1.0 Purpose

To document, establish, implement and maintain the system for conducting the audit of a multi -site organization, in accordance with requirements ISO/IEC 17021-1:2015 and IAF Mandatory Document for the Certification of Multi-Sites Based on Sampling, IAF MD 1:2007.

2.0 Scope

This procedure is applicable to the audit of a multi-site  and does not apply to organizations that have multi-sites where fundamentally different processes or activities are used at different sites or a combination of sites, even though they may be under the same management system. This procedure is applied to all types of audits; initial, surveillance and re-certification, of a multi site organization.

3.0 Responsibility

Operations Manager

4.0 Policy & Procedure

AMERICO policy is to audit each sites under the scope of certification and do not use multi site  policy for audit. However AMERICO has procedure in place in case of such multisite audit is required in extreme conditions which will be carried out only after approval of Director Certifications.

4.1 General Requirements 

4.1.1. Multi-site organization is defined as an organization having an identified central function (central office) at which certain activities are planned, controlled or managed and a network of local offices and branches (sites) at which such activities are fully or partially carried out. Examples of possible multi-site organizations are,:

a.     Organizations operating with franchises

b.    Manufacturing companies with a network of sales offices (applying to sales network)

c.     Service organizations with multiple sites offering a similar service

d.    Companies with multiple branches

4.1.2. A multi site organization need not be a unique legal entity, but all sites shall have a legal or contractual link with the central office and be subject to a common management system. The management system is laid down, established and subject to continuous surveillance and internal audits by the central office. This means that the central office has rights to ensure that the sites implement corrective actions when needed at any site.

4.1.3. The processes at all the sites have to be substantially of the same kind and have to be operated to similar methods and procedures. Where some of the sites under consideration conduct similar, but fewer processes than others, they may be eligible for inclusion provided that the site or sites, which conduct most processes or critical processes, are subject to full audit. All the sites shall be in the same country.

4.1.4. Organizations, which conduct their business through linked processes in different locations, are also eligible for sampling under multi-site. Where processes in each location are not similar but are clearly linked, the sampling plan shall include at least one example of each processes conducted by the organization (e.g. fabrication of electronic component in one location, assembly of the same components – by the same company in several other locations)

4.1.5. The organization’s management system shall be under a centrally controlled and administered plan and be subject to central management review. All the relevant sites including the central office shall be subject to the organization’s internal audit program and all sites have been audited prior to certification audit. Following certification an internal audit shall be done at each site within the certification period.

4.1.6 The central office has established management system in accordance with the relevant ISO and/ or other international management system standards and the whole organization meets the requirements of the standard including relevant legal regulations

4.1.7 The organization should demonstrate its ability to collect and analyze data (system documentation and changes, management review, complaints, corrective actions, internal audit, legal requirements etc) from all sites including the central office and its authority and also demonstrate its authority and ability to initiate organization changes if required.

4.1.8 If all the sites of an organization where the activity subject to certification is performed are not ready to be submitted for certification at the same time, the organization shall be required to inform AMERICO in advance of the sites that it wants to be included in the certification and those which are to be excluded

4.2 Audit process 

4.2.1. Multisite Organization: 

 In case of a multi-site organization the application review & agreement are conducted as per procedure. At this stage the review shall identify the following,

 a]. The complexity and the scale of the activities covered by the management system and any differences between sites as a basis for determining the level of sampling.
b]. Identify the central function of the organization with which AMERICO has a legally enforceable agreement for the provision of certification.
c]. To what extent sites of an organization operate substantially the same kind of processes according to the same procedures and methods.
d]. Are all the sites included in the certification are ready to be submitted for certification at the same time. Sites not ready shall be excluded from the scope of certification

4.2.2. The planning & preparation for audit including selection of audit team are done as per documented procedure in procedure manual.

4.2.3The audit of the multi-site including stage-1 and stage-2 audit is performed as per the procedure for initial audit AMERICO/PR/03. If more than one audit team is involved in the audit, AMERICO shall designate a unique audit leader whose responsibility is to consolidate the findings from all audit teams and to produce a combined report

4.2.4The central office and the sites selected are audited as per this procedure.

4.2.5 Whenever any non-conformity is found at an individual site, either through the organization’s internal auditing or auditing by AMERICO, the auditor shall investigate whether it leads to a system deficiency affecting all other sites or limited to the particular site only. If it is found a system deficiency correction and corrective action should be performed both at central office and at the individual sites. If the corrective action is found limited, to only the site where the nonconformity has been reported, the auditor should seek the justification for limiting its follow up corrective action.

4.2.6. The auditor shall verify the evidence of these actions and accordingly increase its sampling frequency and / or the size of the sample until it is satisfied that the control is re-established.

4.2.7 At the time of the decision making process, if any site has nonconformity pending the certification shall be denied to the whole network pending satisfactory corrective action.

4.2.8 If any site has nonconformity; the exclusion of that problematic site from the scope is not permitted at this stage. Such exclusion should have been agreed before the certification as stated in 4.2.1 (d).

4.3 Certification Document 

4.3.1. The certification documents are issued as per AMERICO/PR/03.The sites included in the certificate are either individually audited or audited as per sampling scheme outlined in section 4.4

4.3.2 These documents shall identify the central office and a list of all sites to which the certification document relate. This document shall indicate clearly the certified activities performed by the network of sites on the list. If the certification scope of the sites is only issued as part of the general scope of the organization, its applicability to all sites shall be clearly stated.

4.3.3.The certificates may be issued to the organization for each site under condition that they contain the same scope or sub-scope of that scope and make a clear reference to the main certification document.

4.3.4. AMERICO shall withdraw the entire certificate if the central office or any of the sites does not fulfill the necessary provisions for the maintenance of the certification.

4.3.5. AMERICO shall inform the organization, about additional requirements for granting multi- site certification and this document shall be sent along with the quotation (AMERICO/PR/03). This document shall also be made publicly available on the AMERICO web site.

4.3.6. AMERICO shall grant additional sites to the existing certification either through the routine surveillance , special audit  or re-certification audit . Sampling for the additional sites shall be done as specified in section 4.4 & 4.7 

4.4 Sampling 

4.4.1. Methodology

4.4.1.1 Part of the sample shall be selected based on factors stated in section 4.4.1.3. & partly non selective and should result in a representative of different sites selected, including the random element of sampling.

4.4.1.2 At least 25% of the sample should be selected at random

4.4.1.3 The site selection may include among others the following aspects,

1.     The sizes of the sites and the number of employees (e.g. more than 50 employees on a site);

2.     The complexity or risk level of the activity and of the management system

3.     Variations in working practices (e.g. shift working);

4.     Variations in activities undertaken;

5.     Records of complaints and other relevant aspects of corrective and preventive action;

6.     Any multinational aspects;

7.     Results of internal audit and management review.

4.4.2.6. When the organization has a hierarchical system of branches (e.g. Head or central office, National Offices, regional offices, local branches), the sampling model for the initial audit as defined above applies at each level. For example, (for other management systems)

1.     1 Head office: visited at each audit cycle (initial or surveillance or re-certification)

2.     4 national offices: sample =2: minimum 1 at random

3.     27 regional offices: sample=6: minimum 2 at random

4.     1700 local branches: sample=42: minimum 11 at random

4.5. Audit times

4.5.1. AMERICO shall justify the time spent on multi-site audits in Audit time estimation sheet and the number of man days per site, including central office shall be calculated as per procedure AMERICO/PR/01

4.5.2. AMERICO may apply reduction in auditor time  taking into account clauses that are not relevant to the central office and /or the local sites and shall record the reasons for the justification of such reductions in Multisite registerf. The sites, which carry out most or critical processes, shall not be subject to reductions.

4.5.3. The total time spent on initial assessment and surveillance is the total sum of the time spent at each site plus the central office and should never be less than that which would have been calculated for the size and complexity of the operation if all the work had been undertaken at a single site (i.e. with all the employees of the company in the same site)

4.6. Temporary site

4.6.1. A temporary site is one set up by an organization in order to perform specific work or a service for a finite period of time and which will not become a permanent site (e.g. construction site)

4.6.2. Temporary sites that are covered by the organization’s management system may be subject to audit on a sample basis to provide evidence of the operation and effectiveness of the management system

4.6.3. If the organization desires to include the temporary sites within the scope of certification AMERICO shall do so under an agreement with the client organization. Where included in the scope such sites shall be identified as temporary.

4.7. Additional sites

4.7.1. It is a new site or group of sites that will be added to an existing certified multi-site network

4.7.2. On application of a new group of sites to join an already certified multi site net work, each new group of sites should be considered as an independent set for the determination of the sample size as per the steps detailed in sections 4.4.1 & 4.4.2.

4.7.3 After inclusion of the new group in the certificate, the new sites should be cumulated to the previous ones for determining the sample size for the future surveillance or re-certification audit

Multisite for ISO 45001:2018 ( AS PER IAF MD 22)

Sampling for multiple sites will depend upon

1. Risks associated  with the nature of activities
2. Processes carried out at each site included in scope of certification

Audit time for such instances will be carried out as per B.10 in Appendix B of IAF MD 22

Where there are multiple sites not covering the same activities, processes and OH&S risks, sampling is not considered

Although a site performs similar processes or manufactures similar products to other sites, the CAB shall take account of the differences between the operations of each site (technology, equipment, quantities of hazardous materials used and stored, working environment, premises ).

When sampling is permitted the CB shall ensure that the sample of sites to be audited is representative of processes, activities and OH&S risks that exist in the organization to be audited.

Multisite for iso 27001

Americo does not conduct multisite audits for iso 27001 . However the procedure is maintained in case of requirements of the same in extreme conditions

Incase client has multiple sites, sample based approach will be used by AMERICO

a) all sites are operating under the same ISMS, which is centrally administered and audited and subject to central management review;

b) all sites are included within the client’s internal ISMS audit programme;

c) all sites are included within the client’s ISMS management review programme.

For getting multisite benefit,AMERICO shall consider below factors

a) The initial contract review identifies, to the greatest extent possible, the difference between sites such that an adequate level of sampling is determined.

b) A representative number of sites have been sampled by the certification body, taking into account:

 1) the results of internal audits of the head office and the sites;

2) the results of management review;

3) variations in the size of the sites;

4) variations in the business purpose of the sites;

5) complexity of the information systems at the different sites;

 6) variations in working practices;

variations of design and operation of controls;

9) potential interaction with critical information systems or information systems processing sensitive information;

            10)  any differing legal requirements;

            11)  geographical and cultural aspects;

12) risk situation of the sites;

13) information security incidents at the specific sites.

c) A representative sample is selected from all sites within shall be based upon judgmental choice to reflect the factors presented in item b) above as well as a random element.

d) Every site included in the ISMS which is subject to significant risks is audited by the AMERICO prior to certification.

e) The audit programme will be designed in the light of the above requirements and covers representative samples of the scope of the ISMS certification within the three year period.

f) In the case of a nonconformity being observed, either at the head office or at a single site, the corrective action procedure applies to the head office and all sites covered by the certificate.

The audit shall address the client’s head office activities to ensure that a single ISMS applies to all sites and delivers central management at the operational level. The audit shall address all the issues outlined above.

Food safety mgmt system – iso 22000 multisite requirements

Americo does not conduct multisite FSMS audits but audits each site individually.  However requirements in case of extreme conditions of conducting multiside audits are documented as below.

Sampling of multi-site organizations shall cover all activities as per below criteria. AMERICO shall demonstrate that the sampling of sites does not undermine effective auditing. When multi-site sampling is undertaken, AMERICO shall justify and document the rationale based on the following conditions:

Where multi-site sampling is permitted, AMERICO ensures (e.g. via contractual arrangements) that the organization has conducted an internal audit for each site within one year prior to certification and when applicable the effectiveness of corrective actions shall be available. Following certification, the annual internal audit shall cover all sites of the organization included in the certification scope of the multi-site organization and ongoing effectiveness of corrective actions shall be demonstrated

Where multi-site sampling is permitted, AMERICO defines and utilize a sampling programme to ensure an effective audit of the FSMS where the following conditions apply.

a)  At least annually, an audit of the central function for the FSMS shall be performed by the certification body prior to the sampled site audits.

b)  At least annually, audits shall be performed by the certification body on the required number of sampled sites.

c)   Audit findings of the sampled sites shall be assessed to ascertain if these indicate an overall FSMS deficiency and therefore can be applicable to some or all other sites.

d)  Where audit findings of the sampled sites are considered indicative of the entire FSMS, corrective actions shall be implemented accordingly.

e)  For organizations with 20 sites or fewer, all sites shall be audited.

AMERICO increases the size of sample or terminate the site sampling where the FSMS subject to certification does not indicate the ability to achieve the intended results.

The sample is partly selective and partly random and shall result in a representative range of different sites being selected, ensuring all processes covered by the scope of certification will be audited.

At least 25 % of the sample shall be selected at random. The remainder shall be selected so that the differences among the sites selected over the period of validity of the certification are as large as possible.

The site selection shall consider, among others, the following aspects

a)   results of internal audits, management reviews or previous audits;

b)   records of complaints, product withdrawals/recalls, and other relevant aspects of corrective action;.

c)   variations in the site characteristics;

other relevant changes since the last audit.

If any site has a major nonconformity and satisfactory corrective action have not been implemented in the agreed time frame, certification shall not be granted or maintained for the whole multi-site organization pending satisfactory corrective action.

Americo has identified and included in the scope of certification the processes of the FSMS implemented at each sampled site.

For ISO 37001:2016 , Multisite audit is not conducted by Americo and each site is audited separately.