So, in their self-created, mad rush to get companies certified before a self-created mad September 2018 deadline, the world’s ISO 9001 and AS9100 registrars have come up with a new trick: ignore major nonconformities!

In what is a disturbing trend, I am seeing more and more companies who have open major nonconformities, sitting in broad daylight, but who are getting certified by their IAF-matrixed registrars anyway. Specifically, the three majors are: not having conducted any internal audits to ISO 9001:2015, not having performed a management review, and a lack of addressing the new “risk and opportunity” clause of 6.1 in any fashion whatsoever.

ISO 17021-1 defines “major” nonconformity as follows:

Nonconformity that affects the capability of the management system to achieve the intended results.

Note 1 to entry: Nonconformities could be classified as major in the following circumstances:

– if there is a significant doubt that effective process control is in place, or that products or services will meet specified requirements;

– a number of minor nonconformities associated with the same requirement or issue could demonstrate a systemic failure and thus constitute a major nonconformity.

Traditionally, this is also interpreted as not having addressed an entire clause of ISO 9001.

Oxebridge is finding that as we get closer to the September deadline, companies have simply waited too long and didn’t complete their upgrade to ISO 9001:2015 in time. As a result, many are going through scheduled surveillance audits expecting the worst, only to find that they passed the “upgrade” audit without having even done anything. In multiple cases, we found companies that had not performed internal audits to ISO 9001:2015, and yet the registrar auditor attested that they had.

If your alarm bells are going off thinking, “isn’t that fraud?” — well, you’re probably right. The certification bodies are paid to provide a service which, in their contract, alleges it complies with ISO 17021-1, the accreditation rules. They then allege to be independently audited by an Accreditation Body (AB), like ANAB, who is also attesting that they comply with ISO 17021-1. Funny thing: nowhere in ISO 17021-1 does it allow auditors to falsify audit records and say a company has satisfied an ISO 9001 requirement when, in fact, it hasn’t. In fact, pretty much the entire ISO 17021-1 standard says the opposite.

Below is an actual image from an audit report provided by SAI Global, the registrar that still (as of this writing) has its AS9100 accreditation suspended because they pissed off ANAB over audit scheduling issues. SAI can still audit existing clients, and apparently perform upgrade audits, so they are combining the activities in order to get out from under their backlog (I assume). For the client below, they performed a simultaneous ISO 9001:2008 surveillance audit alongside an ISO 9001:2015 “Upgrade Transition Audit.” Essentially the auditor did a 2008 audit, and then just filled out a 2015 checklist on the last day, without actually auditing anything related to the new standard. The final reports only included evidence of the 2008 questions, and the second report — for the 2015 Transition part — only provided checkboxes, without any requirement to record evidence at all. Here’s a shot of their ISO 9001:2015 Upgrade Transition checklist:

In the case above, the client had not performed any audits to ISO 9001:2015, and I was actually brought in weeks after to do just that. So unless SAI had a time machine, it appears the auditor just checked a box indicating that the audits were completed. In addition, he checked off that they had already had a management review related to the COTO stuff (“external and internal issues”) which also had not happened, which became a finding in my internal audits. In my client’s case, it will all be moot since they are pushing ahead anyway, and will get compliant afterwards. But they were prepared for a bloodbath under the ISO 9001:2015 audit portion, and instead watched as SAI just handed them a certificate. That instilled exactly zero confidence in the system.

Since SAI’s forms don’t require the auditor to actually record any evidence for an “Upgrade Transition Audit,” there’s no way for anyone to know later that the auditor was essentially fabricating the audit report. Now, ANAB must have approved SAI’s transition audit forms already, since registrars were required to submit a plan — with documents — to ANAB prior to being accredited for the new standard. If so, this rather predictably means ANAB is totally cool allowing its registrars to issue audit reports utilizing evidence-free checkboxes, and is also OK with knowing the auditors are just faking the reports.

If so, that utterly contradicts ISO 17021-1, which requires “audit reports … shall include or refer to … audit findings, reference to evidence and conclusions.” Evidence is mandatory. Checkboxes don’t allow for evidence.

Auditors and consultants know that it’s typically an instant major nonconformity if you don’t do a full round of internal audits before the registrar shows up. During “upgrade” years, it’s at least required to show proof you audited the delta gaps between the old standard and the new. Likewise, a failure to do a management review, or a failure to address any other entire clause of the standard, is treated as an “instant major.” But those rules are out the window.

Now, even if you disagree with my parsing of the definition of the term “instant major,” we can all agree when we see blatant report falsification. The final section of the SAI report boldly claimed that “all the applicable requirements of ISO 9001:2015 were audited and considered to be adequately implemented” which was factually untrue and literally impossible.

It’s not just SAI, of course, and in the past they were the least offending of the large US registrars. As reported earlier, a client of mine miraculously passed an AS9100 Rev. D audit by NQA even though I had spent only 6 hours on updating their Quality Manual, and they had not yet done any internal audits or COTO work before the audit either. They were using my COTO Log and showed it to the auditor, who apparently didn’t notice it was totally blank. Take a look:

Once again, I was brought in weeks after to finish internal audits, COTO work and assist with the management review, so they got compliant anyway. But my clients tend to be the ones who care, since they are willing to spend some money to ensure they actually implement ISO 9001; just imagine all the certs being handed out to those that don’t really care one way or the other!

I’ve seen this in multiple other cases involving about three other registrars, as well: companies handed certs despite not having done any internal audits, no risk or opportunity work, and no management review of the new requirements.

It appears clear that in order to get ahead of the crush created by this absurd September 2018 deadline — which, as I argued, was a self-created mess that is justified by absolutely nothing except a desire to force people to buy new standards and pay for new audits — the registrars are just pencil-whipping clients and printing certificates. Taking this further, then, it means that certificates issued under ISO 9001:2015 and AS9100 Revision D are less trustworthy than ever, and that the likelihood that your certified suppliers will provide you defective product has increased.

This has got to stop.

    About Christopher Paris

    Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.