taken as appropriate.
During the certification review stage, the certification officer shall complete the certification review form (Form 05). Particular attention shall be paid to the section for reviewing the day allocation and adjustments made as necessary should the client change considerably. A clear record of the queries and comments raised with the auditor during the certification review shall be made on the certification review form (form 05), along with the responses from the auditor. This may include reference to a file or email hyperlink.
The decision(s) made regarding the granting, refusing, renewing or maintaining of certification and that made regarding expansion or reduction of scopes shall be recorded on Form 05.
The decision(s) made regarding suspension or withdrawal of certification shall be recorded on Form 09.
Clients shall be informed and updated on all decisions made regarding the granting, refusing, maintaining, renewing, suspending or restoring of certification and expanding or reducing the scope of certification.
If certification is refused, for whatever reason, the auditee will be advised in writing of the reasons and given the opportunity to respond. Notification shall be given without delay.
Refusal to grant, continue or renew certification may be for a number of reasons. These reasons shall be clearly and fully explained by Auva to the auditee in writing (typically via email) and the auditee will be asked to acknowledge the notification.
The auditee shall have explained to them the option to appeal the refusal, along with the process of addressing the issues raised. This may be a reapplication, a new or further audit or submission of actions / evidence.
The refusal process shall be overseen by the CEO and administered by the COO.
Suspension of ISO Certificates
Auva shall take the decision to suspend certification in cases when, for example:
- The client’s certified management system has persistently or seriously failed to meet certification requirements, including requirements for the effectiveness of the management system,
- The certified client does not allow surveillance or recertification audits to be conducted at the required frequencies,
- The certified client has voluntarily requested a suspension or withdrawal
- The certified client has not paid any monies due
- Misuse of certification marks/logos etc;
- The customer’s circumstances change in such a way as to invalidate the scope of certification;
- The customer otherwise contravenes the terms and conditions of the certificate.
- The client has not successfully submitted a Corrective Action Plan and/or objective evidence within three months of the audit taking place;
- Cases where it can be demonstrated that the system seriously failed to meet the OHS certification requirements;
- The client fails to submit suitable corrective actions and evidence (as applicable) to address audit findings;
- Deliberate or consistent non-compliance shall be considered a serious failure to support the policy commitment to achieving legal compliance and shall preclude certification or cause existing EMS/OHS standard certificate(s) to be suspended.
Under suspension the client’s management system certification is temporarily invalid.
In the event that it may be necessary to suspend certification, the case is referred to the CEO or delegated representative. The CEO will consider all available evidence, including audit reports, certification reviews, examples of misuse of marks/logos etc, and prepare a written report on the situation and/or identify the actions within the certification review record. The person reviewing the information shall be competent for the Technical Area applicable to the scope of certification as identified on the skills matrix.
If the decision has been made to suspend certification, the CEO or nominated representative shall write to inform the client that the certificate has been suspended, detailing any actions that are to be completed as necessary.
During suspension, the customer will not make any claims that the system is certified. The Auva logo / certification mark will not be used on any marketing literature of documentation during the period of suspension. The Auva Certificate Log shall be updated and the Website Validator shall be updated and uploaded onto the Auva website for public access.
The CEO or delegated representative will review any information submitted, record the review and inform the customer in writing as to whether or not it has been accepted and if there are any follow-up requirements such as a special visit/audit.
The suspension status shall not exceed 6 months and the certificate shall be withdrawn after that period.
If registered under the SSIP scheme, the portal upload shall be updated accordingly.
Withdrawal of ISO Certificates
In the event that the customer does not complete the activities set out in the letter or requests withdrawal from a scheme, the Certificate will be withdrawn. With immediate effect, the customer will be required to return the certificate to Auva International, cease all further use of the Auva logo and certification marks, and will not make any claim to certification of systems, services or products. The withdrawal status of the certification shall be shown on the certificate log and Validator on the website.
Auva will endeavour to obtain all withdrawn ISO certificates and records of attempts made in the client file.
All records relating to the withdrawal and/or withdrawal of certification will be kept in the customer’s file. The CEO will include a summary of the case in his/her report to the Impartiality Committee. Returned certificates will be marked as “returned” and kept in the customer’s file.
The Certificate Log and Website Validator shall be updated once decisions have been made.
The decision to restore certification shall be recorded within the client file after any issues have been addressed. This shall be performed by a competent person in line with the skills matrix.
Extending or Reducing the Scope of ISO Certificates
The scope of ISO Certificates issued to a Client may need to be reduced or extended in response to changes to a Client’s operations and business. When a client has persistently or seriously failed to meet the certification requirements the parts of the scope affected shall be excluded. Any such reduction shall be in line with the requirements of the standard used for certification.
Requests for changes to scopes received from Clients shall be reviewed by Auva and, in the case of an extension to scope; a decision will be taken on whether any additional on-site audit activity is required before a revised certificate is issued. The information and review shall be recorded using the Contract Review Form.
A request to reduce the scope of certification shall be reviewed to ensure that it will not affect the frequency and duration of on-site audits. This information and review shall be recorded within the client file
The need for change may also be identified during on-site audit activity and this shall be recorded on the Audit Report and any recommendation for change will be subject to confirmation.
Upon successful changes to scopes of certification, the current certificate shall be requested for return by the client, the certificate log shall be updated with the new scope of certification.
If the client is shown on the SSIP database their scope shall be updated accordingly and uploaded to the SSIP website.
The transfer process is straightforward. Auva can transfer the certification of any client that has a valid certification issued by a UKAS (or equivalent) accredited certification body. You simply need to request a quote from us and once that has been agreed, we can begin the process.
We just need the agreement from you to communicate with your current provider and we do the rest! In all but very rare cases (e.g. if there have been significant changes to your organisation or processes, or if there have been major findings raised) we simply issue you with an Auva certificate and pick up and maintain your current certificate validity and audit visit cycle. The transfer process is free and certification is continuous.
To find out more about transferring certification you can read our transfer section or if you have any specific questions you can drop us a message.
The number of ISO Audits will depend on what stage you are at with your certification.
All new certifications require a stage 1 (an initial visit to review your management system and understand how prepared you are for certification) this is then followed by a stage 2 (this is a full audit of your management system and processes and results in a recommendation for or against certification).
Once certification has been granted (a three year period), you then begin a surveillance visit cycle – the first surveillance ISO Audit will typically be around 10 months from your stage 2, with the second surveillance typically 12 months from the first surveillance.
Certifications are valid for three years and there will be a reassessment visit required prior to expiry. Some clients may wish to split the surveillance visits throughout the year – e.g. six monthly, we can discuss that with you.
If there are changes to your organisation throughout the cycle – e.g. you wish to add an activity to your scope, this may require a stand alone ‘special’ visit.
If you would like to know more information then you can drop us a message.
There are four main audit findings that can be raised during an audit.
A stage 1 may raise ‘potential non conformances’ – these are areas that will require review and action prior to the stage 2 and that could prevent a recommendation for certification.
At stage 2, surveillance and reassessments there could be a major non-conformance (this is a finding that affects the ability of a management system to achieve intended results – e.g. no internal audits undertaken), a minor non-conformance (an audit finding that does not necessarily affect intended results, but is not in line with requirements or could lead to a major – e.g. internal audit programme not being maintained).
Finally there are ‘observations’ – these are audit findings that are brought to your attention for consideration as they may form an ‘early warning’ or an ‘opportunity for improvement’ based on the experience of the auditor.
All non-conformances will require you to submit a corrective action plan (as well as evidence as required). All audit findings will be communicated to you as they arise and at the closing meeting, with any required follow up actions / timescales agreed with you at the closing meeting.
If you have any specific questions you can drop us a message.
If you would like to learn how to maintain an effective internal audit process, check out this link.
In order to maintain business continuity as much as possible for us and our clients, during the Covid-19 virus outbreak, Auva is offering remote auditing as an option for clients.
Each audit will need to be reviewed on a case by case basis and we will be happy to discuss this further with you.
Going forward (after the virus has cleared), remote auditing is only possible for a proportion of your assessment in line with IAF rules.
If you would like to discuss this in more detail you can drop us a message.
A Certification Review / Technical Review is a process that all ISO assessments have to go through in order to have their certification granted, renewed or amended.
Whenever an assessment takes place, the auditor will only make a recommendation for or against certification, they do not have the final decision, the final decision is down to the certification officer / decision maker within the Certification Body. Each certification body uses different terminology but the activity and the principle is all the same.
This process takes place to ensure impartiality over the process, the certification officer will be independent of the audit process and will review the report and supporting information to ensure that the auditor has completed the audit effectively. The review will ensure that all areas have been covered, the technical content is sufficient to demonstrate compliance against the standard itself and any other requirements such as legislation, a review is also taken of any findings and the closure.
Each certification body does this slightly differently but the person performing the review needs to be technically competent for your business and the standard, we can’t use just anyone. The process generally takes a few hours but can vary depending on the complexity and length of the assessment. There may also be some back and forth with the assessor to get some of the report either clarified or rectified depending on the issues, there are commonly some tweaks to be made as auditors sometimes forget to clearly present discussions. There is no need to worry if you hear of reports getting rejected or if the assessor needs to come back to you for some clarifications, it’s all just part of the process.
The entire process from start to finish varies on certification bodies, we have a KPI of 14 days maximum but our average is far less, these typically get completed within 5 days as your certificate turnaround is a key priority of our business.
If you have any specific questions or concerns you can contact us anytime.
No, the transfer process works in the same way as if you were transferring energy suppliers, you do not get cut off before the transfer is complete.
No, the certificate issued by Auva will be an exact match to what you have with your current certification provider. The same start date and expiration dates are shown
No, you do not need to speak to them at all. Once you accept our quotation, we will contact the current provider and request the transfer information we require. You do not need to do anything apart from sign the quotation
Nothing, the transfer process is done from our Head Office and this is performed free of charge. In the very rare cases where you have outstanding open non-conformances from your current Certification provider, we may need to perform an on site assessment at a cost. This will be communicated to you prior to the transfer so you can walk away with no cost and retain your current certification. 99.99% of the time it is totally free.
In 99.99% of cases no, there is no requirement to perform a transfer assessment. We perform an offsite transfer review in our offices where we will review all previous assessments and your current certificate but you do not need to be involved in this process. Our in-house team of experts performs this assessment without client involvement.
No, not to bore you with details but there is an accreditation rule that we are all required to follow that restricts any certification body from canceling a certificate when being notified of transfers. When we notify the current certification provider that you are transferring to Auva, they will act in an ethical manner and will leave your certificate valid until we have completed the transfer process. After the transfer is complete and we have notified them, they will then withdraw your certification with them but you are covered by our certificate at that time.
We can only transfer certificates that we are permitted to under our UKAS accreditation approval. If you are outside our scope of certification we will inform you during the application process.
We can transfer any certificate that is from a UKAS (or international equivalent) Certification Body. This restricts us from transferring any organisation who has an unaccredited certificate.
Unfortunately, if your certificate has expired or has been withdrawn then we are unable to transfer your certificate and you would need to reapply as a new certification.
You can change to any certificate body you wish, you are not legally or contractually tied to any accredited certification body.
We have successfully transferred hundreds of certificates over the years, its a major part of our new business and we are pretty slick at the process now.
This all depends on your current auditor. If they are employed full time with the current certification body then the chances are you will lose them. If they are contracted then if they are not already an Auva auditor then we can almost certainly use them if they wish to work for us also.
We need the last three years worth of assessment reports and your current certificates. You do not need to provide these though, we request them from the current certification body and they are required to send to us. There is a little more information we also need but these are just questions that the current provider will answer.
The process from start to finish is typically performed in less than a week. We are somewhat at the mercy of the previous certification body as we need to wait for them to respond to our request but this is often a matter of days.
Yes, you are not required to hold your certification with any provider for any period of time. You can even change between a stage 1 and stage 2 assessment if you wish. You can change it at any time of the process or time of year.
The only advice we would give is to not request a transfer if you already have an assessment planned with the current provider within the next 30 days as this could potentially incur costs from the current provider. In these circumstances we would advise you to wait until just after your next assessment.
It’s easy, after you sign the quotation we issue an email to your current provider requesting the last three years reports and certificates. We then perform a desktop review of all the information; verify the reports, review any findings and the certificate.
Once that is complete, we will issue you with a replacement certificate and then inform the previous certificate provider that the transfer is complete.
Unfortunately you will need to change your logos at some point, this can be a gradual and managed process if you have printed documents with the previous provider displayed. Our assessors will review this during the assessments.
None at all, we are very open and transparent and what we quote is what you pay. There are no hidden expenses or certificate costs and we do not charge an annual management fee unlike some of our competitors.
You will see us when the previous provider was due to perform their next assessment. We do not change the audit cycle from what you currently have, we simply turn up instead of your previous provider.
