As you know, ISO 9001 and AS9100 certification body (CB) auditors are disallowed from providing consulting. This is to prevent conflicts of interest where the auditor then winds up assessing their own work; if you take their advice, they are more likely to grant you certification; if you reject it, they might unfairly deny you certification. Prohibiting auditors from doing consulting just takes this off the table.

ISO 17021-1 prohibits CBs from providing “management system consultancy,” which it then defines as follows:

“Participation in establishing, implementing or maintaining a management system.”

EXAMPLE 1 Preparing or producing manuals or procedures.

EXAMPLE 2 Giving specific advice, instructions or solutions towards the development and implementation of a management system.

Except that the IAF and its accreditation bodies, including ANAB and UKAS, really don’t give a shit. Decade after decade, they have allowed CBs — who pay them, after all — to violate this clause with complete and total impunity.

It was so entrenched that, going back to 2000, the old RAB-accredited training courses by providers such as AQS actually taught auditors how to write up consulting advice, under the guise of “opportunities for improvement.” They did this by telling you that you could provide consulting through two tricks: first, start every sentence with the word “consider…” and then give your advice. Next, phrase it as “I can’t give advice, but I can tell you what I’ve seen at other companies.”

Let’s dissect those.

All Animals Are Equal, But Some Animals Are More Equal Than Others 

First of all, the idea of making the advice optional by prefacing it with the word “consider” is bullshit. The reality is that all advice is optional anyway, and the rules don’t allow for optional advice any more than mandatory advice. It’s still advice, and it’s still prohibited, because it’s still a conflict of interest.

The second one is even worse, since it relies on auditors essentially violating both your own nondisclosure agreements and the various laws against criminal dissemination of corporate trade secrets. It also ensures every auditor violates the confidentiality clauses in the contracts you have with the CB! They totally cannot “tell you what they’ve seen at other companies” without breaking the law. It doesn’t matter if they obfuscate the actual source (which client) or not. They cannot do it. Period. Just remember, every time your auditor starts to say, “here’s what I have seen at other companies,…” that means they are spreading your approaches, ideas and QMS secrets to everyone else, like gossiping chickens.

ISO 17021-1 does allow auditors to “share non-confidential information on related best practices,” but the legal burden is on the CB to ascertain, formally, if the “best practices” they are spreading are “non-confidential” or not. Auditors just pretend — or assume — the information is non-confidential, without any actual vetting. This is a lawsuit waiting to happen for some plucky client who wants to make a buck.

The problem is that the latest edition of ISO 17021-1 was written by the registrars, and that last allowance contradicts the first, but we’ll get into that in a moment.

RAB was broken up into ANAB and RABQSA (because of its own historical conflicts of interest), the latter of which has become today’s Exemplar, but the practices remain part of the “accredited Lead Auditor” training classes to this day; they are just more sneaky about it. Multiple complaints have been filed over this, and no one cares; they often don’t even respond anymore.

Coming back to the purpose of third-party accredited management system certification, the entire point is to provide “trust” in the resulting ISO 9001 or AS9100 certificate. ANAB (again, back when it was RAB) and its pals invented the entire certification scheme on the promise that they could be trusted, and that your customers wouldn’t need to conduct multiple audits on you every year since their one-stop-shop approach was better and more independent.

So the rule about “no consulting” was intended to ensure that trust. As a result, we can unbox the rules to break down the confusion. The first rule – that auditors cannot provide “specific advice, instructions or solutions” – trumps all others. The two caveats — dilutions, if you will — are that they can provide opportunities for improvement as well as describe “best practices.” The CB auditors wrongly interpret this to mean they can do both of those at once, which violates the first rule. They provide a specific solution, couched as a generic “best practice” and then write it up as an “opportunity for improvement.” But it’s still a specific solution, and it’s still a violation.

Here’s an actual audit report from the much-beleaguered SAI Global, from 2017. I conducted a contract internal audit on this particular client and found some 30 nonconformities, at least three of which were “majors.” The SAI auditor, having audited only about five months earlier, found exactly none. He did, however, have a host of “opportunities for improvement,” every single one of which violated ISO 17021-1.

Notice how he employed every old trick in the book. He framed them as OFIs, used the word “consider” to make them seem optional, and — you can’t see this since it’s blurred — generally traded in “generic” advice.

But again, the rules prohibit specific solutions. In each case, what follows the word “consider” is a specific solution; the fact that he’s making it optional doesn’t negate the specificity, and it is the specificity that ISO 17021-1 prohibits. That specificity is the toxic element – if the client takes the advice, now the auditor is more likely to be receptive during the next audit, because he will essentially be auditing his own work. If the client rejects the advice, they will be up against an auditor they have just personally insulted, and he may audit them with an entirely different posture.

Now we don’t know for sure how the auditor will react. Maybe he will be fine with the fact that my client ignored his advice. Maybe not. But the only way to avoid this potential conflict is to not get into it in the first place. 

Independent Review, With Blindfolds

The next question is how this audit report survived SAI’s allegedly robust internal review process. Each report is supposed to be reviewed by someone at the home office specifically to determine if there are any violations of 17021-1, such as the auditor providing consulting advice. Presumably, this guy has worked for SAI for years and done this for every one of his clients, and these “OFIs” appear on every one of his audit reports. Why didn’t SAI catch them? Not even once?

Next, SAI is audited by ANAB every year. How is it possible that ANAB didn’t catch this?

Simply put, it’s not. Both SAI and ANAB are well aware of the problem, and it’s not just one auditor. It’s not just SAI. In fact, I see this on hundreds of CB audit reports every year. The various powers are doing two things: first, they are intentionally confusing their understanding of what constitutes “specific advice, instructions or solutions” by interpreting the rules backward: they assume that making the advice optional and generic somehow trumps the rule against specificity, which is patently untrue. They get away with this because no one hauls them into court over it. Next, they feign ignorance about the entire thing; if there’s one thing CBs and ABs are good at, it’s pretending to look stupid.

As we’ve seen, writing nonconformities costs the auditors money out of their pockets, so they’ve stopped doing it. Instead, auditors can compensate for their low pay by puffing themselves up as “experts” using the audit time to flood you with meaningless “expert advice.” In their minds, everyone wins: they come away with an inflated sense of ego, and don’t have to spend unpaid time reviewing your corrective actions. The client walks away with “zero nonconformities!” and feels like their QMS is awesome. Meanwhile, products are going out the door that are probably killing people, even as they have an ISO certificate on their website.

If only ANAB and its pals, like UKAS, would do their job. Writing up an auditor just once on something like this would stop them in their tracks; and it’s so easy to spot. Eventually the auditors would get the message and stop this.

Instead, you will have to do their job for them. If you get an audit report with specific advice couched as an OFI, reject it. Report it to the CB, and copy the accreditation body. Quote the ISO 17021-1 clause above.

    About Christopher Paris

    Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.