The International Accreditation Forum (IAF) has updated its “Mandatory Document # 5” — called MD5 colloquially — which defines the minimum number of audit days expected for ISO 9001, ISO 14001 and ISO 45001 management system audits. Despite ballooning the MD5 document and adding lots more charts and graphs, it remains a document that certification bodies (CBs) largely ignore, since no one holds them accountable to it.

The MD5 document is supposed to ensure adequate audits by eliminating drive-by audits which can’t possibly assess the management system without the proper time invested. Left to their own devices, CBs will scramble to reduce audit days in order to undercut competitors in an attempt to win 3-year contracts. IAF MD5 is supposed to stop that.

But MD5 only works if it’s enforced by the Accreditation Bodies (ABs) who oversee the CBs. Since CBs pay the ABs, there’s no incentive for ABs to do this, since de-accrediting a bad-acting CB means the AB loses money. So we still see CBs routinely under-bid days, skirting just below the minimums defined in MD5.

It’s supposed to be the IAF’s job to ensure the ABs do their job and hold the CBs accountable to the rules, but the IAF is also conflicted, sitting atop the pyramid, so they largely just publish stuff and call it a day.

The IAF has made this latest version of MD5 even more pie-in-the-sky, layering in lots of official-sounding text that “requires” the CB to consider risk and complexity when calculating adequate audit duration. To which the entire CB community responded with a nasally “snort,” and a gutturally-mumbled, “yeah, right.”

So now a company with 17 employees could get a 3-day audit or a 5-day audit, depending on how the CB calculates the risk. Meaning, of course, the CB will calculate the risk of a competing CB quoting on 3 days, so everyone gets 3-day audits! The CB that quotes 5 days won’t win many contracts.

You can tell whomever wrote this — Elva Nilsen? — has their head up their ass, and is pretending there’s no problem with CBs’ race to the bottom. But then again, MD5 looks good to underinformed government agency directors, so they’ve got that going for them. Surely someone at FDA or OSHA will think this actually means something.

The IAF also reveals that it’s still not in sync with ISO TC 176 on the whole “design clause” thing. Whereas ISO 9001:2015 emphasized that clause 8.3 isn’t just for designing product anymore, but also for the design of services, IAF still allows for excluding 8.3 if a company is not “design responsible.” The problem is, under ISO 9001’s new wording, no one can ever exclude design ever not never, because anything an ISO 9001 certified company does constitutes, technically, a “service” which must be designed before it’s delivered.  Even you build-to-print shops had to design your service of building-to-print.  But the IAF probably realized the global stampede that would ensue if they told everyone they had to go back and add in 8.3, so they punted. Lucky you.

You can grab a free copy of MD5 here.




About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.