Execution of Initial audit

The audit plan are communicated and the dates of the audits is   upon, in advance, with the client organization. The three-year certification cycle begins with the initial assessment programme executed in two stages Stage-I & stage-II. With the subsequent surveillance audit on annual basis in the first and second year of the registration of the client. Before expiry of the registration period 2 months prior the operations manager issues a notification for recertification. The determination of the audit programme and any subsequent adjustments considers the size of the client organization decide the audit programmes. and the scope and complexity of its management system, products and processes as well as demonstrated level of management system effectiveness and the result of any previous audit. Where the MERLION is taking account of certification or other audits already granted to the client, it collects sufficient, verifiable information to justify and record any adjustments to the audit programme. 

  • The MERLION provides a written report for each audit. The report is based on relevant guidance provided in ISO/IEC 17021-1:2015. The audit team may identify opportunities   for improvements but does not recommend specific solution. Ownership of the audit report is maintained by the MERLION.
  • The MERLION requires the client to analyse the cause and describe the specific correction and corrective action taken, or planned to be taken, to eliminate detected nonconformities, within a 10 working days of audit.
  • The MERLION reviews the correction and corrective action submitted by the client to determine if these are acceptable.
  • The audited organization is informed if any addition full audit, an additional limited audit, or documented evidence ( to be confirmed during future surveillance audits) is needed to verify effective correction and corrective action.
  • The MERLION ensures that the persons or committee that make the certification or recertification decision are deferent from those who carried out the audits.
  • The MERLION confirms, prior to making a decision that,
  • The information provided by the audit team is sufficient with respect to the certification requirements and the scope of certification.
  • It has reviewed, accepted and verified the effectiveness of correction and corrective action, for all nonconformities that represent failure to fulfil  one or more requirements of the management system Standards, or a situation that raises significant doubt ability of the clients management    

       System to achieve its intended outputs. it has reviewed and accepted the Clients planned correction and corrective action for any other Nonconformities.

The MERLION provides the name of and, when requested, make available background information on each member of the audit team, with sufficient time for the client organization to object to the appointment of any particular auditor or technical expert and for the certification body to reconstitute the team in response to any valid objection.

Initial Audit and certification

The MERLION requires an authorized representative of the applicant organization to provide the necessary information; The Marketing manager of MERLION sends the application form to the applicant client organization or if possible personal visits and gather the following information:

to enable it to established the following:

  1. the desired of the certification
  2. the general feature of the applicant organization, including its name and any relevant legal obligation;
  3. general information, relevant to the field of certification applied for, concerning the applicant organization such as its activity, human and technical resources, functions and relationship in a larger corporation, if any;
  4. Manpower in the organization and repetitive task
  5. Information concerning about all outsourced processes used by the organization that affects conformity to requirements.
  6. The standard or other requirements for which the applicant organization is seeking certification;
  7. Information concerning the use of consultancy relating to the management system.
  8. Scope of application for which a certification is sought.
  9. Expected date of audits or readiness of organization to plan the activity as per auditors and client’s conveyance.
  10. Sites or multisite covered by the scope.
  11. Specific requirements of ISO  9001, 14001, 45001, 22000, 27001 required in order to understand client domain.
  12. Integration level of client documentation.

On receipt of the application form before proceeding with the audit, the operations manager of MERLION reviews the application( Application review form ) and supplementary information for certification to  ensure that,

  1. The information about the applicant organization and its management system is sufficient for the conduct of the audit.
  2. The requirement for the certification is clearly defined and documented, and has been provided to the applicant organization.
  3. Any known difference in understanding between the MERLION and the applicant organization is resolved.
  4.  Has the competence and ability to perform the certification activity,.
  5. The scope of certification sought, the location (s) of the applicant organization’s operation, time required to complete audits and any other points inflecting the certification activity are taken into account (language, safety condition, threats to impartiality etc)
  6. Record of the justification for the decision to undertake the audits are maintained.
  • MERLION reviews the applications for suitability and based on review either accepts or decline an application for certification once reviewed, and if declined the applicants notified of the reason for decline.
  • Based on the review, the MERLION determines the competence it needs to include in it team and for the certification decision. ( Certification registration status sheet)
  • The audit team is appointed and composed of auditors (and technical experts, as necessary) who, between them, have the totality of competence identified by the MERLION for the certification of the applicant organization. The selection of the team has been performed with reference to the designation of competence of auditors and technical experts made and may include the use of both internal and external human resources.
  • The individual(s) who is conducting the certification decision has been appointed to ensure appropriate competence is available.

The initial certification audit of a management system is conducted in two stages stage-1 and stage-2 Stage-1 audit

  • The stage –1 audit are performed at the clients premises only:
  • To audit the clients management systems documentation.
  • To evaluate the client location and site specific conditions and to undertake the discussion with the client’s personnel to determine the preparedness for the stage-2 audit.
  • To review the client’s status and understanding regarding requirements of the standard, in particular with respect to the identification of key performance or 
  • Significant aspect, processes, objectives and operation of the management system.
  • To collect the necessary information regarding the scope of the management system,
  • Processes and location(s) of the client, and the related statutory and regulatory aspects and compliance (e.g. quality, legal aspects of the client’s operation, associated risk etc)
  • To review the allocation of resources for stage-2 audit and agree with the client on the details of the stage-2 audit;
  • To provide a focus for planning the stage-2 audit by gaining a sufficient understanding of the client’s management system and site operations
  • To evaluate if the internal audits and management review are being planned and performed, and that the level of implementation of the management system substantiate that the client is ready for stage-2 audit.
  • Stage 1 plan will be sent to client by email or hardcopy by courier or by hand delivery by marketing person (if required)
  • Stage-1 audit findings are documented as Area of concern and communicated to the client, including identification of any area of concern that could be classified as nonconformity during the stage-2 audit.
  • In determining the interval between the stage-1 and stage-2 audits, consideration is given to the needs of the client to resolve areas of concern identified during the stage-1 audit. The certification body may also need to revise its arrangements for stage-2. There will be minimum 3 days gap between stage 1 and stage 2 audit. 

  Stage 1 Audit Report – MERLION/CERT/F09

The Stage 1 audit report will be submitted by auditor/ team leader within 2 days of conducting the audit. Once report is received by operations manager , it is sent to qualified technical reviewer of the EA code for review . Once report is successfully reviewed by technical reviewer, stage 2 audit is planned in confirmation with client. stage-2 audit

The purpose of the stage-2 audit is to evaluate the implementation, including effectiveness, of the client’s management system. The stage-2 audit takes place at the site(s) of the client. It includes at least the following:

  • Information and evidence about the conformity to all requirements of the applicable management system standard or other normative document.
  • Performance monitoring, measuring, reporting and reviving against key performance objectives and targets(consistent with the expectations in the  applicable management system standard or other normative document)
  • The client management system and performance as regards legal compliance.
  • Operational control of the client’s process.
  • Internal auditing and management review.
  • Management responsibility for the client’s policies;
  • Links between the normative requirements policy, performance objectives and targets   (consistent with the expectations in the applicable management system standard or other normative document) any applicable legal requirements, responsibilities, competence of personnel, operations, procedures, performance data and internal audit finding and conclusions.
  • The stage-II audit is performed at client premises and not more than 60 days from the date of stage-I audit.

The information can be gathered by interviewing peoples at relevant section, by monitoring the processes, by reviewing the documentary evidences.

Conduct the formal opening meeting which should include the following:

The meeting should be chaired by Team Leader of the audit.

  • Introduce the audit team.
  • Confirm the audit plan.
  • Confirm the channel of communication between the audit team and Auditee.
  • Confirm the language to be used during the audit.
  • Take the attendance record for all present evidence.
  • Explain Assessment criterion.
  • Explain Assessment Schedule. 
  • Explain the Confidentiality Requirements.
  • Explain the Audit Methodology i.e. how the audit activities are undertaken.
  • Explain the Audit Reporting Method. That is Nonconformity like – Minor, Major & Area for Improvement, Positive Observations (positive and negative ) 

Major Non conformity – Total lapse of an activity (Complete failure in fulfilment of the requirements i.e. no addressal of requirements of standards, series of minor non-conformities in the same area, or where the impact of non-conformity turns in complete failure of Management System in particular standard)

Minor Non conformity – Failures in isolation (Where the impact may not be immediate in complete failure of Management System in applicable standard)

Observations – Potential non-conformity which cannot be classified into non-conformity.

  • Explain Audit plan and approach.

Outcome of the audit:

  • If the quality management system of the organisation meets all the requirements as per the standard for which the assessment is carried out i.e. ISO 9001:2015 without any non-conformity y(s) in this case the auditor/audit team recommends the organisation for certification to applicable standards.
  • If any minor non conformity(s) observed and concern organisation has submitted the corrective action plan. The Corrective plan submitted by organization is acceptable to the audit team in such instance the team leader can announce the conditional recommendation for ISO certification subject to submission of evidences of closure of non conformity to MERLION office within four week of time frame. Corrective action and effectiveness of corrective action will be verified in next audit.
  • In case of major non conformity(s) observed in the assessment. In this case the team leader cannot recommend the organisation for ISO certification. The non conformity(s) observed are rectified by the organisation and would be verified by the auditor in subsequent follow up audit. Upon satisfaction of auditor he can recommend to organisation for ISO certification.

Only the area from where major nonconformity identified is audited in follow up audit.

  • Confirm Safety/Emergency/Security related matters.
  • Confirm the facilities available/ request.

In closing meeting cover the following points:

  • Restate Confidentiality requirements.
  • Make the verbal; comments and audit conclusions and findings.
  • Discuss recommendation for certification.
  • Discuss MERLION policy on clearance of non-compliance.
  • Discuss MERLION policy on surveillance assessments.
  • Discuss MERLION process for certification decision, issuing certificate of registration and registered symbol.
  • Discuss MERLION policy on Certificate of Registration and use of registered symbol.
  • Confirm that the audit plan is fully covered

Stage 2 Audit Report – MERLION/CERT/F13

The audit team analyzes all information and audit evidence gathered during the stage 1 and stage 2 audits to review the audit findings and agree on the audit conclusions. The team leader announces the necessary recommendation of the audit conclusion at the time of closing meeting before the organization representative before exit.

The information provided by the audit team to the certification body for the certification decision include as a minimum

  • The audit report
  • Comments on the nonconformities and where applicable, the correction and corrective actions taken by the client.
  • Confirmation of the information provided to the MERLION used in the applicable  review and
  • A recommendation whether or not to grant certification, together with any conditions or observations.
  • The MERLION makes  the certification decision on the basis of an evaluation of the audit       

   findings and conclusions and any other relevant information (public information, comments on the audit report from the client)

The Stage 2 audit report will be submitted by auditor/ team leader within 2 days of conducting the audit. Once report is received by operations manager , it is sent to qualified technical reviewer of the EA code for review . Once report is successfully reviewed by technical reviewer, it is sent to certification committee. Certification committee reviews the certification records as per Certification decision committee report MERLION/CERT/F17. Certification decision committee meets every saturday to review decisions.

Certificate is issued to client with re-certification date of 3 years and expiry date of 1 year . New certificate is isssed after successful surveillance is conducted.

 After the decision is made for the issue of Certificates to the audited organization, certification executive prepares the Certificate with all necessary relevant data and get it approved by the   

 Director Certification. Certificate Template MERLION/CERT/F18

After the signature of Director certifications , the certificate is forwarded to the dispatch department for dispatch with relevant documents like Use of trademark/Logo, art work CD; and covering letter

Surveillance activities

  • The MERLION develops its surveillance activities so that representative areas and functions covered by the scope of the management system are monitors on a regular basis, and into account changes to its certified client and its management system.
  • The surveillance activities includes on-site audits assessing the certified client’s management system’s fulfilment of specific requirements with respect to the standard to which the certification is granted. Other surveillance activities may include
  • Enquiries from the certification body to the certified client on aspects of certification.
  • Reviewing any clients statements with respect to its operations (e.g. promotional material, website)
  • Request to the client to provide documents and records (on paper or electronic media) and
  • Other means of monitoring the certified client’s performance.

Surveillance audits are on-site audits, but are not necessarily full system audits, and are planned together with the other surveillance activities so that the certification body can maintain confidence that the certified management system continues to fulfill requirements between recertification audits. The surveillance audit programme includes, at least

  1. Internal audit and management review
  2. A review of actions taken on non conformities identified during the previous audits,
  3. treatment of complaints,
  4. Effectiveness of the management system with regard to achieving the certified objectives.
  1. Progress of planned activities aimed at continual improvement,
  2. Continuing operational control,
  3. Review of any changes, and
  4. Use of marks and/or any other reference to certification.

MERLION has decided to conduct the surveillance audits once a year, the date of first surveillance audit following initial certification are not more than 12 months from the date of issue of registration certificate. 

Key responsibility lies with Client Relations Manager. He/ She is responsible for Surveillance audit planning till execution.

Surveillance audit plan MERLION/CERT/F19

Surveillance audit report MERLION/CERT/F20

The MERLION maintains certification based on demonstration that the client continues to satisfy the requirements of the management system standard. It may contain a client’s certification based on a positive conclusion by the audit team leader without further independent review, provided that

  1. For any nonconformity or other situation that may lead to suspension or withdrawal of certification, the MERLION has a system that requires the audit team leader to report to the certification body the need to initiate a review by appropriately competent personnel different from those who carried out audit, to determine whether certification can be maintained.
  2. Operation Manager/Director Certifications of the MERLION monitor its surveillance activities, including monitoring the reporting by its auditors, to confirm that the certification activity is operating effectively.

The MERLION takes cases of Transfer of Certification from other certification bodies to MERLION as a fresh client and follow the same procedure mentioned in 03 for initial certification.


Operational manager is responsible for planning and intimating or interacting with certified client for the recertification activity. A recertification audit is planned and conducted to evaluate the continued fulfilment all of the requirements of the relevant management system standard or other normative document. The purpose of the recertification audit is to confirm the continued conformity and effectiveness of the management system as a whole and its continued relevance and applicability for the scope of certification.

The recertification audit considers the performance of the management system over the period of certification, and include the previous surveillance audit reports.

Recertification audit activities may need to have a stage 1 audit in situations where there have been significant changes to the management system, the client, or the context in which the management system is operating. (e.g. change in legislation) in the case of multiple sites or certification to multiple management system standards being provided by the confidence in the certification.

Re – Certification audit has to be planned from 10 months of the date of surveillance 2 due audit. The re-certification audit is conducted in such a manner that any non – compliance reported during the re – Certification audit of the applicant organisation must be resolved before the expiry of the certificate or from 4 weeks from the date re-certification audit.

Re – certification audit is executed in such a manner to ensure the continuity of the certificate of registration issued to the applicant organisation 

In case , re-certification audit is not conducted before expiry date of certificate, stage 1 has to be conducted again with stage 2.

The recertification audit includes an on-site audit that addresses the following:

  1. The effectiveness of the management system in its entirely in the light of internal and external changes and its continued relevance and applicability to the scope of certification;
  2. Demonstrated commitment to maintain the effectiveness and improvement of the management system in order to enhance overall performance.
  3. Whether the operation of the certified management system contributes to the achievement of the organizations policy and objectives.

When during a recertification audit, instances of nonconformity or lack of evidence of conformity are identified; the certification body has defined time limits of two weeks after the assessment audit, for correction and corrective actions to be implemented. The client has to submit the evidence of corrective actions to the MERLION head office for closure of the NCR.

Information for granting recertification

          The MERLION makes decision on renewing certification based on the result of the recertification audit, as well as the result of the review of the system over the period of certification and complaints received from users of certification. New certificate is issued with the re-certification date of three years from the date of decision of recertification and expiry date of 1 year.

Recertification audit plan MERLION/CERT/F21

Recertification audit report MERLION/CERT/F22

  • Extension of scope

The MERLION , in response to an application for extension to the scope of a certification already granted, undertake a review of the application and determine any audit activities necessary to decide whether or not the extension may be granted. This may be conducted in conjunction with a surveillance audit. 

  • Short-notice audits

It may be necessary for the MERLION to conduct audits of certified clients at short notice to investigate complaints, or in response to changes, or as follow up on suspended clients. In such cases;

  1. The MERLION describes and informs in advance to the certified clients  the conditions under which these short notice visits are to be conducted, and
  2. The MERLION exercises additional care in the assignment of the audit team because of the lack of opportunity for the client to object to audit team members.



To decide the method of Suspending, withdrawing or reducing the scope of certification


The MERLION suspends certification in cases when, 

  • The client’s certified management system has persistently or seriously failed to meet certification requirements, including requirements for the effectiveness of the management system,
  • The certified clients does not allow surveillance or recertification audits to be conducted at the required frequencies, or
  • The certified client has voluntarily requested a suspension.
  • If clients does not follow the agreed terms and conditions for certification services.


 The key responsibility lies with Director Certifications


When information is received from either by customer or auditor regarding the suspension, MERLION sends the suspension of certification letter to the client for the period of  one month.

  • Issue a suspension letter to the client. Stating reason, suspension period etc.
  • Under suspension the client’s management system certification is temporarily invalid, the MERLION have made enforceable arrangements with its client to ensure that in case of suspension the client refrains from further promotions of its certification. The MERLION has established a method for putting the information of suspension of certificate on website to make publicly accessible the suspended status of the certification and takes any other measures it deems appropriate.
  • If within the given period of time the customer resolves the issue and asking for reassessment of the management system for continuation of the certificate, the operations manger arranges the assessment arrangement.
  • Failure to resolve the issues that have resulted in the suspension in time established by the MERLION maximum period can be given four weeks only, result in withdrawal or reduction of the scope of certification.
  • Communication of the same to stop the use of same Certification Logo to all concerns.
  • Inform the client for not using the certification status during the period of suspension 
  • If the client does not respond within the suspension period. The same information is put up in front of certification committee. Upon approval of certification committee, the request is send to Director Certifications for authorization to withdrawal of certificate. Upon the withdrawal of the client the status of client on MERLION website is changed to withdrawn. 
  • Withdrawn certificate is collected and destroyed as per the procedure established in for control of records i.e. by shredding/tearing to avoid the misuse of the certificate. 
  • The MERLION reduces the client’s scope of certification to exclude that part not meeting the requirements, when the client has persistently or seriously failed to meet the certification requirements for those parts of the scope of certification. Any such reduction is in line with requirements of the standard used for the certification.
  •  The MERLION has enforceable arrangements with the certified client concerning conditions of withdrawal, ensuring upon notice of withdrawal of certification that the client discontinues its use of all advertising matter that contains any reference to a certified status.
  • Upon request by any party, the certification body  correctly state the status of certification of a client’s management system as being suspended, withdrawal or reduced.
  • On suspension of client, the status on website is changed to suspended for the client




Basic intent of this procedure is to establish a guideline for receive, evaluate and make decisions on appeals at MERLION Quality Assurance Pvt. Ltd. (MERLION) 


The MERLION has incorporated the communication method for acknowledge receipt of the appeals and providing the appellant with progress reports and the outcome. 

The decision to communicate to the appellant made by, or reviewed and approved by, individuals(s) not previously involved in the subject of the appeal.

4.1.3      Responsibility

An Administrative manager is appointed to handling Appeal handling, because he/she has no active part in the certification or audit activities.

4.2     Receiving

Any appeal received at MERLION is received by the Administrative Manager who records the same into Appeal form; Access to these documents is restricted to the administrative manager only. Acknowledgement of the appeal is given to the appellant by email without any delay after submission of appeal.

4.3   Appeal Handling Process

4.3.1    Investigation

The Appeal Committee is formed for the investigation of the appeals received at MERLION. After the proper investigation the report is submitted by the committee to the Administrative manger. Managing director approves the decision of what actions to be taken in response to it. It is ensured that the person involved in appeal handling process is having no involvement in audit or certification decision. The committee has to investigate the root cause of the conflict which cited the applicant for appeals. The committee has to submit the report of investigation within the fifteen working days before the Managing Director / Director Certifications

4.3.2     Tracking and Recording 

After the investigation is completed a meeting is called upon for decision or action in response to the appeal. The decision of what actions to be taken in response appeal investigation are by the Administrative Manager. Reference of previous same appeals can be taken to take the proper decision on the appeal. The decision reviewed, approved or made the individual not previously involve in the subject of the appellant. 

The actions decided are incorporated within the agreed time frame and the responsibility of the actions is clearly indicating the responsible person to carry out the same. 

Administrative manger ensures that the correction, corrective action is taken by the concern person and record of the same are maintained.

4.4 Decision and actions:

The MERLION is responsible for all decision at all levels of the appeals handling   

 Process. The decision taken by the administrative officer in consultation with the Appeal committee is brought in the review meeting in front of the Managing Director for approval. The appropriate actions suggested for after investigation on the appeal are noted and Administrative manger ensures that the corrections and corrective and preventive actions are taken by the concern department or person.

Decision is documented on appeal form 

4.4      Communications to appellant

Progress of the appeal handling process is conveyed to the appellant through progress report.  The administrative manager informs outcome of the appeal handling process after end to the appellant in the written form that the appeal process is ended up and the result are conveyed to him.

Appeal Form – MERLION/MGMT/F15

Appeal Committee – MERLION/MGMT/F16



              To enable and facilitate to receive, evaluate and make decision on complaint. This process is be subject to requirements for confidentiality; as it relates to the complaint and to the subject of the customer complaint handling


 The key responsibility lies with Director Certifications


  • Complaints can be sent to MERLION on
  • Upon receipt of the complaint, The MERLION confirms whether the complaint relates to certification activities that it is responsible for and, if so, deals with it.
  • if the complainant relates to a certified client, then examination of the complaint considers the effectiveness of the certified management system.
  • Any complaint about the certified client is  referred by the MERLION to the certified client in question at an appropriate time which is not more than two weeks from the date of receipt of the complaint to MERLION.
  • MERLION has process outlined below for receipt, evaluate and make decisions on complaints are as


  • Director Certifications is responsible for receiving the complaints. He receives the complaint from customer through emails, letters, telephonic or in person. 
  • Record the complaint into customer complaint register
  • Whenever possible The MERLION acknowledges the receipt of the complaint, and provides complaint with progress report and the outcome.
  • Upon receipt of the complaint, The MERLION confirms whether the complaint relates to certification activities that it is responsible for and, if so, deals with it, if the complainant relates to a certified client, then examination of the complaint considers the effectiveness of the certified management system.
  • Root cause analysis is done to identify the causes of the Customer complaints.
  • Decide the possible corrective action.
  • Analyse whether the action decided is correct action or any further correction is possible.
    • Take the necessary corrective action
    • Ensure the effectiveness of corrective actions taken.
    • Description of the complaint-handling process is publicly accessible through website
  • The Review of customer complaint has to be done by the person independent of the activity or area being complaint by the customer to MERLION.
  • Whenever possible MERLION gives formal notice of the end of the Complaint- handling process to the complainant.
  • MERLION is responsible for gathering and verifying all necessary information to validate the complaints.

The decision to be communicated to the complainant is made by or reviewed and approved by individual(s) not previously involved in the subject of the complaint.

The MERLION determines together with the client and the complainant whether and if so to what extent, the subject of the complainant and its resolution is made public.


1.0 Purpose

To document, establish, implement and maintain the system for conducting the audit of a multi -site organization, in accordance with requirements ISO/IEC 17021-1:2015 and IAF Mandatory Document for the Certification of Multi-Sites Based on Sampling, IAF MD 1:2007.

2.0 Scope

This procedure is applicable to the audit of a multi-site  and does not apply to organizations that have multi-sites where fundamentally different processes or activities are used at different sites or a combination of sites, even though they may be under the same management system. This procedure is applied to all types of audits; initial, surveillance and re-certification, of a multi site organization.

3.0 Responsibility

Operations Manager

4.0 Policy & Procedure

4.1 General Requirements 

4.1.1. Multi-site organization is defined as an organization having an identified central function (central office) at which certain activities are planned, controlled or managed and a network of local offices and branches (sites) at which such activities are fully or partially carried out. Examples of possible multi-site organizations are,:

  1. Organizations operating with franchises
  2. Manufacturing companies with a network of sales offices (applying to sales network)
  3. Service organizations with multiple sites offering a similar service
  4. Companies with multiple branches

4.1.2. A multi site organization need not be a unique legal entity, but all sites shall have a legal or contractual link with the central office and be subject to a common management system. The management system is laid down, established and subject to continuous surveillance and internal audits by the central office. This means that the central office has rights to ensure that the sites implement corrective actions when needed at any site.

4.1.3. The processes at all the sites have to be substantially of the same kind and have to be operated to similar methods and procedures. Where some of the sites under consideration conduct similar, but fewer processes than others, they may be eligible for inclusion provided that the site or sites, which conduct most processes or critical processes, are subject to full audit. All the sites shall be in the same country.

4.1.4. Organizations, which conduct their business through linked processes in different locations, are also eligible for sampling under multi-site. Where processes in each location are not similar but are clearly linked, the sampling plan shall include at least one example of each processes conducted by the organization (e.g. fabrication of electronic component in one location, assembly of the same components – by the same company in several other locations)

4.1.5. The organization’s management system shall be under a centrally controlled and administered plan and be subject to central management review. All the relevant sites including the central office shall be subject to the organization’s internal audit program and all sites have been audited prior to certification audit. Following certification an internal audit shall be done at each site within the certification period.

4.1.6 The central office has established management system in accordance with the relevant ISO and/ or other international management system standards and the whole organization meets the requirements of the standard including relevant legal regulations

4.1.7 The organization should demonstrate its ability to collect and analyze data (system documentation and changes, management review, complaints, corrective actions, internal audit, legal requirements etc) from all sites including the central office and its authority and also demonstrate its authority and ability to initiate organization changes if required.

4.1.8 If all the sites of an organization where the activity subject to certification is performed are not ready to be submitted for certification at the same time, the organization shall be required to inform MERLION in advance of the sites that it wants to be included in the certification and those which are to be excluded

4.2 Audit process 

4.2.1. Multisite Organization: 

 In case of a multi-site organization the application review & agreement are conducted as per procedure. At this stage the review shall identify the following,

 a]. The complexity and the scale of the activities covered by the management system and any differences between sites as a basis for determining the level of sampling.
b]. Identify the central function of the organization with which MERLION has a legally enforceable agreement for the provision of certification.
c]. To what extent sites of an organization operate substantially the same kind of processes according to the same procedures and methods.
d]. Are all the sites included in the certification are ready to be submitted for certification at the same time. Sites not ready shall be excluded from the scope of certification

4.2.2. The planning & preparation for audit including selection of audit team are done as per documented procedure in procedure manual.

4.2.3The audit of the multi-site including stage-1 and stage-2 audit is performed as per the procedure for initial audit MERLION/PR/03. If more than one audit team is involved in the audit, MERLION shall designate a unique audit leader whose responsibility is to consolidate the findings from all audit teams and to produce a combined report 

4.2.4The central office and the sites selected are audited as per this procedure.

4.2.5 Whenever any non-conformity is found at an individual site, either through the organization’s internal auditing or auditing by MERLION, the auditor shall investigate whether it leads to a system deficiency affecting all other sites or limited to the particular site only. If it is found a system deficiency correction and corrective action should be performed both at central office and at the individual sites. If the corrective action is found limited, to only the site where the nonconformity has been reported, the auditor should seek the justification for limiting its follow up corrective action.

4.2.6. The auditor shall verify the evidence of these actions and accordingly increase its sampling frequency and / or the size of the sample until it is satisfied that the control is re-established.

4.2.7 At the time of the decision making process, if any site has nonconformity pending the certification shall be denied to the whole network pending satisfactory corrective action.

4.2.8 If any site has nonconformity; the exclusion of that problematic site from the scope is not permitted at this stage. Such exclusion should have been agreed before the certification as stated in 4.2.1 (d).

4.3 Certification Document 

4.3.1. The certification documents are issued as per MERLION/PR/03.The sites included in the certificate are either individually audited or audited as per sampling scheme outlined in section 4.4

4.3.2 These documents shall identify the central office and a list of all sites to which the certification document relate. This document shall indicate clearly the certified activities performed by the network of sites on the list. If the certification scope of the sites is only issued as part of the general scope of the organization, its applicability to all sites shall be clearly stated.

4.3.3.The certificates may be issued to the organization for each site under condition that they contain the same scope or sub-scope of that scope and make a clear reference to the main certification document.

4.3.4. MERLION shall withdraw the entire certificate if the central office or any of the sites does not fulfill the necessary provisions for the maintenance of the certification.

4.3.5. MERLION shall inform the organization, about additional requirements for granting multi- site certification and this document shall be sent along with the quotation (MERLION/PR/03). This document shall also be made publicly available on the MERLION web site.

4.3.6. MERLION shall grant additional sites to the existing certification either through the routine surveillance , special audit  or re-certification audit . Sampling for the additional sites shall be done as specified in section 4.4 & 4.7 

4.4 Sampling 

4.4.1. Methodology Part of the sample shall be selected based on factors stated in section & partly non selective and should result in a representative of different sites selected, including the random element of sampling. At least 25% of the sample should be selected at random The site selection may include among others the following aspects,

  1. The sizes of the sites and the number of employees (e.g. more than 50 employees on a site);
  2. The complexity or risk level of the activity and of the management system 
  3. Variations in working practices (e.g. shift working);
  4. Variations in activities undertaken;
  5. Records of complaints and other relevant aspects of corrective and preventive action;
  6. Any multinational aspects;
  7. Results of internal audit and management review. When the organization has a hierarchical system of branches (e.g. Head or central office, National Offices, regional offices, local branches), the sampling model for the initial audit as defined above applies at each level. For example, (for other management systems)

  1. 1 Head office: visited at each audit cycle (initial or surveillance or re-certification)
  2. 4 national offices: sample =2: minimum 1 at random
  3. 27 regional offices: sample=6: minimum 2 at random
  4. 1700 local branches: sample=42: minimum 11 at random

4.5. Audit times

4.5.1. MERLION shall justify the time spent on multi-site audits in Audit time estimation sheet and the number of man days per site, including central office shall be calculated as per procedure MERLION/PR/01

4.5.2. MERLION may apply reduction in auditor time  taking into account clauses that are not relevant to the central office and /or the local sites and shall record the reasons for the justification of such reductions in Multisite registerf. The sites, which carry out most or critical processes, shall not be subject to reductions.

4.5.3. The total time spent on initial assessment and surveillance is the total sum of the time spent at each site plus the central office and should never be less than that which would have been calculated for the size and complexity of the operation if all the work had been undertaken at a single site (i.e. with all the employees of the company in the same site)

4.6. Temporary site

4.6.1. A temporary site is one set up by an organization in order to perform specific work or a service for a finite period of time and which will not become a permanent site (e.g. construction site)

4.6.2. Temporary sites that are covered by the organization’s management system may be subject to audit on a sample basis to provide evidence of the operation and effectiveness of the management system

4.6.3. If the organization desires to include the temporary sites within the scope of certification MERLION shall do so under an agreement with the client organization. Where included in the scope such sites shall be identified as temporary.

4.7. Additional sites

4.7.1. It is a new site or group of sites that will be added to an existing certified multi-site network

4.7.2. On application of a new group of sites to join an already certified multi site net work, each new group of sites should be considered as an independent set for the determination of the sample size as per the steps detailed in sections 4.4.1 & 4.4.2.

4.7.3 After inclusion of the new group in the certificate, the new sites should be cumulated to the previous ones for determining the sample size for the future surveillance or re-certification audits.


Logo Rules

A company certified by MERLION may use the MERLION logo on company letterheads and literature, subject to the conditions below:

(A) Use of the symbols on stationary or other media shall not be used by a certified client unless the use relates in whole or in part to certification endorsed by MERLION.

Note: Clients where MERLION has certified subsidiaries, divisions, departments or offices of a company and not the company as a whole is most affected by this requirement. Clients must exercise care in the use of certification logo and marks to ensure no misrepresentation of scope for which certification is granted.

(B) The symbol shall not be used on a product, packing, packaging, laboratory test, calibration or inspection reports or certificates or tests reports from test or in any way that may be interpreted to denote product conformity.

(C) Use of certification marks to indicate that a product has been made under a certified quality management system.

(D) The Mark may only be reproduced in a single colour which is unlimited, but where practical should conform to existing preprinted stationery, brochures, letterheads or other promotional materials of the Company.

(E) Client can use any statement on product packaging material that client has certified management system. The statement shall in no way imply that the product, process or service is certified anyway. The statement shall include:

  • Identification like brand name of the Client
  • The type of management system certified
  • The name of MERLION which is issuing the certificate.

(F) The Client company can use the logo in the same color combination as specified or in any single

Use of Accreditation Board Logos and Symbols
      1. Accreditation body logo can be use only when the client’s SCOPE is covered under accreditation of MERLION.
      2. The logo shall not be used in any way that it misleads the reader about the accredited status of the certification body or the certified body.
      3. The accreditation body’s logo shall not be used on the packaging of a product, labels, publicity material, written announcements etc, that in any way suggest that the accreditation body has certified or approved any product, process or service of the certified body or in any other misleading manner.
      4. The logo shall not be displayed on vehicles except in publicity material like part of a large advertisement.
      5. The logo shall not be displayed on buildings and flags.
      6. The logo shall not be used on the visiting cards
      7. The logos can be reproduced in any size, as long as they do not distort or alter the relative proportions of the logo
      8. Accreditation mark should be used with MERLION logo and shouldn’t be used alone.
Discontinuation of the MERLION Certification Logo and / or Accreditation Logo
  1. A client certified by MERLION shall discontinue the use of the MERLION certification logo and / or accreditation mark immediately when any of the following conditions exist:
  2. A lapse of certification, suspension or withdrawn;
  3. The client has made a change to his Quality System which has not been accepted by MERLION, and which could reasonably be expected to affect the client’s qualification for certification;
  4. The client has failed to implement a change to the system requirements issued by MERLION;
  5. Any other circumstances, which arise, which could reasonably be expected to adversely affect the client’s Quality System certified by MERLION, as identified in the contract agreement.
Misuse and Penalty

Misuse of MERLION certification logo and / or accreditation mark would lead to corrective action, withdrawal of certification, publication of the transgression and, if necessary, other legal action.


·         Management System Certification Rules

In today’s fiercely competitive environment of the global marketplace, it has become imperative for companies over a wide range of manufacturing and service sectors to provide assurance of the quality of their products or services through an implementation of a variable ISO 9001/14001/45001/22000/27001 management system. International standards ISO 9001, 14001, 45001, 22000 & 27001 series stipulate the minimum requirements for a documented Quality/Environmental/Food Safety/Occupational Health Safety/ Information Security Management System to be established and a Certificate of Compliance to these standards has now become an international criteria of assessing a company’s credibility and capability to consistently meet quality standards to the customer satisfaction.


The purpose of this description of the MERLION Certification Rules is to provide relevant information regarding MERLION services for conducting our impartial and competent assessment of a company’s management system for issue and maintenance of an accredited certification ISO 9001, ISO 14001, ISO 45001, ISO 22000 & ISO 27001 Standard.


The accredited certification scheme operated by MERLION is a third party system certification scheme with an objective of giving recognition to companies who have effectively implemented and operate a verifiable documented system. It covers the following scope

  • Preliminary meeting to establish scope of registration and the applicable standard.
  • Conduct of independent audits for certification
  • Issue of accredited certifications as per accredited scope sectors
  • Surveillance visits for verification of conformance of quality systems to certification standard.
  • The organization need to develop a system in respect to ISO 9001:2015/ ISO 14001:2015 /ISO 45001:2018/ ISO 22000:2018 / ISO 27001:2013 as per the applicable management system for which they need the certification.
Certification Procedure
  • Enquiry and Fee Quotation:- Upon receipt of an enquiry, the MERLION Questionnaire is required to be completed by the applicant company. Based upon the information provided, a detailed offer is submitted for client’s consideration and acceptance.
  • Application:- Upon confirmation of acceptance of MERLION fee offer and the receipt of client’s application together with the application fee, the process of certification commences with scheduling of audits on mutually agreeable dates.
  • Extension of Certification:- Whenever the clients applies for the extension of Scope/ addition of sites, facilities etc. the same is verified during a special visit or at the next surveillance audit and based upon the recommendations of Lead Assessor and verification of audit reports a decision is taken for issue of amended certification for scope extension.
Audit Process
  • Documentation Review and Stage 1 Audit : For most management system, it is recommended that at least part of the stage-I audit be carried out at the client promises in order to achieve the objectives. An onsite review of the client’s optional Quality/ Environmental/ Occupational Health Safety/ Food Safety/ Information Security management systems documentation is conducted to verify that the requirements of the applicable ISO standard are satisfactorily addressed. A report is issued listing any non-conformity against which corrective actions requires to be taken as per a corrective action plan to be submitted. The degree of implementation of the quality systems is also assessed to agree on a tentative stage 2 audit schedules. In particular, the records of the Internal Audit, Corrective Actions and the Management Reviews shall be verified to assess the level of Implementation of the Organization’s documented management System, so as to ensure that the Quality management System is mature before the Stage-II assessment is scheduled to be conducted. The evaluation may be carried out during Stage-I by the Organization’s. Management and risk analysis is carried out before proceeding to the next stage of audit
  • Stage 2 Audit : Following the Stage-I audit, MERLION will conduct a Stage-II certification audit to assess conformity with the requirements of the applicable ISO standard. A report categorizing any non conformities or weakness in the implementation of the documented quality systems are issued.
  • Corrective Actions and Follow-up : The company is required to submit a Corrective Action Plan addressing the non-conformities within a given time frame. Corrective actions against all major conformities require to be verified during a follow up visit and / or through provision of objective evidence of effective implementation, prior to confirmation of certification. Observations are also recorded relating to various elements of the documented management systems as per the certification standard which do not significantly affect the operation of the system but do nevertheless indicate a problem which may need correction.
  • In the event of major non conformities being identified (Category ‘A’) in respect of the implementation of any element of the quality system or several minor non-conformities being recorded against any one element which renders the system deficient but operable, a recommendation for certification is made subject to a CAP being submitted within 2 weeks and corrective actions being verified onsite and closed out through a special visit within 8 weeks of the assessment date, before certification is granted or as decided by CEO.
  • Where the audit has revealed only minor non conformities (Category ‘B’) which need to be addressed through corrective actions, the certification may be recommended subject to the CAP ( Corrective Action Plan) being submitted by the company within 2 weeks together with objective evidences of the corrective actions taken. The corrective actions plan is required to be closed out upon physical verification of the satisfactory implementation at the first subsequent audit.
  • In the case of where “opportunities for improvement: (Category ‘C’) having been recorded during the certification audit, the actions, as applicable, are observed for effectiveness at the subsequent audit visit.
Issue of Certificate

Upon completion of the review of all audit documentation and corrective actions being closed out, MERLION will issue the Certificate of Registration to the company. VALIDITY AND RENEWAL OF CERTIFICATE : Certificates issued by MERLION remain valid for three years subject to the conformance of the quality management systems to the certification standards being verified and found satisfactory during periodical surveillance audits. Upon expiry, Certificate of Registration is renewed for a further term of three years after conduct of a satisfactory reassessment.

Surveillance Audit

MERLION Certifications are issued subject to the maintenance and continual conformance of the documented Quality/ environmental/ OHSAS/ Food Safety/ Information Security systems to the certification standards. Surveillance audits shall be conducted at periodic interact at least once a year during the three year term of validity of the Certificate followed by a re-assessment of the quality systems for renewal of the certification prior to its expiry. The frequency of the surveillance audits has to be at least once in 12 months from the date of closing meeting of the certification audit i.e., two surveillance audits to be conducted during the three year period of validity at annual interact. In case of nine monthly surveillance audit 3 surveillance audits will be conducted and in case of six monthly surveillance audit 5 surveillance audits will be conducted. The nine monthly and six monthly surveillance audits will be conducted in case the organization demands the same during the singing of the contract.

Special Audits

A special visit may require to be made to the certificate company’s premises in the following circumstances

  • MERLION has reason to believe that the documented systems are inadequately maintained with major deficiencies in operation.
  • In case of any change in the management system standard due to which the certification requirements are going to be changed, clients will be intimated in advance for the transition audit and the audit will be scheduled after the consent of the organization. But the audit has to be done before the defined time frame.
  • Upon intimation by the certified company, of any significant change in the certified documented system. Including extension of scope visit will decide, whether the extension of scope sector can be granted or not. This may be clubbed with the surveillance audit this surveillance audit program shall include at least
    (A) Internal audit and management review
    (B) A review of actions taken on NC identified during the previous audit.
    (C) Treatment of complaint
    (D) Effectiveness of the management system w.r.t. achieving the certified client objectives.
    (E) Progress of planned activities aimed at continual improvement
    (F) Continuing operational control
    (G) Review of any changes
    (H) Use of marks and or any other reference to certification
Short Notice Audit

As a result of a complaint, by any party, any adverse publicity or contravention of the conditions of certification or other information received and suspended client. The special visits will be undertaken after due notice has been given and details agreed between MERLION and visits will be undertaken after due notice has been given and details agreed between the certified company. Due care is taken of the following.

  • Information is given to the client in advance regarding the resource of the visit with details.
  • Due care is taken to select the auditor to Safeguard Lack of Reason to client for objection to the auditor.

Suspension, Withdrawal, Extension and reduction of Certification

Suspension : The grounds for suspending the certificate are as follows

  • If the certified organization is not getting the Surveillance audit conducted as per the certification agreement.

If the client is found to misuse the logo of the Certification Body or is using any kind of misleading statement which might affect the reputation of the certification body and the accreditation board.


·         The Certification process shall consist of the following key stages:
  1. Application
  2. Application/Contract Review
  3. Initial Certification Audit (stage-1 audit)
  4. Assessment (stage-2 audit)
  5. Continual Assessment (surveillance audit)
  6. Recertification
1. Application:

Enquiries may be received in several forms, by telephone, letter, e-mail or facsimile or online as available on the website under the Tab Application. In case client need the physical copy of the application form then client can write us on and demand a copy of an application.

2. Application / Contract Review:

After getting the complete application the Certification Manager will send the application to application review and after application review a work order shall be sent to client including the copy of client agreement.

3. Initial Certification Audit (stage-1 audit):

MERLION shall proceed with Initial Certification Audit (Stage-1) audit activity on completion of earlier activities.. A pre-assessment is a trial audit which is conducted before the Certification audit at client’s option to provide a macro level assessment of the status of implementation and identification of any major deficiencies in the compliance of the documented quality system with the requirements of the certification standards, for corrective actions to be taken in advance of the certification audit. It provides valuable inputs to give confidence to the clients and saves time for taking necessary corrective action, later. However pre-assessment is done in special cases and it is also ensured that the auditor signs the conflict of interest before every visit.

A detailed report shall be prepared by the Team Leader and a copy shall be given to the client. The report shall be evaluated by AM and plan for the subsequent audits of the organization is discussed with the client.

A detailed report shall be prepared by the Team Leader and a copy shall be given to the client. The report shall be evaluated by AM and plan for the subsequent audits of the organization is discussed with the client.

4. Assessment (stage-2 audit) :

The purpose of the Assessment (STAGE-2) is to ensure that the requirements of relevant ISO standards as addressed by the documented quality system are being complied with. The Auditors will be looking for objective evidence of compliance with the standards, and Non compliances are brought to the attention of the guide and noted on a report form. At the end of assessment, these are discussed and the company’s management representative is asked to sign the report acknowledging that he understands and accepts the findings.

The Assessment is concluded with a “Closing Meeting” at which the Team Leader presents the findings and makes a recommendations, either for certification to the applicable standards of ISO otherwise with a requirement for a verification audit in case of major non-conformances having been identified. 2.5.3 In case where non-compliances are of a minor nature, certification is recommended subject to a corrective action plan that addresses the non compliances and observations raised in the report being submitted together with objective evidences for all non compliances within 60 days. When this corrective action plan and the objective evidences are received at the MERLION office, the audit reports shall be verified for conformance against the requirements of the certification standard. The client’s file is reviewed to ensure an independent verification of compliance against certification checklist and grant of certification.

The stage 2 audit shall take place at the site(s) of the client. It shall include at least the following :

  1. Information and evidence about conformity to all requirements of the applicable management system standard or other normative document.
  2. Performance monitoring, measuring, reporting and reviewing against key performance objectives and targets (consistent with the expectations in the applicable management system standard or other normative document);c) the client’s management system and performance as regards legal compliance; d) operational control of the client’s processes.
  3. Internal auditing and management review.
  4. Management responsibility for the client’s policies.
  5. Links between the normative requirements, policy, performance objectives and targets (consistent with the expectations in the applicable management system standard or other normative document), any applicable legal requirements, responsibilities, competence of personnel, operations, procedures, performance data and internal audit findings and conclusions.

Each certified organization shall be required to undergo a surveillance audit at once a year during the term of validity of its certification. The continual conformance of the organization management system with the certification standard shall be verified by auditing selected elements of the management system at each visit besides verification of the effectiveness of the corrective actions against the non-conformities raised during the previous audit.

The Auditors are required to complete the Reports in a precise and accurate manner. The justification for non inclusion of any element as per the ISO standards e.g. Design Control etc from the company’s quality system should be carefully verified and recorded in the Report.

Information for granting initial certification

The information provided by the audit team to MERLION for the certification decision shall be as per MERLION procedure shall include, as a minimum,

  1. The audit reports.
  2. Comments on the nonconformities and, where applicable, the correction and corrective actions taken by the client.
  3. Confirmation of the information provided to MERLION used in the application review.
  4. A recommendation whether or not to grant certification, together with any conditions or observations.

MERLION shall make the certification decision on the basis of an evaluation of the audit findings and conclusions and any other relevant information (e.g. public information, comments on the audit report from the client).

The audit team/AM shall analyze all information and audit evidence gathered during the stage 1 and stage 2 audits to review the audit findings and agree on the audit conclusions.

QC shall issue the certificate as per procedure.

5. Surveillance Audits:

Surveillance audits are on-site audits, but are not necessarily full system audits. Surveillance audits planned together with the other surveillance activities so that the certification body can maintain confidence that the certified management system continues to fulfill requirements between recertification audits.The surveillance audits conducted at least once a year and the date of the first surveillance audit following initial certification shall not be more than 12 months from the last day of the stage 2 audit.

The objective of surveillance audit is to:

  1. Ensure that the client’s management system which was basis of grant of certificate has been maintained on continuous basis.
  2. Verify and ensure that any changes to management system which might have taken place since last audit meet the requirement of the standard/ specification and implemented effectively.
  3. Ensure on-site audits assessing the certified client’s management system’s fulfillment of specified requirements with respect to the standard to which the certification is granted.
  4. Ensure that the management system continues to be appropriate to the product/ process/ service offered by client, with the capability of managing and improving performance.
  5. Assess continual improvement in client’s management systems.
6. Recertification Audit

There shall be recertification after every 3 year of certification .Conduct re-certification audit prior to certification period for continuation of Certificate of registration and subsequently followed up by Surveillance audits as per the accepted proposal. Re-certification audit shall be completed, preferably prior to one month of expiry of the present certificate of registration including the provision of adequate time to close any NCRs.

Need Help? We Are Here To Help You