by Christopher Paris

The release of ISO 17021:2011, the latest standard governing the practices of accredited registrars for ISO 9001, AS9100 and other standards, included what appeared to be tough talk on monitoring the “behavior” of auditors. Sure, there were the typical Human Resources Department fuzzwords, like “strengths”, to try to minimize any potential insults to less-than-stellar people, but it shook the registrar world a bit.

And by “a bit” I mean for all of five minutes, unfortunately.

The ISO Technical Committee responsible for ISO 17021, which is comprised of registrars and accreditation body members, with very little in the way of representation from actual users of standards, ran away from tackling what is a very serious problem, and one that hurts them directly. When seeing what ISO 17021 could have done, and what the committee actually came up with, I am reminded of the George Kostanza “shrinkage” problem from Seinfeld.


The standard relegated auditor behavior to a non-binding Annex, with a disclaimer that “This annex is informative and not intended to be applied as requirements.” There are then lots of “shoulds” instead of “shalls”, giving license to registrars to tear the pages out entirely, and use them to light their Cubans.

Well, that’s a stretch. Registrars aren’t making enough money to afford Montecristos, and the irony is that it’s directly related to the bad behavior of their auditors who (as I wrote here) are the “face” of ISO 9001 to their customers. When the auditor misbehaves, that pollutes the entire perception of ISO 9001 for not only that company, but everyone their buyers, sales reps and employees talk to, spreading bad vibes like wildfire. So long as registrars refuse to tackle the problem, and continue to allow bad auditors to work, they cut into their own profits.

The thing is, they are typically too dumb to know this. And keep in mind, these are the guys (and gals) claiming to be such “experts” in business, that they will come in and in a few short hours help you improve your operations, streamline processes, reduce risk and “add value” as a result of their auditing.


ISO 17021 presents a great list of what constitutes good auditor behavior, and it can actually be applied in an objective manner that won’t get a registrar sued (unlike the RABQSA fiasco of psychometric testing.) Here’s the list of desired behavioral attributes:

a) ethical, i.e. fair, truthful, sincere, honest and discreet;

b) open-minded, i.e. willing to consider alternative ideas or points of view;

c) diplomatic, i.e. tactful in dealing with people;

d) collaborative, i.e. effectively interacting with others;

e) observant, i.e. actively aware of physical surroundings and activities;

f) perceptive, i.e. instinctively aware of and able to understand situations;

g) versatile, i.e. adjusts readily to different situations;

h) tenacious, i.e. persistent and focused on achieving objectives;

i) decisive, i.e. reaches timely conclusions based on logical reasoning and analysis;

j) self-reliant, i.e. acts and functions independently;

k) professional, i.e. exhibiting a courteous, conscientious and generally business-like demeanour in the workplace;

l) morally courageous, i.e. willing to act responsibly and ethically even though these actions may not always be popular and may sometimes result in disagreement or confrontation;

m) organized, i.e. exhibiting effective time management, prioritization, planning, and efficiency.

Nice, right? It’s not comprehensive, and it certainly misses the most important factor (objectivity), but it’s a good start.

But the cowardly refusal to make this a mandatory requirement cuts the legs out from under this effort entirely. Registrars refuse to process complaints and conduct corrective action, which is an ISO 17021 requirement… why would they obey a non-mandatory recommendation?

I Forgot to Laugh

A few years back, an auditor with NQA was conducting an AS9100 audit for an Oxebridge client. I was present for the audit, so I witnessed what was about to happen first-hand. The auditor was the typical macho type, who reveled in making the client uncomfortable and invented nonconformities out of thin air. At one point I had to ask for a pause in the audit because the client was getting so upset, trying to answer a rapid-fire series of questions which weren’t necessarily connected to what was even being audited, and when the auditor was not giving time for the client to answer. The auditor asked what the problem was, and I said “you are stressing my client out. You need to slow down, ask your questions, and wait for an answer.” The auditor sat back, put his hands on his head, and laughed. He was loving it.

Later, the auditor would go on to bad-mouth NQA (his employer) and brag that he was the “head of aerospace” for rival registrar Intertek (we checked; he wasn’t). But his final blow was when he announced, about halfway through the registration audit, that the entire quality system was a shambles. He reached into his jacket, pulled out a business card for his consulting services, and threw it in front of my client. “Tell you what,” he said. “I am allowed to completely re-write you documents and make sure you pass, and take over as your consultant, but I have to quit the audit first.” He even winked and said that if NQA had a problem with it, he could switch the client to Intertek. Remember, this was during the audit.

My client was smart enough to leave the room, call the registrar and fire the auditor on the spot. NQA provided a different auditor, and the company passed with flying colors. With a complaint so serious that the auditor was not only fired by the client, but where they had actual evidence (the business card) that the auditor had violated the rules separating consulting and auditing, and that he was going to have the client absorb the costs of the half-audit he had conducted, you would think the guy would not be working in the industry anymore, right? Isn’t this the kind of thing that ANAB should be looking out for?

Not quite. Just a few months ago, Smithers SQA sent out a press release announcing their new auditor pool, and made the mistake of listing the names of their new hires. You guessed it, our smug friend was on the list. I wonder if Smithers knows what this guy says about his employers, and how many of their clients he “turns” so he can make a consulting buck on their dime.

You Can’t Make This Stuff Up

I have so many anecdotes like this, it almost becomes statistically valid. Just a few weeks ago, another AS9100 client underwent an audit by NSF, where the auditor told them that they needed to shadowbox their tools for FOD control. Ignoring the fact that an auditor cannot tell anyone to “shadowbox” (it’s a prescriptive solution), the reality was that the parts manufactured by the company were very small in diameter, with openings only a few inches in diameter, and the tools the auditor wanted shadowboxed were much, much larger. How can you possibly expect good conformity assessments when the auditor doesn’t realize that a four inch wide tool can’t fit inside a two inch hole?

Or how about the BSI auditor who failed to write objective evidence for her ISO 9001 nonconformities, even while she was being witness-audited by a BSI exec? When the two of them scrambled to re-write their report to include evidence, they took so long they had to skip the entire closing meeting, and a later BSI auditor said the report was “unintelligible” and wouldn’t pass BSI’s review committee. (It did.)

Or the SGS auditor who demanded to audit the female QA Manager at 1 AM in her hotel room, freaking her out to such a degree she had to book a hotel room under a different name?

Or the IMS auditor who traded a favorable audit report for a piece of scrap metal to shoot muzzleloaders at?

Meanwhile, anyone know if this other guy is still working? Or this guy? I’d bet they are both busy as heck.

(Registrars: before you call your lawyers, I’ve got documented proof and witnesses for all these accounts. Clean your stables, don’t blame the neighbors who have to smell it.)

Standardizing Incompetence

Auditor incompetence has become such a problem, that the industry is scrambling trying to improve training and personnel certification schemes. ANSI recently announced it was seeking input on a future effort to better “define competence” — while they would never actually use the word, this means they are trying to rein in “incompetence” of course.

The IAQG struggled with this, too. I am preparing another piece on what is proving to be a black eye for the AS9100 standard, but with its release of enhanced aerospace auditor training, the IAQG was apparently forced to recognize that companies were being certified to AS9100 and still making junk. Where the IAQG dropped the ball (predictably) is that its subsequent efforts were put on AS9100 end users, effectively blaming them for failing to implement the standard properly, rather than on auditors and registrars who are the ones assessing the systems and issuing certificates. Making matters worse, the IAQG now requires auditors to assess not only conformity (their job) but also to judge the company’s effectiveness and improvement (not their job). That’s like giving the keys to the new Lambo to the kid who already has his fifth juvie DUI.

These efforts show that end users, and the big primes who flow down ISO 9001 and AS9100, are aware of the problem. Too many auditors are doing a monumentally poor job of auditing, and companies are being certified that shouldn’t be. Likewise, end users are spending untold millions of dollars per year fixing bogus findings that should never have been written up in the first place. Is there no wonder people are looking to CMMI, and fed up with the entire ISO/ANAB/registrar triad?

So long as the US remains the dominant force on the standards bodies and technical committees, and so long as the US representatives on these bodies are more obsessed with their own personal gains and careers than the reality facing ISO 9001 and standards end users, we can’t expect any change. A tightly locked infrastructure has been put in place alienating both common sense and the folks who believe in it, in favor of watered down “market friendly” toothless rules, and careerist cronies who promise not to rock the boat.

When the boat is sinking, sometimes rocking it until it flips upside down is the only way you can prevent drowning.

Christopher Paris is founder and VP Operations for Oxebridge Quality Resources International. He is a former member of the US TAG to TC 176, a Senior Member of ASQ, and has personally implemented over one hundred ISO 9001 and AS9100 systems over a 22 year career. He does not own a boat.

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.


Traditional Tri-System