All you need to know… IBAC APM Changes – Revision to IS-BAO and IS-BAH audit procedures

ASA letter to IS-BAO and IS-BAH operators


Please note that the 9th Edition of the IBAC Audit Procedures Manual has just been released.  It is applicable to the IS-BAO / IS-BAH Programmes as of March 01, 2023 and all IS-BAO / IS-BAH audits conducted after this date must be done so in accordance with the provisions established in the 9th Edition.


We have summarised below the changes that affect you as the operator. 


IS-BA Programme Workshop


For IS-BAO, it is a requirement for the auditee organisation to send an employee to the appropriate IBAC training course within the 36 months preceding an initial or renewal audit.  For IS-BAH, the requirement is for IS-BAH initial registrations only – for renewal audits, attendance is encouraged. 


Onsite vs online / virtual audits


With effect from January 2023, onsite IS-BA audits with the auditor visiting the organisation’s facilities are once again the standard for the conduct of the audit.   However, where circumstances so justify (global pandemics, for example), IBAC may authorize the onsite portion of a registration audit, or parts thereof, to be conducted remotely, subject to a number of stated policies and procedures.  ASA will be happy to advise further, according to the particular circumstances. The request for an approval for a remote audit must be submitted at least one month prior to the planned audit date. 


Note 1:  Under the IS-BAO Progressive Stage 3 (PS3) programme, up to 2 of the 3 yearly audits within a single 3-year cycle may be conducted remotely, with operator agreement, with no need of prior authorization from IBAC. However, the auditor must notify IBAC that the audit will be conducted remotely when submitting the Planned Audit Notification (PAN). 


Note 2:  Except for the case outlined in Note 1 above, consecutive or back-to-back remote IS-BAO IS-BA audits for the same operator are not permitted unless deemed in the best interests of the IS-BAO IS-BA Programmes and approved in writing by the IS-BAO relevant Programme Audit Manager prior to the audit.


Note 3:  For IS-BAH, audits covering multiple locations as part of a “regional” group may be conducted with prior authorization from IBAC.  In such cases, the planning of the audit must be agreed upon with IBAC and declared in the PAN. 


Audit Scheduling




For IS-BAO only, even before selecting and/or contracting the auditor(s) who will conduct the audit or determining the audit dates, the auditee organization is required submit to the IBAC Audit Manager through the IS-BAO website the Operator Pre-Audit Summary (OPS), indicating their intent to undergo a registration audit and providing information on their current structure.  An auditor is unable to submit the PAN to IBAC before the organisation has submitted the OPS. 




Once the OPS has been submitted to IBAC (in the case of IS-BAO) and the auditor has submitted the PAN, the auditee organisation should complete the Initial Questionnaire in the protocol spreadsheet – ensuring that “enable macros” is selected to enable full functionality of the protocols.  This will be used to identify the organization’s characteristics before beginning the chapter assessments in order to automatically eliminate the areas that do not apply to the organisation.


Please note that IBAC have increased the pre-audit notification period.  Once the registration audit has been scheduled between the organisation and the auditor, the auditor is required to notify the relevant Audit Manager of the planned audit via the appropriate PAN form as early as possible, but no later than 30 days prior to the planned audit date.


Auditor Time Onsite


For audits at small organisations, the auditor or audit team are now required to spend at a minimum two person-days onsite (for Stage 1 audits) or three person-days onsite (for Stage 2 and 3 audits). These periods must be increased according to the organisation’s size and complexity and Stage of the audit in order for the auditor(s) to be able to appropriately assess the applicable Standards and Recommended Practices.


Post-Audit Timescales


Auditors are required to submit the Audit Summary, Protocols and Findings Form to the applicable IS-BA Programme Audit Manager for review in a timely manner but no later than 20 days from the date of the closing meeting;


Within 30 days from receipt of the Audit Report, IBAC will review the audit and coordinate with auditors on any necessary additional information;


Within 30 days of the closing meeting, the organization is required to develop its own appropriate auditor-accepted Remedial Action Plan (RAP) to address any findings.  The RAP should include the root cause of the finding;  

  • As soon as practicable after the closing meeting and no later than 90 days afterwards, the organization must remediate all findings (if any), and submit evidence of RAP implementation to the auditor;


  • The auditor will then validate the remedial actions and submit the Audit Report, annotated with the auditor’s acceptance of RAP implementation, to IBAC within 15 days of RAP implementation, for review;


  • IBAC will review the auditor’s acceptance of RAP implementation within 5 days;


  • Once an audit is accepted for registration, the Audit Manager will e-mail the results of the audit to the organization with the relevant IS-BA Programme registration or renewal application link;


  • IBAC will issue the Certificate of Registration within 15 days of receiving any applicable registration fee.


Registration Certificates


There have been several changes to the issue of Registration Certificates.  ASA will be pleased to advise further.