With this week’s ruling by the IAF — through its cohort the EA — clearing UKAS despite overwhelming evidence of failure to enforce accreditation rules, it’s become evident to the world that the ISO 9001 certification scheme is meaningless. While companies certainly will benefit from using the standard for their internal purposes, third party certification has devolved into a full-fledged “pay to play” scheme whereby any company can have ISO 9001 if they are willing to pay for it, and certification bodies (CBs) can engage in whatever unethical and illegal practices they like in the process.
Let’s look at some of the rulings the IAF has issued in the past year or two.
- CB auditors may have clients fill out their own audit reports. This decision, prompted by the AS9100 “PEAR fiasco,” gives CB auditors the right to offload completion of audit reports back to the client, effectively allowing the client to audit themselves; afterwards, of course, the CB may issue a “certificate” that claims the CB performed the audit, effectively making the final certificate a fraudulent document. This clearly violates the letter of ISO 17021 — which says “the [CB] audit team” will complete audit reports, not the client. It also violates the contract with the client, which requires the CB to do the work they are being paid to do, not make the client do it and then just cash the check afterwards.
- CBs can sell software for implementation and maintenance of a QMS, and then certify that QMS. The IAF rulings support the claim that software does not constitute consulting, even thought ISO 17021 specifically prohibits them from “participation in designing, implementing or maintaining a management system” they later certify. The creates serious conflicts of interest, as it raises questions as to whether CB auditors would audit competing software more aggressively, in order to swing clients over to their CB’s software products.
- CBs may write the client’s QMS documentation. The IAF rulings support the CB position that documented procedures provided by a CB are not a form of consulting, despite ISO 17021 specifically defining consulting as including “preparing or producing manuals or procedures.” This even applies to the “required six” procedures of ISO 9001:2008, which can now be written entirely by the CB, and later certified.
- CBs may unilaterally cut off complaints at will. The IAF allows CBs to cut off the processing of official complaints at will, and even to take actions to cut off all future communication with the complainant, such as permanently banning the entire domain of the complainant to prevent all email correspondence. This violates a whole host of ISO 17021 rules, but most of all the governing “principles for inspiring confidence” which includes “responsiveness to complaints.”
- CBs may withhold information on complaints from the public, despite ISO 17021 requiring it to “determine, together with the client and the complainant, whether and, if so to what extent, the subject of the complaint and its resolution shall be made public.”
- CBs may threaten clients who file official complaints with legal action despite — again — the overarching “principle for inspiring confidence” of “responsiveness to complaints.”
- CBs may issue ISO 9001 certificates to companies that it knows broke the law. ISO 17025 shouldn’t need to tell CBs that they shouldn’t help cover up, clean up or assist a company that engages in criminal acts, since we have other documents — you know, actual laws — that dictate this.
- CBs may issue ISO 9001 certificates without requiring clients to correct violations of trademark or logo usage rules despite ISO 17021 specifically requiring that the CB ensures its clients do “not use or permit the use of a certification document or any part thereof in a misleading manner” and that the CB must take action to enforce this, such as “requests for correction and corrective action, suspension, withdrawal of certification, publication of the transgression and, if necessary, legal action.”
- CBs can violate an ISO 17021 requirement at will, unless there is a specific clause telling them not to. This ludicrous interpretation, issued by IAF’s Norbert Borzek, defies all reasonable human comprehension. In short, the “Borzek Interpretation” makes rules optional, unless each rule comes with a host of additional rules prohibiting every possible way the rule could be violated. So even though laws say “don’t kill,” you are allowed to kill someone with a fork because the law doesn’t specifically mention forks. Make sense?
Follow the Money
To anyone outside of the CB world, and with the tiniest smidgen of an ethical core, these rulings are insane. None of them make any sense, since they all work to undermine the notions of trust and objectivity we are supposed to have about ISO 9001 and related certifications.
But, these ruling make complete sense if one assesses them from the point of view of the CB. Despite dealing with vastly different issues, all these positions share a single theme: they always find CBs innocent, and protect the certification scheme… and the money that flows through it.
Third party certification is supposed to mean that the certification is awarded objectively, fairly, and only to those organizations that actually comply with the standard. Instead, we see certifications issued to anyone who can pay, by companies that are deeply conflicted and utterly drowning in conflicts of interest. The accreditation standards — ISO 17021 for CBs and ISO 17011 for ABs — are either ignored, or openly violated. And now, through its recent rulings, we see the IAF has utterly abdicated its duties to enforce those rules.
The solution is to disband the corrupt IAF, its EA and other cohort organizations, and replace it with an independent scheme operated by an agency that does not generate revenue in any way from certifications. The best option would be for ISO to take on this task, since ISO generates revenue on the sale of standards, and not certifications.
The certification scheme, with its CB/AB/IAF triad of conflicted partners, must be investigated for corruption and collusion with even more vigor than the corrupt FIFA soccer organization, since FIFA isn’t certifying companies that produce dangerous products that kill people. The heads of the accreditation bodies such as ANAB, UKAS and DaKKS must be investigated with as much seriousness as Sepp Bladder, and held accountable. These IAF positions are glaring, shocking evidence the system is corrupted, and action must be taken to fix it.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.