Updated: April 12, 2016
SAAS Procedure 200:2015
Scope of service companies that administer contracts but do not perform the work e.g. cleaning companies. These companies are not considered shell companies? Should the scope mention exclusions such as the actual onsite cleaning?
Response: The answer is “Yes” to each of these questions.
Initial Research: Clause 11.1.3 e) and Clause 13.2.3: Initial research or contact with local interested party is also compliance with below requirement "auditors shall conduct local intelligence gathering while on-site or in a specific area for audits". Am I correct?Response: NO. The requirements of Clause 11.1.3 e) are different from Clause 13.2.3. The intent of Clause 13.2.3 is to perform research prior to the CB going to site. Clause 11.1.3e) provides additional intelligence when in the location of their client company e.g. at the time of the Stage 1 Audit.
13.2 – Initial Research: Should an “Initial Research” be started from stage of application to determine if CB accepts the application and last to 1st stage audit while some activities of an Initial research should be completed by on-site visit? Does it mean that a (partial) result of Initial Research (even it has not been fully completed) SHALL be taken into considerations before accepting an application of SA8000 certification? 1. Generally yes but it can also carry on to the beginning of the Stage 2 phase if information was uncovered at the Stage 1 Audit that requires further investigation.
SAI Fire Safety Checklist: This has been removed from Procedure 200?
Yes as all the new requirements in 200 and the Performance Indicator Annex address this matter.
Witness Fire Drill In Highest Risk Countries – Old Advisory 18. This has been removed from Procedure 200?
Response: Yes as all the new requirements in 200 and the PIA etc address this matter. The CB needs to approach this and other issues in line with the risk based approach to certification as described in ISO 17021-1:2015 Clauses 4.8 & 9.4.2g). Should this requirement change, all CBs and other stakeholders shall be notified.
Table 15: This states that the effort includes reporting time. How long do we need to spend on writing the report?
Response: The time allocation should be 0.25 days on Social Fingerprint and then 80/20%** with respect to on site and reporting time. Using the guide in IAF MD 5:2015 Issue 3 Clause 2.1.2 “The duration of a management system certification audit (1.7) should typically not be less than 80% of the audit time calculated following the methodology in Section 3. This applies to initial, surveillance and recertification audits.”
Table 16: Based on the Table 16, Initial BSCI Allowance Audit Days, addressed in P. 200:2015, reporting audit days are included in both stage 1 and stage 2 audits. However, the Table 17, Single Site Surveillance Audit Effort, mentions that it excludes on-site reporting time. Does it mean that CBs should add extra on-site audit day, says 0.5 day, for reporting on the top of this basic duration for only audit activities?
Response: Table 16 is appropriate to BSCI “transfer/upgrade” audits only. Table 15 is the normal single site audit effort table. The CB is expected to add the time it takes them to produce the report to this audit effort based on how long it takes them to produce the report. This would be normally 0.5 to 1 day.
Table 17: This states that it excludes reporting effort. How long do we need to spend on writing the report?
Response: The time allocation should be 80/20% with respect to on site and reporting time.See note about IAF MD 5 above.
Table 17: Based on the remark in Table 17, it mentions Social Fingerprint Evaluation. From my understanding, the onsite audit effort in the table doesn't include time for doing the SF Evaluation. It means that if additional onsite audit effort, says 0.5 days, should be added for doing SF Evaluation. Right?
Response: Table 17 by means of the * shows that these times DO include the SF Independent Evaluation Effort. Procedure 200A (Audit Requirements for Accredited Certification Bodies For Social Fingerprint) describes the required effort as “sufficient time”. The time required is obviously dependent on the CB Auditors Experience but it is thought that generally this will be between 2-3 hours.
Social Fingerprint: It is not clear how it is possible for the auditor to do the Independent Evaluation after the audit, when it is necessary to give feedback to auditee during closing meeting?
Response: Closing Meeting To be held after SF IE.
Bribery procedure: it is necessary to define how to detect or identify “corrupt auditors”, proactively…?
Response: Yes this is normal practice and expected of all CB’s regardless of size.
Tolerance on announced surveillance audit scheduling: There is no tolerance stated for the audit scheduling of announced surveillance audits.
Response: The following should be adopted: If delay due to client: 3 months delay - certificate is suspended; a total of 6 months delay: certificate is cancelled (delay must be justified in records).
Multi-Site Scope: When reading the new procedure 200, is not totally clear to me that a company can choose to include some sites in scope and leave others out of the scope, even when the perform the same activities in all sites. For example, can a company start SA8000 certification in headquarter only, and in following audits decide to add sites as long as they progress on the implementation of the system in other sites? (as they do with other management systems). So they would begin with a single site certification, including only the workers from the HQ?
Response: That has been permitted in the past and suits an organisations’ roll-out of SA8000 Certification. That way they can learn from the experience and save costs on consultancy etc. There should though be some sort of logic to the roll-out and the CB should work with the client on the understanding say that all sites will be certified with 3 years. Failure to do so will mean that certification is lost for all the sites or that they go back to a single site certification basis. In the initial certification roll-out MUST be the head office then say ALL the sites in a particular town or province etc. SAAS is putting together guidance on scope and CBs shall contact SAAS directly under these described circumstances.
Multi-site Initial Audit Clause 21.4 vs. 21.6.1: Some regional offices in service sector can be limited scope during stage 2 so these two clauses are contradictory?
Response: Yes take 21.6.1 as the criteria for the service sector.
Clause 21.6.9: In the case that sites are classified as "temporary", it is not defined how to consider those in the audit process, since procedure only defines requirements for "permanent sites" surveillance (21.7.4), and a company may provide cleaning service (or pest control, or gardening, or transportation, etc) to many different customers every year, in some cases through participation in tenders, annually or every 2 or 3 years, for example.
Response: Clause 21.7.4 this should be taken as temporary or permanent site.
Clause 21.7.4: It is not clear how to define a temporary site?
Response: It should be noted that the length of contract with a customer does not define whether a workplace is temporary or not. The following illustrates what SAAS consider as a temporary site. “A temporary site is one set up in order to perform specific work or service for a finite and limited period of time”. These may be for example: Construction Sites; Temporary Exhibitions; Outdoor events and concerts; Event caterers; One off customer call-out to repair ítems e.g. photocopier. Examples of permanent sites are: Cleaning services; Pest control; Gardening; Billboards.
Multi-site surveillance: Clause 21.7: Is the audit effort, audit records, interviews etc the same as for single site surveillance?
Clause 21.6.9 states that 2% or 2 work locations (not owned/controlled by the organization) shall be audited. Does not clarify whether this is applicable to permanent and/or temporary sites. Actually, in the service sector, the list of "work locations" (whether permanent or temporary) would be the complete list of customers!?
Response: Clause 21.6.9 refers to premises not owned by the CB Client but at which work is performed by their workers. This applies to both permanent or temporary sites. Yes it would be the complete list of work locations but even if there are 1000 work locations the audit effort is only 2% that is 20 locations at 0.5 days each.
Non-Conformities: If a Major NC is raised by a CB during a surveillance visit then is it expected that the Clients Certificate is suspended?
Response: No not in every case. A Critical NC triggers a client’s automatic suspension.
Clause 22.2.2 Zero Tolerances and Clause 7.2.32: There is no guidance on what are Zero Tolerance issues – are these the same as BSCI has? Only Critical or Critical / Major (in Definitions): always must be reported, but could a Major when for example it is immediately fixed?
Response: NO these are not, in all cases, the same as BSCI Zero Tolerances. They are clearly defined in Clause 7.2.32. Procedure 200 Clause 22.5.1 Clearly states ……… Non-conformities SHALL NOT be closed by the CB during the audit in which they were issued.
Time Bound Non-conformities: Clause 22.3.4: There were several TBNC’s in earlier issues of Procedure 200. Why are these not there now?
Response: Time Bound NCs are limited to ONLY those now found in Procedure 200:2015. Should SAI consider others, they will be added and all stakeholder notified.
Definitions Of OFI and Observations: Some CBs definitions for OFI and Observations are the other way around from Procedure 200. What do we do in these circumstances?
Response: The CB can continue to use their definition as long as they include a clarification in their documented management system as to what their term equates to with respect to the SAAS Procedure 200 definition.
Integration with ISO: There is currently no requirement now that SA8000 audits SHALL not be combined with ISO 9001, 14001 audits etc.?
Response: Correct, there is no requirement. This was removed during the last stages of 200 editing.
Guidance: Will SAI include country-specific guidance somewhere on its website?
Response: Yes, it is planned that SAI will publish country-specific guidance - however, there is no specific timeline for this publication at the moment.
SAAS Procedure 201A:2015
Annex A, clause 184.108.40.206: Are the duplicate audits applicable just if a CB decides to use the resources of partner (subcontracted) organizations to provide SA8000 auditing services (under a contractual agreement)? Or it is a requirement that should be implemented even if the CB manage their own SA 8000 auditing services?
Response: Duplicate audits are not limited to just subcontracted organizations. The accredited CB shall perform a minimum of one duplicate audit on-site for every 100 SA8000 audits globally that the CB performs. The duplicate audit SHALL be based on a risk assessment conducted by the CB.
SAAS Procedure 201B:2015
Clauses 2.2 & 2.3: What´s the difference between Specialist Auditor and Technical Expert? From the definitions in 2.2 and 2.3, they both are “member of the audit team assigned to conduct specific interviews and/or review specific audit evidence utilizing his/her specialized skills.”
Response: Specialist Auditor refers to skills such as worker interviews, payroll analysis, health and safety etc. Technical Expert refers to Technical Industry Sector Experience.
Clause 3.3: For already appointed auditors and experts who were qualified based on previous requirements: is it sufficient to check that they comply with the Annual Maintenance Requirements?
Response: No as Clause 3.3 describes the need for a training plan to be produced for every auditor (and others as described in Clause 3.2). This plan should also encompass SAAS Notification 4B.
Clause 3.6: regards Technical Experts and translators, expert, observers and trainees not as audit team members whereas ISO 17021-1 clause 220.127.116.11 does (although their time is not counted as audit time).
Response: SAAS takes Procedure 201B Clause 3.6 as having the same basic meaning as ISO17021-1:2015 Clause 18.104.22.168 but refers to Team Members as Participants. This is to ensure that for example Specialist Auditors such as female worker interviewers work alone (without a male auditor present) and that their audit effort is also included in the overall audit effort. Clause 3.6 Figure 2 clearly shows this.
Clause 4.1, 4.2 & 4.3: “Persons With Management System Experience”: what does count as management system experience? How many years of experience are required?
Response: It is expected that at least 3 years minimum management system experience is required. The Program Manager will need to justify why they would accept less than 3 years.
Clause 4.3: Lead auditor: requires Social Accountability Advanced Training Modules a) Worker Interview Techniques and b) Fire Prevention and Awareness - those 2 modules are not available on SAI website. When will they be available?
Response: SAI through SAAS with advise when these courses are available.
Clause 4.1, 4.2 & 4.3: Annual maintenance requirements: What´s the meaning of “maintenance by program manager”?
Response: This means that on an annual basis the SA8000 Program Manager reviews each Auditor to make sure that they still meet the requirements of Procedure 201B.
Clause 4.5: Annual Maintenance Requirements: It is not clear what exactly is the expectation of SAAS from this reference.
Response: In drafting the new criteria, SAAS has made it clear that the Program Managers are expected, at minimum, to have the same experience and requirements as the Lead Auditors. If there is a deviation, the CB shall have to justify their reason and SAAS may or may not choose to accept this deviation, resulting in a possible non-conformity. The + sign explains the requirement – referring to audit experience – SA8000 auditing experience – which could be surveillance audits, not specifically limited to only certification or recertification audits:
Ongoing SA8000 Experience+: Demonstrable ongoing experience with SA8000 accreditation requirements (ISO 17011, ISO 17021, SAAS Procedures 200, 201, etc.). Program Managers ahll maintain ongoing experience with SAAS SA8000 requirements (which would include, at minimum, SAAS procedures and normative requirements).
“Structured learning”: SAAS Guideline 305 “Continuing Education Framework” allows structured and semi-structured training. Is this Guideline now obsolete?
Response: Yes Guideline 305 is now obsolete. SAAS have generally followed the IRCA definition of structured learning: interactive and highly participative training courses and seminars; professional body meetings with formal lectures; active participation in the development of standards.
Can the auditor experience exchange meeting be counted as structured learning for CPD?
Response: Yes if face to face in person. If via telephone or VOIP then it is counted as non-structured.
Transition Time Frame
Clarification on Timeline for Initial Certification, Recertification and Transfer Clients:
- Existing clients who have had their Stage 1 audit to SA8000:2008 prior to April 1, 2016 may continue the certification process to SA8000:2008 - even if/when their Stage 2 audit is scheduled after April 1, 2016.
- Existing clients who have had their Stage 2 audit to SA8000:2008 prior to April 1, 2016 and for whom a decision has not yet been made, or who require additional follow-up/special audits may continue the certification process to SA8000:2008 - even if/when their additional audits or the decision-making process continues after April 1, 2016.
- Transfer clients audits may continue the certification process to SA8000:2008 as these clients already hold certification to SA8000:2008, they may continue with SA8000:2008 up until the later deadline of June 30, 2017.
Transition Audit: How long should the client transition audit take during a routine surveillance audit?
Response: It is up to the CB to assess this based upon the size of the company and risk. It is thought that the length of the transition audit would extend the length of a routine surveillance audit by between 0.5 to 1.5 days on site.
Some currently certified organisations may find it difficult to transition to SA8000:2014 – why is there such a short time frame?
Response: The original timeframe was for currently certified organisations to have until December 31, 2016 to complete the transition process. This has been revised and extended to June 30, 2017.
What if the certified organisation is ready for an SA8000:2014 audit but the CB has not yet fully transitioned and trained its personnel on new requirements found in Procedure 200 and the Social Fingerprint process?
Response: With the revised timeframe, CBs may begin conducting SA8000:2014 audits on January 1, 2016, but not before then. A CB is required to submit their plan of action to SAAS and SAAS shall conduct a document review of the CBs revised policies and procedures before a CB is authorized to conduct SA8000:2014 audits. In all cases, an accredited CB shall have amended its policies and procedures prior to March 31, 2016 (and have a document review by SAAS) so it can begin delivering SA8000:2014 audits by April 1, 2016 (if the CB is to conduct SA8000 audits of new clients).
Update: SAAS and SAI have extended the deadline for requiring all new certifications to SA8000:2014 from April 1 to May 15, 2016. This does not change any of the other deadlines for the transition to the new Standard.
What if the certified organisation is due for its SA8000:2014 transition audit but is not ready and/or not compliant with the SA8000:2014 requirements?
Response: If the CB is prepared and able to undertake SA8000:2014 audits but the certified organisation has not fully transitioned to the new requirements, the CB shall still undertake the transition audit. The CB shall issue non-conformities, as appropriate, for the client organisation to address through the corrective actions process.
When an organisation transitions to SA8000:2014, does the SA8000:2014 certificate start a new certification cycle?
Response: If the transition audit takes place during a regularly scheduled surveillance audit, then no, the organisation should remain on the same certification cycle with the same expiry date. However, a new certificate shall be issued to SA8000:2014 rather than SA8000:2008. If the transition audit takes place at recertification, then a new certificate shall be issued with the new certification cycle dates.
When will the new system documents, procedures and policies, training and Social Fingerprint platform be published and available?
Response: The following training and resources are currently available via SAI's website:
- SA8000:2014 Revision Webinar 2: Social Fingerprint: Training for auditors on Social Fingerprint.
- Social Fingerprint Rating Chart
- Guidance for SA8000 Certification Auditors on Social Fingerprint for SA8000: 2014
- Social Fingerprint Glossary
Updated: The following documents have been published and are available via SAI or the SAAS website:
- Procedure 200:2015
- Procedures 201A and 201B:2015
- SA8000:2014 Guidance Document
- Social Fingerprint Self-Assessment for Organisations
Notification 4A, states that parts of SA8000:2014 include minor changes, but the inclusion of Social Fingerprint seems to be a major change. Can you clarify?
Response: It is accurate to say that some elements of the SA8000:2014 have major changes (see Element 9 in SA8000:2014), while other parts of the SA8000:2014 have had very minor or no changes at all from the SA8000:2008 version. Indeed, the inclusion of Social Fingerprint as part of the audit process does constitute a major change to the system itself. Social Fingerprint is a set of tools that help organisations measure and improve their management systems for social performance.
When do Social Fingerprint self-assessments and independent evaluations take place during the certification cycle, including during the SA8000:2014 transition process?
Response: SAI has conferred with its Advisory Board and many stakeholders to decide when the Social Fingerprint self-assessment (taken by the applicant or certified organisation) and the independent evaluation (completed by the SA8000 Lead Auditor) should take place during the audit process. This information is explained explicitly in Advisory 4A, and is further explained in the Guidance for SA8000 Certification Auditors on Social Fingerprint for SA8000: 2014 and SA8000:2014 Revision Webinar- Part 2: Social Fingerprint.
Can CBs provide the Social Fingerprint self-assessment content to certified organisations and new clients?
Response: No. Organisations take the online self-assessment on their own before the audit. A key part of the Social Fingerprint process includes the organisation’s active participation in the system, including an online training component for capacity building. Therefore, the self-assessment will not be made available offline for distribution to clients in advance.
What are the fees for participating in the Social Fingerprint self-assessment and independent evaluations?
Response: SAI has finalized the fee schedule and made the exact figures available. There will be 2 types of fees: one paid by the certified organisation for using the self-assessment and one paid by the CB for using Social Fingerprint as part of the SA8000:2014 audit process.
In which languages will the Social Fingerprint self-assessment be available?
Response: In the immediate future, it will be available in English, Italian and Mandarin.
Has SAAS accepted the edits, comments, suggestions and changes that resulted from the calibration meetings with the CBs and other correspondence with stakeholders?
Response: Yes, many of the changes and suggestions were reviewed and incorporated into the final procedures and systems. SAAS began the process of collecting feedback, input and suggested edits for clarity immediately after the release of the SA80000-related documents in 2007 and 2008. More recently, the outcomes of discussions at calibration meetings and feedback from CBs and SA8000 auditors have been incorporated into the final versions of the documents. The transition period was extended and many other process suggestions have been incorporated, including comments related to the Social Fingerprint self-assessment questions.
CBs’ contracts with their clients do not yet include Social Fingerprint and other aspects of the SA8000:2014 and new Procedure 200 requirements. How should CBs manage this?
Response: CBs shall be required to issue new contracts to certified organisations and applicant organisations, which cover all new and revised audit processes in relation to SA8000:2014, Procedure 200:2015 and Procedure 201A:2015 and Procedure 201B:2015. This includes the Social Fingerprint self-assessment and independent evaluation.
Accreditation Transition Process
What is the required process for a CB to undertake SA8000:2014 audits?
- Updated: See element 7 of the revised document: SAAS Notification 4A: Certification of Clients to SA8000:2014
- Updated: October 1, 2015: All CBs must acknowledge the updated Notification.
- Updated: November 1, 2015: By this date, all CBs shall submit a plan to SAAS identifying their process for incorporating the changes into their accredited SA8000 audit system. These changes shall take into account the revised SA8000:2014, the integration of Social Fingerprint into the audit process, and the new Procedures 200:2015 and 201A:2015 and 201B:2015. All CBs shall also begin the process of revising policies, procedures and other system-related documents, as well as training personnel involved in the accredited SA8000 system. All plans submitted by the CBs shall be reviewed by SAAS in a timely manner. SAAS shall respond to all CBs with any required follow-up, comments or questions about the transition plan.
- Updated: March 31, 2016: By this date, SAAS will conduct a document review of the revised policies and procedures of all CBs. The document reviews will be conducted on a rolling basis, beginning as soon as a CB submits its documents for review, SAAS will assign it to a reviewer for assessment and evaluation.
- A CB must receive approval from SAAS prior to conducting any SA8000:2014 audits. This approval will be issued after SAAS has reviewed the transition plan and conducted a brief document review.
- Between January 1, 2016 and December 31, 2016: SAAS will monitor the CBs’ implementation of their revised procedures and training of personnel through regularly scheduled office and witnessed audits to review files and records, as well as witnessed SA8000:2014 transition audits.
- After the document review, office audit and witnessed audits are conducted, and any outstanding concerns have been addressed, SAAS shall issue an updated accreditation certificate and agreement to the accredited CB.
- SAAS will consider deviations from the expected timeline and plan identified above on a case by case basis.
What are the estimated new costs which will be involved for the review by SAAS (as noted in paragraph 9.3 of Notification 4A)?
Response: SAAS expects to take 1-2 audit days for the document review. This will, of course, depend on the number of documents required for the document review process. Additional time may be needed at the regularly scheduled head office audit.
According to paragraph 1.a. of Notification 4B, a CB shall provide internal training and calibration on new processes and procedures. What is required for this training and calibration?
Response: All CBs shall be required to update their policies, procedures, work instructions, report forms and processes, as necessary, to comply with the new requirements of SA8000:2014, Procedure 200:2015, Procedure 201A:2015 and 201B:2015. Therefore, all CBs are required to provide training to all personnel associated with the accredited SA8000 program – including program managers, auditors (employed or contracted), subject matter experts, and others involved in the SA8000 certification system. This training shall, at minimum, review the revised procedures set out by SAAS, as well as the CB’s internal system changes. This training shall ensure that there is a common understanding among the CBs personnel of the expected implementation, interpretation and use of the new system.
Will this period coincide and take into account the CBs’ transition to ISO 17021-1:2015?
Response: Yes. The transition to ISO 17021-1:2015 shall be in accordance with the timeline for implementation of Procedure 200:2015 and Procedure 201A:2015 and 201B:2015, so that all CBs are accredited to ISO 17021-1:2015 by December 31, 2016.