The purpose of this document is to define the MQA process that has to be followed by applicant organizations seeking Certification based on the requirements of relevant management system standards as per requirements of ISO/IEC 17021, and other applicable international standards for certification bodies offering management system certifications or related services.
This document guides you through the certification process including some of the back-office activities which you don’t see usually.
MQA, on request, will provide any specific information required by the applicant organization.
This procedure is applicable to any Management System Certification Services provided by MQA.
||Audits carried out by MQA, independent of the Customer and the parties that rely on certification, for the purpose of certifying the Customer's management system.
||Presence of objectivity where objectivity means that conflicts of interest do not exist or are resolved so as not to adversely influence subsequent activities of MQA.
||Organization whose management system is being audited by MQA for certification purposes.
||Person who provides specific knowledge or expertise to the audit team.
||Ability to apply knowledge and skills to achieve intended results.
||Person who conducts an audit.
ISO/IEC 17021-1:2015, clause 9.1 - 9.6
5. PRE-CERTIFICATION ACTIVITIES
- 5.1.1 MQA is providing certification services to the organizations established as legal entities around the globe. It is expected that the organizations applying for certification MUST be registered entities as per applicable laws within their country.
- 5.1.2 Customer has to send a formal Request for Quotation (RFQ) with all required details mentioned below:
- Company Name
- Company Website (If any)
- Contact Person's Name
- Contact Person's Email
- Contact Person's Mobile #
- Management System (In Scope)
- Scope of Certification (Including Processes)
- No. of Employees under Scope
- No. of Sites under Scope
- Are You Already Certified? (Yes/ No)
- If Yes - Attach Existing/ Expired ISO Certificate
- Whether consultancy has been provided and, if so (By whom?)
- 5.1.3 Sales Team of MQA will receive the RFQ and acknowledge the Customer ASAP.
- 5.1.4 MQA reserves the right to seek more information for the respective Customer before deciding to accept the application for further processing.
- 5.1.5 Sales Team will log the respective RFQ in the MQA Portal for further processing.
- 5.1.6 Before applying for certification, the Customer must have met the following conditions:
- Implement the management systems for at least three months. This is necessary to assess the ability of the organization to carry out the process as per the documented management system.
- Carried out minimum one round of internal audit and management review against the applicable documented management system.
5.2 Application Review
- 5.2.1 MQA conducts a review of the application and supplementary information to ensure that:
- The information about the Customer and its management system is sufficient to develop an audit programme.
- Any known difference in understanding between the MQA and the Customer is resolved.
- MQA has the competence and ability to perform the certification activity.
- The scope of certification sought, the site(s) of the Customer’s operations, time required to complete audits and any other points influencing the certification activity are taken into account (language, safety conditions, threats to impartiality, etc.)
5.3 Application Review - Status
- 5.3.1 Based on the application review process, the MQA will either accept or decline an application for certification. When the MQA declines an application for certification as a result of the application review, the reasons for declining an application shall be documented and communicated to the Customer.
- 5.3.2 Based on this review, the MQA will determine the competences it needs to include in its audit team and for the certification decision.
Note: Records of the justification for the decision to undertake the audit are maintained.
5.4 Audit Programme Development
- 5.4.1 An audit programme for the full certification cycle shall be developed by MQA to clearly identify the audit activity/activities required to demonstrate that the Customer’s management system fulfils the requirements for certification to the selected standard(s) or other normative document(s).
- 5.4.2 The audit programme for the certification cycle shall cover the complete management system requirements.
Calculation of Audit Time
- 5.4.3 MQA has a documented procedure for determining audit time. For each Customer the MQA shall determine the time needed to plan and accomplish a complete and effective audit of the Customer’s management system.
- 5.4.4 The duration of the management system audit and its justification shall be recorded.
- 5.4.5 Where multi-site sampling is used for the audit of a Customer’s management system covering the same activity in various geographical locations, the MQA will develop a sampling programme to ensure proper audit of the management system.
- 5.4.6 The rationale for the sampling plan shall be documented for each Customer. Sampling is not allowed for some specific certification schemes, and where specific criteria have been established for a specific certification scheme, e.g. ISO/TS 22003, these shall be applied.
5.5 Quotation Submission
- 5.5.1 For accepted applications, the MQA will prepare a formal quotation for the related services as per the developed audit programme and share with Customer to review and accept.
- 5.5.2 MQA Quotation contains all the description of services required by the Customer.
5.6 Quotation Review
- 5.6.1 Customer will review the respective quotation and respond on the quotation on the MQA Portal.
5.7 Certification Agreement Submission
- 5.7.1 Once Customer has accepted the quotation, then the MQA will prepare a formal Certification Agreement for the related services and share with Customer to review and accept.
5.8 Certification Agreement Acceptance
- 5.8.1 Customer will review the respective Certification Agreement and accept it to proceed with the respective contract services.
5.9 Gap Assessment (Readiness Review)
- 5.9.1 After the acceptance of Certification Agreement, a Gap Assessment i.e. Readiness Review will be conducted by MQA Auditor. This assessment consists of an informal visit before the Initial Certification Audit. Please note that Customer must be able to demonstrate that their management system has been fully operational for a minimum of three months and has been subject to a full cycle of internal audits and management review. This phase is required to know the readiness of Customer’s management system implementation to avoid any later issues during the initial certification audit activities.
- 5.9.2 Based on the Gap Assessment results, Customer may postpone the initial certification audit activities.
6. CERTIFICATION AUDIT ACTIVITIES
6.1 Determine Audit Objectives, Scope and Criteria
- 6.1.1 The audit objectives are determined by the MQA and the audit scope and criteria, including any changes, shall be established by the MQA after discussion with the Customer.
- 6.1.2 The audit scope describes the extent and boundaries of the audit, such as sites, organizational units, activities, and processes to be audited. Where the initial or re-certification process consists of more than one audit (e.g. covering different sites), the scope of an individual audit may not cover the full certification scope, but the totality of audits shall be consistent with the scope in the certification document.
- 6.1.3 The audit criteria used as a reference against which conformity is determined and include:
- The requirements of a defined normative document on management systems.
- The defined processes and documentation of the management system developed by the Customer.
- 6.1.4 MQA prepares a tentative audit program for the Customer for next three years which includes initial two stage audits, surveillance audit and renewal audit date prior to expiration of the certificate.
- 6.1.5 During any stage of the certification cycle this program may change due to the changes in the organization. It is the responsibility of the certified organization to inform MQA about any changes related to:
- The legal, commercial, organizational status or ownership,
- Organization and management (e.g. key managerial, decision-making, or technical staff),
- Contact address and sites, size of the organization,
- Scope of operations under the certified management system.
- Major changes to the management system and processes.
6.2 Audit Team Selection
- 6.2.1 The audit team, including the audit team leader and technical expert as necessary is identified by MQA from their pool of empanelled auditors, considering the competence needed to achieve the objectives of the audit and requirements for impartiality.
- 6.2.2 If there is only one auditor, the auditor shall have the competence to perform the duties of an audit team leader applicable for that audit. The audit team shall have the totality of the competences identified by the MQA.
- 6.2.3 The names of the members of the audit team, along with their profile and details will be communicated to the Customer along with the audit schedule giving them a time of two working days to raise any objection against the appointment of any of the team members. Any objection by the Customer against any of the team members must be accompanied in writing with adequate grounds for the objection. MQA will evaluate the objection and decide whether to change the team member or to overrule the objection raised by the Customer.
- 6.2.4 Efforts are made to ensure that the team is kept intact throughout the audit process. If there is any change in the composition of the team members, the same shall be communicated to the MQA for their acceptance.
- 6.2.5 The team members are required to maintain confidentiality of the sensitive information about the operation of the applicant organization obtained as part of the audit process.
- 6.2.6 The necessary knowledge and skills of the audit team leader and auditors may be supplemented by technical experts, translators and interpreters who shall operate under the direction of an auditor. Where translators or interpreters are used, they shall be selected such that they do not unduly influence the audit
- 6.2.7 The criteria for the selection of technical experts are determined on a case-by-case basis by the needs of the audit team and the scope of the audit.
6.3 Audit Plan Preparation
- 6.3.1 Based on the draft audit programme, a detailed audit plan for each audit appropriate to the objectives and scope of the audit will be prepared by MQA Lead Auditor / any competent person in that relevant management system in coordination MQA Lead Auditor before 7 working days and communicated to Customer for their acceptance.
- 6.3.2 While Preparing this audit plan, the MQA Lead Auditor will take care of the individual person’s knowledge and skills, experience in the related sector specific requirements.
- 6.3.3 The audit plan shall at least include or refer to the following:
- the audit objectives
- the audit criteria
- the audit scope, including identification of the organizational and functional units or processes to be audited
- the dates and sites where the on-site audit activities will be conducted, including visits to temporary sites and remote auditing activities, where appropriate
- the expected duration of audit activities
- the roles and responsibilities of the audit team members and accompanying persons, such as observers or interpreters.
- 6.3.4 The audit plan must be communicated, and the dates of the audit shall be agreed upon, in advance, with the Customer.
6.4 Certification Audits
The certification audit will be performed by MQA in two stages i.e. stage 1 and stage 2 and MQA audit methodology may include the below:
- Review of records,
- Interviews with the Customer’s employees,
- Observation of processes,
- Review of systems configurations,
Audit is always a sampling activity where the activities performed in each stage is written below for your reference:
6.4.1 Stage – 1 Audit
The stage 1 audit shall be performed to verify:
- The Customer’s management system documentation including all levels on documents.
- To evaluate the Customer’s location (s) and site-specific conditions and to undertake discussions with the Customer’s personnel to determine the preparedness for the stage 2 audit.
- To review the Customer’s status and understanding regarding requirements of the standard(s), in particular with respect to the identification of key performance or significant aspects, processes, objectives and operation of the management system.
- To collect necessary information regarding the scope of the management system, processes and location(s) of the client, and related statutory and regulatory aspects and compliance (e.g. quality, environmental, legal aspects of the Customer’s operation, associated risks, etc.)
- To review the allocation of resources for stage 2 audit and agree with the client on the details of the stage 2 audit.
- To evaluate if the internal audits and management review are being planned and performed, and that the level of implementation of the management system substantiates that the client is ready for the stage 2 audit.
- To provide a focus for planning the stage 2 audit by gaining a sufficient understanding of the Customer’s, management system and site operations in the context of possible significant aspects.
- If the stage 1 is successful, the Lead Auditor can proceed with stage 2 audit immediately provided agreed by client. If stage 1 and stage 2 audits are planned consecutively then an offsite document review will be performed prior to the stage 1 audit and a document review report will be submitted to the client. Client will provide the relevant documents for document review prior to stage 1.
- Stage 1 will be conducted on-site or remotely as per the agreement between MQA and Customer.
- The maximum gap between stage 1 and stage 2 will be 90 days. After the lapse of 90 days, this will be treated as a new certification.
- Client will be given an official report on the outcome of stage 1 audit. All critical non-conformities have to be closed and evidence to be submitted prior to the stage 2 audit. All non-critical non-conformities must be closed and evidence to be shown during stage 2.
- At the end of stage I audit, recommendation may be any one of the following depending upon the findings during the audit:
- MQA may share a plan for the stage 2 audit with Customer as per the closure status of stage 1 audit.
- Follow-up Audit
Note: Stage 1 does not require a formal audit plan and the stage 1 output does not need to meet the full requirements of a report.
6.4.2 Stage – 2 Audit
The stage 2 audit will be performed to verify the implementation, including effectiveness, of the client's management system. The stage 2 audit will take place at the site(s) of the client or remotely. It will include at least the following:
- Information and evidence about conformity to all requirements of the applicable management system standard or other normative document.
- Performance monitoring, measuring, reporting, and reviewing against key performance objectives and targets (consistent with the expectations in the applicable management system standard or other normative document).
- The client's management system and performance as regards to legal compliance.
- Operational control of the client's processes.
- Internal auditing and management review.
- Management responsibility for the client's policies.
- Links between the normative requirements, policy, performance objectives and targets (consistent with the expectations in the applicable management system standard or other normative document), any applicable legal requirements, responsibilities, competence of personnel, operations, procedures, performance data and internal audit findings and conclusions.
- The result of the audit will be informed in the concluding meeting.
- Customer will be given an official audit report on the outcome of the stage 2 audit.
- There are four possible outcomes from the stage 2 audit i.e. Certification/Renewal audits:
- Recommendation for certification subject to closure of the Non-conformities.
- Limited re-audit or follow-up visit at a later date based on the findings.
- No recommendation for certification, which usually means that a complete re-audit is necessary.
- Recommendation for certification.
- All critical nonconformities must be closed and evidence to be submitted on MQA Portal within 45 days from the last day of stage 2 for and ISO standard. After the lapse of specified days, this will be treated as a new certification.
- All non-critical nonconformities must be closed and evidence to be shown during next surveillance audit.
6.5 Audit Report
- 6.5.1 MQA must provide a written report for each audit to the Customer. The audit team may identify opportunities for improvement but shall not recommend specific solutions. Ownership of the audit report shall be maintained by MQA.
- 6.5.2 The MQA Lead Auditor shall ensure that the audit report is prepared and shall be responsible for its content. The audit report shall provide an accurate, concise, and clear record of the audit to enable an informed certification decision to be made and shall include or refer to the following:
- identification of the certification body i.e. MQA.
- the name and address of the Customer and the Customer’s representative.
- the type of audit (e.g. initial, surveillance or recertification audit or special audits)
- the audit criteria
- the audit objectives
- the audit scope, particularly identification of the organizational or functional units or processes audited and the time of the audit
- any deviation from the audit plan and their reasons
- any significant issues impacting on the audit programme
- identification of the audit team leader, audit team members and any accompanying persons
- the dates and places where the audit activities (on site or offsite, permanent, or temporary sites) were conducted.
- audit findings reference to evidence and conclusions, consistent with the requirements of the type of audit.
- significant changes, if any, that affect the management system of the client since the last audit took place.
- any unresolved issues, if identified
- where applicable, whether the audit is combined, joint or integrated
- a disclaimer statement indicating that auditing is based on a sampling process of the available information.
- recommendation from the audit team
- the audited client is effectively controlling the use of the certification documents and marks, if applicable.
- verification of effectiveness of taken corrective actions regarding previously identified nonconformities, if applicable.
6.6 Certification Decision
- 6.6.1 MQA Lead Auditor submits audit report along with the supporting auditor notes, necessary documents to Certification Decision Committee for technical review.
- 6.6.2 The Certification Decision Committee will make the certification decision on the basis of an evaluation of the audit findings and conclusions and any other relevant information specified in the audit report and other submitted information.
- 6.6.3 The Certification Decision Committee are in its capacity shall have the right to ask for any further clarifications on the report and information submitted on the applicant’s process and the applicant shall not refuse to present such information.
- 6.6.4 MQA ensures that the persons or committees that make the decisions for granting or refusing certification, expanding or reducing the scope of certification, suspending or restoring certification, withdrawing certification or renewing certification are different from those who carried out the audits and the individual(s) appointed to conduct the certification decision shall have appropriate competence.
- 6.6.5 Once Certification Decision Committee shares the positive decision then a certificate will be issued that will be valid for 1 year. This is maintained through annual surveillance audits (partial audits) and a 3 yearly recertification audit (full system audit).
- 6.6.6 Customer can download the ISO certificate(s) from MQA Portal as well as see the audit reports and fill the correction actions and related responses for the issues audit findings.
- 6.6.7 ISO certificate(s) will be verified on MQA website as well as on the Accreditation Board website for authenticity.
7. CERTIFICATION MAINTENANCE
7.1 Surveillance Audit
- 7.1.1 MQA will perform annual surveillance audits during the period of the certificate’s validity. The surveillance audits will include evaluation of any amended documentation, planning and conduct of the audit, including reporting and registration by certification body.
- 7.1.2 The frequency and duration of surveillance audit is dependent on factors including:
- Complexity and risk of business activities
- Size and structure of Customer’s organization
- Number of management systems standards included in the scope of certification
- Number of sites listed within the scope of certification
- 7.1.3 The result of the audit will be informed in the concluding meeting.
- 7.1.4 Client will be given an official report on the outcome of the surveillance audit.
- 7.1.5 All critical non-conformities have to be closed and evidence to be submitted within 45 days from the last day of the audit. After the lapse of specified days, this will be treated as a new certification.
- 7.1.6 All non-critical non-conformities have to be closed and evidence to be shown during next audit.
- 7.1.7 The surveillance audits will have to be carried out within – 3 / + 0 months from the last date of the certification audit for annual surveillance and – 1.5 / + 0 for bi-annual surveillance audit.
- 7.1.8 Any delay from the surveillance audit date will result in suspension. If the Customer did not initiate the audit within 90 days (for annual surveillance) and 45 days (for bi-annual surveillance), the certification body will revoke the suspension. However, any further delay, the certification body will dismiss the certificate.
- 7.1.9 Re-certification audits to be performed minimum of 3 months prior to expiry of the certificate. Generally, only 1 stage of audit is required for re-certification audits. However, if applicable a re-certification audit may be performed in 2 stages.
7.2 Recertification Audit
- 7.2.1 The purpose of the recertification audit is to confirm the continued conformity and effectiveness of the management system as a whole, and its continued relevance and applicability for the scope of certification. A recertification audit shall be planned and conducted to evaluate the continued fulfilment of all of the requirements of the relevant management system standard or other normative document.
- 7.2.2 Recertification Audit shall be planned and conducted in due time to enable for timely renewal before the certificate expiry date.
7.3 Special Audits
7.3.1 Expanding Scope
- 220.127.116.11 Special audits shall be carried out whenever there is a modification of scope which include addition or deletion of activities and are applicable to the following changes in the organization:
- If there is a merger or an acquisition by the Customer.
- Addition or deletion of process activities.
7.3.2 Short-Notice Audits
- 18.104.22.168 MQA reserves the right to conduct short notice audits under the following situations:
- Complaints received from the customers or interested parties
- Company has filed for bankruptcy or has been delisted.
- Change in the customer’s Management
- Change in the customer’s location of activities
- Change in the customer’s business operations
- Major changes to the management system and processes
- Follow up on suspended clients
- Adverse media reports.
7.3.3 Transfer Audits
- 22.214.171.124 MQA considers the request from the Customers seeking transfer of accredited management system certificates issued by another certification body (CB) to MQA during the period of the certificate validity.
- 126.96.36.199 Whenever MQA receives such requests, Sales team must obtain following information from the Customer:
- Complete Client Information.
- Existing valid certificate.
- Reason for seeking transfer.
- Previous audit report and Status on raised non-conformities.
- 188.8.131.52 The following aspects are verified during the application review process:
- Scope requested by the Organization fall within the scope of MQA
- Validity of certificate to know that its note expired.
- review of complaints and actions taken
- Status on last audit findings as per audit report.
- Verification whether the other CB is covered by a valid Accreditation Board.