The audit follows the process specified in ISO 17021:2015, supplemented by ISO 16919:2014, and is summarised in the following diagram and further described below.
The process starts when the management of a repository believes that it could be beneficial to be certified as trustworthy. It will be useful at this point to contact PTAB using the contact form for an initial discussion. The next step is to fill in the application form, which collects the basic information that allows PTAB to check whether it can undertake the audit, for example whether it has the appropriate knowledge about the language used and the legal environment. PTAB may seek additional information if necessary. If PTAB accepts the application, it sends a cost estimate and an outline of the audit process. If these are acceptable, the repository signs the contract and makes the initial payment for the audit.
PTAB has taken the view that it should make this first payment as low as possible because it is important to make it easy for repositories to start Stage 1 of the audit.
In Stage 1 of the audit, PTAB selects the lead auditor and the rest of the audit team, who review the repository’s self-assessment and supporting documents. The aim of Stage 1 is to identify “areas of concern” in the repository’s systems. These are things which are likely to be nonconformities in Stage 2 if not addressed. The aim is to make Stage 2, the on-site visit, run as smoothly and efficiently as possible. Moreover, ISO 17021 says: “In determining the interval between stage 1 and stage 2, consideration shall be given to the needs of the client to resolve areas of concern identified during stage 1. …. If any significant changes which would impact the management system occur, the certification body shall consider the need to repeat all or part of stage 1.” This recognises that, for example, resolving the concerns will take time and the repository may need to request some specific extra funding. Of course, the repository may well have identified other things that it needs to fix, and these can be addressed in this time.
The importance of Stage 1, and of making an early start on it, should not be underestimated by the repository.
When the repository believes that it has addressed the areas of concern, Stage 2 can start. This involves an on-site visit by an audit team – usually 2 auditors for two days. Nonconformities are identified in Stage 2. The repository must analyse the causes of these nonconformities and how to fix them, agreeing these with the audit team. The major nonconformities identified in Stage 2, which are things which prevent the repository being judged as trustworthy, have to be resolved within 6 months; otherwise another Stage 2 is required.
When the major nonconformities are resolved, a separate part of the audit team, made up of people who did not visit the repository, makes the decision about whether or not to award certification to the repository. If the repository is successful, it receives a certification mark which it can display on its website etc. The certification mark contains an identifier which others can use to check the validity of the certification.
To maintain its certification, the repository must undergo a surveillance audit each year for the next 2 years. These are more limited, cheaper audits. In the third year, a fuller re-certification audit is required.
Throughout the above, PTAB also identifies opportunities for improvement for the repository, in addition to identifying nonconformities. Taken together, the whole audit process is one of continuous improvement.