
Requirements for Certification as an IRCA Auditor (All Schemes)
Contents

1. Introduction to IRCA Auditor Certification
2. Certification Grades and Summary of Grade Applicabilities
3. Instructions for Initial Certification, Maintenance of Certification, Renewal of Certification and Changing Your Certification Grade (Regrade)
   3.1 How to: Make an initial application
   3.2 How to: Maintain your certification
   3.3 How to: Renew your certification
   3.4 How to: Regrade
   3.5 IRCA's evaluation process: What we do
4. Essential Guidance for Application
   4.1 General
   4.2 Guidance on educational requirements
   4.3 What audits do we accept for certification?
   4.4 What training course certificates does IRCA accept?
   4.5 Guidance on continuing professional development (CPD)
   4.6 Guidance on work experience
   4.7 Guidance on flexibility and potential concessions within IRCA's criteria
5. Auditor Certification Criteria
   5.1 Internal Auditor and Provisional Internal Auditor
   5.2 Auditor and Provisional Auditor
   5.3 Lead Auditor
   5.4 Principal Auditor
6. Renewal of Certification Criteria and Requirements
7. Terms and Conditions
   7.1 Appeals and complaints
   7.2 Enforcement of certification
   7.3 Confidentiality
   7.4 Legal status
   7.5 Fees

Appendix I
Scheme-specific requirements and guidance are given for the following:
   Part 1 - Quality Management System Auditor Scheme
   Part 2 - Environmental Management System Auditor Scheme
   Part 3 - Occupational Health and Safety Management System Auditor Scheme
   Part 4 - Information Security Management System Auditor Scheme
   Part 5 - Information Technology Service Management System Auditor Scheme
   Part 6 - Business Continuity Management System Auditor Scheme
   Part 7 - Energy Management System Auditor Scheme
   Part 8 - Pharmaceutical Management System Auditor Scheme
   Part 9 - Aerospace Quality Management System Auditor Scheme
   Part 10 - TickIT Auditor Scheme
   Part 11 - Food Safety Management System Auditor Scheme
   Part 12 - Social Systems Auditor Scheme
   Part 13 - EICC-GeSI Auditor Scheme
   Part 14 - Maritime Auditor Scheme
   Part 15 - SSiP Assessor Scheme

Appendix II
Definitions

Appendix III
IRCA Code of Conduct

IRCA 1000 (Rev 1) 15.04.2013
Copyright IRCA 2012


All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or
transmitted in any form or by any means electronic, mechanical, photocopying, recording or
otherwise without prior permission of the International Register of Certificated Auditors (IRCA).

1. Introduction to IRCA Auditor Certification

Commitment to professionalism
IRCA auditor certification demonstrates your commitment to the profession through:
a) Your demonstration of required knowledge and skills, gained through work experience,
training and audit experience, to:
   - Plan and organise an audit of a management system (MS)
   - Identify, understand and audit relevant business processes
   - Sample and evaluate audit evidence, and determine the effectiveness of a
     management system
   - Report audit findings and conclusions accurately
   - Communicate clearly, both orally and in writing, with personnel at all levels of an
     organisation
   - Plan, organise and lead the audit team, and manage the audit process.
b) Your adherence to principles of proper ethical conduct, fair presentation and due
professional care, as articulated in the IRCA Code of Conduct
c) Your commitment to continuing professional development (CPD)
d) Your commitment to provide value to:
   - The users and stakeholders who rely on management systems audits to establish if
     the organisation's management system can consistently meet customer and
     applicable regulatory requirements
   - The auditee by providing management with information regarding the
     organisation's ability to meet its management system-related business objectives;
     identifying problems that may prevent the client from meeting its management
     system-related business objectives; and identifying meaningful opportunities for
     improvement, as well as those areas of risk that are not yet identified or managed.

When you achieve IRCA auditor certification, you join over 14,000 management systems auditors in
over 120 countries who share your professionalism and commitment, and benefit from:
   - A globally recognised qualification, valued and often required by employers and
     clients
   - Entry on to our publicly available online register of auditors, which is used by
     employers globally
   - Your individual certification card, to demonstrate your certification to clients and
     employers
   - Your auditor certification logo, for you to use on your stationery and documents
   - The IRCA system of continuing professional development, to support your career
     progression through always being able to demonstrate a currency of skills and
     knowledge.

The IRCA schemes
To be efficient and competitive, business and industry need competent auditors. The purpose of
our management systems auditor certification schemes is to provide confidence through
accredited certification, and to show business and industry that auditors certificated to these
schemes are competent.
As part of the certification process, we will evaluate you against requirements that reflect the key
skills, knowledge and experience that define competence and which you, the management system
(MS) auditor, need to possess and to demonstrate during an audit.

Each scheme is based on a key standard, such as:
   - ISO 9001: Quality management systems - Requirements (latest issue)
   - ISO 14001: Environmental management systems - Requirements (latest issue), etc

And each scheme is influenced by the following auditing standards:
   - ISO 19011: Guidelines for auditing management systems (latest issue)
   - ISO 17021: Conformity assessment - Requirements for bodies providing audit and
     certification of management systems (latest issue).

Our award of certification means we have recognised that you understand and are
competent (depending on the grade awarded) to:
   - Uphold the principles of proper ethical conduct, fair presentation and due professional
     care
   - Communicate clearly, both orally and in writing, with personnel at all levels of an
     organisation
   - Plan and organise an audit of a management system
   - Identify, understand and audit relevant business processes
   - Sample and evaluate audit evidence, and determine the effectiveness of a
     management system
   - Report audit findings and conclusions accurately
   - Plan, organise and lead the audit team, and manage the audit process.

The scope of certification is general. You may select from a list of up to six standard industry
sectors in which you have acquired work experience. These details, although included within the
register, are self-declarations and outside the scope of certification.
The details of all certificated auditors are included within a register that is publicly available.
The schemes are intended for:
   - Auditors, eg those for whom auditing is a significant part of their role, including supply
     chain auditors, those employed by certification bodies/registrars, and those conducting
     audits within their own organisations
   - Practitioners, eg consultants, audit programme managers, and others involved in
     auditing through the development and maintenance of management systems, auditor
     training and standards development.

2. Certification Grades and Summary of Grade Applicabilities

Most auditor schemes have four main grades of certification and two provisional grades. However, some
schemes have different/limited grades, or different terms (eg Assessor). Please refer to the respective
appendix for further guidance on any scheme.

Grade: Internal Auditor
Applicability: You should consider this grade if you conduct internal partial system audits of your
organisation's management system, or a supplier's management system. It is likely that you will not
be a full-time auditor, and you may only audit a few times each year.
Guidance notes: Partial system audits are audits that do not cover the entire management system in a
single audit. They are commonly departmental, or focused on a particular process, procedure or
requirement.

Grade: Provisional Internal Auditor
Applicability: Whilst the internal auditor grade requires the applicant to have conducted audits, the
provisional grade does not. It is therefore appropriate for professionals who have attended an
internal auditor training course, but that do not or have not had the opportunity to conduct audits,
yet wish to receive formal recognition of their ability.
Guidance notes: It is important to note that the training course certificate is valid for initial
application for a period of three years, after which it will no longer be accepted for auditor
certification in an initial application.

Grade: Auditor
Applicability: The auditor grade is appropriate for those who conduct full system audits as a member
of an audit team and/or as a sole auditor. They may be conducting internal full system audits,
second-party full system audits, or conducting third-party audits for certification purposes but do
not yet have sufficient experience of leading audit teams.
Guidance notes: Internal full system audits are accepted. See 4.3 f (p.10).

Grade: Provisional Auditor
Applicability: Whilst the auditor grade requires the applicant to have conducted audits, the
provisional grade does not. It is therefore appropriate for professionals who have attended an
auditor training course, but that do not or have not yet had the opportunity to conduct audits.
Guidance notes: Training course certificates are valid for a period of three years, after which they
will typically no longer be accepted for auditor certification in initial application (see 4.3b).
However, once registered at the provisional auditor grade and as long as the CPD requirements are
met, you will be eligible to apply to upgrade to Auditor and Lead Auditor status, should you start to
conduct audits and lead audit teams at any point in the future.

Grade: Lead Auditor
Applicability: This grade applies to competent auditors experienced at managing audits and at leading
audit teams. This would be the case for auditors working as audit team leaders for certification
bodies or those who perform supplier audits for organisations.
Guidance notes: Internal full system audits are accepted. See 4.3 f (p.10).

Grade: Principal Auditor
Applicability: This grade is appropriate for Senior Audit professionals with an extensive and
demonstrable history of conducting full system audits as lead auditors, who may no longer lead audit
teams, or conduct audits on a regular basis. Principal Auditors are not required to submit evidence
of audits at regrade, as they may have progressed into audit training or management roles. However,
submission of any audits carried out is recommended.

3. Instructions for Initial Certification, Maintenance of Certification, Renewal of Certification and Changing Your Certification Grade (Regrade)

3.1 How to: Make an initial application
Step 1
Select the grade you want to apply for by reviewing Section 2 of this document (p. 5), and checking
that you meet the requirements outlined in Section 5 (p. 15) and the relevant scheme appendix
(p.26-58), in terms of:
   - Relevant work experience
   - Required education/qualifications
   - Required auditor training
   - Required audit experience (except for provisional grades).

Step 2
Complete the IRCA auditor certification application form (available at www.irca.org):
Indicate which discipline(s) and grades you are applying for, and attach evidence as required.
We accept applications and supporting documentation in the following languages:

   - English
   - Japanese
   - Spanish.

For all other languages, the application must be accompanied by a certified translation (into
English) of the original text. This is particularly important for educational qualifications,
training courses and work experience.
Step 3
Submit your completed application form and fee:
Current auditor certification application fees are available at the IRCA website
(www.irca.org). You may submit your form electronically by email, or by post to:
Email: registration@irca.org
Address: IRCA, Chancery Exchange, 10 Furnival Street, London, EC4A 1AB, UK

See the "What we do" box later in this section to learn how we manage your application. Do not send the annual
certification fee. If your application is successful, we will write and ask you to pay the annual certification fee.

Step 4: Pay your first annual certification fee.
After we have evaluated your application, we will communicate the grade of certification we can
offer you or indicate what extra evidence is required to achieve auditor certification. If you wish
to accept our offer of certification, pay your first annual fee and you will receive your first IRCA
auditor certification card, and be placed on the IRCA online register of auditors. Once your
application is successful, we award certification for a period of three years beginning from the
month we award certification. This three-year period is referred to as the certification period.
During the certification period, at the end of the first and second years you may maintain
certification by payment of the annual certification fee, and by compliance with the Code of
Conduct. We don't, however, require you to submit any other documentation at the end of year
one and year two. At the end of the third year, all certificated auditors are required to complete
the triennial renewal of certification process.
3.2 How to: Maintain your certification
Your entry onto the IRCA online register of certificated auditors is dependent on you paying your
annual certification fee every 12 months (starting from your initial certification date) and by
compliance with the IRCA Code of Conduct.
3.3 How to: Renew your certification
We don't require you to submit any other documentation at the end of year one and year two. At
the end of the third year, all certificated auditors are required to complete the renewal of
certification process by providing evidence of continuing professional development, audit
experience (depending on grade) and declarations of ongoing compliance with the IRCA Code of
Conduct, including any complaints against you. If you are successful at renewal, we will award you
certification for a further three-year certification period, and so on. Please refer to Section 6 (p.21)
for the grade-specific renewal criteria.
We will write to you two months prior to your certification expiring to remind you that your renewal
is due.
3.4 How to: Regrade
You can apply to be regraded at any time. When we offer you initial certification, we will indicate the
audit experience and Competencies you need to attain the next grade(s) of certification.
To apply for regrade, you should complete IRCA/106 log sheets, enclose any additional information
requested, and send it to us with the regrade fee. Please visit www.irca.org for costs.
A successful application for regrade will not normally result in a change to your renewal of
certification date.
There is no regrade fee if you are regraded as part of the (three-year) renewal of certification
process.
Please contact us if you need any further advice on how to regrade.

3.5 IRCA's evaluation process: What we do
We usually take about four weeks to process each application, but that time may vary depending on
the time required to verify the information submitted with the application. Giving us all the
information we need will speed up the application process, which has four stages:
1) Administrative Check
All applications are checked first by our certification staff to make sure you have included all of the
information that we need.
2) Technical Evaluation
This phase is performed by IRCA's technical experts; the reviewing officers. The reviewing officers
evaluate the information submitted against the certification requirements, then they will perform a
verification of some or all of this information. At the conclusion of the technical evaluation, the
reviewing officers will make a recommendation on certification to the certification manager.
We consider verification to be an essential element supporting the overall credibility of the
certification process. Consequently, great care is taken by the reviewing officers in reviewing and
verifying applications against all aspects of the certification requirements. We will perform the
evaluation as speedily as we can, but sometimes it is not possible to be as quick as we (or you) would
like. Processing your application is likely to take longer if you have unusual educational
qualifications, if your current (or former) employers are slow to provide verification information, or
if the auditee organisations are not helpful.
Typically, certification decisions will be made based on the documented information provided
by the applicant. However, IRCA will, at its own discretion, invite a number of applicants for
interview to verify the information provided, and evaluate the understanding of the auditor.
3) Certification
The final decision on your certification is made by the certification manager. The certification
decision is performed independently of the technical evaluation process detailed above.
4) Offer and award of certification
The certification manager will write to you formally with an offer of certification to the appropriate
grade. We will send you this offer and ask you to pay your first annual fee. Certification will be
awarded when we receive your payment of the annual fee. Your details are then added to our online
register of certificated auditors, and we will send you your certification card. Although the card is
issued to you, it remains our property and you must return it to us should we ask you to. The IRCA
certificate is intended for display as a formal recognition of your certification to a specific grade;
you should not use it as proof of certification. Please contact us if you wish to purchase a certificate.

4. Essential Guidance For Application


4.1 General
a) Certification is available, without restriction, to all individuals worldwide who satisfy the
certification requirements
b) You must meet the requirements within Section 5 (Auditor Certification Criteria) and any
additional requirements contained within the respective scheme-specific requirements (see
Appendix I).
4.2 Guidance on educational requirements
a) All qualifications submitted must be supported by documentary evidence. An example of
acceptable evidence would be a good-quality photocopy of the original certificate indicating
the awarding body, the title and date of the award, and the name of the person to whom
the award was made. If any of this information is not available or not clear, we may ask you
to supply us with more evidence. The same applies if a copy of a certificate is not available,
such as when it has been lost or destroyed for example. Acceptable evidence would include
an official letter from the awarding body confirming the award. A transcript of an award (ie
an official, detailed account of the course content) would also be acceptable evidence if it
clearly states the date and title of the award. If no documentary evidence can be supplied by
the awarding body, it is unlikely we would accept your qualification. IRCA reserves the right
to verify this information with the relevant organisation and/or individual(s)
b) Where our criteria state "degree or near degree", all postgraduate diplomas, undergraduate
and postgraduate degrees awarded in a relevant subject will normally be accepted
c) We use the UK definition of a degree as the degree benchmark. But we recognise that not all
degrees awarded in the UK and in other countries meet this standard. Many fall just short,
either in content or in duration, and we call these "near degrees". For the purposes of
auditor certification, we recognise a near degree as meeting the tertiary education
requirement.
4.3 What audits do we accept for certification?
a) Normally, we will only accept audits performed during the previous three-year period. We
define "previous period" as being that period immediately prior to the date that we received
your completed application.
b) Audits can only be accepted once the respective training course has been successfully
completed. (For example, lead audits conducted before a Lead Auditor course has been
successfully completed will not be counted).
c) We will only accept audits that have been performed in accordance with the auditing
guidance standard ISO 19011 or ISO 17021, and against the relevant ISO standard for the
scheme you are applying for (or an alternative standard we accept as being equivalent).
Audits performed against alternative national, international or company standards may be
acceptable.
d) We must be able to verify all audit experience you submit in your log sheets. Please make
sure you include detailed information of the audits you perform, and provide sufficient
contact details so that we are able to perform a verification
e) Applying for second and subsequent auditor schemes:
If you are already certificated as an Auditor, Lead Auditor or Principal Auditor on one of our
other schemes and you are applying for certification or regrade to a second or subsequent
scheme then a minimum of 75% of the audit days shall be to the relevant scheme you are
applying for. The remainder may be to the scheme(s) you are already certified to. Note: This
does not apply to renewal where you need to demonstrate you meet the audit requirements
for each scheme.
f) Acceptability of combined/integrated audits:
For new applications, where two or more standards are being audited during a
combined/integrated management system audit, we will only accept the audit days
allocated to the relevant scheme you are applying for.
For recertification, where two or more standards are being audited during a
combined/integrated management system audit the full audit duration will be accepted.

g) Acceptability of internal audits:
We will consider accepting internal audits for Auditor, Lead Auditor and Principal grades,
providing you can demonstrate that the audit was of the full management system covering
all clauses and requirements of the applicable management system standard, and that it was
of a part of the organisation from which you are entirely independent (eg separate business
unit or sister company). Audits submitted must demonstrate this. We require you to submit,
with your audit log:
   - An organisation structure diagram of the company showing the auditor's
     independence from the system audited.
   - A sample audit report.
   - Any other information that you feel is supportive and relevant, such as written
     description of the type of audit, charts, reports, etc

h) Acceptability of consultancy audits:
We will accept audits performed by you when acting as a consultant for a client if all of the
following are satisfied:
   - The client (auditee) already had a fully established management system prior to the
     audit
   - You had no part in setting up the management system being audited (except in such
     specific circumstances as described below)
   - You were independent of the auditee
   - The scope of the audit included all elements of the management system.

We will also accept pre-assessment audits performed by you on a management system that
you were involved in developing, if the certification body subsequently awarded certification
at the first attempt

i) Acceptability of surveillance (partial system) audits:
We do not normally accept surveillance (partial system) audits when submitted for initial
certification or at regrade (except for Internal Auditor). However, we do accept surveillance
audits for renewal of certification

j) Acceptability of on-site and off-site audits:
IRCA will only accept on-site audits that have involved a significant amount of interaction
with the auditee(s). If the audit is limited to conducting a document review (eg records or
data analysis), observation of work performed, completing checklists and sampling (eg
products) without interaction with the auditee(s), it is not acceptable. Further, significant
on-site preparation time (eg half a day) may not be counted towards the days on site. A
maximum of one day's off-site per audit will be accepted

k) Acceptability of remote audits:
IRCA will accept remote audits as a substitute for the required on-site audit days, where
there has been as much interaction between the auditor and the auditee as would occur
during an on-site audit. Interaction may be achieved remotely through such means as video
conferencing, document and record-sharing systems, etc (remote audit activities are
performed at any place other than the location of the auditee, regardless of the distance). If
you have conducted extensive remote audits that you feel are suitable, please provide
additional information including the scope and nature of the audit, and, if possible,
supporting documentation such as audit plans and reports
l) Acceptability of audits to standards other than those issued by the ISO:
We will accept audits performed against standards that we have evaluated as being
equivalent to the relevant ISO standard. We maintain a list of acceptable alternative
standards for each auditor scheme, but it is possible that you may claim audits against a
standard that is not on this list. We have a formal process for evaluating new standards,
and you are advised to contact us for advice where you consider an alternative standard
may be acceptable to us.

m) Audits we do not accept:
   - Audits of the same management system that are repeated more frequently than once
     every 12 months
   - Audits of less than one day's duration (six hours of audit activity, exclusive of breaks),
     except for the internal auditor grade, where we will accept audits of three hours
     exclusive of breaks
   - Gap analysis, close out or follow-up visits
   - Audits performed before successful completion of the formal training requirement
   - Audits performed outside the accepted three-year period.
4.4 What training course certificates does IRCA accept?
a) We are looking for you to have a certificate for the successful completion of an
IRCA-certified training course. IRCA does accept a very small number of non-IRCA-certified
training courses as being equivalent to its own courses. Please refer to this page on our
website: http://www.irca.org/en-gb/certification/How-to-apply/accepted-alternatives/ or
contact head office for information about accepted alternatives
b) You should normally have successfully completed auditor training within the three-year
period immediately prior to application for certification. We may accept training completed
prior to this period if you provide evidence of recent and relevant continuing professional
development (CPD), work experience and currency of your auditing skills. We advise you to
refer to the IRCA website (www.irca.org) for a current listing of all IRCA-certified training
organisations offering IRCA-certified management system auditor training courses
c) All training course certificates submitted must be supported by documentary evidence. An
example of acceptable evidence would be a good-quality photocopy of the original
certificate indicating the awarding body, the title and date of the award, and the name of
the person to whom the award was made. If any of this information is not available or is not
clear, we may ask you to supply us with more evidence. If no documentary evidence can be
supplied by the awarding body, it is unlikely we would accept your training course
certificate. IRCA reserves the right to verify this information with the relevant organisation
and/or individual(s)
d) IRCA does not accept certificates of attendance. Certificates must be of successful
completion of a course. The only exception to this rule is that IRCA will accept a certificate
of attendance of an Auditor/Lead Auditor course, as meeting the training requirement for
the Internal Auditor grade.

4.5 Guidance on continuing professional development (CPD)


CPD is a framework that encourages you to continuously update your professional knowledge,
personal skills and Competencies. The purpose of CPD is to make you more effective as an auditor,
and to make the auditing profession more credible. The concept of CPD and the value it contributes
is now recognised and accepted throughout all professional fields.
Any CPD submitted must be in subjects that are broadly related to auditing and the relevant
management system. Because there are so many topics that we recognise will enhance your
auditing competence, we do not attempt to list them all here. But we categorise them into four
areas and three types:
CPD Areas: (Not in order of significance)
1) Management system related (eg learning about a new standard or learning about
updates to standards)
2) Auditing related (eg auditor skills refresher training)
3) Technical knowledge related (eg legislation and regulatory updates, industry changes,
relevant technology changes, technical process knowledge and other technical
knowledge that will enable you to audit more effectively)
4) Soft skills training (eg communication skills, conflict resolution and negotiation,
personal effectiveness, creative problem solving, strategic thinking,
management/business training, team building, influencing skills and other related
training).

a) CPD Types:
1. Unstructured;
Included in this category would be;
   - Reading and contributing to a relevant online forum such as IRCA's discussion
     group on LinkedIn, is also accepted.
   - reading IRCA INform, our e-magazine available from www.irca.org
   - distance and open-learning study that is not assessed and does not lead to a
     qualification
   - the reading of professional and technical journals, books and other
     publications

2. Semi-structured;
Included in this category would be;
   - non-interactive lectures, talks etc
   - professional body meetings
   - the research, preparation and first delivery of lectures/courses
   - technical research, either at work or at an external institution
   - forms of open and distance-learning that involve assessment, and that result
     in the acquisition of a qualification
Note: Repeated training deliveries and lectures/presentations cannot be
counted more than once.

3. Structured;
Included in this category would be;
   - relevant aspects of on-the-job training and development where specific
     outcomes have been planned, identified and recorded by you (only new
     activities, training and development will be considered). General day to day
     tasks, activities that do not help maintain/enhance your skills as an auditor, or
     that are not relevant to auditing, will not be accepted.
   - interactive and highly participative training courses
   - seminars and formal lectures,
   - active participation in the development of applicable standards.

b) CPD Focus
CPD should be focused on appropriately developing one's knowledge and skills to maintain
one's effectiveness as an auditor.
In determining what your CPD objectives should be, you should consider;
1. what has changed / is changing? This could be a standard update, a technical change
(such as to legislation or regulation) or an important change in industry, such as
technology or techniques used.
2. what your strengths and weaknesses are
3. what your ambitions for the future are
4. feedback you have been given.

c) CPD Approach
You should consider carefully what CPD you wish to do in the three year certification
period. You should identify some objectives early on, and plan your CPD activities in
advance to ensure you continue to meet the CPD requirements.
You may conduct CPD in a number of ways (types and areas). IRCA will not prescribe how
you should accomplish your personal CPD objectives, however IRCA will normally only
accept a maximum of 20 hours unstructured CPD. In certain circumstances, IRCA may
accept a greater number of hours of unstructured CPD, if the auditor can demonstrate;
a) good reason for not conducting enough semi-structured or structured CPD.
b) that there have been no significant changes that would warrant a semi-structured or
structured approach. (For example; an update to the standard may require formal
update training).
If you have conducted 45 hours of CPD, but IRCA determines that you have not conducted
CPD in a specific area, which it believes to be critically important, IRCA will advise you of
this and you will be required to submit evidence of this CPD to IRCA within an agreed
timeframe.
For each CPD entry on your log, you are required to state/describe;
1. what type of CPD it was
2. what areas the CPD was focused on
3. what skills/knowledge you have gained, and how these have enhanced your
capabilities as an auditor.
4. the contact details of someone who can confirm that the CPD took place (for
structured and semi-structured).
It is your responsibility to provide a case for acceptance of any activity you submit, and this
must be supported by sufficient and appropriate evidence, such as records of your activities,
provision of the contact details of someone who can verify the CPD took place (for
non-independent CPD) and any formal certificates or qualifications you may have received.
Completing the CPD log sheet clearly, fully and providing an accurate description of the CPD
undertaken and the skills/knowledge attained, will help ensure your CPD log is accepted.
4.6 Guidance on work experience
a) Please refer to the scheme-specific appendix document and the guidance section of the
application form for information about what will be accepted as experience relevant to the
auditor scheme you are applying for

b) Short periods of training cannot be included in this work-experience requirement,
however apprenticeships and the like may be considered as acceptable work experience.
Please provide additional information if you wish any training to be considered towards
your work experience.

4.7 Guidance on flexibility and potential concessions within IRCA's criteria
For any auditor certification grade on any IRCA scheme, IRCA may certificate an auditor who
does not meet fully the criteria as displayed, so long as the auditor can demonstrate their
competence and suitability for the grade by other means.
To be considered for a certification grade for which you do not fully meet the criteria, please
provide the following with your application:

A cover letter highlighting which grade you are seeking to be certified at. (This letter
should also explain why you believe yourself to be suitable for this grade)
A copy of your curriculum vitae
All relevant training certificates and educational certificates
A recommendation from an IRCA certified Lead/Principal Auditor (if possible).
Any other supporting documentation, for example an auditor certification from another
auditor certification body.
Completed IRCA Audit Logs and CPD logs to support your application.

Note: The Certification Process will still require you to make a non-refundable application
payment before your application can be formally reviewed. IRCA will review applications
that request such concessions on a case by case basis, and will provide a full and justified
explanation for any decisions made. Any flexibility or concessions to the IRCA requirements
will be entirely at the discretion of the Certification Manager.

5. Auditor Certification Criteria


Below are the generic IRCA criteria for becoming an auditor. You must refer to and meet the
additional scheme-specific requirements within the relevant part of Appendix 1 also.

5.1 Internal Auditor (see the bottom of the page for Provisional Internal Auditor)
Education
At least to secondary education level.
Work experience
Four years full-time experience, or two years with a degree or near degree
One year's full-time experience relevant to the auditor scheme.
Auditor training
A relevant IRCA-certified Foundation course and a relevant IRCA-certified Internal
Auditor training course
or
The relevant IRCA-certified Auditor/Lead Auditor training course. (Refer to 4.4 for
guidance on what training IRCA accepts.)
Note: IRCA will consider, on a case-by-case basis, auditors applying for an internal auditor
grade that have successfully completed an Internal Auditor course, but not the respective
Foundation course. The decision will be based on the information provided in the work
experience and sector understanding parts of the application form.
Auditing experience
You need to have performed at least five internal audits, each of which must have been
of at least three hours' duration, have included all elements of the audit cycle (audit
planning, document review, auditing, interviewing and audit reporting) and must not
have involved areas or activities in which you yourself perform. However, we will
accept audits of activities for which you are directly or indirectly responsible, eg as a
line manager. (Refer to 4.3 for guidance on what audits are accepted.)

Provisional Internal Auditor
No audits are required. All other requirements are the same as those for an Internal Auditor.

5.2 Auditor (See the bottom of the page for Provisional Auditor)
Education
At least to secondary education level.
Note: If you have a degree or near degree level qualification, we will reduce the
requirement for work experience. Acceptable qualifications include those awarded by an
institution recognised by a national governmental body or accredited by a national
professional body.
Work experience
Four years full-time experience, or three years with a degree or near degree
Two years full-time experience relevant to the auditor scheme you are applying for.
Please refer to the scheme-specific appendix document for information about what will
be accepted as experience relevant to the auditor scheme you are applying for.
Auditor training
A relevant IRCA-certified Auditor/Lead Auditor training course.
Or the relevant IRCA-certified Auditor/Lead Auditor Conversion training course, only
acceptable if you have previously completed a five-day Auditor/Lead Auditor training
course in another discipline. (Refer to 4.4 for guidance on what training IRCA accepts.)
Auditing experience
You need to have performed at least four full management system audits covering all
clauses (requirements) of the applicable management system standard. Auditing activity
must include document review, preparation and performance of on-site audit activities,
and audit reporting. The total duration of these audits must not be less than 20 days, 15
of which must have been acquired on site. (Refer to 4.3 for guidance on what audits are
accepted.)
Note: Although we recommend you should complete all of the audits under the direction
and guidance of an auditor competent as a team leader (one currently certificated as a
lead auditor or who has equivalent competence), we acknowledge that for many auditors
this will be very difficult and costly to arrange. Consequently, we will accept a minimum
of one audit under these conditions. We may require this team leader to attest to your
competence to audit as a team member.

Provisional Auditor
No audits are required. All other requirements are the same as those for an Auditor.

5.3 Lead Auditor


Education
At least to secondary education level.
Note: If you have a degree or near degree level qualification, we will reduce the
requirement for work experience. Acceptable qualifications include those awarded by an
institution recognised by a national governmental body or accredited by a national
professional body.
Work experience
Four years full-time experience, or three years with a degree or near degree
Two years full-time experience relevant to the auditor scheme you are applying for.
Please refer to the scheme-specific appendix document for information about what will
be accepted as experience relevant to the auditor scheme you are applying for.
Auditor training
A relevant IRCA-certified Auditor/Lead Auditor training course.
Or the relevant IRCA-certified Auditor/Lead Auditor Conversion training course, only
acceptable if you have previously completed a five-day Auditor/Lead Auditor training
course in another discipline. (Refer to 4.4 for guidance on what training IRCA accepts.)
Auditing experience
Four full management system audits as an auditor-in-training, totalling 20 days, including
a minimum of 15 days on site and;
Three full management system audits as the leader of an audit team that includes at
least one other auditor, totalling 15 days, 10 of which must have been spent on site. (Refer
to 4.3 for guidance on what audits are accepted.)
Note: Although we recommend you should complete all of the audits under the direction
and guidance of an auditor competent as a team leader (one currently certificated as a lead
auditor or who has equivalent competence), we acknowledge that for many auditors this will
be very difficult and costly to arrange. Consequently, we will accept a minimum of one audit
under these conditions. We may require this team leader to attest to your competence to
lead an audit team. If you are already certificated to the relevant auditor grade, you need
only perform the three lead audits as above.

5.4 Principal Auditor


This grade is for Senior Audit professionals with an extensive and demonstrable history of
conducting full system audits and lead audits. Principal Auditors may or may not conduct audits
on a regular basis, as it is not uncommon for some to have progressed into managerial roles
later in their career.
Some examples of the sorts of individuals that may qualify for this grade include (but are not
limited to): Full time third party auditors, audit managers, certification managers, audit training
and development personnel (including management system auditor training course designers),
and persons involved in the development of relevant audit and management system standards
(such as ISO 19011).
Work experience
8 years full-time experience relevant to the auditor scheme you are applying for. Please
refer to the scheme-specific appendix document for information about what will be
accepted as experience relevant to the auditor scheme you are applying for.
Other Requirements:

Six years certification to Lead Auditor grade by IRCA (or acceptable alternative) prior to
certification.
Note 1: You must have completed 6 years certification as a lead auditor and meet
the criteria for Lead Auditor Certification at the second recertification (this is the
earliest time possible to be eligible for Principal Auditor). If you have already
completed 2 recertifications as a Lead Auditor, you may transition to Principal
Auditor at any time.
Note 2: You may choose to maintain your lead auditor certification, rather than
progressing to Principal Auditor, however, you will need to continue to meet the
renewal requirements for lead auditor if you do so.

Or

Submission of evidence of 3 years full time employment as a management systems
auditor with an accredited certification body (or demonstrable and significant evidence
of contracted 3rd party audits with an accredited certification body).
Note: Acceptable evidence of employment as a management systems auditor would
typically include a letter from Senior Management confirming the duration and
nature of the employment.

6. Renewal of Certification Criteria and Requirements


You must renew your certification every three years, ie at the end of the third complete year. We
will write to you two months before your certification period expires and ask you to send us your
audit and CPD log, CPD objectives log and other documents. We will evaluate these against the
renewal requirements listed below and make a certification decision. We will then write to you
with the results. All criteria must be met for each individual scheme for which you hold
certification.
The renewal of certification process involves the following six requirements:
1) Continuing professional development (CPD)
2) Audit experience
3) Other requirements
4) Declaration of complaints
5) Compliance with the IRCA Code of Conduct
6) Payment of the annual fee.

1) Continuing professional development


For Internal Auditor and Provisional Internal Auditor
There is no CPD requirement.
For Provisional Auditor, Auditor, Lead Auditor and Principal Auditor
CPD Log:
You must have completed at least 45 hours of appropriate CPD during the three-year
period immediately prior to renewal of certification. (A maximum of 20 hours
unstructured is permitted unless an exception is agreed with IRCA; see guidance).
Through CPD, you are required to demonstrate your currency of knowledge and skills
through updates in subject areas within the four main categories, as stated in 4.5:

Management system related
Auditing related
Technical knowledge related (eg legislation and regulatory updates).
Soft skills training (eg communication skills, conflict resolution and negotiation,
personal effectiveness, creative problem solving, strategic thinking,
management/business training, team building, influencing skills and the like).
(Not in order of significance)

Note: CPD does not have to be conducted in all categories. You should identify CPD which is
essential to maintaining your currency and effectiveness as an auditor, and CPD that can
enhance your effectiveness as an auditor.

2) Audit experience
We need you to record and submit your audit experience on the audit log sheets
(IRCA/106) that we supply.
For Internal Auditor:

You need to have completed a minimum of five internal audits, the total
duration of which must have been at least 15 hours.

For Provisional Internal Auditor and Provisional Auditor

There is no audit requirement.

For Auditor:

Five audits, two of which must be full system audits. Three of the five audits may be
surveillance or partial system audits.

Audit experience within the three-year certification period shall be not less than eight
on-site audit days. You must have performed these audits within the previous three-year
certification period.

For Lead Auditor:

Five audits, two of which must be full system audits. Three of the five audits may be
surveillance or partial system audits.
A minimum of one full system audit shall be while leading a team that includes at least
one other person (total team of 2 persons minimum).
Note: IRCA may exercise discretion on this requirement, should the auditor have a
substantial and demonstrable history of conducting lead audits.
Audit experience within the three-year certification period shall be not less than eight
on-site audit days. You must have performed these audits within the previous three-year
certification period.

For Principal Auditors:

There is no formal audit requirement, however we strongly encourage you to submit a
record of any audits that you do conduct, to support your application for
recertification. Evidence of continuing involvement in auditing such as the
management of audit programmes, auditor training design or management, audit
standards involvement and/or other responsibility in audit management should be
provided.

3) Additional Requirements
For all grades other than Principal Auditor:
There are no other requirements
For Principal Auditor:
You must submit evidence of continued work experience related to the relevant
management system(s) and evidence of continued involvement in auditing or audit related
activities.
4) Declaration of complaints
We need you to tell us about any complaints made against your professional conduct. It is
important we know of any complaints, as we need to consider these as part of the renewal of
certification process. We will investigate all instances of complaints. If complaints are made
against your conduct and you do not declare them, the consequences will be far more serious
and may result in suspension or withdrawal of your certification.
5) Compliance with the Code of Conduct
We need you to make a declaration that you have always acted in compliance with the Code of
Conduct (see Appendix III).
6) Payment of the annual fee
And finally, we need you to pay the annual fee. Because the fee will be dependent on the grade
we offer you after renewal, we do not ask you to pay this fee until we have completed renewal.
We will write to you with the results of the renewal, enclosing the invoice and fee-due date.
Failure to pay your annual fee within 28 working days of the date of the invoice will result in
your certification being withdrawn, and the removal of your details from the online register.
Once we have received your payment, we will write to you again enclosing your new
certification card.

7. Terms and Conditions


7.1 Appeals and complaints
You have the right to appeal against any certification decision taken by us. We operate a quality
system that includes established procedures for considering appeals and complaints.
7.2 Enforcement of certification
We enforce (ie suspend or withdraw) certification for three reasons:
1) If you fail to meet the certification criteria for the grade to which you are certificated. This
enforcement occurs when you apply to renew your certification. In most cases, withdrawal
will be preceded by an offer of an alternative grade, for a period during which you have the
opportunity to meet the requirements of, and be reinstated to, the grade you originally held
2) If you breach the Code of Conduct. We reserve the right to undertake action against your
certification if we find you to have acted contrary to the Code of Conduct; options available
include suspending or, in instances of serious or sustained breach, withdrawing your
certification
3) If you fail to pay the requisite fees.
7.3 Confidentiality
We undertake to consider as strictly confidential all information, correspondence and
documentation you submit to us in support of your certification activities.
We reserve the right to publish relevant details of each certificated auditor in our register,
available online at www.irca.org.
We reserve the right to disclose details of your certification record to other auditor-certification
and accreditation bodies. We will do so with discretion and only in instances
where we consider withholding this information will compromise the integrity of
certification, eg where we have taken action against (ie suspended or withdrawn) your
certification, and you have applied to another auditor-certification body without fully
disclosing your record while certificated by us.
7.4 Legal status
The certification of auditors by us and all activities associated with the administration of the register
is governed in accordance with English law, and is subject to the exclusive jurisdiction of the English
courts.
7.5 Fees
Fees are set annually and apply to the calendar year (1 January-31 December). Contact us direct or
see www.irca.org for details of current fees applicable for your country.

Application fee: We need you to pay this fee when you send in your application.
Alternatively, we will invoice you on receipt of your application. This fee covers the costs of
the application process and is not refunded if the application is unsuccessful. Failure to pay
this fee will cause a delay in the processing of your application

Annual certification fee: This fee covers the annual cost of administering your certification.
We will normally invoice you for this fee when we first offer you certification following your
application, and each year thereafter, three months before payment is due.

Failure to pay your fees within 28 days of them being due will result in withdrawal of your
certification. Upon receipt of your fee, your card will be issued.

Application for regrade fee: This fee covers the costs of evaluating your regrade. We need
you to pay this when you submit your request and, as with the application fee, the regrade
fee is not refundable. If you are regraded during the year, we will not ask you to pay any
further certification fees for that current year. You may request a regrade at any stage
during the certification period. There is no regrade fee if we regrade you as part of the
(three-year) renewal of certification process.

Except for every third year, when your renewal is due we invoice you after we have completed your
renewal, on the basis that your grade (and fee) may have changed as a result. Upon receipt of
payment, your card will be issued.

Appendix I Part 1
Quality Management System Auditor Scheme
Specific Requirements and Guidance
Scheme specific (additional) requirements
In the sector understanding and work experience sections of the application form, you are required
to demonstrate the following knowledge and competencies:

Knowledge of basic quality management principles
Understanding of quality management tools and techniques that are applied in
organisations that will enable the auditor to assess a quality management system, and
generate audit findings and conclusions
An understanding of an organisation's operational activities and its interactions, to enable
you to understand the relationship with product quality.

The QMS Scheme is based on the auditing key standard:

ISO 9001: Quality management systems - Requirements

Guidance for who this scheme is intended for

Quality management system auditors, such as those employed by third-party certification
bodies/registrars or by purchasing organisations (second-party auditors)
Quality management practitioners, such as quality management consultants, quality
managers and third-party certification managers
Employees conducting quality management system audits within their own organisations
(internal audits).

Appendix I Part 2
Environmental Management System Auditor Scheme
Specific Requirements and Guidance
Scheme specific (additional) requirements
Within the sector understanding and work experience sections of the application form, you are
required to demonstrate the following knowledge and competencies:

Knowledge of environmental aspects and impacts
Ability to judge aspect significance
Knowledge of local environmental legislation
Understanding of methods and techniques of environmental management that enable the
auditor to examine an environmental management system, and to generate appropriate
audit findings and conclusions
Understanding of environmental science and technology that enables the auditor to
understand the fundamental relationships between human activities and the environment
Understanding of technical and environmental aspects of operations that enables you to
understand the interaction of an organisation's activities, products, services and operations
with the environment.

The EMS Scheme is based on the auditing key standard:


ISO 14001: Environmental management systems - Specification with guidance for use (latest issue).
Guidance on who this scheme is intended for

Environmental auditors, eg those employed by third-party certification bodies/registrars or
by purchasing organisations
Environmental practitioners, eg environmental consultants, environmental managers and
other environmental personnel
Employees conducting environmental audits within their own organisation, ie internal
audits.

Appendix I Part 3
Occupational Health and Safety System Auditor Scheme
Specific Requirements and Guidance
Scheme specific (additional) requirements
In the sector understanding and work experience sections of the application form, you are required
to demonstrate the following knowledge and competencies:

Generic auditing skills as detailed earlier in this document (IRCA 1000)
OH&S management methods and techniques that enable you to examine OH&S
management systems, and to generate appropriate audit findings and conclusions
OH&S technical Competencies, such as the management of risk, health and safety activities
in the workplace, including chemical/physical/biological hazards; legal and organisational
factors within the country or area of operation, etc
Acceptable work experience would include:
o Full-time role as manager, supervisor, engineer or technician, involved in technical
aspects of facility operation in compliance with OH&S regulations
o Implementation and maintenance of OH&S or integrated management systems
involving health and safety compliance management
o Monitoring compliance with health and safety law and regulation, on behalf of a
regulating body
o Auditing OH&S management systems on behalf of an accredited certification body
o Assessment of supplier probity against an acceptable OH&S management system
standard on behalf of an employing organisation
o Provision of appropriate consultancy services involving OH&S
o Full-time role relating to the performance of OH&S risk assessment and management of
safety audits of all types (not necessarily system audits).

The OH&S Scheme is based on the auditing key standards:


BS OHSAS 18001: Occupational health and safety management systems. Requirements (latest issue).
HSG65, and BS8800 (latest issues).
Guidance on who this scheme is intended for

Occupational health and safety professionals intending to demonstrate a core competency
in audit management performance
Management systems auditors (eg quality, environmental, IT, etc) who possess a
considerable understanding and knowledge of OH&S issues, and who are able to
demonstrate sufficient competence to participate in OH&S or integrated management
system audits
Occupational health and safety management system auditors who wish to have their
auditing competence recognised.

Appendix I Part 4
Information Security Management System Auditor Scheme
Specific Requirements and Guidance
Scheme specific (additional) requirements
In the sector understanding and work experience sections of the application form, you are required
to demonstrate the following knowledge and competencies:

Knowledge of the range of application for an ISMS
Knowledge of information security-related legislation applicable to the country(s) of
operation
Knowledge of the techniques and tools used in information security management
Understanding of the potential business impacts of ISMS
Understanding the importance of asset and owner identification
Knowledge of control objectives and how these are addressed
Knowledge of risk assessment and identification
Understanding of the threats, vulnerabilities and impacts
Understanding the difference between risk assessment and risk evaluation
Understanding of the methodology of risk treatment, application, residual risk and review of
risk treatment plan
Knowledge of the understanding of the importance of the statement of applicability in the
ISMS, and how it is used
Knowledge of the difference between an IS event and incident.

The ISMS Scheme is based on the auditing key standards:

ISO/IEC 27001:2005 Information technology - Security techniques - Information security
management systems - Requirements
ISO/IEC 17799:2005 Information technology - Security techniques - Code of practice for
information security management
EA 7/03: Guidelines for the accreditation of bodies operating certification/registration of
information security management systems
ISO/IEC 27001:2005 which provides correspondence and alignment with ISO 9001:2000
Quality management systems - Requirements and ISO 14001:2004 Environmental
management systems - Requirements with guidance for use.

Guidance on who this scheme is intended for

ISMS auditors, eg those employed/contracted by third-party certification/registration bodies
and those involved in first or second-party ISMS audits
Information security practitioners, eg information security consultants, IT security managers
and IT personnel
Employees conducting ISMS audits within their own organisation, ie internal ISMS audits.

Appendix I Part 5
Information Technology Service Management System Auditor Scheme
Specific Requirements and Guidance
Scheme specific (additional) requirements
In the sector understanding and work experience sections of the application form, you are required
to demonstrate the following knowledge and competencies:

Knowledge of the role of IT service providers and their responsibilities
Knowledge of the importance of governance in relation to the ITMS
Basic training in IT service management knowledge (eg IRCA will accept the ITIL Foundation
certificate or equivalent training)
Knowledge of ITIL. (IRCA will accept the ITIL Foundation certificate or equivalent training
as satisfying this requirement)
Understanding identification and management via risk analysis applied to ITMS
Understanding of service level agreement (SLA), service management system (SMS), and
service management plans and their interaction
Understanding of release and deployment management and the importance of the agreed
release policy
Understanding configuration management and the importance of configuration items (CI)
Understanding of the service delivery, including continuity and availability, and problem
resolution process
Understanding of the business relationship management and of the importance of SLAs.

The ITSMS Scheme is based on the auditing key standard:

ISO 20000: Information technology - Service management (current edition).

Guidance on who this scheme is intended for

Employees conducting IT service management system audits within their own organisation,
ie internal audits
IT service management system auditors, eg those employed by third-party certification
bodies/registrars or by purchasing organisations
IT service management practitioners, eg IT service management consultants and other IT
service management personnel.

Appendix I Part 6
Business Continuity Management System Auditor Scheme
Specific Requirements and Guidance
Scheme specific (additional) requirements
Within the sector understanding and work experience sections of the application form, you are
required to demonstrate the following knowledge and competencies:

1) Knowledge of business continuity management principles that cover:

BCM policy and programme management
Understanding the organisation impact and risk
Determining BCM strategies
Developing and implementing BCM responses
Exercising, maintaining and reviewing BCM arrangements
Embedding BCM in organisational culture.

Note: IRCA will accept completion of the BCI Certificate Examination (CBCI) as evidence of
the above.
2) Understanding the core processes involved in business continuity management and the
interrelationships that enable you to examine BCMS, and to generate appropriate audit
findings and conclusions
3) Understanding the relationship processes based on business continuity management and
supplier continuity management
4) Understanding resolution processes based on identifying potential threats and impacts, and
handling disruptions and business continuity incidents
5) Knowledge of processes and products, including services, that enable you to comprehend
the business context in which the audit is being conducted
6) Knowledge of relevant standards, regulatory or legal requirements pertaining to BCM, within
the specific sector and geography being audited
7) Understanding the need for BCM to be a top management-led embedded business process,
and the experience to evaluate whether this is being maintained effectively
8) Understanding the nature of continual improvement through the use of top management
leadership, planning and performance evaluation.

The BCMS Scheme is based on the auditing key standard:

ISO 22301: Societal security - Business continuity management - Requirements

Guidance on who this scheme is intended for

BCMS auditors, eg those employed by third-party certification bodies/registrars or by
purchasing organisations
BCMS practitioners, eg senior managers, BCMS consultants and other BC personnel
Employees conducting BCMS audits within their own organisation, ie internal audits.


Guidance on transitioning to ISO 22301 from BS 25999


Please find guidance on transitioning to ISO 22301 from BS 25999 on the scheme page on
the IRCA website: http://www.irca.org


Appendix I Part 7
Energy Management System Auditor Scheme
Specific Requirements and Guidance
Scheme specific (additional) requirements
In the sector understanding and work experience sections of the application form, you are required
to demonstrate the following knowledge and competencies:

Knowledge of energy management and the principles of energy efficiency
Understanding the principles of fuel combustion, heat transfer and energy flow
Understanding the relevant sources of energy regulation, guidelines and standards
Understanding the typical methods and technologies for increasing energy efficiency
Ability to interpret energy measurement units, sources, costs, tariffs and scheduling
Ability to scrutinise energy-use data analysis methods
Ability to analyse energy baselines, energy targets, performance indicators, monitoring
and performance measurement
Understanding the impact of organisational processes and equipment on energy
efficiency
Understanding of methods and techniques of energy management that enable the
auditor to examine an energy management system, and to generate appropriate audit
findings and conclusions.

Note: As a guide, courses such as the Energy Institute's Certificate in Energy Management Essentials
(or equivalent) would meet this requirement, as would higher-level energy management-related
qualifications.
The EnMS Scheme is based on the auditing key standard:
ISO 50001: Energy management systems - Requirements with guidance for use (latest issue).
Guidance on who this scheme is intended for

Energy management system auditors, eg those employed by third-party certification
bodies/registrars or by purchasing organisations
Energy management practitioners, eg energy consultants and other energy personnel
Employees conducting energy management system audits within their own
organisation, ie internal audits.


Appendix I Part 8
Pharmaceutical Management System GMP Auditor Scheme
Specific Requirements and Guidance
Scheme specific (additional) requirements
In the sector understanding and work experience sections of the application form, you are required
to demonstrate the following knowledge and competencies:

Understanding of the lifecycle of a pharmaceutical medicinal product

Knowledge and understanding of pharmaceutical GMPs and the relevant pharmaceutical
legislation, eg EudraLex Volume 4 or the 21 CFR standards associated with them
This should be supported by:
Evidence of successful completion of a GMP awareness training course
or
2 years' demonstrable work experience in a GMP environment

Knowledge and understanding of the pharmaceutical supply chain and the context of
individual suppliers within the globalisation of the pharmaceutical supply chain and the
associated storage and distribution requirements

Knowledge of ICH Q8 (current edition) and the interaction of ICH Q9 risk management
(current edition) and ICH Q10 pharmaceutical quality system (current edition)
This should be supported by:
Evidence of successful completion of a GMP awareness training course
or
2 years' demonstrable work experience in a GMP environment

Understanding of patient risk and general risk management to establish the control strategy
that can include parameters and attributes related to drug substance, finished product,
starting materials and components. This should embody a working relationship with
applicable GMP.

Understanding the requirements of a Pharmaceutical Quality Management System and the
importance of this in maintaining control and facilitating continual improvement throughout
the product lifecycle.

Understanding of the required GMPs for the processes which the auditor is intending to
audit, for example:

An auditor who is responsible for assessing the conformance of suppliers of active
pharmaceutical ingredients must be familiar with EudraLex Vol 4 Part 2: (ICH Q7)
Manufacture of drug substances and ICH Q11 if the drug substances are being
developed as well.

An auditor performing internal audits on behalf of a biotech company must be familiar
with EudraLex Volume 4 (Good manufacturing practice guidelines) and with Annex 2:
Manufacture of biological medicinal products for human use.

Audit requirements:
For Internal Auditor grade, for initial certification, and renewal of certification, all GMP audits will be
accepted, including those that are not full management system audits.
For Auditor / Lead Auditor grade, for initial certification and renewal of certification only full
management system GMP audits will be accepted.
Note: Please indicate on the audit log any audits that are full management system audits.
The Pharmaceutical GMP Auditor Scheme is based on the auditing key standards:
In Europe - The GMP Directive 2003/94/EC and EudraLex Volume 4
In the USA - CFRs Title 21 Parts 210 and 211
ICH Q10: Pharmaceutical quality system (current edition)
ICH Q9: Quality risk management (current edition)
ICH Q8: Pharmaceutical development (current edition)
ICH Q7: Good manufacturing practice guide for active pharmaceutical ingredients
ISO 19011: Guidelines for auditing management systems (current edition)
ISO 17021: Requirements for bodies providing audit and certification of management systems
(current version).
Guidance on who this scheme is intended for:

Internal auditors who conduct full or partial GMP and pharmaceutical quality management
system audits within their own organisation.
Pharmaceutical auditors conducting audits of:
o suppliers of starting materials and packing components
o contract service providers
o manufacturing operations
o packing operations
o testing laboratories
o warehouse and distribution operations
Third Party Pharmaceutical auditors working for clients within the pharmaceutical industry
Pharmaceutical quality practitioners consultants, audit programme managers and other
related personnel

Audits of pharmaceutical operations performed by regulators to ensure compliance


Pharmaceutical auditors working for third-party certification bodies/registrars who complete
full GMP and pharmaceutical quality management system audits of suppliers, including:
o Audits of raw material and component suppliers
o Audits of different phases of the product lifecycle (ie research and development,
clinical trial manufacture, commercial manufacture, distribution and supply, and
product discontinuation)

Note:
If you are seeking auditor training or auditor certification to the PQG supplier standards
for packaging and excipients you should visit the CQI's Pharmaceutical Quality Group's
website for further information.


Appendix I Part 9
Aerospace Quality Management System Auditor Scheme
Specific Requirements and Guidance
Scheme specific (additional) requirements
Within the sector understanding and work experience sections of the application form, all applicants
are required to demonstrate knowledge and competence in the application of aerospace
requirements. This means services and products that have airworthiness, regulatory, legal or
aerospace-specific requirements. It will not be sufficient for you to have experience of products such
as seats and cabin equipment, simple fasteners, general forgings, castings, fabrications or machined
parts that, while used in aerospace applications, are subject to general engineering requirements
rather than the airworthiness requirements detailed below.
You should demonstrate on the form knowledge and competence in the majority of the following
aerospace industry-specific aspects of aerospace industry quality, regulatory and/or military
aerospace requirements:

First article inspection
Airworthiness and safety requirements
Aerospace material traceability requirements
Aerospace subcontractor approval and control
Variation management of key characteristics
Flow-down of aerospace QMS requirements
Foreign object damage/debris (FOD) prevention
Use of customer-supplied products
Calibration controls and positive recall systems
Acceptance authority media
Nonconforming material management
Sampling inspection/statistical process control requirements and limitations
Special processes
Configuration management/requirements control
Aerospace manufacturing techniques
Tool control
Design development verification and validation.

Auditor Training Requirements:


For all aerospace auditor grades, you must have successfully completed (at a minimum) an IRCA
certified QMS auditor training course appropriate to the grade for which you wish to apply.
For all aerospace auditor grades, your work experience must have been within the last 5 years unless
you have successfully completed an aerospace specific auditor course within the last 5 years, such as
the AS 9100 Auditor Training course, in which case your work experience may still be accepted.


Adding additional aerospace scopes to your registration: 9100/9110/9120


Auditors who wish to have the 9100/9110/9120 aerospace auditing scopes added to their
certification shall undertake recognised AQMS 9100/9110/9120 courses in order to have these
certifications. Self study is not acceptable.
Additional Audit Requirements:
For all grades:
If you wish your aerospace certification scopes to include the 9100/9110/9120 aerospace standards,
the audits you submit must cover some or all of these. (Scopes assigned to you will be aligned to the
audits submitted).
CPD Requirements:
For all grades other than Internal Auditor and Provisional Internal Auditor:
45 hours of appropriate CPD must have been completed over the previous three years. A
minimum of 15 hours of this must be directly related to development of specific aerospace industry
or services auditing skills, and address currency of aerospace standards and regulations.
Examples of acceptable ways of keeping up-to-date might include:

Audits in aerospace companies while employed by a certification body or consultant
Attendance on aerospace QMS training courses, such as AS/EN9100, AS/EN9110 and EASA
Part 21 or Part 145
Courses run by aerospace primes for their suppliers, other training courses, or membership
of a quality group run by the CQI or similar.

Guidance on acceptable work experience


Note 1:
Acceptable aerospace experience means employment in an organisation that is an aerospace prime
or major supplier to a prime, designing or producing engine parts, avionics, landing gear, airframe
components or auxiliary equipment, or a repair/maintenance organisation that has one or more of
the following:

AS9100/EN9100 certification
AS9110/EN9110 certification
FAR/EASA Part 21 or Part 145 approval
CAA, JAA or FAA approval to airworthiness standards
ISO 9001, where the applicant can clearly show the experience was not of products such as
seats, fasteners, general forgings, castings or fabrications that, while used in aerospace, are
subject to general engineering requirements rather than the airworthiness requirements
detailed above.
Employment in one of the following is also considered as satisfying the aerospace work experience
requirements:
Civil, military (including armed forces personnel) or space organisations such as a national aviation
authority (NAA), European space agency (ESA), NASA, or a government ministry or department of
defence (MOD/DoD) where the prime responsibility was for aerospace.
Note 2:
For acceptable aerospace experience within the organisation as described in Note 1, the applicant's
role is required to have been related to the Aerospace QMS. Examples would include quality
manager or engineer; production or manufacturing engineer, if involved in setting quality standards
or validating compliance of products or methods of manufacture in accordance with design intent;
design engineer, if working with airworthiness requirements; supplier quality engineers, if evaluating
suppliers' QMS or products in compliance with aerospace requirements; applicants working in a
national aviation authority (NAA), space agency or government department of defence, having
responsibility for monitoring the design, manufacture and procurement of aerospace products from
appropriately approved aerospace prime organisations or suppliers to prime organisations, the
assessment and approval of such organisations' quality management systems and compliance with
airworthiness requirements. Also, armed forces personnel who have direct experience of the repair
and maintenance of military aircraft and associated aircraft systems and subsystems.
The Aerospace QMS Scheme is based on the auditing key standards:
ISO 9001: Quality management systems - Requirements (latest edition)
or
AS/EN/JISQ 9100: Quality management systems - Aerospace - Requirements (latest edition)
or
AS/EN 9110: Quality management systems - Aerospace - Requirements for maintenance
organisations (latest edition).
Note a): AS9120: Quality management systems - Aerospace - Requirements for stockist distributors
also exists, but is not deemed to be comprehensive enough for the IRCA Aerospace Sector Scheme,
and so audits to this standard alone are not acceptable audit experience.
Note b): The IRCA Aerospace QMS Scheme must not be confused with the International Aerospace
Quality Group ICOP Scheme. The IRCA Scheme is not sufficient for auditors conducting certification
audits to the standards referenced above to gain entry on to the OASIS database.

Guidance on who this scheme is intended for

QMS auditors expected to check the effectiveness and compliance with aerospace
requirements, such as those employed by third-party certification bodies/registrars (but not
for ICOP certification), or to conduct second-party audits on behalf of purchasing
organisations, or on behalf of organisations carrying out first-party audits of a size or
complexity beyond the capability of internal auditor grades
Quality practitioners, eg quality consultants, quality managers and other quality personnel
that require the greater understanding or professional standing conferred by the grade
Technical personnel/airworthiness surveyors etc with employment experience with civil
aerospace regulatory authorities and government military aerospace organisations.


Appendix I Part 10
TickIT Auditor Scheme
Specific Requirements and Guidance
Scheme specific (additional) requirements
In the sector understanding and work experience sections of the application form, you are required
to demonstrate the following knowledge and competencies:

Generic QMS auditing competence and skills as detailed in Appendix I - Part 1
An understanding of quality assurance issues in rapid application development
environments, especially those concerning customer involvement, system documentation
and control of non-conforming product
An understanding of the importance of industry-recognised lifecycle methods in computer
system development, how they should be deployed and their relative strengths and
weaknesses.
An awareness of major contemporary issues in software development and quality assurance
both technically and standards-related
An in-depth knowledge of at least one industry-recognised software process (not necessarily
hands-on programming experience) and associated process management techniques
A working knowledge of key lifecycle activities, such as project management, risk
management, requirements capture, feasibility, analysis, design, coding, configuration
management, testing, integration, implementation, operation, support and maintenance
An understanding of the importance of configuration management and change control in
modern software development environments
A broad understanding of current computer system architectures
An awareness of integration issues in hardware/software systems, particularly when bought
in or subcontracted software components are being utilised
A wide knowledge of IT and IT applications/issues, such as database software, embedded
systems, expert systems, real-time systems, data warehousing, communication systems,
networks, web-based system design, information security, safety-critical systems, formal
methods, development tools, etc.

The TickIT Scheme is based on the following standards:


ISO9001, ISO90003, ISO12207, ISO15288 and TickIT Guide (latest issues).
Guidance on who this scheme is intended for
Auditors working in the information technology industry, or in organisations involved in the
development and/or procurement of:

Software products
Products that include software
Software systems that facilitate service provision.


Appendix I Part 11
Food Safety Management System Auditor Scheme
Specific Requirements and Guidance
Important notes:

For Part 1 of this scheme, all of the IRCA auditor grades are available (see table on p.5)
For Part 1 of this scheme, the generic auditor criteria apply (Section 5)
For Part 2 of this scheme, only one grade is available - ISO 22003: Auditor
For Part 2 of this scheme, all the generic criteria for auditor grade apply (see Section 5.2).

Scheme specific (additional) requirements


In the sector understanding and work experience sections of the application form, you are required
to demonstrate the following knowledge and competencies:
For Part 1 of FSMS Scheme:

Experience of working within the food chain, preferably with an understanding of
implementing and/or operating a management system
Understanding the food sciences associated with food safety programmes
Knowledge of relevant key food safety legislation
Understanding prerequisite programmes
Knowledge of relevant good practice guides, such as GMP, GHP, GAP, GVP, etc
Understanding the principles of HACCP, as defined by the Codex Alimentarius
Understanding the principles of food safety risk management and risk mitigation, including
the processes used for determination of risk levels
Understanding of methods and techniques of food safety management that enable the
auditor to examine a food safety management system, and to generate appropriate audit
findings and conclusions.

For Part II of FSMS Scheme


As with Part 1, plus the following:

Acceptable qualifications corresponding to post-secondary education, within general
microbiology and general chemistry, in the category in which you are seeking certification
(see categories below). This may be part of a science-based degree or near degree
qualification, or a separate award by a recognised institution. Each additional category
requires this qualification
For those meeting the training requirements through an FSMS Auditor Conversion course, a
minimum of a one-day course in HACCP principles, hazard assessment and hazard analysis,
and food safety management principles including relevant prerequisite programmes (PRPs) of
the Codex Alimentarius.


Part II: Auditing experience

For initial certification to your first category, you need to have performed a minimum of 12
FSMS audit days and all under the direction and guidance of a Lead Auditor (or similarly
qualified) competent to attest to your competence. The audits must have been conducted
within four different organisations in the category you are applying for
Each additional category requires four FSMS audits under the direction and guidance of a
qualified auditor in the new category.

Part II: Renewal of certification

You need to have completed at least five external audits per year, including at least two
FSMS audits

or
A minimum of four FSMS on-site external audits per year
or
Ten FSMS audit days per year.

The FSMS Scheme is based on the auditing key standards:


Part 1: ISO 22000: Food safety management systems - Requirements for any organisation in the food
chain (latest issue)
Part II: As with Part I, but including additional requirements based on ISO/TS 22003, for auditors
who only carry out third-party certification audits.

Guidance on who these schemes are intended for


Part 1:

Environmental health officers
Quality, environmental or health and safety management systems auditors who possess a
considerable understanding and knowledge of food safety issues, and who are able to
demonstrate competence to participate in food safety or integrated management system
audits
Food safety auditors who wish to have their auditing competence recognised.

Part II:

Auditors conducting third-party audits on behalf of an accreditation or certification body,
and performing audits to ISO 22000 (latest issue) and ISO/TS 22003 (latest issue) or an
acceptable alternative.


FSMS Scheme Part II Food chain categories (as per ISO/TS 22003)

| Category codes | Categories | Examples of sectors |
|---|---|---|
| | Farming 1 (Animals) | Animals, fish, egg production, milk production, beekeeping, fishing, hunting and trapping |
| | Farming 2 (Plants) | Fruits, vegetables, grain, spices and horticultural products |
| | Processing 1 (Perishable animal products, including all activities after farming, eg slaughtering) | Meat, poultry, eggs, dairy and fish products |
| | Processing 2 (Perishable vegetable products) | Fresh fruits and fresh juices, preserved fruits, fresh vegetables and preserved vegetables |
| | Processing 3 (Products with long shelf-life at an ambient temperature) | Canned products, biscuits, snacks, oil, drinking water, beverages, pasta, flour, sugar and salt |
| | Feed production | Animal feed and fish feed |
| | Catering | Hotels and restaurants |
| | Distribution | Retail outlets, shops and wholesalers |
| | Services | Water supply, cleaning, sewage, waste disposal, development of product, process and equipment, and veterinary services |
| | Transport and storage | Transport and storage |
| | Equipment manufacturing | Process equipment and vending machines |
| | (Bio)Chemical manufacturing | Additives, vitamins, pesticides, drugs, fertilizers, cleaning agents and biocultures |
| | Packaging material | Manufacturing packaging material |


Appendix I Part 12
Social Systems Auditor Scheme
Specific Requirements and Guidance
Scheme specific (additional) requirements
In the sector understanding and work experience sections of the application form, you are required
to demonstrate the following knowledge and competencies:

Internationally accepted human rights norms, laws and regulations relating to labour and
ethics issues
Relevant industry codes of practice, legal requirements, guidelines and standards relating to
labour, ethics, health and safety, and environmental issues
Relevant international, national and local judicial systems and legislative frameworks
Relevant social responsibility and labour culture, trade unions, non-governmental
organisations (NGOs) and other interested parties within the country or area of operation.

Auditors are required to have the ability to:

Plan, conduct and report a social systems audit
Communicate responsibly and clearly, both orally and in writing, with personnel at all levels
of an organisation, including workers
Apply methods and techniques to gather and evaluate objective evidence (including payroll)
and determine the conformance of a system designed to meet the audit criteria
Generate accurate, appropriate and responsible audit findings and conclusions
Uphold the principles of proper ethical conduct, fair presentation and due professional care.

The Social Systems Auditor Scheme is based on any of the following audit criteria:

The Worldwide Responsible Accredited Production (WRAP) programme
The Ethical Trading Initiative (ETI) Base Code performed in accordance with the SEDEX
Members Ethical Trade Audit (SMETA) Best Practice Guidance
The current versions of the EICC-GeSI Validated Audit Process (VAP) Audit Criteria, using the
Electronic Industry Code of Conduct (EICC) and performed in accordance with the EICC-GeSI
VAP Audit Operations Manual
Any suitable proprietary scheme that includes the following United Nations (UN) and
International Labour Organization (ILO) Conventions and core management principles.
Relevant UN Conventions:
Universal Declaration of Human Rights adopted and proclaimed by the General Assembly of the United Nations
in resolution 217A (iii) 1948
UN Convention on the Rights of the Child 1924/1959 and 1989
UN Convention on All Forms of Discrimination Against Women 1979
ILO Tripartite Declaration of Principles Concerning Multinational Enterprises and Social Policy 2000


Core ILO Conventions:

ILO Conventions 29 and 105 and Recommendation 35 (Forced and Bonded Labour)
ILO Convention 87 (Freedom of Association)
ILO Convention 98 (Rights to Organise and Collective Bargaining)
ILO Conventions 100 and 111 and Recommendations 90 and 111 (Equal Remuneration for Male and Female
Workers for Equal Value; Discrimination in Employment and Occupation)
ILO Convention 138 and Recommendation 146 (Minimum Age)
ILO Convention 135 and Recommendation 143 (Workers' Representatives)
ILO Convention 155 and Recommendation 164 (Occupational Safety and Health)
ILO Convention 159 and Recommendation 168 (Vocational Rehabilitation and Employment of Disabled Persons)
ILO Convention 177 and Recommendation 184 (Home Working)
ILO Convention 170 (Safe Use of Chemicals)
ILO Convention 110 (includes reference to Provision of Housing for Migrant Workers)
(A total of 185 ILO Conventions are published and others may be relevant)

Core management principles:


The requirement for management commitment, including establishing policies relating to social and labour
issues, and appointing a member of management to be responsible for its implementation
The requirement for defined operational controls to address the audit criteria and relevant industry and
legislative requirements
The requirement for effective organisation controls, definition of documentation, operational controls and
crisis management
The requirement for monitoring and measurement, audits, corrective and preventative action, and
management review
The requirement for improvement based on monitoring and review activities
The requirement for record-keeping to demonstrate that audit criteria are being met.

Note: Audits performed to the standard SA8000, developed by Social Accountability
International (SAI), may also be used to demonstrate audit experience.

Guidance on who this scheme is intended for


Certification to this scheme is generic and relevant to social systems audits performed within any
industry, and therefore does not require any industry sector-specific competencies. There is a
specialist scheme for social systems auditors operating within the electronics industry, which
requires specific auditor training and sector competence as defined within the EICC-GeSI Auditor
Scheme. The purpose of both these Social System Auditor Schemes is to provide confidence that
auditors who are certified are competent to audit for a variety of stakeholders, including:

Purchasing organisations
Supplier organisations
Regulatory authorities
NGOs
Contracted verification agencies.

Note: EICC-GeSI Auditor training courses are accepted for registration onto this scheme.


Appendix I Part 13
EICC-GeSI Auditor Scheme
Specific Requirements and Guidance
Important note: This scheme only has three grades: Provisional Auditor, Auditor and Lead Auditor.
The generic criteria still apply.
Scheme specific (additional) requirements
The certification grades applicable to this scheme are limited and fall into two scopes, as below:

| Grade | Scopes * |
|---|---|
| Provisional Auditor | As a Provisional Auditor you must meet the requirements for at least one of these: Labour and ethics scope and/or Environmental, health and safety scope. |
| Auditor | As an Auditor you must meet the requirements for at least one of these: Labour and ethics scope and/or Environmental, health and safety scope. |
| Lead Auditor | As a Lead Auditor it is mandatory that you meet the requirements for the labour and ethics scope. You may also meet the requirements for the environmental, health and safety scope. |

| * Scope requirements | Labour and ethics scope for all grades | Environmental, health and safety scope for all grades |
|---|---|---|
| Qualifications/experience | Five years general work experience, including either: Two years of relevant labour and ethics work experience or Qualification(s) in a closely related field. | Five years general work experience, including either: Two years of relevant environmental and health and safety systems work experience or Qualification(s) in a closely related field. |
| Auditor training | Either EICC-GeSI Labour and Ethics Lead Auditor course or EICC-GeSI Environmental, Health and Safety Lead Auditor course, plus EICC-GeSI Labour and Ethics Conversion course. | Either EICC-GeSI Environmental, Health and Safety Lead Auditor course or EICC-GeSI Labour and Ethics Lead Auditor course, plus EICC-GeSI Environmental, Health and Safety Conversion course. |

* Note: Only the Labour and Ethics scope is currently available.

Within the sector understanding and work experience sections of the application form, you are
required to demonstrate the following knowledge and competencies:

Internationally accepted human rights norms, laws and regulations relating to labour and ethics
issues
Relevant industry codes of practice, legal requirements, guidelines and standards relating to
labour, ethics, health and safety, and environmental issues
Relevant international, national and local judicial systems, and legislative frameworks
Relevant social responsibility and labour culture, trade unions, non-governmental organisations
(NGOs) and other interested parties within the country or area of operation.

Auditors are required to have the ability to:

Plan, conduct and report an EICC-GeSI audit
Communicate responsibly and clearly, both orally and in writing, with personnel at all levels of
an organisation, including workers
Apply methods and techniques to gather and evaluate objective evidence (including payroll) and
determine the conformance of a system designed to meet the EICC requirements
Generate accurate, appropriate and responsible audit findings and conclusions
Uphold the principles of proper ethical conduct, fair presentation and due professional care.

The EICC-GeSI Scheme is based on the following audit criteria key documents:

Electronic Industry Code of Conduct (current version):


The EICC Code of Conduct establishes standards to ensure that working conditions in the
electronics industry supply chain are safe, that workers are treated with respect and dignity, and
that business operations are environmentally responsible. The EICC Code of Conduct encourages
broad adoption of CSR best practices by all ICT companies and suppliers, through guidelines for
performance and compliance with critical CSR policies. The EICC Code of Conduct is the primary
reference document for the EICC-GeSI Audit Criteria. EICC-GeSI provides the tools for audit
compliance with the code and helps companies report progress, hence the significance of the
following two key criteria documents:

EICC-GeSI Validated Audit Process (VAP) Audit Criteria (current version)
EICC-GeSI VAP Audit Operations Manual (current version)

Guidance on who this scheme is intended for


Certification to this scheme is specific to social systems audits performed within the electronics industry, and
therefore requires industry sector-specific competencies. If you don't meet this requirement and your
experience is in other industry sectors, you will find the IRCA social systems generic scheme more suitable for
your needs. The purpose of this EICC-GeSI Auditor Scheme is to provide confidence that auditors who are
certified to it are competent to audit for a variety of stakeholders:

Purchasing organisations
Supplier organisations
Regulatory authorities
NGOs
Contracted verification agencies.


Background to the EICC-GeSI Auditor Scheme:


The Electronic Industry Citizenship Coalition (EICC) and the Global e-Sustainability Initiative (GeSI) are non-profit organisations composed of members of the information and communications technology (ICT)
industries, collaborating to promote social and environmental responsibility, and shared efficiencies in the
global electronics supply chain. Through their joint efforts, they are committed to upholding strong standards
for labour, ethics, health and safety, environmental impact and management systems in the supply chain. GeSI
and the EICC have introduced a common audit programme intended to save suppliers, and EICC and GeSI
members the time and expense of multiple audits. Suppliers are audited once and can share the findings with
all EICC and GeSI member companies. The audits are carried out by independent auditors, with coordination
and communication managed by an independent audit project manager, to keep relationships between
buyers and suppliers confidential, and prevent anti-competitive behaviour.


Appendix I Part 14
Maritime Auditor Scheme
Specific Requirements and Guidance
Scheme specific (additional) requirements
Within the sector understanding and work experience sections of the application form, you are
required to demonstrate the following knowledge and competencies:

Knowledge of ship management and/or ship operations


Related experience in quality assurance, marine safety or environmental management
Knowledge of relevant maritime legislation/documentation, eg SOLAS, MARPOL, IMDG and
STCW to latest IMO amendments and resolutions
Understanding of methods and techniques of marine management that enable the auditor
to examine a maritime safety management code system, and to generate appropriate audit
findings and conclusions.

Work experience
You must have four years' work experience in any of the positions below:

Master, chief engineer, first mate, second engineer, superintendent or manager engaged in
organising, managing and operating ships, surveying ships, or providing specific marine
consultancy
Deck and engineer officers sailing as chief mate or second engineer, having obtained their
master and/or chief engineer certificates/qualifications
Principal or senior lecturer in a marine college, teaching the above relevant marine courses
and with supporting records of sea service.

Note 1: Sea time is most important, and IRCA will not only review qualifications and work experience
but also records of sea-time experience, so please make sure this is made clear in your application.
Note 2: Experience as a cargo surveyor, shipbuilder, ship designer, ship repairer or a ship inspector is
not acceptable.

Academic qualifications
Applicants are expected to hold at least one of the following:

A degree in Nautical Science, Marine Engineering or Naval Architecture


Under STCW 95 basic training; Deck Officer Certificate II/2 or Engineering Officer Certificate
III/2 or a recognised equivalent.


Auditor training
All applicants must have successfully completed a QMS Auditor/Lead Auditor Training course and a
2-day approved ISM Code Training course OR an approved combined QMS Auditor/Lead Auditor/ISM
Code training course, within a three-year period immediately prior to any application for
certification. Such training courses must meet the requirements of ISO 19011:2011.
Audit experience
Auditor
Requires a minimum of five audits, consisting of a maximum of four against the ISM code for the
issue of the Ship's Safety Management Certificate, and a maximum of two audits for the purpose of
issuing the Document of Compliance for the shipping company. Applicants shall state on their audit
log sheets (IRCA/106) which certificate has been issued for each audit, and further details of at least
five audits shall be included on the Supplementary Audit log form (IRCA/150).
Lead Auditor
Requires a minimum of a further five audits (in addition to those specified above) as team leader,
leading a team of two or more auditors. The overall total of 10 audits shall include one audit (as
team leader) for issuing the Document of Compliance to a company managing a minimum of 10
vessels, or include two audits (as team leader) for issuing the Document of Compliance for
companies managing less than 10 vessels.
Note: Details of the above audits must be included on the Supplementary Audit form IRCA/150.
Renewal of certification
The generic requirements for renewal of certification apply (see Section 6), although all qualifying
audits shall have been performed against a management system that includes all the elements of
the ISM code. In addition to the IRCA/106 audit log sheet, all auditors are required to complete the
IRCA/150 Supplementary Maritime (ISM) audit log form for each audit claimed.
The maritime scheme is based on the following key document:
ISM Code: The International Management Code for the Safe Operation of Ships and for Pollution
Prevention (latest issue).
Guidance on who this scheme is intended for
Maritime auditors, such as those employed by:

Flag administrations

Recognised organisations

Third-party certification bodies/classification bodies/registrars

Charterers, oil majors or P&I clubs.


Maritime practitioners, such as:

Marine consultants

Ship managers

Other marine personnel.

Employees conducting ISM code audits within their own organisation, ie:

Internal audits

Second-party audits.


Appendix I Part 15
SSiP Assessor Scheme
Requirements and Guidance
Important notes:
Not all of the generic criteria apply to this scheme. This is indicated in the requirements below.
This scheme has three grades that differ from the generic IRCA grades. These are Provisional
Assessor, Assessor and Reviewer. There is also a separate application form and assessor log for the
SSiP Scheme (IRCA/4007/11/01 and IRCA/4006/11/1). The scope of certification is general, ie it does
not include any detailed industry sector-specific safety Competencies.
The scheme criteria for initial certification are detailed below:
Education (generic criteria does not apply)
For all grades:

At least to secondary education level


Minimum of NEBOSH General Certificate.

Work experience (generic criteria does not apply)


For all grades:

Five years, or four years with a degree or near degree


Two years of relevant health and safety work experience.

Examples of acceptable work experience include:

A full-time role as manager, supervisor, engineer or auditor involved in technical aspects
of construction-related site work in compliance with OH&S regulations
The implementation and maintenance of OH&S or integrated management systems
involving construction-related site health and safety compliance management
Monitoring compliance on behalf of a regulating body against health and safety laws and
regulations
Auditing construction OH&S management systems on behalf of an accredited
certification body
The assessment of supplier probity against an acceptable OH&S management system
standard on behalf of an employing organisation
Provision of appropriate consultancy services involving OH&S
Full-time role relating to the performance of OH&S risk assessment and management of
safety audits of all types (not necessarily systems audits)
Irrespective of the nature of your job, a key requirement is that you have acquired and
can demonstrate knowledge and understanding of risk assessment and risk mitigation. If
you submit OH&S work experience that is not included in the examples above, you will
need to provide us with evidence that supports your claim that your work experience is
acceptable.


Auditor training (generic criteria does not apply)


For all grades:

Successful completion of an IRCA-certified SSiP Assessor course and examination.

Auditing experience (generic criteria does not apply)


For the Provisional Assessor:

None.

For the Assessor:

You need to have performed at least 10 complete assessments against Core Criteria Stage 1;
this assessment activity must include document review, preparation and performance of the
assessment activities, and assessment reporting. Although we recommend you should
complete all of the assessments under the direction and guidance of an SSIP reviewer, we
acknowledge that for many small SSIP Forum members this will be very difficult and costly to
arrange. Consequently, we will accept a minimum of one assessment under these
conditions. We will require the reviewer to attest to your competence to assess.

For the Reviewer:

In addition to the assessment requirement for the SSIP Assessor grade listed above, you
must have completed five acceptable assessment verifications.

Additional requirements:
For the Reviewer:

You must provide a letter of recommendation from the SSiP Committee

Please note:

For both an assessor and reviewer, assessment verifications must have taken place during
the previous two-year period, and assessments must have taken place during the previous
three-year period. We must be able to verify all assessment and verification experience you
submit in your log sheets
We will only accept assessments that have been performed in accordance with the
requirements of the CDM 2007 ACOP Appendix 4 for Core Criteria Stage 1
Assessments performed against alternative national, international or company standards
may be acceptable, as long as the issues required in Core Criteria Stage 1 are addressed as a
basic minimum
We will accept OHSAS 18011 audits performed by you if the scope of the audit included all
elements of CDM 2007 ACOP Appendix 4 for Core Criteria Stage 1.


Renewal of certification

The renewal of certification process involves five requirements:

Continuing professional development (as per generic criteria)

Assessment experience (generic criteria does not apply)

Declaration of complaints (as per generic criteria)

Compliance with the IRCA Code of Conduct (as per generic criteria)

Payment of the annual fee (as per generic criteria).

Assessment experience

We need you to record and submit your assessment experience on the assessor log sheets
(IRCA/4006) which we supply.

For SSIP Assessor grade:

You need to have completed at least 15 acceptable assessments.

For SSIP Reviewer grade:

You need to have completed at least 15 acceptable assessments, of which at least
five must have been assessment verifications
You must have performed all assessments within the previous three-year
certification period.

Background to the SSIP Scheme


The revised Construction (Design and Management) Regulations, which came into force in April
2007, introduced the Stage 1 Core Criteria for assessing health and safety competence of contractors
and consultants working in the construction industry. The introduction of these competence criteria
provided an opportunity for existing health and safety prequalification schemes to build on and
formalise mutual recognition already in operation amongst some schemes.
The Safe Systems in Procurement (SSIP) Forum (www.ssip.org.uk):

Acts as an umbrella organisation to facilitate mutual recognition between health and
safety prequalification schemes, wherever it is practicable to do so
Actively advises and influences clients about acceptable interpretation and
appropriateness of health and safety competence standards in UK schemes
Embraces the core guidance on competence and training in the Approved Code of
Practice (ACoP) of the Construction (Design and Management) Regulations 2007.


The SSIP Scheme Assessor Certification Scheme:


To have credibility, the SSIP scheme requires competent and consistent assessors. To be efficient
and competitive, SSIP Forum member organisations need competent assessors. The purpose of the
IRCA SSIP Assessor Certification Scheme (SSIP Scheme) is to provide confidence to SSIP Forum
member organisations and contractors/clients using assessed service providers and
organisations/contractors who apply for approval via the SSIP scheme, that assessors certified to this
scheme are competent.
As part of the certification process, we will evaluate you against requirements that reflect the key
skills and attributes that define competence, and which you, the SSIP assessor, need to have and
demonstrate during an assessment process.
The management of health and safety in construction requires that a competency assessment of
organisations (including principal contractors, contractors, designers and CDM coordinators) should
be carried out as a two-stage process:
Stage 1 is an assessment of a company's health and safety organisation and arrangements to
determine whether these are sufficient to enable the organisation to carry out the work safely and
without risk to health.
Stage 2 is an assessment of the organisation's experience and track record to establish that it is
capable of doing the work.
In order to provide more consistency in the way in which competency assessments of companies are
carried out, a set of core criteria has been agreed by industry and HSE. These core criteria are set
out in Appendix 4 of the CDM Regulations 2007.
HSE encourages clients to accept a valid accreditation from any of the SSIP Forum member schemes
as having met Stage 1 of the Core Criteria, and should not then require any further evidence in
relation to Stage 1. The possession of an SSIP Forum accreditation cannot be taken on its own as a
sufficient assessment of competence for a business to commence construction work, and all clients
must ensure that before engaging an accredited business to carry out construction work, a further
Stage 2 assessment of the core criteria will always be needed. This Stage 2 assessment is the
responsibility of the client.

The SSIP Scheme is based on the following key document:


Construction (Design and Management) Regulations 2007.
Guidance on who this scheme is intended for
Individuals and managers carrying out assessments against CDM 2007 Core Competence Stage 1
who wish to have their assessing competence recognised.


Assessor Competencies
Provisional SSIP Assessor and SSIP Assessor grades:
Generic Competencies Assessment, listed by activity:

Activity: Understanding business and safety implications

A1: Establishes and clearly understands the applicant's business and safety risks.
Establishes awareness of the stakeholder expectations including customer expectation and regulator requirements,
especially those associated with safety and safety compliance.

Activity: Plan the assessment

A2: Develops an assessment plan to:
Meet the purpose, scope and criteria of the assessment against Core Criteria Stage 1
Reflect the risks, customer/stakeholder expectations and SSIP requirements
Request additional data when considered necessary, and manages the assessment timeline to accommodate
the receipt of this data
Be aware of and able to prepare for typical problems encountered in assessments (incompleteness, generic
submissions, lack of understanding of requirements, falsification, etc).

Activity: Work process

B1: Operates independently whilst working collaboratively within the company or SSIP membership.

Activity: Opening discussions with applicant

C1: Contacts the applicant in a credible and positive manner that sets the tone for an effective assessment and reporting
dialogue.

Activity: Understand safety needs in the context of the application and apply that knowledge to the
assessment process

D1: Deploys appropriate techniques for assessing top management commitment and involvement in the safety management
and application process.

D2: Applies assessment criteria appropriately to the size, risk and type of business.

Activity: Manage the assessment process

E1: Maintains and monitors the progress of individual assessments against realistic timelines, when the process requires
additional data or clarification of evidence supplied in support of core competence criteria requirements.

E2: Maintains open communication with the applying organisation with respect to assessment progress.

Activity: Gather assessment evidence

F1: Acquires all required information effectively using appropriate techniques, to ensure conformity to the core competence
criteria requirements.

F2: Selects samples and topics that are relevant and commensurate with the safety risks associated with the business
activity or service provided by the applicant.

F3: Remains focused on assessment objectives and is not deflected away from required assessment trails.

F4: Collects information effectively through a variety of means, such as observing and reviewing documents, records and
data, and where necessary interviewing and listening.

F5: Effectively tests the level of compliance and robustness of the applying company's processes.

F6: Demonstrates effective assessment of stated processes via review of supplied inputs, outputs, controls, reviews and
resources.

F7: Analyses data effectively and makes rational judgements.

Activity: Evaluate findings and decide conformity and effectiveness of the safety system

G1: Is aware of and acts upon factors that can affect the reliability of the assessment findings and conclusions.

G2: Evaluates the effectiveness of the system within the context of the business/industry sector.

G3: Evaluates and reports to the applying organisation as to whether the design and implementation of the safety system is
appropriate to the required application, and the advancement of safety standards within the applying organisation.


Generic Competencies Assessment, listed by activity (continued):

Activity: Identify opportunities for use of simplification/best practice beyond conformance

H1: Adopts a value-added approach to the assessment, but does not offer consultancy

Activity: Communicating giving feedback and effective verbal and written responses

I1: Practices effective verbal communication through personal linguistic skills

I2: Discloses and discusses assessment findings openly and honestly with the applicant

I3: Communicates the findings of the assessment in a style that is credible and which is of value to the applying organisation

I4: Makes requests for additional data or clarification in a style that is accurate, easily understood and straightforward to
follow

I5: Writes an assessment report that accurately and succinctly summarises the assessment findings using only verifiable
facts

Activity: Adapting and coping

J1: Adapts to changing circumstances, and is open to new ideas, approaches and methods

J2: Deals with ambiguity

J3: Works productively in high-pressure environments

J4: Keeps emotions under control, handles criticism well and learns from it

SSIP Reviewer Grade


In addition to the Competencies for a Provisional Assessor and Assessor, a Reviewer also needs the following
Competencies:

Generic Competencies Assessment, listed by activity:

Activity: Ensure assessments are appropriate

K1: Appropriately samples the assessment process to confirm consistency

Activity: Confirm assessors are competent

L1: Reviews assessors' outputs to confirm standard assessment across the scheme

L2: Identifies and provides necessary assessors of CPD

L3: Identifies any trends with specific assessors

Activity: Resolve complaints and disputes

M1: Reviews the complaint or dispute fairly and without pre-judgement

M2: Concludes the investigation in a thorough and appropriate manner


Appendix II
Definitions
Audit
A systematic, independent and documented process for obtaining audit evidence and evaluating it
objectively, to determine the extent to which audit criteria are fulfilled.
Auditee
The organisation being audited.
Audit client
The person or organisation requesting an audit.
Audit team
Two or more auditors performing an audit, one of whom is appointed as leader.
Lead audit
An audit where the auditor performed the audit whilst leading a team of at least one other auditor.
Sole audit
An audit where one auditor performed all phases of the audit.
First-party audit
An audit performed within an organisation by that organisation's own auditing resource. Also
referred to as an internal audit.
Second-party audit
An audit of contractors/suppliers undertaken by, or on behalf of, a purchasing organisation. This
may include the audit of companies or divisions supplying goods or services to others within the
same group. Also referred to as a supplier audit.
Third-party audit
An audit of an organisation performed by a body that is independent of the organisation being
audited, eg certification body or registrar.


Appendix III
IRCA Code of Conduct
It is a condition of certification that you agree to act in accordance with, and be bound by, the
following Code of Conduct:
a) To act in a strictly trustworthy and unbiased manner in relation to both the organisation to
which you are employed, contracted or otherwise formally engaged (the audit organisation), and
any other organisation involved in an audit performed by you or by personnel under your direct
control
b) To disclose to your employer any relationships you may have with the organisation to be audited
before undertaking any audit function in respect of that organisation
c) Not to accept any inducement, gift, commission, discount or any other profit from the
organisations audited, from their representatives or from any other interested person, or
knowingly allow personnel for whom you are responsible to do so
d) Not to disclose the findings, or any part of them, of the audit team for which you are responsible
or of which you are part, or any other information gained in the course of the audit, to a third
party, unless authorised in writing by both the auditee and the audit organisation to do so
e) Not to act in any way prejudicial to the reputation or interest of the audit organisation
f) Not to act in any way prejudicial to the reputation, interests or credibility of the IRCA

g) In the event of any alleged breach of this code, to cooperate fully with any formal enquiry
procedure.
