1.0 Purpose

To lay down a procedure for the audit and certification of an organization with a network of sites through sampling method that provides adequate confidence in the conformity of its management system.

2.0 Scope

This document applies to sampling of sites during initial, surveillance and Re audit for an organization having similar multisite. This document does not apply to the audit of organizations that have multisite where dissimilar manufacturing and/or service processes are used at the different sites, even though under the same quality management system.

3.0 Responsibility and Authority

Certification Manager is responsible for applying the criteria of sampling to audit in accordance with this procedure.

4.0 Policy & Procedure
4.1 Definition

4.1.1 Site :
A site could include all land on which the activities under the control of an organization at a given location are carried out, including any connected or associated storage of raw materials, byproducts, intermediate products, end products and waste material, and any equipment or infrastructure involved in the activities, whether or not fixed. Alternatively, where required by law, definitions laid down in national or local licensing regimes apply. Other definitions may also be used subject to justification.

Where it is not practicable to define a location (e.g. for services), the coverage of the certification takes into account the organization’s headquarters activities as well as delivery of its services. Where relevant UKRAS may decide that the certification audit be carried out only where the organization delivers its services. In such cases all the interfaces with its central office are identified and audited.

4.1.2 Multisite Organization:
An organization having an identified central function (hereafter referred to as a central office but not necessarily the headquarters of the organization) at which certain activities are planned, controlled or managed and a network of local offices or branches (sites) at which such activities are fully or partially carried out. Examples of possible multisite organizations are:

a] Organization operating with franchise.
b] Food manufacturing companies with a network of sales offices, contact packager (this document applies to the sales network).
c] Service companies with multiple sites offering a similar service
d] Companies with multiple branches

4.2 Sampling Procedure

4.2.1 Eligibility Of An Organization For Sampling
The processes at all the sites have to be substantially of the same kind and have to be operated to similar methods and procedures. Where some of the sites under consideration conduct similar, but fewer processes than others, they may be eligible for inclusion under multisite certification providing that the site(s) which conduct the most processes, or critical processes are subject to full audit.

• Organizations which conduct their business through linked processes in different locations are also eligible for sampling providing all other provisions of this document are met. Where processes in each location are not similar but are clearly linked, the sampling plan includes at least one example of each process conducted by the organization (e.g. fabrication of electronic components in one location, assembly of the same components by the same company in several other locations).

• The organization’s management system has to be centrally controlled and administered FSMS as defined in Clause 4 of ISO 22000:2005, or equivalent for other FSMS’s and be subject to central management review. All the relevant sites (including the central administration function) are subject to the organization’s internal audit program and have been audited in accordance with that program prior to the UKRAS starting its audit.

• It has to demonstrate that the central office of the organization has established a management system in accordance with the relevant management systems standard under audit and that the whole organization meets the requirements of the standard. This also includes consideration of relevant regulations.

• The multisite organization need not be a unique entity, but all sites has to have a legal or contractual link with the central office of the organization. The organization has to demonstrate that all relevant sites (including the central administration function) have been audited in accordance with internal audit program, and that the central office of the organization has established a quality management system in accordance with the audit standard and that the whole organization meets the requirements of the standard.

• The organization has to demonstrate its ability to collect and analyze data (including but not limited to the items listed below) from all sites including the central office and its authority and also demonstrate its authority and ability to initiate organizational change if required:

a) System documentation and system changes;
b) Management review;
c) Complaints;
d) Evaluation of corrective actions;(FSMS, ISMS, QMS, OHSAS, EMS & MD)
e) Internal audit (FSMS, ISMS, QMS, OHSAS, EMS & MD) planning and evaluation of the result for each site and internal audit has been conducted on each site within the three years prior to certification.
f) Changes to aspects and associated impacts for environmental management systems (EMS) and;
g) Different legal requirements.

• All works of each sites included in the certification scope must be integrated into a part of central office’s business.

4.2.2 Sampling Restriction

Even if following cases are multisite, sampling does not apply.
• Dissimilar manufacturing and/or service processes are used at the different sites.
• Dissimilar activities are performed at different sites.
• Detailed certification scope or activities of organization are dangerous or complex.
• Size of the site that is subject of audit is too big to apply to sampling audit.
• Temporary site

4.3 Application Of Sampling Audit

Scheme manager provides information to the organization about the application of this document and relevant management system standards before starting the audit process and doesn’t process if any of the provisions are not met.

Before starting the audit process, Scheme manager informs the organization that the certificate will not be issued if during an initial audit nonconformities in relation to application of the sampling criteria/ eligibility are found.

4.3.1 Contract Review
  • Scheme manager identifies the complexity and scale of the activities covered by the management system subject to certification and any differences between sites as the basis for determining the level of sampling.

    • Scheme manager checks, in each individual case, to what extent sites of an organization operate substantially the same kind of processes according to the same procedures and methods. If the sites proposed for inclusion in the multisite

    • exercise meet these criteria, the sampling procedure is applied to the individual sites.

    • If all the sites of a service organization where the activity subject to certification is performed are not ready to be submitted for certification at the same time, Scheme manager requires the organization to inform UKRAS in advance of the sites that it wants to include in the certification and those which are to be excluded.

    • The initial contract review identifies, to the greatest extent possible, the difference between sites such that an adequate level of sampling is determined.

4.3.2 Audit

Audit team verifies that the same management system governs the activities at all the sites, is actually applied to all the sites and that all the criteria in para 4.2.1 above are met. This requirement also applies to a management system where electronic documents, process control or other electronic processes are used. Scheme manager keeps a record of the justification and rationale for proceeding with a multisite approach.

If more than one audit team is involved in the audit or surveillance of the network, Scheme manager designates a unique audit leader whose responsibility is to consolidate the findings from all the audit teams and to produce a synthesis report.

4.3.3 Dealing withNonconformity
  • One single certificate is issued with the name and address of the central office of the organization. A list of all the sites to which the certificate relates is issued, either on the certificate itself or in an appendix or as otherwise referred to in the certificate. The scope or other reference on the certificate makes clear that the certified activities are performed by the network of sites in the list. If the certification scope of the sites is only issued as part of the general scope of the organization, its applicability to all the sites is clearly stated in the certificate and any annex. Where temporary sites are included in the scope, such sites are identified as temporary in the certification documents.

    • A sub certificate may be issued to the organization for each site covered by the certification under condition that it contains the same scope, or a sub scope of that scope, and includes a clear reference to the main certificate.

    • The certificate is withdrawn in its entirety, if the central office or any of the site does not/do not fulfill the necessary criteria for the maintaining of the certificate. (as per criteria in 4.3.2 above)

    • The list of sites is kept updated by Audit Manager. To this effect, Scheme manager requests the organization to inform it about the closure of any of the sites covered by the certification. Failure to provide such information is considered by UKRAS as a misuse of the certificate, and it may act consequently according to UKRAS procedure (Granting, Maintaining, Extending, Reducing, Suspending and Withdrawing Certification: P09).

    • Additional sites can be added to an existing certificate as the result of surveillance and/or recertification activities or enhancement of the scope as per UKRAS procedure P09.

4.4 Sampling

4.4.1 Methodology
I- The sample is partly selective based on the factors set out below and partly nonselective, and result in a representative range of different sites being selected, without excluding the random element of sampling after the audit, no sampled sites may be non-conforming.
II- multi-sampling is limited to organizations with more than 20 sites and only for categories A,B, G, H & J and that this applies both to the initial certification and to surveillance audits
III- At least 25% of the sample is selected at random.
IV- Evaluation of the audit finding of the sampled sites is deemed equivalent to internal audit finding of the same sites of the organization.
V- Audit finding of the sampled sites are considered indicative of the entire system and correction implemented accordingly.
VI- Taking into account the criteria mentioned hereafter, the remainder is selected so that the differences among the sites selected over the period of validity of the certificate is as large as possible.
VII- The site selection criteria includes among others the following aspects:
a) Results of internal site audits and management reviews or previous certification audits,
b) Records of complaints and other relevant aspects of corrective and preventive action,
c) Significant variations in the size of the sites,
d) Variation in shift patterns and work procedures,
e) Complexity of the ISMS, QMS, EMS, OHSAS, FSMS and MD management system and processes conducted at the sites;
f) Potential interaction with critical information systems or information systems processing sensitive information
g) Modifications since the last certification audit,
h) Maturity of the management system and knowledge of the organization;
i) Environment issues and extent of aspects and associated impacts for environmental management systems; Geographical dispersion
j) Differences in culture, language and regulatory requirements;
VIII- This selection does not have to be done at the start of the audit process. It can also be done once the audit at the central office has been completed. In any case, the central office is informed of the sites to be part of the sample. This can be on relatively short notice, but allows adequate time for preparation for the audit.
IX- Every site included in the ISMS which is subject to significant risks is audited by the UKRAS prior to certification.
X- The surveillance programme has been designed in the light of the above requirements and covers all sites of the client organization or within the scope of the ISMS, FSMS, QMS, EMS, OHSAS & MD certification within a reasonable time.
XI- In the case of a nonconformity being observed, either at the head office or at a single site, the corrective action procedure applies to the head office and all sites covered by the certificate
XII- Address the client organization’s head office activities to ensure that a single ISMS,FSMS,QMS,EMS,OHSAS & MD applies to all sites and delivers central management at the operational level The central office is examined during every certification audit (FSMS, EMS, OHSAS, QMS, ISMS & MD) and at least annually as part of surveillance.

4.4.2 Size of Sample
I- Scheme manager determines the sample size taking into account all the factors described in this procedure. Scheme manager keeps records on each application of multisite sampling justifying it is operating in accordance with this document.
II- The minimum number of sites to be visited per audit is followings for an organization having low to medium risk activity.
III- Initial audit: the size of the sample is the square root of the number of remote sites: (y=), rounded to the upper whole number.
IV- Surveillance visit: the size of the annual sample is the square root of the number of remote sites with 0.6 as a coefficient: (y = 0.6 x), rounded to the upper whole number.
V- Recertification audit: the size of the sample is the same as for an initial audit. Nevertheless, where the quality management system has proved to be effective over a period of three years, the size of the sample could be reduced by a factor 0.8, i.e.: ( y = 0.8 ), rounded to the upper whole number.
VI- The central office is audited during every initial certification and recertification audit and at least annually as part of surveillance.

• The size or frequency of the sample is increased where UKRAS’ risk analysis of the activity covered by the management system subject to certification indicates special circumstances in respect of factors like:
• The size of the sites and number of employees,
• Complexity or risk level of the activity and of the management system,
• Variations in working practices(e.g. shift working),
• Variations in activities undertaken,
• Significant and extent of aspects and associated impacts for environmental management system(EMS),
• Records of complaints and other relevant aspects of corrective and preventive action,
• Any multinational aspects;
• Result of internal audits and management reviews.

VII- When the organization has a hierarchical system of branches (e.g. head (central) office / national offices / regional offices / local branches), the sampling model for initial audit as defined above applies to each level.

1 head office: visited at each audit cycle (initial/surveillance/ recertification)
4 national office: sample = 2 : minimum 1 at random
27 regional office: sample = 6 : minimum 2 at random
1700 local branches: sample = 42 : minimum 11 at random

4.4.3 Audit Times
The number of man-days per site is consistent with the number shown in UKRAS procedure P13 based on IAF document and reflects consideration of moving time to another site.
Reductions can be applied to take into account the clauses that are not relevant to the central office and/ or the local sites. Reasons for the justification of such reductions are recorded. Sites which carry out the most or critical processes are not subject to reductions.
The total time expended on initial audit and surveillance is the total sum of the time spent at each site plus the central office and is never be less than that which would have been calculated for the size and complexity of the operation if all the work had been undertaken at a single site (i.e. with all the employees of the company in the same site).

4.4.4 Additional Sites
On the application of a new group of sites to join an already certified multisite network, each new group of sites is considered as an independent set for the determination of the sample size. After inclusion of the new group in the certificate, the new sites are cumulated to the previous ones for determining the samples size for future surveillance visits or re certification audits.

4.0 Records
IAF Mandatory Document for the Certification of Multiple Sites Based on Sampling