A whistleblower sent me some case information that alleges a company in Dubai bribed a certification body in that same country, and bought a fully-accredited ISO 9001 certificate even though no audit was ever conducted. I’m being careful about this one because I am still trying to verify the information, but reaching the whistleblower has proven difficult. (If you’re reading this, check your Protonmail account.)
The whistleblower’s report claims that a company in Dubai UAE routinely bribed the management of an ISO certification body, also in Dubai, and consistently received annual ISO 9001 certificates even though the CB never did any actual audits. The whistleblower then provided email evidence that does appear — on the surface — to support these allegations. There were many emails exchanged, but here are the two important ones. I’m redacting identities for now, for reasons I will explain in a moment.
In this email, dated February 26, 2024, the client indicates he’s made payment to the CB via bank transfer:
And here we see, just over five hours later on the same date, the CB sending over the ISO 9001 certificate as an attachment (presumably a PDF).
The whistleblower insists that no audits were ever conducted, and that this was routine. They claim the client company has no actual QMS, and that the certification body has no trained auditors; they simply accept payments or cash, and give out certificates.
I have verified that the CB involved is accredited by the Saudi Arabian accreditation body, GCC Accreditation Center (GAC). The head of GAC, Brahim Houla, is a rising star at the International Accreditation Forum (IAF) and was recently nominated to head the IAF’s “International Recognition Committee.” According to the GAC press release:
The International Recognition Committee is one of the most significant and influential committees within global accreditation organizations, responsible for the international recognition and mutual acceptance of accreditation bodies worldwide. This prestigious nomination highlights the growing role of GAC in the international accreditation community and recognizes its expertise in conformity assessment and accreditation practices. The nomination of Eng. Brahim Houla to this leadership position reflects the trust and confidence placed in GAC’s capabilities and its commitment to upholding high standards in the accreditation sector.
That image is likely to be tarnished if we can verify that GAC’s CB clients are accepting bribes to issue accredited ISO certificates without performing audits.
Now, why am I being careful here? Because there exists one explanation for the emails, assuming we ignore all the other details provided by the whistleblower. The company might have undergone its audit first and simply paid for the certificate after the audit was completed. This is unlikely. Typically, you pay either a portion or the entirety of your audit before they perform the audit; this is true in Dubai, as well, since they don’t want to perform the audit unless they already have payment. But that possibility still exists.
I am seeking additional documentary evidence to prove that, in fact, no audit was ever conducted and those emails above represent exactly what we think they do. Once I have that, I can release the names of those involved.
I could also file a complaint since I know the names. If I do, the CB will merely cook up some fake audit reports and hand them over to GAC as proof, and then have the client play along with the scandal. GAC isn’t likely to ever check very hard since Houla and his gang don’t really care if ISO certificates are generated from bribes, despite him taking on higher roles at IAF. So, filing a complaint would just be an invitation for the parties to cover their tracks.
And if I file a complaint directly with GAC, and try to protect the identity of the whistleblower, GAC is just going to do one of two things? First, they will reject the complaint and tell me “procedures” require it be raised directly with the CB first, which would be stupid. You don’t run to the criminal and warn him that he’s being investigated. Next, GAC will likely just run behind the scenes to the CB anyway, and tell them to cook up the fake audit reports to shut down the complaint. So, no matter what, we will probably never get a resolution to this one.
Worse, the United Arab Emirates is so corrupt that they can just arrest the whistleblower for no reason at all. In 2022, the CB Quality Register of Systems (QRS) claimed that evidence provided in a formal complaint was “forged” (it wasn’t) and then had the whistleblower arrested. In that case, the AB involved (EIAC) found in favor of the whistleblower and said there was no evidence anything was forged. The Dubai office of QRS lost its accreditation, but it was little satisfaction since the guy was still in jail. I never heard from him again, so they might have just taken him out back and shot him, for all we know. UAE is that kind of place, despite all its tourist advertisements.
But it was all moot, because QRS’ Dubai office just ran to Brahim Houla and got a new accreditation from GAC! So that’s the kind of guy Houla is.
As I often write, the IAF scheme does not help uphold “trust and confidence” like the press release above claims. It is a protection racket. Bodies that pay into the scheme get protected by the ABs, the IAF regional bodies, and the IAF itself. IAF has routinely ignored the law, and believes its multilateral agreements and obscure “procedures” trump all laws, and that they are not obligated to follow them. Until the IAF is investigated for fraud, this stuff will likely continue.
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world