There’s an industry secret that’s no so secret, because everyone knows about it. Most dismiss it as harmless “cheating” on the part of their ISO certification bodies (CBs), and others view it as a benefit if anything. I’m talking about CB auditors cutting audit time short in order to start their weekend early, or to “catch a plane.”

The only thing is, the practice is likely illegal under most circumstances.

Let’s look.

Example # 1: DNV-GL

During a major audit this year with a large aerospace client, an auditor with DNV launched the opening meeting announcing that he had to leave early on Friday, cutting the planned 10-day audit short by a full man-day. (There were two auditors, so a full day was lost when both left a half day early.)

Sure enough at every meeting, every day, he continued to rant about how he had to leave early. This didn’t stop him from engaging in long-winded conversations, so that by Day 2 we were already at least four hours behind schedule. The auditor was so neurotic about getting done early, on one day he threatened the client with a major nonconformity because the lunch room wasn’t ready when he wanted lunch. I’m not even kidding. He stood in the hallway shouting that he could write a major NC for lack of resources. Again, I wish I was joking, but I am not; worse, he had his meltdown in front of a huge group of client representatives, including a corporate VP.

And so on Friday, he left by 10 AM  (not noon as he originally promised), and the client paid for over a full day of auditing that they never received. That’s illegal: the client has a legally binding contract that requires the CB to adhere to audit schedules. In addition, a company cannot bill a customer for services not rendered, and in this case, DNV nevertheless billed the client for a full 10-man-day audit, when only 9 audit days were provided. That’s theft.

In DNV’s defense, they likely had no idea their audit team cut the audit short. The client holds responsibility, too, for not filing a complaint. Instead, however, they just fired DNV later, and transitioned to another CB. In the moment, they were glad to be rid of the lunatic auditor anyway, so having him leave early was a bonus. They were willing to overlook the billing problem.

Example # 2: NSF-ISR

The same thing happened for another major aerospace client who used NSF-ISR. In this case, two auditors performed a four-week audit, for a total of 8 man-weeks, or 40 audit days. Sure enough, every week they would both leave early on Friday, around 11 AM or noon. That’s a loss of a full audit day per week (two auditors leaving a half day early), and a loss of four full audit-days for the duration of the audit. The paperwork published to OASIS and submitted to the client and CB home office, though, was falsified to show audit events running through until 5 PM on each Friday. And, of course, NSF-ISR later billed the client for 40 audit days, not 36. That was about $5,400 that was billed and paid for, for services which were never delivered.

Example # 3: ABS-QE

Recently an auditor with ABS-QE audited a client of mine, and left early each day because — wait for it — he brought his wife along, and she was sitting in the car, in the parking lot, every day of the audit.  Then again, on Friday, he announced he had to leave early to catch a flight. I don’t have the full details on how many audit days were essentially lost, but it was at least a full day. Yet again, ABS billed the client for the full audit, probably unaware of what the auditor was up to. Making matters worse, because his audit report was so empty (since he didn’t actually audit entire clauses), he just copied data from the client’s last audit report, to bulk up the current report. Astonishing! And, again, the client didn’t file a complaint, knowing that any such complaint could trigger a “hold” on their AS9100 cert, which they couldn’t risk.

Example # 4: SAI Global

This one was a real doozy. The client was located in the northeast USA, and the audit scheduled during a snowy winter month. The SAI auditor made it to his hotel the night before, but then called the client on the first audit day to say the weather was too bad for him to drive from the hotel to the client (a few miles). Instead, he said, he would conduct the audit from the hotel.  The client’s quality representative was new to the job, and had never been audited, so trusted the SAI auditor when he said this was acceptable and entirely routine. The auditor never showed up on site at all, and then falsified the OASIS entries and audit report to indicate that he had. Much of the evidence included in the audit report was wholly fabricated.

Catch Me If You Can

Sure, the individual auditors are the guilty parties here. But they are contractors, and work under a (literal) contract with their parent CBs. Those contracts have (or should have) clauses that require them to only bill for services rendered and not to engage in falsification of audit reports. Legally, the CBs hold the final responsibility to ensure the invoices they send to customer match the actual services provided; if not, the CBs can be held legally liable.

But, as usual, the CBs don’t really try to comply. Why would they want to know if they should bill a client less?  In their minds, that would be crazy. They’re always trying to upsell clients with training and other services, so doing the opposite doesn’t even enter their delicate little heads.

The other problem, however, is that this violates the accreditation rules, as usual. Audit duration is supposed to be carefully calculated based on the IAF Mandatory Document #5 (MD5), and any deviations are supposed to be justified in writing. As we’ve seen with the IAS fiasco in India and the Middle East, however, the accreditation bodies are not enforcing these rules, allowing CBs to engage in bait-and-switch tactics where they quote a low audit day duration in order to win a client initially. (Bait and switch is also illegal, but that’s out of scope for this discussion.)

The CBs could uncover this problem very, very easily. All they need do is check the auditor’s flight or travel arrangements when they submit their expense reports. If they see the auditor’s flight was at noon on Friday, it’s a sure bet he didn’t audit until 5 PM. The CBs could also submit a survey to the client, asking them to verify the arrival and departure times of their auditors. This isn’t rocket science.

That the CBs don’t do this shows they really don’t care about the problem, so long as they can continue to bill clients, and so long as the clients remain too terrified to complain about it.

Accreditation Bodies Have Final Responsibility

So this should fall instead on ANAB, UKAS and the accreditation bodies. Again, it would be super-easy for them to uncover this problem during their mandatory, routine office audits of the CB. They would simply demand to review the travel arrangements for the auditors and compare against the audit schedules. Then, upon finding the irrefutable evidence that the auditors were falsifying audit reports, they would report the auditors to their auditor certification body, and demand their certification be revoked. At the same time, the ABs would cite a major nonconformance against the CB for submitting false audit reports and illegal billing practices. That would get their attention.

The result would be a purge of criminal auditors who claim to have industry expertise and management experience, but who are nothing more than thieves and lazy thugs. We need to dump these guys, after all; they should not be working for any CB, ever.

But this would require the ABs to do their “one job,” and that’s something they simply refuse to do. Consider the case where UKAS helped LRQA cover up contract fraud in the Hoerbiger case. ANAB still hasn’t acted on an auditor who was found to be intentionally falsifying his aerospace experience while performing audits for NQA. Routinely, the ABs are only in the business to sell the CBs an accreditation certificate, then conduct theatrical “witness audits” to justify these certificates to government agencies and the public. ABs are terrified that a CB will fire them and switch to a competing AB, so they do a little as possible to uncover CB malpractice or illegal activities. Even when confronted with evidence, they just close the complaints without action.

The lunatics, in short, run the asylum.

That willfulness makes this even more terrible. It’s one thing to have a few — okay, maybe a lot — of rogue auditors who are stealing from clients. But if the CBs and ABs intentionally deny their responsibilities under both accreditation rules and laws to root this out, then they are active accomplices.

For now, the CBs and ABs enjoy a reality in which no one holds them accountable, and the IAF looks the other way so long as the checks keep coming in. But that’s going to change some day, when a regulator gets involved or people start getting arrested. I almost can’t wait to see how ANAB and UKAS feign shock and horror, saying, “oh my stars, we never knew such things were going on!”

They knew, because I told them.

 

 

 

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.