Despite having a critical tool in their arsenal which would have helped their survival during the coronavirus pandemic, the majority of ISO certification bodies (CBs) haven’t prepared. That tool is called “Information and Communication Technology,” or ICT. Accreditation rules allow for CBs to utilize ICT in order to conduct audits remotely, something which suddenly seems crucial as companies disallow visitors and business travel, and are pressing employees to work from home.
ICT was previously referred to as Computer Aided Auditing Techniques (CAAT) under older accreditation rules. Oxebridge was pressing some clients to use this, especially in cases of small IT consulting firms whose employees largely telecommuted, and who had little reason to have an auditor physically on-site for an audit. Nevertheless, major CBs never developed the procedures necessary for CAAT, and never reached out to ANAB or their accreditation bodies for approval to conduct remote audits.
The problem was so bad, that eventually ANAB dropped CAAT entirely, claiming no one had ever even used it.
CAAT was rebooted as ICT more recently, but the major CBs still have not done the due diligence to implement it… even after the IAF and accreditation bodies loosened rules on requiring advance approval. Even under the lax rules, ICT still requires a CB develop procedures for conducting remote audits, and then providing the technical resources (web conferencing platforms, software, login credentials, etc.) to auditors to allow enable them to do it. Then there’s the issue of training auditors on how to use those tools, something CBs will never do since it comes out of their pockets.
So now we sit in the middle of the coronavirus pandemic, and the best ANAB can do is offer a murky, wimpy extension of certification dates so that if a company can’t be physically audited before their cert lapses, they won’t lose it. It’s a half-measure, and one that remains ignorant. What if the virus’ impact goes far beyond the six-month allotment granted by ANAB? What about surveillance audits? (The ANAB rule doesn’t fix that problem at all.)
The problems are likely to extend, too, even after the virus has burned itself out. When people start to return to work, they are going to have to do a lot of catch-up, and hosting an ISO 9001 audit is not likely to be a priority. It may take another full six months before a company is ready to resubmit itself for audits. They will have lost their certification in that time.
The CBs don’t mind, as they will get much more money charging such companies for “new” certifications, rather than recertifications. But here’s the rub:
Because of their failure to develop ICT methods previously, CBs are not prepared or approved to conduct remote audits now that the virus has hit. This means that we could conceivably see some CBs go out of business entirely, as they are either prohibited or discouraged from conducting audits via on-site appraisals. This also means the audit pool will shrink further, as auditors quit or retire, given they won’t have work. For the AS9100 scheme, which is already dramatically lacking in auditors, this may be a serious blow that will take years to recover from.
As usual, the root causes of this lack of preparedness are laziness and greed. CBs never want to spend money on anything other than marketing, so never put effort into pursuing either CAAT or ICT. Most CBs develop their procedures once — before they get accredited — and then never revisit them again. Revising documents takes effort and staff time, two things CBs really hate to use.
Now the entire community that’s been telling everyone else to engage in “risk-based thinking” finds itself crippled and facing huge losses, all because of a lack of planning. The irony would be hilarious if so many innocent companies weren’t going to be the ones to face the repercussions.
What can you do? Write to your CB right now, and ask them if they have procedures and approval to conduct ICT-based audits. IF so, invoke them. If not, ask the CB when they will have these protocols implemented. If the answer isn’t to your liking, shop around and change registrars now.
BTW, right now Oxebridge has implemented methods to perform much of its consulting and training via various online platforms. We’ve always had these capabilities — they aren’t hard — so we haven’t been caught flatfooted. If we can do it, you’d think BSI or DQS could muster it.