Audit Process Overview

Overview
Emagine Compliance is committed to impartiality and with complying to ISO/IEC 17021:2015  for ISO/IEC 27001. The following disclosures demonstrate our commitment to impartiality, independence, and building trust with our customers and stakeholders in the work that we do.

‍Audit and Certification Process
‍Emagine Compliance offers certification services that fully comply with all relevant standards. Our process is clearly outlined for prospective customers, covering key stages of the audit and the certification journey, while also informing them of their rights and obligations during both the application process and post-certification activities.

General Requirements
‍Emagine conducts thorough impartiality reviews for all new and existing client engagements. To maintain independence, we prohibit certification services in these situations:

- When the relationship compromises impartiality, including certification requests from Emagine subsidiaries
- For other certification bodies
- For organizations that received our management system consulting within the past two years
- For clients using our internal audit services
- Where management system consulting or internal audits create partiality concerns
- Using consultants in certification activities within two years of their consulting work

Scoping and Planning
‍Before developing the audit plan, clients complete an
assessment questionnaire covering:

- Audit parameters and desired certification standards
- Organizational scale, complexity and locations
- Third-party relationships and outsourced functions
- Prior consulting engagements
- Past audit findings, when applicable
- Preferred timing and project schedule

To prepare an effective audit plan, Emagine requires each certification applicant to complete an initial assessment covering:

- Target certification scope and standards

- Organization profile (size, locations, complexity)
- External partnerships and service providers
- Previous consulting relationships
- Historical audit findings
- Timeline preferences and scheduling needs

Based on the assessment, Emagine evaluates certification readiness. We proceed with certification contracts when:

- Client information is sufficient for audit execution
- Certification requirements are documented and acknowledged
- All parties align on expectations
- We’ve confirmed our capability to perform the audit
- Scope, locations, and timing requirements are feasible
- Records of these evaluations are maintained for verification.

If we decline an application, the prospect receives written notification within four weeks explaining our decision. For approved engagements, we use questionnaire responses to schedule audits and assign team members. New clients receive comprehensive information about:
‍
- Certification process
- Maintenance audit requirements
- Appeals and complaints procedures
- Standard business terms

This information, along with contractual agreements for ISO certification services, is documented in the SOW
- Upon signed agreement, clients receive planning documents including:
- Detailed audit testing plan
- Key dates and deadlines
- Assigned audit team roster

Audit Management
Emagine's standardized audit plan includes: 

- Detailed task assignments for team members
- Scheduled interview and testing dates
- Flexibility for timeline adjustments

Auditor Requirements:
- Review organization's management system doucmentation
- Verify compliance with certitifcation scope
- Evaluate implementation effectiveness
- Report findings and areas for improvement
- The plan allows adequate preparation time while maintaining audit objectives
‍
Sampling
Emagine follows IAF MD-1 sampling methodology for multi-site assessments. Sample size and location requirements are determined base on site function and management system standards.

Non-Conformities
Audit teams promptly communicate nonconformities to client personnel. Clients must then: 

- Analyze and document issues
- Develop corrective actions
- Perform root cause analysis
- Create remediation timeline
- Provide evidence of fixes

Emagine reviews submitted corrective actions to determine if additional testing is needed. If required, clients receive notification of supplemental audit scope and timing. All retesting results are documented internally.

Audit Deliverables
‍Upon completing each audit stage (certification, surveillance, or recertification), Emagine provides comprehensive written reports. The lead auditor includes either a certification recommendation or detailed explanation for withholding certification. Reports undergo rigorous review by our certification decision maker, who evaluates:

1. Nonconformity Resolution Effectiveness of corrective actions
Evidence of systematic management standard failures  
Impact on system performance capabilities  
Verification of implemented fixes

2. Documentation Requirements
- Completeness of audit evidence  
- Alignment with certification scope
- Compliance with standards

Certificate Issuance
Following approval from the decision maker, all certificates undergo Emagine’s quality assurance review. Final certificates are issued in accordance with relevant normative standards, ensuring the highest level of certification integrity.

Certification Cycles
Certifications are not a one-time event, but a continuous three-year cycel that follows the following cycle.

Initial Certifications

Stage 1 - Information gathering and analysis. Identification of nonconformities.
Stage 2 - Tests of operating effectiveness.

Stage 2 will be scheduled to be performed no less than one month and no more than nine months following the completion of Stage 1.

Surveillance Audits
Surveillance audits verify ongoing compliance with ISO standards after initial certification. These periodic assessments ensure organizations maintain certification requirements and continue to meet the standard’s controls and objectives throughout their certification period. Need to take place no more than 12 months from the previous audit.

Recertification Audits
At the end of 3 years this audit is completed and is similar to the detail and intensity of the initial certification. It’s a review of operating effectiveness, processes and commitment to continual improvement.
‍
STAGE 1
‍Stage 1 evaluates your management system framework. Emagine typically conducts portions of Stage 1 at client locations, beginning with an opening meeting to align audit objectives. Our comprehensive review process includes:

Framework Evaluation
- Reviews management system documentation
- Assesses site conditions and operational environment
- Evaluates standard requirements comprehension
- Examines key processes and performance indicators

Information Gathering
- Documents system scope and processes
- Reviews regulatory compliance requirements
- Maps operational risks and controls
- Evaluates resource requirements for Stage 2

Readiness Assessment
- Verifies internal audit processes
- Confirms management review procedures
- Determines Stage 2 preparation status
Results Communication

The Stage 1 assessment concludes with:
- Documented findings and potential nonconformities
- Stage 2 timeline planning
- Formal closing meeting
- Detailed readiness evaluation

The interval between Stage 1 and Stage 2 is determined collaboratively based on organizational readiness and assessment findings.

STAGE 2
Emagine conducts comprehensive testing through either on-site or remote assessment to verify:
- Framework implementation
- Control design effectiveness
- Operational compliance
- Management system performance

Each standard undergoes thorough evaluation against specific requirements to confirm both compliance and operational effectiveness.Results Communication Upon completion, our audit team:

- Conducts detailed closing meeting
- Presents conformity findings
- Addresses client questions
- Reviews identified issues
Certification Decision Process:

Our team analyzes evidence from both stages to prepare certification recommendations. The decision package includes:
- Detailed audit report
- Nonconformity analysis and remediation status
- Application information verification
- Formal recommendation with conditions or observations
Timeline Commitments
- Certification decision provided within 4 weeks of Stage 2 completion
- Major nonconformities must be resolved within 6 months
- Unresolved major findings require additional Stage 2 assessment

Final certification recommendations consider audit findings, conclusions, and relevant external information, ensuring a comprehensive evaluation of your management system.