1 Purpose
It is to define the understanding of multi-site , possible multi-site and the sampling principle and stipulate the assessment of multi-site,sampling audit,audit duration,and how to express each location on the certificate, which meet
the requirements of ISO/IEC 17021 “Management System Certification Body Requirements” and IAF-MD1 “IAF Mandatory Document for the Audit and Certification of a Management System Operated by a Multi-Site Organization”.
2 Applicable scope
It applies to the review and acceptance,certification audit and certification decision and the expression on the certificate.
3 Definition
3.1 Organization
Person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives.
3.2 Permanent Site
Site (physical or virtual) where a client organization performs work or from which a service is provided on a continuing basis.
3.3 Temporary Site
Site (physical or virtual) where a client organization performs specific work or from which a service is provided for a finite period of time and which is not intended to become a permanent site.
3.4 Multi-site Organization
An organization covered by a single management system comprising an identified central function (not necessarily the headquarters of the organization) at which certain
processes/activities are planned and controlled, and a number of sites (permanent, temporary or virtual) at which such processes/activities are fully or partially carried out.
3.5 Central Function
The function that is responsible for and centrally controls the management system (refer to Section 5).
3.6 Virtual Site
Virtual location where a client organization performs work or provides a service using an on-line environment allowing persons from different physical locations to execute processes.
Note 1: A virtual site cannot be considered as such where the processes must be executed in a physical environment e.g. warehousing, physical testing laboratories, installation or repairs to physical products.
Note 2: An example of such a virtual site is a design & development organization with all employees performing work located remotely, working in a cloud environment.
Note 3: A virtual site (e.g. an organization’s intranet) is considered a single site for the purpose of calculating of audit time.
Note 4: For further information, see also IAF MD 4: Use of Computer Assisted Auditing Techniques ("CAAT") for Accredited Certification of Management Systems.
3.7 Sub-scope
The scope of a single site.
Note: The scope of a single site might be the same as the full scope of the multi-site organization but may also be only a small part of the multi-site organization’s scope.
Note: The above definition of “sub-scope” is to be used for the purposes of implementing the requirements of this document (in contrast with the use of the term on page 2 of this document, where reference is made to “sub-scope” in the context of accreditation and not certification).
3.8 Top Management
Person or group of people who directs and controls an organization at the highest level.
4 Responsibility
4.1 Marketing department is responsible for ensuring whether the application organization has multi-site and is required to submit all sites list.
4.2 Audit department makes audit programme and determine the audit duration according to the temporary/multi-site list confirmed by audited party, and transmits relevant information to audit team. Audit team is responsible for implementing audit in accordance with audit requirements for multi-site organization.
4.3 Decision maker is responsible for making the certification decision depending on reviewing all certification audit documents required by multi-site certification and make the decision.
5 Application
5.1 Site
5.1.1 A site could include all land on which processes/activities under the control of an organization at a given location are carried out, including any connected or associated storage of raw materials, by-products, intermediate products, end products and waste material, and any equipment or infrastructure involved in the processes/activities, whether or not fixed. Alternatively, where required by law, definitions laid down in national or local licensing regimes shall apply.
5.1.2 Where it is not practicable to define a location (e.g. for services), the coverage of the certification should take into account the organization’s headquarters processes/activities as well as delivery of its services. Where relevant, HIC may decide that the certification audit will be carried out only where the organization delivers its services. In such cases all the interfaces with its central function shall be identified and audited.
5.2 Temporary Site
5.2.1 Temporary sites that are covered by the organization's management system shall be subject to audit on a sample basis to provide evidence of the operation and effectiveness of the management system. They may, however be included within the scope of a multi-site certification and included on the certification document, subject to agreement between the Certification Body and the client organization. When temporary sites are shown on the certification documents, such sites shall be identified as temporary.
5.3 Multi-site Organization
5.3.1 A multi-site organization need not be a unique legal entity, but all sites shall have a legal or contractual link with the central function of the organization and be subject to a single management system, which is laid down, established and subject to continuous surveillance and internal audits by the central function. This means that the central function has rights to require that the sites implement corrective actions when needed in any site. Where applicable this should be set out in the formal agreement between the central function and the sites.
6 Eligility of a Multi-site Organization for certification
6.1 The organization shall have a single management system.
6.2 The organization shall identify its central function.The central function is part of the organization and shall not be subcontracted to an external organization.
6.3 The central function shall have organizational authority to define, establish and maintain the single management system.
6.4 The organization’s single management system shall be subject to a centralized management review.
6.5 All sites shall be subject to the organization’s internal audit programme.
6.6 The central function shall be responsible for ensuring that data is collected and analyzed from all sites and shall be able to demonstrate its authority and ability to initiate organizational change as required in regard, but not limited, to:
(i) system documentation and system changes;
(ii) management review;
(iii) complaints;
(iv) evaluation of corrective actions;
(v) internal audit planning and evaluation of the results;
(vi) statutory and regulatory requirements pertaining to the applicable standard(s).
Note:The central function is where operational control and authority from the top management of the organization is exerted over every site. There is no requirement for the central function to be located in a single site.
7 Methodologies
7.1 Methodology for Auditing of a Multi-site Organization Using Site Sampling
7.1.1 Conditions
7.1.1.1 Sampling of a set of sites is permitted where the sites are each performing very similar processes/activities.
7.1.1.2 Not all organizations fulfilling the definition of “multi-site organization”will be eligible for sampling.
7.1.1.3 Not all management systems standards are suitable for consideration for multi-site certification. For example, multi-site sampling would be unsuitable where the audit of variable local factors is a requirement of the standard. Specific rules also apply for some schemes, for example those including aerospace (AS 9100 series) or automotive (IATF 16949) and the requirements of such schemes shall take precedence.
7.1.1.4 In order to obtain sufficient trust in the effectiveness of the management system through the audit, it is not appropriate to conduct site sampling in the following situations,but not limited:
1) The risk or complexity associated with the scope category or process or activity is
high or complex.
2) Size of sites eligible for multi-site audit;
3)Variations in the local implementation of the management system to address different processes/activities or different contractual or regulatory systems.
7.1.2 Sampling
7.1.2.1 The sample shall be partly selective based on the factors set out 7.1.2.4 and partly random, and shall result in a representative range of different sites being selected, ensuring all processes covered by the scope of certification will be audited.
At least 25% of the sample shall be selected at random.
7.1.2.3 Taking into account the provisions mentioned below, the remainder shall be selected so that the differences among the sites selected over the period of validity of the certificate is as large as possible.
7.1.2.4 The site selection shall consider, among others, the following aspects:
1) results of internal site audits and management reviews or previous certification audits;
2) records of complaints and other relevant aspects of corrective and preventive action;
3) significant variations in the size of the sites;
4) variations in shift patterns and work procedures;
5) complexity of the management system and processes conducted at the sites;
6) modifications since the last certification audit;
7)maturity of the management system and knowledge of the organization;
8)environmental issues and extent of aspects and associated impacts for environmental management systems;
9) differences in culture, language and regulatory requirements;
10) geographical dispersion;
11) whether the sites are permanent, temporary or virtual.
7.1.2.5 This selection does not have to be done at the start of the audit process. It can also be done once the audit of the central function has been completed. In any case, the central function shall be informed of the sites to be included in the sample. This can be on relatively short notice, but shall allow adequate time for preparation for the audit.
7.1.3 Size of Sample
7.1.3.1 The Audit Team shall have records on each application of sampling for each multi-site organization, justifying it is operating in accordance with this document.
7.1.3.2 The minimum number of sites to be visited per audit is:
Initial audit: the size of the sample shall be the square root of the number of sites: (y=√ x), rounded up to the next whole number, where y = number of sites to be sampled and x = total number of sites.
Surveillance audit: the size of the annual sample shall be the square root of the number of sites with 0.6 as a coefficient (y=0.6 √x), rounded up to the next whole number. Re-certification audit: the size of the sample shall be the same as for an initial audit. Nevertheless, where the management system has proved to be effective over the certification cycle, the size of the sample could be reduced to, y=0.8 √x, rounded up to the next whole number.
7.1.3.3 The central function shall be audited during the initial certification and every
recertification audit and at least once a calendar year as part of surveillance.
7.1.3.4 The size or frequency of the sample shall be increased where the HIC’s risk analysis of the process/activity covered by the management system subject to certification indicates special circumstances in respect of factors such as:
1) the size of the sites and number of employees;
2) the complexity or risk level of the process/activity and of the management system;
3) variations in working practices (e.g. shift working);
4) variations in process/activities undertaken;
5) records of complaints and other relevant aspects of corrective and preventive action;
6) any multinational aspects; and
7)results of internal audits and management review.
7.1.3.5 When the organization has a hierarchical system of branches (e.g.head (central) office, national offices, regional offices, local branches), the sampling model for initial audit as defined above applies to each level.
Example:
1 head office: visited at each audit cycle (initial or surveillance or recertification)
4 national offices: sample = 2: minimum 1 at random
27 regional offices: sample = 6: minimum 2 at random
1700 local branches: sample = 42: minimum 11 at random
The sample of regional offices should include at least one regional office controlled by each national office. The sample of local branches should include at least one local branch controlled by each regional office. This may result in the sample size at each level exceeding the minimum sample size calculated in accordance with paragraph 7.1.3.2.
7.1.3.6
The sampling process shall be part of the management of the audit programme. At any time (i.e. before planning the surveillance audit, or when any organization site changes its structure, or in case of acquisition of new site(s) which will be added into the certification boundary), the Audit Department shall review the sampling foreseen in the audit programme in order to establish the need to adjust the sample size prior to auditing the sample with a view to maintaining certification.
7.1.4 Additional Sites
On the application of inclusion of new sites or a new group of sites to join an already
certified multi-site organization, the Certification Body shall determine the required activities to be performed before including the new site(s) in the certificate. This shall include consideration of whether or not to audit the new site(s). After inclusion of the new site(s) in the certificate, the sample size for future surveillance or recertification audits shall be determined.
7.2
7.1 Methodology for Auditing of Multi-site Organizations Where Site Sampling Using Section 6.1 is not Appropriate
7.2.1 The audit programme shall consist of an initial audit and recertification audit of all sites. In surveillance audits, 30% of sites, rounded up to the whole number, shall be covered in a calendar year. Each audit will include the central function. The sites selected for the second surveillance audit will normally be different from the sites selected for the first surveillance audit.
7.2.2 The audit programme shall be designed to ensure that all processes covered by the certification scope are audited over each cycle.
7.2.3 Additional Sites
On the application of a new site to join an already certified multi-site organization, the
site shall be audited before being included in the certificate, in addition to the planned
surveillance in the audit programme. After inclusion of the new site in the certificate, it shall be cumulated with the previous ones for determining the audit time for future surveillance or recertification audits.
7.3 Methodology for Auditing Multi-site Organizations that Include a Combination of Sites that can be Sampled and Other Sites that Cannot be Sampled The audit programme shall be established using Section 7.1 for those sites that can be
sampled and Section 7.2 for the remaining part of the organization where Section 7.1 is not appropriate.
8 Certification implementation for multi-site organization
8.1 Application and Application Review
Marketing department/audit department/contract reviewer shall obtain necessary
information concerning the applicant organization to:
1) confirm that a single management system is deployed across the organization;
2) determine the scope of the management system being operated and the requested scope of certification and, if applicable, sub-scopes;
3)understand the legal and contractual arrangements for each site;
4)understand“what happens where”i.e. processes/activities provided at each site and
identify the central function;
5) determine the degree of centralization of process/activities which are delivered to all sites (e.g. purchasing);
6) determine interfaces between the different sites;
7)determine which sites may be applicable for sampling (i.e. where very similar
processes/activities are provided) and those that are not eligible;
8)take into consideration other relevant factors (see also IAF MD 4, IAF MD 5, IAF MD11: IAF Mandatory Document for Application of ISO/IEC 17021 for Audits of Integrated Management Systems (IMS), ISO/IEC TS 17023);
9) determine the audit time for the organization;
10) determine the audit team(s)’competence required; and
11) identify the complexity and scale of the processes/activities (e.g. one or many) covered by the management system.
8.2 Audit Programme
8.2.1
In addition to the requirement in ISO/IEC 17021-1:2015 clause 9.1.3, the audit
programme shall at least include or refer to the following:
1) processes/activities provided on each site;
2)identification of those sites which are liable to be sampled, and which are not; and
3) identification of sites which are covered by sampling, and which are not.
8.2.2 When determining the audit programme, HIC shall allow sufficient additional time for activities which are not part of the calculated audit time, such as travelling, communicating among audit team members, post-audit meetings,etc. due to the specific configuration of the organization to be audited.
Note: Remote auditing techniques may be used, provided that the processes to be audited are of such a nature that remote auditing is appropriate (see ISO/IEC 17021-1 and IAF MD
8.2.3
Where audit teams consisting of more than one member are used at any point, it shall be the responsibility of the Audit Department, in conjunction with the team leader, to identify the technical competence required for each part of the audit and for each site and to allocate appropriate team members for each part of the audit.
8.3 Calculation of Audit Time
8.3.1 An organization that satisfies the eligibility criteria may consist of sites that can be sampled, sites that cannot be sampled or a combination of both. The audit time must be sufficient to undertake an effective audit irrespective of the makeup of the organization. Unless precluded by specific schemes, the reduction of audit time per sampled site shall not be greater than 50%. For example, 30% is the maximum reduction in audit time allowed by IAF MD 5 while 20% is to be considered the maximum reduction allowed for the single management system processes performed by the central function and any potential centralised processes (e.g. purchasing).
The audit time per selected site (whether it comes from sampling as in 7.1, from non-
sampling as in 7.2 or from mixed methodology as in 7.3), including elements of the central function if applicable, shall be calculated for each site using the applicable IAF documents (e.g. IAF MD 5 for quality and environmental management systems, IAF MD 11 for integrated management systems) and, where necessary, any applicable sector scheme requirements for the calculation of man-days.
8.4
8.4.1
In addition to the requirement in ISO/IEC 17021-1:2015 clause 9.2.3, the Audit team
leader shall at least consider the following when preparing the audit plan:
1) certification scope and sub-scopes for each site;
2) management system standard for each site, if multiple management system standards are being considered;
3)processes/activities to be audited;
4) audit time for each site; and
5) allocated audit team.
8.5 Initial Audit: Stage 1
During Stage 1, the audit team shall complete the information to:
1) confirm the audit programme;
2) plan Stage 2, taking into account the processes/activities to be audited in each site; and
3) confirm that the Stage 2 audit team has the required competence.
8.6 Initial Audit: Stage 2
At the outcome of the initial audit, the audit team shall document which processes were audited on each site visited. This information will be used to amend the audit programme and audit plans for subsequent surveillance audits.
8.7 Nonconformities and Certification
8.7.1 When nonconformities, as defined in ISO/IEC 17021-1, are found at any individual site, either through the organization’s internal auditing or from auditing by HIC, investigation shall take place to determine whether the other sites may be affected. Therefore, the Audit team shall require the organization to review the nonconformities to determine whether or not they indicate an overall system deficiency applicable to other sites. If they are found to do so, corrective action shall be performed and verified both at the central function and at the individual affected sites. If they are found not to do so, the organization shall be able to demonstrate to the Certification Body the justification for limiting its follow-up corrective action.
8.7.2 HIC shall require evidence of these actions and increase its sampling frequency and/or the size of sample until it is satisfied that control is re-established.
8.7.3 At the time of the decision-making process, if any site has a major nonconformity, certification shall be denied to the whole multi-site organization of listed sites pending satisfactory corrective action.
8.7.4 It shall not be admissible that, to overcome the obstacle raised by the existence of a nonconformity at a single site, the organization seeks to exclude from the scope the "problematic" site during the certification process.
8.8 Certification Documents
8.8.1 The certification document shall reflect the scope of certification and the sites and /legal entities (where applicable) covered by the multi-site certification.
8.8.2 Certification documents shall contain the name and address of all the sites, reflecting the organization to which the certification documents relate. The scope or other reference on these documents shall make it clear that the certified activities are performed by the sites onthe list. However, if a site’s activities only include a subset of the organization’s scope, the certification document shall include the site’s sub-scope. When temporary sites are shown on the certification documents, such sites shall be identified as temporary.
8.8.3
Where certification documents for one site are issued, they shall include:
1) that it is the management system of the whole organization which is certified;
2) the activities performed for that specific site / legal entity which are covered by this certification;
3) traceability with the main certificate, e.g. a code; and
4)a statement saying “the validity of this certificate depends on the validity of the main certificate”. Under no circumstances, can this certification document be issued to the name of the site/legal entity or suggest that this site/legal entity
is certified (the one certified is the client organization), nor shall it include a declaration of conformity of the site processes/activities to the normative document.
8.8.4 The certification documentation will be withdrawn in its entirety if any of the sites does not fulfil the necessary provisions for the maintenance of the certification.
8.9 Surveillance Audits
8.9.1 Surveillance of multi-site organizations that can be sampled shall be audited in accordance with Section 7.1. The audit time per site shall be calculated in accordance with Clause 8.3 above.
8.9.2 Surveillance of multi-site organizations that cannot be sampled in accordance with Section 7.1 is based on auditing 30% of the sites plus the central function. The sites selected for the second surveillance of a certification cycle shall
normally not include any sites sampled as part of the first surveillance audit. The audit time per site shall be calculated in accordance with Clause 8.3 above.
8.10 Recertification Audits
8.10.1 Recertification of multi-site organizations that can be sampled shall be audited in accordance with Section 7.1. The audit time per site shall be calculated in accordance with Clause 8.3 above.
8.10.2 Recertification of multi-site organizations that cannot be sampled shall be audited as per initial audit, i.e. all sites audited plus the central function. The audit time per site and central function shall be calculated in accordance with Clause 7.3 above.
