Social Fingerprint for SA8000: 2014

Guidance for SA8000 Certification Auditors

Introduction:
SA8000: 2014 requires certified organisations to build, maintain and continually improve a functional
management system to ensure full and sustained compliance with the Standard. As this management
systems matures, it must be regularly assessed to identify improvement opportunities, set priorities, and
establish action plans to achieve sustained, successful implementation of SA8000. The methodology of
this assessment under SA8000: 2014 is called Social Fingerprint. Social Fingerprint is a set of tools that
helps organisations measure and improve their management systems for social performance. Social
Fingerprint includes a self-assessment taken by the organisation and an independent evaluation
conducted by the auditor. By incorporating Social Fingerprint into SA8000: 2014, SAI aims to increase the
integrity, credibility and effectiveness of SA8000 certification and build the capacity of SA8000 certified
organisations to develop mature management systems.
Social Fingerprint provides organisations and auditors with a clear, consistent methodology for assessing
management system maturity and compliance with the SA8000 management system requirements. This
enables organisations to identify weak areas within their own management systems so that they can make
specific, targeted improvements. It also enables auditors to consistently evaluate the organisations
management system to determine their readiness for certification and assess their implementation of
improvements. By using one, consistent methodology, all organisations and auditors will now have the
same understanding of SA8000 management system requirements, which will improve the
standardization and implementation of SA8000 compliance across sectors and countries.

The Social Fingerprint Tools:

Social Fingerprint measures management systems maturity across 10 key categories that correspond to
the 10 criteria of SA8000: 2014 Element 9: Management System.
Organisations are scored on a maturity scale of 1-5 (1=lowest, 5 = highest) in each of the 10 categories.
Social Fingerprint includes three key tools:
1. Management system self-assessment conducted by the organisation.
2. Independent evaluation of the management system conducted by the certification body (CB) Lead
Auditor.
3. Rating Chart that explains the maturity levels for each of the 10 categories.
Organisations and auditors can use this as guidance while completing the self-assessment and
independent evaluation, respectively.
Additional reference tools:
1. Glossary of Relevant Terms
2. Guidance for SA8000 Certification Auditors on Social Fingerprint for SA8000: 2014
3. SA8000:2014 Guidance Document

1|P a g e
v1: 6/30/15

Social Fingerprint for SA8000: 2014

Guidance for SA8000 Certification Auditors

The 10 Criteria of an SA8000

Management System:
1. Policies, Procedures and Records: How the organisation defines its principles, objectives, and
commitment to SA8000, and instructs its personnel to implement those principles on a day-to-day
basis.
2. Social Performance Team: The group of trained people who lead and facilitate the organisations
SA8000 implementation.
3. Identification and Assessment of Risks: How the organisation determines its risks and prioritizes its
actions to address them.
4. Monitoring: How the organisation tracks its SA8000 implementation and performance to achieve its
objectives and targets.
5. Internal Involvement and Communication: The organisations methods and channels for
communicating with workers and getting their input for SA8000 implementation.
6. Complaint Management and Resolution: How the organisation receives and addresses grievances or
other suggestions from workers or interested parties.
7. External Verification and Stakeholder Engagement: How the organisation cooperates with external
auditors or involves interested parties to get comprehensive input to its SA8000 implementation.
8. Corrective and Preventive Actions: How the organisation addresses risks and gaps in its SA8000
implementation and makes system changes to prevent recurrence and drive continual improvement.
9. Training and Capacity Building: How the organisation trains its personnel and develops their
attitudes, skills and knowledge to effectively implement SA8000.
10. Management of Suppliers and Contractors: How the organisation conducts due diligence on its
business partners and encourages them to implement SA8000 and improve.

The Social Fingerprint Rating System:

SAI has not selected a minimum mandatory Social Fingerprint score for SA8000:2014 certification.
However, the program has been built so that Level 4 generally corresponds to compliance with SA8000:
2014.
Social Fingerprint Level 1: Organisation has no awareness of SA8000 or any system in place to manage its
social performance.
Organisations at a level 1 may have some very basic processes to comply with local laws or their
customers requirements for labour practices, but have no systems in place to monitor the workplace.
Social Fingerprint Level 2: Organisation has a partially developed management system but its
implementation is reactive, inconsistent and mostly ineffective.
Organisations at a level 2 have the beginnings of a management system in place, but the system is mostly
intended to ensure that it is in compliance with local laws or customers requirements. They may have
2|P a g e
v1: 6/30/15

Social Fingerprint for SA8000: 2014

Guidance for SA8000 Certification Auditors

developed specific policies and procedures, but are not implementing them regularly or effectively. Such
companies are primarily focused on risk management and mitigation for business reasons.
Social Fingerprint Level 3: Organisation has developed a management system, but has not fully
implemented it.
Organisations at a level 3 have developed a management system, but are not fully implementing it
regularly or consistently. Such organisations may have written policies and procedures addressing all
aspects of SA8000 in place with some personnel implementing some of the procedures, but
implementation is not consistent throughout the organisation and is not a part of the organisations
operations on a daily basis. Such organisations may be implementing certain aspects of the management
system well, such as its OHS policies and procedures, but may not be addressing issues in a holistic way.
Their social performance may still be more reactive than proactive, and they may make changes only when
require by external bodies. They have set their plan for improvement, with goals and targets, but are not
consistently meeting those goals or targets.
Social Fingerprint Level 4: Organisation has developed a management system and implements it
consistently and regularly.
Organisations at a level 4 have developed and implemented a fully functioning SA8000 management
system. The management system is proactive and preventive, and it is being implemented regularly and
effectively. Such organisations have written policies and procedures for their SA8000 implementation and
have trained personnel appropriately to ensure that the procedures are being followed. They have
improvement plans in place with goals and targets and are making changes to meet those goals.
Compliance with SA8000 is a dynamic, not static process, so organisations in compliance need to
continually improve their performance in order to remain compliant.
Social Fingerprint Level 5: Organisation has developed and implemented a mature management system,
and is continually improving that system.
Organisations at a level 5 have mature management systems that are proactive and preventive, and are
implemented regularly and consistently by well-trained personnel. They regularly review the system itself
to ensure that it is as effective as possible, and are continuously striving to improve. Such organisations
meet their improvement plan goals and targets, and then change those goals and targets to push
themselves to improve even more. They integrate their social performance with business strategy and
planning, so that business decisions are made with consideration for the potential social impact both on
workers and interested parties. In order to achieve this level, an organisation must provide evidence of
continual improvement, so organisations may need to sustain certification over a period of time.

3|P a g e
v1: 6/30/15

Social Fingerprint for SA8000: 2014

Guidance for SA8000 Certification Auditors

The Social Fingerprint Process:

Generally, Social Fingerprint is a three-step cycle:
The organisation takes the self-assessment online.

CB auditors conduct the SA8000 audit and then the Lead Auditor completes the independent
evaluation online.

The CB identifies areas of improvement and the organisation makes the necessary process
changes to improve its compliance.
Please see pg. 7 for more information about how Social Fingerprint fits into the SA8000:2014 certification
process.
THE SOCIAL FINGERPRINT SELF-ASSESSMENT:

Many Management System standards, such as ISO9001, include a self-assessment that allows
organisations to measure the maturity of their management systems. The self-assessment provides an
overall understanding of how the organisation views its own performance and enables an organisation to
identify its strengths and weaknesses to promote continual improvement over time. Due to the centrality
of the management system to SA8000: 2014, SAI has incorporated the Social Fingerprint self-assessment
into the audit process.
Thus, organisations interested in pursuing SA8000: 2014 certification must take a Social Fingerprint selfassessment as part of the application process.
Currently certified organisations must take the Social Fingerprint self-assessment in advance of their
transition audit from SA8000: 2008 to SA8000: 2014 or recertification audit to SA8000: 2014. Please see
Advisory 4Afor more information.
Practical Information about the Self-Assessment:

The self-assessment primarily serves as a capacity-building tool for the organisation; it teaches the
organisation about the components of the management system through the questions and answers, and
highlights the aspects of the system and the documentation that the organisation should have in place
and available for the audit.
Once the organisation has completed the self-assessment, its answers become available to the CB auditor
in the Question and Answer Report (Q&A Report) in the SAI Training Center. (Please see the Technical
Instructions for information on how to access the Q&A Report online).
4|P a g e
v1: 6/30/15

Social Fingerprint for SA8000: 2014

Guidance for SA8000 Certification Auditors

Auditors should review the Q&A Report as part of their audit preparation but should not plan to verify the
accuracy of the self-assessment scores during the audit. Rather, auditors use the self-assessment results
to gauge the maturity and level of understanding about management systems within the organisation.
Low scores in certain areas indicate that the auditor should concentrate in those areas, whereas high
scores in certain areas indicate that the organisation may be more mature in those areas and the auditor
would expect to see evidence of this during the audit. Furthermore, inconsistent maturity levels (a high
score in one section and a low section in another section) across related areas may point to important
management system gaps that should be explored during the audit. Overall, the self-assessment score
does not represent the absolute maturity level of the organisation; the auditor must complete the
management system audit to accurately assess the organisations management system maturity and
complete the independent evaluation.
THE SOCIAL FINGERPRINT INDEPENDENT EVALUATION:

The SA8000 Lead Auditor completes the Social Fingerprint Independent Evaluation online (or using the
offline tool in the case of poor internet access at the audit site) after conducting the audit and collecting
evidence about the maturity of the organisations management system. The Independent Evaluation
should be completed at the same time as the writing of the audit report it can be conducted onsite, but
does not have to be. (Please see the Technical Instructions for information on how complete the
independent evaluation online.) This independent evaluation produces an externally validated Social
Fingerprint score for the organisation.
Social Fingerprint judges the maturity of an organisations SA8000 management system from both the
organisation and the CBs perspective; it is not a checklist to evaluate an organisations compliance.
Auditors must still conduct a comprehensive audit of the company and its management systems, and
input information into the independent evaluation as data points. The Social Fingerprint score provides
another perspective of an organisations management system maturity and feeds into the overall audit
findings and into the certification decision-making process. The scores do not replace the submission of
findings or non-conformances and auditors cannot write non-conformances against a Social Fingerprint
score. Auditors should still identify and write non-conformances as required by Procedure: 2015.
Practical Information about the Independent Evaluation:

The Social Fingerprint self-assessment and independent evaluation use the same set of questions. There
are 3 to 7 questions for each of the 10 management system categories. Each question has 5 answers, each
representing one of the 5 levels of maturity. (Please see the Technical instructions for information on how
to view the Independent Evaluation results).
The questions and answers generally assess an organisations compliance with the criteria of the SA8000;
however, they do not necessarily match the language of the Standard or the order of the requirements in
the Standard. Some criteria within each category may be addressed by more than one question, and some
questions may address more than one criteria within each category. Furthermore, there is some overlap
between questions in different categories. (For example, there are questions about senior management
commitment in both Category 1: Policies, Procedures and Records, and Category 2: Social Performance
Team).
The independent evaluation utilizes the same questions and answers as the self-assessment for the
organisation. Therefore, all of the questions are written using personal plural pronouns: we or our.
5|P a g e
v1: 6/30/15

Social Fingerprint for SA8000: 2014

Guidance for SA8000 Certification Auditors

The CB Auditor should read the questionnaire by replacing we and our with they or the
organisation.
Example:
Social Fingerprint Question: The following best describes our operating procedures for our labour policies.
Answer Options:

1.
2.
3.
4.
5.

We dont have such procedures because the people at our organisation know that they are
expected to follow the rules.
We have some written procedures that tell people how to follow our rules regarding labour
practices.
We have specific written procedures that tell people how to follow our labour policies.
We have written procedures that tell people how to follow our policies in order to implement
SA8000. We have updated them in response to specific issues.
We have written procedures that tell people how to implement SA8000. We regularly check
to make sure that our procedures are working and revise them accordingly.

The auditor should read the question and answers above as follows:
Question: The following best describes the organisations operating procedures for its labour policies.
Answer Options:

1.
2.
3.
4.
5.

The organisation doesnt have such procedures because the people at the organisation know
that they are expected to follow the rules.
The organisation has some written procedures that tell people how to follow its rules
regarding labour practices.
The organisation has specific written procedures that tell people how to follow its labour
policies.
The organisation has written procedures that tell people how to follow its policies in order
to implement SA8000. They have updated the procedures in response to specific issues.
The organisation has written procedures that tell people how to implement
SA8000. They regularly check to make sure that the procedures are working and revise them
accordingly.

The Social Fingerprint Scores:

Each organisation that completes the Social Fingerprint process, including the self-assessment and the
independent evaluation, will receive a Social Fingerprint Scorecard. This Scorecard contains two sets of
scores (from 1 to 5): 1) the self-assessment scores and 2) the independent evaluation scores. Each set of
scores contains an average score for each of the 10 categories, and an average overall score.

6|P a g e
v1: 6/30/15

Social Fingerprint for SA8000: 2014

Guidance for SA8000 Certification Auditors

Social Fingerprint and the SA8000: 2014

Certification Process:
ORGANISATIONS PURSUING SA8000:2014 CERTIFICATION:

1. Organisation completes the Self- Assessment through the SAI online training center before the
Stage 1 Audit.
2. During the initial certification cycle, auditors conduct a Social Fingerprint Independent
Evaluation at the following audits:
a. Stage 1
b. Stage 2 (Certification to SA8000:2014)
c. Surveillance 1
d. Surveillance 3
e. Recertification
3. After the initial certification cycle, the Social Fingerprint process (self-assessment and
independent evaluation) occurs at the recertification audit (every 3 years).
SA8000:2008 CERTIFIED ORGANISATIONS UP FOR RECERTIFICATION FROM SEPTEMBER 1, 2015 TO DECEMBER 31,
2016:

1. Organisation completes the Self-Assessment through the SAI online training center before the
Recertification Audit.
2. Auditors conduct a Social Fingerprint Independent Evaluation at the following audits:
a. Recertification Audit to SA8000:2014
b. Surveillance 1
c. Surveillance 3
d. Recertification
3. After a full recertification cycle that includes Social Fingerprint, the Social Fingerprint process
(self-assessment and independent evaluation) occurs during the recertification audit (every 3
years).
SA8000:2008 CERTIFIED ORGANISATIONS THAT TRANSITION TO SA8000:2014 FROM SEPTEMBER 1, 2015 TO
DECEMBER 31, 2016:

1. Organisation completes the Self-Assessment through the SAI online training center before the
Transition Audit.
2. Auditors conduct a Social Fingerprint Independent Evaluation at the following audits:
a. Transition Audit to SA8000:2014.
b. After the Transition Audit, auditors follow the schedule below:
i. If transition audit occurs during a Surveillance 1 or 2 Audit: Auditors conduct a
Social Fingerprint Independent Evaluation at the Surveillance 3 and
Recertification Audit.
ii. If transition audit occurs during a Surveillance 3, 4 or 5 Audit: Auditors conduct a
Social Fingerprint Independent Evaluation at the Recertification Audit.
3. After completing the certification cycle with the transition, the Social Fingerprint process (selfassessment and independent evaluation) occurs during the recertification audit every 3 years.
7|P a g e
v1: 6/30/15

Social Fingerprint for SA8000: 2014

Guidance for SA8000 Certification Auditors

BEFORE THE STAGE 1 AUDIT:

Organisations interested in Social Fingerprint and SA8000 have two avenues for entering the system:
1. The organisation can take the Social Fingerprint self-assessment directly from the SAI website and,
depending on the results, decide to pursue certification or not. If the organisation decides to pursue
certification, it will then contract with a CB.
2. The organisation can sign a certification contract with a certification body as an applicant for SA8000:
2014. The CB will then direct the organisation to the SAI website to complete the Social Fingerprint
self-assessment.
After the organisation completes the self-assessment, it can decide to continue to pursue certification or
not. At this point, some organisations may realize that their management system is not ready for SA8000
and decide to pursue further capacity building to improve their systems before advancing further. SAI
encourages organisations to fully consider the maturity of their management system before moving
forward in the process.
If the self-assessment score is less than 3: As part of its due diligence, the CB should take this information
into account when planning the Stage 1 Audit. The CB may caution the organisation about proceeding to
the Stage 1 Audit because its management system may not be mature enough to achieve SA8000
certification based on this score. The organisation should seek to improve its system in areas identified as
weak by the self-assessment. If the organisation decides to proceed anyway, the CB should inform it that
it needs to create a plan to improve upon the weak areas. During the Stage 1 audit, the auditor will
evaluate the management system and investigate the organisations implementation of this plan.
STAGE 1 AUDIT:

The CB Lead Auditor creates a Stage 1 Audit Plan that includes enough time to perform an onsite
management system documentation review and the Social Fingerprint independent evaluation. The Lead
Auditor sends the audit plan to the applicant organisation prior to the Stage 1 audit.
Note: All document reviews must now be performed onsite.
The auditor will conduct the Stage 1 audit, in accordance with SAAS Procedure 200, and then complete
the Social Fingerprint independent evaluation.
If the independent evaluation score is less than 3: The CB should caution the applicant organisation about
proceeding to the Stage 2 audit because its management system does not appear to be mature enough
to achieve SA8000 certification based on this score. If the CB allows the organisation to proceed to the
Stage 2 audit, the CB must record this in the Stage 1 Audit Report.
STAGE 2 AUDIT:

The CB Lead Auditor creates a Stage 2 Audit Plan that includes enough time to perform an onsite
management system documentation review and the Social Fingerprint independent evaluation. The Lead
Auditor sends the audit plan to the applicant organisation prior to the Stage 2 audit.
If the independent evaluation score is 1: Organisations with a score of 1 likely have significant major nonconformances and are not ready for certification.

8|P a g e
v1: 6/30/15

Social Fingerprint for SA8000: 2014

Guidance for SA8000 Certification Auditors

If the independent evaluation score is 2: Organisations with a score of 2 will likely have a small number
of major non-conformances and numerous minor non-conformances. Organisations at this level are likely
not ready for certification, but may be able to make some improvements to become ready over time.
If the independent evaluation is 3: Organisations with a score of 3 will likely have several minor nonconformances and areas of improvement, and may have one or two major non-conformances.
Organisations at this level may be ready for certification if they make specific improvements to their
system. The auditor should provide justification for providing certification to organisations at this level.
If the independent evaluation score is 4: Organisations with a score of 4 may have a small number of
minor non-conformances but should be ready for certification, provided they meet the other
requirements of the Standard.
If the independent evaluation score is 5: It is unlikely, although possible, for an organisation to achieve a
score of 5 after the Stage 2 Audit because it must demonstrate evidence of continual improvement against
their targets and objectives.
The auditors will review any management system gaps identified by the independent evaluation during
the next surveillance audit. The organisation can use the self-assessment as input into its management
review process.
SOCIAL FINGERPRINT DURING SURVEILLANCE AUDITS:

Surveillance audits only assess specific sections of the organisations management system. SAAS
Procedure 200 Section 15 outlines the mandatory items to be reviewed during surveillance audits.
Practically, the review of those items will enable the auditor to evaluate the organisations performance
for 7 of the 10 management system criteria and answer the independent evaluation questions for those
items. If the other three criteria (Social Performance Team, External Verification and Stakeholder
Engagement and Management of Suppliers and Contractors) are not covered during the specific
surveillance audit (i.e. if they are not related to a non-conformance), then the auditor should use the
evidence from a prior audit to complete the independent evaluation for those criteria.
SOCIAL FINGERPRINT DURING TRANSFER AUDITS:

Transfer audits should be considered the same as Stage 2 Audits for the use of Social Fingerprint. The
transferee client must complete a self-assessment before the transfer audit.

9|P a g e
v1: 6/30/15

Social Fingerprint for SA8000: 2014

Guidance for SA8000 Certification Auditors

Frequently Asked Questions for

Auditors:
1. How much time should it take to complete the Social Fingerprint Independent Evaluation online (or
offline if need be)?
It should take approximately 60-90 minutes to complete the Independent Evaluation online or offline.
2. Do I have to show the time allocated to the Independent Evaluation in the Audit Plan?
Yes, the audit plan should show all elements of the audit, including the Independent Evaluation.
3. Im having trouble deciding between two answer choices for the independent evaluation, how do I
decide which one to select?
Generally, auditors should be able to collect sufficient evidence to support the selection of an answer
choice. However, if there is ambiguity, the auditor should generally select the lower answer choice to
avoid inflating the scoring.
4. None of the answer choices are appropriate for the organisation, what do I do?
Auditors should make a judgement call on the correct answer for the organisation, based on their
management system auditing expertise. If the answer choices specifically do not seem relevant, the
auditors should use the rating chart to determine the appropriate level for the organisation and select
the answer choice that reflects that level of maturity.
5. The organisation is new to the SA8000 system and doesnt have evidence of its management system
implementation, how should I answer the questions?
The
questionnaire
has
been
designed
to
assess
both
management
system development and implementation. If the organisation has developed a management system
and has the documentation (e.g. policies and procedures), but it does not have evidence
of implementation, it should receive a lower score.
6. What do I do if there is no internet connection at the facility during the audit?
You can use the offline independent evaluation tool.
7. How can I give SAI feedback about Social Fingerprint?
SAI will be reviewing the use and effectiveness of Social Fingerprint over the course of the next year in
order to improve the system in 2016. If you have specific feedback to provide, please contact SAI at
SA8000@sa-intl.org.

10 | P a g e
v1: 6/30/15