Hardly a week goes by without more evidence that the third-party certification scheme has been corrupted to the point of criminality, even as its overseers ignore the problem entirely. Now over 180 people have died from a deadly mudslide which caused a faulty Brazilian dam to collapse, resulting in a criminal investigation that is embroiling the certification bodyTUV Sud. Reporters and official police inquiries reveals that TUV auditors felt pressured to ensure the mining company responsible for the dam, Vale, receive a passing safety certification, and in response Vale would award TUV Sud additional auditing contracts. According to the German news outlet Der Spiegel, that’s exactly what happened:

Prosecutor Coelho suspects that the Germans were so lenient in their dealings with Vale because they did not want to jeopardize future business with the mining giant.

There is a risk that Vale “still uses a pending contract as extortion,” wrote a Brazilian TÜV South employee on May 14, 2018 in a mail to colleagues. The agreement, which Vale signed a few weeks later, includes new orders for TÜV Süd in the amount of around 2.4 million euros. Specifically, it’s about services for 18 more Vale dams.

Two TUV auditors were arrested but later released, apparently because they are cooperating with police and providing information on TUV’s questionable activities.

In the case of the Vale dam disaster, auditors intentionally “softgraded” audit findings, a practice whereby the certification body (CB) intentionally lessens the severity of a discovered nonconformity, relegating it to a “suggestion” or otherwise minimizing the problem in order to assist the client in obtaining or retaining its certification. The thinking here is that if CB auditors actually report the truth, they would be forced to de-certify clients, thus resulting in less clients. Clients faced with truthful write-ups would simply “registrar shop” for the CB with the laxest auditing attitude, willing to look the other way.

This latter point is also on display in the Vale controversy: Vale fired its prior CB after that agency indicated the dam was unsafe, and the rewarded TUV Sud for its less-intense audit posture. Prosecutors allege Vale then dangled additional contracts in front of TUV in order to get the dam’s satisfactory rating.

But the CB auditors in the Vale case went further, actually falsifying data in order to softgrade their findings. That’s particularly nefarious, and worse than merely downgrading a nonconformity to an “opportunity for improvement.” It puts human lives at risk solely so a CB can land contracts. It violates the core reason for existence for such bodies, and raises the question as to why we need them at all.

Vale’s not the first. The Deepwater Horizon oil rig explosion resulted in the worst man-made environmental disaster in all of human history, killing rig workers and dumping massive quantities of oil into the Gulf of Mexico. Yet the BP Oil management company that managed the Deepwater Horizon rig, from Houston, held ISO 9001 certification from BSI, who holds influential positions on key ISO standards development committees.

A while back, a client reported to me that their BSI auditor had boasted about auditing the Houston company, and specifically the Deepwater Horizon rig, even before the accident happened. After the disaster, the auditor returned to my client and claimed he knew about the problems all along, had reported them to BSI, and was shot down. Now this information comes third-hand, and we can’t be sure the auditor wasn’t just needlessly boasting, something ISO auditors are known to do. But if true, it indicates the same problem behind the Gulf of Mexico disaster was behind for the Vale dam collapse: an allegedly “objective and independent” CB ignoring safety or quality evidence in order to retain a contract with a giant client.

In the Deepwater Horizon case, BSI escaped all scrutiny. Again, maybe this was just an auditor loudmouthing; but it deserves investigation nevertheless.

Certainly the same is true right now in much of South America. The Brazilian construction firm Odebrecht has been found guilty of bribing political leaders and government officials in multiple countries in South and Central America. In Peru alone, the scandal has seen the long-term house arrest of Peru’s former President Ollanta Humala, the detention of former President Alan Garcia, the conviction of former President Alejandro Toledo (who remains on the run in the US, while Peru seeks extradition) and the forced resignation of former President Pedro Pablo Kucynski. Yet despite the scandal and criminality being so massive that it ensnared four presidents of the country, Bureau Veritas continues to issue ISO 9001 certificates to Odebrecht’s Peruvian construction operations. For sure the thinking is that if BV doesn’t do it, Odebrecht will just give their massive spend on someone else, perhaps TUV. If the company has already been found guilty of crimes and forced to pay over $3.5 billion in settlements, it’s not clear how BV is looking the other way during its ISO 9001 audits, unless some very serious softgrading is going on.

We next turn to Equifax, whose lax security protocols led to the largest breach of private financial data in human history. Equifax hired the famous Ernst & Young accounting firm to audit its financial records, which would have included a perfunctory look at the IT controls protecting those records. Equifax then hired EY Certifypoint for its ISO 27001 certification, which certified those very same IT controls. EY Certifyponit, of course, is owned by Ernst & Young, meaning the two companies essentially audited their own work, then softgraded any problems found to ensure Equifax maintained its ISO 27001 certification. Neither EY company had any incentive to beat up the other and risk one or both of the EY contracts. Government investigators later found the hardware examined by both EY companies dated back to the 1970s, meaning it would have been impossible for Equifax to have been certified unless some kind of malpractice was going on.

So whereas in the old days these conflicts were typically seen as consultants and auditors swapped envelopes of cash under tables to ensure clients passed audits, now the corruption is nearly entirely institutionalized. And now people are being killed and put at risk. Governments — most especially that of the UK — look the other way, happy to have “privatized standardization” and to boast about third-party accreditation schemes, while ignoring the corruption. It’s so bad in the UK that HRH Princess Anne feted an organization that supports a CB who literally issued an ISO 9001 certificate to a heroin smuggling ring; we have no idea how many people were killed by their client.

The scheme is supposed to be overseen by a network of official “Accreditation Bodies” (ABs) who are all signatory members of the International Accreditation Forum (IAF), a shadowy organization answerable to no one, but with its hooks in the governments of various nations. Bodies such as UKAS, ANAB and DAkkS — the latter of which should be overseeing TUV in the Vale disaster — routinely look the other way after such scandals, and are never called on the carpet by regulators or investigators. They escape scrutiny through a convenient mix of obscurity and complexity — no one knows who they are, nor really what they do — and yet their executives probably have more information on these disasters than anyone on the planet.

At some point, a government will have to take notice, and pull in the entire troika — the CB, AB and IAF — after enough people die. This doesn’t imply guilt, mind you, but it would recognize that the auditors involved must have information that is critical to the investigation and public safety. If corruption is uncovered, then so be it, and the appropriate parties should be arrested. If not, at least we can say we had a thorough investigation.

If, in the Vale case, DAkkS and the IAF remain unquestioned, then this will be yet another travesty.




About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.