Certification Process

Certification Process

1.0 PURPOSE

2.0 SCOPE

3.0 REFERENCES

4.0 RESPONSIBILITIES

• 4.1 Request for Quote
• 4.2 Application review
• 4.3 Acceptance of the Offer
• 4.4 Stage 1/Document review
• 4.5 Certification audit

  4.5.1 Audit Plan

  4.5.2 Audit Team

  4.5.3 Opening Meeting

  4.5.4 Audit performance

  4.5.5 Closing Meeting

  4.5.6 Audit Report

  4.5.7 Document Submission

  4.5.8 Board of Review

  4.5.9 Issuing the Certificate

• 4.6 Maintance of certification

  4.6.1 Surveillance Audit

  4.6.2 Re-Certification Audit

  4.6.3 Special Audits

5.0 TRANSFER AUDITS

• 5.1 Applicants currently registered by a certification body accredited by an IAF MLA signatory
• 5.2 Pre-Transfer Review
• 5.3 Conducting the transfer Audit
• 5.4 Applicants currently registered by a certification body accredited by other than an IAF MLA signatory or by an unaccredited registrar
• 5.5 TUV USA cooperation with the transfer process
  
  

1.0 PURPOSE

This document outlines the process for conducting on-site audits as defined in documented requirements drawn up in accordance with the relevant guidance provided in ISO 19011 and 17021.

Return to top

2.0 SCOPE

The procedure is structured to fully meet the requirements of the referenced documents listed under paragraph 3.0 below, and to enable free client access, impartiality, non-discrimination, and participation by all parties concerned in the certification process.

Return to top

3.0 REFERENCES

ISO 17021
ISO 19011

Return to top

The following flow chart outlines the basic certification process employed by TUV-USA:

4.0 RESPONSIBILITIES

4.1 Request for Quote
Any organization can submit a request for quote to TUV-USA.

Return to top

4.2 Application review
Before proceeding with the quote/offer, TUV USA reviews the information on the application plus any additional information available, such as web sites. All applications are reviewed by the sector specific manager for the following:

1. Review general information – Company name, address, contact, etc.
2. Verify scope within TUV USA approved accreditations and codes
3. Consider associated risks with this client, including potential threats to impartiality, if any
4. Language, safety conditions, shifts, number of employees
5. Consider any outsourced processes.

The costs for audit activities are calculated and entered on the Quotation Worksheet by the Customer Service Administrator. The Certification manager or designee reviews the information, based on the requirements of IAF Guidance documents as applicable. Justification for added or reduced on-site time must be clearly described. Multi-site certification calculations are quoted in accordance with IAF Guidance documents or per specific industry requirements.

The quotation worksheet is forwarded to the Customer Service Administrator, who prepares a formal offer and sends it to the potential client. When an offer is generated, it is recorded on the quote log by the Customer Service Administrator. Issuance of an offer is the record of the justification for the decision to undertake the audit. The offer and P009 are then forwarded to the potential client.

If the review indicates that an offer should not be made, the applicant is notified of the decision by the Customer Service Administrator. If it is decided to tender an offer in opposition to these general guidelines, a record of the justification for the decision to undertake the audit will be maintained with the client documentation. All exceptions must be approved by the Director of Operations or designee.

The Customer Service Administrator or will follow up and track issued quotations made to potential new customers of TUV USA.

The Assistant to the President and Director of Operations is designated as backup for the Customer Service Administrator.

Return to top

4.3 Acceptance of the Offer
Upon notification of client acceptance of the offer (usually by receipt of a purchase order), a review is performed again to verify TUV USA can meet all requirements of the certification process, and that all commercial terms have been agreed to.

Based on this review, the sector specific manager determines the competences needed to include in the audit team and for the certification decision. The audit team is appointed and composed of auditors (and technical experts, as necessary) who, between them, have the competence to perform the certification of the applicant organization. The review board requirements are verified at this time as well.

Return to top

4.4 Stage 1/Document review
The client is responsible to provide its latest revisions of the quality manual, process descriptions, procedures, and work and test instructions to the Lead Auditor for documentation review as agreed on. The documents are reviewed against the requirements of the applicable standards and all known requirements (regulatory, customer specifics, e.g.). The document review results are included in the stage 1 activities and reporting. The client is informed by the reviewer of the results either verbally or through a copy of the report.

Stage 1 audit
The stage 1 audit is performed:

1. to audit the client's management system documentation;
2. to evaluate the client's location and site-specific conditions and to undertake discussions with the client's personnel to determine the preparedness for the stage 2 audit;
3. to review the client's status and understanding regarding requirements of the standard, in particular with respect to the identification of key performance or significant aspects, processes, objectives and operation of the management system;
4. to collect necessary information regarding the scope of the management system, processes and location(s) of the client, and related statutory and regulatory aspects and compliance (e.g. quality, environmental, legal aspects of the client's operation, associated risks, etc.);
5. to review the allocation of resources for stage 2 audit and agree with the client on the details of the stage 2 audit;
6. to provide a focus for planning the stage 2 audit by gaining a sufficient understanding of the client's management system and site operations in the context of possible significant aspects;
7. to evaluate if the internal audits and management review are being planned and performed, and that the level of implementation of the management system substantiates that the client is ready for the stage 2 audit.
8. to gather exact details of the portion of the QMS system that is to be audited per site audited.

The stage 1 audit is documented on the Stage One Audit form. The embedded audit plan may be modified by the Lead auditor to meet the specific organization’s requirements, and provided to the client by the Lead Auditor in advance of the audit.

The stage 1 audit will normally be carried out at the client's premises in order to achieve the objectives stated above. Justification for offsite performance may be granted based on:

• Very small organization
• Simple system and processes
• Remote location
• Others as appropriate

All requests for waiver of the onsite performance of the stage 1 must be documented and approved by the Director of Operations or Certification Manager of TUV-USA.

When the stage 1 is not done onsite, the required information must be reviewed using telecons, emails, document submissions, or other means, to assure the audit readiness of the organization.
Stage 1 audit findings shall be documented and communicated to the client, including identification of any areas of concern that could be classified as nonconformity during the stage 2 audit.

In determining the interval between stage 1 and stage 2 audits, consideration shall be given to the needs of the client to resolve areas of concern identified during the stage 1 audit. The certification body may also need to revise its arrangements for stage 2. The normal period should not be longer than ninety days. Once a stage 1 audit is performed, no pre-audits are allowed for the client, as this might result in a conflict of interest.

Stage 1 audits are not normally required for recertification, certificate transfers, and for existing clients. Stage 1 audits may be performed for these activities as explained in section 4.6.2 of this document or when deemed necessary by the sector manager.

Return to top

4.5 Certification audit
TUV-USA top management directs all employees in its auditing, certification, and surveillance functions to certify clients to quality system standards.  The Certification Manager or Assistant to the President/Director of Operations selects the Lead Auditor for each audit team.

The Lead Auditor is responsible for conducting all phases of the audit, including preparation of the audit plan, submittal of the audit report, supervision of the other audit team member(s) and making recommendations regarding the client’s quality management system certification. The Lead Auditor represents the audit team with the client’s management.

The audit team members are responsible for cooperating with and supporting the Lead Auditor during the ongoing audit activities, including input for recommendation in regard to the client's quality management system certification. The client shall provide access to its facilities, resources, and cooperate with the TUV-USA audit team in the achievement of the audit objectives.

Return to top

4.5.1 Audit Plan
Audit planning shall take into consideration the results of the stage 1 audit, if applicable.

The Audit Plan for the certification audit is prepared by the Lead Auditor and contains the following:

• Audit objectives and scope
• Reference documents (appropriate industry standard)
• Identification of audit team members and the client’s management representative
• Dates and place where the audit is to be conducted
• Expected time and duration for the opening and closing meetings, meetings with the client’s management, and for each major audit activity (process based)
• Client’s organizational unit representatives to be audited for each major audit activity
• Language of the audit
• Confidentiality requirements
• Audit report submittal and expected date of issue.

The Lead Auditor submits the audit plan to the client for approval, and copies the audit team member(s). The lead auditor assigns each member of the audit team specific processes to audit. Auditor caucuses are held as needed to aid in the audit management, share information, or adjust the audit plan, as necessary.

Return to top

4.5.2 Audit Team
For new clients, the Certification Manager or designee selects the audit team members based on skills, experience and, special product expertise as needed for the client scope of registration. The selection is based on the following:

1. Scheme qualification
2. Level of impartiality
3. Specific industry experience
4. Language skill 
5. Geography
6. Organization input

The Assistant to the President / Director of Operations is authorized to assign existing audit team members to subsequent audit activities for the same client. Auditors assigned to surveillance audits and recertification audits not on the prior audits will be appointed as above.

The selection and approval of the audit team is recorded on the Auditor Assignment Form. The Lead auditor will notify the client verbally or in writing of the selected audit team, with sufficient time allowed to permit the client to appeal the selection.

Return to top

4.5.3 Opening Meeting
The opening meeting is normally convened at the beginning of the first audit day. The Lead Auditor conducts the meeting attended by the audit team members, the client representatives as appropriate and the management representative. Information to be included in the opening meeting, as well as attendance, is recorded on the Opening and Closing form.

Return to top

4.5.4 Audit performance
The Audit Team verifies, through interviews, examination of documents, and observation of activities and conditions in the audited areas. The processes audited are documented by the audit team in the auditor notes.

The stage 2 audit will verify:

• information and evidence about conformity to all requirements of the applicable management system standard
• performance monitoring, measuring, reporting and reviewing against key performance objectives and targets
• the client's management system and performance as regards legal compliance;
• operational control of the client's processes;
• internal auditing and management review;
• management responsibility for the client's policies;
• links between the normative requirements, policy, performance objectives and targets, any applicable legal requirements, responsibilities, competence of personnel, operations, procedures, performance data and internal audit findings and conclusions.
• For AS9000 auditsReview OASIS database program
• Identify OASIS administrator
• Have client register in OASIS
• The physical locations and audit time spent at each site.
• All sites will have an individual Objective Evidence Record done pertaining to the area or portion of the QMS system audited.

A nonconformity is defined as the absence of, or the failure to implement and maintain, one or more quality management system requirements, or a situation that would, on the basis of available objective evidence, raise significant doubt as to the quality of what the organization is supplying. Nonconformance’s are documented on the brief audit report as follows:

• Minor Nonconformity:  A single system failure or lapse in conformance.
  
• Major Nonconformity:  The absence of, or total breakdown of a quality management system element as specified in the appropriate standard or any non-conformance where the effect is judged to be detrimental to the integrity of the product or service. A number of minor nonconformities against one requirement can represent a total breakdown of the system and may be considered as a major nonconformity.

Nonconformance reports are issued for audits performed under the AS9100 sector scheme.
Opportunities for improvement will be recorded as a means of providing the client value added information with the intent of strengthening the quality management system without defining the methods to be used. Recorded opportunities for improvement are not to be construed as non-conformities. The quality management system must clearly provide evidence of effective implementation but may require additional clarification or description of the process.

Return to top

4.5.5 Closing Meeting
The Lead Auditor conducts the meeting attended by the audit team members, the client representatives as appropriate and the management representative.  Attendance is recorded on the Opening and Closing form, which also contains the areas to be covered during the closing meeting.

The organization’s representative will sign the Brief audit report to acknowledge the audit outcome. A copy of this document will be retained by the audit team.

Return to top

4.5.6 Audit Report
The client submits evidence of closure of audit findings to the Lead Auditor. The Lead Auditor informs the client of acceptance status of any actions taken. Final verification of the corrective action may include a review of client documentation, records or by an on-site verification within a time period agreed to by the client and the Lead Auditor.

The audit team shall analyze all information and audit evidence gathered during the stage 1 and stage 2 audits to review the audit findings and agree on the audit conclusions. The audit team will provide to TUV-USA the audit documentation, comments on the nonconformities and, where applicable, the correction and corrective actions taken by the client. The audit team will also confirm the information on Application form is correct, and provide their recommendation whether or not to grant certification, together with any conditions or observations.

Following the certification audit, the Lead Auditor prepares the Audit Report, with input from the audit team members. The issuance of the Audit report is indication the Lead auditor has reviewed and approved any actions taken for items noted within the Brief Report. The audit is complete upon submission of the audit report to the client.

Return to top

4.5.7 Document Submission
The Lead auditor will submit all audit documentation to the New Hampshire office no later than two weeks of the audit completion. Should any findings be noted on Brief audit report, the entire audit documentation package with the exception of the final audit report shall be submitted, with the final report sent upon acceptance of the client’s implementation of appropriate actions by the lead auditor.

It is the responsibility of the Lead Auditor to track client closure of nonconformance’s within the specified time period, and to assure timely submission of audit documentation to the NH office.

When concurrent audits are performed, it is acceptable to use a single form for all providing the forms are technically equivalent. Examples of this include combined sector specific audits, QMS/EMS audits, TUV Cert/ TUV USA audits, etc. 

Return to top

4.5.8 Board of Review
The Certification Section is responsible for review of the Auditor team recommendation for certification and has the final decision on client certification. The final decision is made from information found on and recorded on the Auditor Technical Review / Performance analysis form.

Certificates of Registration are not issued until all nonconformance’s have been reviewed and accepted by the Lead Auditor and fully implemented by the organization.  Follow-up may or may not be necessary. The effective date on the certificate shall not be before the date of the certification decision.

The Lead Auditor is responsible to follow up on any items identified by the review board in a timely manner, including submission of revised documentation and all client contacts.

Return to top

4.5.9 Issuing the Certificate

Upon approval the Certification Section issues a certificate with a validity of three years. The Certification Manager or designee signs the certificate. The following steps are completed:

• Notify the client that certification has been granted
• Provide the client with the certificate
• Provide the client with artwork for the TUV USA logo and accreditation body mark and the rules for their use
• Provide the client with the certification audit report
• Include the client in the TUV-USA published list of certified organizations
• Provide the client with the applicable client responsibility documents

Return to top

4.6 Maintenance of certification
The TUV-USA certificate is valid for three years; provided the client system is maintained and successful surveillance audits are performed. The certified client shall maintain all certification requirements throughout the validation period, including those found in the TUV-USA procedure P-009. Recertification audits are performed at the end of the three-year period in order to renew the validity of the certificate for another three-year period.

All surveillance audit reports are subject to independent review by competent TUV-USA personnel to assure the process is effective. Any audit findings that may initiate certification suspension or withdrawal are subject to this review as well. This is indicated to the reviewers by checking the box on F010 audit report “Suspension/withdrawal of certificate recommended by the audit team.

TUV-USA will reduce the client's scope of certification to exclude the parts not meeting the requirements, when the client has persistently or seriously failed to meet the certification requirements for those parts of the scope of certification. The certificate will be revised to reflect the amended scope.

Return to top

4.6.1 Surveillance Audit
Surveillance audits shall be conducted at least once a year. The date of the first surveillance audit following initial certification shall not be more than 12 months to the month from the last day of the stage 2 audit. The surveillance audit is scheduled with the client with a tolerance of minus three, plus zero months of the certification date. One Auditor normally performs the surveillance audit.

The Assistant to the President / Director of Operations provides the Lead Auditor with Quote Worksheet /Auditor Assignment. The Lead Auditor is responsible to verify with the client information is correct (headcount, scope, etc.). If any differences are found, the lead auditor will notify the NH office, who will notify the certification manager. The certification manager will review the changes for their potential impact on the performance of the audit, including possible modification to the certification.

Surveillance activities shall include on-site audits assessing the certified client's management system's fulfillment of specified requirements with respect to the standard to which the certification is granted.

Audit planning is done to assure that that the certification body can maintain confidence that the certified management system continues to fulfill requirements between recertification audits. The audit planning shall take into account the previous audit activities, including areas of nonconformance and identified opportunities for improvement.

The audit planning will try to cover as many processes of the client’s system as practical. Where no significant issues exist from previous audits, the second annual surveillances will include the client processes not included in the first annual surveillance cycle.

When there is a change of auditors between audits, the new auditor has access to the prior audit results to help familiarize themselves with the client and its certified management system.

Conduct of the audit will be consistent with the requirements of certification audits, i.e. open meeting, interviews, etc.

Surveillance audits will include:

1. internal audit, management review and preventive and corrective action;
2. review of action taken on nonconformities identified during the last audit;
3. customer complaints;
4. changes to the documented system;
5. areas subject to change;
6. other selected areas as appropriate
7. the effectiveness of the quality management system with regard to achieving the organization’s objectives;
8. the functioning of procedures for notifying management of any breaches;
9. progress of planned activities aimed at continual improvement of system performance;
10. follow up of conclusions resulting from internal audits;
11. use of logos and marks, references to certification (including at a minimum);
    • Company documentation
    • Company marketing material
    • Company websiterecords of appeals, complaints and disputes brought before TUV-USA, 
12.  where any nonconformity or failure to meet the requirements of certification is revealed, that the organization has investigated its own systems and procedures and taken appropriate corrective action.
13. the scope of registration as listed on the certificate to ensure no changes have occurred
14. continuing operational control
15. Aerospace clients:
    • confirmation of OASIS administrator
    • Identity matches OASIS database
    • If not, inform client of need to change OASIS information
    • Proficiency of administrator(if changed) for responsibilities in OASIS

The surveillance audit documentation completed by the Auditor shall include:

• Audit Plan
• Opening and Closing Meeting attendance
• Brief audit report
• Audit Report
• Auditor Notes / Audit Question List / AS9101 Quality Assessment as applicable

The surveillance audit report describing the results of the audit shall be submitted to the NH office no later than two weeks after the audit is completed. Should any findings be noted on the brief audit report, the entire audit documentation package with the exception of the final audit report shall be submitted, with the final report sent upon acceptance of the client’s implementation of appropriate actions by the lead auditor.

It is the responsibility of the Lead Auditor to track client closure of nonconformance’s within the specified time period, and to assure timely submission of audit documentation to the NH office.

The client certification shall be maintained based on successful completion of surveillance audits, including audit document submission reviews by TUV-USA. Should the results of the audit indicate certification is not maintained, the process described in P008, Certificate Suspension and Withdrawal shall apply.

Return to top

4.6.2 Re-Certification Audit
A recertification audit is conducted at the end of the initial certification to evaluate the continued fulfillment of all of the requirements of the relevant management system standards. The purpose of the recertification audit is to confirm the continued conformity and effectiveness of the management system as a whole, and its continued relevance and applicability for the scope of certification.

Consideration is given to the performance of the client’s management system over the period of certification, and includes the review of previous surveillance audit reports.

The recertification audit normally will not include a stage 1, but may have a stage 1 audit in situations where there have been significant changes to the management system, the client, or the context in which the management system is operating (e.g. changes to legislation).

In the case of multiple sites or certification to multiple management system standards, the planning for the audit shall ensure adequate on-site audit coverage to provide confidence in the certification per P014.

All recertification audits shall include the following:

• the effectiveness of the management system in its entirety in the light of internal and external changes and its continued relevance and applicability to the scope of certification;
• demonstrated commitment to maintain the effectiveness and improvement of the management system in order to enhance overall performance;
• whether the operation of the certified management system contributes to the achievement of the organization's policy and objectives.

During a recertification audit, if nonconformances are noted, correction and corrective actions need to be implemented prior to the expiration of the current certification.

The registration section will make its decision for renewing certification as described in 4.5.8, and on the results of the recertification audit, as well as the results of the review of the system over the period of certification and complaints received from users of certification.

Return to top

4.6.3 Special Audits 
In the event special audits are deemed necessary for Extensions to scope or Short-notice audits, the QSD management will handle these situations on a case by case basis. Documentation of these will be maintained in the client’s file.

Should an existing client request an extension to the scope of a certification already issued,
TUV-USA will require the client to provide an updated F001 form. TUV-USA will then undertake a review of the application and determine any audit activities necessary to decide whether or not the extension may be granted and if allowed, the time and timing required. Scope extension audits may be conducted in conjunction with a surveillance audit or as a stand alone audit, depending on the results of the F001 review.

Receipt of a valid complaint from an interested third party is an example of when a short notice audit may be performed. Documented complaints by a third party relative to the client’s certified management system will be reviewed by the Director of Operations or designee. If the complaint is determined to be valid, TUV-USA may elect to perform an audit specifically addressing the complaint. Any nonconformance’s raised during this audit will be subject to the same process as a nonconformance issued in a scheduled audit.

TUV-USA form F010, “Audit report” provides the client with information of when a short notice may also be required. This includes major changes to the quality system or quality documentation, changes in location, ownership, product scope and key personnel. When received, the impacts of the changes are reviewed by the sector manager against the certified system, and potential impact is determined. If additional information is required, the client or other interested parties may be contacted.

Return to top

5.0 TRANSFER AUDITS

5.1 Applicants currently registered by a certification body accredited by an IAF MLA signatory

The applicant will provide proof of its current accredited quality system certification. If the applicant’s quality system scope is within TUV USA’s accreditation, a quote for the transfer of registration will be sent to the applicant. The duration of the quoted on-site audit will reflect current surveillance or re-certification guidelines for the size and complexity of the applicant relative to its position in the life of its current registration.

Return to top

5.2 Pre-Transfer Review

The sector manager from TUV-USA shall carry out a review of the current certification status of the prospective client. This review will be conducted by means of the application review and, direct contact with the prospective client by telephone if necessary.

The transfer review covers the following aspects:

• Confirmation that the client’s scope is within TUV-USA accreditation scope+
• The reasons for seeking a transfer
• A valid accredited certificate, in terms of authenticity, duration, scope of activities covered by the quality management system and scope of accreditation, is held in respect of the site or sites wishing to transfer. 
• A review of prior audit reports and nonconformance’s, if any
• Customer complaints 
• Expiration date of current certificate
• any current engagement by the organization with regulatory bodies in respect of legal compliance.

If practical, the validity of the applicant's current certification and the status of outstanding nonconformities will be verified with the current registrar.

Certificates known to have been suspended or to be under threat of suspension will normally not be accepted for transfer. Outstanding nonconformities should be closed out, if practical, with the current registrar before transfer. If not, verification of closure will be performed by TUV-USA prior to transferring certification.

If doubt continues to exist after the pre-transfer review as to the adequacy of a current or previously held certification, TUV-USA will, depending upon the extent of doubt, either:

• Treat the applicant as a new client or
• Conduct an assessment concentrating on identified problem areas

The decision as to the action required will depend upon the nature and extent of any problems found and will be explained to the applicant.

Return to top

5.3 Conducting the transfer Audit

If the transfer audit is performed, the auditor will obtain evidence as to the current health of the applicant’s quality system. This will involve review of past audit reports and nonconformance’s issued, as well as auditing a representative sample of the client’s certified management system. 

The Certification section will review the audit information and make a final determination concerning the audit team recommendation.  If the application for transfer or assumption of registration is accepted by TUV USA, a TUV USA certificate will be issued for the length of time of the original certification period.

Return to top

5.4 Applicants currently registered by a certification body accredited by other than an IAF MLA signatory or by an unaccredites registrar

Applicants in this category will be treated as currently uncertified.  They will be quoted and processed as new certifications.

Return to top

5.5 TUV USA cooperation with the transfer process

If a TUV USA certified firm terminates its relationship with TUV USA and requests in writing that its quality system’s third party assessment records held by TUV USA be transferred to another registrar, TUV USA will comply with the request, assuming all matters between the firm and TUV USA are otherwise in order.

Return to top

P001 V1.5