How is the ISO system audit time calculated? What is the minimum requirement?

The audit time for various types of audits refers to the effective time required to carry out audit activities measured in auditor days. One auditor day is usually 8 hours (excluding travel time or lunch breaks).

Effective personnel includes all full-time staff involved within the scope of certification (including personnel for each shift). Non-fixed personnel present during the audit (seasonal staff, temporary staff, and subcontractors) and part-time personnel should also be included in the effective personnel count.

The audit time for all types of audits includes on-site time at the client's location, as well as time spent off-site on planning, document review, interactions with client personnel, and report writing. When allocating audit time for planning and report writing, the total on-site audit time should generally not be less than 80% of the time listed in QMS 1 Table and EMS 1 Table. The number of auditor days should not be reduced by increasing the working hours per day.
   

During the initial three-year certification cycle, the time for conducting surveillance audits for a specific organization should be proportional to the time of the initial certification audit (Stage 1 + Stage 2), with the total annual surveillance audit time being approximately one-third of the initial certification audit time.

When adjusting audit time, the following factors (but not limited to these) also need to be considered. Let's take a look at the details together.

01
Quality Management System

1. Relationship between Effective Personnel and Audit Time

1. The number of personnel in the above table should be considered as continuously changing rather than stepwise. That is, if plotted as a curve, the starting point of each line segment should come from the value in the previous column of the table, with each column value as the endpoint of each segment. The curve's starting point corresponds to 1.5 days when the number of personnel is 1.

2. The certification body's procedures may specify the calculation of audit time when the number of personnel exceeds 10,700. This audit time should follow the progressive pattern in Table QMS 1 and remain consistent with it.

2. Relationship between Complexity and Audit Time

The risk types here are not fixed and immutable; they are provided as examples for certification bodies to use when determining the risk type of an audit.

1. Business activities expected to be identified as low risk may require less audit time than calculated in Table QMS1; those identified as medium risk will use the audit time calculated in Table QMS1; those defined as high risk will use more audit time than calculated in Table QMS1.

2. If an enterprise includes mixed business activities (for example, a construction company building simple buildings - medium risk, and building bridges - high risk), the certification body will determine the appropriate audit time, considering the effective personnel involved in each activity.

02
Environmental Management System

1. Relationship between Effective Personnel, Complexity, and Audit Time

1. Audit time is shown according to high, medium, low, and limited environmental factor complexity levels.

2. The number of personnel in the above table should be considered as continuously changing rather than stepwise. That is, if plotted as a curve, the starting point of each line segment should come from the value in the previous column of the table, with each column value as the endpoint of each segment. The curve (taking medium complexity as an example) starts at 2.5 days when the number of personnel is 1.

3. The certification body's procedures may specify the calculation of audit time when the number of personnel exceeds 10,700. This audit time should follow the progressive pattern in Table EMS 1 and remain consistent with it.

2. Relationship between Business Category and Environmental Factor Complexity Type

Based on the nature and severity of organizational environmental factors, five main types of environmental factor complexity that fundamentally affect audit time can be defined. These five types are:

High — Environmental factors have significant nature and severity (typically production or processing organizations with multiple significant environmental factors);

Medium — Environmental factors have moderate nature and severity (typically production organizations with some significant environmental factors);

Low — Environmental factors have low nature and severity (typically assembly organizations with almost no significant environmental factors);

Limited — Environmental factors have limited nature and severity (typically organizations in office environments);

Special — Requires additional special consideration during audit planning.

Table EMS 1 covers four of the above five complexity types: high, medium, low, and limited.

Table EMS 2 correlates the above five complexity types with typical industries covered by each type. Certification bodies should recognize that not all organizations within a specific industry belong to the same complexity type. The certification body's application review procedures should have some flexibility to ensure that the organization's specific activities are considered when determining its complexity type.

For example: Although many organizations in the chemical industry should be classified as "high complexity," if an organization only performs mixing operations without chemical reactions or emissions, or only engages in trading activities, it may be classified as "medium complexity" or even "low complexity." Certification bodies should document all cases where organizations in a specific industry are classified into a lower complexity type.

Table EMS 1 does not cover "special complexity." In such cases, certification bodies should analyze the situation specifically and reasonably determine the management system audit time.

03
Occupational Health and Safety Management System

1. Relationship between OHSMS Effective Personnel, OHS Risk Complexity, and Audit Time

1. Audit time is shown according to high, medium, and low OHS risk complexity levels.

2. The number of personnel in the above table should be considered as continuously changing rather than stepwise. That is, if plotted as a curve, the starting point of each line segment should come from the value in the previous column of the table, with each column value as the endpoint of each segment. The curve (taking medium complexity as an example) starts at 2.5 days when the number of personnel is 1.

2. Relationship between Business Category and OHS Risk Complexity Type

The three main OHS risk complexity types are determined based on the nature and severity of OHS risks that fundamentally affect the organization's audit time. These three types are:

High Risk — OHS risks have significant degree and severity (usually construction, heavy manufacturing, or processing organizations);

Medium Risk — OHS risks have moderate degree and severity (usually light manufacturing organizations with some significant risks); and

Low Risk — OHS risks have low degree and severity (usually office-based organizations).

Certification bodies should recognize that not all organizations in a specific industry will fall into the same OHS risk type. Certification bodies should allow flexibility in their contract review procedures to ensure that the organization's specific activities are considered when determining the OHS risk complexity type.

For example, although many enterprises in the shipbuilding industry should be classified as "high risk," small carbon fiber boat manufacturing organizations with only low complexity activities can be classified as "medium risk."

Certification bodies should record all cases that reduce the complexity level of OHS risks for organizations in specific industries. The complexity level of an organization's OHS risks may also be related to the consequences of OHSMS control risk failures:

High — risk management failure may endanger life or cause serious injury or illness;

Medium — risk management failure may cause injury or illness; and

Low — risk management failure may cause minor injury or illness.