Certification Policies & Procedures
Conformity assessment activities must be undertaken impartially. DEKRA Certification, Inc. ("DEKRA") remains responsible for the impartiality of its conformity assessment activities and will not allow commercial, financial or other pressures to compromise impartiality.
Top management within DEKRA Certification, Inc. is committed to impartiality when executing activities within the management system certification. DEKRA manages conflict of interest and ensures the objectivity of its management system certification activities.
DEKRA maintains top management commitment to impartiality in management system certification activities. DEKRA maintains a policy which supports the importance of impartiality in carrying out its management system certification activities, manages conflict of interest and ensures the objectivity of its management system certification activities.
DEKRA Certification, Inc. will not certify another certification body ("CB") for its quality management system certification. DEKRA will not seek quality management system certification from another CB.
Neither DEKRA, nor any part of the same legal entity, nor any entity under the organizational control of DEKRA, will offer or provide management system consultancy. This will not preclude the possibility of exchange of information (e.g. explanation of findings or clarification of requirements) between DEKRA and its clients.
The carrying out of internal audits by DEKRA for its certified clients is a significant threat to impartiality. Therefore, DEKRA and any part of the same legal entity and any entity under the organizational control of DEKRA will not offer or provide internal audits to its certified clients. A recognized mitigation of this threat is that DEKRA will not certify a management system on which it provided internal audits for a minimum of two years following the completion of the internal audits.
DEKRA will not outsource audits to a management system consultancy organization, as this poses an unacceptable threat to the impartiality of DEKRA. This will not apply to individuals contracted as auditors.
DEKRA’s activities will not be marketed or offered as linked with the activities of an organization that provides management system consultancy. DEKRA will take action to correct inappropriate links or statements by any consultancy organization stating or implying that certification would be simpler, easier, faster or less expensive if DEKRA were used.
DEKRA, and all auditors working on behalf of DEKRA, shall not state or imply that certification would be simpler, easier, faster or less expensive if a specified consultancy organization were used.
In order to ensure that there is no conflict of interests, personnel who have provided management system consultancy, including those acting in a managerial capacity, will not be used by DEKRA to take part in an audit or other certification activities if they have been involved in management system consultancy towards the client. A recognized mitigation of this threat is that personnel will not be used for a minimum of two years following the end of the consultancy.
Where a client has received management systems consultancy from a body that has a relationship with DEKRA (including the DEKRA parent organization and any other DEKRA entity worldwide), this is a significant threat to impartiality. A recognized mitigation of this threat is that DEKRA will not certify the management system for a minimum of two years following the end of the consultancy.
DEKRA will take action to respond to any threats to its impartiality arising from the actions of other persons, bodies or organizations.
All DEKRA personnel, either internal or external, or committees, who could influence the certification activities, shall act impartially and shall not allow commercial, financial or other pressures to compromise impartiality.
DEKRA requires personnel, internal and external, to reveal any situation known to them that can present them or DEKRA with a conflict of interests. DEKRA will record and use this information as input to identifying threats to impartiality raised by the activities of such personnel or by the organizations that employ them, and will not use such personnel, internal or external, unless they can demonstrate that there is no conflict of interest.
Records of the conflict of interest review and plan shall be maintained.
It shall be considered a conflict of interest if, within the previous three years, any staff member of DEKRA or any related entity has provided to the client any of the following non-verification services:
- providing consultancy or services related to developing, implementing or maintaining the model demonstrating energy performance;
- providing consultancy or services related to developing, implementing or maintaining the Register of Implemented Energy Performance Improvement Actions;
- providing consultancy on developing or implementing the energy management system or energy performance improvements;
- conducting an internal audit of the organization’s EnMS;
- conducting an energy audit within the scope and boundary of the EnMS; or,
- completing the SEP 50001 Scorecard for the client.
For multi-site, DEKRA shall not prepare the SEP Energy Performance Improvement Reports for sites not sampled in the audit.
It is the responsibility of DEKRA top management to safeguard the impartiality of DEKRA activities.
Signed Contract Auditor Agreements shall serve as a record of conflict of interest of the contracted auditors under DEKRA's control.
DEKRA and any part of the same legal entity shall not have management system consultancy as part of their organization, offer or provide quality management system or AQMS consultancy, or conduct internal audits for their clients.
More than one pre-audit shall be considered as consultancy.
CBs, or bodies related to a CB, that have provided management system consulting services and/or paid private training to a particular client may not conduct certification services for that client, nor may they supply auditors for a period of two years after the services were provided.
Medical Device Impartiality
(MD9 5.2) DEKRA and its auditors shall be impartial and free from engagements and influences which could affect their objectivity, and in particular shall not be:
- involved in the design, manufacture, construction, marketing, installation, servicing or supply of the medical device
- involved in the design, construction, implementation or maintenance of the quality management system being audited
- an authorized representative of the client organization, nor represent the parties engaged in these activities
The situations hereafter are examples where impartiality is compromised in reference to the criteria defined above:
- the auditor having a financial interest in the client organization being audited (e.g. holding stock in the organization)
- the auditor being employed currently by a manufacturer producing medical devices
- the auditor being a member of staff from a research or medical institute or a consultant having a commercial contract or equivalent interest with the manufacturer or manufacturers of similar medical devices
DEKRA may carry out the following ISMS-related duties without them being considered as consultancy or having a potential conflict of interest:
- arranging and participating as a lecturer in training courses, provided that, where these courses relate to information security management, related management systems or auditing, DEKRA shall confine themselves to the provision of generic information and advice which is publicly available, i.e. they shall not provide company-specific advice which contravenes the requirements of b) below;
- making available or publishing on request information describing the certification body’s interpretation of the requirements of the certification audit standards (see ISO 27006:2015 126.96.36.199);
- activities prior to audit, solely aimed at determining readiness for certification audit; however, such activities shall not result in the provision of recommendations or advice that would contravene this clause and DEKRA shall be able to confirm that such activities do not contravene these requirements and that they are not used to justify a reduction in the eventual certification audit duration;
- performing second and third-party audits according to standards or regulations other than those being part of the scope of accreditation;
- adding value during certification audits and surveillance visits, e.g. by identifying opportunities for improvement, as they become evident during the audit, without recommending specific solutions.
DEKRA shall not provide internal information security reviews of the client’s ISMS subject to certification. Furthermore, DEKRA shall be independent from the body or bodies (including any individuals) which provide the internal ISMS audit.
Occupational Health and Safety Impartiality
DEKRA shall not offer or provide specific services in the field of Occupational Health and Safety considered as OHSMS consultancy to clients certified or being certified for OHSMS by DEKRA. These include, but are not limited to:
- performing the role of Occupational Health and Safety coordinator,
- safety reporting,
- performing risk assessments,
- performing Occupational Health and Safety inspections and internal audits,
- communication with regulatory authorities on behalf of the client,
- assistance in developing an organization’s Occupational Health and Safety Management System, and
- accident and incident investigation.
Management system certification is offered by DEKRA Certification, Inc., which operates independently from any consulting and training activities using the DEKRA brand.
Use of Certification Documents and Marks
The client shall not:
- use the DEKRA certification mark on a product nor product packaging nor in any other way that may be interpreted as denoting product conformity. There must be no ambiguity in the certification mark or the accompanying text as to what DEKRA has certified.
- publish its certification status prior to DEKRA issuing a certificate
- make or permit any misleading statement regarding its certification.
- use or permit the use of a certification document or any part thereof in a misleading manner.
- upon withdrawal of its certification, continue to use any advertising matter that contains a reference to certification by DEKRA.
- delay amending all advertising matter if the scope of certification changes.
- allow reference to its management system certification to be used in such a way as to imply that DEKRA certifies a product, process or service.
- imply that the certification applies to activities and sites that are outside the scope of certification.
- use its certification in such a manner that would bring DEKRA and/or the certification system into disrepute and lose public trust.
- apply any DEKRA mark to a laboratory test, calibration, inspection report or certificate.
If Client makes any statement regarding a DEKRA-certified management system on product packaging or in accompanying information, the statement must not imply that this certifies the product, process, or service. The statement must identify: (i) the certified client (e.g. brand or name); (ii) the type of management system (e.g. quality, environment) and the applicable standard; and (iii) the certification body (DEKRA).
Product packaging is considered as that which can be removed without the product disintegrating or being damaged. Accompanying information is considered as separately available or easily detachable. Type labels or identification plates are considered as part of the product.
Certificates may be reproduced in color or black and white but must contain all information per the certificate without alteration.
Client may announce the receipt of their certification, with or without logos, on stationery and in literature/advertising in accordance with the following:
- Company Name and Division(s)/Site(s) and Location(s) for which the certification applies must be noted. Client may not imply that all divisions/sites are certified unless a multi-site certification has been granted covering all divisions/sites.
- Client must note the appropriate Standard for which their certification applies (e.g. ISO 9001, ISO 14001, TL 9000, AS9100, etc.).
- Scope of certification per Client's certification agreement and the certificate must be noted. Clients must not imply that all processes or services for a particular division/site are certified unless all have been certified. Example: A division/site may have a “manufacturing process” and a “service process”. The certification might only cover one of the two processes; therefore, a Client may not claim that this division/site is certified without also noting the “scope”.
- DEKRA logos may not be used in Client’s contracts with third parties.
Client must obtain written permission for use of the DEKRA name if it is to be used for any purpose not stated above. A sample of the proposed use must also be submitted to DEKRA with the request.
Initial Certification Audit
The initial certification audit of a management system shall be conducted in two stages: stage 1 and stage 2.
Planning ensures that the objectives of stage 1 can be met and the client remains informed of any “on site” activities during stage 1. Stage 1 does not require a formal audit plan.
The objectives of stage 1 are to:
- review the client’s management system documented information;
- evaluate the client’s site specific conditions and to undertake discussions with the client’s personnel to determine the preparedness for stage 2;
- review the client’s status and understanding regarding requirements of the standard, in particular with respect to the identification of key performance or significant aspects, processes, objectives and operation of the management system;
- obtain necessary information regarding the scope of the management system, including the client’s site(s); processes and equipment used; levels of controls established (particularly in case of multisite clients); and applicable statutory and regulatory requirements.
- review the allocation of resources for stage 2 and agree the details of stage 2 with the client;
- provide a focus for planning stage 2 by gaining a sufficient understanding of the client’s management system and site operations in the context of the management system standard or other normative document;
- evaluate if the internal audits and management reviews are being planned and performed, and that the level of implementation of the management system substantiates that the client is ready for stage 2.
- confirm the level of integration if the client holds multiple integrated standards.
Documented conclusions with regard to fulfillment of the stage 1 objectives and the readiness for stage 2 must be communicated to the client, including identification of any areas of concern that could be classified as a nonconformity during stage 2.
The stage 1 output does not need to meet the full requirements of a report.
In determining the interval between stage 1 and stage 2, consideration must be given to the needs of the client to resolve areas of concern identified during stage 1. DEKRA may also need to revise its arrangements for stage 2. If any significant changes which would impact the management system occur, DEKRA will consider the need to repeat all or part of stage 1. The client must be informed that the results of stage 1 may lead to postponement or cancellation of stage 2.
EnMS Stage 1
Any necessary SEP Administrator approvals should be received prior to the Stage 1 audit.
The Stage 1 audit may be performed on-site or remotely.
The Stage 1 audit shall include the following:
- confirmation of scope and boundaries of the EnMS for certification;
- review of a graphical or narrative description of the organization's facilities, equipment, systems and processes for the identified scope and boundaries;
- confirmation of the number of EnMS effective personnel, energy sources, significant energy uses and annual energy consumption, in order to confirm the audit duration;
- review of the documented results of the energy planning process;
- review of a list of the energy performance improvement opportunities identified as well as the related objectives, targets and action plans.
If SEP is included, the Stage 1 audit shall be performed to:
- collect necessary information regarding the scope and boundaries;
- review the client's status regarding the requirements of ANSI/MSE 50028-1;
- review energy types to ensure there have not been exclusions;
- review data to confirm it is not more than 11 months old;
- ensure that the SEP Register of Implemented Energy Performance Improvement Actions is available and the SEnPI is available and meets the threshold requirements of the p-value, F-test value and R² value as set forth in the SEP M&V Protocol;
- review the client’s status regarding SEP PA approvals, as applicable; and,
- evaluate whether internal audits and management reviews include SEP requirements and are being planned and performed.
Outputs from the above Stage 1 SEP requirements shall include:
- confirmation that the SEP PA pre-approval(s) have been received, as applicable;
- confirmation of the SEP Register of Implemented Energy Performance Improvement Actions for the Bottom Up Comparison has been filled out; and,
- review of a facility site plan or layout or graphical or narrative description of the facility.
Minimum components of a SEP Stage 1 audit:
- the results of the last internal audit of the energy management system following the requirements of ISO 50001 and ANSI/MSE 50028;
- a summary of the last management review;
- the specific energy performance level and energy performance improvement percentage that is being claimed;
- the modeling method from the appropriate sector-specific SEP Measurement and Verification Protocol used in arriving at the energy performance improvement claim, or, for a model that requires pre-approval, the criteria reviewed or discussed during the Stage 1 audit;
- a discussion of any non-default values from the sector-specific SEP Measurement and Verification Protocol, as appropriate;
- a list of the energy performance improvements related to the energy performance improvement claim is available;
- a list of systems, processes, or equipment within the scope of the EnMS;
- a facility site plan or layout or graphical or narrative description of the facility.
There shall be two classifications of Stage 1 findings:
- ready, and
- not ready.
If the conclusion of the report is that the client is "not ready" for the Stage 2 audit, the client shall submit the required documents or records to attain a "ready" conclusion. There shall be documented evidence of when the "ready" conclusion is achieved. Upon achieving a "ready" conclusion from the Stage 1 audit, the client and DEKRA shall make arrangements for the Stage 2 audit.
Medical Device (ISO 13485) Stage 1
(MD9 188.8.131.52) Where higher risk medical devices (e.g. GHTF C and D) are concerned, the stage 1 audit must be performed on-site.
Aerospace Stage 1
Before the Stage 1 audit, the audit team leader shall be confirmed and possible audit team members shall be identified.
The Stage 1 audit shall:
- be performed by the audit team leader appointed for the initial audit with audit team assistance, if needed; and
- include an on-site visit.
For organizations with more than one site that have a single QMS, the Stage 1 audit shall also include an evaluation of the identified central function with the authority for administration, control, audit, review, and maintenance of the QMS. Additionally, a relevant number of representative sites, including all sites with different technologies and dissimilar activities, shall be included. This will give the audit team sufficient information in order to identify the complexity, risk, and scale of the activities covered by the QMS subject to certification; any differences between sites; and to what extent each site produces or provides substantially the same kind of products/services according to the same procedures and methods.
The Stage 1 audit shall include a tour of the site facilities. This will enable the audit team to gain a greater understanding of the organization's processes, equipment, areas, products, and state of readiness in preparation for the Stage 2 audit.
During the Stage 1 audit, the audit team shall collect sufficient information that allows DEKRA to:
- confirm the audit program;
- review the need for additional technical experts and/or auditors to compose a competent audit team;
- review the percentage of revenue for aviation, space, and defense industry business, as a proportion of the organization's total revenue (as declared by the organization, during the application review phase);
- confirm the number of employees associated to aviation, space, and defense industry business (i.e., full time, part time, temporary) and percentage of total work force (as declared by the organization, during the application review phase);
- review the key (e.g., top five) aviation, space, and/or defense customers (as declared by the organization, during the application review phase);
- confirm other customers requiring 9100-series standards compliance, together with any customer-specific QMS requirements (if applicable);
- confirm the number of shifts and shift patterns specific to production, maintenance and/or servicing;
- determine restricted areas/proprietary information/confidentiality;
- determine customer presence at the organization [i.e., resident representatives, regular meetings, reason(s) for presence];
- determine any additional audit activities, as needed, for the fulfillment of the requirements for initial certification; and
- schedule the Stage 2 audit activities.
The audit team leader shall require the organization to provide the necessary documented information and documentation for review, including the following:
- requirements determined as not applicable within the scope, including justification by the organization (see 9100-series standards clause 4.3);
- QMS documented information (e.g., quality manual);
- evidence of performance data for each key customer, including product or service conformity and OTD trends, plus any complaints; the data should be sufficient to allow the audit team leader to make a judgment on performance and trends;
- product conformity and OTD performance measures and trends;
- evidence that the requirements of the applicable 9100-series standards are addressed by the organization's documented information established for the QMS (see 9100-series standards clause 4.4);
- evidence of customer satisfaction and complaint summaries, including verification of customer reports, scorecards, and special status or equivalent;
- evaluation of certification structure (i.e., single site, multiple site, campus, several site, complex organization) eligibility for determination of audit time and sampling (see 9104/1);
- level of QMS integration;
- export limitations/controls (if applicable) [e.g., International Traffic in Arms Regulations (ITAR), Export Administration Regulation (EAR)];
- customer delegated inspection and/or authorized direct ship/direct delivery (if applicable).
The audit team leader shall use the results of the organization review and additional information obtained from the site tour to verify the following and present at the Stage 1 closing meeting:
- develop a plan for the Stage 2 audit, that includes any additional QMS requirements from the organization's aviation, space, and defense customers;
- verify the proposed scope of certification and its applicability to the IAQG scheme and, where necessary, communicate to the organization why the proposed scope should be modified;
- verify the information used for audit day calculation and recommend/revise, as needed;
- review the audit time for the Stage 2 audit and update the audit plan accordingly;
- adjust the composition of the audit team for the Stage 2 audit, including the addition of any technical experts or translators that are needed;
- verify the information used for determination of the certification structure; and
- identify any changes required to the contract and communicate those revisions to the organization and DEKRA.
DEKRA shall review the status of the areas of concern to determine preparedness for the Stage 2 audit.
After the Stage 1 audit, the team composition for the Stage 2 audit shall be reviewed based on information received and observed during the Stage 1 audit; followed by the final appointment of the team members.
The Certification Structure Form must be forwarded to the IAQG OPMT Certification Oversight Subcommittee for review, prior to the Stage 2 audit, if the client is determined to have a Complex structure.
ISMS Stage 1
DEKRA shall require that a client makes all necessary arrangements for the access to internal audit reports and reports of independent reviews of information security.
At least the following information shall be provided by the client during stage 1 of the certification audit:
- general information concerning the ISMS and the activities it covers;
- a copy of the required ISMS documentation specified in ISO/IEC 27001 and, where required, associated documentation.
In this stage of the audit, DEKRA shall obtain documentation on the design of the ISMS covering the documentation required in ISO/IEC 27001.
DEKRA shall obtain a sufficient understanding of the design of the ISMS in the context of the client’s organization, risk assessment and treatment (including the controls determined), information security policy and objectives and, in particular, of the client’s preparedness for the audit. This allows planning for stage 2.
The results of stage 1 shall be documented in a written report. DEKRA shall review the stage 1 audit report before deciding on proceeding with stage 2 and for selecting the stage 2 audit team members with the necessary competence.
DEKRA shall make the client aware of the further types of information and records that may be required for detailed examination during stage 2.
OHSMS Stage 1
The Stage 1 audit will be used to ensure that the accurate effective number of personnel, as defined in Section 9.1.4 Sector Requirements – OHS (ISO 45001) of this MSM, is considered for OHSMS audits.
The purpose of stage 2 is to evaluate the implementation, including effectiveness, of the client’s management system. The stage 2 will take place at the site(s) of the client. It will include the auditing of at least the following:
- information and evidence about conformity to all requirements of the applicable management system standard or other normative documents;
- performance monitoring, measuring, reporting and reviewing against key performance objectives and targets (consistent with the expectations in the applicable management system standard or other normative document);
- the ability of the client’s management system, and its performance, in meeting applicable statutory, regulatory and contractual requirements;
- operational control of the client’s processes;
- internal auditing and management review; and
- management responsibility for the client’s policies.
The audit team will analyze all information and audit evidence gathered during stage 1 and stage 2 to review the audit findings and agree on the audit conclusions.
The central function shall be audited during the initial certification.
At the outcome of the audit, the audit team shall document which processes were audited on each site visited. This information will be used to amend the audit program and audit plans for subsequent surveillance audits.
EnMS Stage 2
During the Stage 2 audit, DEKRA shall gather the necessary audit evidence to determine whether or not energy performance improvement has been demonstrated prior to making a certification decision.
Confirmation of energy performance improvement is required for granting the initial certification. Examples of how an organization may demonstrate energy performance improvement are provided in ISO 50003 Annex C.
DEKRA shall collect information that includes verification of data and calculations used to provide the energy performance claim.
DEKRA shall assess the SEnPI performance improvement in conformity with the requirements of the SEP M&V Protocol, taking into account:
- definition of the scope and boundaries,
- designated baseline year and achievement period,
- the modeling method from the SEP M&V Protocol,
- energy performance improvement, and
- the Bottom Up Comparison and the related SEP Register of Implemented Energy Performance Improvement Actions.
The SEnPI performance improvement verification steps and the activity required of the SEP Performance Verifier are:
- Energy review – verify that energy and related data and other variables used in the analysis are appropriate and representative. Metered data used in the analysis shall be from calibrated meters.
- Energy models – verify that the energy models were developed in conformity to the requirements of the appropriate sector-specific Measurement and Verification Protocol and that:
  - variables used in the models can reasonably be expected to be significant drivers of the energy use being modeled,
  - variables not used in the models which could reasonably be expected to be significant drivers of energy use have been examined for inclusion in the models,
  - equation coefficients used in the model meet the validity test specified in the Measurement and Verification Protocol, and coefficients used in the models are reasonable.
- Conditions – verify that the conditions of the facility and its operations existing in the reporting year are consistent with those that existed in the baseline year. If not consistent, verify that changes to the energy performance models have been made that properly and adequately account for any changes in conditions that are found to invalidate the historic baseline model.
- Energy baseline – verify that the selected baseline year satisfies the requirements of the appropriate sector-specific SEP Measurement and Verification Protocol.
- Energy Performance Indicators – verify that the energy performance indicators for the baseline and reporting years are properly calculated using verifiable data in accordance with the applicable sector-specific SEP Measurement and Verification Protocol and are accurate representations of energy performance for the defined scope of the energy management system.
- Verify that the energy performance improvement has been calculated in accordance with the appropriate sector-specific SEP Measurement and Verification Protocol.
- Perform the “Bottom Up Sanity Check” of Projects and Other Energy Performance Improvements in accordance with the applicable sector-specific SEP Measurement and Verification Protocol to validate that the energy performance improvement achievement level has been met by examining evidence of improvement through facility, equipment, system, process, and maintenance and operation upgrades.
The Stage 2 certification and recertification audit may be paused for a maximum period of 30 days, if during the assessment, it is determined that the organization needs SEP PA approvals that have not been obtained. The pause shall allow the organization to apply for and obtain the needed SEP PA approvals.
If the client does not achieve the minimum energy performance improvement required by the sector-specific Measurement and Verification Protocol in the Stage 2 audit, DEKRA may allow a corrective action completed within 30 days that provides the updated information demonstrating the achievement of the claimed energy performance improvement. The corrective action timeline shall not extend beyond 30 days (1 month). The corrective action and timeframe shall be approved by both the SEP Performance Verifier and the SEP Lead Auditor. If the updated information is not provided within the 30 days, a Stage 1 and Stage 2 or recertification audit is required.
Aerospace Stage 2
During the on-site activities for the Stage 2 audit, the elements of the QMS and the associated organization's processes shall be audited for conformity, including determination of effectiveness. Detailed audit findings, including reference to the audited processes, process documentation, and associated records, shall be documented.
During the opening meeting, the audit team leader shall reaffirm with the organization the issues identified during the Stage 1 audit.
After the opening meeting, the audit team leader shall decide on conducting a facility tour to review substantial changes in scope or facilities, since the last visit, and revise planning, as needed, due to organization changes since the Stage 1 audit (e.g. personnel changes, department/business unit reorganization, new customer complaint) or any objections from the organization that impact the audit.
ISMS Stage 2
On the basis of findings documented in the stage 1 audit report, DEKRA develops an audit plan for the conduct of stage 2. In addition to evaluating the effective implementation of the ISMS, the objectives of stage 2 are to confirm that the client adheres to its own policies, objectives and procedures.
To confirm this, the audit shall focus on the client’s:
- top management leadership and commitment to information security policy and the information security objectives;
- documentation requirements listed in ISO/IEC 27001;
- assessment of information security related risks and that the assessments produce consistent, valid and comparable results if repeated;
- determination of control objectives and controls based on the information security risk assessment and risk treatment processes;
- information security performance and the effectiveness of the ISMS, evaluating against the information security objectives;
- correspondence between the determined controls, the Statement of Applicability and the results of the information security risk assessment and risk treatment process and the information security policy and objectives;
- implementation of controls (see 27006 Annex D), taking into account the external and internal context and related risks, the organization’s monitoring, measurement and analysis of information security processes and controls, to determine whether controls are implemented and effective and meet their stated information security objectives;
- programs, processes, procedures, records, internal audits and reviews of the ISMS effectiveness to ensure that these are traceable to top management decisions and the information security policy and objectives.
DEKRA maintains the process below for conducting onsite audits. This process includes an opening meeting at the start of the audit and a closing meeting at the conclusion of the audit. Where any part of the audit is made by electronic means or where the site to be audited is virtual, DEKRA must ensure that such activities are conducted by personnel with appropriate competence. The evidence obtained during such an audit must be sufficient to enable the auditor to take an informed decision on the conformity of the requirement in question. “On site” audits can include remote access to electronic site(s) that contain(s) information that is relevant to the audit of the management system. Consideration can also be given to the use of electronic means for conducting audits.
Note that all audit management, audit reporting, and final approval of all findings remains the responsibility of the lead auditor; associate auditors do not have the responsibility for any client communication.
Conducting the opening meeting
A formal opening meeting must be held with the client’s management and, where appropriate, those responsible for the functions or processes to be audited. The purpose of the opening meeting, usually conducted by the audit team leader, is to provide a short explanation of how the audit activities will be undertaken. The degree of detail must be consistent with the familiarity of the client with the audit process and will consider the following:
- introduction of the participants, including an outline of their roles;
- confirmation of the scope of certification;
- confirmation of the audit plan (including type and scope of audit, objectives and criteria), any changes, and other relevant arrangements with the client, such as the date and time for the closing meeting, interim meetings between the audit team and the client’s management;
- confirmation of formal communication channels between the audit team and the client;
- confirmation that the resources and facilities needed by the audit team are available;
- confirmation of matters relating to confidentiality;
- confirmation of relevant work safety, emergency and security procedures for the audit team;
- confirmation of the availability, roles and identities of any guides and observers;
- the method of reporting, including any grading of audit findings;
- information about the conditions under which the audit may be prematurely terminated;
- confirmation that the audit team leader and audit team representing DEKRA are responsible for the audit and must be in control of executing the audit plan, including audit activities and audit trails;
- confirmation of the status of findings of the previous review or audit, if applicable;
- methods and procedures to be used to conduct the audit based on sampling;
- confirmation of the language to be used during the audit;
- discussion of expected outcomes based on the ISO/IAF Joint Communiques. Auditors should refer to the following to familiarize themselves with these communiques so that they can explain them at the audit:
- confirmation that, during the audit, the client will be kept informed of audit progress and any concerns; and
- opportunity for the client to ask questions.
SEP Opening Meetings – additional requirements
- Note the objective of the audit: "DEKRA must verify the SEnPI energy performance and assess the energy management system and energy performance in accordance with the requirements of ANSI MSE 50028 to provide assurance that a facility's energy performance and energy management system claims are complete, consistent, transparent, and at certification or recertification have a valid SEnPI model."
- Remind the participants that an energy performance and energy management system claim is a statement about the following facets of performance:
- facility energy performance improvements, and
- conformance with ISO 50001 and ANSI/MSE 50028.
- Discuss how energy performance shall be demonstrated and verified:
- Conformance with management system requirements as defined in ISO 50001 and ANSI/MSE 50028.
- Satisfaction of energy performance improvement requirements as defined in the appropriate sector-specific SEP Measurement and Verification Protocol.
- Clarification of the roles of the audit team members including the SEP Performance Verifier, the SEP Lead Auditor, the SEP team member and any other team members.
- The opening meeting for surveillance audits shall address that the purpose of the audit is to confirm that energy performance shall be demonstrated and verified separately as discussed below:
- Conformance with management system requirements as defined in ISO 50001 and ANSI/MSE 50028.
Aerospace Opening Meetings – additional requirements
DEKRA shall ensure that its clients have established an OASIS database administrator for the purposes of managing the organization’s contact information within the database, users associated with the organization, external access to organization audit results in the database, and OASIS database feedback.
In case of a non-single site certification structure:
- the AEA shall conduct site specific opening meetings; or
- a central opening meeting shall be conducted with representatives from all sites, either physically or by means of electronic/distance meeting methods (e.g., net-meeting, Webex, Meet-me).
The Lead Auditor shall inform the organization of the requirement to appoint an OASIS database administrator, who shall maintain the following data in the database:
- organization name, address, and locations included on the certification (approval by DEKRA is required prior to revising this data);
- the name(s) and e-mail address(es) of the organization’s OASIS database administrator(s); and
- the organization’s contact person, phone, fax, e-mail address, and website, as applicable.
The following requirements shall also be reiterated at each opening meeting, to explain that each on-site audit (except for nonconformity follow-up and special audits) shall include the following:
- a review of the changes to the QMS, since the last audit (including certification structure);
- a review of requirements from new aviation, space, and defense customers, since the last audit;
- a review of customer satisfaction information and requested corrective actions and associated responses;
- an interview with top management;
- an audit of the organization's processes, including their performance and effectiveness as identified in the audit plan;
- an audit of the continual improvement of the QMS;
- an audit of follow-up actions from previous audits; and
- an audit of the purchasing process.
At the end of the opening meeting, the audit team leader shall:
- decide on conducting a facility tour to review substantial changes in scope or facilities, since the last visit; and
- revise planning, as needed, due to organization changes since the Stage 1 audit (e.g., personnel changes, department/business unit reorganization, new customer complaint) or any objections from the organization that impact the audit.
During a Stage 2 opening meeting, the audit team leader shall also reconfirm with the organization the issues identified during the Stage 1 audit.
Communication during the audit
During the audit, the audit team shall periodically assess audit progress and exchange information. The audit team leader will reassign work as needed between the audit team members and periodically communicate the progress of the audit and any concerns to the client.
Where the available audit evidence indicates that the audit objectives are unattainable or suggests the presence of an immediate and significant risk (e.g. safety), the audit team leader will report this to the client and, if possible, to DEKRA to determine appropriate action. Such action may include reconfirmation or modification of the audit plan, changes to the audit objectives or audit scope, or termination of the audit. The audit team leader will report the outcome of the action taken to DEKRA.
The audit team leader will review with the client any need for changes to the audit scope which becomes apparent as onsite auditing activities progress and report this to DEKRA.
Onsite Auditing (Obtaining and verifying information)
During the audit, information relevant to the audit objectives, scope and criteria (including information relating to interfaces between functions, activities and processes) must be obtained by appropriate sampling and verified to become audit evidence.
Methods to obtain information will include, but are not limited to:
- observation of processes and activities; and
- review of documentation and records.
For SEP Audits
Information relevant to the SEnPI performance shall be verified.
Methods to collect information shall include verification of data and calculations used to provide the energy performance claim.
For Aerospace Audits
The audit shall be conducted through the use of various auditing approaches. The audit team shall pursue relevant audit trails to assist in the determination of QMS conformity and effectiveness.
Audit tools may be developed (e.g., check sheets, questionnaires) to help auditors in the collection of objective evidence during the audit process.
Additionally, organizations can deny auditors access to proprietary or classified information and/or areas due to competitive sensitivity or national security regulations invoked in customer contracts. The Lead Auditor shall require the organization to provide information on whether any activities, programs, specifications, and/or areas are not accessible because of their restrictive or confidential nature.
Any information considered confidential by the organization's customers and/or authorities, or the organization itself, shall not be reported, unless approved by the audited organization.
The audit team should pursue process-based audit trails by following actual products, customer orders, and related documents.
When special processes (see 9100/9110 clause 184.108.40.206) are included in the audit plan, the audit team shall evaluate process validation, as well as the monitoring, measuring, and control of these processes, including the following:
- The retained documented information relating to each audited special process, including the established arrangements and a comparison between actual and planned results.
- The audit team shall identify and select a sample of special processes, including those defined by the customer. For the selected special processes, the audit team shall audit the monitoring and measuring equipment used (e.g., calibration, accuracy) and the method for recording the results. If required, the traceability between the process (e.g., batch or load charge identification) and the resulting product or service shall be verified.
- In the case of outsourced special processes, the audit team shall verify that the organization's external provider control process addresses these items accordingly. In addition, the audit team shall review the use of customer-designated sources, as required.
Special processes are managed by using personnel qualified, as required by organization and/or customer requirements, and by controlling physical or chemical process characteristics [e.g., temperature, time (process duration), pressure, chemical composition of product or process treatment material (surface treatment solution)].
If an audit(s) has been performed by a customer or by a specialized independent 3rd party, the audit team can take the audit by these organizations into account. This can include audit results, sampling of the findings, and verification of any reported nonconformities to determine adequate resolution (i.e., no recurrence).
If there is more than one surveillance audit during a year (e.g., every six months), some activities (e.g., interview with top management) may be spread over these audits.
Each on-site audit, except for nonconformity follow-up and special audits, shall include the following, as applicable:
- a review of the changes to the QMS, since the last audit (including certification structure);
- a review of requirements from new aviation, space, and defense customers, since the last audit;
- a review of customer satisfaction information and requested corrective actions and associated responses;
- an interview with top management;
- an audit of the organization's processes, including their performance and effectiveness as identified in the audit plan;
- an audit of the continual improvement of the QMS;
- an audit of follow-up actions from previous audits; and
- an audit of the purchasing process.
For TL 9000 Audits
While on site the Lead Auditor is required to:
- Comply with the most current version of ISO/IEC 17021-1 Conformity Assessment - Requirements for Bodies Providing Audit and Certification of Management Systems.
- Confirm Pre-Audit CB information Package data is still current.
- Review effectiveness of the corrective action system processes to include sampling of corrective actions that are overdue and corrective actions not considered overdue but are still open after nine months.
- When reviewing documentation requirements, ensure that current practice is reflected in the documented procedure and aligns with the applicable TL 9000 release.
- Review a sampling of customer TL 9000 audit findings and customer satisfaction results since the last CB audit.
- Follow-up on progress of any relevant formal complaints registered with the CB against the organization.
- Review root cause of pertinent product recalls to identify processes for additional focus within the audit.
- Use the process audit approach for TL 9000 Measurements to include collection, validation and submittal in accordance with Section 7 below.
- For those processes audited, the process review shall include an assessment of the effectiveness of that process.
- Verify that the organization has a documented system in place that covers:
- Measurements collection: Much, if not all, of Measurements Handbook section 3.5.2 subsections a), c) through j), and the collection/submission portion of b), can be verified prior to going on-site.
- Measurements validation, in accordance with Measurements Handbook section 3.5.2. The CB shall audit to the depth necessary to assure effective implementation of TL 9000 requirements (see item 8 below).
- Measurements reporting, in accordance with Requirements Handbook section 5.4.1.C.1 and Measurements Handbook sections 3.2 subsections a) and b).
- Ensure the TL 9000 measurements are used internally by the organization per Measurements Handbook section 3.1 Requirements for Measurements Usage. This includes reviews by management, quality/strategic objective setting for continual improvement, result/trend reviews, and corrective action plans for any performance deviating from the organization’s defined quality/strategic objectives, in accordance with Requirement Handbook sections 5.4.1.C.1, 5.6, 8.5.2 and Measurement Handbook sections 3.1 first hyphen, 3.5.2 subsections i) and j).
- If any measurements are identified as “EXEMPT”, as defined in Measurements Handbook sections 3.2 b) and 4.2.8 b), the documented rationale for the exemption shall be reviewed and accepted if valid by the CB auditor. The CB auditor shall ensure this documentation has been available for review if requested by the organization’s customers. The claimed exemption(s) also shall be noted on the organization's registration profile.
- Verify that measurements are being used in customer/organization relationships, in accordance with Measurement Handbook section 3.1.
- Verify that necessary information is being shared by the organization with its suppliers in accordance with the Measurement Handbook section 3.5.2 n) and o).
- Verify that measurements are reported to the TL 9000 Administrator [UTD] in full accordance with the Measurement Handbook sections 3.1 third hyphen, 3.2 subsections a) and b), 3.5.2 subsections b) through h), and 3.5.2 k). This is to include a review of the Data Submission Receipts for:
- “Passed” designation
- “EXEMPT” designations
- Any notes or advisories on the Data Submission Receipts and
- Verify the following:
- Any claimed exemptions are documented and valid
- All items shown “EXEMPT” on the Data Submission Receipt are in full compliance with the Measurement Handbook and item 3 above
- There is a Data Submission Receipt for every product category listed in the organization’s scope, and each matches the organization’s registration options (Hardware, Software, and/or Services) as appropriate to the product category.
- If current performance shows an undesirable deviation from the organization’s defined quality/strategic objectives for TL 9000 Measurements, the CB auditor shall verify that corrective action has/is being taken, is documented, and progress is being tracked, in accordance with Measurements Handbook sections 3.1 a), 3.5.2 subsections i) and j), and 3.5.5 c), and Requirements Handbook section 8.5.2.
- Verify that measurements collected are consistent with scope of registration, registration option [HSV], and product category, in accordance with Measurements Handbook sections 3.2 subsections a) and b), and 3.5.2 c). This can be done prior to the on-site activities.
- Review the actual data submissions, verifying proper implementation of the counting rules for required measurements. This check is to review data consistency covering a minimum one-year period except when the organization and/or new product have been certified for less than one year in which case the data shall be reviewed for at least as long as the organization and/or new product has been certified.
- For the initial registration audit, pre-certification data submissions (minimum of 3 consecutive months data) require verification. This shall be done to fulfill Measurements Handbook requirement 3.3.1 first hyphen and in accordance with sections 3.5.2 subsections a) and b).
- When an organization upgrades its registration to a new version of the Measurements Handbook as part of its Surveillance or Re-certification Audit, at least the most recent month’s data submission shall use the new version of the handbook. CB auditors will verify that all relevant counting rule changes have been properly implemented for the required measurements.
- While the sample size for the above requirement is left to the auditing organization, it is expected that the depth of assessment for the sampled measurements assures accurate and comprehensive calculation, counting rules, reporting mechanisms, and validation of the measurements.
- Confirm that the registration information (for example, scope, product category, and locations) contained in the Registration Management System (“RMS”) is current and accurate during each assessment, to support the verification of Measurements Handbook sections 3.4.1 and 3.5.2 c). This can be started prior to the on-site activities.
- Confirm that the product categories chosen by the organization are correct for their products, in accordance with Measurements Handbook section 3.5.2 c). This can be done prior to the on-site activities.
For ISMS Audits
DEKRA’s procedures shall not presuppose a particular manner of implementation of an ISMS or a particular format for documentation and records. Certification procedures shall focus on establishing that a client’s ISMS meets the requirements specified in ISO/IEC 27001 and the policies and objectives of the client.
DEKRA shall have documented procedures for:
- the initial certification audit of a client’s ISMS, in accordance with the provisions of ISO/IEC 17021-1;
- surveillance and re-certification audits of a client’s ISMS in accordance with ISO/IEC 17021-1 on a periodic basis for continuing conformity with relevant requirements and for verifying and recording that a client takes corrective action on a timely basis to correct all nonconformities.
DEKRA, represented by the audit team, shall:
- require the client to demonstrate that the assessment of information security related risks is relevant and adequate for the ISMS operation within the ISMS scope;
- establish whether the client’s procedures for the identification, examination and evaluation of information security related risks and the results of their implementation are consistent with the client’s policy, objectives and targets; and
- establish whether the procedures employed in risk assessment are sound and properly implemented.
From 27006 Annex D, Review of Controls
The implementation of controls that were determined as necessary by the client for the ISMS (as per the Statement of Applicability) shall be reviewed during stage 2 of the initial audit and during surveillance or re-certification activities.
The audit evidence that DEKRA collects shall be sufficient to draw a conclusion as to whether the controls are effective. How a control is expected to perform may, for example, be specified in procedures or policies of the client.
The best quality of audit evidence is gathered from observation by the auditor (e.g. that a locked door is locked, people do sign confidentiality agreements, the asset register exists and contains assets observed, system settings are adequate, etc.). Evidence can be gathered from seeing the results of performance of a control (e.g. printouts of access rights given to people signed by the correct authorizing official, records of incident resolution, processing authorities signed by the correct authorizing official, minutes of management (or other) meetings, etc.). Evidence can be the result of direct testing (or re-performance) of controls by the auditor, e.g. attempts to perform tasks said to be prohibited by the controls, determination whether software to protect against malicious code is installed and up-to-date on machines, access rights granted (after checking to authorities), etc. Evidence can be gathered by interviewing persons doing work under the organization’s control/contractors about processes and controls and determining whether this is factually correct.
Table D.1 in ISO 27006:2015 provides guidance for the review of the implementation of controls listed in ISO/IEC 27001:2013, Annex A, and the gathering of audit evidence as to their performance during the initial audit and subsequent audits. The Table is not intended to provide guidance for reviewing controls other than those in ISO/IEC 27001:2013, Annex A.
“Organizational control” and “Technical control”: An “X” in the respective column indicates whether the control is an organizational or a technical control. As some controls are both organizational and technical, entries can be in both columns for such controls. Evidence of the performance of organizational controls can be gathered through review of the records of performance of controls, interviews, observation and physical inspection. Evidence of the performance of technical controls can often be gathered through system testing (see below) or through use of specialized audit/reporting tools.
“System testing” means direct review of information systems (e.g. review of system settings or configuration). The auditor’s questions can be answered at the system console or by evaluation of the results of testing tools. If the client has a computer-based tool in use that is known to the auditor, this can be used to support the audit, or the results of an evaluation performed by the client (or their sub-contractors) can be reviewed. The table contains two categories for the review of technical controls: a) “possible”: system testing is possible for the evaluation of control implementation, but may not be necessary in an ISMS audit; b) “recommended”: system testing is usually necessary in an ISMS audit.
“Visual inspection” means that these controls usually require a visual inspection at the location to evaluate their effectiveness. This means that it is not sufficient to review the respective documentation on paper or through interviews; the auditor should verify the control at the location where it is implemented.
The “Audit review guidance” column provides possible focus areas for the evaluation of the control, as further guidance for the auditor.
For OHSMS Audits
The audit team shall interview the following personnel:
- the management with legal responsibility for Occupational Health and Safety,
- employees' representative(s) with responsibility for Occupational Health and Safety,
- personnel responsible for monitoring employees' health, for example, doctors and nurses. Justifications in case of interviews conducted remotely shall be recorded,
- managers and permanent and temporary employees.
Other personnel that should be considered for interview are managers and employees performing activities related to the prevention of Occupational Health and Safety risks, and contractors’ management and employees.
Identifying and Recording Audit Findings
Audit findings summarizing conformity and detailing nonconformity must be identified, classified and recorded to enable an informed certification decision to be made or the certification to be maintained.
Opportunities for improvement may be identified and recorded, unless prohibited by the requirements of a management system certification scheme. Audit findings, however, which are nonconformities, will not be recorded as opportunities for improvement.
A finding of nonconformity must be recorded against a specific requirement, and will contain a clear statement of the nonconformity, identifying in detail the objective evidence on which the nonconformity is based.
All Nonconformities written by DEKRA auditors must contain:
- an identification of the applicable criteria,
- a clear statement for the finding, and
- traceable, objective evidence.
Nonconformities may be written by auditors or other DEKRA personnel against the client's system as an output of any audit activity and at any point during the audit time or as an output from the review of corrective action plans and implementation. Nonconformities need not arise from a process audit and may also arise as a result of the auditor's informal discussion and review. Nonconformities may arise while the auditor is planning the audit, during the opening meeting, at any point in the audit, at the closing meeting, or as part of any follow up activity. DEKRA may also issue nonconformities to a client at any time in the certification cycle; nonconformities need not be tied to audit events.
Nonconformities must be discussed with the client to ensure that the evidence is accurate and that the nonconformities are understood. The auditor, however, will refrain from suggesting the cause of nonconformities or their solution.
The audit team leader will attempt to resolve any diverging opinions between the audit team and the client concerning audit evidence or findings, and unresolved points must be recorded.
If, at the closing meeting, resolution of diverging opinions is not possible, or the client continues to disagree with the finding, the finding may be written in the 'Requests' section of the Audit Report for follow up and arbitration by the DEKRA office.
For multiple management system standards (integrated audits), each finding shall be traceable to the applicable management system standard(s)/specification(s). The lead auditor shall consider the impact that a nonconformity found for one of the management system standard(s)/specification(s) has on the compliance with the other management system standard(s)/specification(s).
EnMS Audit Findings
When classifying nonconformities for ISO 50001, the definition of major nonconformity for EnMS will be used by the auditor.
Aerospace Audit Findings
The NCR form shall be used to record nonconformities; each NCR shall contain only one nonconformity. When nonconformities are identified, the audit team shall categorize the nonconformity as ‘major’ or ‘minor’, according to the definitions provided in this standard. The need for immediate containment shall be identified by the audit team.
The NCR may be issued against 9100-series standard clauses 4.4.1.c and/or 4.4.4.g, if the nonconformity is related to the effective operation and control of the process.
NCRs identified against 9100-series standard clauses 4.4.1.c and/or 4.4.1.g, resulting from multiple PEARs, may be combined into a single NCR.
For surveillance, recertification or special audits, the audit team leader shall advise within the Audit Report whether the recorded nonconformities should be reason for suspension or withdrawal of the certificate. Failure by the organization to demonstrate effective corrective action to deal with repeat nonconformities shall warrant suspension of the certification.
Recurrence of the same or similar nonconformity found during consecutive audits at a particular site/location shall be considered as a major nonconformity against the corrective action process.
Soft grading of nonconformities and/or identifying them as an observation or opportunity for improvement does not benefit the organization, its customers, or DEKRA. Furthermore, there is risk that the nonconformity would be given a lower priority for correction and/or corrective action, or that no action would be taken and the conditions will expand and/or continue to exist.
MDQMS (ISO 13485) Audit Findings:
(MD9 220.127.116.11) Examples of nonconformities are as follows:
- failure to address applicable requirements for quality management systems (e.g. failure to have a complaint handling or training system)
- failure to implement applicable requirements for quality management systems
- failure to implement appropriate corrective and preventative action when an investigation of post market data indicates a pattern of product defects
- products which are put onto the market and cause undue risk to patient and/or users when the device is used according to the product labeling
- the existence of products which clearly do not comply with the client’s specifications and/or the regulatory requirements
- repeated nonconformities from previous audits.
TL9000 Audit Findings:
DEKRA must maintain a documented process to ensure that findings raised during audits are being recorded in accordance with the findings definition listed in Section 1 of the Code of Practice. This process shall include an evaluation of the quantity and type of audit findings raised: majors, minors, and opportunities for improvements. The process shall include investigation and, where necessary, performance improvement of individual auditors who consistently misclassify audit findings.
NOTE: See “Guidance for Monitoring Auditor Performance” on the tl9000.org website for additional information on factors to be considered in these evaluations and other guidance.
OHSMS (ISO 45001) Audit Findings
DEKRA shall detail the actions to be taken in the event that it discovers a non-compliance with relevant regulatory requirements. These procedures shall include a requirement that any such non-compliance(s) are immediately communicated to the organization being audited.
Preparing Audit Conclusions
Under the responsibility of the audit team leader and prior to the closing meeting, the audit team shall:
- review the audit findings, and any other appropriate information obtained during the audit, against the audit objectives and audit criteria and classify the nonconformities;
- agree upon the audit conclusions, taking into account the uncertainty inherent in the audit process;
- agree any necessary follow up actions;
- confirm the appropriateness of the audit program or identify any modification required for future audits (e.g. scope of certification, audit time or dates, surveillance frequency, audit team competence).
SEP Audit Conclusions
The SEP Performance Verifier decision regarding the achieved level shall be the published level of achievement.
Attempts to resolve any differences shall be made by the SEP Performance Verifier and supported by the SEP Lead Auditor as needed.
Any differences in opinion shall be recorded and reported to the SEP Administrator.
In preparing the audit conclusions for certification or recertification, the SEP team shall confirm the achievement level (see ANSI/MSE 50028).
For ANSI/MSE 50028-1 Audits (SEP 50001) - The Lead Auditor for SEP’s input is the conclusion on conformance to ANSI/MSE 50028-1 and confirmation from the SEP PV that the verified energy performance improvement is greater than 0.0 percent according to the SEP M&V Protocol. Attempts to resolve any differences shall be made by the Lead Auditor for SEP and supported by the SEP PV as needed. Any differences in opinion shall be recorded.
Conducting the Closing Meeting
A formal closing meeting, where attendance must be recorded, must be held with the client’s management and, where appropriate, those responsible for the functions or processes audited.
The purpose of the closing meeting, usually conducted by the audit team leader, is to present the audit conclusions, including the recommendation regarding certification.
Any nonconformities must be presented in such a manner that they are understood, and the timeframe for responding must be agreed.
“Understood” will not necessarily mean that the nonconformities have been accepted by the client.
The closing meeting will also include the following elements where the degree of detail shall be consistent with the familiarity of the client with the audit process:
- advising the client that the audit evidence obtained was based on a sample of the information; thereby introducing an element of uncertainty;
- the method and timeframe of reporting, including any grading of audit findings;
- DEKRA's process for handling nonconformities including any consequences relating to the status of the client’s certification;
- the timeframe for the client to present a plan for correction and corrective action for any nonconformities identified during the audit;
- DEKRA's post audit activities; and
- information about the complaint and appeal handling processes.
The client must be given opportunity for questions.
Any diverging opinions regarding the audit findings or conclusions between the audit team and the client must be discussed and resolved where possible. Any diverging opinions that are not resolved must be recorded and referred to DEKRA.
SEP Closing Meeting:
The closing meeting shall be conducted by the SEP Lead Auditor. The closing meeting shall include information on the pathway and performance achieved if it is a certification or a recertification audit and any follow-on actions that have been agreed to.
Aerospace Closing Meeting
At the closing meeting, the audit team leader shall, at a minimum, provide the organization with any applicable NCRs and the PEARs associated with those NCRs, documented in accordance with the 9101 standard. The audit team leader shall present the complete audit report to the organization within two weeks of the closing meeting using the audit report and associated forms defined in the 9101 standard.
For surveillance and special audits, the audit team leader shall advise the organization whether recorded nonconformities jeopardize an existing certificate. In the event that certification is suspended, an appropriate course of action shall be agreed between the organization and DEKRA. Where there is a failure to agree on a course of action, the appeals procedure of DEKRA shall be invoked.
OHS (45001) Closing Meeting
The organization representative shall be requested to invite the management legally responsible for occupational health and safety, personnel responsible for monitoring employees’ health and the employees' representative(s) with responsibility for occupational health and safety to attend the closing meeting. Justification in case of absence shall be recorded.
DEKRA will provide a written report for each audit to the client. The audit team may identify opportunities for improvement but will not recommend specific solutions. Ownership of the audit report is maintained by DEKRA.
The stage 1 output does not need to meet the full requirements of a report.
The audit team leader must ensure that the audit report is prepared and must be responsible for its content. The audit report will provide an accurate, concise and clear record of the audit to enable an informed certification decision to be made and will include or refer to the following:
- identification of the certification body;
- the name and address of the client and the client’s representative;
- the type of audit (e.g. initial, surveillance or recertification audit or special audits);
- the audit criteria;
- the audit objectives;
- the audit scope, particularly identification of the organizational or functional units or processes audited and the time of the audit;
- any deviation from the audit plan and their reasons;
- any significant issues impacting on the audit program;
- identification of the audit team leader, audit team members and any accompanying persons;
- the dates and places where the audit activities (on site or offsite, permanent or temporary sites) were conducted;
- audit findings (see 9.4.5), reference to evidence and conclusions, consistent with the requirements of the type of audit;
- significant changes, if any, that affect the management system of the client since the last audit took place;
- any unresolved issues, if identified;
- where applicable, whether the audit is combined, joint or integrated;
- a disclaimer statement indicating that auditing is based on a sampling process of the available information;
- recommendation from the audit team;
- a statement that the audited client is effectively controlling the use of the certification documents and marks, if applicable;
- verification of effectiveness of taken corrective actions regarding previously identified nonconformities, if applicable;
- a statement on the conformity and the effectiveness of the management system together with a summary of the evidence relating to:
  - the capability of the management system to meet applicable requirements and expected outcomes;
  - the internal audit and management review process;
- a conclusion on the appropriateness of the certification scope;
- confirmation that the audit objectives have been fulfilled.
If IAF MD4:2018 was used, audit reports shall indicate the extent to which IAF MD4:2018 has been used in carrying out the audit, and how it contributed to audit effectiveness and efficiency.
The audit report for ISO 50001 shall include:
- scope and boundaries of the EnMS being audited;
- statement of achievement of continual improvement of the EnMS and energy performance improvement with audit evidence to support the statements.
The audit report for SEP shall also address the decisions:
- confirmation that the energy performance was verified,
- the energy performance claim, as verified,
- confirmation the model meets the sector-specific Measurement and Verification Protocol requirements and the certification level.
DEKRA shall also complete the SEP Energy Performance Improvement report and submit it to the SEP Administrator.
For audits involving an Aerospace certification decision, DEKRA shall be responsible for the input of the required data into the OASIS database within 30 days after the certificate issue date. For all other audits, DEKRA shall submit the required data into the OASIS database within 90 days after the on-site visit date. This entry into the database can be performed either directly by DEKRA or through the SMS, in accordance with the arrangements defined by the IAQG sector or NAIA.
At the conclusion of the Stage 1 audit, the Stage 1 Audit Report shall be compiled and issued. At the conclusion of each certification, surveillance, recertification, and special audit, the audit results shall be recorded and issued, including the standard forms. The Supplemental Audit Report shall be used to record results for individual sites, if the Audit Report does not include audit details of the individual sites.
Requirements determined as not applicable within the determined scope, as justified by the organization and accepted by the audit team, shall be documented in the QMS Process Matrix Report and the Audit Report.
The content in the Audit Report, including findings, shall give a true and independent view of the conformity status and determination of effectiveness of the QMS in order to give confidence to customers or potential customers; enabling them to draw appropriate conclusions in their supplier selection and surveillance processes.
For combined and integrated audits, separate reports shall be issued (i.e., one for each audit performed for each standard). Where appropriate, processes common between the standards may be reported on the same PEAR and QMS Process Matrix Report. Each report for combined and integrated audits shall be linked to all other reports from the associated audit.
The audit team shall complete the QMS Process Matrix Report to demonstrate which processes and 9100-series standard clauses have been audited, including a summary of objective evidence related to each of 9100-series standard clauses 4, 5, 6, 7, 9 and 10.
If objective evidence for clauses 4, 5, 6, 7, 9 and 10 is recorded on PEAR(s), there is no need to repeat these details on the QMS Process Matrix Report. Reference to the applicable PEAR(s) should be stated in the respective QMS Process Matrix Report objective evidence field.
The QMS Process Matrix Report has multiple applications; it can be:
- pre-populated, prior to on-site activity, and easily modified/revised, as appropriate, during each visit;
- used after the Stage 1 audit, for preparation of the audit plan for the initial Stage 2 audit;
- used after the certification/recertification audit, to prepare the audit plan for the certification cycle surveillance audits;
- used to assist in visibly presenting the cross-references between the AQMS standard requirements and the organization's processes.
The audit team shall record measures, targets, and values of KPIs related to each audited operational process (see 9100-series standards clause 8) on the PEAR, taking into account the confidentiality of information.
Upon mutual agreement between the organization and DEKRA, other processes can be recorded on a PEAR.
The audit team shall issue an NCR against the relevant 9100-series standard clause, when the process is not delivering the planned results and appropriate action is not being taken.
Recording of process information may be combined into a single PEAR and QMS Process Matrix Report for multiple site, several site, campus, or complex organizations, provided that the process is common across sites/structures. Information recorded shall reflect each site included in the PEAR and QMS Process Matrix Report. The process effectiveness level shall reflect the lowest value of the various sites assessed.
The audit team shall record a summary of audit trails and audit evidence related to each audited product realization process (see 9100-series standards clause 8) on the PEAR.
The audit team shall issue an NCR against the relevant 9100-series standard clause, when planned activities of a process are not realized or not fully realized.
Population of the PEAR may start during the Stage 1 audit to record information reviewed.
The audit team shall evaluate the effectiveness of each audited product realization process (see 9100-series standards clause 8) considering:
- process realization - the extent to which planned activities are realized; and
- process results - the extent to which planned results are achieved.
In order to determine the effectiveness level of the audited process, the audit team shall evaluate the audit evidence arising from the PEAR and select the corresponding value, based upon the descriptions given in the Process Evaluation Matrix (see AS9101, Table 3).
The process effectiveness level derived from the evaluation shall be recorded on the PEAR and documented on the QMS Process Matrix Report.
An effectiveness level of "5" shall only be determined if the audited process is delivering the planned results and planned activities are fully realized with no nonconformities identified.
The Audit Report shall clearly document the portions of the quality management system that were audited on each surveillance visit.
The audit team leader shall provide documented findings at the end of each audit. A written report will be provided to the organization within 30 days of the conclusion of each audit, or within 30 days of the conclusion of a multi-site audit. The report will include the documented findings, overall audit conclusions, significant audit trails and recommendations.
DEKRA is required to monitor audit reports to ensure conformance with ISO/IEC 17021-1 auditing requirements and include evidence that items in this document are addressed and documented in the audit report even if the item is not applicable.
In addition to the requirements for reporting in ISO/IEC 17021-1, 9.4.8, the audit report shall provide the following information or a reference to it:
- an account of the audit including a summary of the document review;
- an account of the certification audit of the client’s information security risk analysis;
- deviations from the audit plan (e.g. more or less time spent on certain scheduled activities);
- the ISMS’ scope.
DEKRA shall ensure that its audit reports contain a statement on the conformity and the effectiveness of the organization’s OHSMS together with a summary of the evidence with regards to the capability of the OHSMS to meet its compliance obligations.
The audit report shall be of sufficient detail to facilitate and support the certification decision. It shall contain:
- significant audit trails followed and audit methodologies utilized (see 18.104.22.168);
- observations made, both positive (e.g. noteworthy features) and negative (e.g. potential nonconformities);
- comments on the conformity of the client’s ISMS with the certification requirements with a clear statement of nonconformity, a reference to the version of the Statement of Applicability and, where applicable, any useful comparison with the results of previous certification audits of the client.
Completed questionnaires, checklists, observations, logs, or auditor notes may form an integral part of the audit report. If these methods are used, these documents shall be submitted to DEKRA as evidence to support the certification decision. Information about the samples evaluated during the audit shall be included in the audit report, or in other certification documentation.
The report shall consider the adequacy of the internal organization and procedures adopted by the client to give confidence in the ISMS.
In addition to the requirements for reporting in ISO/IEC 17021-1, 9.4.8, the report shall cover:
- a summary of the most important observations, positive as well as negative, regarding the implementation and effectiveness of the ISMS requirements and IS controls;
- the audit team’s recommendation as to whether the client’s ISMS should be certified or not, with information to substantiate this recommendation.
Reports are submitted to the DEKRA office by the lead auditor within 15 days after the audit.
The Audit Report package consists of:
- The Audit Report itself (may be used as a synthesis report or site report)
- Audit Program
- Audit Plan
- Corrective Action Plans are included in the Audit Report by the client.
If there are Major Nonconformities noted, Client Services will set a deadline of 90 days from the close of the audit.
Client Services notes the tentative date for the next event and confirms it by posting it in the DEKRA database. Client Services may also choose another date if desired, or required by sector or client.
If the report is a Stage 2 or a Recertification, Client Services adds the report to the Certification Review package.
Every report is reviewed for changes to a client’s ongoing certification. The report content is reviewed for Open Nonconforming Findings, Changes to Client’s scope, number of employees, locations and/or shifts. The client services associate makes a determination that the organization should continue with the certification. Any changes should be addressed following this procedure.
Possible reasons for review include a large organizational change, a change in scope, being off the audit cycle schedule, unpaid invoices, concern about cancellation, a name change, etc.
Client Services reviews the client’s certificate, reports and account information to determine if there is no change needed, if a modification to the management plan is needed, if a change to the certificate is needed, or if the certificate should be cancelled. When there is no change, normal scheduling will continue.
Occasionally, modifications to the management plan may be needed. Modifications can be made to: audit frequency, audit days, sampling structure, account management decisions, cancellation policy, etc. For complex issues the client services associate may seek help from an account manager, who will review the proposed changes for approval.
If modifications are required, Client Services may issue a new quotation or add an addendum to the current quotation (if change is of a financial nature).
Client Services records notes in the client file and database detailing what changes were made.
DEKRA may require additional audit activities but will in all cases require a Certification Review to confirm the changed scope or status of the certificate, except for client-requested suspensions and cancellations.
The Certification Official may determine that the Certificate must be cancelled. The Managing Director must be involved in this decision. If the certificate is to be cancelled, DEKRA will close the business contract as stated in the Master Services Agreement for Management System Certification and the Certification Agreement.
Cause Analysis of Nonconformities
DEKRA requires the client to analyze the cause and describe the specific correction and corrective actions taken, or planned to be taken, to eliminate detected nonconformities, within a defined time.
If a client does not achieve the requirements of ANSI/MSE 50028, a corrective action shall be submitted and the means of approving that submission must be agreed between the client and the SEP Lead Auditor and SEP Performance Verifier.
A client may not submit data to modify the verified SEP achievement level following the certification or recertification audit.
Effectiveness of Corrections & Corrective Actions
The lead auditor will review the corrections, identified causes and corrective actions submitted by the client to determine if these are acceptable.
At subsequent audits, the lead auditor shall verify the effectiveness of any previous correction and corrective actions taken.
The evidence obtained to support the resolution of nonconformities must be recorded by the Lead Auditor.
The client must be informed of the result of the review and verification. The client must be informed if an additional full audit, an additional limited audit, or documented evidence (to be confirmed during future audits) will be needed to verify effective correction and corrective actions. Verification of effectiveness of correction and corrective action can be carried out based on a review of documented information provided by the client, or where necessary, through verification onsite. Usually this activity is done by a member of the audit team.
Cause analysis must adhere to the guidelines in ANAB Heads Up 362, including a true root cause. Auditor approvals of client root cause submittals will be reviewed in Technical Review and may be rejected by the DEKRA office, resulting in additional client nonconformities and delay or possible expiration of certificates.
This procedure defines the controls required for the tracking and closure of Client nonconformities generated under all standards.
No nonconformities are written at the Certification Stage 1 audit.
For major nonconformities at Certification or Recertification audits, certification or recertification cannot be recommended until all major nonconformities are fully resolved.
The NCR shall be used to document verification of the corrective action. Evaluation and closing of the corrective action plan and associated corrective actions relating to a nonconformity shall not be performed during the audit in which the nonconformity was issued.
Verification activities shall be carried out, as determined by the audit team leader. Verification shall be carried out on-site, if the verification of the corrective action cannot be carried out based on a review of the documentation and supporting objective evidence provided by the organization. A completed NCR shall be uploaded into the OASIS database, after verification.
For combined and integrated audits, where a nonconformity has been determined in a common process, a single NCR shall be issued referencing the requirements for each AQMS standard. NCRs issued on common processes shall be referenced in both reports.
No certificates to AQMS standards or any combination of AQMS standards requiring a certification decision shall be issued, unless all major and minor nonconformities have been contained; satisfactorily corrected with root cause analysis; and the corrective action has been implemented, reviewed, accepted, and verified by the CB. This requirement also applies to the issuance of a certificate after the transfer from another CB.
DEKRA shall initiate the client certification suspension process, when an organization fails to demonstrate that conformance to the applicable standard has been re-established within 60 days from the issuance of a Nonconformity Report (NCR). See section 9.6.5 for processing Aerospace suspensions.
TL 9000 Nonconformities
All major nonconformities shall be resolved prior to the issuance of the TL 9000 certificate. All nonconformities are handled in accordance with the CB’s standard operating procedure(s).
CBs shall have a documented process to close major and minor nonconformities identified in a TL 9000 audit. The process for closing nonconformities shall include:
- A Corrective Action Plan (CAP) for each nonconformity shall be received by the CB within 30 days following the Organization’s receipt of the audit report. This CAP shall include containment/correction, root cause analysis, and an implementation due date. CBs are required to respond to the proposed CAP in a timely manner. Resolution by the organization of a major nonconformity requires acceptable evidence of implementation of the CAP within the CB’s specified timeframe, not to exceed 90 days from the Organization’s receipt of the audit report. Resolution by the organization of a minor nonconformity requires acceptable evidence of implementation of the CAP no later than the next scheduled audit. Exceptions to these resolution timeframes shall be approved by the CB, fully justified by the organization and documented. A follow-up visit within the 90-day timeframe will be required for major nonconformities to verify effective implementation of the corrective action unless otherwise justified and documented.
- A TL 9000 certification shall not be issued until: (a) all major nonconformities are fully resolved; and (b) minor nonconformities are fully resolved or corrective action plans are defined consistent with the above-timing requirements.
- A certified organization shall not receive re-certification if there are overdue minor nonconformities from the previous audit or any unresolved major nonconformities at the time the certificate expires. Failure to meet the deadline for closing a major nonconformity after a surveillance audit shall lead to the withdrawal of the TL 9000 certificate. The certificate may be reinstated on resolution of the nonconformity.
When nonconformities are found at any individual site, either through the organization’s internal auditing or from auditing by DEKRA, investigation shall take place to determine whether the other sites may be affected. Therefore, DEKRA shall require the organization to review the nonconformities to determine whether they indicate an overall system deficiency applicable to other sites. If they are found to do so, corrective action shall be performed and verified both at the central function and at the individual affected sites. If they are found not to do so, the organization should be able to demonstrate to DEKRA the justification for limiting its follow-up corrective action.
DEKRA shall require evidence of these actions and shall increase the organization's sampling frequency and/or the size of the sample until it is satisfied that control is re-established.
At the time of the decision making process, if any site has a major nonconformity, certification shall be denied to the whole multi-site organization of listed sites pending satisfactory corrective action. It shall not be admissible that, to overcome the obstacle raised by the existence of a nonconformity at a single site, the organization seeks to exclude from the scope the “problematic” site during the certification process.
Corrective Action Deadlines
For all nonconformities, within 15 days of the audit, Clients submit corrective action plans to DEKRA Client Services.
For major nonconformities, within 90 days of the audit, Clients submit evidence of corrective action implementation to DEKRA Client Services. Extensions to this deadline may be granted by Client Services.
For minor nonconformities, at the next audit event, Clients submit evidence of corrective action implementation to the DEKRA Lead Auditor.
After issuance of a nonconformity the audit team leader shall:
- require the organization to analyze the root cause and report the specific correction and corrective actions taken, or planned to be taken, to eliminate the detected nonconformities on the NCR; and
- agree with the organization on correction, corrective action(s), and corrective action plans within a maximum of 30 calendar days from the end of the on-site audit.
When the nature of the nonconformity needs immediate containment action, the audit team leader shall require the organization to:
- describe the immediate actions ('fix now') taken to contain the nonconforming situation/conditions and to control any identified nonconforming products. Correction shall always be recorded; and
- report within 7 calendar days, after the audit, the specific containment actions, including correction, and reach agreement on those actions with the audit team leader within the next 14 calendar days.
Containment action and correction can also be reviewed during the audit.
DEKRA shall ensure that customer notification is addressed, as applicable, in the certified organization’s containment and corrective action process.
The Auditor shall note any nonconformities found at the audit. Nonconformities will be subject to technical review by DEKRA and may be modified or removed based on recorded justification.
The DEKRA office will determine whether an onsite corrective action visit is required. Otherwise, an offsite corrective action audit shall be performed.
- 0-3 nonconformities: no charge
- Each nonconformity after 3: 1 hour (1/8 man-day rate)
Corrective Action Plans
Clients shall submit proposed corrective action plans to the Auditor by the agreed deadline. Corrective action plan review must address Client's
- root cause analysis;
- corrective action plan.
The Auditor shall review and approve the corrective action plans prior to submittal to the DEKRA office. Additional feedback may be requested from the Auditor to assist in the review.
If any plan is not approved, communications shall continue between Client Services, Auditor, and Client until resolution is reached. More information, or a revised plan, may be required.
If the Auditor disagrees with Client Services' determination, they shall appeal directly to the Technical Director. The Technical Director shall review the appeal and issue a binding decision.
Client Services or Auditor shall note the approval of the corrective action plan in the appropriate area of a Nonconformity page of the Audit Report.
Corrective Action Implementation
For corrective actions stemming from Major Nonconformities requiring an onsite audit to close, evidence of implementation may be reviewed and approved by the Auditor onsite, and the nonconformity closed.
Evidence of implementation for minor nonconformities may be reviewed and approved by the Auditor onsite at the next event, and the nonconformity closed.
Nonconformity closure must address Client's evidence of implemented Corrective Action and note the evidence reviewed.
Client Services shall internally review and approve the implementation of corrective action for Major Nonconformities and close the nonconformity. Additional feedback may be requested from the Technical Director or a senior technical expert to assist in the review.
When the nonconformity is closed, Client Services shall notify the Client and copy the Auditor. Client Services or Auditor shall note the approval of the corrective action implementation in the appropriate column of the Nonconformities section of the DEKRA Audit Record.
Client Services may invoice the Client for the previously agreed corrective action review and closure hours.
Verification of Effectiveness
The Auditor shall verify the effectiveness of the approved implemented corrective actions at the next audit event.
The Auditor shall note the verification of corrective action effectiveness in the appropriate area of a Nonconformity page of the Audit Report. It is not expected that additional time be added to the audit event for verification of effectiveness.
Review at Certification/Recertification
The Certification Official shall review the nonconformities, both current and closed/verified, from the most recent (Re)Certification report prior to issuing a decision regarding initial or continued certification.
If any step in the corrective action review process is not approved, communications shall continue between the Certification Official, Client Services, and Auditor until resolution is reached. More information, or additional audit activities, may be required.
For Minor NCs issued at Certification or Recertification, the Certification Official need only approve the corrective action plan activities to issue a certification decision.
DEKRA ensures that the persons or committees that make the decisions for granting or refusing certification, expanding or reducing the scope of certification, suspending or restoring certification, withdrawing certification or renewing certification are different from those who carried out the audits. The individual(s) appointed to conduct the certification decision must maintain appropriate competence.
The person(s) assigned by DEKRA to make a certification decision must be employed by, or must be under legally enforceable arrangement with either DEKRA or an entity under the organizational control of DEKRA. DEKRA’s organizational control must be one of the following: a) whole or majority ownership of another entity by DEKRA; b) majority participation by DEKRA on the board of directors of another entity; c) a documented authority by DEKRA over another entity in a network of legal entities (in which DEKRA resides), linked by ownership or board of director control.
The persons employed by, or under contract with, entities under organizational control, will fulfill the same requirements of ISO 17021-1 as persons employed by, or under contract with, DEKRA.
Decisions are made regarding the granting, maintaining, extending, reducing, suspending and withdrawing of certificates by an impartial, informed, qualified Certification Official. To ensure the Certification Official is informed, records from the audit, such as the report and all resulting corrective actions, will be made available. To ensure the Certification Official is qualified, the Technical Director will make available a list of Certification Officials who are qualified based on the requirements of the standard, and specific DEKRA training.
Occasionally there may be certification decisions which must be expedited due to imminent certificate expiration. When this occurs, the impartiality of the certification decision process may be compromised. To mitigate this, when a certification decision must be expedited, it shall be entered into the DEKRA Resolution Center as a ticket, by any party. Once entered, the process of certification decision and certificate issuance will be directly managed by Top Management in as timely a manner as impartiality allows. The data from all expedited certification decision requests shall be periodically investigated and analyzed to determine root cause for process delays.
Certificates are issued in a uniform, controlled manner to ensure that each certificate has the required information to identify the client and the scope of the system that is certified, as well as any accreditation marks that are applicable and agreed upon.
All audit reports and certificates are kept on file to ensure traceability of audit activities and certification decisions.
DEKRA will record each certification decision including any additional information or clarification sought from the audit team or other sources.
See DEKRA procedure P-002 Client Scope or Cert Changes for process flow and inputs and outputs.
SEP Certification Decisions
The SEP Administrator shall be informed by DEKRA of the certification decisions and energy performance improvement levels of the applicable client organization.
DEKRA shall confirm prior to making a positive decision, that all the following requirements have been met:
- The ISO 50001 certificate is valid
- The transition requirements of GTESS are met, as applicable
- The client has implemented the GTESS Interpretations, as applicable
- The site(s) sampled have valid energy performance model(s) at the time of initial certification and recertification
- The energy performance improvement (SEnPI Performance) is verified
- The model conforms to the SEP Certification Protocol and SEP M&V Protocol requirements.
For multi-site audits, the SEP PV shall:
- Complete an SEP Energy Performance Improvement Report for each site within the sample.
- Confirm that there is an SEP Energy Performance Improvement Report completed by the organization’s certified SEP PV for each site within the scope and boundaries.
Aerospace Certification Decisions
No certificates to AQMS standards or any combination of AQMS standards requiring a certification decision shall be issued, unless all major and minor nonconformities have been contained; satisfactorily corrected with root cause analysis; and the corrective action has been implemented, reviewed, accepted, and verified by the CB. This requirement also applies to the issuance of a certificate after the transfer from another CB. The certification decision for AQMS clients must include a verification of OASIS certificate upload. Based upon a positive certification decision, the Certification Official verifies the certification data is correct in OASIS and then publishes the certificate in OASIS.
ISMS Certification Decisions
DEKRA shall not certify an ISMS unless it has been operated through at least one management review and one internal ISMS audit covering the scope of certification.
The certification decision shall be based, additionally to the requirements of ISO/IEC 17021-1, on the certification recommendation of the audit team as provided in their certification audit report.
The persons or committees that take the decision on granting certification should not normally overturn a negative recommendation of the audit team. If such a situation does arise, DEKRA shall document and justify the basis for the decision to overturn the recommendation.
Certification shall not be granted to the client until there is sufficient evidence to demonstrate that arrangements for management reviews and internal ISMS audits have been implemented, are effective and will be maintained.
OHSMS Certification Decisions
DEKRA shall not certify OHSMS unless:
- Full legal compliance is expected to the requirements of stakeholders and interested parties of the Client. The perceived worth of accredited certification in OHS field is closely related to the achieved satisfaction of the interested parties in relation to legal compliance.
- The Client shall be able to demonstrate that it has achieved compliance with the legal OHS requirements that are applicable to it through its own evaluation of compliance prior to the Certification Body granting certification.
- Where the Client may not be in legal compliance, it shall be able to demonstrate it has activated an implementation plan to achieve full compliance within a declared date, supported by a documented agreement with the regulator, wherever possible for the different national conditions. The successful implementation of this plan shall be considered as a priority within the OHSMS.
- Exceptionally, DEKRA may still grant certification but shall seek objective evidence to confirm that the organization’s OHSMS:
- is capable of achieving the required compliance through full implementation of the above implementation plan within the due date and
- has addressed all hazards and OHS risks to workers and other exposed personnel and that there are no activities, processes or situations that can or will lead to a serious injury and/or ill-health, and
- during the transitional period has put in place the necessary actions to ensure that the OHS risk is reduced and controlled
Actions Prior to Making a Decision
DEKRA maintains the below process (Technical Review and Certification processing) to conduct an effective review prior to making a decision for granting certification, expanding or reducing the scope of certification, renewing, suspending or restoring, or withdrawing of certification, including, that a) the information provided by the audit team is sufficient with respect to the certification requirements and the scope for certification; b) for any major nonconformities, it has reviewed, accepted and verified the correction and corrective actions; and c) for any minor nonconformities it has reviewed and accepted the client’s plan for correction and corrective action.
Information For Granting Certification
The information provided by the audit team to DEKRA for the certification decision will include, as a minimum:
- the audit report;
- the audit program,
- the audit plan;
- comments on the nonconformities and, where applicable, the correction and corrective actions taken by the client;
- confirmation of the information provided to the certification body used in the application review;
- confirmation that the audit objectives have been achieved; and
- a recommendation whether or not to grant certification, together with any conditions or observations.
If DEKRA is not able to verify the implementation of corrections and corrective actions of any major nonconformity within 6 months after the last day of stage 2, DEKRA will conduct another stage 2 prior to recommending certification.
Certification Package Processing
Client Services receives a report triggering certificate review and issuance: Certification Stage 2, Recertification, Transfer, or Extension of Scope. (If Minor NCs were written, report must contain CA Plan approval. If Major NCs, processing is on hold until the Major's implementation is verified by the office).
Technical Reviewers and some Certification Officials and/or OP assessors are qualified to perform Technical Review. Technical Review is the first stage of Certification Decision.
All Certification Stage 2 reports are sent to technical review, and include Stage 1 reports in the package. All Recertification reports, and all Transfer reports are sent to technical review.
For AQMS Surveillance Audits, 100% of Audit Reports shall be reviewed.
All other Surveillance audit reports are formally reviewed by Client Services for auditor recommendation, requests, and NCs.
Technical review checks the conformity of the certification reports against the current requirements of:
- ISO 17021-1
- IAF Mandatory Documents
- ANAB rules and Accreditation Manual
- Any sector-specific Rules (e.g., TL9000, ESD, AS9104 series, EnMS/SEP)
Technical Reviewers shall have access to these standards and rules and be appropriately trained.
The Technical Review-Cert Decision Checklist is a tool used to assist the Technical Reviewers to verify if required elements and records are included in the client records.
Technical Reviewers may address incorrect report information, including findings not in conformity with accreditation requirements, by correcting them internally or rejecting the Certification Package directly back to the Certification Processor or the Auditor, with instructions.
A Technical Reviewer cannot review their own work.
The Certification Official is responsible for making the final decision for or against certification and shall not be the same person as the Technical Reviewer. In that case, technical review and certification decision may proceed concurrently.
The Technical Reviewer shall forward the reviewed and signed report documents to the Certification Official for decision.
Certification decision shall address the completeness and conformity of all reports and events for the certification cycle against the requirements of:
- ISO 17021-1
- IAF Mandatory Documents
- ANAB Accreditation Manual
- ANAB Accreditation Rules
- Any sector-specific Rules
Certification Officials shall have access to and be knowledgeable regarding these standards and rules.
The Technical Review-Cert Decision Checklist is a tool used to assist the Certification Officials to verify if required elements and records are included in the client records and verify that any issues raised within Technical Review were properly resolved/corrected.
Ensure that all AQMS certificates reflect AS9104/1. For AQMS certifications, a certified organization shall not receive a new three year certification period if they were not subjected to a recertification.
Certification Officials may address incorrect certificate package information, including changes to the certificate itself, or findings not in conformity with accreditation requirements, by correcting them internally or engaging with the Technical Reviewer, Client Services, and Auditor for additional feedback.
All certificates are electronic version (PDF) unless client requests a hard copy. The OASIS Administrator is responsible for publishing AQMS client certificates as required by sector requirements. The TL Administrator is responsible for publishing TL client certificates as required by sector requirements. Upon receipt of the completed certification package and final electronic certificate, the Administrator for each sector publishes the certificate in the sector specific database. OASIS is updated by the AS Cert Official.
Client Services will ensure clients are sent PDF copies of all certificates that are issued. The email shall also include a link to the DEKRA Seal website.
If the client replies to the certificate email with requested changes that affect the scope of certification, further review/approval/certification decision will be required.
DEKRA will make decisions on renewing certification based on the results of the recertification audit, as well as the results of the review of the system over the period of certification and complaints received from users of certification.
All TL-9000 Certificates must be published to TIA Business Performance Community (TIA-BPC) within 7 weeks from when the certificate is changed. Upon Certification recommendation for TL-9000 Certification, client goes to TIA Business Performance Community (TIA-BPC) website and prints a TL ID Profile from the site.
DEKRA is to provide QuEST with a quarterly report summary of TL 9000 audit statistics. DEKRA is to report on the following statistics:
- Number of TL 9000 surveillance audits completed
- Number of TL 9000 registration audits completed
- Number of TL 9000 registrations issued
- Total number of major nonconformities issued
- Total number of minor nonconformities issued
- Total number of opportunities for improvement
- Number of audit days conducted for registration
- Number of audit days conducted for surveillance
- Minimum days required for registration
- Minimum days required for surveillance
This information should be submitted within 7 weeks of the end of each calendar quarter.
For AS clients, the Aerospace Cert Official performs the OASIS update upon certificate issuance.
The OASIS database is updated within 30 days of every certificate decision and 90 days for all other audit events.
ANAB requires a quarterly update on the certificates that DEKRA issues with the ANAB logo. Refer to “Heads Up – 81” for details.
See section 9.1.5 for certification decisions related to EnMS multisites where nonconformities have been reported.
For EnMS audits, DEKRA shall provide disclosure of the status of the audit results related to the SEP audit to the SEP Administrator in regards to the granting, extending, maintaining, renewing, suspending, reducing the scope of, extending the scope of, or withdrawing of certification in demonstration of openness.
The verification is based on evidence collected through an objective review of the organization's energy performance claim. Timely information about the status of the verification must be accessible or disclosed appropriately to intended users, the client or responsible party.
The information for the certification decision shall also include the performance claim and pathway.
Closeout and Invoicing
- Client Services files client-specific documents and, for Recertification, moves previous certification cycle documents to a dedicated folder.
- Client Services updates the Database and files the certification package.
- Client Services prepares the invoice for certification fees (including charges for revisions to the certificate, OASIS Database, and/or ANAB annual fees).
The transfer of certification is defined as the recognition of an existing and valid management system certification, granted by one accredited CB (hereafter referred as the "issuing CB"), by another accredited CB, (hereafter referred to as the "accepting CB") for the purpose of issuing its own certification.
The requirements listed below apply to DEKRA as an issuing CB or an accepting CB.
When industry-specific programs that allow transfers have requirements that differ from or are in addition to the requirements in IAF MD 2, IAF MD 2 is fully applicable and cannot be superseded. Industry requirements that are in addition to IAF MD2 do apply. Some industry-specific programs may not allow transfers.
Accredited certificates are identified by an IAF MLA signatory AB accreditation symbol on the certification documents. Certification documents that do not include the accreditation symbol of an IAF MLA signatory are unaccredited.
Only certifications which are covered by an accreditation of an IAF or Regional MLA signatory at level 3 and where applicable level 4 and 5 shall be eligible for transfer.
Per AR17, because of the number of accredited programs, the many markets in which ANAB-accredited CBs operate, and the demand of CBs to have options for ANAB-accredited certifications, the following certifications are eligible to be transferred to an ANAB-accredited certification provided the requirements of IAF MD 2 and AR17 are met:
- All ANAB-accredited certifications are eligible for transfer.
- All certifications accredited by an IAF MLA management system signatory at level 3 are eligible even if the AB is not an MLA signatory at level 4 or 5. Therefore, any certification accredited by an IAF MLA signatory AB is eligible for transfer to an ANAB-accredited certification.
Organizations holding certifications that are not covered by such accreditations shall be treated as new clients.
Only valid accredited certification shall be transferred. Certification which is known to be suspended shall not be accepted as a transfer. In cases where certification has been granted by a CB which has ceased trading or whose accreditation has expired, been suspended or withdrawn, the transfer shall be completed within 6 months or on expiration of the certification whichever is sooner. In such cases, the accepting CB shall inform the AB, under whose accreditation it intends to issue the certification, prior to the transfer.
Cooperation Between CBs
The cooperation between the issuing and the accepting CB is essential for an effective transfer process and the integrity of certification. When requested, the issuing CB shall provide the transferring CB all the documents and information required by MD 2. Where it has not been possible to communicate with the issuing CB, the accepting CB shall record the reasons and make every effort to obtain the necessary information from other sources.
If the documentation is provided by the certified organization, the accepting CB must confirm with the issuing CB that all documentation is complete and the certification is valid and eligible for transfer.
The transferring client shall authorize the issuing CB to provide the information sought by the accepting CB. The issuing CB shall not suspend or withdraw the organization's certification following the notification that the organization is transferring to the accepting CB if the client continues to satisfy the requirements of certification.
When extenuating circumstances (e.g., nonconformity, lack of payment, failure to schedule required audits, or client request) require suspension or withdrawal, the issuing CB shall follow its suspension or withdrawal process.
DEKRA shall validate the certification by contacting the issuing CB unless the issuing CB has ceased trading. DEKRA shall maintain evidence of this communication (e.g., note to file on whom DEKRA person communicated with and date and outcome of communication or email response).
If no response is received within a reasonable and sufficient time period (within seven days), DEKRA considers this an answer in the affirmative and proceeds.
The accepting CB and/or the transferring client shall contact the AB which accredits the issuing CB where the issuing CB:
- has not provided the requested information to the accepting CB, or
- suspends or withdraws the transferring client's certification without cause
A competent person or group from DEKRA shall carry out a review of the certification of the transferring client. The individual person or group conducting the pre-transfer visit shall have the same competence that is required for an audit team appropriate for the scope of certification being reviewed.
This review shall be conducted by means of a documentation review and where identified as needed by this review, for example there are outstanding major nonconformities, shall include a pre-transfer visit to the transferring client to confirm the validity of the certification. This pre-transfer visit is not an audit. Reasons for not conducting a visit shall be fully justified and documented.
Where the pre-transfer review (document review and/or pre-transfer visit) identifies issues that prevent the completion of transfer, DEKRA shall treat the transferring client as a new client. The justification for this action shall be explained to the transferring client and shall be documented by DEKRA and the records maintained.
The review shall cover the following aspects and its findings as a minimum and the review and its findings shall be fully documented:
- confirmation that the client’s certification falls within the accredited scope of the issuing and accepting certification body
- confirmation that the issuing CB's accredited scope falls within its accreditation body's MLA scope
- the reasons for seeking a transfer
- that the site or sites wishing to transfer certification hold a valid accredited certification
- the initial certification or most recent certification audit reports, and the latest surveillance report; the status of all outstanding nonconformities that may arise from them and any other available, relevant documentation regarding the certification process. If these audit reports are not made available or if the surveillance audit or recertification audit has not been completed as required by the issuing CB's audit program, then the organization shall be treated as a new client.
- complaints received and action taken
- considerations relevant to establishing an audit plan and an audit program. The audit program established by the issuing CB should be reviewed if available. If no problems are identified by the pre-transfer review, the certification cycle shall be based on the previous certification cycle and DEKRA shall establish the audit program for the remainder of the certification cycle.
- any current engagement by the transferring client with regulatory bodies relevant to the scope of the certification in respect of legal compliance
Pre-Transfer Review Process
When a transfer of certification is considered from another CB to DEKRA, DEKRA maintains this process for obtaining sufficient information in order to take a decision on certification and inform the transferring client of the process. Note that certification schemes can have specific rules regarding the transfer of certification.
This process describes the steps of review and transferring a certification for a client previously certified by another certification body covered by an IAF MLA signatory. DEKRA must develop its own confidence based on objective evidence that the management system meets all requirements for a DEKRA certificate.
To ensure that all the requirements of IAF MD2 and ANAB Rule 17 are addressed when transferring new clients, DEKRA maintains the following Pre-Transfer Review process.
All Pre-Transfer Reviews must use the internal web portal to capture the formal date of decision and any comments.
After signed quote, Sales sends the following information package to the Pre-Transfer Reviewer:
- Date of on-site pre-transfer visit, or justification and documentation for document review only.
- (MD 2.2.4.i) confirmation that the client's certification falls within the accreditation scope of the issuing CB and DEKRA's
- (MD 2.2.4.ii) confirmation that the issuing CB's accreditation scope falls within its AB's MLA scope
- (MD 2.2.4.iii) Client's reasons for seeking a transfer.
- (MD 2.2.4.iv) The audit plan and program from the issuing CB, if available
- (MD 2.2.4.v) The initial certification or most recent recertification audit reports, and the latest surveillance reports
- (MD 2.2.4.v) The status of all outstanding nonconformities that may arise from them
- (MD 2.2.4.vi) complaints received, regarding the client, and actions taken
- (MD 2.2.4.vii) considerations relevant to establish an audit program and plan. The audit program established by the issuing CB should be reviewed, if available
- (MD 2.2.41.viii) any current engagement by the client with regulatory bodies relevant to the scope of the certification in respect of legal compliance
Additional Aerospace Information:
- (9104/1 8.8.d) Date of special audit to confirm validity of certification.
- (9104/1 8.8.c) If the certificate is expiring in the next 12 months, planned dates for the required Stage 1 and Stage 2 audits.
The Pre-Transfer Reviewer verifies that:
- All the required parts of the pre-transfer package above are present.
- An onsite pre-transfer client visit shall be scheduled prior to transfer, unless a justification is made by the Pre-Transfer Reviewer and the justification is put into the client file.
- (MD 2.4) If no communication was received from the issuing CB:
- (MD2 2.1.2) evidence must be placed in file showing that the client's existing certificate is not suspended or under threat of suspension.
- All the reports back to the last certification or recertification decision are present. Otherwise the client must be treated as new.
- If the client's current event is surveillance, the surveillance audit is not overdue. Surveillance audits may be done any time in the calendar year. If the surveillance audit is overdue, the client must be treated as new.
- The site or sites seeking to transfer hold an accredited certificate which is valid in terms of authenticity, duration and scope of activities.
- (MD2 2.1.1) The issuing CB's accreditation is by an IAF MLA signatory (AB mark or IAF mark on certificate). If the accreditation is not by MLA signatory, the client must be treated as new.
- (MD2 2.1.3) If the issuing CB has ceased trading or their accreditation has expired, been suspended or withdrawn, the transfer must occur within 6 months or on expiration of the certification, whichever is sooner.
- (AS9104/1 8.8.a, 8.8.b) If an aerospace transfer, the issuing CB must also be accredited under the 9104 series ICOP scheme (verify in OASIS), and the issuing CB must not have any open corrective actions (verify in OASIS).
- (MD2 2.2.41.i) The client's certified activities fall within DEKRA's accredited scope.
Note that, for Aerospace clients, the certificate may not be transferred until after the assumption audit (i.e., Special Audit for transfers at surveillance, Stage 1 and Stage 2 for transfers within 12 months of expiration) and a positive Certification Decision. After a positive DEKRA certification decision, upload proof of successful assumption to OASIS.
The Pre-Transfer Reviewer will decide any special audit requirements for non-Aerospace and document in the client file the decision to require or not require a visit to the client along with the appropriate justification.
A Special Audit is always required for Aerospace audits unless the transfer is within 12 months of expiration, which then requires Stage 1 and Stage 2.
The Pre-Transfer Reviewer places the reviewed final documents along with a note in the 'Client Post' or other designated shared folder to allow scheduling staff to add it to the main client file and assign a certificate number.
Should a disagreement arise between the Pre-Transfer Reviewer and Sales, the Managing Director may rule. A note regarding the disagreement and its disposition must also be added to the Transfer Package.
Transfer Certification Decisions
DEKRA shall not issue certification to the transferring client until:
- DEKRA has verified the implementation of corrections and corrective actions in respect of all outstanding major nonconformities; and
- DEKRA has accepted the transferring client's plans for correction and corrective action for all outstanding minor nonconformities.
- The normal certification decision making process shall be followed including that the personnel making the certification decision be different from those which carried out the pre-transfer review.
The certification cycle shall be based on the previous certification cycle and DEKRA shall establish the audit program for the remainder of the certification cycle. DEKRA can quote the organization's initial certification date on the certification documents with the indication that the organization was certified by a different CB before a certain date.
Where DEKRA has to treat the client as a new client as a result of the pre-transfer review, the certification cycle shall begin with the certification decision. DEKRA shall take the decision on certification before any surveillance or recertification audits are initiated.
Once the accepting CB has issued the certification it shall inform the issuing CB.
Aerospace Transfers (AS9104, 8.8)
All Aerospace transfers require a formal Certification Decision prior to accepting any certificates. The transfer must be complete and the certificate accepted before any regularly-scheduled audit activities may be performed for the client. For example, if a client transfers in a Surveillance year, DEKRA must first perform all transfer activities and issue a positive Cert Decision approving the transfer before sending any auditor out to perform the Surveillance audit. If the transfer happens in a Recertification year, there will be TWO Cert Decisions entered in the Portal for that year; the decision approving the Transfer and the later decision to Recertify the client.
For transfer of AQMS certificates, IAF MD 2 and AR 17 are applicable in full with the following additional requirements:
- Only valid certifications issued, under the 9104-series standards ICOP scheme, by a CB with a valid accreditation are eligible for transfer.
- All communication with the issuing CB, including requests for reports and certificates, must be done using the feedback function of the OASIS database, to maintain complete records of transfer in OASIS.
- No certificate transfer between CBs shall occur, when the CB controlling the existing certificate has nonconformities documented that are awaiting corrective action closure and acceptance, unless the current CB has ceased its activities or is unable to close the corrective actions. In cases of open corrective actions, DEKRA shall ensure closure of corrective actions, prior to certificate issuance.
- Transfer of existing certificates expiring within the next 12 months shall require a Stage 1 and Stage 2 audit.
DEKRA shall ensure that, prior to certificate issuance, a special audit (on-site) is carried out by an AEA to confirm the validity of the certification being transferred.
A new certificate shall not be issued, unless all minor and major nonconformities have been contained and satisfactorily corrected; the root cause analysis completed; and corrective action has been implemented, reviewed, accepted, and verified by the accepting CB. If the closure of nonconformities takes more than 90 days, transfer of the existing certificate is not allowed.
Review/verification of the corrective action by the accepting CB shall take place on-site (except for corrective actions related to AQMS documentation).
DEKRA maintains a client certification based on demonstration that the client continues to satisfy the requirements of the management system standard.
DEKRA may maintain a client’s certification based on a positive conclusion by the audit team leader without further independent review and decision, provided that:
- a) for any major nonconformity or other situation that may lead to suspension or withdrawal of certification, DEKRA has a system that requires the audit team leader to report to DEKRA the need to initiate a review by competent personnel, to determine whether certification can be maintained (addressed in the 'Certification Recommendation' section of the Audit Report);
- b) competent personnel of DEKRA monitor its surveillance activities, including monitoring the reporting by its auditors, to confirm that the certification activity is operating effectively (Client Services staff, trained on this manual, accreditation standards, and client certification standards.)
DEKRA develops its surveillance activities so that representative areas and functions covered by the scope of the management system are monitored on a regular basis, and takes into account changes to its certified client and its management system.
Surveillance activities shall include onsite auditing of the certified client’s management system’s fulfillment of specified requirements with respect to the standard to which the certification is granted.
Other surveillance activities may include:
- inquiries from DEKRA to the certified client on aspects of certification;
- reviewing any certified client’s statements with respect to its operations (e.g. promotional material, website);
- requests to the certified client to provide documented information (on paper or electronic media); and
- other means of monitoring the certified client’s performance.
Surveillance audits are onsite audits, but are not necessarily full system audits, and must be planned together with the other surveillance activities so that DEKRA can maintain confidence that the client’s certified management system continues to fulfill requirements between recertification audits.
Each surveillance for the relevant management system standard shall include:
- internal audits and management review;
- a review of actions taken on nonconformities identified during the previous audit;
- complaints handling;
- effectiveness of the management system with regard to achieving the certified client’s objectives and the intended results of the respective management system(s);
- progress of planned activities aimed at continual improvement;
- continuing operational control;
- review of any changes; and
- use of marks and/or any other reference to certification.
The central function shall be audited at least once every calendar year as part of surveillance.
Surveillance audits shall be conducted according to ISO 50003 and ISO/IEC 17021-1.
The requirements of ANSI/MSE 50028-1 shall be included on the audit plans as criteria for surveillance audits.
Surveillance audits do not require a review of the requirements of the SEP Certification Protocol or SEP M&V Protocol, with one exception. The exception shall be when additional sites are added during a surveillance audit. The organization’s SEP PV shall complete the SEP Energy Performance Improvement Reports for each site added during a surveillance audit. The organization’s SEP PV shall submit the SEP Energy Performance Improvement Reports to the SEP PA. The Lead Auditor for SEP shall check for the p-values, F-test, R2 and RF factor per the SEP M&V Protocol. During the surveillance audits, DEKRA shall review the necessary audit evidence to determine whether or not continual energy performance improvement has been demonstrated.
Surveillance audits shall focus on confirmation that the management system and energy performance have been effectively maintained by reviewing management system processes and energy performance actions and trends. This shall include:
- copies of last management review,
- results of last internal audit including details of the completion of closed loop corrective actions for any findings, and
- copies of any new documents and any new systems implemented since the last audit.
Energy performance actions and trends shall include:
- changes to the energy planning process,
- EnMS energy performance indicators,
- corrections or corrective actions resulting from significant changes to the energy performance indicators,
- status of energy objectives and their related targets, and
- review of the organization's management of significant deviations.
Surveillance audits do not include a review of the Measurement and Verification model or verification of SEnPI performance by an SEP Performance Verifier.
There shall not be any changes to the certificate if the energy performance improvement is different than the original certification during the surveillance period. Changes are made during the recertification period only.
All clauses of the applicable AQMS standard (except requirements determined as not applicable within the determined scope) and the organization's processes that are part of the QMS shall be audited, during the surveillance audits within one certification cycle. The audit method(s) to be used (e.g., audits on specific problems, areas, products, or sub-processes) shall be based on the outcome of the audit team’s review of QMS performance data, including product conformity and OTD.
Detailed audit findings, including reference to the audited processes, process documentation, and associated records, shall be documented.
The audit team shall verify the effectiveness of corrective actions taken for nonconformities (if applicable) identified during the previous audit.
If there is more than one surveillance audit during a year (e.g., every six months), some activities (e.g., interview with top management) may be spread over these audits.
Medical Device (ISO 13485) Surveillance
(MD9 22.214.171.124) In addition to requirements of 17021-1, the surveillance program shall include a review of actions taken for notification of adverse events, advisory notices, and recalls.
Surveillance audit procedures shall be consistent with those concerning the certification audit of the client’s ISMS as described in ISO/IEC 27006.
The purpose of surveillance is to verify that the approved ISMS continues to be implemented, to consider the implications of changes to that system initiated as a result of changes in the client’s operation and to confirm continued compliance with certification requirements. Surveillance audit programs shall cover at least:
- the system maintenance elements such as information security risk assessment and control maintenance, internal ISMS audit, management review and corrective action;
- communications from external parties as required by the ISMS standard ISO/IEC 27001 and other documents required for certification;
- changes to the documented system;
- areas subject to change;
- selected requirements of ISO/IEC 27001;
- other selected areas as appropriate.
As a minimum, every surveillance by DEKRA shall review the following:
- the effectiveness of the ISMS with regard to achieving the objectives of the client’s information security policy;
- the functioning of procedures for the periodic evaluation and review of compliance with relevant information security legislation and regulations;
- changes to the controls determined, and resulting changes to the SoA;
- implementation and effectiveness of controls according to the audit program.
DEKRA shall be able to adapt its surveillance program to the information security issues related to risks and impacts on the client and justify this program.
Surveillance audits may be combined with audits of other management systems. The reporting shall clearly indicate the aspects relevant to each management system.
During surveillance audits, DEKRA shall check the records of appeals and complaints brought before DEKRA and, where any nonconformity or failure to meet the requirements of certification is revealed, that the client has investigated its own ISMS and procedures and taken appropriate corrective action.
A surveillance report shall contain, in particular, information on clearing of nonconformities revealed previously and the version of the SoA and important changes from the previous audit. As a minimum, the reports arising from surveillance shall build up to cover in totality the requirements above.
The purpose of the recertification audit is to confirm the continued conformity and effectiveness of the management system as a whole, and its continued relevance and applicability for the scope of certification. DEKRA makes decisions on renewing certification based on the results of the recertification audit, as well as the results of the review of the system over the period of certification and complaints received from users of certification.
The balance of information required for the recertification package is the same as required for the initial certification package.
A recertification audit must be planned and conducted to evaluate the continued fulfillment of all of the requirements of the relevant management system standard or other normative document. This must be planned and conducted in due time to enable for timely renewal before the certificate expiry date.
The lead auditor shall ensure that all previous reports from the current certification cycle are reviewed before the audit and used to modify the arrangements for the Recertification audit, if necessary.
Recertification audit activities may need to have a stage 1 in situations where there have been significant changes to the management system, the organization, or the context in which the management system is operating (e.g. changes to legislation).
Such changes can occur at any time during the certification cycle and DEKRA might need to perform a special audit which might or might not be a two stage audit.
The recertification audit will include an onsite audit that addresses the following:
- the effectiveness of the management system in its entirety in the light of internal and external changes and its continued relevance and applicability to the scope of certification;
- demonstrated commitment to maintain the effectiveness and improvement of the management system in order to enhance overall performance;
- the effectiveness of the management system with regard to achieving the certified client’s objectives and the intended results of the respective management system(s).
For any major nonconformity, DEKRA will define time limits for correction and corrective actions. These actions must be implemented and verified prior to the expiration of certification.
When recertification activities are successfully completed prior to the expiry date of the existing certification, the expiry date of the new certification can be based on the expiry date of the existing certification. The issue date on a new certificate must be on or after the recertification decision.
If DEKRA has not completed the recertification audit or DEKRA is unable to verify the implementation of corrections and corrective actions for any major nonconformity prior to the expiry date of the certification, then recertification will not be recommended and the validity of the certification will not be extended. The client must be informed and the consequences must be explained.
Following expiration of certification, DEKRA can restore certification within 6 months provided that the outstanding recertification activities are completed, otherwise at least a stage 2 must be conducted. The effective date on the certificate must be on or after the recertification decision and the expiry date must be based on the prior certification cycle.
The central function shall be audited at every recertification audit.
During the recertification audit, DEKRA shall review the necessary audit evidence to determine whether or not continual energy performance improvement has been demonstrated prior to making a recertification decision.
The recertification audit shall also take into account any major change in facilities, equipment, systems or processes.
Confirmation of continual energy performance improvement is required for granting the recertification. Energy performance improvement can be affected by changes in facilities, equipment, systems or processes, business changes, or other conditions that result in a change or a need to change the energy baseline.
The additional requirements of ANSI/MSE 50028 and the other normative documents of ANSI/MSE 50028 shall be considered as a part of the recertification decision.
For recertification, a Stage 1 audit shall be required if the client changes the chosen SEP certification pathway or modifies the SEnPI model such that it now requires SEP Administrator approval per the appropriate sector-specific Measurement and Verification Protocol. The Stage 1 audit may be conducted off-site.
During recertification audits, if the certified client is unable to demonstrate energy performance improvements of their chosen SEP certification pathway, DEKRA shall review the status of the ISO 50001 certification and inform the client the SEP certification has been suspended. The client is invited to re-apply when appropriate.
A client’s or certified client’s failure to respond to corrective actions from a certification or re-certification audit shall result in escalation of the issue. DEKRA shall follow standard process for escalation.
Aerospace Recertification Audits
The recertification audit should be planned a minimum of three months before the expiry date of the current certificate. The ‘scope of certification’ shall be verified prior to each recertification audit. Any change of customer approval status shall be reviewed by the audit team to determine the impact on the certification status. During on-site activities for the recertification, the QMS and the organization's processes that are needed for the QMS shall be audited for conformity, including determination of effectiveness.
- The organization's QMS, associated processes, and documented information shall be reviewed for changes.
- Detailed audit findings, including reference to the audited processes and documented information, shall be recorded.
- The audit team shall verify the effectiveness of corrective actions taken for nonconformities (if applicable) identified during the previous audit.
- Appointment of a new audit team could be a justification for a full or partial Stage 1 audit, including an on-site visit by the audit team.
Re-certification audit procedures shall be consistent with those concerning the initial certification audit of the client’s ISMS as described in ISO 27006.
The time allowed to implement corrective action shall be consistent with the severity of the nonconformity and the associated information security risk.
DEKRA shall, in response to an application for expanding the scope of a certification already granted, undertake a review, or engage the Lead Auditor to undertake a review, of the application and determine any audit activities necessary to decide whether or not the extension may be granted. This may be conducted in conjunction with a surveillance audit.
When a client has a change within its organization, a scope change may be necessary. The following process details the responsibilities and authorities to change the scope of certification. Client or Auditor notifies the DEKRA office that scope change is necessary. The scope may be reduced or increased to reflect the client’s current processes.
Lead Auditor recommends processing to continue either with or without an audit. When scope is being increased, the Lead Auditor must confirm that all necessary audit activities have taken place and/or perform an onsite extension of scope. For a simple reduction in scope (such as a product being dropped from the product list, or a misspelling) no audit would be required.
Client Services evaluates the request for change and the Lead Auditor's recommendation, determines the amount of follow-up required, and directs the auditor if appropriate.
For AS9100 certificates, scope increases (but not reductions) always require a Special audit before the change can be processed by the DEKRA office.
Note: Corrections of misspelled words do not require a certification decision or this process to be followed (these are considered typographical corrections only, and do not change the meaning of the information contained on the certificate).
If an audit is not required to make the change and the Auditor received the scope change request from the client, the Auditor forwards all relevant information to the DEKRA office. Upon receipt from the auditor, Client Services prepares a Certification Review package.
Certification Official may approve or reject the scope change pending additional audit activities.
It may be necessary for DEKRA to conduct audits of certified clients at short notice or unannounced to investigate complaints, or in response to changes, or as follow up on suspended clients. These audits may be termed 'Short-Notice' or "Special" (for AS and ISO 45001) Audits.
In such cases:
- DEKRA will describe and make known in advance to the certified clients the conditions under which such audits will be conducted;
- DEKRA will exercise additional care in the assignment of the audit team because of the lack of opportunity for the client to object to audit team members.
DEKRA may require the performance of special audits during the certification cycle in response to one of the following situations:
- In response to a request from a client’s customer or other interested party when a serious issue has been identified (supported by objective evidence)
- In response to a request from a client to change the scope of registration, or change in location, revise, add or delete sites
- In response to a request for a transfer (Assumption) of certificate from another CB
- As a part of DEKRA’s corrective action resulting from nonconformities issued to DEKRA by AB (Example: Not enough onsite time spent in the last audit at specific client)
- In response to information derived from regulatory or other interested party when a serious issue has been identified (supported by objective evidence)
- In response to complaints, to changes, or as follow up on suspended clients (short notice audits may be necessary)
- In response to a client suspension in order to assess the suspension for next action (Lift suspension, continue suspension, escalate to withdrawal).
An unannounced or short-notice audit may also be necessary if DEKRA has justifiable concerns about implementation of corrective actions or compliance with standard and regulatory requirements.
These audits shall be coordinated with the client prior to the scheduled special audit. Specific reasons and specific objectives for the special audit will be communicated to the client.
If the request originated from client’s customer or other interested party, the requestor will be notified in advance of the audit dates and also will be informed about the audit results. Client Services/Auditor shall collect relevant information from the Requestor to justify the Special Audit.
DEKRA’s Management reviews the information to determine if a Special Audit is required. If no Special Audit is required, then the normal audit cycle continues.
Client Services writes a quote for the Special Audit and submits the quote to the client. DEKRA shall describe and make known in advance to the certified client the conditions under which the Special Audit will be conducted.
Scheduler shall follow the guidelines specified in the Audit Team Selection, Assignment, and Scheduling procedure and select the competent audit team.
Account Manager / Auditor: An Audit Plan shall be prepared and submitted to the client prior to the scheduled Special Audit. The Audit Plan shall clearly state the scope of the audit, dates, duration, audit team and agenda.
Special Audits for ISO standards may be conducted by any qualified Lead Auditor. Auditor makes recommendation that Special Audit is sufficient or not sufficient and requires additional actions.
DEKRA shall follow the established procedure for Certification Review. If Results of the Special Audit are not sufficient, DEKRA shall follow the established procedure for Suspension & Withdrawal or continue with the corrective action process. Results of the Special Audit shall be communicated to the Special Audit Requestor. Client Services shall update any required external databases such as OASIS.
Aerospace Special Audits
Special audits shall be conducted, during the certification cycle, in response to one of the following situations:
- An organization's request to revise their existing certification scope, certification structure, number of site(s) and/or locations; and
- Transferring certification from one CB to another.
Although a "Special Audit" is not listed as part of the audit program, it can be applicable after initial certification, when directed by special request. A special audit can be conducted in response to a customer or other interested party request, when a serious issue (supported by objective evidence) has been identified.
Special audits shall be coordinated with the organization prior to the visit. The organization shall be given information about the specific reason and subject of the visit. Detailed audit findings, including reference to the audited processes and documented information shall be recorded.
Use of the QMS Process Matrix Report and PEAR during a Special Audit is dependent on the reason for the audit.
OHS (45001) Special Audits
Independently from the involvement of the competent regulatory authority, a special audit may be necessary in the event that DEKRA becomes aware that there has been a serious incident related to occupational health and safety, for example, a serious accident, or a serious breach of regulation, in order to investigate if the management system has not been compromised and did function effectively. DEKRA shall document the outcome of its investigation.
Information on incidents such as a serious accident, or a serious breach of regulation necessitating the involvement of the competent regulatory authority, provided by the certified client or directly gathered by the audit team during the special audit, shall provide grounds for DEKRA to decide on the actions to be taken, including a suspension or withdrawal of the certification, in cases where it can be demonstrated that the system seriously failed to meet the OHS certification requirements. Such requirements shall be part of the contractual agreements between DEKRA and the organization.
Medical Device (ISO 13485) Short-Notice Audits
(MD9 9.5.2) Short notice audits may be required when:
- External factors apply, such as:
  - available post-market surveillance data known to DEKRA on the subject devices indicate a possible significant deficiency in the quality management system
  - significant safety related information becoming known to DEKRA
- Significant changes occur which have been submitted as required by the regulations or become known to DEKRA, and which could affect the decision on the client's state of compliance with the regulatory requirements. The following are examples of such changes which could be significant and relevant to DEKRA when considering that a special audit is required, although none of these changes should automatically trigger a special audit:
  - QMS – impact and changes:
    - new ownership
    - extension to manufacturing and/or design control
    - new facility, site change
    - modification of the site operation involved in the manufacturing activity (e.g. relocation of the manufacturing operation to a new site or centralizing the design and/or development functions for several manufacturing sites)
    - new processes, process changes
    - significant modifications to special processes (e.g. change in production from sterilization through a supplier to an on-site facility or a change in the method of sterilization)
  - QM management, personnel:
    - modifications to the defined authority of the management representative that impact:
      - quality management system effectiveness or regulatory compliance
      - the capability and authority to assure that only safe and effective medical devices are released
  - Product related changes:
    - new products, categories
    - addition of a new device category to the manufacturing scope within the quality management system (e.g. addition of sterile single use dialysis sets to an existing scope limited to haemodialysis equipment, or the addition of magnetic resonance imaging to an existing scope limited to ultrasound equipment)
  - QMS & Product related changes:
    - changes in standards, regulations
    - post market surveillance, vigilance
ISMS Special Audits
The activities necessary to perform special audits shall be subject to special provision if a client with a certified ISMS makes major modifications to its system or if other changes take place which could affect the basis of its certification.
Gap Assessments or Pre-Audits (they are the same activity, hereinafter called "pre-audits") are another type of DEKRA special audit. These are managed the same as any required special audit activity. Aerospace Pre-Audits are performed prior to Stage 1 and are required by DEKRA's accreditation, whereas other types of pre-audits may not be required, but requested by clients.
Auditors for pre-audits must be competent and approved for the client standard.
Auditors for pre-audits need not be competent in the client's specific technical area (IAF code). Therefore, the "Team Member" function in the DEKRA Database may be used to assign a pre-auditor.
Auditors can use the "Pre-Audit Report Template" and record evidence and interviewees as in all other audits. The Pre-Audit Report Template is not generally available to auditors in the cloud and must be sent directly to the Auditor as part of any pre-audit package.
Aerospace Pre-Audits – additional requirements
More than one pre-audit shall be considered as consultancy.
Suspending, Withdrawing, or Reducing the Scope of Certification
DEKRA maintains the below policy and documented procedure(s) for suspension, withdrawal or reduction of the scope of certification, which specifies the subsequent actions by DEKRA.
Cancellation requests must originate from the client and may be included in an audit report. The request shall be immediately forwarded to Client Services.
Client Services issues certification cancellation letter to Client and saves in Client file.
Client Services removes future audit dates from the DEKRA database, records the lost account and reason, and marks client as inactive in relationship management system(s).
Client Services notifies accounting and other DEKRA entities (such as medical, TS) via email of cancellation as appropriate, copying Directors and IT department to allow removal of client from the web list of certified clients.
Suspension and Withdrawal
DEKRA shall suspend certification in the following cases:
- the client’s certified management system has persistently or seriously failed to meet certification requirements, including requirements for the effectiveness of the management system;
- the certified client does not allow surveillance or recertification audits to be conducted at the required frequencies;
- the certified client has voluntarily requested a suspension.
Additional specific reasons for suspension include:
- Major nonconformities that could result in nonconforming product
- Failure to close a major NCR in the required time frame
- Failure to meet the conditions of the certification agreement
- For TL 9000 Clients, failure to update the QuEST database in the required time frame
- For AS9100 Clients, failure to update site administrator in the OASIS database
- For ISO 45001 Clients, failure to demonstrate their ongoing commitment to legal compliance (see Section 9.5 on Certification Decision for exception).
Under suspension, the client’s management system certification is temporarily invalid.
Suspension leading to Withdrawal is used when a client has failed to meet the terms of the Certification Agreement. Any person may recommend if a certificate should be suspended or withdrawn. Certification Official decides if there is an adequate reason for suspension.
Managing Director or Technical Director or Designee prepares a suspension letter, sends to client and copies the account manager and the auditor. Client Services updates internal and external databases including OASIS and the DEKRA website to reflect suspended certification within 14 calendar days. (Industry specific standards have specific database notification requirements). Client Services suspends scheduling future audits.
DEKRA will restore the suspended certification if the issue that has resulted in the suspension has been resolved.
Failure to resolve the issues that have resulted in the suspension in a time established by DEKRA will result in withdrawal or reduction of the scope of certification.
Technical Director decides if the client has taken sufficient action to resolve the reason for suspension in sufficient time. If more than six months elapse, the certificate shall be withdrawn, except in emergency situations due to force majeure. If sufficient action is taken, a positive letter is sent to the client, copying the account manager and auditor, and required databases (QuEST, OASIS) are updated.
Reduction of Scope
In lieu of Suspension, DEKRA may reduce the scope of client certification to exclude the parts not meeting the requirements, when the certified client has persistently or seriously failed to meet the certification requirements for those parts of the scope of certification. Any such reduction shall be in line with the requirements of the standard used for certification.
Clients may also request reduction. No special audit is needed for reduction of scope.
Multisite Withdrawal – additional requirements
The certification documentation will be withdrawn in its entirety if any of the sites does not fulfill necessary provisions for the maintenance of the certification.
DEKRA shall inform the SEP Administrator of any change in certification status.
Aerospace Suspension and Withdrawal – additional requirements
In situations where withdrawal of certification is restricted to a specific AQMS standard only, the certificate should be re-issued for the other standards that have not been affected.
DEKRA shall initiate the client certification suspension process, when an organization fails to demonstrate that conformance to the applicable standard has been re-established within 60 days from the issuance of a Nonconformity Report (NCR).
DEKRA shall arrange for the OASIS database to be updated when an organization’s AQMS standard certificate(s) is suspended or withdrawn. This shall be performed by DEKRA within 14 calendar days to reflect any change in an organization’s certification status.
DEKRA maintains the documented process below to receive, evaluate and make decisions on appeals.
The appeals handling process includes the following elements and methods:
- a) an outline of the process for receiving, validating and investigating the appeal, and for deciding what actions need to be taken in response to it, taking into account the results of previous similar appeals;
- b) tracking and recording appeals, including actions undertaken to resolve them;
- c) ensuring that any appropriate correction and corrective action are taken.
DEKRA is responsible for all decisions at all levels of the appeals handling process. Top management must ensure that the persons engaged in the appeals handling process are different from those who carried out the audits and made the certification decisions. DEKRA must be responsible for gathering and verifying all necessary information to validate the appeal.
Submission, investigation and decision on appeals must not result in any discriminatory actions against the appellant.
- Any person may initiate an appeal by using the DEKRA Resolution Center (DRC). Appeals directly communicated to a DEKRA employee shall be entered on behalf of the actual Appellant, using the Appellant's contact email in the web form.
- DEKRA will acknowledge receipt of the appeal and will provide the appellant with progress reports and the result of the appeal. The DRC automatically acknowledges receipt of the appeal to the Appellant's contact email.
- All appeals are automatically assigned in the DRC for investigation to the Technical Director or Designee (hereinafter ‘Investigator’). If the appeal relates to a Certification Decision by the Technical Director or Designee, the appeal will be reassigned to another Director.
- The Investigator will track the status of the appeal by any method which allows a complete report to be made to the Appellant or ANAB at any time.
- The Investigator will gather and verify evidence to validate the appeal.
- The Investigator will present the evidence to the Appellant in the form of a progress report via email, copying all Directors, and solicit final comment from the Appellant.
- The Investigator will then decide what actions, if any, need to be taken, considering the results of similar appeals, and shall communicate the decision to all Directors, including a reminder that submission, investigation, and decision on appeals shall not result in any discriminatory actions against the Appellant.
- Any two Directors together, or the Managing Director alone, may within 3 business days overrule the decision of the Investigator and present the appeal for discussion and majority vote among all Directors not involved in the subject of the appeal.
- The decision to be communicated to the appellant must be made by, or reviewed and approved by, individual(s) not previously involved in the subject of the appeal.
- The Investigator will communicate the final decision to the Appellant via email. The email shall also remind the Appellant that the appeal "may be elevated to ANAB as a complaint for further consideration, per the ANAB Certification Client Bill of Rights and Responsibilities".
- If DEKRA corrective action is indicated as a result of the appeal, it will be handled using the DEKRA Corrective Action procedure.
- The Investigator will record the resolution of the appeal and all resultant actions by any method which will allow ANAB assessment.
- DEKRA will give formal notice to the appellant of the end of the appeals handling process.
DEKRA shall ensure that the SEP Performance Verifier engaged in the appeals-handling process is different from the person who carried out the verification associated with the certification decision.
DEKRA must maintain a process to settle disputes over interpretations of the TL 9000 standard.
DEKRA maintains the documented process below to receive, evaluate and make decisions on complaints. This process must be subject to requirements for confidentiality, as it relates to the complainant and to the subject of the complaint.
The complaints handling process includes the following elements and methods: a) an outline of the process for receiving, validating, investigating the complaint, and for deciding what actions need to be taken in response to it; b) tracking and recording complaints, including actions undertaken in response to them; and c) ensuring that any appropriate correction and corrective action are taken.
DEKRA must be responsible for all decisions at all levels of the complaints handling process.
Submission, investigation and decision on complaints will not result in any discriminatory actions against the complainant. DEKRA is responsible for gathering and verifying all necessary information to validate the complaint.
- Any person may initiate a complaint by using the DEKRA Resolution Center (DRC). Complaints directly communicated to a DEKRA employee or Auditor or other DEKRA Representative shall be entered on behalf of the actual Complainant, using the Complainant's contact email in the web form.
- Whenever possible, DEKRA will acknowledge receipt of the complaint, and shall provide the complainant with progress reports and the result of the complaint. The DRC automatically acknowledges receipt of the complaint to the Complainant's contact email.
- All complaints are automatically assigned in the DRC to the Technical Director or Designee (hereinafter ‘Investigator’). If the complaint relates to a Certification Decision by the Technical Director, the complaint will be reassigned.
- Upon receipt of a complaint, DEKRA will confirm whether the complaint relates to certification activities that it is responsible for and, if so, will deal with it. If the complaint relates to a certified client, then examination of the complaint will consider the effectiveness of the certified management system.
- All feedback received is reviewed and, if a response is requested, the response is provided within 30 calendar days from receipt of the complaint.
- All requests for corrective action must be responded to within 30 calendar days from receipt of complaint.
- DEKRA shall be responsible for the resolution of all complaints. Complaints that cannot be resolved by DEKRA shall be referred to the AB.
- The Investigator will investigate, gather and verify evidence to validate the complaint, and determine whether the complaint relates to DEKRA's own activities or those of a certified client or other individual.
- If the complaint relates to a client or individual, their information will be treated confidentially, in conformity with the confidentiality provisions of ISO 17021-1.
- The Investigator will track the status of the complaint by any method which allows a complete non-confidential report to be made to the Complainant or confidential report to be made to ANAB or regulatory bodies at any time.
- The Investigator will present non-confidential evidence to the Complainant in the form of a progress report via email, copying all Directors, and solicit final comment from the Complainant.
- If confidential information exists, the Investigator will present all evidence, including confidential information, in a separate email to all Directors, including a reminder that "no information about a particular certified client or individual may be disclosed to a third party without the written consent of the certified client or individual."
- The Investigator will then decide what actions, if any, need to be taken, considering the results of similar complaints, and shall communicate the decision to all Directors, including a reminder that "submission, investigation, and decision on complaints shall not result in any discriminatory actions against the Complainant."
- Any two Directors together, or the Managing Director alone, may within 3 business days overrule the decision of the Investigator and present the complaint for discussion and majority vote among all Directors not involved in the subject of the complaint.
- The decision to be communicated to the complainant must be made by, or reviewed and approved by, individual(s) not previously involved in the subject of the complaint.
- The Investigator will communicate the final decision to the Complainant via email. The email shall also remind the Complainant that the complaint may be "elevated to ANAB for further consideration, per the ANAB Certification Client Bill of Rights and Responsibilities".
- If DEKRA is required by law or authorized by contractual arrangement (as with ANAB) to share information, the appropriate body shall also be copied on the email. The Investigator will also send the appropriate body a separate email with all evidence, both confidential and non-confidential, and the final decision regarding the complaint.
- If DEKRA corrective action is indicated as a result of the complaint, it will be handled using the DEKRA Corrective Action procedure. DEKRA must ensure that the procedure invoked as a result of a complaint provides for containment activities, verification that conformance to the applicable standard is re-established, completion of root cause analysis, corrective actions addressing all root causes, and a completion date for the implementation of all corrective actions.
- If DEKRA determines that a short notice audit is necessary, this audit shall be completed within 90 calendar days from receipt of the complaint.
- The Investigator will record the resolution of the complaint and all resultant actions by any method which will allow ANAB assessment or further action by regulatory bodies as required by law.
- DEKRA will give formal notice of the end of the complaints handling process to the complainant. If another body is notified, the Investigator will also, via separate email, notify the individual or client concerned of the information which was shared.
DEKRA shall upon request make available to ANAB all complaints and appeals about its accredited certification system and their resolution, which may include correction and corrective action relative to DEKRA’s certification programs.
Any valid complaint about a certified client will also be referred by DEKRA to the certified client in question at an appropriate time. DEKRA will determine, together with the certified client and the complainant, whether and, if so to what extent, the subject of the complaint and its resolution must be made public.
DEKRA shall inform the SEP Administrator of any verified complaints about performance concerning itself or its certified personnel.
Complaints represent a potential incident and an indication of possible nonconformity.