ISCC CORSIA 204 Audit Requirements and Risk Management PDF
Document Details
Uploaded by Deleted User
2023
ISCC System GmbH
Tags
Related
Summary
This document provides guidelines and requirements for audits and risk management in ISCC CORSIA and ISCC CORSIA PLUS systems, used for assessing sustainability in supply chains. It details audit procedures, risk assessment, and other relevant aspects for various supply chain components like farms, traders, and processing units.
Full Transcript
ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT Version 2.0 II...
ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT Version 2.0 II ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT Copyright notice © 2023 ISCC System GmbH This ISCC document is protected by copyright. It is freely available from the ISCC website or upon request. No part of this copyrighted document may be changed or amended. The document may not be duplicated or copied in any form or by any means for commercial purpose without permission of ISCC. Document Title: ISCC CORSIA 204 Audit Requirements and Risk Management Version 2.0 III ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT Content Summary of Changes................................................................................................................ 4 1 Introduction....................................................................................................................... 5 2 Scope and Normative References................................................................................... 5 3 Audit Requirements.......................................................................................................... 5 3.1 Definitions and General Requirements................................................................... 5 3.2 Audit Procedures and Reports.............................................................................. 11 3.3 Specific Audit Requirements................................................................................. 12 3.3.1 Farms and Plantations................................................................................. 12 3.3.2 Points of Origin............................................................................................ 14 3.3.3 Central Office............................................................................................... 14 3.3.4 First Gathering Point and Collecting Point.................................................. 14 3.3.5 Processing Unit............................................................................................ 15 3.3.6 Storage Facilities and Logistic Networks..................................................... 16 3.3.7 Traders......................................................................................................... 16 3.3.8 Other Elements of the Supply Chain........................................................... 16 3.4 Mandatory Surveillance Audits............................................................................. 17 3.5 Non-Conformities.................................................................................................. 17 3.4.1 Definition and General Requirements......................................................... 17 3.4.2 Sanctions..................................................................................................... 17 3.4.3 Conflict Resolution....................................................................................... 18 4 Risk Management........................................................................................................... 18 Definitions, Process and Levels of Application..................................................... 18 4.1.1 ISCC............................................................................................................. 18 4.1.2 Certification Bodies...................................................................................... 19 4.1.3 ISCC System Users..................................................................................... 20 Risk Assessment................................................................................................... 21 4.2.1 Identification of Risk..................................................................................... 21 4.2.2 Evaluation of Risk........................................................................................ 24 Identification and Implementation of Risk Control Measures............................... 25 © ISCC System GmbH 4 ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT Summary of Changes The following is a summary of all content changes to the previous version of the document (ISCC CORSIA Document 204, v1.1). Minor amendments which do not affect the content, e.g. corrections of phrasings, marginal notes, amendments of graphics, etc. are not listed. Summary of changes made in version 2.0 Chapter No material changes have been made from v1.2 to v2.0 of this document. 3.1 Addition: Two paragraphs on rules for conducting remote audits under ISCC 3.1 CORSIA. Addition: Chapter on mandatory surveillance audits for high-risk supply chains. 3.4 Deletion: Chapter on non-conformities deleted and instead reference to ISCC 3.5.1 CORSIA Document 102 “Governance”, which gives detailed information on the topic © ISCC System GmbH 5 ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT 1 Introduction In compliance with CORSIA requirements, ISCC has a documented plan for High quality addressing the risks to the integrity of the ISCC CORSIA and ISCC CORSIA verification PLUS systems. Clear requirements on how to conduct audits and how to manage risks are an integral part of ISCC’s quality policy. They are key factors for ensuring the integrity, reliability, credibility, and quality assurance of ISCC. The requirements specified in this document describe the relevant aspects to Audit process be considered and procedures to be followed when carrying out ISCC and aspects CORSIA and ISCC CORSIA PLUS audits. The audit requirements include the aspects relevant to all ISCC CORSIA and ISCC CORSIA PLUS audits as well as the criteria which are only relevant to specific types of operation to be audited. Certification bodies (CBs) are required to apply the audit objectives to meet the respective certification requirements. 2 Scope and Normative References This document covers the requirements on how ISCC CORSIA and ISCC Best practice CORSIA PLUS audits are to be conducted at different elements of the supply principles chain, the risk management process under ISCC CORSIA and ISCC CORSIA PLUS applicable to all activities of ISCC and the implications of risks for ISCC CORSIA and ISCC CORSIA PLUS audits. The risk management process takes into account best practice principles of the ISEAL “Code of Good Practice for Assuring Compliance with Social and Environmental Standards”. The principles for risk management and carrying out audits complement the requirements laid down in the ISCC CORSIA system documents. They apply to ISCC, System Users and recognised CBs conducting ISCC CORSIA and ISCC CORSIA PLUS audits. Requirements with regard to auditing and risk management are largely the References same for ISCC CORSIA and ISCC CORSIA PLUS. Therefore, as a basic principle, all references made to ISCC CORSIA in this document apply to ISCC CORSIA PLUS as well. Whenever requirements differ between the two systems, this is explicitly stated. 3 Audit Requirements 3.1 Definitions and General Requirements General audit requirements apply to all ISCC CORSIA audits irrespective of General audit the individual specifications or conditions of the audited site or operation. The requirements general requirements are mandatory for all types of System Users audited in the framework of ISCC CORSIA. Specific audit requirements apply only to audits of specific System Users or Specific audit under specific circumstances. Such audit requirements depend on the requirements © ISCC System GmbH 6 ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT particular type of operation being audited or the materials handled by the audited System User, e.g. waste, residues or by-products. Certification audits1 are audits which are the basis for a CB to issue an ISCC Certification CORSIA certificate. audit Surveillance audits can be imposed by the CB to verify compliance with ISCC Surveillance CORSIA requirements during the validity period of a certificate issued by the audit respective CB. Surveillance audits may focus only on the implementation of partial aspects of ISCC CORSIA requirements. ISCC may require CBs to conduct surveillance audits, if necessary, for example in high-risk supply chains. System Users that register with ISCC and want to receive a certificate are Registration with subject to an audit during which a recognised CB verifies compliance with the ISCC applicable ISCC CORSIA requirements. An ISCC CORSIA audit must always be conducted before a certificate can be issued. Prior to any ISCC CORSIA audit, System Users must have concluded a Certification certification contract with one of the recognised CB’s cooperating with ISCC. contract After concluding the contract with a CB, the System User must register with ISCC. During the registration process, the System User provides basic information to ISCC including the applicable scope for certification (e.g. the type of operation). The ISCC CORSIA certificate must only cover the scope that correctly represents the activities of the System User. It is not possible to audit a scope or type of operation which does not correctly represent the activity of the System User or is not actually relevant for the System User. Prior to any ISCC CORSIA audit, the certification history of the System User Certification must be evaluated. The CB is obliged to assess if the System User is not history currently suspended from certification due to major non-conformities under another relevant sustainability certification system, especially under one of the systems recognized by the ICAO Council within the framework of CORSIA. If a System User is suspended (or “blacklisted”) by another sustainability certification system, a certification under ISCC CORSIA is not possible, until the suspension expires. The System User is obliged to report to ISCC and to its CB immediately, if certificates from other sustainability certification systems are withdrawn due to non-conformities. If the CB receives notice of such a withdrawal of a certificate, the CB is obliged to inform ISCC immediately. Likewise, if an economic operator seeks re-certification under ISCC CORSIA and was previously found to be in major non-conformity with any other certification system, the CB is required to bring this to the attention of ISCC. ISCC will assess and evaluate such situations and possible consequences on a case-by-case basis taking into account the potential risk for the integrity of ISCC CORSIA. System Users are obliged to provide accurate and true information to ISCC Accurate and and to the CB. Furthermore, System Users are obliged to declare to ISCC and true information 1 In the following the term „audit“ refers to a certification audit unless specified otherwise. © ISCC System GmbH 7 ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT to the CB the names of all other sustainability certification systems they are participating in simultaneously to ISCC, or sustainability certification systems they have previously been participating in (certification history). System Users are obliged to make available to the CB all relevant information including the mass balance data and the auditing reports also regarding other sustainability certification systems used. If a System User that was previously in major non- conformity with these requirements or with any other aspect of the mandatory sustainability criteria seeks recertification, the CB is obliged to inform ISCC. ISCC CORSIA audits are retrospective and focus on the verification of claims Retrospective made during the previous period of certification. An exception to this rule is audit the first (initial) audit of a System User during which a retrospective audit of claims is not possible and thus the focus of the audit is on the necessary procedures to appropriately implement and apply ISCC CORSIA. An audit to verify compliance of a System User is required at least every Annual audit twelve months. System Users should arrange for audits to be conducted in a way that reduces the risk of a gap between two certificates. If there is indication of non-conformity or fraud the frequency or intensity of audits may be increased. This means, that a CB is entitled to conduct additional (surveillance) audits e.g. in case there is reasonable doubt of compliance with the ISCC requirements or in order to verify substantiated allegations of fraudulent behaviour. It is the CB’s responsibility to define the intensity of the audit or the size of a sample that will permit the CB to reach the level of confidence necessary to issue a certificate. ISCC CORSIA audits have to be conducted on-site at the location of the On-site audit System User registered for certification. Audits are conducted throughout the entire CORSIA eligible fuel supply chain. All System Users need to be audited individually. Group auditing and sampling can only be applied at the beginning of the chain of custody as well as for storage facilities according to the requirements specified in ISCC CORSIA Document 206 “Group Certification”. ISCC CORSIA audits (including, in particular, initial audits) should be Audit modality / performed on-site. Particular aspects of an audit, including for instance the remote audits verification of a life cycle emissions calculation, can be based on a desk assessment. Fully remote audits by the CB are only permitted under the following conditions: > The audit risk as assessed by the certification body is low. > The same level of assurance can be achieved with remote audits as with on-site audits. > Sufficient traceability and mass balance records, life cycle emissions data and other forms of appropriate evidence are available. > The systems in place for collecting and processing traceability and life cycle emissions data and ensuring data quality are reliable. © ISCC System GmbH 8 ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT Before CBs are allowed to conduct any particular ISCC CORSIA audit Remote audit remotely, they will have to hand in a filled in justification template to ISCC, justification outlining and justifying in detail how the abovementioned conditions are fulfilled for that particular audit. ISCC provides the justification template in the CB section of the client section on the ISCC website. In particular, risk assessments and the analysis of land use change after 1 Use of tools in desk audits January 2008 on a specific area may be conducted on-site, or by using tools which may even provide a more reliable level of assurance than an on-site audit, or by a combination of on-site and desk audit. The use of independent traceability databases may also allow for an equivalent level of assurance as an on-site audit. Precondition for verifying compliance with ISCC requirements based on such tools is the analysis and approval of the respective tool by ISCC as being appropriate to provide at least the same level of assurance as an on-site audit. ISCC will carry out assessments of such tools based on the following criteria: Assessment process > Methodology and algorithms of the tool are transparent > Information sources used are transparent and reliable > The tool must allow for clearly reproducible and consistent results > The tool should include latest available data > Traceability databases must cover all sustainability data required by ISCC > CBs must have access to the tool and must be enabled to verify compliance with the requirements > Mechanisms to avoid fraud and misuse must be in place If a tool has been approved by ISCC, ISCC will communicate this to its System Publishing of Users and will publish this information on the website. ISCC will indicate the approved tools scope for which the tool has been approved and for which countries or regions the tools can be used. In any case, audits must follow a risk-based approach and take into account Risk based the risk according to the principles specified in chapter 4. This means, if the approach result of a desk audit based on tools or systems approved by ISCC does not provide a sufficient level of assurance or even indicates non-conformity with ISCC requirements, the CB must take appropriate further actions to sufficiently verify compliance, e.g. the verification on-site. The verification of compliance with the land-related sustainability Verification of requirements may be conducted equivalently to an on-site audit by using compliance with land-related remote sensing tools, high quality satellite images of the cultivation area and sustainability databases (e.g. regarding protected areas, areas with high biodiversity, requirements peatland, etc.) which are approved by ISCC. © ISCC System GmbH 9 ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT The address or location of the operational unit registered and audited will be Site-specific published on the ISCC CORSIA certificate. The address of the operational certificate unit to be certified cannot be a post box. So-called “letterbox companies” cannot participate in the ISCC CORSIA system. Each System User registered for certification under ISCC CORSIA must Internal conduct an internal assessment (self-assessment) of compliance with the assessment ISCC CORSIA requirements at least once a year. This internal assessment should focus on the ISCC CORSIA requirements applicable at the respective type of operation and on relevant risks (also see chapter 4.1.3). The results of the internal assessment must be documented, reviewed and signed by the management of the System User. The results of the internal assessment must be made accessible to the CB during the certification audit. During each audit a risk-based approach according to the principles specified Risk-based audit in chapter 4.3 should be followed by the CB. This means, that a higher risk approach classification results in a higher sample size (in case sampling is part of the audit) and/or in an increased number of documents to be verified by the CB. During the audit, the CB must identify the activities undertaken by the System User which are relevant for ISCC. This includes the identification of relevant systems and the overall organisation especially with respect to the applicable ISCC CORSIA requirements and the effective implementation of relevant control systems. During the audit the CB should draw up a verification plan which corresponds to the risk analysis and the scope and complexity of the System User’s activities and which defines the sampling methods to be used with respect to the System User’s activities. The CB should carry out the verification plan by gathering evidence in accordance with the defined sampling methods, plus all relevant additional evidence, upon which the CB’s verification decision will be based. It is the System Users obligation to provide any missing elements of audit trails, to explain variations, or revise claims or calculations, before the CB can reach a final verification decision (i.e. the decision to issue a certificate). In the case a System User participates in or has recently participated in more Verification of than one sustainability certification system, the CB must always verify that claims multiple claiming (so called “double accounting”) of sustainability characteristics cannot and did not occur. For this verification, the CB is entitled and obliged to assess the relevant documentation (e.g. mass balance, auditing reports) of all relevant certification systems. This is especially necessary to verify the overall plausibility of incoming and outgoing sustainable material and ensures that not more sustainable material is sold than has been received. The CB must be given access to all documentation that is deemed necessary to get a complete understanding of the individual situation. Access to be given to the CB includes access to databases used by the System User to handle sustainable material. System Users must have a documentation and quality management system Documentation which can be audited by the CB. Such a system must include evidence related and quality management to the claims the System Users makes under ISCC CORSIA, e.g. © ISCC System GmbH 10 ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT Sustainability Declarations, Proofs of Sustainability, or related contracts. The relevant documentation must be kept for at least five years. System Users are responsible and obliged for preparing any information related to the auditing of such evidence and documentation. Such a system should normally include the following aspects: > a description of the relevant products, > quality objectives and the organisational structure, responsibilities and powers of the management, > corresponding manufacturing, quality control and quality assurance techniques, processes and systematic actions that will be used, > quality records, such as inspection reports and test data, calibration data, qualification reports on the personnel concerned, etc. If an audit includes the verification of individual life cycle emission calculations, Verification of the requirements specified in ISCC CORSIA Document 205 “Life Cycle individual calculations Emissions” must be met. Audits should be conducted taking into account the principles specified in ISO Plan, Do, Check, 19011 (plan, do, check, act) or a justified equivalent. The CB must establish Act at least a “reasonable assurance level” when conducting audits. A “reasonable assurance level” in the context of ISCC CORSIA and following Reasonable the International Standard on Assurance Engagement (ISAE) 3000 (revised) assurance level is an “assurance engagement in which the practitioner reduces engagement risk to an acceptably low level in the circumstances of the engagement as the basis for the practitioner’s conclusion”.2 It should obtain a level of assurance that is higher than in a “limited assurance level” approach. This means for example that the auditor focuses less on inquiring the economic operator’s staff as he/she would in a limited assurance level approach; and relatively more emphasis is placed on assessing documents and records. Furthermore, the sample size of assessed evidence should be greater than in a limited assurance level scenario. If compliance with the ISCC CORSIA requirements has been verified during Issuance of the the audit, the CB can issue an ISCC CORSIA certificate. The certificate must certificate be issued no later than 60 calendar days after the audit of the System User registered for certification was conducted. CB’s conducting ISCC CORSIA audits must comply with the requirements specified in ISCC CORSIA Document 103 “Requirements for Certification Bodies and Auditors”. The CB is responsible to properly plan, conduct and report on the audit especially with respect to nature, timing and extent of evidence gathering procedures. The audit must be conducted in such a way that a meaningful level of assurance for a decision regarding compliance with the ISCC CORSIA requirements is available. 2 International Federation of Accountants (2020), International Standard on Assurance Engagement (ISAE) 3000 revised. © ISCC System GmbH 11 ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT An overview on the certification process based on the principles of ISO 19011 is provided in figure 2. Figure 1: Certification process based on the principles of ISO 19011 Independent of the type of operation participating in ISCC CORSIA Documents with certification, the CB must especially consider the requirements specified in the relevant requirements for following documents during each audit to be conducted: the audit > ISCC CORSIA 201 System Basics > ISCC CORSIA 201-1 Waste, Residues, By-Products > ISCC CORSIA 202 Sustainability Requirements > ISCC CORSIA 203 Traceability and Chain of Custody > ISCC CORSIA 204 Audit Requirements and Risk Management > ISCC CORSIA 205 Life Cycle Emissions > ISCC CORSIA 206 Group Certification 3.2 Audit Procedures and Reports On the basis of the ISCC CORSIA system documents, ISCC provides Audit procedures technical (working-) documents to CBs and System Users. These “audit (checklists) procedures” or “checklists” ensure that all ISCC CORSIA audits are conducted on the basis of the requirements specified in the ISCC CORSIA system documents. The audit procedures support the work of the CBs and facilitate a consistent and comparable verification of the ISCC CORSIA requirements during ISCC CORSIA audits. CB’s have to use the audit procedures in the latest applicable version provided by ISCC during any ISCC CORSIA audit. System Users can use the audit procedures to conduct internal assessments, for internal training or to prepare for an audit. The audit procedures include relevant details of the audit including e.g. the length of the audit, the address © ISCC System GmbH 12 ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT where the audit was conducted, the audit participants, audited documents as well as information relevant for the certificate (e.g. type of sustainable material, scope of certification). The audit procedures may contain relevant data about the amounts of Data collection sustainable material handled by System Users. This is necessary to enable and reporting ISCC to accumulate reliable information about the total amounts of sustainable material covered by ISCC CORSIA certification and/or the total cultivation area complying with ISCC CORSIA requirements. ISCC will treat the information from individual System Users confidential if not required otherwise by law or by competent authorities. ISCC is entitled to gather, accumulate and publish such data about the system (in anonymised form), especially in order to fulfil reporting obligations in the framework of CORSIA. Specific reporting obligations of ISCC are specified in ISCC Document 102 “Governance”. The CB verifies the correctness of such data during the audit and submits the data to ISCC. System users are obliged to provide correct and complete data about the sustainable amounts handled to the CB. After the audit has been conducted, the CB submits the audit procedures used Audit procedures during the audit to ISCC. In the case of a positive certification decision, the and report CB is obliged to prepare a report, containing the relevant audit results. This report must be provided to ISCC. The ISCC CORSIA procedures and the audit report must be submitted together with the certificate issued by the CB. The audit report may be published on the ISCC website. In the event that the external audit showed that the audited System User did not meet the requirements of ISCC CORSIA, the audit procedures must be submitted to ISCC immediately after termination of the audit. If elements of the supply chain (which are part of a group) were audited non-compliant the CB must sent the information of such group members to ISCC. 3.3 Specific Audit Requirements 3.3.1 Farms and Plantations The ISCC CORSIA Document 202 specifies the principles for the cultivation ISCC of sustainable biomass under ISCC CORSIA and ISCC CORSIA PLUS. Under sustainability principles ISCC CORSIA, the relevant approved CORSIA sustainability criteria must always be complied with. Under ISCC CORSIA PLUS, the ISCC Principles 1- 6 are relevant.3 Here, the requirements of ISCC Principle 1 must always be complied with in any case. Violations of the applicable CORSIA sustainability criteria and/or ISCC Principle 1 are critical non-conformities and cannot be subject to corrective measures. ISCC Principles 2 to 6 are comprised of major and minor must requirements. All major must requirements must be complied with in order to be considered compliant with ISCC CORSIA PLUS. Additionally to the major must requirements, at least 60% of the minor must 3 Please note that, to be compliant under ISCC CORSIA PLUS, in addition to auditing with regard to ISCC Principles 1 to 6, separate attestations for CORSIA Themes 10-14 are still needed. Please see ISCC CORSIA 202 document, chapter 3, page 10. © ISCC System GmbH 13 ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT requirements must be complied with. Within EU Member States which have implemented Cross Compliance (CC), farmers that fulfil the criteria through the implementation and official recognition of CC, are only audited with respect to the requirements set out in ISCC Principle 1. A farm is either defined as a distinct legal entity or as an organisation Full compliance managing an agricultural operation and having control regarding compliance with relevant sustainability with the ISCC CORSIA requirements. The audit of a farm must always cover requirements the entire land (agricultural land, pasture, forest, any other land) of the farm including, any owned, leased or rented land. Under ISCC CORSIA, biomass produced on land which is in compliance with the applicable approved CORSIA sustainability criteria is considered to be sustainable. Under ISCC CORSIA PLUS, biomass produced on land which is in compliance with the ISCC Principles 1 to 6 is considered to be sustainable.4 Partial compliance (e.g. only fulfilling Principle 1 requirements) is not sufficient to declare the biomass produced as sustainable under ISCC CORSIA PLUS. Farms participating in ISCC CORSIA are obliged to enable the full Service assessment and evaluation of all applicable ISCC CORSIA requirements, providers and sub-contractors including relevant activities which are outsourced to sub-contractors or service providers. Relevant sub-contractors or service providers, e.g. for the application of plant protection products, must be included in the farm audit if this is necessary to evaluate full compliance with ISCC CORSIA. This should be included appropriately in contractual agreements between the farmer and the relevant sub-contractors and service providers. Contractual agreements must be accessible during the ISCC CORSIA audit. Farms are either audited and certified as single entities or as part of a producer Individual or group. It is the choice of the farm to decide whether to be audited and certified group certification as a single (individual) entity or as part of a group. The group certification process and rules for sampling are specified in ISCC CORSIA Document 206. Farms participating in group certification must conduct a self-assessment and Self-assessment fill in and sign a self-declaration either to the first gathering point or to the and self- declaration central office responsible for the group. On the self-declaration the farmer declares conformity with the ISCC CORSIA requirements based on the self- assessment. By signing the self-declaration, the farmer furthermore gives permission to the CB and to ISCC to verify compliance with the ISCC CORSIA requirements during an audit. Farms which are audited non-compliant or which do not agree to participate Non-compliance in an audit must be excluded from ISCC CORSIA. This is valid until the respective farm based on its own initiative passes a successful ISCC CORSIA audit. ISCC must be informed by the CB about such farms, which are audited non-compliant or which refuse to be audited as a part of a sample. 4 Please note that, to be compliant under ISCC CORSIA PLUS, in addition to auditing with regard to ISCC Principles 1 to 6, separate attestations for CORSIA Themes 10-14 are still needed. Please see ISCC CORSIA 202 document, chapter 3, page 10. © ISCC System GmbH 14 ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT 3.3.2 Points of Origin Points of origin delivering sustainable material under ISCC CORSIA are Waste obliged to enable an assessment and evaluation of all applicable ISCC prevention CORSIA requirements to ensure that the material generated is a genuine waste or residue. A major requirement for points of origin to comply with, is to demonstrate that any waste or residue material occurring at their premises is not generated deliberately. The specific requirements for points of origin are specified in ISCC CORSIA Document 201-1. Self-declaration Points of origin participating in group certification must fill in and sign a self- declaration either to the collecting point or to the central office. On the self- declaration the point of origin declares conformity with the ISCC CORSIA requirements. By signing the self-declaration the point of origin furthermore gives permission to the CB or to ISCC to verify compliance with the ISCC CORSIA requirements during an audit. A copy of the self-declaration should be available during the audit. Points of origin participating in group certification will not receive an individual certificate, as they will be covered by the certificate of the collecting point or the central office. Points of origin registered for individual certification do not need to fill in and sign a self-declaration. They will receive an individual certificate upon a positive audit. 3.3.3 Central Office The audit of a central office always consists of an audit of the central office List of group itself (head office responsible for the group) and a sample of group members. members A central office can either represent a group of farms or a group of points of origin. For the ISCC CORSIA audit of members of the group, the requirements for farms or for points of origin apply respectively. A list of all farms participating in group certification must be available during the audit and must be submitted to ISCC together with the audit documents. This list must include at least the name and address or location of the individual group members. ISCC is entitled to further specify the information to be provided on the list of farms. ISCC is entitled to require that a list of all points of origin participating in group certification is to be submitted to ISCC including at least the name and address or location of the point of origin. ISCC is entitled to further specify the information to be provided on such a list. 3.3.4 First Gathering Point and Collecting Point All first gathering points and collecting points that want to receive and deliver Individual sustainable material to downstream customers must be certified. Group certification certification of first gathering points or collecting points is not possible. First gathering points and collecting points must keep all contracts and related List of suppliers documentation about incoming sustainable material received from suppliers, e.g. directly from farms, from points of origin, or from other certified suppliers. Furthermore, they must keep the respective documents for all outgoing deliveries of sustainable material. Material, which is received from farms or from points of origin, complying with the ISCC CORSIA requirements (having © ISCC System GmbH 15 ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT completed and signed the ISCC self-declaration) must be considered as sustainable input. However, the first gathering point or collecting point can choose to sell the sustainable input as non-sustainable. A list of all farms participating in group certification must be available during the audit and must be submitted to ISCC together with the audit documents. This list must include at least the name and address or location of the individual group members. ISCC is entitled to further specify the information to be provided on the list of farms. ISCC is entitled to require that a list of all points of origin participating in group certification is to be submitted to ISCC including at least the name and address or location of the point of origin. ISCC is entitled to further specify the information to be provided on such a list. The first gathering point or collecting point is responsible for ensuring the Traceability and traceability of sustainable material back to its origin and to comply with the mass balance mass balance requirements under ISCC CORSIA. A mass balance must be kept for each location where sustainable material is stored on behalf of the first gathering point or collecting point. Warehouses or collection sites that store sustainable biomass entirely on Storage facilities behalf of a certified first gathering or collecting point are considered as dependent warehouses or collecting points. These are such supply chain elements that do not individually buy biomass from suppliers and sell it to customers in their own name. Such dependent supply chain elements can be covered by the certificate of the first gathering or collecting point. All warehouses or other storage facilities, which are used by the certified first gathering point or collecting point to store sustainable biomass have to be included in the certification process. A sample must be audited. It is the responsibility of the first gathering point or collecting point to provide Responsibility to evidence to the CB, which sustainable materials are (or will be) received from provide evidence farms or from points of origin. Evidence regarding the type of sustainable material can include self-declarations, delivery documentation, or contracts with suppliers. The respective materials will be published on the ISCC CORSIA certificate. 3.3.5 Processing Unit All processing units (e.g. oil mills, oil refineries, ethanol plants, HVO plants, Individual SAF producers or other processing units) that want to deliver sustainable certification material must be certified individually. Sampling or group certification of processing units is not possible. During the audit of a processing unit the CB must especially verify the Traceability and traceability and plausibility of the incoming and outgoing amounts of conversion factors sustainable material as well as the conversion procedure applied within the processing unit. A part of the assessment of the conversion process is the determination of conversion factors describing the relation between sustainable input and sustainable output. It is the responsibility of the processing unit to provide evidence to the CB, which types of sustainable material are (or will be) received and processed at the respective unit. © ISCC System GmbH 16 ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT Evidence can include production reports from the previous year, delivery documentation, or contracts with suppliers. The respective materials will be published on the ISCC CORSIA certificate. 3.3.6 Storage Facilities and Logistic Networks Storage facilities that are used by certified System Users for storing Traceability and sustainable material must be audited. If the storage facilities belong to a mass balance logistic network the logistic centre (head office) plus a sample of the associated storage facilities must be audited. The requirements with respect to traceability and mass balance apply for all storage facilities. In case of a logistic network, the certificate to be issued includes an annex listing all storage facilities covered by the certificate. During the re-certification audit already audited storage facilities shall not be List of storage part of the sample again unless all storage facilities have been audited. A list facilities of all storage facilities participating in group certification must be submitted to ISCC including at least the name and address or location of the storage facility. ISCC is entitled to further specify the information to be provided on the list. Operators of storage facilities must enable the CB to verify compliance with Ensuring access the ISCC CORSIA requirements including granting access to all relevant premises. The CB must at least verify the physical inventory and the related documentation (e.g. weighbridge tickets), the technical equipment (e.g. weighbridge, calibrations, etc.), and the data transfer between the operator of the storage facility and the owner of the sustainable material. 3.3.7 Traders Traders are responsible for demonstrating the traceability of the sustainable Traceability material and compliance with the chain of custody requirements. During the audit a sample of storage facilities will be audited, which are not certified individually or as a logistic network, if applicable. The audit includes the respective contractual agreements, procedures to transfer information about deliveries and other supporting documents or processes. If a trader uses non- certified storage facilities, it is the responsibility of the trader to enable an on- site verification of the storage facilities. The System User is obliged to grant the CB access to the relevant contractual Access to agreements, documenting all transactions related to sustainable material. relevant documents 3.3.8 Other Elements of the Supply Chain Audits may be conducted at other elements of the supply chain that have Relevant system registered for ISCC CORSIA certification. Based on the individual type of documents operation, the CB verifies whether the relevant ISCC CORSIA requirements are fulfilled, especially those requirements as laid down in this document and in the following documents: > ISCC CORSIA 201 System Basics © ISCC System GmbH 17 ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT > ISCC CORSIA 203 Traceability and Chain of Custody > ISCC CORSIA 205 Life Cycle Emissions 3.4 Mandatory Surveillance Audits Mandatory surveillance audits have to be conducted by the certification body High-risk supply six months after the first (initial) certification of any economic operator in a chains high-risk supply chain. A high risk applies to economic operators that are collecting, processing, storing or trading materials, which may lead to particularly high life cycle emissions savings for CEF, such as waste and residues or waste and residue-based products.5 For collecting points and traders that are dealing with both waste and residues Additional audits (e.g. used cooking oil or tallow) and with virgin vegetable oils (e.g. palm oil, for collecting points and rapeseed oil), a surveillance audit shall be conducted three months after the traders first (initial) certification (covering the first mass balance period). This surveillance audit shall be conducted in addition to the surveillance audit that has to take place six months after the first certification and shall follow the same risk-based approach. This additional surveillance audit three months after the first certification may be conducted remotely if a risk assessment for the individual system user by the certification body has demonstrated a regular risk. If the risk assessment has shown a risk higher than regular, the surveillance audit shall be conducted on-site. 3.5 Non-Conformities 3.4.1 Definition and General Requirements Non-conformity means the non-fulfilment of an ISCC CORSIA requirement Definition non- either by a CB or by a System User. Non-conformities with ISCC CORSIA conformity requirements are classified according to the impact of the non-conformity and the fault of the responsible actor (System User or CB). ISCC CORSIA Document 102 “Governance” lays out the definitions and general provisions around non-conformities. Minor 3.4.2 Sanctions Depending on the type of non-conformity and the individual situation, ISCC Non-conformities may impose sanctions against non-compliant System Users. Sanctions may during audits include the withdrawal of the certificate and the exclusion of System Users. The general procedure regarding sanctions in case of non-compliant or fraudulent behaviour of System Users is specified in ISCC CORSIA Document 102 “Governance”. 5 This requirement applies to new system users who aim to become certified for the first time. System Users that are already certified and want to become recertified will not be subject to the above surveillance audits. © ISCC System GmbH 18 ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT 3.4.3 Conflict Resolution Should any conflicts occur during ISCC CORSIA audits the principles Conflicts during specified in ISCC CORSIA Document 102 “Governance” apply. audits 4 Risk Management Definitions, Process and Levels of Application A risk is the probability of an event happening that may or will have an impact Definition risk on the mission, the goal or the integrity of ISCC CORSIA. It is measured in terms of a combination of the probability of the event to occur and its consequences if it does occur. Risk assessment is the process of identifying and evaluating a risk according Definition risk to its probability to occur and the significance of its consequences. Risk assessment indicators can be used to identify potential risks. A risk indicator is an example describing an event or situation which could possibly pose a risk to ISCC CORSIA. Once a risk is identified it must be evaluated according to its relevance in the specific situation. The result of the evaluation leads to the classification of the risk. During ISCC CORSIA audits the risk is evaluated and classified with a risk level (regular, medium, high) and a risk factor (1,0, 1,5, or 2.0). Risk management means the overall process of risk assessment Definition risk (identification and evaluation of the risk) followed by the identification and management implementation of risk control measures to reduce the probability and/or the negative consequences associated with a risk. Therefore, the risk management process within the scope of ISCC CORSIA is carried out in two main steps: 1 Risk assessment: > Identification, > Evaluation, and > Classification of risk level and risk factor 2 Identification and implementation of appropriate risk control measures Risk management is relevant on three different levels in the ISCC CORSIA Levels of system: For ISCC as an organisation, for CBs cooperating with ISCC, and for application System Users being certified according to ISCC. On each level the principles for risk management must be taken into account and applied appropriately. 4.1.1 ISCC Risk management is an integral part of all operations and decisions in the Continuous ISCC systems. ISCC continuously monitors potential risks to the integrity of monitoring ISCC through: © ISCC System GmbH 19 ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT > the multi-stakeholder dialogue of ISCC and the ISCC stakeholders, e.g. during Stakeholder Committees and Working Groups, > regular meetings with recognised CBs to exchange feedback and practical experiences, > continuous feedback from System Users including complaints or reports of non-compliance or alleged fraudulent behaviour, > the ISCC Integrity Program, and > a continuous internal review of audit documentation submitted to ISCC. If risks for ISCC are identified in specific regions or regarding specific topics, Stakeholder ISCC will engage with relevant stakeholders and may implement a involvement Stakeholder Committee or Working Group for the development of appropriate risk control measures. For the development of appropriate risk control measures a fact-based analysis of the risk must be taken into account. Furthermore, ISCC promotes new developments, tools and other measures Promotion of risk to improve the risk management process. This includes for example the use management tools and application of risk assessment tools e.g. for remote sensing analysis, to assess land use change and other land related sustainability criteria, or databases improving the traceability of sustainable material and the respective sustainability claims and thus reducing the risk of fraud. The ISCC Integrity Program is an important tool used by ISCC to continuously ISCC Integrity identify and analyse potential risks for the ISCC system, the practical Program application of ISCC by System Users, and the verification by CBs. Within the ISCC Integrity Program, ISCC conducts independent Integrity Assessments to evaluate the performance of CBs as well as of certified System Users. Integrity Assessments can be conducted at the cooperating CBs head office or at the sites of the certified System Users. The results of the Integrity Program are a basis of ISCC’s risk management and are used to improve the quality of the system and to reduce the risk of non-conformity. Audit documentation has to be submitted to ISCC after an audit has been Internal review conducted. The ISCC head office internally reviews this documentation as a part of the risk management process. Such internal review ensures a consistent application of ISCC and a level playing field for CBs and System Users. 4.1.2 Certification Bodies For CBs cooperating under ISCC CORSIA, risk management focuses on Risk internal processes of the CB as well as on the services the CB provides to management procedures System Users (ISCC audits). Internally, CBs should have appropriate risk management procedures in place covering potential risks for the integrity of ISCC which may derive from the activities of the CB. As CBs are conducting ISCC audits for external parties (System Users) CBs must also have an internal procedure on how to perform reliable risk assessments for System © ISCC System GmbH 20 ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT Users to be certified. The general requirements for CBs are specified in ISCC CORSIA Document 103 “Requirements for Certification Bodies and Auditors”. Recognised CBs are obliged to participate in office audits scheduled by ISCC in the framework of the ISCC Integrity Program. It is recommended (but not mandatory) that CBs also participate in Integrity Assessments at System Users certified by the respective CB. On a regular basis, ISCC invites the recognised CBs to exchange feedback and practical experiences and to discuss potential risks identified during the day-to-day work of the CBs and of ISCC. At the beginning of each ISCC CORSIA audit, the CB must conduct a risk Risk assessment assessment for the System User to be certified. During this risk assessment during audits the CB identifies, evaluates and classifies the risk according to one of the three ISCC risk levels (regular, medium, high). The risk assessment is conducted according to the principles specified in chapter 4.2. Relevant risk indicators applicable to the individual situation must be taken into account for the risk assessment. Based on the CBs professional knowledge and the information submitted by the System User, the CB must especially analyse such risks which could lead to a material misstatement. During the risk assessment for System Users CBs may also investigate ISCC CORSIA documents or other reliable sources, whether country-specific information is available for the region where the audit will be conducted. This can include for example a web-based inquiry of current reports from NGOs, journals or other media regarding social or environmental issues relevant for ISCC CORSIA in the respective region. The result of this investigation must be taken into consideration for the identification and evaluation of a risk and when the audits are planned and conducted. Depending on the result of the risk assessment the intensity and focus of the Sample size and audit is determined according to the principles specified in chapter 4.3. This audit intensity means, the higher the determined risk factor the more thoroughly the audit needs to be conducted to verify and to ensure compliance with ISCC CORSIA requirements. In case sampling is applied during the audit (group certification), the risk factor determined by the CB drives the sample size of group members to be audited (see ISCC CORSIA Document 206 “Group Certification”). During audits, the CB should follow a risk-based approach and put a special focus on areas for which the risk assessment has indicated higher risks instead of areas with a lower risk. Furthermore, the CB should take into account the results from previous audits. Depending on the fact-based findings during the audit, the CB is entitled to increase (or reduce) the risk level. 4.1.3 ISCC System Users Each System User must start the implementation process of ISCC CORSIA Self-assessment by conducting an internal risk assessment (self-assessment) in view of potential risks of its activities for the integrity of ISCC CORSIA. In analogy to the external risk assessment conducted by the CB, the self-assessment can be conducted based on the principles and risk indicators specified in chapter © ISCC System GmbH 21 ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT 4.2. Corresponding to the result of the self-assessment, the System User should design its internal (quality) management system in a way to appropriately address and minimise the identified risks of its activities for the integrity of ISCC CORSIA. Prior to the audit of a System User, the CB conducts an independent risk Independent risk assessment. During this risk assessment the CB should take into account the assessment results of the self-assessment performed by the System User and the design of the System User’s management system especially with respect to the identified risks. The risk assessment on the level of System Users focuses on the (internal) Internal processes of the System User and the risk of non-conformity with the processes applicable ISCC CORSIA requirements and principles specified in the ISCC system documents. All System Users are obliged to participate in Integrity Assessments Integrity scheduled by ISCC in the framework of the ISCC Integrity Program. Program Risk Assessment 4.2.1 Identification of Risk The first step during the risk assessment is to identify potential risks by Analysis of risk analysing the risk indicators listed in this document. Furthermore, an analysis indicators of the geographic conditions and/or the relevant processes must be conducted. This may require the definition of further risk indicators applicable to the individual situation but not explicitly specified within the ISCC CORSIA system. A risk assessment may be conducted partially via a desk assessment, e.g. by verifying land use change with satellite data, by analysing biodiversity information in databases, or by searching databases on protected areas. However, a desk assessment requires a verification of the results at the specific location (so-called “ground-truthing”). The risk indicators identified by ISCC form the basis for the risk assessment in the framework of ISCC CORSIA. They shall be considered during all ISCC CORSIA audits in order to identify potential risks of non-conformity with the ISCC CORSIA requirements or for the integrity of ISCC CORSIA. If ISCC CORSIA audits include the verification of farms, a risk assessment Assessment of must be conducted to determine the risk of non-conformity with the ISCC farms CORSIA or ISCC CORSIA PLUS sustainability requirements (see ISCC CORSIA Document 202 “Sustainability Requirements”). Particularly, the risk of violations of either the applicable approved CORSIA sustainability criteria or ISCC Principle 1 must be taken into account, depending on the certification system chosen. This means, it must be assessed if a farm is located within the proximity of areas where the cultivation of biomass is prohibited under ISCC CORSIA or ISCC CORSIA PLUS. The risk of non-conformity of farms should be assessed with appropriate and reliable databases or remote sensing tools allowing for a meaningful and well-balanced result for the respective region. © ISCC System GmbH 22 ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT If ISCC CORSIA audits include waste and residues, the risk assessment must Assessment of be conducted to determine the risk of false claims and the risk of “intentional” waste or production of waste and residues. This means that the focus should be on the residues verification if a material is a genuine waste or residue, and on the correct and consistent classification and declaration of the material by the point of origin and by the collecting point (see ISCC CORSIA Document 201-1 “Waste, Residues and By-Products”). The traceability and chain of custody of sustainable material is a relevant Traceability and aspect for risk assessment for all System Users (see ISCC CORSIA chain of custody Document 203 “Traceability and Chain of Custody”). It must be assessed if there is a specific risk that non-sustainable material is sold or delivered as being sustainable and if the requirements on mass balance are complied with. With regards to the life cycle emissions value of CORSIA eligible fuels, it must Life cycle be assessed if there is a risk of an incorrect calculation or false declaration of emissions the emissions (see ISCC CORSIA Document 205 “Life Cycle Emissions”). A non-exhaustive overview on significant risk indicators for ISCC CORSIA and ISCC CORSIA PLUS is provided in table 1. Table 1: Overview on typical risk indicators Risk Indicators for Risk Indicators for General Risk Indicators Farms and Plantations Waste and Residues > Determination, structuring, > Proximity to and/or > Type of point of organisation and overlap with no-go origin (e.g. documentation of the areas (forest land, restaurant, number of work flows and peatland, wetlands, processing plant, their complexity (in-house highly biodiverse landfill, etc.) processes) grassland, etc.) > Size of point of > Number, structuring, > Land conversion origin and amount organization, expertise, shortly before or of waste/residue management, involvement after January 1st material generated and controlling of the 2008 per month (high subcontractors and external > Factors influencing amounts of service providers significantly the waste/residues may > Number and structuring of output per acreage indicate a higher the workflows that are and the output per risk of non- carried out by ha. conformity or fraud) subcontractors compared to > Employment of > Status of the the ones that are carried out migrant workers material (genuine by permanent in-house staff > Ratification and waste/residue) > In-house quality degree of > Declaration or management system, implementation of labelling of the internal audits (structure and ILO core labour material according documentation) standards. to the ICAO positive > Transparency (public list reporting, involvement of local interest groups, © ISCC System GmbH 23 ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT Risk Indicators for Risk Indicators for General Risk Indicators Farms and Plantations Waste and Residues independent audits, social, > Risk of intentional environmental and “production” of economical aspects of waste or residues sustainability) > Risk of intentional > Mechanisms for conflict modification of resolution established products to be independently, documented declared or claimed and implemented as waste or > Management of conflicts of residues interests and corruption prevention > Risk of corruption and fraud (e.g. according to OECD list, Transparency International Corruption Perceptions Index, etc.) – i.e. how serious is the external risk of corruption and how does this influence the implementation > Yield or conversion factors in internal processes > Certification history, including previous or current ISCC certification as well as certification under other sustainability certification systems, especially those recognized by ICAO within the framework of CORSIA > Frequency of changes in certification system (so- called “scheme hopping”) > Accuracy of records and documents > Degree of topicality, updating frequency of records and documents > Accessibility of records and documents > Completeness of records and documents > Individual calculation of life cycle emissions > Risk of single consignments (batches) being claimed more than once (so-called “double-accounting”) © ISCC System GmbH 24 ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT 4.2.2 Evaluation of Risk The second step of the risk assessment is to evaluate and classify the Aspects for identified risk. For the evaluation of the identified risk, the following elements evaluation and classification must be taken into consideration: > Sources and reasons of the risk > Identification of potential consequences from the risk if it would occur, the impact (e.g. negligible, moderate, critical) and the probability of its occurrence (e.g. unlikely, occasional, likely) > Factors influencing the consequences and the probability of the risk to occur > Differing importance or emphasis of the risk by different stakeholders Based on the risk evaluation, the risk is classified according to one of the three Risk levels and risk levels: factors > Regular (risk factor 1,0) > Medium (risk factor 1,5) > High (risk factor 2,0) A risk assessment matrix may be used to facilitate the classification of the risk (see example in table 2). Table 2: Example of a risk assessment matrix Probability of Occurrence Consequences Likely Occasional Unlikely Critical High High Medium Moderate Medium Medium Regular Negligible Medium Regular Regular With respect to the evaluation of the risk on farm level, the principles and Risk evaluation requirements specified in ISCC CORSIA Document 202 “Sustainability on farm level Requirements” must be considered. Especially the differentiation between “major must” and “minor must” criteria should be taken into account for the evaluation and classification of a risk. Relevant risks on farm level include: > Biomass production on land with high carbon stock as well as on land with high biodiversity value and with high conservation value (see ISCC Principle 1), > Biomass production with a negative environmental impact, e.g. on soil, water and air (see ISCC Principle 2), © ISCC System GmbH 25 ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT > Unsafe working conditions (see ISCC Principle 3), > Violations of human rights, labour rights or land rights (see ISCC Principle 4), > Violations of applicable legislation (see ISCC Principle 5), and > Not implementing good management practices (see ISCC Principle 6). With respect to the risk of a flawed or deficient documentation the following Documentation guidance can be given for the risk evaluation and classification: > If the necessary records and documents are kept accurately, up to date, complete, easily accessible and there is no indication of non-conformity with ISCC CORSIA requirements the risk can be classified as regular. The risk for non-conformity with traceability requirements can e.g. be considered to be regular, if appropriate track-and-trace databases are used and can be accessed by the CB during the audit. > If the necessary records and documents are not kept accurately and are not easily accessible, the risk should be classified as medium. > If the records and documents are not continuously up to date and not kept to full extent, i.e. files are missing, files are not accessible, files are not disclosed, or if there is indication for non-conformity or fraud the risk should be classified as high. Accounting for Specific indication of non-conformity with ISCC CORSIA requirements must indications of be taken into account appropriately during the risk evaluation and non-conformity classification. If non-conformities are detected during an ISCC CORSIA audit that relate to Non-conformity claims made by the System User during the certification period, a high-risk level must be applied during the audit. This especially applies in case of non- conformities that have an impact on the downstream supply chain, e.g. non- conformity with the mass balance requirements, non-conformity of sustainability declarations (e.g. false information), non-conformity with the life cycle emission requirements (e.g. incorrectly determined life cycle emission value). In this case a high-risk classification must also be applied during the subsequent recertification audit of the respective System User. It is up to the CB’s judgement to discontinue the audit if the risk is ranked high Adjustment of and if either the documentation is not easily accessible or the amount of risk level unavailable documentation does not allow for a professional audit. Depending on the actual findings during the audit, the CB is entitled to increase or reduce the risk level applied during the audit. Identification and Implementation of Risk Control Measures Elements of risk control © ISCC System GmbH 26 ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT After the risk is identified and evaluated it must be managed properly to ensure that the probability of non-conformity with ISCC CORSIA requirements is continuously minimized. This is done by applying the following elements: > Adjusting the intensity of audits to adequately take into account the risk. In case of group certification this means that the size of the sample may be adjusted. With regards to traceability, this means adjusting the number of documents to be verified by the CB. > Carrying out announced or unannounced surveillance audits if necessary > Adjusting the tasks of the management of a System User, in particular with regards to > Specification of responsibilities > Training of employees > Documentation > Duty to report (including reporting and submitting documents to the CB or to ISCC) > Internal auditing and management system > Extending the definition of risk factors for certain areas by ISCC Adjustment of If the audit includes sampling of third party locations, i.e. farms, points of origin sample size or (dependent) storage facilities, the minimum sample size must be multiplied with the determined risk factor (1,0, 1,5 or 2,0). The risk factor therefore determines the number of locations which must be audited (see ISCC CORSIA Document 206 “Group Certification”). In case of non-conformity of individual group members, the determined sample size (s) of the current audit must be doubled. If the audit includes chain of custody verification, i.e. traceability and Verification plausibility of amounts, the risk factor drives the intensity of the audit with intensity of documents respect to documentation to be verified. The entire documentation relevant for ISCC CORSIA for a complete year must be available during an ISCC CORSIA audit in order to evaluate the mass balance calculation and allow for plausibility checks between company reporting and mass balance results. However, it is (usually) not required that the CB verifies every single document (e.g. weighbridge tickets, Sustainability Declarations, contracts, etc.) of an entire year. Instead, the CB is entitled and must be able to take random document samples to check whether records and documents meet the requirements for traceability. It is the CB’s responsibility to define the size of the sample that will permit the CB to reach the level of confidence necessary to issue a certificate. Following guidelines can be applied: © ISCC System GmbH 27 ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT > If the risk is classified as “regular” random document samples from three successive months are sufficient to assess whether the applicable ISCC CORSIA requirements are met. > If the risk is classified as “medium”, random document samples from three successive months as well as all documents from one complete month should be checked. > If the risk is classified as “high”, the documents of three successive months should be checked completely. © ISCC System GmbH