The growth in the number of management systems and respective reference standards for certification has led to the increase of different methodologies for determining the audit time, which includes requirements partially or significantly different from those of the document IAF MD 5 which was basically designed for Quality Management Systems (QMS), Environmental Management Systems (EMS) and Occupational Health and Safety Management Systems (OH&SMS).
Furthermore, determining audit time becomes more complicated in the case of the combination of multi-site management systems and integrated audits of two or more different management systems. This complex situation has highlighted the need to provide a guide to ensure that the combination of all the main factors of each methodology contributing to the determination of the total audit time is correctly considered.
2. SCOPE
This informative document provides guidance for achieving a basic level of consistency for determining the audit time according to the application of the relevant requirements of ISO/IEC 17021-1 for audits of different management systems, such as:
- Quality Management Systems (QMS).
- Environmental Management Systems (EMS).
- Occupational Health and Safety Management Systems (OH&SMS).
- Energy Management Systems (EnMS).
- Food Safety Management Systems (FSMS).
- Information Security Management Systems (ISMS).
- Information Technology Service Management Systems (ITSMS).
- Medical Devices Management Systems (MDMS).
The same approach may extend to other ISO/IEC 17021-1-based certification schemes.
3. TERMS AND DEFINITIONS
Management Systems Certification Scheme: | A conformity assessment system is related to management systems to which the same specified requirements, specific rules and processes apply. |
Client Organization | The entity or defined part of an entity operating a management system. |
Central Function | The function that is responsible for and centrally controls the management system. Note: Descriptions and requirements of “central function” are provided in clause 5 of IAF MD1:2018. |
Permanent Site | A site (physical or virtual) where a client organization performs work or provides a service continuously. Note: Descriptions and requirements of “site” are provided in clauses 3.1.1 and 3.1.2 of IAF MD1:2018. |
Virtual Site | Virtual location is where a client organization performs work or provides a service using an online environment allowing persons irrespective of physical locations to execute processes. Note 1: A virtual site cannot be considered as such where the processes must be executed in a physical environment, e.g. warehousing, manufacturing, physical testing laboratories, installation or repairs to physical products. Note 2: An example of such a virtual site is a design & development organisation with all employees performing work located remotely, working in a cloud environment. Note 3: A virtual site (e.g. an organisation’s intranet) is considered a single site for the calculation of audit time. |
4. METHODOLOGY FOR DETERMINING THE TOTAL AUDIT TIME
4.1. General Requirements
The determination of the audit time for the certification of management systems should be based on the information obtained from the client organization and established before the preparation of the audit plan. The certification body should periodically review the effectiveness of the process to establish the audit time. The methodology for determining the total audit time is based on the general requirements of the relevant clauses of ISO/IEC 17021-1:2015:
- 9.1.4 “Determining audit time”.
- 9.1.5 “Multi-site sampling”.
- 9.1.6 “Multiple Management Systems Standards”.
4.2. Specific Requirements
The specific requirements applicable to each management system are included in the IAF MLA Level 4 standards and IAF mandatory documents, to be used alone or in combination, listed in clauses 5.1 and 5.2 and reported in Tables 1 and 2 with details of the application.
4.3. Methodological Approach
The certification body should use the framework provided in Level 3 and Level 4 MLA documents to develop a process to determine the time of the management system certification audit specific to the client organization. The methodological approach is structured as a sequence of steps organized according to the process flow reported in Figure 1 and described in detail in Table 2:
- Check whether one or more management systems are applicable and determine the applicable standards (see Table 1).
- Evaluate whether the organization is eligible for multi-site certification.
- Evaluate whether sampling is appropriate or not.
- Determine the number of sampled sites.
- Determine the Effective Number of Persons (ENP) for each management system at each site (when relevant based on the applicable scheme requirements).
- Determine the complexity level for each management system at each site (when applicable).
- Determine the audit time for each management system at each site (as applicable).
- Determine the adjustment factors in reduction or increase for each management system at each site (when applicable).
- In the case of multi-site determine a further reduction in audit time for each site (when applicable).
- In the case of multiple management systems check whether there are conditions for conducting an integrated audit.
- Determine the starting point for the total audit time of the integrated management system (IMS).
- Adjust the integrated audit time by considering factors that may increase or reduce the required audit time.
- Calculate the on-site audit duration.
- Consider how to split the audit time between Stage 1 and Stage 2.
- Determine the audit time for surveillance and recertification audits.
- Confirm audit time or make adjustments as needed during the certification cycle.
4.4. Additional Considerations
4.4.1 Main Factors
Different factors should be used for the determination of the audit time for the certification of specific management systems. The main factors to be taken into account should depend on the type and scope of the audit:
- The effective number of personnel
- Risk and complexity categories associated with the products, processes or activities of the client organization (when relevant based on the applicable scheme requirements and site-specific conditions).
- Management system standard
- Number of sites to be audited
- Single or integrated management systems
- Level of integration in an integrated management system
- Other factors specific to each management system (see Table 2)
The certification body should identify the applicable factors that can contribute to the adjustment of the audit time for a particular client organization.
4.4.2 Relevant Management System Standard(s) and Other Requirements
The duration of management system certification audits can depend on relevant management system standard(s) and certification scheme requirements and the type of audit (e.g. initial audit, surveillance, recertification, special audit):
- When an audit is done in two stages (e.g. initial audit and recertification audit), the duration of management system certification audits is the sum of stage one and stage two.
- The time spent travelling (en route or between sites) and any breaks are not included in the determination of the duration of management system certification audits.
- The audit time for all types of audits includes the total time spent on-site at a client’s location (physical or virtual) and the time spent off-site carrying out planning, document review, interacting with client personnel and report writing.d) The total time spent on site at a client’s location (physical or virtual) is the duration of a management system certification audit. This is the time from the start of the opening meeting to the end of the closing meeting (3.8).
- Other audits (e.g. special audits, transfer audits) can be performed and the duration of such audits is usually established on a case-by-case basis depending on the objectives of the audits.
5. APPLICABLE DOCUMENTS
5.1. ISO Standards
5.1.1 IAF MLA Level 3 Standard Applicable to Management Systems
ISO/IEC 17021-1:2015 Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements
5.1.2 IAF MLA Level 4 Standards Applicable to Management Systems
Standards containing criteria supplementary to those contained in ISO/IEC 17021-1:2015 to be used in conjunction with ISO/IEC 17021-1:2015 for specific management systems:
- ISO 50003:2021 Energy management systems — Requirements for bodies providing audit and certification of energy management systems.
- ISO/IEC 27006:2015 Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems – “Amendment 1:2020”.
- ISO/IEC -20000-6:2017 Information technology — Service management — Part 6: Requirements for bodies providing audit and certification of service management systems.
- ISO/TS 22003:2013 Food safety management systems — Requirements for bodies providing audit and certification of food safety management systems.
5.1.3 IAF MLA Level 5 Standards Applicable to Management Systems
Standards used by the accredited conformity assessment body to deliver an accredited conformity assessment field:
- ISO 9001:2015 Quality management systems — Requirements.
- ISO 14001:2015 Environmental management systems — Requirements.
- ISO 45001:2018 Occupational health and safety management systems — Requirements with guidance for use.
- ISO 50001:2018 Energy management systems — Requirements with guidance for use.
- ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements.
- ISO/IEC 20000-1:2018 Information technology — Service management — Part 1: Service management system requirements.
- ISO 22000:2018 Food safety management systems — Requirements for any organization in the food chain.
- ISO 13485:2016 Medical devices — Quality management systems — Requirements for regulatory purposes.
5.2. IAF Mandatory Documents
Documents containing additional mandatory requirements to those contained in ISO/IEC 17021-1:2015 for determining the audit time when conducting separate or integrated audits in case of single-site or multi-site management systems:
- IAF MD 1:2018 IAF Mandatory Document for the Audit and Certification of a Management System Operated by a Multi-Site Organization.
- IAF MD 5:2019 Determination of Audit Time of Quality, Environmental, and Occupational Health & Safety Management Systems.
- IAF MD 9:2022 Application of ISO/IEC 17021-1 in the Field of Medical Device Quality Management Systems (ISO 13485).
- IAF MD 11:2013 IAF Mandatory Document for Application of ISO/IEC 17021 for Audits of Integrated Management Systems (IMS).