Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
articles:iso_9001_certification_cost [2023/05/17 12:28] – [The first 3-year Cycle] rrandallarticles:iso_9001_certification_cost [2023/06/18 20:01] (current) – [Multi-Site Businesses] rrandall
Line 7: Line 7:
  
 ===== The first 3-year Cycle ===== ===== The first 3-year Cycle =====
-{{ :articles:3-year_certification_cycle_transp.png?direct&300|}} +{{ :articles:3-year_certification_cycle_transp.png?direct&360|}} 
-The first 3-year cycle includes an “Initial” Audit” which consists of Stage 1 & Stage 2 audit activities. After successful completion of the Stage 2 audit, along with verification and closure of any nonconformities identified, the company will receive its certification. This is followed by 2 (two) “Surveillance” audits. At that point, the company has the opportunity to renew its certification for another 3-year term. The continuing certification audits begin with a “Reassessment” audit that covers the entire scope of the certification. This is then followed by another two (2) “Surveillance” audits. And the process repeats.+The first 3-year cycle includes an “Initial” Audit” which consists of Stage 1 & Stage 2 audit activities. After successful completion of the Stage 2 audit, along with verification and closure of any nonconformities identified, the company will receive its certification. This is followed by 2 (two) “Surveillance” audits. At that point, the company has the opportunity to renew its certification for another 3-year term.  
 + 
 +The continuing certification audits begin with a “Reassessment” audit that covers the entire scope of the certification. This is then followed by another two (2) “Surveillance” audits. And the process repeats.
  
 This means, unless the company is growing in size, that the first 3-year cycle will be the most expensive. I will cover the specifics of “how” that cost is calculated below. So open a blank spreadsheet (or get your pen & calculator ready) and I’ll show you how to calculate your approximate costs relating strictly to ISO 9001 certification EXCLUDING the travel & living expenses of the auditor(s)… which can be a significant, separate cost if the CB you select doesn’t have auditors in your immediate area. This means, unless the company is growing in size, that the first 3-year cycle will be the most expensive. I will cover the specifics of “how” that cost is calculated below. So open a blank spreadsheet (or get your pen & calculator ready) and I’ll show you how to calculate your approximate costs relating strictly to ISO 9001 certification EXCLUDING the travel & living expenses of the auditor(s)… which can be a significant, separate cost if the CB you select doesn’t have auditors in your immediate area.
Line 16: Line 18:
 The following is a step-by-step guide for estimating ISO 9001 certification cost. The following is a step-by-step guide for estimating ISO 9001 certification cost.
  
-1. Every CB (Certification Body – aka Registrar) has an “Audit Day Rate”. During 2023 I polled 10 CBs and found that this rate averaged $1,500/day (±$300) for ISO 9001 (add $100/day for AS91xx certification). \\  +1. Every CB charges a fixed fee covering the “Certification Management” (aka, “Certificate Administration”, “Maintenance Fee”). This fee is separate from the audit day rates because these fees are fixed for each individual certificate or site. Some of the activities that this fee covers include: 
-2. All CBs are required to consult [[https://iaf.nu/en/iaf-documents/?cat_id=7|IAF MD 5, “Determination of Audit Time of Quality, Environmental, and Occupational Health & Safety Management Systems”]] (available free) to determine the number of audit days required for each audit (the "MD" designator means that it is a "Mandatory Document"). This determination begins by obtaining the number of personnel at the company who will be involved with the company’s Quality Management System (QMS).+  * Customer Service Representatives (CSRs) or Schedulers time 
 +  * Management of the actual certification (tracking the upcoming and past audits) 
 +  * Technical Reviews of each completed audit report (to ensure compliance with ISO 17021-1) 
 +  * Tracking and closing nonconformities 
 + 
 +While this fee varies from one CB to the next, these average approx. $500 per certificate/site (±$100). For AS91xx certificates, there is an additional standard $500 annual fee (for OASIS). 
 + 
 +2. Every CB (Certification Body – aka Registrar) has an “Audit Day Rate”. During 2023 I polled 10 CBs and found that this rate averaged $1,500/day (±$300) for ISO 9001 (add $100/day for AS91xx certification). \\  
 + 
 +3. All CBs are required to consult [[https://iaf.nu/en/iaf-documents/?cat_id=7|IAF MD 5, “Determination of Audit Time of Quality, Environmental, and Occupational Health & Safety Management Systems”]] (available free) to determine the number of audit days required for each audit (the "MD" designator means that it is a "Mandatory Document"). This determination begins by obtaining the number of personnel at the company who will be involved with the company’s Quality Management System (QMS).
 <WRAP center round important 80%> <WRAP center round important 80%>
 +[[https://iaf.nu/en/iaf-documents/?cat_id=7|IAF MD 5]] defines applicable personnel as: \\ 
 +<WRAP indent>
 +//1.9. Effective Number of Personnel \\ 
 +The effective number of personnel consists of all personnel (permanent, temporary, and part-time) involved within the scope of certification including those working on each shift. When included within the scope of certification, it shall also include non-permanent (e.g. contractors) personnel.//
 +</WRAP>
 Personnel not involved with the QMS typically include those individuals who have absolutely no direct or indirect involvement with customers or fulfilling customer requirements. Examples may include cafeteria personnel, groundskeepers, janitorial, and/or security personnel within a manufacturing company. Also, there are no direct requirements in ISO 9001 for Accounting/Financial functions… even though Accounts Receivable invoices to customers. Personnel not involved with the QMS typically include those individuals who have absolutely no direct or indirect involvement with customers or fulfilling customer requirements. Examples may include cafeteria personnel, groundskeepers, janitorial, and/or security personnel within a manufacturing company. Also, there are no direct requirements in ISO 9001 for Accounting/Financial functions… even though Accounts Receivable invoices to customers.
 </WRAP> </WRAP>
  
-3. The CB then consults IAF MD 5, “Table QMS 1 – Quality Management Systems” (found in “Annex A – Quality Management Systems”)... shown below, to match the number of personnel at the company to the range found in the “//Effective Number of Personnel//” column. This will indicate the “//Audit Time Stage 1 + Stage 2 (days)//”.+4. The CB then consults IAF MD 5, “Table QMS 1 – Quality Management Systems” (found in “Annex A – Quality Management Systems”)... shown below, to match the number of personnel at the company to the range found in the “//Effective Number of Personnel//” column. This will indicate the “//Audit Time Stage 1 + Stage 2 (days)//”.
  
 ^  **Relationship between Effective Number of Personnel and Audit Time (Initial Audit only)**  ^^^^ ^  **Relationship between Effective Number of Personnel and Audit Time (Initial Audit only)**  ^^^^
Line 39: Line 55:
 |  426-625  |  11  |  >10700  |  Follow progression above  | |  426-625  |  11  |  >10700  |  Follow progression above  |
  
- +5. The CB will then make adjustments to the number of audits days determined from “Table QMS 1” based upon the complexity of the company (Ref. IAF MD 5, Figure QMS 1 – Relationship between Complexity and Audit Time) and associated risks of its products and/or services (Ref. IAF MD 5, Annex A, Table QMS 2 – Examples of Risk Categories).  
-4. The CB will then make adjustments to the number of audits days determined from “Table QMS 1” based upon the complexity of the company (Ref. IAF MD 5, Figure QMS 1 – Relationship between Complexity and Audit Time) and associated risks of its products and/or services (Ref. IAF MD 5, Annex A, Table QMS 2 – Examples of Risk Categories).  +
 {{ :articles:iaf_md_5-figure_qms-1.png?direct&600 |}} {{ :articles:iaf_md_5-figure_qms-1.png?direct&600 |}}
 <WRAP center round box 90%> <WRAP center round box 90%>
Line 49: Line 64:
 **High Risk** \\  **High Risk** \\ 
 Where failure of the product or service causes economic catastrophe, or puts life at risk. Examples include but are not limited to:  Where failure of the product or service causes economic catastrophe, or puts life at risk. Examples include but are not limited to: 
-Food; pharmaceuticals; aircraft; shipbuilding; load bearing components and structures; complex construction activity; electrical and gas equipment; medical and health services; fishing; nuclear fuel; chemicals, chemical products and fibres. \\ +Food; pharmaceuticals; aircraft; shipbuilding; load-bearing components and structures; complex construction activity; electrical and gas equipment; medical and health services; fishing; nuclear fuel; chemicals, chemical products and fibres. \\ 
  
 **Medium Risk** \\  **Medium Risk** \\ 
Line 60: Line 75:
 </WRAP> </WRAP>
  
-In order to understand how audit days and be reduced (or increased) it is important to understand the difference between the terms “Audit Time” and “Audit Duration”. As per MD 5, sec. 1 “Definitions”, these terms are defined as:+In order to understand how audit days and be reduced (or increased) it is important to understand the difference between the terms [[articles:what_is_audit_duration_vs_audit_time|“Audit Time” and “Audit Duration”]].
  
-<blockquote> +For a simple (low complexity) company providing products/services in a low-risk category, the CB is allowed to reduce the **audit time** by up to 30% (Ref. IAF MD 5, sec. 3.9). However, if the company is complex and/or providing products/services in a high-risk category, then the CB can add time to the audit (IAF MD 5 provides no guidance on how much time may be added). Later, additional audit time may also be determined necessary due to new “risks”, such as “the results of any prior audits” (Ref. ISO 17021-1, sec. 9.1.4.2)
-**1.6. Audit Time** \\  +
-Time needed to plan and accomplish a complete and effective audit of the client organization’s management system (ISO/IEC 17021-1). \\  +
- +
-**1.7. Duration of Management System Certification Audits** \\  +
-Part of audit time (1.6) spent conducting audit activities from the opening meeting to the closing meeting, inclusive. \\  +
- +
- +
-Note: Audit activities normally include: +
-  * conducting the opening meeting +
-  * performing document review while conducting the audit +
-  * communicating during the audit +
-  * assigning roles and responsibilities of guides and observers  +
-  * collecting and verifying information +
-  * generating audit findings +
-  * preparing audit conclusions +
-  * conducting the closing meeting  +
- +
-</blockquote> +
- +
-For a simple (low complexity) company providing products/services in a low-risk category, the CB is allowed to reduce the audit time by up to 30% (Ref. IAF MD 5, sec. 3.9). However, if the company is complex and/or providing products/services in a high-risk category, then the CB can add time to the audit (IAF MD 5 provides no guidance on how much time may be added). Later, additional audit time may also be determined necessary due to new “risks”, such as “the results of any prior audits” (Ref. ISO 17021-1, sec. 9.1.4.2)+
  
 IAF MD 5, sec. 2.1.2 states “the duration of a management system certification audit should typically not be less than 80% of the audit time…”. The CBs read this “should” as “shall”. IAF MD 5, sec. 2.1.2 states “the duration of a management system certification audit should typically not be less than 80% of the audit time…”. The CBs read this “should” as “shall”.
  
-<WRAP center round info 80%> +6. After making adjustments to the audit time based on complexity and risk, the CB will determine the number of days required for the “Stage 1” audit (sometimes called a “Document Review”). While the “Stage 1” audit is typically a one-day audit, it could be 2 days (or more) for very large or complex businesses. The “Stage 1” audit is intended to ensure that the company is prepared for a full audit of their QMS (Ref. ISO 17021-1:2015, sec. 9.3.1.2). The Stage 1 audit will verify that the company has:
-If a portion of the audit is being performed remotely, then 80% of the audit time must be spent on-site (Ref. IAF MD 5, sec. 4.1). Exceptions to this (e.g., pandemics) are addressed in “[[https://iaf.nu/en/iaf-documents/?cat_id=10|IAF ID 3, Informative Document for Management of Extraordinary Events or Circumstances Affecting ABs, CABs and Certified Organizations]]”. +
-</WRAP> +
- +
-5. After making adjustments to the audit time based on complexity and risk, the CB will determine the number of days required for the “Stage 1” audit (sometimes called a “Document Review”). While the “Stage 1” audit is typically a one-day audit, it could be 2 days (or more) for very large or complex businesses. The “Stage 1” audit is intended to ensure that the company is prepared for a full audit of their QMS (Ref. ISO 17021-1:2015, sec. 9.3.1.2). The Stage 1 audit will verify that the company has:+
   * Documented an appropriate “Scope” (Ref. [[https://committee.iso.org/files/live/sites/tc176/files/documents/ISO%209001%20Auditing%20Practices%20Group%20docs/Auditing%20to%20ISO%209001%202015/APG-Scope_and_Applicability_Ver2_2020-02.pdf|ISO 9001 Auditing Practices Group   * Documented an appropriate “Scope” (Ref. [[https://committee.iso.org/files/live/sites/tc176/files/documents/ISO%209001%20Auditing%20Practices%20Group%20docs/Auditing%20to%20ISO%209001%202015/APG-Scope_and_Applicability_Ver2_2020-02.pdf|ISO 9001 Auditing Practices Group
 Guidance on: Scope and applicability]]) Guidance on: Scope and applicability]])
Line 101: Line 92:
 The remainder of the audit days are allocated to the “Stage 2” audit… which will assess the entire scope of the certification. The remainder of the audit days are allocated to the “Stage 2” audit… which will assess the entire scope of the certification.
  
-6. After completing the “Initial” Audit” (Stage 1 & Stage 2 audit), the next two (2) audits will be Surveillance audits with each covering approx. half of the applicable requirements of ISO 9001, The time allocated for a Surveillance audit will be 1/3 of the days determined from IAF MD 5, “Table QMS 1 – Quality Management Systems” (Ref. IAF MD 5, sec. 5 “Surveillance”) after adjustments for complexity and risk... rounded up to the nearest half day.+7. After completing the “Initial” Audit” (Stage 1 & Stage 2 audit), the next two (2) audits will be Surveillance audits with each covering approx. half of the applicable requirements of ISO 9001, The time allocated for a Surveillance audit will be 1/3 of the days determined from IAF MD 5, “Table QMS 1 – Quality Management Systems” (Ref. IAF MD 5, sec. 5 “Surveillance”) after adjustments for complexity and risk... rounded up to the nearest half day.
  
-7. After successfully completing two (2) Surveillance audits, the initial 3-year contract ends… and the company will be offered the opportunity to renew its certification contract. This time, there will be no “Stage 1” audit.  And the recertification audit will be 2/3 of the audit days determined by the CB (Ref. IAF MD 5, sec. 6 “Recertification”) after adjustments for complexity and risk...  rounded up to the nearest half day. +8. After successfully completing two (2) Surveillance audits, the initial 3-year contract ends… and the company will be offered the opportunity to renew its certification contract. This time, there will be no “Stage 1” audit.  And the recertification audit will be 2/3 of the audit days determined by the CB (Ref. IAF MD 5, sec. 6 “Recertification”) after adjustments for complexity and risk...  rounded up to the nearest half day. 
  
 ==== Multi-Site Businesses ==== ==== Multi-Site Businesses ====
  
-If your company is a multi-site, there are additional criteria that must be taken into account. With the information above, reference, [[https://iaf.nu/en/iaf-documents/?cat_id=7|IAF MD 1, "IAF Mandatory Document for the Audit and Certification of a Management System Operated by a Multi-Site Organization"]].+If your company is a multi-site, there are additional criteria that must be taken into account. With the information above, reference, [[https://iaf.nu/en/iaf-documents/?cat_id=7|IAF MD 1, "IAF Mandatory Document for the Audit and Certification of a Management System Operated by a Multi-Site Organization"]], which identifies a multi-site organization as: 
 +<blockquote>IAF MD 1, sec2.4 Multi-site Organization \\  
 +An organization covered by a single management system comprising an identified 
 +central function (not necessarily the headquarters of the organization) at which 
 +certain processes/activities are planned and controlled, and a number of sites 
 +(permanent, temporary or virtual) at which such processes/activities are fully or 
 +partially carried out.</blockquote>
  
 {{page>wiki:pathforward}} {{page>wiki:pathforward}}