ISCC_CORSIA_204_Audit_Requirements_and_Risk_Management_2.0.pdf

Full Transcript

ISCC CORSIA 204
AUDIT REQUIREMENTS AND
RISK MANAGEMENT
Version 2.0
 II

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
Copyright notice

© 2023 ISCC System GmbH

This ISCC document is protected by copyright. It is freely available from the ISCC website
or upon request.

No part of this copyrighted document may be changed or amended. The document may not
be duplicated or copied in any form or by any means for commercial purpose without
permission of ISCC.

Document Title: ISCC CORSIA 204 Audit Requirements and Risk Management
Version 2.0
 III

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
Content

Summary of Changes................................................................................................................ 4

1 Introduction....................................................................................................................... 5

2 Scope and Normative References................................................................................... 5

3 Audit Requirements.......................................................................................................... 5
3.1 Definitions and General Requirements................................................................... 5
3.2 Audit Procedures and Reports.............................................................................. 11
3.3 Specific Audit Requirements................................................................................. 12
3.3.1 Farms and Plantations................................................................................. 12
3.3.2 Points of Origin............................................................................................ 14
3.3.3 Central Office............................................................................................... 14
3.3.4 First Gathering Point and Collecting Point.................................................. 14
3.3.5 Processing Unit............................................................................................ 15
3.3.6 Storage Facilities and Logistic Networks..................................................... 16
3.3.7 Traders......................................................................................................... 16
3.3.8 Other Elements of the Supply Chain........................................................... 16
3.4 Mandatory Surveillance Audits............................................................................. 17
3.5 Non-Conformities.................................................................................................. 17
3.4.1 Definition and General Requirements......................................................... 17
3.4.2 Sanctions..................................................................................................... 17
3.4.3 Conflict Resolution....................................................................................... 18

4 Risk Management........................................................................................................... 18
Definitions, Process and Levels of Application..................................................... 18
4.1.1 ISCC............................................................................................................. 18
4.1.2 Certification Bodies...................................................................................... 19
4.1.3 ISCC System Users..................................................................................... 20
Risk Assessment................................................................................................... 21
4.2.1 Identification of Risk..................................................................................... 21
4.2.2 Evaluation of Risk........................................................................................ 24
Identification and Implementation of Risk Control Measures............................... 25

© ISCC System GmbH
 4

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
Summary of Changes
The following is a summary of all content changes to the previous version of the document (ISCC
CORSIA Document 204, v1.1). Minor amendments which do not affect the content, e.g.
corrections of phrasings, marginal notes, amendments of graphics, etc. are not listed.

Summary of changes made in version 2.0 Chapter

No material changes have been made from v1.2 to v2.0 of this document. 3.1
Addition: Two paragraphs on rules for conducting remote audits under ISCC
3.1
CORSIA.
Addition: Chapter on mandatory surveillance audits for high-risk supply chains. 3.4
Deletion: Chapter on non-conformities deleted and instead reference to ISCC
3.5.1
CORSIA Document 102 “Governance”, which gives detailed information on the topic

© ISCC System GmbH
 5

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
1 Introduction
In compliance with CORSIA requirements, ISCC has a documented plan for High quality
addressing the risks to the integrity of the ISCC CORSIA and ISCC CORSIA verification
PLUS systems. Clear requirements on how to conduct audits and how to
manage risks are an integral part of ISCC’s quality policy. They are key factors
for ensuring the integrity, reliability, credibility, and quality assurance of ISCC.

The requirements specified in this document describe the relevant aspects to Audit process
be considered and procedures to be followed when carrying out ISCC and aspects
CORSIA and ISCC CORSIA PLUS audits. The audit requirements include the
aspects relevant to all ISCC CORSIA and ISCC CORSIA PLUS audits as well
as the criteria which are only relevant to specific types of operation to be
audited. Certification bodies (CBs) are required to apply the audit objectives
to meet the respective certification requirements.

2 Scope and Normative References
This document covers the requirements on how ISCC CORSIA and ISCC Best practice
CORSIA PLUS audits are to be conducted at different elements of the supply principles
chain, the risk management process under ISCC CORSIA and ISCC CORSIA
PLUS applicable to all activities of ISCC and the implications of risks for ISCC
CORSIA and ISCC CORSIA PLUS audits. The risk management process
takes into account best practice principles of the ISEAL “Code of Good
Practice for Assuring Compliance with Social and Environmental Standards”.
The principles for risk management and carrying out audits complement the
requirements laid down in the ISCC CORSIA system documents. They apply
to ISCC, System Users and recognised CBs conducting ISCC CORSIA and
ISCC CORSIA PLUS audits.

Requirements with regard to auditing and risk management are largely the References
same for ISCC CORSIA and ISCC CORSIA PLUS. Therefore, as a basic
principle, all references made to ISCC CORSIA in this document apply to
ISCC CORSIA PLUS as well. Whenever requirements differ between the two
systems, this is explicitly stated.

3 Audit Requirements
3.1 Definitions and General Requirements
General audit requirements apply to all ISCC CORSIA audits irrespective of General audit
the individual specifications or conditions of the audited site or operation. The requirements
general requirements are mandatory for all types of System Users audited in
the framework of ISCC CORSIA.

Specific audit requirements apply only to audits of specific System Users or Specific audit
under specific circumstances. Such audit requirements depend on the requirements

© ISCC System GmbH
 6

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
particular type of operation being audited or the materials handled by the
audited System User, e.g. waste, residues or by-products.

Certification audits1 are audits which are the basis for a CB to issue an ISCC Certification
CORSIA certificate. audit

Surveillance audits can be imposed by the CB to verify compliance with ISCC Surveillance
CORSIA requirements during the validity period of a certificate issued by the audit
respective CB. Surveillance audits may focus only on the implementation of
partial aspects of ISCC CORSIA requirements. ISCC may require CBs to
conduct surveillance audits, if necessary, for example in high-risk supply
chains.

System Users that register with ISCC and want to receive a certificate are Registration with
subject to an audit during which a recognised CB verifies compliance with the ISCC
applicable ISCC CORSIA requirements. An ISCC CORSIA audit must always
be conducted before a certificate can be issued.

Prior to any ISCC CORSIA audit, System Users must have concluded a Certification
certification contract with one of the recognised CB’s cooperating with ISCC. contract
After concluding the contract with a CB, the System User must register with
ISCC. During the registration process, the System User provides basic
information to ISCC including the applicable scope for certification (e.g. the
type of operation). The ISCC CORSIA certificate must only cover the scope
that correctly represents the activities of the System User. It is not possible to
audit a scope or type of operation which does not correctly represent the
activity of the System User or is not actually relevant for the System User.

Prior to any ISCC CORSIA audit, the certification history of the System User Certification
must be evaluated. The CB is obliged to assess if the System User is not history
currently suspended from certification due to major non-conformities under
another relevant sustainability certification system, especially under one of the
systems recognized by the ICAO Council within the framework of CORSIA. If
a System User is suspended (or “blacklisted”) by another sustainability
certification system, a certification under ISCC CORSIA is not possible, until
the suspension expires. The System User is obliged to report to ISCC and to
its CB immediately, if certificates from other sustainability certification systems
are withdrawn due to non-conformities. If the CB receives notice of such a
withdrawal of a certificate, the CB is obliged to inform ISCC immediately.
Likewise, if an economic operator seeks re-certification under ISCC CORSIA
and was previously found to be in major non-conformity with any other
certification system, the CB is required to bring this to the attention of ISCC.
ISCC will assess and evaluate such situations and possible consequences on
a case-by-case basis taking into account the potential risk for the integrity of
ISCC CORSIA.

System Users are obliged to provide accurate and true information to ISCC Accurate and
and to the CB. Furthermore, System Users are obliged to declare to ISCC and true information

1
In the following the term „audit“ refers to a certification audit unless specified otherwise.

© ISCC System GmbH
 7

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
to the CB the names of all other sustainability certification systems they are
participating in simultaneously to ISCC, or sustainability certification systems
they have previously been participating in (certification history). System Users
are obliged to make available to the CB all relevant information including the
mass balance data and the auditing reports also regarding other sustainability
certification systems used. If a System User that was previously in major non-
conformity with these requirements or with any other aspect of the mandatory
sustainability criteria seeks recertification, the CB is obliged to inform ISCC.

ISCC CORSIA audits are retrospective and focus on the verification of claims Retrospective
made during the previous period of certification. An exception to this rule is audit
the first (initial) audit of a System User during which a retrospective audit of
claims is not possible and thus the focus of the audit is on the necessary
procedures to appropriately implement and apply ISCC CORSIA.

An audit to verify compliance of a System User is required at least every Annual audit
twelve months. System Users should arrange for audits to be conducted in a
way that reduces the risk of a gap between two certificates. If there is
indication of non-conformity or fraud the frequency or intensity of audits may
be increased. This means, that a CB is entitled to conduct additional
(surveillance) audits e.g. in case there is reasonable doubt of compliance with
the ISCC requirements or in order to verify substantiated allegations of
fraudulent behaviour. It is the CB’s responsibility to define the intensity of the
audit or the size of a sample that will permit the CB to reach the level of
confidence necessary to issue a certificate.

ISCC CORSIA audits have to be conducted on-site at the location of the On-site audit
System User registered for certification. Audits are conducted throughout the
entire CORSIA eligible fuel supply chain. All System Users need to be audited
individually. Group auditing and sampling can only be applied at the beginning
of the chain of custody as well as for storage facilities according to the
requirements specified in ISCC CORSIA Document 206 “Group Certification”.

ISCC CORSIA audits (including, in particular, initial audits) should be Audit modality /
performed on-site. Particular aspects of an audit, including for instance the remote audits
verification of a life cycle emissions calculation, can be based on a desk
assessment. Fully remote audits by the CB are only permitted under the
following conditions:

> The audit risk as assessed by the certification body is low.
> The same level of assurance can be achieved with remote audits as
with on-site audits.

> Sufficient traceability and mass balance records, life cycle emissions
data and other forms of appropriate evidence are available.

> The systems in place for collecting and processing traceability and life
cycle emissions data and ensuring data quality are reliable.

© ISCC System GmbH
 8

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
Before CBs are allowed to conduct any particular ISCC CORSIA audit Remote audit
remotely, they will have to hand in a filled in justification template to ISCC, justification
outlining and justifying in detail how the abovementioned conditions are
fulfilled for that particular audit. ISCC provides the justification template in the
CB section of the client section on the ISCC website.

In particular, risk assessments and the analysis of land use change after 1 Use of tools in
desk audits
January 2008 on a specific area may be conducted on-site, or by using tools
which may even provide a more reliable level of assurance than an on-site
audit, or by a combination of on-site and desk audit. The use of independent
traceability databases may also allow for an equivalent level of assurance as
an on-site audit. Precondition for verifying compliance with ISCC requirements
based on such tools is the analysis and approval of the respective tool by
ISCC as being appropriate to provide at least the same level of assurance as
an on-site audit.

ISCC will carry out assessments of such tools based on the following criteria: Assessment
process
> Methodology and algorithms of the tool are transparent
> Information sources used are transparent and reliable
> The tool must allow for clearly reproducible and consistent results
> The tool should include latest available data
> Traceability databases must cover all sustainability data required by
ISCC

> CBs must have access to the tool and must be enabled to verify
compliance with the requirements

> Mechanisms to avoid fraud and misuse must be in place
If a tool has been approved by ISCC, ISCC will communicate this to its System Publishing of
Users and will publish this information on the website. ISCC will indicate the approved tools
scope for which the tool has been approved and for which countries or regions
the tools can be used.

In any case, audits must follow a risk-based approach and take into account Risk based
the risk according to the principles specified in chapter 4. This means, if the approach
result of a desk audit based on tools or systems approved by ISCC does not
provide a sufficient level of assurance or even indicates non-conformity with
ISCC requirements, the CB must take appropriate further actions to
sufficiently verify compliance, e.g. the verification on-site.

The verification of compliance with the land-related sustainability Verification of
requirements may be conducted equivalently to an on-site audit by using compliance with
land-related
remote sensing tools, high quality satellite images of the cultivation area and sustainability
databases (e.g. regarding protected areas, areas with high biodiversity, requirements
peatland, etc.) which are approved by ISCC.

© ISCC System GmbH
 9

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
The address or location of the operational unit registered and audited will be
Site-specific
published on the ISCC CORSIA certificate. The address of the operational certificate
unit to be certified cannot be a post box. So-called “letterbox companies”
cannot participate in the ISCC CORSIA system.

Each System User registered for certification under ISCC CORSIA must Internal
conduct an internal assessment (self-assessment) of compliance with the assessment
ISCC CORSIA requirements at least once a year. This internal assessment
should focus on the ISCC CORSIA requirements applicable at the respective
type of operation and on relevant risks (also see chapter 4.1.3). The results of
the internal assessment must be documented, reviewed and signed by the
management of the System User. The results of the internal assessment must
be made accessible to the CB during the certification audit.

During each audit a risk-based approach according to the principles specified Risk-based audit
in chapter 4.3 should be followed by the CB. This means, that a higher risk approach

classification results in a higher sample size (in case sampling is part of the
audit) and/or in an increased number of documents to be verified by the CB.
During the audit, the CB must identify the activities undertaken by the System
User which are relevant for ISCC. This includes the identification of relevant
systems and the overall organisation especially with respect to the applicable
ISCC CORSIA requirements and the effective implementation of relevant
control systems. During the audit the CB should draw up a verification plan
which corresponds to the risk analysis and the scope and complexity of the
System User’s activities and which defines the sampling methods to be used
with respect to the System User’s activities. The CB should carry out the
verification plan by gathering evidence in accordance with the defined
sampling methods, plus all relevant additional evidence, upon which the CB’s
verification decision will be based. It is the System Users obligation to provide
any missing elements of audit trails, to explain variations, or revise claims or
calculations, before the CB can reach a final verification decision (i.e. the
decision to issue a certificate).

In the case a System User participates in or has recently participated in more Verification of
than one sustainability certification system, the CB must always verify that claims
multiple claiming (so called “double accounting”) of sustainability
characteristics cannot and did not occur. For this verification, the CB is entitled
and obliged to assess the relevant documentation (e.g. mass balance,
auditing reports) of all relevant certification systems. This is especially
necessary to verify the overall plausibility of incoming and outgoing
sustainable material and ensures that not more sustainable material is sold
than has been received. The CB must be given access to all documentation
that is deemed necessary to get a complete understanding of the individual
situation. Access to be given to the CB includes access to databases used by
the System User to handle sustainable material.

System Users must have a documentation and quality management system Documentation
which can be audited by the CB. Such a system must include evidence related and quality
management
to the claims the System Users makes under ISCC CORSIA, e.g.

© ISCC System GmbH
 10

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
Sustainability Declarations, Proofs of Sustainability, or related contracts. The
relevant documentation must be kept for at least five years. System Users are
responsible and obliged for preparing any information related to the auditing
of such evidence and documentation. Such a system should normally include
the following aspects:

> a description of the relevant products,
> quality objectives and the organisational structure, responsibilities and
powers of the management,

> corresponding manufacturing, quality control and quality assurance
techniques, processes and systematic actions that will be used,

> quality records, such as inspection reports and test data, calibration
data, qualification reports on the personnel concerned, etc.

If an audit includes the verification of individual life cycle emission calculations, Verification of
the requirements specified in ISCC CORSIA Document 205 “Life Cycle individual
calculations
Emissions” must be met.

Audits should be conducted taking into account the principles specified in ISO Plan, Do, Check,
19011 (plan, do, check, act) or a justified equivalent. The CB must establish Act
at least a “reasonable assurance level” when conducting audits.

A “reasonable assurance level” in the context of ISCC CORSIA and following Reasonable
the International Standard on Assurance Engagement (ISAE) 3000 (revised) assurance level
is an “assurance engagement in which the practitioner reduces engagement
risk to an acceptably low level in the circumstances of the engagement as the
basis for the practitioner’s conclusion”.2 It should obtain a level of assurance
that is higher than in a “limited assurance level” approach. This means for
example that the auditor focuses less on inquiring the economic operator’s
staff as he/she would in a limited assurance level approach; and relatively
more emphasis is placed on assessing documents and records. Furthermore,
the sample size of assessed evidence should be greater than in a limited
assurance level scenario.

If compliance with the ISCC CORSIA requirements has been verified during Issuance of the
the audit, the CB can issue an ISCC CORSIA certificate. The certificate must certificate
be issued no later than 60 calendar days after the audit of the System User
registered for certification was conducted. CB’s conducting ISCC CORSIA
audits must comply with the requirements specified in ISCC CORSIA
Document 103 “Requirements for Certification Bodies and Auditors”. The CB
is responsible to properly plan, conduct and report on the audit especially with
respect to nature, timing and extent of evidence gathering procedures. The
audit must be conducted in such a way that a meaningful level of assurance
for a decision regarding compliance with the ISCC CORSIA requirements is
available.

2
International Federation of Accountants (2020), International Standard on
Assurance Engagement (ISAE) 3000 revised.

© ISCC System GmbH
 11

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
An overview on the certification process based on the principles of ISO 19011
is provided in figure 2.

Figure 1: Certification process based on the principles of ISO 19011

Independent of the type of operation participating in ISCC CORSIA Documents with
certification, the CB must especially consider the requirements specified in the relevant
requirements for
following documents during each audit to be conducted: the audit
> ISCC CORSIA 201 System Basics
> ISCC CORSIA 201-1 Waste, Residues, By-Products
> ISCC CORSIA 202 Sustainability Requirements
> ISCC CORSIA 203 Traceability and Chain of Custody
> ISCC CORSIA 204 Audit Requirements and Risk Management
> ISCC CORSIA 205 Life Cycle Emissions
> ISCC CORSIA 206 Group Certification

3.2 Audit Procedures and Reports
On the basis of the ISCC CORSIA system documents, ISCC provides Audit procedures
technical (working-) documents to CBs and System Users. These “audit (checklists)
procedures” or “checklists” ensure that all ISCC CORSIA audits are conducted
on the basis of the requirements specified in the ISCC CORSIA system
documents. The audit procedures support the work of the CBs and facilitate a
consistent and comparable verification of the ISCC CORSIA requirements
during ISCC CORSIA audits. CB’s have to use the audit procedures in the
latest applicable version provided by ISCC during any ISCC CORSIA audit.
System Users can use the audit procedures to conduct internal assessments,
for internal training or to prepare for an audit. The audit procedures include
relevant details of the audit including e.g. the length of the audit, the address

© ISCC System GmbH
 12

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
where the audit was conducted, the audit participants, audited documents as
well as information relevant for the certificate (e.g. type of sustainable
material, scope of certification).

The audit procedures may contain relevant data about the amounts of Data collection
sustainable material handled by System Users. This is necessary to enable and reporting
ISCC to accumulate reliable information about the total amounts of
sustainable material covered by ISCC CORSIA certification and/or the total
cultivation area complying with ISCC CORSIA requirements. ISCC will treat
the information from individual System Users confidential if not required
otherwise by law or by competent authorities. ISCC is entitled to gather,
accumulate and publish such data about the system (in anonymised form),
especially in order to fulfil reporting obligations in the framework of CORSIA.
Specific reporting obligations of ISCC are specified in ISCC Document 102
“Governance”. The CB verifies the correctness of such data during the audit
and submits the data to ISCC. System users are obliged to provide correct
and complete data about the sustainable amounts handled to the CB.

After the audit has been conducted, the CB submits the audit procedures used Audit procedures
during the audit to ISCC. In the case of a positive certification decision, the and report
CB is obliged to prepare a report, containing the relevant audit results. This
report must be provided to ISCC. The ISCC CORSIA procedures and the audit
report must be submitted together with the certificate issued by the CB. The
audit report may be published on the ISCC website. In the event that the
external audit showed that the audited System User did not meet the
requirements of ISCC CORSIA, the audit procedures must be submitted to
ISCC immediately after termination of the audit. If elements of the supply chain
(which are part of a group) were audited non-compliant the CB must sent the
information of such group members to ISCC.

3.3 Specific Audit Requirements

3.3.1 Farms and Plantations
The ISCC CORSIA Document 202 specifies the principles for the cultivation ISCC
of sustainable biomass under ISCC CORSIA and ISCC CORSIA PLUS. Under sustainability
principles
ISCC CORSIA, the relevant approved CORSIA sustainability criteria must
always be complied with. Under ISCC CORSIA PLUS, the ISCC Principles 1-
6 are relevant.3 Here, the requirements of ISCC Principle 1 must always be
complied with in any case. Violations of the applicable CORSIA sustainability
criteria and/or ISCC Principle 1 are critical non-conformities and cannot be
subject to corrective measures. ISCC Principles 2 to 6 are comprised of major
and minor must requirements. All major must requirements must be complied
with in order to be considered compliant with ISCC CORSIA PLUS.
Additionally to the major must requirements, at least 60% of the minor must

3
Please note that, to be compliant under ISCC CORSIA PLUS, in addition to auditing with
regard to ISCC Principles 1 to 6, separate attestations for CORSIA Themes 10-14 are still
needed. Please see ISCC CORSIA 202 document, chapter 3, page 10.

© ISCC System GmbH
 13

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
requirements must be complied with. Within EU Member States which have
implemented Cross Compliance (CC), farmers that fulfil the criteria through
the implementation and official recognition of CC, are only audited with
respect to the requirements set out in ISCC Principle 1.

A farm is either defined as a distinct legal entity or as an organisation Full compliance
managing an agricultural operation and having control regarding compliance with relevant
sustainability
with the ISCC CORSIA requirements. The audit of a farm must always cover requirements
the entire land (agricultural land, pasture, forest, any other land) of the farm
including, any owned, leased or rented land. Under ISCC CORSIA, biomass
produced on land which is in compliance with the applicable approved
CORSIA sustainability criteria is considered to be sustainable. Under ISCC
CORSIA PLUS, biomass produced on land which is in compliance with the
ISCC Principles 1 to 6 is considered to be sustainable.4 Partial compliance
(e.g. only fulfilling Principle 1 requirements) is not sufficient to declare the
biomass produced as sustainable under ISCC CORSIA PLUS.

Farms participating in ISCC CORSIA are obliged to enable the full Service
assessment and evaluation of all applicable ISCC CORSIA requirements, providers and
sub-contractors
including relevant activities which are outsourced to sub-contractors or service
providers. Relevant sub-contractors or service providers, e.g. for the
application of plant protection products, must be included in the farm audit if
this is necessary to evaluate full compliance with ISCC CORSIA. This should
be included appropriately in contractual agreements between the farmer and
the relevant sub-contractors and service providers. Contractual agreements
must be accessible during the ISCC CORSIA audit.

Farms are either audited and certified as single entities or as part of a producer Individual or
group. It is the choice of the farm to decide whether to be audited and certified group
certification
as a single (individual) entity or as part of a group. The group certification
process and rules for sampling are specified in ISCC CORSIA Document 206.

Farms participating in group certification must conduct a self-assessment and Self-assessment
fill in and sign a self-declaration either to the first gathering point or to the and self-
declaration
central office responsible for the group. On the self-declaration the farmer
declares conformity with the ISCC CORSIA requirements based on the self-
assessment. By signing the self-declaration, the farmer furthermore gives
permission to the CB and to ISCC to verify compliance with the ISCC CORSIA
requirements during an audit.

Farms which are audited non-compliant or which do not agree to participate Non-compliance
in an audit must be excluded from ISCC CORSIA. This is valid until the
respective farm based on its own initiative passes a successful ISCC CORSIA
audit. ISCC must be informed by the CB about such farms, which are audited
non-compliant or which refuse to be audited as a part of a sample.

4
Please note that, to be compliant under ISCC CORSIA PLUS, in addition to auditing with
regard to ISCC Principles 1 to 6, separate attestations for CORSIA Themes 10-14 are still
needed. Please see ISCC CORSIA 202 document, chapter 3, page 10.

© ISCC System GmbH
 14

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
3.3.2 Points of Origin
Points of origin delivering sustainable material under ISCC CORSIA are Waste
obliged to enable an assessment and evaluation of all applicable ISCC prevention

CORSIA requirements to ensure that the material generated is a genuine
waste or residue. A major requirement for points of origin to comply with, is to
demonstrate that any waste or residue material occurring at their premises is
not generated deliberately. The specific requirements for points of origin are
specified in ISCC CORSIA Document 201-1.
Self-declaration
Points of origin participating in group certification must fill in and sign a self-
declaration either to the collecting point or to the central office. On the self-
declaration the point of origin declares conformity with the ISCC CORSIA
requirements. By signing the self-declaration the point of origin furthermore
gives permission to the CB or to ISCC to verify compliance with the ISCC
CORSIA requirements during an audit. A copy of the self-declaration should
be available during the audit. Points of origin participating in group certification
will not receive an individual certificate, as they will be covered by the
certificate of the collecting point or the central office. Points of origin registered
for individual certification do not need to fill in and sign a self-declaration. They
will receive an individual certificate upon a positive audit.

3.3.3 Central Office
The audit of a central office always consists of an audit of the central office List of group
itself (head office responsible for the group) and a sample of group members. members
A central office can either represent a group of farms or a group of points of
origin. For the ISCC CORSIA audit of members of the group, the requirements
for farms or for points of origin apply respectively. A list of all farms
participating in group certification must be available during the audit and must
be submitted to ISCC together with the audit documents. This list must include
at least the name and address or location of the individual group members.
ISCC is entitled to further specify the information to be provided on the list of
farms. ISCC is entitled to require that a list of all points of origin participating
in group certification is to be submitted to ISCC including at least the name
and address or location of the point of origin. ISCC is entitled to further specify
the information to be provided on such a list.

3.3.4 First Gathering Point and Collecting Point
All first gathering points and collecting points that want to receive and deliver Individual
sustainable material to downstream customers must be certified. Group certification
certification of first gathering points or collecting points is not possible.

First gathering points and collecting points must keep all contracts and related List of suppliers
documentation about incoming sustainable material received from suppliers,
e.g. directly from farms, from points of origin, or from other certified suppliers.
Furthermore, they must keep the respective documents for all outgoing
deliveries of sustainable material. Material, which is received from farms or
from points of origin, complying with the ISCC CORSIA requirements (having

© ISCC System GmbH
 15

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
completed and signed the ISCC self-declaration) must be considered as
sustainable input. However, the first gathering point or collecting point can
choose to sell the sustainable input as non-sustainable. A list of all farms
participating in group certification must be available during the audit and must
be submitted to ISCC together with the audit documents. This list must include
at least the name and address or location of the individual group members.
ISCC is entitled to further specify the information to be provided on the list of
farms. ISCC is entitled to require that a list of all points of origin participating
in group certification is to be submitted to ISCC including at least the name
and address or location of the point of origin. ISCC is entitled to further specify
the information to be provided on such a list.

The first gathering point or collecting point is responsible for ensuring the Traceability and
traceability of sustainable material back to its origin and to comply with the mass balance
mass balance requirements under ISCC CORSIA. A mass balance must be
kept for each location where sustainable material is stored on behalf of the
first gathering point or collecting point.

Warehouses or collection sites that store sustainable biomass entirely on Storage facilities
behalf of a certified first gathering or collecting point are considered as
dependent warehouses or collecting points. These are such supply chain
elements that do not individually buy biomass from suppliers and sell it to
customers in their own name. Such dependent supply chain elements can be
covered by the certificate of the first gathering or collecting point. All
warehouses or other storage facilities, which are used by the certified first
gathering point or collecting point to store sustainable biomass have to be
included in the certification process. A sample must be audited.

It is the responsibility of the first gathering point or collecting point to provide Responsibility to
evidence to the CB, which sustainable materials are (or will be) received from provide evidence
farms or from points of origin. Evidence regarding the type of sustainable
material can include self-declarations, delivery documentation, or contracts
with suppliers. The respective materials will be published on the ISCC
CORSIA certificate.

3.3.5 Processing Unit
All processing units (e.g. oil mills, oil refineries, ethanol plants, HVO plants, Individual
SAF producers or other processing units) that want to deliver sustainable certification
material must be certified individually. Sampling or group certification of
processing units is not possible.

During the audit of a processing unit the CB must especially verify the Traceability and
traceability and plausibility of the incoming and outgoing amounts of conversion
factors
sustainable material as well as the conversion procedure applied within the
processing unit. A part of the assessment of the conversion process is the
determination of conversion factors describing the relation between
sustainable input and sustainable output. It is the responsibility of the
processing unit to provide evidence to the CB, which types of sustainable
material are (or will be) received and processed at the respective unit.
© ISCC System GmbH
 16

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
Evidence can include production reports from the previous year, delivery
documentation, or contracts with suppliers. The respective materials will be
published on the ISCC CORSIA certificate.

3.3.6 Storage Facilities and Logistic Networks
Storage facilities that are used by certified System Users for storing Traceability and
sustainable material must be audited. If the storage facilities belong to a mass balance
logistic network the logistic centre (head office) plus a sample of the
associated storage facilities must be audited. The requirements with respect
to traceability and mass balance apply for all storage facilities. In case of a
logistic network, the certificate to be issued includes an annex listing all
storage facilities covered by the certificate.
During the re-certification audit already audited storage facilities shall not be List of storage
part of the sample again unless all storage facilities have been audited. A list facilities
of all storage facilities participating in group certification must be submitted to
ISCC including at least the name and address or location of the storage
facility. ISCC is entitled to further specify the information to be provided on the
list.

Operators of storage facilities must enable the CB to verify compliance with Ensuring access
the ISCC CORSIA requirements including granting access to all relevant
premises. The CB must at least verify the physical inventory and the related
documentation (e.g. weighbridge tickets), the technical equipment (e.g.
weighbridge, calibrations, etc.), and the data transfer between the operator of
the storage facility and the owner of the sustainable material.

3.3.7 Traders
Traders are responsible for demonstrating the traceability of the sustainable Traceability
material and compliance with the chain of custody requirements. During the
audit a sample of storage facilities will be audited, which are not certified
individually or as a logistic network, if applicable. The audit includes the
respective contractual agreements, procedures to transfer information about
deliveries and other supporting documents or processes. If a trader uses non-
certified storage facilities, it is the responsibility of the trader to enable an on-
site verification of the storage facilities.
The System User is obliged to grant the CB access to the relevant contractual Access to
agreements, documenting all transactions related to sustainable material. relevant
documents

3.3.8 Other Elements of the Supply Chain
Audits may be conducted at other elements of the supply chain that have Relevant system
registered for ISCC CORSIA certification. Based on the individual type of documents

operation, the CB verifies whether the relevant ISCC CORSIA requirements
are fulfilled, especially those requirements as laid down in this document and
in the following documents:

> ISCC CORSIA 201 System Basics

© ISCC System GmbH
 17

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
> ISCC CORSIA 203 Traceability and Chain of Custody
> ISCC CORSIA 205 Life Cycle Emissions

3.4 Mandatory Surveillance Audits
Mandatory surveillance audits have to be conducted by the certification body High-risk supply
six months after the first (initial) certification of any economic operator in a chains

high-risk supply chain. A high risk applies to economic operators that are
collecting, processing, storing or trading materials, which may lead to
particularly high life cycle emissions savings for CEF, such as waste and
residues or waste and residue-based products.5

For collecting points and traders that are dealing with both waste and residues Additional audits
(e.g. used cooking oil or tallow) and with virgin vegetable oils (e.g. palm oil, for collecting
points and
rapeseed oil), a surveillance audit shall be conducted three months after the traders
first (initial) certification (covering the first mass balance period). This
surveillance audit shall be conducted in addition to the surveillance audit that
has to take place six months after the first certification and shall follow the
same risk-based approach. This additional surveillance audit three months
after the first certification may be conducted remotely if a risk assessment for
the individual system user by the certification body has demonstrated a
regular risk. If the risk assessment has shown a risk higher than regular, the
surveillance audit shall be conducted on-site.

3.5 Non-Conformities

3.4.1 Definition and General Requirements
Non-conformity means the non-fulfilment of an ISCC CORSIA requirement Definition non-
either by a CB or by a System User. Non-conformities with ISCC CORSIA conformity
requirements are classified according to the impact of the non-conformity and
the fault of the responsible actor (System User or CB). ISCC CORSIA
Document 102 “Governance” lays out the definitions and general provisions
around non-conformities.
Minor
3.4.2 Sanctions
Depending on the type of non-conformity and the individual situation, ISCC Non-conformities
may impose sanctions against non-compliant System Users. Sanctions may during audits
include the withdrawal of the certificate and the exclusion of System Users.
The general procedure regarding sanctions in case of non-compliant or
fraudulent behaviour of System Users is specified in ISCC CORSIA Document
102 “Governance”.

5
This requirement applies to new system users who aim to become certified for the first time.
System Users that are already certified and want to become recertified will not be subject to
the above surveillance audits.

© ISCC System GmbH
 18

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
3.4.3 Conflict Resolution
Should any conflicts occur during ISCC CORSIA audits the principles Conflicts during
specified in ISCC CORSIA Document 102 “Governance” apply. audits

4 Risk Management
Definitions, Process and Levels of Application
A risk is the probability of an event happening that may or will have an impact Definition risk
on the mission, the goal or the integrity of ISCC CORSIA. It is measured in
terms of a combination of the probability of the event to occur and its
consequences if it does occur.

Risk assessment is the process of identifying and evaluating a risk according Definition risk
to its probability to occur and the significance of its consequences. Risk assessment
indicators can be used to identify potential risks. A risk indicator is an example
describing an event or situation which could possibly pose a risk to ISCC
CORSIA. Once a risk is identified it must be evaluated according to its
relevance in the specific situation. The result of the evaluation leads to the
classification of the risk. During ISCC CORSIA audits the risk is evaluated and
classified with a risk level (regular, medium, high) and a risk factor (1,0, 1,5,
or 2.0).

Risk management means the overall process of risk assessment Definition risk
(identification and evaluation of the risk) followed by the identification and management
implementation of risk control measures to reduce the probability and/or the
negative consequences associated with a risk. Therefore, the risk
management process within the scope of ISCC CORSIA is carried out in two
main steps:

1 Risk assessment:

> Identification,
> Evaluation, and
> Classification of risk level and risk factor
2 Identification and implementation of appropriate risk control measures

Risk management is relevant on three different levels in the ISCC CORSIA Levels of
system: For ISCC as an organisation, for CBs cooperating with ISCC, and for application
System Users being certified according to ISCC. On each level the principles
for risk management must be taken into account and applied appropriately.

4.1.1 ISCC
Risk management is an integral part of all operations and decisions in the Continuous
ISCC systems. ISCC continuously monitors potential risks to the integrity of monitoring
ISCC through:

© ISCC System GmbH
 19

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
> the multi-stakeholder dialogue of ISCC and the ISCC stakeholders, e.g.
during Stakeholder Committees and Working Groups,

> regular meetings with recognised CBs to exchange feedback and
practical experiences,

> continuous feedback from System Users including complaints or
reports of non-compliance or alleged fraudulent behaviour,

> the ISCC Integrity Program, and
> a continuous internal review of audit documentation submitted to ISCC.
If risks for ISCC are identified in specific regions or regarding specific topics, Stakeholder
ISCC will engage with relevant stakeholders and may implement a involvement

Stakeholder Committee or Working Group for the development of appropriate
risk control measures. For the development of appropriate risk control
measures a fact-based analysis of the risk must be taken into account.

Furthermore, ISCC promotes new developments, tools and other measures Promotion of risk
to improve the risk management process. This includes for example the use management
tools
and application of risk assessment tools e.g. for remote sensing analysis, to
assess land use change and other land related sustainability criteria, or
databases improving the traceability of sustainable material and the
respective sustainability claims and thus reducing the risk of fraud.

The ISCC Integrity Program is an important tool used by ISCC to continuously ISCC Integrity
identify and analyse potential risks for the ISCC system, the practical Program
application of ISCC by System Users, and the verification by CBs. Within the
ISCC Integrity Program, ISCC conducts independent Integrity Assessments
to evaluate the performance of CBs as well as of certified System Users.
Integrity Assessments can be conducted at the cooperating CBs head office
or at the sites of the certified System Users. The results of the Integrity
Program are a basis of ISCC’s risk management and are used to improve the
quality of the system and to reduce the risk of non-conformity.

Audit documentation has to be submitted to ISCC after an audit has been Internal review
conducted. The ISCC head office internally reviews this documentation as a
part of the risk management process. Such internal review ensures a
consistent application of ISCC and a level playing field for CBs and System
Users.

4.1.2 Certification Bodies
For CBs cooperating under ISCC CORSIA, risk management focuses on Risk
internal processes of the CB as well as on the services the CB provides to management
procedures
System Users (ISCC audits). Internally, CBs should have appropriate risk
management procedures in place covering potential risks for the integrity of
ISCC which may derive from the activities of the CB. As CBs are conducting
ISCC audits for external parties (System Users) CBs must also have an
internal procedure on how to perform reliable risk assessments for System

© ISCC System GmbH
 20

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
Users to be certified. The general requirements for CBs are specified in ISCC
CORSIA Document 103 “Requirements for Certification Bodies and Auditors”.
Recognised CBs are obliged to participate in office audits scheduled by ISCC
in the framework of the ISCC Integrity Program. It is recommended (but not
mandatory) that CBs also participate in Integrity Assessments at System
Users certified by the respective CB. On a regular basis, ISCC invites the
recognised CBs to exchange feedback and practical experiences and to
discuss potential risks identified during the day-to-day work of the CBs and of
ISCC.

At the beginning of each ISCC CORSIA audit, the CB must conduct a risk Risk assessment
assessment for the System User to be certified. During this risk assessment during audits
the CB identifies, evaluates and classifies the risk according to one of the
three ISCC risk levels (regular, medium, high). The risk assessment is
conducted according to the principles specified in chapter 4.2. Relevant risk
indicators applicable to the individual situation must be taken into account for
the risk assessment. Based on the CBs professional knowledge and the
information submitted by the System User, the CB must especially analyse
such risks which could lead to a material misstatement. During the risk
assessment for System Users CBs may also investigate ISCC CORSIA
documents or other reliable sources, whether country-specific information is
available for the region where the audit will be conducted. This can include for
example a web-based inquiry of current reports from NGOs, journals or other
media regarding social or environmental issues relevant for ISCC CORSIA in
the respective region. The result of this investigation must be taken into
consideration for the identification and evaluation of a risk and when the audits
are planned and conducted.

Depending on the result of the risk assessment the intensity and focus of the Sample size and
audit is determined according to the principles specified in chapter 4.3. This audit intensity

means, the higher the determined risk factor the more thoroughly the audit
needs to be conducted to verify and to ensure compliance with ISCC CORSIA
requirements. In case sampling is applied during the audit (group certification),
the risk factor determined by the CB drives the sample size of group members
to be audited (see ISCC CORSIA Document 206 “Group Certification”). During
audits, the CB should follow a risk-based approach and put a special focus on
areas for which the risk assessment has indicated higher risks instead of
areas with a lower risk. Furthermore, the CB should take into account the
results from previous audits. Depending on the fact-based findings during the
audit, the CB is entitled to increase (or reduce) the risk level.

4.1.3 ISCC System Users
Each System User must start the implementation process of ISCC CORSIA Self-assessment
by conducting an internal risk assessment (self-assessment) in view of
potential risks of its activities for the integrity of ISCC CORSIA. In analogy to
the external risk assessment conducted by the CB, the self-assessment can
be conducted based on the principles and risk indicators specified in chapter

© ISCC System GmbH
 21

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
4.2. Corresponding to the result of the self-assessment, the System User
should design its internal (quality) management system in a way to
appropriately address and minimise the identified risks of its activities for the
integrity of ISCC CORSIA.

Prior to the audit of a System User, the CB conducts an independent risk Independent risk
assessment. During this risk assessment the CB should take into account the assessment
results of the self-assessment performed by the System User and the design
of the System User’s management system especially with respect to the
identified risks.

The risk assessment on the level of System Users focuses on the (internal) Internal
processes of the System User and the risk of non-conformity with the processes
applicable ISCC CORSIA requirements and principles specified in the ISCC
system documents.

All System Users are obliged to participate in Integrity Assessments Integrity
scheduled by ISCC in the framework of the ISCC Integrity Program. Program

Risk Assessment

4.2.1 Identification of Risk
The first step during the risk assessment is to identify potential risks by Analysis of risk
analysing the risk indicators listed in this document. Furthermore, an analysis indicators
of the geographic conditions and/or the relevant processes must be
conducted. This may require the definition of further risk indicators applicable
to the individual situation but not explicitly specified within the ISCC CORSIA
system. A risk assessment may be conducted partially via a desk assessment,
e.g. by verifying land use change with satellite data, by analysing biodiversity
information in databases, or by searching databases on protected areas.
However, a desk assessment requires a verification of the results at the
specific location (so-called “ground-truthing”). The risk indicators identified by
ISCC form the basis for the risk assessment in the framework of ISCC
CORSIA. They shall be considered during all ISCC CORSIA audits in order to
identify potential risks of non-conformity with the ISCC CORSIA requirements
or for the integrity of ISCC CORSIA.

If ISCC CORSIA audits include the verification of farms, a risk assessment Assessment of
must be conducted to determine the risk of non-conformity with the ISCC farms
CORSIA or ISCC CORSIA PLUS sustainability requirements (see ISCC
CORSIA Document 202 “Sustainability Requirements”). Particularly, the risk
of violations of either the applicable approved CORSIA sustainability criteria
or ISCC Principle 1 must be taken into account, depending on the certification
system chosen. This means, it must be assessed if a farm is located within
the proximity of areas where the cultivation of biomass is prohibited under
ISCC CORSIA or ISCC CORSIA PLUS. The risk of non-conformity of farms
should be assessed with appropriate and reliable databases or remote
sensing tools allowing for a meaningful and well-balanced result for the
respective region.

© ISCC System GmbH
 22

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
If ISCC CORSIA audits include waste and residues, the risk assessment must
Assessment of
be conducted to determine the risk of false claims and the risk of “intentional” waste or
production of waste and residues. This means that the focus should be on the residues
verification if a material is a genuine waste or residue, and on the correct and
consistent classification and declaration of the material by the point of origin
and by the collecting point (see ISCC CORSIA Document 201-1 “Waste,
Residues and By-Products”).

The traceability and chain of custody of sustainable material is a relevant Traceability and
aspect for risk assessment for all System Users (see ISCC CORSIA chain of custody
Document 203 “Traceability and Chain of Custody”). It must be assessed if
there is a specific risk that non-sustainable material is sold or delivered as
being sustainable and if the requirements on mass balance are complied with.

With regards to the life cycle emissions value of CORSIA eligible fuels, it must Life cycle
be assessed if there is a risk of an incorrect calculation or false declaration of emissions

the emissions (see ISCC CORSIA Document 205 “Life Cycle Emissions”).
A non-exhaustive overview on significant risk indicators for ISCC CORSIA and
ISCC CORSIA PLUS is provided in table 1.

Table 1: Overview on typical risk indicators

Risk Indicators for Risk Indicators for
General Risk Indicators
Farms and Plantations Waste and Residues
> Determination, structuring, > Proximity to and/or > Type of point of
organisation and overlap with no-go origin (e.g.
documentation of the areas (forest land, restaurant,
number of work flows and peatland, wetlands, processing plant,
their complexity (in-house highly biodiverse landfill, etc.)
processes) grassland, etc.) > Size of point of
> Number, structuring, > Land conversion origin and amount
organization, expertise, shortly before or of waste/residue
management, involvement after January 1st material generated
and controlling of the 2008 per month (high
subcontractors and external > Factors influencing amounts of
service providers significantly the waste/residues may
> Number and structuring of output per acreage indicate a higher
the workflows that are and the output per risk of non-
carried out by ha. conformity or fraud)
subcontractors compared to > Employment of > Status of the
the ones that are carried out migrant workers material (genuine
by permanent in-house staff > Ratification and waste/residue)
> In-house quality degree of > Declaration or
management system, implementation of labelling of the
internal audits (structure and ILO core labour material according
documentation) standards. to the ICAO positive
> Transparency (public list
reporting, involvement of
local interest groups,

© ISCC System GmbH
 23

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
Risk Indicators for Risk Indicators for
General Risk Indicators
Farms and Plantations Waste and Residues
independent audits, social, > Risk of intentional
environmental and “production” of
economical aspects of waste or residues
sustainability) > Risk of intentional
> Mechanisms for conflict modification of
resolution established products to be
independently, documented declared or claimed
and implemented as waste or
> Management of conflicts of residues
interests and corruption
prevention
> Risk of corruption and fraud
(e.g. according to OECD list,
Transparency International
Corruption Perceptions
Index, etc.) – i.e. how
serious is the external risk of
corruption and how does this
influence the implementation
> Yield or conversion factors
in internal processes
> Certification history,
including previous or current
ISCC certification as well as
certification under other
sustainability certification
systems, especially those
recognized by ICAO within
the framework of CORSIA
> Frequency of changes in
certification system (so-
called “scheme hopping”)
> Accuracy of records and
documents
> Degree of topicality,
updating frequency of
records and documents
> Accessibility of records and
documents
> Completeness of records
and documents
> Individual calculation of life
cycle emissions
> Risk of single consignments
(batches) being claimed
more than once (so-called
“double-accounting”)

© ISCC System GmbH
 24

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
4.2.2 Evaluation of Risk
The second step of the risk assessment is to evaluate and classify the Aspects for
identified risk. For the evaluation of the identified risk, the following elements evaluation and
classification
must be taken into consideration:

> Sources and reasons of the risk
> Identification of potential consequences from the risk if it would occur,
the impact (e.g. negligible, moderate, critical) and the probability of its
occurrence (e.g. unlikely, occasional, likely)

> Factors influencing the consequences and the probability of the risk to
occur

> Differing importance or emphasis of the risk by different stakeholders
Based on the risk evaluation, the risk is classified according to one of the three Risk levels and
risk levels: factors

> Regular (risk factor 1,0)
> Medium (risk factor 1,5)
> High (risk factor 2,0)
A risk assessment matrix may be used to facilitate the classification of the risk
(see example in table 2).
Table 2: Example of a risk assessment matrix

Probability of Occurrence
Consequences
Likely Occasional Unlikely

Critical High High Medium

Moderate Medium Medium Regular

Negligible Medium Regular Regular

With respect to the evaluation of the risk on farm level, the principles and Risk evaluation
requirements specified in ISCC CORSIA Document 202 “Sustainability on farm level
Requirements” must be considered. Especially the differentiation between
“major must” and “minor must” criteria should be taken into account for the
evaluation and classification of a risk. Relevant risks on farm level include:

> Biomass production on land with high carbon stock as well as on land
with high biodiversity value and with high conservation value (see ISCC
Principle 1),

> Biomass production with a negative environmental impact, e.g. on soil,
water and air (see ISCC Principle 2),

© ISCC System GmbH
 25

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
> Unsafe working conditions (see ISCC Principle 3),
> Violations of human rights, labour rights or land rights (see ISCC
Principle 4),

> Violations of applicable legislation (see ISCC Principle 5), and
> Not implementing good management practices (see ISCC Principle 6).
With respect to the risk of a flawed or deficient documentation the following Documentation
guidance can be given for the risk evaluation and classification:

> If the necessary records and documents are kept accurately, up to date,
complete, easily accessible and there is no indication of non-conformity
with ISCC CORSIA requirements the risk can be classified as regular.
The risk for non-conformity with traceability requirements can e.g. be
considered to be regular, if appropriate track-and-trace databases are
used and can be accessed by the CB during the audit.

> If the necessary records and documents are not kept accurately and
are not easily accessible, the risk should be classified as medium.

> If the records and documents are not continuously up to date and not
kept to full extent, i.e. files are missing, files are not accessible, files are
not disclosed, or if there is indication for non-conformity or fraud the risk
should be classified as high.
Accounting for
Specific indication of non-conformity with ISCC CORSIA requirements must indications of
be taken into account appropriately during the risk evaluation and non-conformity
classification.

If non-conformities are detected during an ISCC CORSIA audit that relate to Non-conformity
claims made by the System User during the certification period, a high-risk
level must be applied during the audit. This especially applies in case of non-
conformities that have an impact on the downstream supply chain, e.g. non-
conformity with the mass balance requirements, non-conformity of
sustainability declarations (e.g. false information), non-conformity with the life
cycle emission requirements (e.g. incorrectly determined life cycle emission
value). In this case a high-risk classification must also be applied during the
subsequent recertification audit of the respective System User.

It is up to the CB’s judgement to discontinue the audit if the risk is ranked high Adjustment of
and if either the documentation is not easily accessible or the amount of risk level
unavailable documentation does not allow for a professional audit. Depending
on the actual findings during the audit, the CB is entitled to increase or reduce
the risk level applied during the audit.

Identification and Implementation of Risk Control Measures
Elements of risk
control

© ISCC System GmbH
 26

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
After the risk is identified and evaluated it must be managed properly to ensure
that the probability of non-conformity with ISCC CORSIA requirements is
continuously minimized. This is done by applying the following elements:

> Adjusting the intensity of audits to adequately take into account the risk.
In case of group certification this means that the size of the sample may
be adjusted. With regards to traceability, this means adjusting the
number of documents to be verified by the CB.

> Carrying out announced or unannounced surveillance audits if
necessary

> Adjusting the tasks of the management of a System User, in particular
with regards to

> Specification of responsibilities
> Training of employees
> Documentation
> Duty to report (including reporting and submitting documents to the
CB or to ISCC)

> Internal auditing and management system
> Extending the definition of risk factors for certain areas by ISCC
Adjustment of
If the audit includes sampling of third party locations, i.e. farms, points of origin sample size
or (dependent) storage facilities, the minimum sample size must be multiplied
with the determined risk factor (1,0, 1,5 or 2,0). The risk factor therefore
determines the number of locations which must be audited (see ISCC
CORSIA Document 206 “Group Certification”). In case of non-conformity of
individual group members, the determined sample size (s) of the current audit
must be doubled.

If the audit includes chain of custody verification, i.e. traceability and Verification
plausibility of amounts, the risk factor drives the intensity of the audit with intensity of
documents
respect to documentation to be verified. The entire documentation relevant for
ISCC CORSIA for a complete year must be available during an ISCC CORSIA
audit in order to evaluate the mass balance calculation and allow for
plausibility checks between company reporting and mass balance results.
However, it is (usually) not required that the CB verifies every single document
(e.g. weighbridge tickets, Sustainability Declarations, contracts, etc.) of an
entire year. Instead, the CB is entitled and must be able to take random
document samples to check whether records and documents meet the
requirements for traceability. It is the CB’s responsibility to define the size of
the sample that will permit the CB to reach the level of confidence necessary
to issue a certificate. Following guidelines can be applied:

© ISCC System GmbH
 27

ISCC CORSIA 204 AUDIT REQUIREMENTS AND RISK MANAGEMENT
> If the risk is classified as “regular” random document samples from
three successive months are sufficient to assess whether the
applicable ISCC CORSIA requirements are met.

> If the risk is classified as “medium”, random document samples from
three successive months as well as all documents from one complete
month should be checked.

> If the risk is classified as “high”, the documents of three successive
months should be checked completely.

© ISCC System GmbH