Audit and Certification Regulations

1. Purpose

This regulation describes the generalities related to the audit / certification of the Institute for Advanced Industrial Systems (SOCAR), which derives from standard requirements, criteria for the accreditation body and corporate rules, and its contents in order to inform applicants of the use of services The research institute and its full compliance with its provisions have been formulated.

2. Application scope

This regulation applies for certification / certification certification for organizations applying for certification and certified organizations.

3. Definitions and abbreviations

3.1. definitions


3.1.1. Auditor

Qualified person to carry out an audit process.

3.1.2. Serial

The person who guides and leads the audit team.

3.1.3. technical expert

A person who provides a specific knowledge or expertise for the audit topic and the audit team.

3.1.4. Intelligence audit (Witness audit)

A kind of audit conducted by the company to assess the performance of the audit team at the site of the audit.

3.1.5. Audit (conformity assessment)

Systematic, independent, and systematic process in order to obtain audit evidence and evaluate it objectively to determine the extent to which the audit criteria are met.

3.1.6. third party

An individual, entity, or organization that uses the services and products of organizations that are certified by the Advanced Systems Research Institute.

3.1.7. Decision committee

An organization created by the company and charged with unbiased judgment and decision making on the audit process.

3.2. Abbreviations


3.2.1. Company

Institute of Advanced Industrial Systems (special joint stock company).

3.2.2. Applicant organization

An organization that is applying for an adaptation certificate in the company's business domains.

3.2.3. Certified organization

An organization that has already received a certificate of conformity in the company's business domains.

3.2.4. Multi-site organization

An organization that has a central office and the organization's activities are planned, controlled or managed, and the organization's executive activities are fully or partially carried out in a network of local offices or sites.

There is no need for any site in a multi-site organization to have an independent legal identity and there must be a contractual or legal link between the headquarters and each site.

Also, caretaker and site audits are tracked by the headquarters, which means that the head office can enforce corrective action at any site and on demand.

4. Request for certification services

Each time a written application for certification is sent by the applicant organization to the company, the organization must complete the "Application Form" form on the AIS-FRM-51 form and send it to the company.


The following items are controlled by the company before the application for new certification or changes to previous certificates is accepted by the company:

1) The standard fit of the demand and the scope of application of the certificate with the activities of the company

2) Locate the sites of the applicant organization

3) Ensuring the knowledge and technical expertise in the field of application within the company

4) Calculate the number of people-day of audit


In the event of any of the following, the request can not be accepted by the company (even if the initial acceptance of the request has been made):

1) If the requesting authority provides any false or non-honest information at the time of its introduction and at the time of the request for certification.

2) If during the certification process it is determined that the applicant organization has submitted incorrect and non-honest information.

3) If the certification process is overshadowed by the illegal activities of the applicant organization, for example, activities that lead to violations of public interest, anti-social activities or other activities that may interfere with the company's business, and that the company determines that This certificate may be against public interest or intervention in normal activities.

4) If the applicant organization is inactive (in recession).

5) If the applicant organization does not pay the announced tariffs at the time specified in the contract for the provision of evaluation services.

6) Detecting the company that the request is not relevant to the company's activities.

7) In the event of violation of the provisions of the contract of conformity assessment services or the provisions of this regulation.


The accuracy of the information received from the applicant organization can be verified through:

1) Review received documents

2) Calling the applicant organization

3) Visit the applicant organization

5. Review and conclude the contract

Upon acceptance of the application, a draft contract for the provision of conformity assessment services shall be prepared in accordance with the requirements of the applicant organization and forwarded to the applicant organization. If agreed with the provisions of the contract and its signature, the applicant organization will send a contract to participate, which will be considered as a revision of the contract. After that, the CEO of the company signed the contract and eventually the company will assign the identification code to the contract and a copy of the contract will be sent along with an official letter to the audited entity, which is the act of communicating the contract.

6. Generalities related to planning, auditing and presentation of audit reports

After the conclusion of the contract, the company proceeds with the planning of audits and then audits the auditors and the parts required for certification in order to assess the status of the audited activities for the implementation and maintenance of the management system and Documentation and records.

In the event of non-compliance observed at the time of the audit, the non-conformance form is completed and submitted to the auditee. Also, after the audit, the company will prepare and submit the audit report to the auditee within 25 business days of the audit.

The intellectual property rights of the audit reports belong to the company. The auditee can take action to reveal audit reports to their customers. All report pages should then be provided to the customer.

The company has the authority to organize an audit team consisting of members with the following roles and responsibilities:

Serial

1) Communicating with auditors about the process of conducting audits

2) Preparation of an audit plan and audit implementation in accordance with it

3) Supervising members of the audit team

4) Provide an audit report

5) Announce the results of the audit to the company

Auditor

Audit implementation in accordance with the audit program

Auditor under training

An Auditory Auditor who acts under the supervision and supervision of a Certified or Auditor.

technical expert

Provide expertise for the audit team


The company may send individuals with an audit team under the supervision of an observer, who do not play any role in conducting audits. These people are:

Appraiser by the creditor entity

Perform intuitive evaluation to assess the compliance of the company's audit activities with the certification standards.

Observer on behalf of the company

Perform an in-depth assessment to ensure that the audit team performs the audit activity in a manner consistent with the company's operating procedures.

Translator

Translate the discussion if necessary

Other people appointed by the company

The presence of these people is carried out with the consent of the auditee.


Auditors' advisers and supervisors can be present at the time of the audit but can not comment. When they conclude that these people are detrimental to the audit process, they should leave the audit site.

7. Audit

7.1. Announcement of the date of the audit and introduction of the audit team


Audit is performed in accordance with the assigned day (calculated individually).

The date of the audit and introduction of the members of the audit team shall be no more than 11 working days after the advance payment and written in writing to the auditee.

The audited entity may submit its request for changes in the date of the audit in writing and within a maximum of 7 working days after the official announcement of the date of the auditing by the company. If the reasons for this request are justified and accepted by the company, the company will proceed to review the date of the audit.

7.2. Audit plan


After the official approval of the history and the audit team by the audited entity, the company prepares, according to information received from the audited entity, how to conduct audits, the time and place of audits, assignment of duties to each auditor, and so on. At least 14 days before the date of the audit, in the form of an "audit plan" to the audited entity.

7.3. First stage audit


The first phase audit includes evaluating the approved management system documentation (such as regulations, policies, processes, quality objectives, required standards and procedures for implementing the audit process, etc.) and the extent to which auditors are prepared to conduct audits. The second stage is. The first phase audit takes place at the site audited.

The first phase audit is done to identify and identify the weaknesses and deficiencies in the management system documentation.

The main issues related to the first phase audit are:

Verifying the scope of demand for certification and certification

Check for management system documentation

Identify the sites of the organization subject to the certificate domain

Reviewing the appropriateness and identification of key processes (including excluded clauses), the policy / objectives of the management system with the activities of the company

Ensure that the applicable rules, regulations, and other requirements are identified by the auditee as well as a review of how they are tracked in the company's documentation.

Ensure the implementation of internal audit and management review meetings

Collect the necessary information for the second phase audit

If the audit team sees in the first phase audit that there is an occurrence in the second phase audit as an inconsistency, then this should be reported to the auditee during the same audit phase and no need to be notified. The audited entity is not involved in corrective actions or corrective actions.

7.4. Check the readiness of the audited organization


When the following activities are not carried out, the second phase audit should not be performed:

Internal audit has been implemented and recorded.

The management review has been implemented and registered.

7.5. Second stage audit


The second phase audit is carried out to assess the adaptation of the implementation results (deployment) and the effectiveness of the audited management system with the required standard.

The second phase audit involves planning, conducting audits, preparing an audit report, verifying the audit report by the company, and certification by the company (if recommended by the audit team).

7.6. Conditions lead to the delay or cancellation of the certification audit


Export audit should be carried out according to the audit plan. The audit and certification process may be delayed or canceled after any of the following conditions are detected:

1) The auditee is legally prosecuted or inspected.

2) A notice has been received by legal entities regarding the suspension of their nature (role) as a provider or have been ordered to suspend their business activities.

3) For activities that fall within the scope of the certificate, they have not obtained the necessary permits from the relevant institutions.

4) Ability to carry out work after serious accidents and have been ordered by law enforcement agencies to suspend their operations.

5) The auditee is located in areas that have designated the legal bodies of those areas as prohibited areas for some safety or security issues.

7.7. Noncompliance fixes


7.7.1. In case of identification and registration of minor minorities in the audit process, the following steps are taken according to the following table:

Table 1
Type of audit Possible event mode Deadline for Corrective Action (Calendar Day) Deciding on the audit result
Second stage audit or registration and re-issuance Not conforming - Recommended for certification
Minor noncompliance 365 The certificate is issued and the effectiveness of the corrective actions is monitored in the next inspection.
Major lack of conformity 89 Follow-up audits are carried out and if a confirmatory corrective action is approved, certification is recommended.
Follow up audit after the second phase audit Non-conformance (s) has been resolved - Recommended for certification
Incompatibility (s) has not been resolved - Follow-up audits should be repeated. Audits will be void if non-conformance is not resolved.
Career Audit Not conforming - Recommended for renewal of the certificate
Minor noncompliance 365 The validity of the certificate has been extended. The effectiveness of the measures taken in the next audit will be reviewed
Major non-conformance or partial non-conformance of the previous period is not effectively closed 89 It is not recommended to renew the certificate (Certificate Suspension) and it is necessary to carry out an additional 89 calendar days of follow-up audits only to check the major non-conformities and to check the effectiveness of non-compliance of the previous period.
Follow up audits after care audits Non-conformance (s) has been resolved - The suspension of the certificate and the renewal of the certificate is recommended
Incompatibility (s) has not been resolved - Follow-up audit should be repeated. If the non-compliance is not resolved, the certificate will be revoked.


7.7.2. Major inconsistencies detected by the company can be one of the following:

1) Absence of a complete system or method of execution

2) Failure to fully operate an operating system or procedure

3) There is a similar inconsistency within the system

4) repeated violations of legal and structural requirements

5) An example is that in spite of the obvious environmental consequences, no environmental aspect has been identified. (ISO14001)

6) An example is the fact that, despite the occurrence of a significant and manageable information security risk, no risk has been identified in the risk audit. (ISO27001)

7) An example is the fact that, despite the occurrence of an important health and safety risk, no risk has been identified in the risk audit. (OHSAS18001)

8) The inability of the audited management system to comply with standard requirements, including customer requirements

9) The apparent failure of the audited management system to achieve the policy and objectives set

10) Absence of records of the implementation of activities

11) Failure to implement one of the standard clauses

8. Deciding on the certification

The accuracy of the audit team's reports and the appropriateness of the audit process are assessed at various stages and the final decision is made on certification.

9. Certification

When the company's decision-making committee decides on the audited entity to qualify for certification, the certificate is issued and valid for a period of 3 years from the date of the second-stage audit.

10. Publish information about issued certificates

The company, the certificate information of the certified organization, and other necessary information (hereinafter referred to as "certificate issuance"), is made available to the public through the information infrastructure as well as the certification body.

11. Caretaking Audit

11.1. General


In order to confirm that the certified organization is in continuous compliance with the relevant standard requirements, the company carries out a care audit at least once a year and conducts audit of the renewal of the license every three years.

The audit plan will be determined and specified 14 business days before the audit.

In the event of the conditions set forth in clause 7.6, the company can delay or cancel the audit.

In multi-site organizations, additional sites can be added to the existing certificate when renewal of the certification or audit care and by paying the corresponding fees.

11.2. Career Audit


Based on the results of caretaking audits, if the organization's management system is maintained and effectively maintained, the audit of the audited entity will be renewed.

If, at multi-site organizations, one site is not prepared to conduct an audit at the time of the caretaking audit, the auditee is required to inform the matter formally. In this case, the domain of the certified company certificate has been changed and the sites that are not ready to be audited are removed from the issued certificate domain.

11.3. Renewal certification audit


The certification renewal audit process must be completed in full before the expiration date of the certificate and the decision on issuing or not reissuing the certificate has been made.

Based on the results of the renewal certification audit, if the decision committee determines that the applicant's management system is acceptable for renewal, a re-certification will be issued. The expiry date of the new certificate is exactly 3 years after the expiry date of the previous license.

The audited entity must take steps to ensure that the perceived misunderstanding of the previous certificate is still valid.

12. Special Audit

12.1. Change Change / Transition Audit


After certification, any change in the content of the certificate (such as changing the standards, changing the scope of the certificate, integrating and diversifying the systems, changing the name / location of the organization, etc.), a significant change in operations, or increase / decrease Certainly, in the number of auditors to be audited, the certified organization must submit a "request for changes to the certificate contents" without delay to the company and comply with the provisions in clause 4 of this regulation.

If an application for a change in the contents of a certificate provided by a certified organization is accepted by the company, a revision-related audit must be implemented. When a change in organization's name / location occurs, with a company's opinion, a written acknowledgment can be replaced by auditing. When the change audit is related to the standard revision, for example, the change in the year of publication or standard edition, then this audit is called the audit of changes.

The Company may suspend the execution of this audit when the organization is certified under the terms of clause 7.6 (conditions leading to delay or cancellation of audits) of this regulation.

If a company determines that, as a result of a substantive change in the organization's system of certification or similar, a change audit is required, then the first phase audit should be performed in accordance with paragraph 7.3 before doing so.

A change audit can be performed simultaneously with a caretaker audit or an audit of the renewal of the certificate. If the change audit is performed separately, the scheduling schedule must be determined and submitted 14 days before the date of the audit.

First of all, the readiness of the applicant organization should be checked and, if prepared, this audit can be carried out. This preparation is assessed by reviewing the documentation in three areas: (a) management review; (b) internal audit; (c) corrective and preventive action taken. Previous audit is measured.

If the company agrees that the content of the certificate may be changed after the written confirmation or after the audit, then a certificate reflecting the changes will be issued.

The certified organization must take steps to prevent the misunderstanding of the validity of the previous certificate.

When a minor or major non-compliance is identified, the provisions of paragraph 7.7 must be followed.

12.2. Short-term audit (case)


Every time one of the following occurs in relation to a certified organization, a case should be audited:

1) When major changes in the content of certified or certified organization management processes occur as a result of the change in the nature and processes of the site and no information about these changes will be given to the company.

2) When any report (such as a report of accidents leading to death or major environmental incidents) or a complaint from a third party entity causes doubt as to the effectiveness of an organization's management system, or doubts about non-compliance Compliance with legal requirements related to the standard.

3) when the company determines that each of the conditions set forth in clause 13.1 of this Regulation has been created.

12.3. Follow up audits


Each time one of the following occurs with a certified organization, a follow-up audit should be conducted:

1) When the certified organization requests suspension.

2) If in the second phase audits or annual health audits, significant non-conformities are identified by the audit team, which requires conducting an audit to confirm its corrective actions.

12.4. Transfer certificate from other certifying entities


If the applicant organization is certified by another certifying body and the applicant is transferring its certification to the company, in order to transfer the certificate, the company must ensure that all of the following is met by the applicant organization: (12.4.1)

1) An organization that is applying for the transfer of its certification to a company must be certified by a valid accreditation body.

2) The transferred certificate is not subject to suspension, including the absence of unconstitutionality in the organization.

3) The scope of the certificate of the applicant organization must be in accordance with the range of activities that the company has been approved in that field.

In addition to the measures mentioned in clause 4 (request for certification services), the applicant organization must provide the company with the following documents / records in order to satisfy the requirements of clause 12.4.1.

1) Application form

2) A copy of the certificate issued by the prior certifying body

3) Copy the audit report carried out by the previous certifying authority

4) Other documents related to the certification process

After reviewing the required documents, a transfer audit, like the second phase audit, should be carried out at the applicant's place to ensure that the organization's management system is in place.

According to the results of the transfer audit, if the company proves that the management system of the certified organization is maintained then it will be subject to certification. The duration of the validity of the certificate issued by the company will be the same as the timeframe set out in the former organization's certificate, and the timing of the caretaker audits in accordance with the timing of the caretaking audit of the former license.

If it is proved that the conditions set forth in clause 12.4.1 are not met, certification certification should be fully implemented.

13. Suspension of the certificate and its removal

In the event that a claim is made that any of the following conditions are raised in relation to the Certified Organization, a short-term (case-by-case) audit in accordance with Clause 12.2 shall be conducted in such cases and if necessary. (Paragraph 13.1)

These conditions include:

1) If the corrective action report on non-compliance is not submitted at the specified time.

2) If the corrective action agreed between the company and the audited entity is not implemented.

3) If the certified organization violates the terms of use of the certificate and the mark of conformity of the company.

4) If, as a result of the instruction or suspension of business by the authorities, the certified organization's management system is not implemented for at least 2 months.

5) If the activities of a certified organization are in violation of laws or regulations relating to their business.

6) Proven lack of effectiveness of certified organization management system.

7) If the activities of a certified organization violate the rules contained in this regulation.

8) If the certified organization does not comply with the payment terms indicated (how to pay the contract amount).

9) If the certified organization requests a written suspension of the certificate.

If the claim is confirmed by the audit team, then the company can take action to suspend the certification of the certified organization.

When the company temporarily suspends the certificate of the certified organization, it does public information through its information infrastructure. In this situation, the company will send a written notice to the certified organization, which will be dealt with due to the suspension, deadline for its removal, etc. Also, the certified organization will not have the right to use the company's compliance signs until the suspension has been lifted.

If the company receives a written notice about the suspension request from a certified organization, if a company is identified, a follow-up audit will be carried out in accordance with clause 12.3, in which it will be checked whether the non-conformance which led to the suspension of the certificate Has been resolved or not? Based on the results of the survey, the company determines whether to lift the suspension on the agenda.

If the company is satisfied that the suspension is to be lifted, the company will notify the certified organization of the suspension and disclose the suspended certificate to the certified organization.

14. Revocation of certification / voluntary revocation of the certificate

In cases where any of the following issues occur in relation to a certified organization, the company may take action to revoke certified certification of the organization:

1) If the suspended organization fails to comply with the suspensions within the time limit set by the company.

2) Provides any inaccurate information at the time of its introduction and at the time of request for certification.

3) if the organization has determined that the organization has submitted incorrect and non-systematic information during the certification process.

4) If the certificated organization is prevented from continuing its activities due to banking reasons (for example, failure to pay the loan on time).

5) If the certified organization has discontinued the cooperation agreement for legal reasons or dissolution, it has voluntarily taken action.

6) If the certified organization violates the terms of the contract "to provide conformity assessment services".

7. If the headquarters or any of the sites fail to meet the essential requirements for maintaining the management system.

The certified organization may voluntarily and through a written request for a certificate revocation. If the organization's certificate is revoked, the company will, through its communication infrastructure, act in relation to the public notice of the certificate status.

In the event of a certificate being revoked in any way, the original certificate must be referred to the company and terminated permanently using the sign of conformity of the company.

15. Request for a retrial (appeal)

If there is a request for a re-examination (appeal) by the audited / certified organization regarding company-made decisions that include audit / certification issues, then in this regard, in addition to completing the application for re-examination of the number AIS-FRM-144, which is provided through auditing / certified organizations through the company's communications infrastructure.

Requests must be made in writing and up to 21 business days after the announcement of the company's decision, otherwise the requests will not be processed by the company.

The company will process the appeal and provide its response in writing at the latest 15 working days after receiving a retrial.

16. Request for a third-party complaint

In cases where a third-party complaint is filed, a company can ask a certified organization to conduct a review by the organization itself before making a statement about the probable relationship of the complaint with the certified organization's management system.

The certified organization must respond properly to the company's request by providing relevant information.

In the absence of a satisfactory response from a certified organization, the company will conduct a case study on the complaint.

The audited / certified organization must record the records of complaints and corrective actions taken to remove any of them. This registration and maintenance should be in accordance with the certified reference standard.

17. Intuitive assessment and access to documents by the certification body

If the accreditation body requests to extend the qualification of the company, it will be present during the audit by the audit team from the auditee and make an in-depth assessment, or the documents and records associated with the audited certificate of access Then the auditee must agree to this request.

18. Safety

The auditee is required to provide the necessary safety in the locations where the auditors of the company and their companions, such as a technical expert, are present. If the auditors suffer any injury, the company will apply for compensation from the audited entity due to the injury caused and the audited entity is required to pay compensation.

If the audited entity suffers damage from the auditors (intentionally), it can apply to the company for damages.

19. How to pay the contract amount

The audit applicant must pay the costs associated with each stage of the contract in accordance with the time period specified in the contract for the performance of the "provision of conformity assessment services". (Paragraph 19.1)

If any part of the tariff table is amended, the company will immediately notify the applicant organization of the change and its execution time.

If the applicant organization fails to pay the tariffs mentioned in paragraph 19.1 in due time, the company may refuse to certify. In this situation, the company can withdraw from the application for certification, suspension of the certificate or revocation of it in accordance with its own procedures and the losses incurred due to the failure of the applicant organization to pay promptly the obligations from the prepayment amount.

20. Use of certification and compliance signs

In order to ensure the correct use of the certified organization's certificate and compliance mark (third party), the terms and conditions of the company that are governed by the requirements of the Governing Board are as follows:

1) The certified organization is required to apply the company-specific conformance marks exactly as it is provided by the company and does not apply any changes to the conformance signs.

2) The only change that a certified organization is allowed to apply is the size of the sign of compliance.

In this regard (resize the sign of conformity), the following points are necessary:

A) The sign of conformity must be completely transparent and legible

B) the contents of the sign of conformity are maintained in full

C) The change in the size of the conformance mark must be made uniformly for all its components.

3) The auditee can not apply the conformance symbols in colors other than primary or black and white.

4) Organizations that are successful in obtaining certification can only use the sign of conformity in letterheads, brochures and internet advertising.

5) If the scope of the certification does not include all products or services provided by the certified organization or does not include all the facilities and facilities of the organization, the use of the conformance mark should not be made in such a way that all products , Services, locations and facilities of the certified organization are covered by the scope of the certificate

6) A certified organization should strictly refrain from directly affixing the mark of conformity of the management system on the product or product packaging. In other words, the sign of the compliance of the management system should not be used in a way that is certified by customers of the organization to be associated with a product certification

7. The certified organization should not use the certificate or conformity marking in such a way as to compromise the company's reputation

8) The electronic version of certified organizations used in publicity or other purposes should not include any penny

9) The sign of conformity should only be used by the certified organization, and the right to use the certification or conformity markings can not be assigned to a person, entity, or other organization by a certified organization.

10) In the event that the scope of certification is reduced, the certified organization can not use the excluded scope of advertising.

11) If the certificate of conformity or certificate of the certified organization is suspended or revoked by any company for any reason, the certified organization must suspend all advertising which is related to the suspension or revocation certificate.

12) Certified labs by the company are not permitted to use the management system compliance mark on their test reports or calibration sheets.

13) Companies certified by the company are not allowed to use the management system compliance mark on their inspection reports sheet.

14. The certified organization must, in a systematic manner, monitor and monitor the use of the mark of third-party compliance within its organization.

15) In the event of a lack of conformity associated with the use of the conformance marks, the certified organization must design appropriate corrective actions and after obtaining approval from the company, apply the report of the measures taken and the results of the control of the effectiveness of the corrective actions The company

16) If there are complaints related to the use of the conformance mark, a certified organization must keep all records and keep them available to the company.

17) If the activity of any of the sites specified in the certificate is terminated, the certified organization shall be obliged to proceed with the notification to the appropriate and timely information.

21. Edit edit

The items listed in this regulation may need to be changed. In this case, the company immediately informs certified organizations through its communication infrastructure, the new edition and the date of its implementation.