Contract Compliance audits verify supplier’s compliance to agreements signed with Ericsson. The audits help Ericsson to identify areas for improvement and help suppliers comply with the criteria.
Ericsson has several audit criteria: general criteria for all suppliers and specific criteria applicable depending on type of supplier. The criteria originate from several sources: demands and expectations from customers, shareholders, legislations, policies and standards such as ISO 9001 and ISO 14001.
Evaluation of the criteria are done through self-assessment and on-site audit.
On-site Contract Compliance Audit Process
On-site Contract Compliance audits are performed by certified auditors with in-depth knowledge of the criteria. Not only knowledge about criteria and applicable standards but also high level of auditing skills are requirements on Ericsson Contract Compliance auditors.
Below is a generic description of the audit process:
The Supplier Self-Assessment (SSA) is a web-based questionnaire and is an important tool for evaluating existing and potential new suppliers to Ericsson.
The SSA is used to communicate Ericsson general requirements and expectations to our suppliers, to collect information for supplier and master data management, and to catch potential risks connected to a certain supplier. The outcome from the SSA is analyzed to ensure that proper actions are taken.
Why: To ensure Ericsson suppliers' complies with obligations and responsibilities e.g. statutory law, standards and regulations and customer requirements.
What: To verify how the company is managed and that basic requirements are met; Board of Directors, industry experience, changes in management, ownership structure and Conflicts of Interests among others
Why: To ensure that Ericsson's suppliers are aware of, and comply with all requirements specified by Ericsson, US Export authorities and Local export authorities.
What: To verify how the company handles Trade Compliance related issues such as: C-TPAT or/and EU AEO, knowledge about export rules and sanctioned party list check. Provide product related data: HST, CoO, ECCN and encryption.
Intellectual property Rights (IPR)
Why: To ensure and understand the supplier's strengths and weaknesses regarding IPRs and any potential IPR issues.
What: To verify the supplier's processes related to IPR: how many patents, how many applied for yearly, IPR strategy, lawsuits, exploitation rights and if the supplier offer products to your customer(s) where you do not include unlimited indemnification for IPR infringement claims from third parties
Business Continuity Management (BCM)
Why: A well developed and implemented BCM ensures that the suppliers can meet delivery requirements in spite of occurred crisis.
What: The supplier shall have a BCM system that covers the entire business, including supply chain, services, production facilities, IS/IT, and customer products, in Risk assessment and Business Impact analysis is continuously performed in a systematic way and risk are proactively mitigated. There is also a formal, clearly defined and trained Crisis Management Team in place. Plans are regularly tested and there is a continuous improvement process in place. Their sub-suppliers are required to work with BCM as well. Escalation process to customers is defined.
Code of conduct
Why: To ensure that suppliers are aware of and comply with all requirements specified in Ericsson's Code of Conduct.
What: To verify that suppliers comply to Ericsson's Code of Conduct. It includes human rights, freedom of association, forced labour avoidance, fair employment conditions, working hours, corporal and financial punishment, child labour avoidance, elimination of discrimination, fair working conditions, information and training, environment and anti-corruption.
Occupational Health and Safety (OHS)
Why: To ensure that suppliers are aware of, and comply with all applicable requirements specified in Ericsson's General and Specific OHS requirements, and in all applicable requirements in the 11 Operational OHS Standards.
What: To verify that suppliers comply to Ericsson OHSA requirements: OHS governance, incident reporting and investigation, safety planning, sub-contractor management, training and competence, etc. There are also 11 operational standards: Chemical handling, Climbing and working at heights, Construction and civil work management, Driver and vehicle safety just to mention a few.
Why: To ensure that suppliers are aware of and comply with all requirements specified in Ericsson's Supplier Environmental Requirements.
What: Ericsson's Supplier Environmental Requirements include requirements related to Environmental management (policy, objectives, action plans, law lists, competence and training...), Design for environment & manufacturing, Product information, Transport and compliance with the Lists of Banned and Restricted Substances.
Quality management system
Why: Ericsson's supplier shall have a quality management system certified according to ISO 9001:2015 or similar.
What: Ericsson requires its suppliers to have a Quality Management System. Preferably certified according to ISO 9001:2015 or similar.
Why: To ensure that suppliers manages and control their supply chain.
What: The supplier shall effectively manage and control the supply chain and have a well-defined and fully implemented process for supplier evaluation and supplier selection, clear roles & responsibilities and appropriate measurements.
Why: To ensure a well-defined and fully implemented security management with clearly defined roles and responsibilities at the Supplier.
What: All Suppliers should be evaluated from an information Security perspective and their ability to handle Ericsson assets in a trustworthy way. This criteria evaluates the existence of a structured security work.
Why: To ensure a well-defined and fully implemented claim handling process with clearly defined roles and responsibilities (including managing claims from our end customers)
What: The supplier shall comply with all areas in a claim handling process, inclusive demonstrating an efficient implementation of a claim process in terms of customer communication, determining the requirements for products and services
Ericsson product criteria
Why: To know how Ericsson product related criteria are managed since it is key inputs to the production.
What: The document handling procedure covers accessing and controlling the product criteria related document. The Ericsson product documentation system is well understood.
Why: To understand the design process and how it is implemented.
What: The design process should consist of a proven methodology with well-defined milestones and supplier should be able to show a track record proving required experience and competence.
Why: To assure that Ericsson's product target "Time To Market" could be accomplished, as this is one of the most important key success factors for Ericsson.
What: The supplier's ability to meet the design organizations demands, mainly in terms of time plan and technical specifications.
Time to technology position
Why: To verify that supplier's technology roadmap planning is corresponding to Ericsson development plans
What: The supplier must be able to show when they will have new technology available
Support and maintenance
Why: Ericsson needs to maintain high quality products throughout the products lifetime, incl. beyond Last Time Buy (LTB).
What: Verifying supplier's ability to provide support and maintenance on designed products for the planned lifetime of the product, i.e. beyond LTB and including support during analysis of problems in field.
Why: To know how the suppliers approach product quality in all aspects.
What: The purpose of Product Quality Assurance, is to ensure that suppliers take a systematic approach to identify potential problems before they occur. They shall also take actions to reduce risks to a minimum. The supplier must understand the process and increase yield as well as lower cost. The supplier secures that no non-conforming products are shipped to Ericsson.
Why: To understand how the marking process is according to Ericsson requirements.
What: Verifying that the marking process is defined, documented, understood and implemented to fulfill the requirements for a marking system and that manufactured and delivered products are marked according to product specifications.
Why: Traceability of processes and products is an important aspect of production.
What: Verifying that the traceability process is defined, documented, understood and implemented to fulfill the requirements for a traceability system.
Why: To ensure that the production processes is well defined, documented, understood and implemented to fulfil the product criteria. The supplier is in control of the production process and has a continuous improvement program and uses analysis methods
What: The supplier shall have manufacturing processes to ensure a well-functioning production such as measurement and traceability, calibration and maintenance, product/production conditions, certification of operators
Why: To ensure that suppliers provide a capability in the supply chain that meets Ericsson's requirements.
What: The shall have a well-defined and implemented supply process that can handle elements such as forecasting and planning, phase in, phase out and after sales support, order management, warehousing and after sales support
Why: To minimize Ericsson risk exposes when licensing third party commercial SW
What: To secure Ericsson need and rights of licensing and sub-licensing the purchased SW, including internal handling.
To secure effective handling of SW locks from supplier, since dual locks will generate a massive work-load for SW Supply.
To secure that we do not make any license violations due unknown embedded SW from 3rd party into the suppliers SW
Information security and privacy
Why: To ensure an effective Information Security Risk Management when entrusting Ericsson owned information, or information owned by our customers, to a supplier.
What: To evaluate supplier readiness to comply to the Baseline Information Security and Privacy Requirements for Suppliers, BISPRS.