认可机构对认证机构审核的见证

认可评审实践工作组指南

认可机构对认证机构审核的见证

1. 介绍

认可机构见证认证机构对其客户的审核，具有以下价值： • 在现场验证认证机构的方案和程序的有效性（特别是在委派有能力的审核组方面）。

• 对认证机构审核员进行认证审核、监督审核或在认证审核的情况进行观察，以评价他们是否： o 符合认证机构的程序；

o 充分地遵循了以下文件的要求或指南：

󰂃 ISO/IEC导则62； 󰂃 相关的IAF指南； 󰂃 ISO 19011:2002；

及，适用时，任何相关的行业性要求。

这将使认可机构能够确定认证机构是否有效地控制了认证决定和认证过程，从而能够对认证机构实施经认可的认证的能力进行评价。 2. 审核前的准备

为了能够进行见证评审，认可机构将需要与已认可的和申请认可的认证机构有正式的安排。这些安排应当确保认可机构有权在认为必要时对认证机构的审核实施见证，并确保认证机构与其客户有相应的安排，以允许上述见证得以实施。

这些安排可能需要涉及诸如保密性（认可机构与认证机构之间、认可机构与认证机构的客户之间）此类的问题。

- 1 -

认可机构在决定是否需要对认证机构的审核实施见证时，应当考虑诸如下列的因素：

󰂃 认证机构总体上的绩效；

󰂃 与认证机构业务涉及的工业和服务业领域相关联的风险； 󰂃 来自利益相关方的反馈；

󰂃 认证机构内部审核的结果，等等。

认可机构应当确保见证评审的成本经济合理，并尽可能减少对认证机构及其客户的影响。

在策划见证评审时，认可机构应当确保有认证机构的相关信息。这些信息应当包括以下方面（适用时）的详细情况： 󰂃 认证机构的组织结构； 󰂃 认证机构的质量管理体系； 󰂃 认证机构的运作程序； 󰂃 对认证机构以往评审的结果； 󰂃 向认证机构和认可机构提出的投诉。

此外，在对一个特定的审核（一个特定的认证机构对其一个特定的客户进行的审核）进行见证时，认可机构应当确保有以下方面的详细情况：

󰂃 认证机构的审核计划； 󰂃 认证机构审核组的背景信息；

󰂃 认证机构客户及其质量管理体系的历史情况；

󰂃 关于审核的后勤安排信息（例如审核的时间和地点等）。 认可机构应当有选择和委派自己的评审员的正式过程。认可机构只应当委派有能力的评审员或评审组对认证机构的审核实施见证。认可机构的评审员应当具有：

󰂃 对认证机构客户的业务、过程和产品的适当的知识；

- 2 -

󰂃 对该客户的产品必须符合的法规类别的基本理解； 󰂃 对审核实施见证和收集任何必要信息的能力。 认可机构应当在实施见证前提前通知认证机构： 󰂃 认可机构对其审核实施见证的目标； 󰂃 见证评审的过程；

󰂃 认可机构的反馈和报告过程。

认可机构应与认证机构就见证评审员在审核中的角色和作用达成一致，并就如何向认证机构的客户进行介绍和说明达成一致。

认可机构应当使所有利益相关方明白，认可机构的评审员在见证认证机构的审核时，不是在对认证机构客户的质量管理体系直接进行审核，进行这一审核完全是认证机构的职责和义务。 3. 审核过程中

在对认证机构的审核进行见证时，认可机构评审员应当仅作为观察员来参与审核，不应当干预认证机构对其客户的审核。此外，认可机构评审员应当确保自己不以任何方式来影响认证机构审核的结果。

然而，这并不妨碍认可机构评审员通过在审核中间安排简要通报，或寻求澄清和进一步的信息等方式，来积极地参与过程。澄清、信息沟通、简要通报等应当在策划好的休息时间或单独的会议中进行，这样更好一些。然而，可能也有必要在临时决定的休息或会议中进行这些活动。进行这些活动时，认证机构的客户应当不在场，以确保认可机构对认证机构的相关信息保密。

注：见证评审中收集的任何信息都是保密的，认可机构的评审员和工作人员必须对其予以保密。

认可机构评审员应当避免在审核进行中向认证机构或其客户提供任何意见。

- 3 -

为了使见证评审的价值最大，认可机构评审员应当试图覆盖认证机构的整个现场审核过程。

认可机构评审员应当使认证机构的客户不认为认可机构评审员的在场和见证活动是一种干扰，而认为是一种正面的活动。 4. 反馈和报告结果

认可机构评审员应当仅在审核完成后提供对认证机构表现的反馈意见。在可能时，应当策划在审核结束时，在认证机构客户的场所提供这种反馈意见（认证机构的客户应当不在场）。

认可机构评审员应当仅在收到并审查了认证机构自己的审核报告后，再编写见证评审的报告。

见证评审报告应当避免重复描述认证机构客户QMS绩效的细节以及认证机构审核组提出的审核发现，因为这些内容应当已经包括在认证机构的报告中。

但是，可能会有这样的情况，在见证过程中对某一情况提出了观察意见，而认证机构审核组没有报告这一情况（例如认证机构客户与法规要求相抵触，或认证机构客户的QMS没有正确的符合法规要求）。认可机构评审员应当在审核后的反馈过程中，向认证机构告知上述观察意见，并应当将其作为不符合记入见证评审报告。

如果认可机构的报告包括不符合项，应当要求认证机构管理层采取行动来处理相应的问题。

相似的，如果观察意见清晰表明认证机构对客户QMS的审核存在严重不足，使人对认证机构认证过程的有效性产生怀疑（特别是在监督或再认证审核中），那么这一问题应当在认可机构的报告中进行正确的记录，得到认证机构管理层的正确处理，并应当提交认可机构做进一步的考虑和处置。

- 4 -

Date: 30 July 2005

Accreditation Auditing Practices Group Guidance on:

The Witnessing of CRB Audits by an Accreditation Body

1. Introduction

The witnessing of Certification / Registration Body (CRB) audits on their clients by Accreditation Bodies (ABs) is valuable for:

• verifying, on site, the effectiveness of a CRB's programmes and procedures (and

especially with regard to their assignment of competent audit teams).

• observing the CRB's auditors, as they perform a registration/ certification, a

re-certification, or a surveillance audit, to evaluate if they:

o comply with the CRB's procedures,

o adequately address the recommendations of:

󰂃 ISO/IEC Guide 62, 󰂃 Relevant IAF Guidance 󰂃 ISO 19011:2002,

and, as applicable, any relevant sector specific requirements.

This will enable an AB to determine whether the CRB is effective in controlling its decision making and certification processes, and thus to assess the CRB's capability to perform accredited certification.

2. Pre-audit preparations

In order to be able to witness audits, an AB will need to have formal arrangements in place with its accredited CRBs, and with those CRBs that are in the process of applying for accreditation. These arrangements should ensure that the AB has the right to witness CRB audits, as it sees necessary, and that the CRBs have arrangements in place with their clients to permit such witnessing to be conducted.

These arrangements may need to address issues such as confidentiality, between the AB and the CRB, and between the AB and the CRB's clients.

When deciding if a CRB needs to have an audit witnessed, the AB should take into account factors such as:

󰂃 the CRB's overall performance,

󰂃 the risks associated with the industry and service sectors that the CRB operates in, 󰂃 feedback from interested parties,

󰂃 the results of the CRB's internal audits, etc..

The AB should also ensure that their presence at the audit is cost effective and try to minimise impact on the CRB and its client.

When planning to witness an audit, the AB should ensure that it has relevant information concerning the CRB. This should include, as appropriate, details of:

- 5 -

󰂃 󰂃 󰂃 󰂃 󰂃 the organizational structure of the CRB its quality management system, its operating procedures,

the results of previous audits on the CRB,

complaints brought to the attention of the CRB, and to the AB itself.

Additionally, in relation to witnessing a specific audit (on a specific CRB and a specific client of the CRB), the AB should also ensure that it has details of:

󰂃 the CRB's audit plan,

󰂃 background information on the CRB's audit team,

󰂃 the history of the CRB's client, and the client's quality management system 󰂃 Logistical information for the audit (e.g. the date and location of the audit).

An AB should have a formal process for the selection and appointment of its own auditors. An AB should only assign a competent auditor, or auditors, to witness CRB audits. The AB auditor(s) should have:

󰂃 an appropriate knowledge of the CRB's client's type of business, processes and

products

󰂃 a general understanding of the kinds of regulations the client's products have to

comply with, and

󰂃 the ability to witness an audit and to collect any necessary information.

In advance of witnessing an audit, the AB should inform the CRB of:

󰂃 its objectives for witnessing the audit 󰂃 its assessment process

󰂃 its feedback and reporting processes.

The AB should also agree with the CRB the role that its auditor(s) will play during the audit, and on how this will be presented to the client.

It should be made clear to all interested parties that the AB's auditors, when witnessing the CRBs' audits, are not directly auditing the CRB client's quality management system, as this is the sole duty and responsibility of the CRB.

3. During the audit

During their witnessing of CRB audits, AB auditors should limit their participation in the audits to that of an observer; they should not interfere in a CRB's conduct of its audit on a client. In addition, they should ensure that they do not influence the outcome of a CRB audit, in any manner.

However, this should not prevent the AB assessors from being pro-actively involved in the process, by arranging intermediate briefings, or by asking for clarification and additional information, etc.. Clarifications, exchange of information, briefings etc. should preferably take place during planned breaks or separate meetings; however it may also be necessary to conduct them during ad hoc breaks or meetings. They should be conducted away from the presence of the CRB's client, to preserve AB to CRB confidentiality.

Note; any information collected during the witnessing of an audit is confidential and has to be treated by the ABs' auditors and staff accordingly.

AB auditors should avoid providing any opinions to the CRB, or to its client, while the audit is being conducted.

To be of maximum value, the AB auditors should attempt to cover the CRB's full client audit process at site.

- 6 -

AB auditors should try to ensure that their presence and witnessing activity is not perceived as interference by clients, and is instead viewed positively.

4. Feedback and reporting of results

Feedback on the CRB's performance should only be given to the CRB audit team when the audit is completed. Where possible, this should be planned to occur at the end of the audit, at the client's premises (away from the presence of the client).

The AB's auditors should produce a report on the witnessing of the audit only after receipt and review of the CRB's own audit report.

The report on the witnessing of the audit should avoid repeating details of the performance of the client's QMS and on the findings raised by the CRB audit team, as these should already be included in the CRB's report.

However, there may be situations where observations are made during the witnessing process, and which are not reported by the CRB's audit team, (e.g. that regulatory requirements are being contravened by the client or are not properly addressed by the client's QMS); the AB's auditors should inform the CRB's audit team about such observations during the post-audit feedback session, and should also record them as nonconformities in their report on the witnessing of the audit.

Where an AB's report includes nonconformities, it should require that action is taken by the management of the CRB to address the issues raised.

Similarly, if the observations clearly indicate that the auditing of the client's QMS shows such major deficiencies as to doubt the validity of the CRB's certification process (particularly during surveillance or re-certification audits), this should be properly recorded in the AB's report and duly addressed to the management of the CRB; additionally it should be submitted for further consideration and action within the AB.

- 7 -