by Christopher Paris
The debate over whether ISO 9001 certification body (CB) auditors should offer “OFI’s” (opportunities for improvement) cuts to the core of some of the problems facing the international standard. While most auditors and CB reps insist that clients want OFI’s and receive “added value” from them, clients and others argue this is not the case. Often clients will tolerate OFI’s, and even act on them, purely to placate an auditor who they feel will escalate the OFI into a full nonconformity if it is ignored. This is only partly the fault of erroneous thinking on the part of clients; it’s sometimes a myth perpetuated by the auditors themselves.
Some background: ISO 17021 — the accreditation standard under which CB operate — prohibits CB auditors from providing advice or “specific solutions” for nonconformities. Anything outside of that (vague) definition is fair play. So long as an auditor says “here’s what I see other companies do” he can consult all day long.
Here is why clients must reject OFIs, and even prohibit their registrars from issuing them (which can be mandated during the upfront contract negotiation with the CB):
CONFLICT OF INTEREST: Auditors who provide advice will wind up auditing their own advice at a later audit. Since auditors cannot objectively audit their own work, this is a conflict of interest. If a client rejects an OFI, and the auditor escalates this to a nonconformity, can it be clear to everyone that this escalation is not due to the auditor feeling slighted? If the client accepts the OFI, can the auditor be trusted to evaluate his suggestion properly, and be sure it doesn’t introduce other nonconformities that the client may not perceive? It’s a tangle.
AUDITORS ARE NOT QUALIFIED. Auditors are assigned by the CB, and almost never vetted and approved by the company ahead of time. The average minimum wage line worker gets more vetting than the CB auditor. In fact, ISO 9001 requires it. Key management positions are filled by the company with much more review and investigation into the individual before they are allowed to make important decisions about the company’s management system or business. CB auditors arrive and within a few minutes are offering sometimes dramatic, company-changing suggestions, without any evidence of their expertise, and with less of an interview process than the maintenance guy. An auditor who has just arrived on site cannot know the client’s company, history, customer expectations, industry, sales, challenges, equipment, staff or any other other myriad things that go into making important changes to a QMS.
AUDITORS LACK EXPERIENCE. Registrars typically assign auditors to clients using the IAF industry codes as a guideline. Consider, however, that there are over 10,000 SIC codes to encompass all of human professions. The IAF has diluted that to only 40 industry codes.
This gross dilution of the world’s professions results in laughable — and sometimes dangerous — auditor assignments. Under the IAF code 38, veterinarian experts share the same code with human health experts, meaning an auditor who’s only experience was in horse farm medicine can audit a children’s hospital. A tobacco farmer is a “qualified expert” to audit a dairy plant (IAF 03). A flight attendant is qualified to audit a space agency (IAF 21). A high school football coach is qualified to audit a radio station (IAF 39). A librarian is qualified to audit a sanitation plant (IAF 39).
Making matter worse is the fact that this is entirely optional. Despite CB sales rep chatter to the contrary, the reality is that ISO 17021 accreditation rules do not require a CB assign a “qualified” auditor at all. ISO 17021 clause 7.2.5 only requires the CB utilize “auditors and audit team leaders possessing generic auditing skills and knowledge, as well as skills and knowledge appropriate for auditing in specific technical areas.”
LEAKING PROPRIETARY INFORMATION. Auditors who collect experiences from their clients, and then share them to others, risk leaking proprietary information even if they don’t mention the names of the companies. Often an auditor will suggest something he’s seen at another company, and it’s abundantly clear which company he means. In other cases, the auditor will directly name the company he’s discussing, thinking the information is vague enough to “exist in the public domain” — a concept no auditor receives any formal training on.
Then there’s the another aspect: do you really want the auditor “suggesting” your company’s best practices to his other clients, which may include your competitors? Doesn’t this free sharing of information dilute one of the primary benefits of ISO 9001, which is to improve your market position in relation to those competitors?
CONTRARY TO PURPOSE. Remember, the purpose of the CB is compliance assessment. That is the only thing they are accredited to do. They are not accredited to “improve” or “add value” … that’s not on their accreditation cert, and it is not audited by the AB’s. It’s out of scope. It’s tolerated because the IAF and AB’s are overrun with former CB sales reps and the AB’s allow the influence of CB’s because that is their revenue source, but it’s still out of scope of the accreditation scheme.
So the next time your ISO 9001 registrar suggests an “OFI,” politely decline and tell them to write a nonconformity instead. That requires they ground their opinion with an actual ISO 9001 clause, and provide objective evidence. It also puts their advice under (a bit) more scrutiny with the CB’s accreditation body.
Watch how fast they say “oh, forget it, then.”
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 35 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world
