Soil Association Certification Ltd
Forestry Sector
Technical Update
COC Internal Audits Covid 19 – updated
This technical update should be kept with your auditor guidance manual
(GM-COC-01) until the next version of the manual is released.
Relevant section(s) of guidance manual(s) affected: COC Auditing Multisites and Groups – Internal Audits.
Prepared by: Meriel Robson
Date (and effective date if different): 24/3/2020
Updated 19.5.2020
Updated 18/6/2020
Subject(s): Internal audits by MultiSite and Group Certificate Holders
Circulation: SA Staff, Agents, all COC Auditors. Relevant Certificate Holders
Reason for update: FSC and PEFC have issued guidance on replacing on-site internal audits with remote audits due to Covid-19 restrictions. This has now (16/6/2020) been updated by FSC with further guidance on remote internal audits of new participating sites by the Central Office.
Certificate Holders: please follow the advice below and stay safe and well, working remotely where possible. Soil Association Auditors will also be working remotely in our own audits and will be contacting you to make arrangements for this in efforts to keep your certificates valid where possible.
Reference or Background Documents: PEFC Guidance for chain of custody audits v 4
FSC: INT-40-003-05 updated 15/6/2020
FSC-DER-2020-005 updated 15/6/2020
Clause 5.3.5 states that desk/remote audits may be carried out for Participating sites where they are:
a) Trading in finished and labelled products (e.g. retailers); or
b) Trading products without taking physical possession of products (e.g. traders); or
c) Exclusively handling certified products made of a single input material (e.g. the whole site production is FSC 100%).
Relevant information on this is contained in the advice below.
*The amended derogation gives additional scenarios where remote internal audits may be carried out.
Appended: RT-COC A3.1 TAB – A3 v.2 FSC-DER-2020-005 PEFC V5-0 Risk Assessment Table
Actions:All relevant Certificate Holders shall follow this guidance if they wish to apply this derogation. See next pages.
Note Certificate Holders need to supply the A3 Risk Assessment table to SA Cert, and gain approval, prior to new sites being added.
Certification Staff: This Risk Assessment then requires approval by SA Cert, kept on file, and processed as a change of scope in our Woody database, choosing the option ”Group member or site list changes WITH REMOTE INTERNAL AUDIT”
Details: FSC:
1. The coronavirus (COVID-19) pandemic justifies applying the option of desk audits (remote audits) not only in the cases as per 5.3.5 of the Standard, but in ALL cases in situations where:
a. the Participating Site is in an area with a health risk (demonstrated through verifiable public sources, e.g. official travel warnings or restrictions) due to coronavirus, or
b. Central Office auditors are prevented from conducting an on-site audit due to travel restrictions imposed by organizational (certificate holder/Central Office) health and safety policies or public authorities.
2. In addition to the option of conducting the internal audit as desk audits (remote audits), the Central Office may also consider postponing the internal audit, but not beyond the end of 2020.
3. For new applicant sites, the initial internal audit may be replaced by desk (remote) audits in cases:
a. the new applicant sites are already meeting the existing requirements of Clause 5.3.5, or
b. the Central Office and the applicant sites meet the requirements specified in FSC-DER-2020-005 then the initial internal audit may be replaced by desk (remote) audits.
If 3b is applied, the following conditions also apply:
i) The Central Office shall conduct a risk assessment of each applicant according to the scenarios/ factors provided in Annex A of FSC-DER-2020-005* to determine the option of conducting a fully remote audit (low risk), a partially remote audit (medium risk), or if a mandatory on-site audit is required (high risk).The risk assessment is to be undertaken at the level of each new applicant site.
• *note SA Cert template “RT-COC A3.1 TAB – A3 v.2 FSC-DER-2020-005 PEFC V5-0 Risk Assessment Table” must be completed by the Central Office and submitted to SA Cert for approval prior to the site being added.
ii) When an applicant falls into more than one risk category, the Central Office shall adopt the precautionary approach and apply the audit type of the higher category.
iii) The risk assessment by the Central Office shall be approved by their certification body prior to conducting remote audits.
iv) Applicants with medium risk shall be audited in a two-stage audit process: A Stage 1 initial desk audit which can lead to inclusion in the FSC group/multi-site certificate, followed by a Stage 2 on-site audit, to be undertaken when the related health risks have abated and/or travel restrictions are no longer applicable or at the first annual audit (see Clause below), whichever is earlier. Stage 2 audit shall cover the factors which lead to the medium risk categorization and include requirements whose compliance cannot be verified though a remote audit or which require an on-site follow-up to verify compliance once processing of FSC material starts.
v) In case the Stage 2 audit cannot be undertaken until the time of the first annual audit (due to health risks and/or travel restrictions), the stage 2 audit shall be replaced by the full surveillance evaluation, which shall be conducted as an on-site audit.
vi) Central office and applicant sites shall:
– have the technical and operational capacity to conduct audits remotely, and
– agree on a secure and confidential data transmission and
– ensure the availability of key staff.
4. The Central Office shall retain documented evidence for each case where this interpretation has been applied.
NOTE: As soon as travel restrictions have been lifted, internal audits shall be conducted as per regular audit procedures.
PEFC:
For an internal audit in a multi-site organisation the following rules apply:
The on-site internal audit may be replaced by other audit techniques, such as documentation and records review, and the period between on-site internal audits shall not exceed two years (plus three months) where:
a. the internal auditor can justify that the audit techniques used deliver sufficient confidence in the certified entity’s compliance with the certification criteria; and
b. no nonconformity was raised during the previous initial, surveillance, recertification or internal audit or the corrective action for the nonconformity can be clearly verified by other audit techniques; and
c. the multi-site members provide the internal auditor with all the records required to be kept by the Chain of Custody standard or a list of all the records that allows the certification body to establish an independent sampling; or
d. the submitted records provide sufficient evidence that the multi-site member has not procured raw material and has not sold any product with a PEFC claim since the last audit.
