Certification Popular Science | Once the quality system has its initial certification, is the surveillance audit still difficult?

In the complete operation of quality management systems, environmental management systems, and occupational health and safety management systems, there are three key audit points: initial audit, surveillance audit, and recertification audit. So, what are the differences among these three types of external audits?

- Initial Audit -

This refers to the first external audit when an enterprise begins to establish the system, divided into Stage One and Stage Two, which is an audit of the entire system.

The first stage audits the system documents and evaluates the specific conditions of the enterprise's operation sites and on-site situations to determine the readiness for the second stage audit; the second stage audit evaluates the implementation of the customer's management system, including its effectiveness, and should be conducted on the customer's site; the audit team should analyze all information and evidence collected during the first and second stage audits to review audit findings and reach consensus on the audit conclusion.

- Surveillance Audit -

This means the certification body regularly monitors representative areas and functions within the scope of the certified customer's management system, considering changes in the certified customer and their management system.

Surveillance audits are on-site audits but do not necessarily cover the entire system and should be planned together with other surveillance activities so that the certification body can maintain confidence that the certified management system continuously meets requirements during the certification cycle. During the certificate validity period, secondary surveillance audits are conducted regularly. The first surveillance audit date is calculated from the completion date of the initial audit, generally conducted within 9-12 months; the second surveillance audit is also completed 9-12 months after the previous surveillance audit. Each surveillance audit must not exceed 12 months; otherwise, suspension actions will be taken.

- Recertification Audit -

This confirms the continued conformity and effectiveness of the management system as a whole, as well as the ongoing relevance and suitability to the certification scope, to evaluate whether the certified customer continues to meet all requirements of the relevant management system standards or other normative documents.

The initial management system certificate is valid for three years. Within three months before expiration, the certified organization should apply for recertification (certificate renewal). All recertification activities and certificate reissuance should be completed within the previous three-year validity period. If the certified organization has special circumstances, with written application and negotiation, the recertification audit date may be appropriately postponed but must still be completed within the certificate validity period; otherwise, it will be treated as an initial audit.

It is well known that system certificates are valid for three years. After initial certification, annual audits are required to maintain certificate validity. Taking the quality management system as an example, here is a sharing of the standard process for surveillance audits.

1 .  Surveillance Audit Procedure:

The certification body shall effectively track organizations holding its issued quality management system certification certificates (hereinafter referred to as certified organizations) and supervise the certified organizations to continuously operate the quality management system and comply with certification requirements. To ensure compliance, the certification body shall determine the frequency of surveillance audits based on the quality risk level or other characteristics of the certified organization's products and services. As a minimum requirement, the first surveillance audit after initial certification shall be conducted within 12 months from the certificate issuance date. Thereafter, surveillance audits shall be conducted at least once every calendar year (except in years when recertification is required), and the interval between two surveillance audits shall not exceed 15 months.

If the certified enterprise's products are found non-compliant in the national product quality supervision sampling inspection, the certification body shall conduct a surveillance audit of the enterprise within 30 days from the issuance of the notice by the National Quality Supervision Administration. Surveillance audits shall be conducted on-site at the certified organization. Due to market, seasonal, or other reasons, if it is difficult to cover all products and services in each surveillance audit, the surveillance audits within the certificate validity period must cover all products and services within the certification scope.

2 .  The surveillance audit shall at least cover the following content:

① Whether there have been important changes in activities covered by the quality management system since the last audit, and changes in resources for operating the system.

② Whether the important key points identified according to system clause requirements are operating normally and effectively as required by the quality management system.

③ Whether corrective and corrective actions taken for nonconformities identified in the last audit remain effective.

④ Whether activities covered by the quality management system that involve legal and regulatory requirements continue to comply with relevant regulations.

⑤ Whether quality objectives and quality performance have reached the values set by the quality management system. If not, whether the certified organization has operated internal audit mechanisms to identify causes and management review mechanisms to determine and implement improvement measures.

⑥ Whether the certified organization's use of certification marks or references to certification qualifications comply with the "Certification and Accreditation Regulations" and other relevant provisions.

⑦ Whether internal audits and management reviews are standardized and effective.

⑧ Whether complaints are accepted and handled in a timely manner.

⑨ Whether effective improvement measures have been timely formulated and implemented for problems or complaints found during system operation.

3 .  For nonconformities found during surveillance audits, the certification body shall require the certified organization to analyze the causes, set deadlines for completing corrective and corrective actions, and provide evidence of the effectiveness of these actions.

The certification body shall verify the effectiveness of the certified organization's handling of nonconformities in a timely manner using appropriate methods.

4 .  Based on the surveillance audit report and other relevant information, the certification body shall decide whether to continue maintaining, suspend, or revoke the certification certificate.