Unfortunately, the ISO certification scheme does not enforce good training on auditors working for CBs (certification bodies), and does not have high standards for the requirements for such auditors either. The result is that sometimes auditors write nonconformities that are invalid — in the US we call them “bogus” — but which nevertheless have to be responded to.
(Note: while this article refers to ISO 9001, the information herein works equally well for AS9100, ISO/TS 16949 and most other management system certifications.)
Common Reasons for Invalid Findings
Typically, these write-ups are invalid because of three common errors:
- No objective evidence. Without objective evidence indicated in the finding, the client cannot take immediate “containment” and fix whatever the auditor happened to be looking at. That’s a critical first step, and it has to happen before the company takes any long-term corrective action. For example, an auditor may say “purchase orders lack approval signatures,” but without indicating which exact purchase orders the auditor looked at, the finding is invalid (per ISO 17021-1) since the client cannot fix the purchase orders. It also makes it impossible for the client to physically verify what the auditor was looking at, in case the auditor made a mistake (for example, perhaps the purchase orders were signed, but simply on the back side of the paper, and the auditor hadn’t noticed). Then the finding could be reversed easily, and no one is harmed.
- No ISO 9001 citation. Without citing the exact clause which is alleged to be in violation, the client (again) cannot take proper corrective action because they don’t know what is actually wrong. Citing the clause in violation is also an accreditation rule requirement, so any finding that doesn’t indicate an exact clause can be thrown out, or the CB must amend the finding to include the proper clause. Be cautious, too, when CB auditors cite clauses or documents other than ISO 9001, such as internal CB documents, “IAF guidance documents” or anything else the auditor may have seen on the internet. Audit findings can only be written against the standard you are being audited against, and that’s a firm contractual requirement.
- Invented requirement. This is the most common problem, where auditors — after years of auditing against their past employer’s QMS, rather than the ISO 9001 standard — come to assume that requirements exist in the standard when they actually do not. Search the ISO 9001 standard for “training matrix,” “annual management review meetings” or “preventive maintenance records” and you can see how much of a problem this is (none of those are actually required, but they are nevertheless routinely mandated by CB auditors). And, again, if there is no clear citation of an actual ISO 9001 requirement, the client cannot possibly take proper corrective action. Worse, if the client does act on the finding, they are essentially allowing the CB auditor to build their quality system based on the auditor’s personal whims and expectations, so that afterwards the auditor is essentially auditing their own work… a serious violation.
There are many other reasons why a finding might be invalid, as well, but these are the most common.
ISO 17021-1: The Other Guy’s Playbook
One of the best ways to ensure you can identify an invalid finding, and then challenge it properly, is to understand the accreditation rules under which all accredited ISO 9001 registrars must operate. These are found in the standard ISO 17021-1. All accredited CBs must comply with this standard lest they be de-accredited, and denied the right to issue ISO 9001 certificates. The enforcement of ISO 17021-1 is done by the Accreditation Body (AB) utilized by the particular registrar; common ABs include ANAB in the US, and UKAS in the UK. You’ve seen their logos next to the CB logo on your ISO 9001 certificate.
ISO 17021-1 is a dull document, more so than ISO 9001, but it’s a treasure trove of rights and privileges that you never even knew you had. It defines your rights, as well as the rules that restrict auditors from writing bogus nonconformities. I can’t stress enough how beneficial it is to purchase a copy of the standard, read it and understand it. The clauses you will want to focus on are 9.4 (Conducting the Audit), 9.7 (Appeals) and 9.8 (Complaints). It’s worth the effort if you are plagued with suspicious nonconformities.
(I hope to be working with Praxiom on a helpful guide “ISO 17021-1 in Plain English” soon.)
The Fear of Appeals
Companies resist filing an appeal because they believe a number of myths, or hold on to some irrational fears. These are sometimes spread by the CB auditors themselves, in an attempt to get clients to accept all audit findings without question; heck, one registrar trains their auditors on how to hypnotize clients without their knowledge, to make them less resistant to their auditors!
Unfortunately, the timidity of clients to challenge CBs creates a self-inflating problem in the industry: the less clients contest bad findings, the more bad findings the auditors write up, since they have no feedback telling them they are wrong. It’s therefore imperative that clients push back against invalid findings, not only to ensure the health of their QMS, but to ensure that ISO 9001 certificates worldwide remain trusted and respected.
The most common myths and fears are:
- If contested, the auditor can take away my ISO 9001 certificate. This is untrue, since auditors cannot take anyone’s certificate away. Those decisions are made by an internal committee within the registrar, not by the auditor, and they will not de-certify a client because the auditor is being spiteful. You are guaranteed the right to contest nonconformities under ISO 17021-1, and the auditor cannot arbitrarily violate these rules because his ego has been bruised.
- If contested, the auditor will escalate the finding to a major nonconformity. Also untrue, for the same reasons. “Major” and “minor” nonconformities are defined in ISO 17021-1, and nonconformities don’t magically increase in severity because a client questions them.
- If contested, the auditor will come back angry, and our next audit will be hell. Typically an auditor won’t even remember the issue by the next audit, but even if they do, their behavior is governed by ISO 17021-1, and they cannot begin issuing “spite findings” out of anger. If they do, those new findings can then be challenged, too, and are more likely to be thrown out since they won’t be based on reality, but instead on emotions.
- Challenging a registrar is expensive. Not true, and technically it’s free, other than the cost of the time needed to send the emails. In fact, challenging a registrar can save the company a tremendous amount of money, by avoiding costs associated with changing the QMS to suit an auditor, or by eliminating the need for an expensive “Nonconformity Follow-Up” audit by the registrar.
- We hate conflict. Some companies simply hate conflict, and do anything to avoid it. Unfortunately, at times professional and courteous conflict is a necessary part of doing business, such as pushing back against customers who refuse to pay their bills, or having to fire employees who are insubordinate. If your organization is so conflict-averse as to allow ISO 9001 registrars to do whatever they like, this is an indicator of an entirely different problem, and ISO nonconformities are the least of your worries. Ultimately, companies must remember that the registrar is a vendor, and that you are their customer, and that dynamic grants you certain rights and privileges.
- Top management doesn’t care, they just want the cert on the wall. This is more common than it should be, and often middle managers tasked with defending the QMS find themselves ordered by their bosses to accept the findings, no matter what, just to keep the cert on the wall. It’s a phony argument, since appealing a finding doesn’t de-certify a company, but if the boss is that worried about it, there’s little you can do other than find a new employer.
- Our certificate will expire while waiting for the appeal to be resolved. This one has some merit, but you should clearly communicate to the CB that you expect the appeal to be resolved by them in a timely manner that does not impact your certification. There are a lot of minor tweaks the CB can make to ensure your cert does not expire, but clearly they should simply prioritize the issue so that this doesn’t even become a risk. If they don’t, you have an entirely different complaint you can levy against them.
Steps to Contest a Finding
Contesting a finding is incredibly simple, and should be done in the following order. In all cases, the challenge must be made in a manner that is polite, firm and based on evidence. Let’s take a look:
1.) Confirm that the nonconformity is, in fact, invalid. Many clients don’t like nonconformities, and want to oppose them, but if the nonconformity is valid, there is no amount of arguing that can reverse it. If it’s a valid finding, it’s better to work to correct the problem than argue for the sake of arguing.
2.) Don’t worry about the closing meeting. Many clients feel that because they have signed the auditor’s nonconformance report, and held a closing meeting, this means the finding has been accepted by the company. This is not true, although some CB auditors will lie and say so. Instead, all you are signing for is receipt of the nonconformity, not acceptance of it. You are granted the right to go back, after the audit, and study the nonconformity in greater detail. Even if during the closing meeting everyone nodded their heads in agreement, you are allowed to change your mind once you study the finding in detail; that is why you do a root cause analysis, after all. So don’t feel obligated to accept the finding as valid if it is not, even if you signed for it and agreed to it verbally during the audit itself.
3.) Gather your facts. Next, you have to be 100% absolutely sure the finding is invalid. You will want to put together internal notes on why the finding may be wrong, such as “auditor didn’t cite a requirement” or “he didn’t indicate what he looked at” or “I can’t find a requirement anywhere in ISO 9001 that requires this.” If you have purchased ISO 17021-1, go over clause 9.4 to find where the auditor may have violated the accreditation rules, which will help your case. Keep copies of any emails from the auditor, as well as copies of the audit report and nonconformity.
4.) Craft your argument. Using this information, put together a strong argument as to why you think the finding is invalid. For now this is an internal discussion only, so you can be as forceful as you like in your internal notes. Be sure your argument clearly describes what the problem is, and why you cannot take corrective action with the finding written the way it is.
5.) Send an informal email to the auditor. The best first alert to the auditor is a casual email, written in a friendly manner, but which captures — in broad strokes — what your concern is. In the email, you would ask (politely!) that the auditor consider re-wording the finding to address your concerns or ask that they consider withdrawing the nonconformity altogether. Here are a few examples:
As part of our root cause analysis of your finding, we are having trouble coming up with a proper response. We found that as it is written right now, there is no specific ISO 9001 clause cited, and we cannot find where in the standard there may be a violation. Can you help us by rewording the finding to cite the clause you are concerned with, and perhaps explaining better how you feel the clause was violated? If there was an error in the finding and it’s not associated with an ISO 9001 clause, we would then ask that perhaps you could withdraw it. Thanks so much.
We noticed in your finding that you did not indicate the objective evidence you looked at during our audit. As a result, we cannot take immediate containment, since we don’t know for sure what to fix. I understand that indicating the objective evidence is a requirement, so could you amend the nonconformity with an indication of what exact evidence you looked at? That would help us greatly. If not, we would ask that you withdraw the nonconformity, since we are unable to take proper corrective action with the problem as written. Thanks so much.
Now you will notice that both samples are extremely polite and quite cool-headed. Unfortunately, because receiving a challenge is a rare thing for many auditors, they may react with some level of hostility. (Recently, one auditor with registrar SRI threatened a defamation lawsuit after a mild challenge to a finding!) So you should be prepared for an irrational response, but you must remain professional and calm no matter what.
You should also not let fear of a possible irrational reply dissuade you from pursuing your concern. Eventually it all blows over and everything returns to normal, so if you do get a heated email or phone call from the auditor, just assure them it’s nothing personal and you are only trying to do what’s best to improve your QMS.
Alternatively, you may get a completely professional and polite reply; so don’t assume things will go south just yet.
If you don’t get a satisfactory result from the auditor through an informal email, you have to make a formal appeal.
6.) File a formal appeal. This is a formal request for the nonconformity to be reviewed by the registrar’s internal committee (not the auditor him/herself). This is a right which is guaranteed to you under ISO 17021-1, and which the CB cannot refuse. To file this, you simply send an email to your registrar’s sales contact, and cc a copy to the auditor. Ask that they forward it to the appropriate appeals body within the registrar.
The appeal should more formally state the reason you are requesting the nonconformity to be withdrawn, and should include a copy of the nonconformity, along with specific citations of ISO 17021-1 (if you have purchased it — don’t worry if you do not.) You should politely but firmly request the finding be withdrawn or amended, and specifically request the CB take “appropriate corrective action.”
Typically, the CB office will then attempt to resolve the problem over the phone, so you may get a call from the home office. Resist this, as it means they are trying to avoid having an official, written record of the issue. This is a risk because they could later change their mind, reverse their position, and you would have no documentation to prove it. Worse still, it keeps the appeal off the record; CBs like to do this so they can hide these from their accreditation body (ANAB, UKAS, etc.) and later claim “we never get any appeals or complaints.” Instead, be sure you ask the registrar rep to follow up in writing, with formal corrective action. Keep notes of any phone calls received, and keep copies of any emails received on the matter.
In 90% of the cases that go to appeal, the internal body will side with the client and withdraw the nonconformity. This is true for two primary reasons: first, the internal committee discovers the finding was, in fact, bogus and agrees with the client. Second, the CB home office does not want to risk losing you as a client, so they would rather throw out the finding than lose your annual revenue. So you stand a very good chance of having the nonconformity dropped entirely.
If not, continue…
7.) Assess the registrar’s response. If the registrar has provided a reason as to why the nonconformity should stand, be sure to assess that response in an objective, open-minded manner. It could be they have a very good argument that you did not consider previously, and the finding should be upheld. If so, write to the CB and alert them that you agree with their result, thank them for it, and proceed with your appropriate corrective action. If the response is lacking, and it’s clear the CB is merely “digging in” because they want to remain inflexible, then push forward…
8.) File a formal complaint. If the appeal goes south, and you are absolutely certain you still have a valid argument, you would then file a complaint with the registrar, and cc their accreditation body. Oxebridge has a separate article on filing complaints here. Once again, however, be sure you remain professional and courteous no matter what. Do everything in writing, and keep records of any and all communication regarding the complaint. CC the registrar’s Accreditation Body as well, which will typically shake up the CB so they take your complaint more seriously.
As I said, typically at least 90% of all contested findings are withdrawn, usually just because the CB wants to keep your business. But if the CB feels they have a valid finding, and especially if there’s a direct risk that you are releasing defective product into the market, you may not have good standing, and should probably accept the finding and make the appropriate corrective action.
As always, if you find yourself in a real bind with your CB, we can help with filing appeals, complaints, or simply counseling you on whether the finding is, in fact, valid. Check our page on Audit Defense Services, or post your problem on The O-Forum.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.