The other day I wrote an article “Auditors Hide Consulting Under “Opportunity For Improvement Guise” and it got tremendous feedback. One reader from a large aerospace manufacturing firm wrote the following, and it’s republished with permission:

I just had the opportunity to read the above referenced opinion you posted and not only agree with your opinion but can assure you that it does indeed still continue. We have two (2) different registrars and multiple auditors. It does not seem to matter whether it is ISO 9001, AS9100 or ISO 13485 – each auditor has observations for improvement. Of course, we as the organization want to improvement our QMS and eagerly listen to their “advise”, make changes to incorporate their recommendation, and wait for the next audit where they review our efforts toward their improvement suggestions as their first order of business for which we receive an “atta boy” on the audit report.

Some of the auditors have taken the step to omit their observations and recommendation from the audit report only to tell us “off the record” or produce a separate piece of paper that is not part of the report a list of their recommendations. This recently happened on an ISO 13485 audit where for the second year in a row, no findings were observed yet the auditor produced a list of seventeen (17) different recommendations for improvement.

As an organization we want the audit to go smoothly and yes, we fully believe the auditor is here to give us a fair shake. So for the next six weeks after the audit is complete, I work on the recommendations in anticipation of the next audit and another “atta boy”.

It is a vicious cycle. You have to have a ticket to be in the game but that only makes you a member of the team. As you have shown by example, people can be killed even though a third party certificate can be produced. I have been in the “quality” industry since 1971 and have often wondered at what point, by what specification, under what circumstances do the efforts of manufacturers result in “Zero” scrap. I have seem quality systems come and go, each one sold to the industry as the “greatest thing since sliced bread” and yet there is always another one to take its place.

This story is not new; in fact, I am sure many readers are nodding their heads in agreement right now, having experienced the same thing. Back in 2011 I wrote an article calling this practice “yellow pad auditing,” so named because auditors like to have a client write down their verbal musings (on a yellow pad) while saying, “I’ll do you a favor and not write these up, if you promise to work on them yourself.” In reality, “yellow pad auditing” is a way for the auditor to (a) reinforce his fragile ego by proving how he’s smarter than everyone in your organization, and has ideas on how to fix things, and (b) perform consulting without a written record. Your “yellow pad” notes never get formally documented, so the CB’s home office and — more importantly — the Accreditation Body, never know it happened.

Here’s an example of one of the most egregious cases of yellow pad auditing I have ever seen. Back in 2011, an auditor with NSF was performing an AS9100 audit on a client of mine. The auditor’s consulting was without any limits, and as you can see from the client’s resulting yellow pad notes, it was flagrant and damning:

A few of them are outright crazy: in point # 19, he suggests an ITAR sign-in log, oblivious to the fact that (a) sign-in logs don’t mean you comply with ITAR and (b) the client didn’t have any ITAR requirements flowed down to them anyway.

But look at point 6. The NSF auditor told them to “take exclusion to AS9100 Servicing.” (This was under the old standard, AS9100 Rev C.) Under accreditation rules, any issues related to exclusions should have been uncovered during the Stage 1 documentation review.  Instead, the auditor not only did not write a finding, he instead told the client what to do to make the problem go away. (In fact, the company totally did servicing, but the auditor couldn’t wrap his head around it, meaning had they taken his advice, they would have faced a major nonconformity from another auditor later.)

Now look at # 11. In that finding, the auditor notes that there were no training records for the welder; if so, then that should have been a minor nonconformity, since welding is a special process requiring additional certification evidence for the welders. Again, the NSF auditor soft-graded the nonconformity into a verbal suggestion, kept off the books. And then, despite providing the client a list of twenty (!) recommendations, here’s what the final report looked like when submitted back to the NSF home office:

This ensured the NSF auditor didn’t have to do any unpaid “corrective action follow-up” work, while being able to walk away feeling smug for having made himself look smart.

It’s not just NSF. Here’s an example of notes taken (by me) during an ISO 9001 audit by SAI Global. Again, the resulting final report showed zero nonconformities:

This practice is so prevalent, back when I worked as an auditor for the Tampa-based registrar International Management Systems — which was later bought outright by NQA — I was literally taught this was how to audit. I wasn’t told that it was to save me time in processing nonconformities, but instead taught that this was somehow beneficial to the client, since they’d be happy they got some off-the-books suggestions rather than a rack of nonconformities. I engaged in this practice myself, until one day I read the accreditation rules and found out that it was a serious violation of the rules governing conflicts of interest.

Now take a look at another example. In this case, an auditor with NQA not only provided consulting advice, but handed the registration client a series of actual documents, some stolen from other clients! These are actual screenshots of just some of the documents given to the client:

The documents were: (A) Quality Manual used without permission from Star Aviation (now CarlisleIT) of Mobile AL; (B) a turtle diagram whose metadata shows it was created by Jim Robison, a trainer with competing registrar SAI Global; (C) another turtle diagram, author unknown; (D) a Training Matrix created by the NQA auditor himself; (E) a “document pyramid” illustration, author uknown; and (F) an FMEA form whose metadata shows it was created by Keith Aldridge, which he likely created at a previous employer called Mainstream Engineering Corp. Other documents (not shown) included the entire Quality Manual for Lifesaving Systems Corp (Apollo Beach FL); an AS9100 Rev. C “Transition Plan” written by the consultancy Whittington & Associates; and a “Customer Survey Form” taken from JC Machine (Lakeland FL).

Here’s another example, this one from NSF and (ironically) conducted by a Lead Auditor who NSF touted as one of their “best” and who was then used by them to train other auditors. These are my own notes (written on a tablet, so pardon the janky format) and you see the auditor noted about thirteen undocumented “findings,” then gave an additional six “verbal suggestions.” But when the final report was written it only included three nonconformities. My notes show my personal frustration, where I wrote the NSF auditor was “pretty damn prescriptive” and noted how “minor issues” were exaggerated by the auditor as if they were earth-shattering, but “in the end weren’t even written up.

The auditors know what they’re doing, too; they simply don’t give a shit if they violate accreditation rules. In fact, some publicly talk about how they provide consulting except when ANAB is hanging over their shoulder during witness audits. On the forum board Quality Forum Online, DQS (UL) auditor Jennifer Kirley admitted how she resented being audited herself, and that auditor behavior changes during such events, a comment later “liked” by DNV-GL aerospace auditor Sidney Vianna:

Kirley wasn’t done, and went on to just admit that “It’s well documented that we have more NCs when we’re being watched“:

(Seriously, just go read that thread. The site is essentially dead, but was run by pissed-off CB auditors from DQS, DNV, NQA, BSI and others, and watching them whine about getting audited themselves is hilarious. But it’s also disgusting to see them so overtly discuss breaking accreditation rules, while ANAB remains pretends to remain oblivious.)

Yet again, the accreditation bodies like ANAB don’t really care provided the client pays the CB, and the CB then pays ANAB. It’s just about money.

If you’ve got audit notes like this, feel free to send them my way. I can add them to the file for when it comes time to drop these in front of someone who matters, like perhaps a regulator or judge.


    About Christopher Paris

    Christopher Paris is the founder and VP Operations of Oxebridge. He has over 25 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.