ISO 9001:2008 Surveillance Audit Frequency Requirements

[vanputten]

Hello Hilary:

Let's assume you are required to be audited 4 days a year. Why would two x 2 day audits be more disruptive and costly than 1 x 4 day audit?

 

[Howard Atkins]

Hello keres:

The frequency of surveillance audits does not depend on the certification body (CB). The frequency of audits depends on the agreement between the customer (the auditee) and the supplier (the CB).

The IAF requirements must be met in terms of audit days. But the frequency is an agreement between the customer and the supplier as long as it does not exceed 12 months as Randy has pointed out.

This is not what Randy said.

The only qualifier is

"Surveillance audits shall be conducted at least once a year. The date of the first surveillance audit following initial certification shall not be more than 12 months from the last day of the stage 2 audit."

This applies only to the very first surveillance audit after certification.
After then it is once in every numbered year.
It is possible to perform surveillance audits Dec 2011 and Jan 2012 for these 2 years

 

[vanputten]

Calendar year? Fiscal year? I would think the intent of the requirement is to have at least one audit within each 12 month cycle from the last day of the stage 2 audit. If an organization wants more, then that is fine too.

 

[Howard Atkins]

Calendar year? Fiscal year? I would think the intent of the requirement is to have at least one audit within each 12 month cycle from the last day of the stage 2 audit. If an organization wants more, then that is fine too.

The intent is the intent but as we know too often things are not defined properly.

This requirement has not changed in the 2011 version of ISO 17021

The definition of Calendar_year is that which is accepted in the certification industry and as I stated the case of where surveillance audits in Dec 2011 and Jan 2012 are performed will fulfill the requirements for 2011 and 2012



The rules of ISO/TS 16949 are different and require that all surveillance audits are in the framework of -3months/+1 month from the closing meeting of the last certification or re certification audit.
The accreditation of CBs for ISO/TS 16949 is not according to ISO 17021 but by the IATF rules.

 

[vanputten]

I am surprised organizations don't regularly schedule their ISO 9001 audits in December and January. Many of the records might be exactly the same from December to January such as Management Review records.

An organization could have almost two identical external surveillance audits in December and January and then wait another 22 months for their next Stage 2 external audit.

Of course, this is from a "pass the compliance audit" standpoint and not from a "get as much out of the audit as possible" standpoint.

Stage 2 December 2011
1st Surveillance December 2012
2nd Surveillance January 2013
Stage 2 audit December 2014

 

[mguilbert]

I am surprised organizations don't regularly schedule their ISO 9001 audits in December and January. Many of the records might be exactly the same from December to January such as Management Review records.

An organization could have almost two identical external surveillance audits in December and January and then wait another 22 months for their next Stage 2 external audit.

Of course, this is from a "pass the compliance audit" standpoint and not from a "get as much out of the audit as possible" standpoint.

Stage 2 December 2011
1st Surveillance December 2012
2nd Surveillance January 2013
Stage 2 audit December 2014

The toughest part with performing this type of audit schedule (End/Beginning of year) may be the holidays and key personnel taking time off. I know in my company people are out alot during the holiday season. Using Vacation Time before they lose it.

Back on topic, I agree with the audit schedule is up to what is agreed upon in the contract. Once per year, twice per year, quarterly, etc. The CB may be trying to work around their auditors current audit schedules.

 

[Jaxter]

I have a question along this same thread...

We renewed our 9001:2008 cert last year that will expire in 2014. In the beginning when we 1st started our QMS, we had 3rd party audits 6 mos. 6 mos. then 1 yr. & 1 yr. and last year had our recertification audit because our original cert was going to expire. We are approaching our next "scheduled" 3rd party audit and we need to push it back a few weeks from the official "1 yr calendar date". Our auditor will not budge and has threatened to pull our cert if we don't comply. My question is...

1. Can he do that?
2. Since we are already recertified until 2014, do we still have to have annual 3rd party audits?
3. Is this stated somewhere in the 9001:2008 standard? Where?

We are a small company, 47 employees.

 

[Sidney Vianna]

Your registrar has to comply with ISO 17021, which requires them:

9.3.2.2 Surveillance audits shall be conducted at least once a year. The date of the first surveillance audit following initial certification shall not be more than 12 months from the last day of the stage 2 audit.

There are different interpretations about what "once a year" means...it seems that your auditor is taking the conservative approach that once a year means no longer than 365 days later...
And, if you want to keep the certificate in good standing, YES, you must undergo surveillance audits. Your certificate (or appendix) should have text to that effect.

 

[Randy]

I have a question along this same thread...

We renewed our 9001:2008 cert last year that will expire in 2014. In the beginning when we 1st started our QMS, we had 3rd party audits 6 mos. 6 mos. then 1 yr. & 1 yr. and last year had our recertification audit because our original cert was going to expire. We are approaching our next "scheduled" 3rd party audit and we need to push it back a few weeks from the official "1 yr calendar date". Our auditor will not budge and has threatened to pull our cert if we don't comply. My question is...

1. Can he do that?
2. Since we are already recertified until 2014, do we still have to have annual 3rd party audits?
3. Is this stated somewhere in the 9001:2008 standard? Where?

We are a small company, 47 employees.

No....He cannot "pull" your cert, that's horse&hit


Yes, you have to have your surveillance performed

Most likely a small offset backwards is being set to allow time for any problems if found to be rectified before your certificate turns into a pumpkin

And Sidney gave you where the surveillance requirement originates

And if you never bothered to do it before, take time to read your contract and/or any quotes for service because all the answers you seek may already be in your hands

 

[Jaxter]

Thanks Randy,

Our cert doesn't expire until 2014. This is the 1st audit after our recertification a year ago. I believe our initial contract had a "timeline" for audits over the first few years. I don't believe we signed a "contract" for anything after that, just invoices with an understanding of yearly audits, but I'll definitely check. I understand the "12 months", but I find it hard to believe that there is absolutely no "wiggle room" for scheduling, whatever the reason. The threat of pulling our cert only movitates me to start looking for another registar for ISO. We are going into our 5th year of ISO, so it's not like we're newbies who need the "babysitting". Thank the Lord there's Elsmar! It really helps when there's questionable situations that require advice and direction.