Registration Decision Criteria Orlando Auditor Training February 20, 2017 Revised June 14, 2017

Introduction Previously, PRI Registrar’s process for registration decision has involved the use of “Expert Reviewers,” who provided an in-depth review of audit documentation to ensure the integrity of the audit data. This Expert Review resulted in a recommendation for registration, and all decisions were made by Pete after a secondary review.

Introduction Given the growth of PRI Registrar, our evolving tools, as well as various changes in the requirements, the decision has been taken to change this process. Going forward, Expert Reviewers will be Registration Decision Makers (though we may still refer to them as Expert Reviewers out of habit).

Competency is broken into four sections: Competency as a Registration Decision Maker is based on the requirements of ISO 17021-1:2015. Competency is broken into four sections: Knowledge of audit principles, practices and techniques Knowledge of specific management system standards / normative documents Knowledge of certification body's processes Knowledge of client's business sector

Knowledge of audit principles, practices and techniques Competency Knowledge of audit principles, practices and techniques Knowledge of generic management systems audit principles, practices and techniques, as specified in this standard sufficient to understand a certification audit report. Knowledge shall be demonstrated by the registration decision maker holding an authorized auditor certificate of any kind.

Competency Knowledge of specific management system standards / normative documents Knowledge of the management system standard or other normative documents being specified for certification sufficient to make a decision on the basis of a certification audit report. Knowledge shall be demonstrated by the registration decision maker holding (or having held in the past) a lead auditor certificate from an AAB (Exemplar Global, Probitas Authentication, etc.) for the standard for which the decision is being made. The decision maker shall have obtained training (as deemed suitable by PRI Registrar) in the specific revision of the standard for which the decision is being made, in cases where the auditor certificate does not indicate revision levels.

Knowledge of certification body's processes Competency Knowledge of certification body's processes Knowledge of a certification body's processes sufficient to determine if expectations of the certification body have been fulfilled on the basis of the information submitted for review. Knowledge shall be demonstrated by the successful completion of training (provided by PRI Registrar) on PRI Registrar's relevant processes and procedures; additionally, the decision maker must receive a passing score of at least 80% on the accompanying test.

Knowledge of client's business sector Competency Knowledge of client's business sector Knowledge of the terminology, practices and processes common to a client's business sector sufficient to understand an audit report in the context of the management system standard or other normative document. Knowledge shall be demonstrated by the registration decision maker by passing the IAF code test associated with the registration decision being made.

PRI Registrar addition: Conflict of Interest PRI Registrar addition: Registration decision makers must be free of conflicts of interest, and are not qualified to make a decision in the following situations: The decision maker has worked for the organization seeking certification or continued certification (either as an employee or a contractor) in the last two years. The decision maker has been involved in the audit resulting in a registration decision.

PRI Registrar Processes Based on the requirement that a Registration Decision Maker must have knowledge of the certification body’s processes; two procedures were identified as particularly relevant for the making of registration decisions. Customer CAR procedure Registration Decision procedure

Highlights from PRI Registrar’s Customer CAR procedure. Customer CARs Highlights from PRI Registrar’s Customer CAR procedure. Required audit dispositions: ISO 9001 / ISO 14001 / OHSAS 18001 Initial / Recertification Audits All major NCRs must be verifiably closed; all minor NCRs must be at least accepted. Transfer Audits All NCRs must be verifiably closed. Surveillance Audits All NCRs must be at least accepted; all major NCRs must be reviewed by a competent Registration Decision Maker. AS9100 / AS9110 / AS9120

Customer CARs Required deadlines: ISO 9001 / ISO 14001 / OHSAS 18001 Agreement between Lead Auditor and client on correction, root cause, and corrective action plan within 30 days of the last days of the audit. AS9100 / AS9110 / AS9120 In cases of containment, containment actions and correction must be submitted by the client within seven (7) days of the end of the audit; agreement must be reached within 14 days from the time of submittal. Failure of the client to submit within the seven days shall result in suspension of their certification. Without containment, agreement between Lead Auditor and client on correction, root cause, and corrective action plan within 30 days of the last days of the audit. The client must be able to demonstrate a return to conformity within 60 days from the issuance of a nonconformance.

Customer CARs Continued Registration ISO 17021-1:2015 9.6.1: “The certification body shall maintain certification based on demonstration that the client continues to satisfy the requirements of the management system standard. It may maintain a client’s certification based on a positive conclusion by the audit team leader without further independent review and decision, provided that: for any major nonconformity or other situation that may lead to suspension or withdrawal of certification, the certification body has a system that requires the audit team leader to report to the certification body the need to initiate a review by competent personnel (see 7.2.8), different from those who carried out the audit, to determine whether certification can be maintained; competent personnel of the certification body monitor its surveillance activities, including monitoring the reporting by its auditors, to confirm that the certification activity is operating effectively.”

Customer CARs Accepting or Closing NCRs The auditor must provide robust statements of acceptance for containment and/or correction, with reference to the evidence based upon which the auditor has approved the containment and/or correction. When closing the NCR, the auditor must provide a robust statement of verification, with specific reference to the evidence provided by the client organization, based upon which the auditor has verified the effectiveness of the corrective action.

Registration Decision Highlights from PRI Registrar’s Registration Decision / Continued Registration procedure. Competency to perform a particular decision: The decision maker shall: be competent to the specific standard of the decision; be competent to the specific IAF code(s) of the decision; not have been involved in the audit under review; have no conflicts of interest involving the organization under review.

Registration Decision Audits that require a registration decision, regardless of standard: All initial, recertification, or transfer audits; Surveillance or special audits involving an increase in scope (including adding locations); Surveillance or special audits during which a Major NCR was issued; Surveillance or special audit in which an issue is identified that could potentially lead to suspension of the client certificate; Any audit in which suspension is initiated or lifted; Any audit, at the discretion of the Client Manager, with complicating factors (e.g., upward trends of NCRs, questionable documentation, etc.).

Registration Decision Registration decisions shall be based upon the criteria documented in the RF-76 and RF-76AS. The RF-76 / RF-76 AS should be downloaded from the RMS Help tab prior to each review. The completed form will be submitted via email to the Client Manager for the audit.

Registration Decision When denying registration, or when there are complications in accepting registration or continued registration, Pete shall take over as the final decision maker. Factors complicating the acceptance of registration or continued registration include, but are not limited to: the need for an increase in surveillance audit frequency by the client organization; the need for a follow-up special audit; the need for temporary suspension of the client certification.

PRI Registrar Processes Embedded below are the full versions of PRI Registrar’s Customer CAR and Registration Decision / Continued Registration procedures. These are draft versions, and may change slightly prior to formal publication, but are accurate for the purposes of this training.

Conclusion All current and prospective Expert Reviewers will be sent a test on this material, and must pass with a score of 80% to become a Registration Decision Maker.

Questions?