Irca 1000 Auditor Certification Requirements
Irca 1000 Auditor Certification Requirements
Irca 1000 Auditor Certification Requirements
p. 6-8 p. 6 p. 7 p. 7 p. 7 p. 8 p. 9-14 p. 9 p. 9 p. 9-11 P. 11-12 p. 12-13 p. 13 p. 13-14 p. 15-20 p. 15 p. 16 p. 17 p. 18-20 p. 21-23 p. 24-25 p. 24 p. 24 p. 24 p. 24 p. 24-25
5. Auditor Certification Criteria 5.1 Internal Auditor and Provisional Internal Auditor 5.2 Auditor and Provisional Auditor 5.3 Lead Auditor 5.4 Principal Auditor 6. Renewal of Certification Criteria and Requirements 7. Terms and Conditions 7.1 Appeals and complaints 7.2 Enforcement of certification 7.3 Confidentiality 7.4 Legal status 7.5 Fees
Appendix I Scheme-specific requirements and guidance are given for the following: Part 1 - Quality Management System Auditor Scheme Part 2 - Environmental Management System Auditor Scheme Part 3 - Occupational Health and Safety Management System Auditor Scheme Part 4 - Information Security Management System Auditor Scheme Part 5 - Information Technology Service Management System Auditor Scheme Part 6 - Business Continuity Management System Auditor Scheme Part 7 - Energy Management System Auditor Scheme Part 8 - Pharmaceutical Management System Auditor Scheme Part 9 - Aerospace Quality Management System Auditor Scheme Part 10 - TickIT Auditor Scheme Part 11 - Food Safety Management System Auditor Scheme Part 12 - Social Systems Auditor Scheme Part 13 - EICC-GeSI Auditor Scheme Part 14 - Maritime Auditor Scheme Part 15 - SSiP Assessor Scheme Appendix II Definitions Appendix III IRCA Code of Conduct
p. 26-58
p. 26 p. 27 p. 28 p. 29-30 p. 31 p. 32-33 p. 34-35 p. 36-37 p. 38-40 p. 41 p. 42-44 p. 45-46 p. 47-49 p. 50-52 p. 53-58
p. 59
p. 60
Copyright IRCA 2012 All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means electronic, mechanical, photocopying, recording or otherwise without prior permission of the International Register of Certificated Auditors (IRCA).
b) Your adherence to principles of proper ethical conduct, fair presentation and due professional care, as articulated in the IRCA Code of Conduct c) Your commitment to continuing professional development (CPD) d) Your commitment to provide value to: The users and stakeholders who rely on management systems audits to establish if the organisations management system can consistently meet customer and applicable regulatory requirements The auditee by providing management with information regarding the organisations ability to meet its management system-related business objectives; identifying problems that may prevent the client from meeting its management system-related business objectives; and identifying meaningful opportunities for improvement, as well as those areas of risk that are not yet identified or managed.
When you achieve IRCA auditor certification, you join over 14,000 management systems auditors in over 120 countries who share your professionalism and commitment, and benefit from: A globally recognised qualification, valued and often required by employers and clients Entry on to our publically available online register of auditors, which is used by employers globally Your individual certification card, to demonstrate your certification to clients and employers Your auditor certification logo, for you to use on your stationery and documents The IRCA system of continuing professional development, to support your career progression through always being able to demonstrate a currency of skills and knowledge.
The IRCA schemes To be efficient and competitive, business and industry needs competent auditors. The purpose of our management systems auditor certification schemes is to provide confidence through accredited certification, and to show business and industry that auditors certificated to these schemes are competent. As part of the certification process, we will evaluate you against requirements that reflect the key skills, knowledge and experience that define competence and which you, the management system (MS) auditor, need to possess and to demonstrate during an audit.
Each scheme is based on a key standard, such as: ISO 9001: Quality management systems Requirements (latest issue) ISO 14001: Environmental management systems Requirements (latest issue), etc
And each scheme is influenced by the following auditing standards: ISO 19011: Guidelines for auditing management systems (latest issue) ISO 17021: Conformity assessment Requirements for bodies providing audit and certification of management systems (latest issue).
Our award of certification means we have recognised that you understand and are competent (depending on the grade awarded) to: Uphold the principles of proper ethical conduct, fair presentation and due professional care Communicate clearly, both orally and in writing, with personnel at all levels of an organisation Plan and organise an audit of a management system Identify, understand and audit relevant business processes Sample and evaluate audit evidence, and determine the effectiveness of a management system Report audit findings and conclusions accurately Plan, organise and lead the audit team, and manage the audit process.
The scope of certification is general. You may select from a list of up to six standard industry sectors in which you have acquired work experience. These details, although included within the register, are self-declarations and outside the scope of certification. The details of all certificated auditors are included within a register that is publicly available. The schemes are intended for: Auditors, eg those for whom auditing is a significant part of their role, including supply chain auditors, those employed by certification bodies/registrars, and those conducting audits within their own organsations Practitioners, eg consultants, audit programme managers, and others involved in auditing through the development and maintenance of management systems, auditor training and standards development.
Grade
Internal Auditor
Applicability
You should consider this grade if you conduct internal partial system audits of your organisations management system, or a suppliers management system. It is likely that you will not be a fulltime auditor, and you may only audit a few times each year. Whilst the internal auditor grade requires the applicant to have conducted audits, the provisional grade does not. It is therefore appropriate for professionals who have attended an internal auditor training course, but that do not or have not had the opportunity to conduct audits, yet wish to receive formal recognition of their ability. The auditor grade is appropriate for those that conduct full system audits as part of their role, but do not lead teams. They may be conducting internal full system audits, second-party full system audits, or conducting third-party audits for certification purposes. Whilst the auditor grade requires the applicant to have conducted audits, the provisional grade does not. It is therefore appropriate for professionals who have attended an auditor training course, but that do not or have not yet had the opportunity to conduct audits.
Guidance notes
Partial system audits are audits that do not cover the entire management system in a single audit. They are commonly departmental, or focused on a particular process, procedure or requirement. It is important to note that the training course certificate is valid for initial application for a period of three years, after which it will no longer be accepted for auditor certification in an initial application. Internal full system audits are accepted. See 4.3 f (p.10).
Auditor
Provisional Auditor
Lead Auditor
Principal Auditor
Most auditors working for certification bodies are lead auditors, as are auditors who perform supplier audits for large organisations. This grade is reserved for competent auditors experienced at managing audits and at leading teams. This grade is intended to recognise the considerable experience and competence of: Management system consultants who design, implement, evaluate and maintain management systems and conduct consultancy audits on behalf of their clients. Sole auditors (previously IRCA-certificated to lead audit teams) who now undertake audits on their own (ie as a team of one, performing all aspects of an audit without assistance) Audit managers and audit professionals (previously IRCAcertificated to lead audit teams) whose career has taken them away from direct involvement in conducting audits, but who can demonstrate ongoing currency of applicable discipline knowledge, and audit knowledge and skills through other management system and audit-related activities. For example: o Audit programme managers (first-party in large and complex organisations, and those with overall responsibility for second-party supplier audits) o Those involved in audit and management system standards development o Certification body managers, (third-party audits) including persons carrying out technical reviews and authorising certification decisions o Those carrying out original design and development of auditor training, and delivery of IRCA-certified auditor training.
Training course certificates are valid for a period of three years, after which they will typically no longer be accepted for auditor certification in initial application (see 4.3b). However, once registered at the provisional auditor grade and as long as the CPD requirements are met, you will be eligible to apply to upgrade to Auditor and Lead Auditor status, should you start to conduct audits and lead audit teams at any point in the future. Internal full system audits are accepted. See 4.3 f (p.10).
3. Instructions for Initial Certification, Maintenance of Certification, Renewal of Certification and Changing Your Certification Grade (Regrade)
3.1 How to: Make an initial application
Step 1 Select the grade you want to apply for by reviewing Section 2 of this document (p. 5), and checking that you meet the requirements outlined in Section 5 (p. 15) and the relevant scheme appendix (p.26-58), in terms of: Step 2 Complete the IRCA auditor certification application form (available at www.irca.org): Indicate which discipline(s) and grades you are applying for, and attach evidence as required. We accept applications and supporting documentation in the following languages: English Japanese Spanish. Relevant work experience Required education/qualifications Required auditor training Required audit experience (except for provisional grades).
For all other languages, the application must be accompanied by a certified translation (into English) of the original text. This is particularly important for educational qualifications, training courses and work experience. Step 3 Submit your completed application form and fee: Current auditor certification application fees are available at the IRCA website (www.irca.org). You may submit your form electronically by email, or by post to: Email: Address: [email protected] IRCA, Chancery Exchange, 10 Furnival Street, London, EC4A 1AB, UK
See the What we do box later in this section to learn how we manage your application. Do not send the annual certification fee. If your application is successful, we will write and ask you to pay the annual certification fee.
Step 4: Pay your first annual certification fee. After we have evaluated your application, we will communicate the grade of certification we can offer you or indicate what extra evidence is required to achieve auditor certification. If you wish
to accept our offer of certification, pay your first annual fee and you will receive your first IRCA auditor certification card, and be placed on the IRCA online register of auditors. Once your application is successful, we award certification for a period of three years beginning from the month we award certification. This three-year period is referred to as the certification period. During the certification period, at the end of the first and second years you may maintain certification by payment of the annual certification fee, and by compliance with the Code of Conduct. We dont, however, require you to submit any other documentation at the end of year one and year two. At the end of the third year, all certificated auditors are required to complete the triannual renewal of certification process.
We usually take about four weeks to process each application, but that time may vary depending on the time required to verify the information submitted with the application. Giving us all the information we need will speed up the application process, which has four stages:
1) Administrative check All applications are checked first by our certification staff to make sure you have included all of the information that we need.
2) Technical evaluation This phase is performed by IRCA's technical experts; the reviewing officers. The reviewing officers evaluate the information submitted against the certification requirements, then they will perform a verification of some or all of this information. At the conclusion of the technical evaluation, the reviewing officers will make a recommendation on certification to the certification manager. We consider verification to be an essential element supporting the overall credibility of the certification process. Consequently, great care is taken by the reviewing officers in reviewing and verifying applications against all aspects of the certification requirements. We will perform the evaluation as speedily as we can, but sometimes it is not possible to be as quick as we (or you) would like. Processing your application is likely to take longer if you have unusual educational qualifications, if your current (or former) employers are slow to provide verification information, or if the auditee organisations are not helpful. Typically, certification decisions will be made based on the documented information provided by the applicant. However, IRCA will, at its own discretion, invite a number of applicants for interview to verify the information provided, and evaluate the understanding of the auditor.
3) Certification The final decision on your certification is made by the certification manager. The certification decision is performed independently of the technical evaluation process detailed above.
4) Offer and award of certification The certification manager will write to you formally with an offer of certification to the appropriate grade. We will send you this offer and ask you to pay your first annual fee. Certification will be awarded when we receive your payment of the annual fee. Your details are then added to our online register of certificated auditors, and we will send you your certification card. Although the card is issued to you, it remains our property and you must return it to us should we ask you to. The IRCA certificate is intended for display as a formal recognition of your certification to a specific grade you should not use it as proof of certification. Please contact us if you wish to purchase a certificate.
sure you include detailed information of the audits you perform, and provide sufficient contact details so that we are able to perform a verification e) If you are already certificated as an Auditor, Lead Auditor or Principal Auditor on one of our other schemes, we will accept other full management system audits such as ISO9001, ISO 22000, OH&S 18001, ISO 27001, ISO 20000, ISO 14001, or acceptable alternatives including combined/integrated audits, where these do not exceed 25% of the total audit experience required. However, these are only accepted for initial certification and at regrade, not at renewal of certification f) Acceptability of internal audits: We will consider accepting internal audits for Auditor, Lead Auditor and Principal grades, providing you can demonstrate that the audit was of the full management system covering all clauses and requirements of the applicable management system standard, and that it was of a part of the organisation from which you are entirely independent (eg separate business unit or sister company). We require you to show on your audit log how many employees the company has, and provide any other information that you feel is supportive and relevant, such as written description of the type of audit, charts, reports, etc g) Acceptability of consultancy audits: We will accept audits performed by you when acting as a consultant for a client if all of the following are satisfied: The client (auditee) already had a fully established management system prior to the audit You had no part in setting up the management system being audited (except in such specific circumstances as described below) You were independent of the auditee The scope of the audit included all elements of the management system.
We will also accept pre-assessment audits performed by you on a management system that you were involved in developing, if the certification body subsequently awarded certification at the first attempt h) Acceptability of combined/integrated audits: Where two or more standards are being audited during a combined/integrated management system audit, we will only accept (for initial certification and regrade) the audit days allocated to the relevant scheme you are applying for. For recertification, the full audit duration will be accepted i) Acceptability of surveillance (partial system) audits: We do not normally accept surveillance (partial system) audits when submitted for initial certification or at regrade (except for Internal Auditor). However, we do accept surveillance audits for renewal of certification
10
j)
Acceptability of on-site and off-site audits: IRCA will only accept on-site audits that have involved a significant amount of interaction with the auditee(s). If the audit is limited to conducting a document review (eg records or data analysis), observation of work performed, completing checklists and sampling (eg products) without interaction with the auditee(s), it is not acceptable. Further, significant onsite preparation time (eg half a day) may not be counted towards the days on site. A maximum of one days off-site preparation per audit will be accepted
k) Acceptability of remote audits: IRCA will accept remote audits as a substitute for the required on-site audit days, where there has been as much interaction between the auditor and the auditee as would occur during an on-site audit. Interaction may be achieved remotely through such means as video conferencing, document and record-sharing systems, etc (remote audit activities are performed at any place other than the location of the auditee, regardless of the distance). If you have conducted extensive remote audits that you feel are suitable, please provide additional information including the scope and nature of the audit, and, if possible, supporting documentation such as audit plans and reports l) Acceptability of audits to standards other than those issued by the ISO: We will accept audits performed against standards that we have evaluated as being equivalent to the relevant ISO standard. We maintain a list of acceptable alternative standards for each auditor scheme, but it is possible that you may claim audits against a standard that is not on this list. We have a formal process for evaluating new standards, and you are advised to contact us for advice where you consider an alternative standard may be acceptable to us. m) Audits we do not accept: Audits of the same management system that are repeated more frequently than once every 12 months Audits of less than one days duration (six hours of audit activity, exclusive of breaks), except for the internal auditor grade, where we will accept audits of three hours exclusive of breaks Gap analysis, close out or follow-up visits Audits performed before successful completion of the formal training requirement Audits performed outside the accepted three-year period. 4.4 What training course certificates does IRCA accept? a) Ideally, we are looking for you to have a certificate for the successful completion of an IRCAcertified training course. IRCA does accept a very small number of non-IRCA-certified training courses as being equivalent to its own courses. Please refer to this page on our website: http://www.irca.org/en-gb/certification/How-to-apply/accepted-alternatives/ or contact head office for information about accepted alternatives b) You should normally have successfully completed auditor training within the three-year period immediately prior to application for certification. We may accept training completed prior to this period if you provide evidence of recent and relevant continuing professional
11
development (CPD), work experience and currency of your auditing skills. We advise you to refer to the IRCA website (www.irca.org) for a current listing of all IRCA-certified training organisations offering IRCA-certified management system auditor training courses c) All training course certificates submitted must be supported by documentary evidence. An example of acceptable evidence would be a good-quality photocopy of the original certificate indicating the awarding body, the title and date of the award, and the name of the person to whom the award was made. If any of this information is not available or is not clear, we may ask you to supply us with more evidence. If no documentary evidence can be supplied by the awarding body, it is unlikely we would accept your training course certificate. IRCA reserves the right to verify this information with the relevant organisation and/or individual(s). d) IRCA does not accept certificates of attendance. Certificates must be of successful completion of a course.
4.5 Guidance on continuing professional development (CPD) CPD is a framework that encourages you to continuously update your professional knowledge, personal skills and Competencies. The purpose of CPD is to make you more effective as an auditor, and to make the auditing profession more credible. The concept of CPD and the value it contributes is now recognised and accepted throughout all professional fields. Any CPD submitted must be in subjects that are broadly related to auditing and the relevant management system. Because there are so many topics that we recognise will enhance your auditing competence, we do not attempt to list them here. But we categorise them into three areas: 1) Management system related 2) Auditing related 3) Technical knowledge related (eg legislation and regulatory updates). CPD weighting We recognise that no single method for learning suits everyone. Therefore, we will accept CPD acquired in ways that range from the very informal (eg reading and self-study) to the formal (eg classroom training). We recognise that some ways of acquiring CPD are more effective than others, so we apply a system of w eightin g where some activities are accorded more recognition than others. Due to this weighting, one hour of learning may not always equal one recordable CPD hour. The activities are divided into three broad categories: a) Unstructured; where three hours equals one CPD hour Included in this category would be distance and open-learning study that is not assessed and does not lead to a qualification; the reading of professional and technical journals, books and other publications; and relevant aspects of on-the-job training where specific outcomes have been planned and identified.
12
Reading IRCA INform, our e-magazine available from www.irca.org, or contributing to a relevant online forum such as IRCAs discussion group on LinkedIn, is also accepted. A maximum of four hours of unstructured CPD will be accepted for contribution to discussion forums. Evidence must be documented and verified on IRCA/173 CPD logs b) Semi-structured; where two hours equals one CPD hour Included in this category would be non-interactive lectures, talks etc, informal professional body meetings of a more social nature (networking opportunities), the research, preparation and first delivery of lectures/courses, publishing articles, and forms of open and distance-learning that involve assessment, and that result in the acquisition of a qualification. Note: Repeated training deliveries and lectures/presentations cannot be counted more than once. c) Structured; where one hour equals one CPD hour Examples of this category would be interactive and highly participative training courses and seminars, professional body meetings with formal lectures, and active participation in the development of standards. The range of activities that may be included within each category is extensive, and the small number of examples above is intended to provide broad guidance only. Most auditors submit evidence of activities that includes all three categories, but it is not a requirement that you do so. The only restriction we have is that unstructured CPD cannot constitute more than one-third (ie 15 hours) of the total amount of acceptable CPD hours. It remains your responsibility to provide a case for acceptance of any activity you submit, and this must be supported by sufficient and appropriate evidence. This will involve you making and retaining records of your activities, and having these properly verified where possible. We have developed a CPD and training log sheet (IRCA/173) for this purpose. It is in your interest to provide us with information in a clear, logical and easily understandable format. The speed with which we are able to evaluate and renew your certification will depend on this. 4.6 Guidance on work experience a) Please refer to the scheme-specific appendix document and the guidance section of the application form for information about what will be accepted as experience relevant to the auditor scheme you are applying for b) Short periods of training cannot be included in this work-experience requirement, however apprenticeships and the like may be considered as acceptable work experience. Please provide additional information if you wish any training to be considered torwards your work experience.
13
4.7 Guidance on applying for transfer to Principal Auditor Application for transfer from Lead Auditor to Principal Auditor is normally made at the time of renewal of certification. Application for transfer may be made: Proactively when you know your role is going to change. In this case, you may request transfer to Principal Auditor provided you meet the requirements for prior Lead Auditor certification, and also meet the requirements for renewal of your Lead Auditor certification at the time of transfer. Retrospectively after your role has changed and at the next renewal of certification. In this case, you will need to meet the requirements for prior Lead Auditor certification, and also provide evidence of meeting the requirements for Principal Auditor in the three years following your last renewal of Lead Auditor certification.
Note: Where your role changes part-way through the three-year certification period, it is likely that you will want to submit evidence that comprises a combination of audits completed, and also evidence of your involvement in other audit and audit-related activities. In these circumstances, use the requirements above as a guide to the evidence you should provide, and the IRCA will evaluate each application on a case-by-case basis.
14
5.1 Internal Auditor (see the bottom of the page for Provisional Internal Auditor)
Education At least to secondary education level. Work experience Four years full-time experience, or two years with a degree or near degree One years full-time experience relevant to the auditor scheme. Auditor training A relevant IRCA-certified Foundation course and A relevant IRCA-certified Internal Auditor training course or the relevant IRCA-certified Auditor/Lead Auditor training course. (Refer to 4.4 for guidance on what training IRCA accepts.) Note: IRCA will consider, on a case-by-case basis, auditors applying for an internal auditor grade that have successfully completed an Internal Auditor course, but not the respective Foundation course. The decision will be based on the information provided in the work experience and sector understanding parts of the application form. Auditing experience You need to have performed at least five internal audits, each of which must have been of at least three hours duration, have included all elements of the audit cycle audit planning, document review, auditing, interviewing and audit reporting and must not have involved areas or activities in which you yourself perform. However, we will accept audits of activities for which you are directly or indirectly responsible, eg as a line manager. (Refer to 4.3 for guidance on what audits are accepted.)
15
5.2 Auditor (See the bottom of the page for Provisional Auditor)
Education At least to secondary education level. Note: If you have a degree or near degree level qualification, we will reduce the requirement for work experience. Acceptable qualifications include those awarded by an institution recognised by a national governmental body or accredited by a national professional body. Work experience Four years full-time experience, or three years with a degree or near degree Two years full-time experience relevant to the auditor scheme you are applying for. Please refer to the scheme-specific appendix document for information about what will be accepted as experience relevant to the auditor scheme you are applying for. Auditor training A relevant IRCA-certified Auditor/Lead Auditor training course. Or the relevant IRCA-certified Auditor/Lead Auditor Conversion training course only acceptable if you have previously completed a five-day Auditor/Lead Auditor training course in another discipline. (Refer to 4.4 for guidance on what training IRCA accepts.) Auditing experience You need to have performed at least four full management system audits covering all clauses (requirements) of the applicable management system standard. Auditing activity must include document review, preparation and performance of on-site audit activities, and audit reporting. The total duration of these audits must not be less than 20 days, 15 of which must have been acquired on site. (Refer to 4.3 for guidance on what audits are accepted.) Note: Although we recommend you should complete all of the audits under the direction and guidance of an auditor competent as a team leader (one currently certificated as a lead auditor or who has equivalent competence), we acknowledge that for many auditors this will be very difficult and costly to arrange. Consequently, we will accept a minimum of one audit under these conditions. We may require this team leader to attest to your competence to audit as a team member.
Provisional Auditor
No audits are required. All other requirements are the same as those for an Auditor.
16
17
18
2) Auditor development This route is suitable for IRCA-certificated Lead Auditors who wish to transfer to Principal Auditor because the nature of their audit activities has changed. There are two options associated with the development route, and both options require prior certification to the grade of Lead Auditor. Option 1 Sole auditors This option is for auditors that have been certificated by IRCA to lead audit teams who now undertake sole audits (ie as a team of one), performing all aspects of an audit without assistance. Requirements: Prior Lead Auditor certification Six years certification to Lead Auditor grade by IRCA (or acceptable alternative) prior to transfer. Note: Exceptionally, we will consider accepting less than five years as an IRCA-certificated lead auditor, if you are able to demonstrate a very considerable and comprehensive experience in leading teams over a shorter period. Sole audits in the three-year period prior to transfer Five sole or lead audits, two of which shall be full system audits. The remaining three audits may be surveillance or partial system audits Audit experience within the three-year certification period prior to transfer shall be not less than nine audit days CPD totalling 45 hours (in the three-year certification period prior to transfer). Option 2 - Audit managers and audit professionals This option is for auditors previously certificated by IRCA (or acceptable alternative) to lead audit teams, who are able to maintain the currency of their audit knowledge and skills through audit and audit-related activities, but who no longer conduct audits eg audit managers, certification managers, audit training and development personnel, including management system auditor training course designers, and persons involved in the development of relevant audit and management system standards (such as ISO 19011). Requirements: Prior Lead Auditor certification Six years certification to Lead Auditor grade by IRCA (or acceptable alternative) prior to transfer. Note: Exceptionally, we will consider accepting less than six years as an IRCA-certificated Lead Auditor if you are able to demonstrate a considerable and comprehensive experience in leading teams over a shorter period.
19
Other requirements Submission of verifiable evidence of having carried out management system audit and auditor-related activities at a senior level, totalling not less than 15 days, over the threeyear period. These activities shall be relevant to the planning, conduct, management, review and effectiveness of management system audits; development of auditor competency, including management system auditor training course design; and development of recognised standards for conducting management system audits. CPD totalling 45 hours (in the three-year certification period prior to transfer).
20
1) Continuing professional development For Internal Auditor and Provisional Internal Auditor There is no CPD requirement. For Provisional Auditor, Auditor, Lead Auditor and Principal Auditor You must have completed at least 45 hours of appropriate CPD during the threeyear period immediately prior to renewal of certification. Through CPD, you are required to demonstrate your currency of knowledge and skills through updates in subject areas within the three main categories, as stated in 4.5: Management system related Auditing related Technical knowledge related (eg legislation and regulatory updates).
It is important that you demonstrate that you are up-to-date with any regulatory and legislative changes that are relevant to auditing within the respective scheme. We need you to provide us with evidence that you have met this requirement. Should the reviewing officer feel that not enough evidence has been provided, more evidence may be requested. Where evidence is lacking, you may be required to attend interview, or be requested to write a detailed account of the subject in question in order to satisfy IRCA of your currency of such knowledge and skills. 2) Audit experience We will need you to record and submit your audit experience on the audit log
21
sheets (IRCA/106) that we supply. For Internal Auditor: You need to have completed a minimum of five internal audits, the total duration of which must have been at least 15 hours. For Provisional Internal Auditor: There is no audit requirement. For Auditor or Lead Auditor: Five audits, two of which must be full system audits (for Lead Auditor, a minimum of one full system audit shall be while leading a team that includes at least one other person). Three of the five audits may be surveillance or partial system audits. Audit experience within the three-year certification period shall be not less than eight audit days. You must have performed these audits within the previous three-year certification period. For Provisional Auditor: There is no audit requirement. For Principal Auditors audit managers and audit professionals: There is no audit requirement. For Principal Auditors sole auditors and consultants: Five sole or lead audits, two of which shall be full system audits. The remaining three audits may be surveillance or partial system audits. Audit experience within the three-year certification period shall be not less than eight audit days. You must have performed all the audits within the previous three-year certification period. 3) Additional requirements For all grades other than Principal Auditor: There are no additional requirements.
22
For Principal Auditor audit managers and audit professionals: Submission of verifiable evidence of carrying out management system audit and auditorrelated activities at a senior level, totalling not less than 15 days over the three-year period. These activities shall be relevant to the planning, conduct, management, review and effectiveness of management system audits; development of auditor competency, including management system auditor training course design; and development of recognised standards for conducting management system audits. For Principal Auditors sole auditors and consultants: There are no additional requirements. 4) Declaration of complaints We need you to tell us about any complaints made against your professional conduct. It is important we know of any complaints, as we need to consider these as part of the renewal of certification process. We will investigate all instances of complaints. If complaints are made against your conduct and you do not declare them, the consequences will be far more serious and may result in suspension or withdrawal of your certification. 5) Compliance with the Code of Conduct We need you to make a declaration that you have always acted in compliance with the Code of Conduct (see Appendix III). 6) Payment of the annual fee And finally, we need you to pay the annual fee (please note, there is no additional fee for renewal). Because the fee will be dependent on the grade we offer you after renewal, we do not ask you to pay this fee until we have completed renewal. We will write to you with the results of the renewal, enclosing the invoice and fee-due date. Failure to pay your annual fee within 28 working days of the date of the invoice will result in your certification being withdrawn, and the removal of your details from the online register. Once we have received your payment, we will write to you again enclosing your new certification card.
23
24
Annual certification fee: This fee covers the annual cost of administering your certification. We will normally invoice you for this fee when we first offer you certification following your application, and each year thereafter, three months before payment is due.
Failure to pay your fees within 28 days of them being due will result in withdrawal of your certification. Upon receipt of your fee, your card will be issued. Application for regrade fee: This fee covers the costs of evaluating your regrade. We need you to pay this when you submit your request and, as with the application fee, the regrade fee is not refundable. If you are regraded during the year, we will not ask you to pay any further certification fees for that current year. You may request a regrade at any stage during the certification period. There is no regrade fee if we regrade you as part of the (three-year) renewal of certification process.
Except for every third year, when your renewal is due we invoice you after we have completed your renewal, on the basis that your grade (and fee) may have changed as a result. Upon receipt of payment, your card will be issued.
25
Appendix I Part 1 Quality Management System Auditor Scheme Specific Requirements and Guidance
Scheme specific (additional) requirements In the sector understanding and work experience sections of the application form, you are required to demonstrate the following knowledge and competencies: Knowledge of basic quality management principles Understanding of quality management tools and techniques that are applied in organisations that will enable the auditor to assess a quality management system, and generate audit findings and conclusions An understanding of an organisations operational activities and its interactions, to enable you to understand the relationship with product quality.
The QMS Scheme is based on the auditing key standard: ISO 9001: Quality management systems Requirements
Guidance for who this scheme is intended for Quality management system auditors, such as those employed by third-party certification bodies/registrars or by purchasing organisations (second-party auditors) Quality management practitioners, such as quality management consultants, quality managers and third-party certification managers Employees conducting quality management system audits within their own organisations (internal audits).
26
Appendix I Part 2 Environmental Management System Auditor Scheme Specific Requirements and Guidance
Scheme specific (additional) requirements Within the sector understanding and work experience sections of the application form, you are required to demonstrate the following knowledge and competencies: Knowledge of environmental aspects and impacts Ability to judge aspect significance Knowledge of local environmental legislation Understanding of methods and techniques of environmental management that enable the auditor to examine an environmental management system, and to generate appropriate audit findings and conclusions Understanding of environmental science and technology that enables the auditor to understand the fundamental relationships between human activities and the environment Understanding of technical and environmental aspects of operations that enables you to understand the interaction of an organisations activities, products, services and operations with the environment.
The EMS Scheme is based on the auditing key standard: ISO 14001: Environmental management systems Specification with guidance for use (latest issue). Guidance on who this scheme is intended for Environmental auditors, eg those employed by third-party certification bodies/registrars or by purchasing organisations Environmental practitioners, eg environmental consultants, environmental managers and other environmental personnel Employees conducting environmental audits within their own organisation, ie internal audits.
27
Appendix I Part 3 Occupational Health and Safety System Auditor Scheme Specific Requirements and Guidance
Scheme specific (additional) requirements In the sector understanding and work experience sections of the application form, you are required to demonstrate the following knowledge and competencies: Generic auditing skills as detailed earlier in this document (IRCA 1000) OH&S management methods and techniques that enable you to examine OH&S management systems, and to generate appropriate audit findings and conclusions OH&S technical Competencies, such as the management of risk, health and safety activities in the workplace, including chemical/physical/biological hazards; legal and organisational factors within the country or area of operation, etc Acceptable work experience would include: o o o o o o o Full-time role as manager, supervisor, engineer or technician, involved in technical aspects of facility operation in compliance with OH&S regulations Implementation and maintenance of OH&S or integrated management systems involving health and safety compliance management Monitoring compliance with health and safety law and regulation, on behalf of a regulating body Auditing OH&S management systems on behalf of an accredited certification body Assessment of supplier probity against an acceptable OH&S management system standard on behalf of an employing organisation Provision of appropriate consultancy services involving OH&S Full-time role relating to the performance of OH&S risk assessment and management of safety audits of all types (not necessarily system audits).
The OH&S Scheme is based on the auditing key standards: BS OHSAS 18001: Occupational health and safety management systems. Requirements (latest issue). HSG65, and BS8800 (latest issues). Guidance on who this scheme is intended for Occupational health and safety professionals intending to demonstrate a core competency in audit management performance Management systems auditors (eg quality, environmental, IT, etc) who possess a considerable understanding and knowledge of OH&S issues, and who are able to demonstrate sufficient competence to participate in OH&S or integrated management system audits Occupational health and safety management system auditors who wish to have their auditing competence recognised.
28
Appendix I Part 4 Information Security Management System Auditor Scheme Specific Requirements and Guidance
Scheme specific (additional) requirements In the sector understanding and work experience sections of the application form, you are required to demonstrate the following knowledge and competencies: Knowledge of the range of application for an ISMS Knowledge of information security-related legislation applicable to the country(s) of operation Knowledge of the techniques and tools used in information security management Understanding of the potential business impacts of ISMS Understanding the importance of asset and owner identification Knowledge of control objectives and how these are addressed Knowledge of risk assessment and identification Understanding of the threats, vulnerabilities and impacts Understanding the difference between risk assessment and risk evaluation Understanding of the methodology of risk treatment, application, residual risk and review of risk treatment plan Knowledge of the understanding of the importance of the statement of applicability in the ISMS, and how it is used Knowledge of the difference between an IS event and incident.
The ISMS Scheme is based on the auditing key standards: ISO/IEC 27001:2005 Information technology Security techniques Information security management systems Requirements ISO/IEC 17799:2005 Information technology security techniques Code of practice for information security management EA 7/03: Guidelines for the accreditation of bodies operating certification/registration of information security management systems ISO/IEC 27001:2005 which provides correspondence and alignment with ISO 9001:2000 Quality management systems Requirements and ISO 14001:2004 Environmental management systems Requirements with guidance for use.
29
Guidance on who this scheme is intended for ISMS auditors, eg those employed/contracted by third-party certification/registration bodies and those involved in first or second-party ISMS audits Information security practitioners, eg information security consultants, IT security managers and IT personnel Employees conducting ISMS audits within their own organisation, ie internal ISMS audits.
30
Appendix I Part 5 Information Technology Service Management System Auditor Scheme Specific Requirements and Guidance
Scheme specific (additional) requirements In the sector understanding and work experience sections of the application form, you are required to demonstrate the following knowledge and competencies: Knowledge of the role of IT service providers and their responsibilities Knowledge of the importance of governance in relation to the ITMS Basic training in IT service management knowledge (eg IRCA will accept the ITIL Foundation certificate or equivalent training) Knowledge of ITIL. (IRCA will accept the ITIL Foundation certificate or equivalent training as satisfying this requirement) Understanding identification and management via risk analysis applied to ITMS Understanding of service level agreement (SLA), service management system (SMS), and service management plans and their interaction Understanding of release and deployment management and the importance of the agreed release policy Understanding configuration management and the importance of configuration items (CI) Understanding of the service delivery, including continuity and availability, and problem resolution process Understanding of the business relationship management and of the importance of SLAs.
The ITSMS Scheme is based on the auditing key standard: ISO 20000: Information technology Service management (current edition).
Guidance on who this scheme is intended for Employees conducting IT service management system audits within their own organisation, ie internal audits IT service management system auditors, eg those employed by third-party certification bodies/registrars or by purchasing organisations IT service management practitioners, eg IT service management consultants and other IT service management personnel.
31
Appendix I Part 6 Business Continuity Management System Auditor Scheme Specific Requirements and Guidance
Scheme specific (additional) requirements Within the sector understanding and work experience sections of the application form, you are required to demonstrate the following knowledge and competencies:
1) Knowledge of business continuity management principles that cover: BCM policy and programme management Understanding the organisation impact and risk Determining BCM strategies Developing and implementing BCM responses Exercising, maintaining and reviewing BCM arrangements Embedding BCM in organisational culture.
Note: IRCA will accept completion of the BCI Certificate Examination (CBCI) as evidence of the above. 2) Understanding the core processes involved in business continuity management and the interrelationships that enable you to examine BCMS, and to generate appropriate audit findings and conclusions Understanding the relationship processes based on business continuity management and supplier continuity management Understanding resolution processes based on identifying potential threats and impacts, and handling disruptions and business continuity incidents Knowledge of processes and products, including services, that enable you to comprehend the business context in which the audit is being conducted Knowledge of relevant standards, regulatory or legal requirements pertaining to BCM, within the specific sector and geography being audited Understanding the need for BCM to be a top management-led embedded business process, and the experience to evaluate whether this is being maintained effectively Understanding the nature of continual improvement through the use of top management leadership, planning and performance evaluation.
3) 4) 5) 6) 7) 8)
Guidance on who this scheme is intended for BCMS auditors, eg those employed by third-party certification bodies/registrars or by purchasing organisations BCMS practitioners, eg senior managers, BCMS consultants and other BC personnel Employees conducting BCMS audits within their own organisation, ie internal audits.
32
Guidance on transitioning to ISO 22301 from BS 25999 Please find guidance on transitioning to ISO 22301 from BS 25999 on the scheme page on the IRCA website: http://www.irca.org
33
Appendix I Part 7 Energy Management System Auditor Scheme Specific Requirements and Guidance
Scheme specific (additional) requirements In the sector understanding and work experience sections of the application form, you are required to demonstrate the following knowledge and competencies: Knowledge of energy management and the principles of energy efficiency Understanding the principles of fuel combustion, heat transfer and energy flow Understanding the relevant sources of energy regulation, guidelines and standards Understanding the typical methods and technologies for increasing energy efficiency Ability to interpret energy measurement units, sources, costs, tariffs and scheduling Ability to scrutinise energy-use data analysis methods Ability to analyse energy baselines, energy targets, performance indicators, monitoring and performance measurement Understanding the impact of organisational processes and equipment on energy efficiency Understanding of methods and techniques of energy management that enable the auditor to examine an energy management system, and to generate appropriate audit findings and conclusions.
In addition to the above, you need to demonstrate that you have completed training acceptable to IRCA that covers the following: The principles of fuel combustion, heat transfer and energy flow The relevant sources of energy regulation, guidelines and standards The typical methods and technologies for increasing efficiency Energy measurement units, sources, costs, tariffs and scheduling Energy-use data analysis methods Energy performance indicators, monitoring and performance measurement The impact of organisational processes and equipment on energy efficiency Electricity use: motors, drives, lighting and computers, etc.
Note: As a guide, courses such as the Energy Institutes Certificate in Energy Management Essentials (or equivalent) would meet this requirement, as would higher-level energy management-related qualifications.
The EnMS Scheme is based on the auditing key standard: ISO 50001: Energy management systems Requirements with guidance for use (latest Issue).
34
Guidance on who this scheme is intended for Energy management system auditors, eg those employed by third-party certification bodies/registrars or by purchasing organisations Energy management practitioners, eg energy consultants and other energy personnel Employees conducting energy management system audits within their own organisation, ie internal audits.
35
Appendix I Part 8 Pharmaceutical Management System Auditor Scheme Specific Requirements and Guidance
Scheme specific (additional) requirements In the sector understanding and work experience sections of the application form, you are required to demonstrate the following knowledge and competencies: Understanding of the pharmaceutical supply chain and the context of individual suppliers within the globalisation of the pharmaceutical supply chain Knowledge of ICH Q8 (current edition) and/or equivalent key elements in pharmaceutical development and the interaction of ICH Q9 (current edition) Understanding of risk management to establish the control strategy that can include parameters and attributes related to drug substance, product materials and components. This should embody a working relationship with IHC Q9 Understanding of GMPs and the application of EudraLex Volume 4 or the 21 CRF standards associated with them Understanding of the required GxP for which auditor application applies. For example, an auditor who is responsible for assessing the conformance of suppliers of active pharmaceutical ingredients must be familiar with ICH Q11: Development and manufacture of drug substances. An auditor performing internal audits on behalf of a biotech company must be familiar with EudraLex Volume 4 (Good manufacturing practice guidelines) Annex 2: Manufacture of biological medicinal products for human use. An auditor who is responsible for the assessment of an organisations global supply chain and suppliers who supply to other industries as well as the pharmaceutical industry must be familiar with the PQGs Guide to Supply Chain Risk Management and ISO 9001: Quality management systems Requirements. Knowledge of pharmaceutical product development process, including technology transfer.
The PQMS Scheme is based on the auditing key standards: ICH Q10: Pharmaceutical quality system (current edition) ICH Q9: Quality risk management (current edition) ICH Q8: Pharmaceutical development (current edition) ICH Q7: Good manufacturing practice guide for active pharmaceutical ingredients ISO 19011: Guidelines for auditing management systems (current edition) ISO 17021: Requirements for bodies providing audit and certification of management systems (current version).
36
Guidance on who this scheme is intended for Internal auditors who conduct partial pharmaceutical quality management system audits Pharmaceutical auditors working for third-party certification bodies/registrars who complete full pharmaceutical quality management system audits of suppliers, including: o o o Audits requiring specific technical Competencies, eg excipient manufacture, distributors, contract manufacture and analysis, etc Audits of raw material and component suppliers certified to ISO 9001, taking account of guidance document ICH Q11 Audits of different phases of the product lifecycle (ie research and development, clinical trial manufacture, commercial manufacture, distribution and supply, and product discontinuation).
Pharmaceutical quality practitioners consultants, audit programme managers and other related personnel.
37
Appendix I Part 9 Aerospace Quality Management System Auditor Scheme Specific Requirements and Guidance
Scheme specific (additional) requirements Within the sector understanding and work experience sections of the application form, all applicants are required to demonstrate knowlege and competence in the application of aerospace requirements. This means services and products that have airworthiness, regulatory, legal or aerospace-specific requirements. It will not be sufficient for you to have experience of products such as seats and cabin equipment, simple fasteners, general forgings, castings, fabrications or machined parts that, while used in aerospace applications, are subject to general engineering requirements rather than the airworthiness requirements detailed below. You should demonstrate on the form knowledge and competence in the majority of the following aerospace industry-specific aspects of aerospace industry quality, regulatory and/or military aerospace requirements: First article inspection Airworthiness and safety requirements Aerospace material traceability requirements Aerospace subcontractor approval and control Variation management of key characteristics Flow-down of aerospace QMS requirements Foreign object damage/debris (FOD) prevention Use of customer-supplied products Calibration controls and positive recall systems Acceptance authority media Nonconforming material management Sampling inspection/statistical process control requirements and limitations Special processes Configuration management/requirements control Aerospace manufacturing techniques Tool control Design development verification and validation.
For all grades other than Principal Auditor The two years of full-time aerospace experience (see notes 1 and 2 below) should be recent. The preferentional situation is that the two years experience was gained within the last four years. If, however, your employment in the aerospace industry finished more than two years before the date of the application, it may still be acceptable if you can demonstrate two years of relevant experience during the last 10 years. But in this instance, you must also provide evidence that you have maintained knowledge of, and contact with, aerospace standards and requirements.
38
For all grades There is an additional requirement of 45 hours of appropriate CPD having been completed over the previous three years (see p.21). At least a minimum of 15 hours of this must be directly related to development of specific aerospace industry or services auditing skills, and address currency of aerospace standards and regulations. Examples of acceptable ways of keeping up-to-date might include: Audits in aerospace companies while employed by a certification body or consultant Attendance on aerospace QMS training courses, such as AS/EN9100, AS/EN9110 and EASA Part 21 or Part 145 Courses run by aerospace primes for their suppliers, other training courses, or membership of a quality group run by the CQI or similar.
Note 1 Acceptable aerospace experience means employment in an organisation that is an aerospace prime or major supplier to a prime, designing or producing engine parts, avionics, landing gear, airframe components or auxiliary equipment, or a repair/maintenance organisation that has one or more of the following: AS9100/EN9100 certification AS9110/EN9110 certification FAR/EASA Part 21 or Part 145 approval CAA, JAA or FAA approval to airworthiness standards ISO 9001, where the applicant can clearly show the experience was not of products such as seats, fasteners, general forgings, castings or fabrications that, while used in aerospace, are subject to general engineering requirements rather than the airworthiness requirements detailed above.
Employment in one of the following is also considered as satisfying the aerospace work experience requirements: Civil, military (including armed forces personnel) or space organisations such as a national aviation authority (NAA), European space agency (ESA), NASA, or a government ministry or department of defence (MOD/DoD) where the prime responsibility was for aerospace. Note 2 For acceptable aerospace experience within the organisation as described in Note 1, the applicants role is required to have been related to the Aerospace QMS. Examples would include quality manager or engineer; production or manufacturing engineer, if involved in setting quality standards or validating compliance of products or methods of manufacture in accordance with design intent; design engineer, if working with airworthiness requirements; supplier quality engineers, if evaluating suppliers QMS or products in compliance with aerospace requirements; applicants working in a national aviation authority (NAA), space agency or government department of defence, having
39
responsibilty for monitoring the design, manufacture and procurement of aerospace products from appropriately approved aerospace prime organisations or suppliers to prime organisations, the assessment and approval of such organisations quality management systems and compliance with airworthiness requirements. Also, armed forces personnel who have direct experience of the repair and maintenance of military aircraft and associated aircraft systems and subsystems. The Aerospace QMS Scheme is based on the auditing key standards: ISO 9001: Quality management systems Requirements (latest edition) or AS/EN/JSIQ 9100: Quality management systems Aerospace Requirements (latest edition) or AS/EN 9110: Quality management systems Aerospace Requirements for maintenance organisations (latest edition). Note a): AS9120: Quality management systems Aerospace Requirements for stockist distributors also exists, but is not deemed to be comprehensive enough for the IRCA Aerospace Sector Scheme, and so audits to this standard alone are not acceptable audit experience. Note b): The IRCA Aerospace QMS Scheme must not be confused with the International Aerospace Quality Group ICOP Scheme. The IRCA Scheme is not sufficient for auditors conducting certification audits to the standards referenced above to gain entry on to the OASIS database. Guidance on who this scheme is intended for QMS auditors expected to check the effectiveness and compliance with aerospace requirements, such as those employed by third-party certification bodies/registrars (but not for ICOP certification), or to conduct second-party audits on behalf of purchasing organisations, or on behalf of organisations carrying out first-party audits of a size or complexity beyond the capability of internal auditor grades Quality practitioners, eg quality consultants, quality managers and other quality personnel that require the greater understanding or professional standing conferred by the grade Technical personnel/airworthiness surveyors etc with employment experience with civil aerospace regulatory authorities and government military aerospace organisations.
40
The TickIT Scheme is based on the following standards: ISO9001, ISO90003, ISO12207, ISO15288 and TickIT Guide (latest issues). Guidance on who this scheme is intended for Auditors working in the information technology industry, or in organisations involved in the development and/or procurement of: Software products Products that include software Software systems that facilitate service provision.
41
Appendix I Part 11 Food Safety Management System Auditor Scheme Specific Requirements and Guidance
Important notes: For Part 1 of this scheme, all of the IRCA auditor grades are available (see table on p.5) For Part 1 of this scheme, the generic auditor criteria apply (Section 5) For Part 2 of this scheme, only one grade is available ISO 22003: Auditor For Part 2 of this scheme, all the generic criteria for auditor grade apply (see Section 5.2).
Scheme specific (additional) requirements In the sector understanding and work experience sections of the application form, you are required to demonstrate the following knowledge and competencies: For Part 1 of FSMS Scheme: Experience of working within the food chain, preferably with an understanding of implementing and/or operating a management system Understanding the food sciences associated with food safety programmes Knowledge of relevant key food safety legislation Understanding prerequisite programmes Knowledge of relevant good practice guides, such as GMP, GHP, GAP, GVP, etc Understanding the principles of HACCP, as defined by the Codex Alimentarius Understanding the principles of food safety risk management and risk mitigation, including the processes used for determination of risk levels Understanding of methods and techniques of food safety management that enable the auditor to examine a food safety management system, and to generate appropriate audit findings and conclusions.
For Part II of FSMS Scheme As with Part 1, plus the following: Acceptable qualifications corresponding to post-secondary education, within general microbiology and general chemistry, in the category in which you are seeking certification (see categories below). This may be part of a science-based degree or near degree qualification, or a separate award by a recognised institution. Each additional category requires this qualification For those meeting the training requirements through an FSMS Auditor Conversion course, a minimum of a one-day course in HACCP principles, hazard assessment and hazard analysis, and food safety management principles including relevant prerequisite programmes (PRPs) of the Codex Alimentarius.
42
Part II: Auditing experience For initial certification to your first category, you need to have performed a minimum of 12 FSMS audit days and all under the direction and guidance of a Lead Auditor (or similarly qualified) competent to attest to your competence. The audits must have been conducted within four different organisations in the category you are applying for Each additional category requires four FSMS audits under the direction and guidance of a qualified auditor in the new category.
Part II: Renewal of certification You need to have completed at least five external audits per year, including at least two FSMS audits
or A minimum of four FSMS on-site external audits per year or Ten FSMS audit days per year.
The FSMS Scheme is based on the auditing key standards: Part 1: ISO 22000: Food safety management systems Requirements for any organisation in the food chain (latest issue) Part II: As with Part I, but including additional requirements based on ISO/TS 22003, for auditors who only carry out third-party certification audits.
Guidance on who these schemes are intended for Part 1: Environmental health officers Quality, environmental or health and safety management systems auditors who possess a considerable understanding and knowledge of food safety issues, and who are able to demonstrate competence to participate in food safety or integrated management system audits Food safety auditors who wish to have their auditing competence recognised.
Part II: Auditors conducting third-party audits on behalf of an accreditation or certification body, and performing audits to ISO 22000 (latest issue) and ISO/TS 22003 (latest issue) or an acceptable alternative.
43
FSMS Scheme Part II Food chain categories (as per ISO/TS 22003)
Category codes A B C Categories Farming 1 (Animals) Examples of sectors Animals, fish, egg production, milk production, beekeeping, fishing, hunting and trapping Fruits, vegetables, grain, spices and horticultural products Meat, poultry, eggs, dairy and fish products
Farming 2 (Plants)
Processing 1 (Perishable animal products, including all activities after farming, eg slaughtering Processing 2 (Perishable vegetable products) Processing 3 (Products with long shelflife at an ambient temperature) Feed production Catering Distribution Services
Fresh fruits and fresh juices, preserved fruits, fresh vegetables and preserved vegetables
Canned products, biscuits, snacks, oil, drinking water, beverages, pasta, flour, sugar and salt
F G H I
Animal feed and fish feed Hotels and restaurants Retail outlets, shops and wholesalers Water supply, cleaning, sewage, waste disposal, development of product, process and equipment, and veterinary services Transport and storage Process equipment and vending machines Additives, vitamins, pesticides, drugs, fertilizers, cleaning agents and biocultures Manufacturing packaging material
J K L M
44
Appendix I Part 12 Social Systems Auditor Scheme Specific Requirements and Guidance
Scheme specific (additional) requirements In the sector understanding and work experience sections of the application form, you are required to demonstrate the following knowledge and competencies:
Internationally accepted human rights norms, laws and regulations relating to labour and ethics issues Relevant industry codes of practice, legal requirements, guidelines and standards relating to labour, ethics, health and safety, and environmental issues Relevant international, national and local judicial systems and legislative frameworks Relevant social responsibility and labour culture, trade unions, non-governmental organisations (NGOs) and other interested parties within the country or area of operation.
Auditors are required to have the ability to: Plan, conduct and report a social systems audit Communicate responsibly and clearly, both orally and in writing, with personnel at all levels of an organisation, including workers Apply methods and techniques to gather and evaluate objective evidence (including payroll) and determine the conformance of a system designed to meet the audit criteria Generate accurate, appropriate and responsible audit findings and conclusions Uphold the principles of proper ethical conduct, fair presentation and due professional care.
The Social Systems Auditor Scheme is based on any of the following audit criteria: The Worldwide Responsible Accredited Production (WRAP) programme The Ethical Trading Initiative (ETI) Base Code performed in accordance with the SEDEX Members Ethical Trade Audit (SMETA) Best Practice Guidance The current versions of the EICC-GeSI Validated Audit Process (VAP) Audit Criteria, using the Electronic Industry Code of Conduct (EICC) and performed in accordance with the EICC-GeSI VAP Audit Operations Manual Any suitable proprietory scheme that includes the following United Nations (UN) and International Labour Organization (ILO) Conventions and core management principles.
Relevant UN Conventions:
Universal Declaration of Human Rights adopted and proclaimed by the General Assembly of the United Nations in resolution 217A (iii) 1948 UN Convention on the Rights of the Child 1924/1959 and 1989 UN Convention on All Forms of Discrimination Against Women 1979 ILO Tripartite Declaration of Principles Concerning Multinational Enterprises and Social Policy 2000
45
Note: Audits performed to the standard SA8000, developed by Social Accountability International (SAI), may also be used to demonstrate audit experience.
Guidance on who this scheme is intended for Certification to this scheme is generic and relevant to social systems audits performed within any industry, and therefore does not require any industry sector-specific Competencies. There is a specialist scheme for social systems auditors operating within the electronics industry, which requires specific auditor training and sector competence as defined within the EICC-GeSI Auditor Scheme. The purpose of both these Social System Auditor Schemes is to provide confidence that auditors who are certified are competent to audit for a variety of stakeholders, including: Purchasing organisations Supplier organisations Regulatory authorities NGOs Contracted verification agencies.
46
As an Auditor you must meet the requirements for at least one of these: Labour and ethics scope and/or Environmental, health and safety scope.
Lead Auditor
As a Lead Auditor it is mandatory that you meet the requirements for the labour and ethics scope. You may also meet the requirements for the environmental, health and safety scope.
* Scope requirements
Labour and ethics scope for all grades Five years general work experience, including either: or Qualification(s) in a closely related field. or EICC-GeSI Environmental, Health and Safety Lead Auditor course, plus EICCGeSI Labour and Ethics Conversion course. Two years of relevant labour and ethics work experience
Environmental, health and safety scope for all grades Five years general work experience, including either: or or EICC-GeSI Labour and Ethics Lead Auditor course, plus EICC-GeSI Environmental, Health and Safety Conversion course. Qualification(s) in a closely related field. Two years of relevant environmental and health and safety systems work experience
Qualifications/ experience
Auditor training
47
Within the sector understanding and work experience sections of the application form, you are required to demonstrate the following knowledge and competencies:
Internationally accepted human rights norms, laws and regulations relating to labour and ethics issues Relevant industry codes of practice, legal requirements, guidelines and standards relating to labour, ethics, health and safety, and environmental issues Relevant international, national and local judicial systems, and legislative frameworks Relevant social responsibility and labour culture, trade unions, non-governmental organisations (NGOs) and other interested parties within the country or area of operation.
The EICC-GeSI Scheme is based on the following audit criteria key documents:
Electronic Industry Code of Conduct (current version): The EICC Code of Conduct establishes standards to ensure that working conditions in the electronics industry supply chain are safe, that workers are treated with respect and dignity, and that business operations are environmentally responsible. The EICC Code of Conduct encourages broad adoption of CSR best practices by all ICT companies and suppliers, through guidelines for performance and compliance with critical CSR policies. The EICC Code of Conduct is the primary reference document for the EICC-GeSI Audit Criteria. EICC-GeSI provides the tools for audit compliance with the code and helps companies report progress, hence the significance of the following two key criteria documents: EICC-GeSI Validated Audit Process (VAP) Audit Criteria (current version) EICC-GeSI VAP Audit Operations Manual (current version)
48
49
Work experience You must have four years work experience in any of the positions below: Master, chief engineer, first mate, second engineer, superintendent or manager engaged in organising, managing and operating ships, surveying ships, or providing specific marine consultancy Deck and engineer officers sailing as chief mate or second engineer, having obtained their master and/or chief engineer certificates/qualifications Principal or senior lecturer in a marine college, teaching the above relevant marine courses and with supporting records of sea service.
Note 1: Sea time is most important, and IRCA will not only review qualifications and work experience but also records of sea-time experience, so please make sure this is made clear in your application. Note 2: Experience as a cargo surveyor, shipbuilder, ship designer, ship repairer or a ship inspector is not acceptable.
Academic qualifications Applicants are expected to hold at least one of the following: A degree in Nautical Science, Marine Engineering or Naval Architecture Under STCW 95 basic training; Deck Officer Certificate II/2 or Engineering Officer Certificate III/2 or a recognised equivalent.
50
Auditor training All applicants must have successfully completed an Approved Auditing Maritime Safety Management Systems training course, within a three-year period immediately prior to any application for certification. Such training courses must meet the requirements of ISO 19011:2011. Audit experience Auditor Requires a minimum of five audits, consisting of a maximum of four against the ISM code for the issue of the Ships Safety Management Certificate, and a maximum of two audits for the purpose of issuing the Document of Compliance for the shipping company. Applicants shall state on their audit log sheets (IRCA/106) which certificate has been issued for each audit, and further details of at least five audits shall be included on the Supplementary Audit log form (IRCA/150). Lead Auditor Requires a minimum of a further five audits (in addition to those specified above) as team leader, leading a team of two or more auditors. The overall total of 10 audits shall include one audit (as team leader) for issuing the Document of Compliance to a company managing a minimum of 10 vessels, or include two audits (as team leader) for issuing the Document of Compliance for companies managing less than 10 vessels. Note: Details of the above audits must be included on the Supplementary Audit form IRCA/150. Renewal of certification The generic requirements for renewal of certification apply (see Section 6), although all qualifying audits shall have been performed against a management system that includes all the elements of the ISM code. In addition to the IRCA/106 audit log sheet, all auditors are required to complete the IRCA/150 Supplementary Maritime (ISM) audit log form for each audit claimed. The maritime scheme is based on the following key document: ISM Code: The International Management Code for the Safe Operation of Ships and for Pollution Prevention (latest issue). Guidance on who this scheme is intended for Maritime auditors, such as those employed by: Flag administrations Recognised organisations Third-party certification bodies/classification bodies/registrars Charterers, oil majors or P&I clubs.
51
Maritime practitioners, such as: Marine consultants Ship managers Other marine personnel.
Employees conducting ISM code audits within their own organisation, ie: Internal audits Second-party audits.
52
Work experience (generic criteria does not apply) For all grades: Five years, or four years with a degree or near degree Two years of relevant health and safety work experience.
Examples of acceptable work experience include: A full-time role as manager, supervisor, engineer or auditor involved in technical aspects of construction-related site work in compliance with OH&S regulations The implementation and maintenance of OH&S or integrated management systems involving construction-related site health and safety compliance management Monitoring compliance on behalf of a regulating body against health and safety laws and regulations Auditing construction OH&S management systems on behalf of an accredited certification body The assessment of supplier probity against an acceptable OH&S management system standard on behalf of an employing organisation Provision of appropriate consultancy services involving OH&S Full-time role relating to the performance of OH&S risk assessment and management of safety audits of all types (not necessarily systems audits) Irrespective of the nature of your job, a key requirement is that you have acquired and can demonstrate knowledge and understanding of risk assessment and risk mitigation. If you submit OH&S work experience that is not included in the examples above, you will need to provide us with evidence that supports your claim that your work experience is acceptable.
53
Auditor training (generic criteria does not apply) For all grades: Successful completion of an IRCA-certified SSiP Assessor course and examination.
Auditing experience (generic criteria does not apply) For the Provisional Assessor: None.
For the Assessor: You need to have performed at least 10 complete assessments against Core Criteria Stage 1; this assessment activity must include document review, preparation and performance of the assessment activities, and assessment reporting. Although we recommend you should complete all of the assessments under the direction and guidance of an SSIP reviewer, we acknowledge that for many small SSIP Forum members this will be very difficult and costly to arrange. Consequently, we will accept a minimum of one assessment under these conditions. We will require the reviewer to attest to your competence to assess.
For the Reviewer: In addition to the assessment requirement for the SSIP Assessor grade listed above, you must have completed five acceptable assessment verifications.
Please note: For both an assessor and reviewer, assessment verifications must have taken place during the previous two-year period, and assessments must have taken place during the previous three-year period. We must be able to verify all assessment and verification experience you submit in your log sheets We will only accept assessments that have been performed in accordance with the requirements of the CDM 2007 ACOP Appendix 4 for Core Criteria Stage 1 Assessments performed against alternative national, international or company standards may be acceptable, as long as the issues required in Core Criteria Stage 1 are addressed as a basic minimum We will accept OHSAS 18011 audits performed by you if the scope of the audit included all elements of CDM 2007 ACOP Appendix 4 for Core Criteria Stage 1.
Renewal of certification
The renewal of certification process involves five requirements: Continuing professional development (as per generic criteria) Assessment experience (generic criteria does not apply) Declaration of complaints (as per generic criteria)
54
Compliance with the IRCA Code of Conduct (as per generic criteria) Payment of the annual fee (as per generic criteria).
Assessment experience
We need you to record and submit your assessment experience on the assessor log sheets (IRCA/4006) which we supply.
For SSIP Assessor grade: You need to have completed at least 15 acceptable assessments.
For SSIP Reviewer grade: You need to have completed at least 15 acceptable assessments, of which at least five must have been assessment verifications You must have performed all assessments within the previous three-year certification period.
Background to the SSIP Scheme The revised Construction (Design and Management) Regulations, which came into force in April 2007, introduced the Stage 1 Core Criteria for assessing health and safety competence of contractors and consultants working in the construction industry. The introduction of these competence criteria provided an opportunity for existing health and safety prequalification schemes to build on and formalise mutual recognition already in operation amongst some schemes. The Safe Systems in Procurement (SSIP) Forum (www.ssip.org.uk): Acts as an umbrella organisation to facilitate mutual recognition between health and safety prequalification schemes, wherever it is practicable to do so Actively advises and influences clients about acceptable interpretation and appropriateness of health and safety competence standards in UK schemes Embraces the core guidance on competence and training in the Approved Code of Practice (ACoP) of the Construction (Design and Management) Regulations 2007.
The SSIP Scheme Assessor Certification Scheme: To have credibility, the SSIP scheme requires competent and consistent assessors. To be efficient and competitive, SSIP Forum member organisations need competent assessors. The purpose of the IRCA SSIP Assessor Certification Scheme (SSIP Scheme) is to provide confidence to SSIP Forum member organisations and contractors/clients using assessed service providers and organisations/contractors who apply for approval via the SSIP scheme, that assessors certified to this scheme are competent.
55
As part of the certification process, we will evaluate you against requirements that reflect the key skills and attributes that define competence, and which you, the SSIP assessor, need to have and demonstrate during an assessment process. The management of health and safety in construction requires that a competency assessment of organisations (including principal contractors, contractors, designers and CDM coordinators) should be carried out as a two-stage process: Stage 1 is an assessment of a companys health and safety organisation and arrangements to determine whether these are sufficient to enable the organisation to carry out the work safely and without risk to health. Stage 2 is an assessment of the organisations experience and track record to establish that it is capable of doing the work. In order to provide more consistency in the way in which competency assessments of companies are carried out, a set of core criteria has been agreed by industry and HSE. These core criteria are set out in Appendix 4 of the CDM Regulations 2007. HSE encourages clients to accept a valid accreditation from any of the SSIP Forum member schemes as having met Stage 1 of the Core Criteria, and should not then require any further evidence in relation to Stage 1. The possession of an SSIP Forum accreditation cannot be taken on its own as a sufficient assessment of competence for a business to commence construction work, and all clients must ensure that before engaging an accredited business to carry out construction work, a further Stage 2 assessment of the core criteria will always be needed. This Stage 2 assessment is the responsibility of the client.
The SSIP Scheme is based on the following key document: Construction (Design and Management) Regulations 2007. Guidance on who this scheme is intended for Individuals and managers carrying out assessments against CDM 2007 Core Competence Stage 1 who wish to have their assessing competence recognised.
56
A1
Operates independently whilst working collaboratively within the company or SSIP membership. Contacts the applicant in a credible and positive manner that sets the tone for an effective assessment and reporting dialogue. Deploys appropriate techniques for assessing top management commitment and involvement in the safety management and application process. Applies assessment criteria appropriately to the size, risk and type of business.
D2
E1 E2 F1
Maintains and monitors the progress of individual assessments against realistic timelines, when the process requires additional data or clarification of evidence supplied in support of core competence criteria requirements. Maintains open communication with the applying organisation with respect to assessment progress. Acquires all required information effectively using appropriate techniques, to ensure conformity to the core competence criteria requirements. Selects samples and topics that are relevant and commensurate with the safety risks associated with the business activity or service provided by the applicant. Remains focused on assessment objectives and is not deflected away from required assessment trails. Collects information effectively through a variety of means, such as observing and reviewing documents, records and data, and where necessary interviewing and listening. Effectively tests the level of compliance and robustness of the applying companys processes. Demonstrates effective assessment of stated processes via review of supplied inputs, outputs, controls, reviews and resources. Analyses data effectively and makes rational judgements. Is aware of and acts upon factors that can affect the reliability of the assessment findings and conclusions. Evaluates the effectiveness of the system within the context of the business/industry sector. Evaluates and reports to the applying organisation as to whether the design and implementation of the safety system is appropriate to the required application, and the advancement of safety standards within the applying organisation.
F2
F3 Gather assessment evidence F4 F5 F6 F7 G1 Evaluate findings and decide conformity and effectiveness of the safety system G2 G3
57
Activity Identify opportunities for use of simplification/ best practice beyond conformance
H1
Adopts a value-added approach to the assessment, but does not offer consultancy
Practices effective verbal communication through personal linguistic skills Discloses and discusses assessment findings openly and honestly with the applicant Communicates the findings of the assessment in a style that is credible and which is of value to the applying organisation Makes requests for additional data or clarification in a style that is accurate, easily understood and straightforward to follow Writes an assessment report that accurately and succinctly summarises the assessment findings using only verifiable facts Adapts to changing circumstances, and is open to new ideas, approaches and methods Deals with ambiguity Works productively in high-pressure environments Keeps emotions under control, handles criticism well and learns from it
Generic Competencies Assessment Appropriately samples the assessment process to confirm consistency
K1
Reviews assessors outputs to confirm standard assessment across the scheme Identifies and provides necessary assessors of CPD Identifies any trends with specific assessors Reviews the complaint or dispute fairly and without pre-judgement
58
Appendix II Definitions
Audit A systematic, independent and documented process for obtaining audit evidence and evaluating it objectively, to determine the extent to which audit criteria are fulfilled. Auditee The organisation being audited. Audit client The person or organisation requesting an audit. Audit team Two or more auditors performing an audit, one of whom is appointed as leader. Lead audit An audit where the auditor performed the audit whilst leading a team of at least one other auditor. Sole audit An audit where one auditor performed all phases of the audit. First-party audit An audit performed within an organisation by that organisations own auditing resource. Also referred to as an internal audit. Second-party audit An audit of contractors/suppliers undertaken by, or on behalf of, a purchasing organisation. This may include the audit of companies or divisions supplying goods or services to others within the same group. Also referred to as a supplier audit. Third-party audit An audit of an organisation performed by a body that is independent of the organisation being audited, eg certification body or registrar.
59
g) In the event of any alleged breach of this code, to cooperate fully with any formal enquiry procedure.
60