A while back, Oxebridge reported on the disturbing trend within the AS9100 certification scheme of third party registrar auditors offloading the completion of their official audit reports onto the clients themselves. In effect, this meant that clients were auditing themselves, and then the registrars were merely signing the reports, and then issuing a certificate claiming the clients were independently assessed. This blurred the lines between first- and third-party audits to the point of near fraud. After all, the resulting AS9100 certificate indicates the registrar audited the client, not that the client audited themselves and the registrar merely signed the report.

Norbert Borzek

Within aerospace, it’s not clear if the practice has abated, either. The aerospace auditors’ “PEAR” form was the source of this problem, and despite widespread derision and complaints by auditors, the IAQG has merely doubled-down, and rather than drop the PEAR, has given it new powers under the upcoming revisions to AS9100 auditing rules. For those not familiar with it, the Process Effectiveness Assessment Report is the (wait for it…) report that auditors use to assess process effectiveness, and AS9100 registrars were caught having clients assess their own effectiveness by pre-filling the PEAR prior to audit, and then having the registrar auditor merely sign it afterward.

That’s bad enough, but when we pushed for an official ruling to denounce the practice, ANAB, IAQG and the IAF all ruled that it was entirely acceptable. In what became known as the “Borzek Rule” — because it was written by IAF’s Norbert Borzek of the German accreditation body DAkkS — the IAF claimed that while ISO 17021 does require “the audit team” to complete the audit report, it was perfectly fine to offload this responsibility to the client. Of course that makes no sense, so you’re not alone in scratching your head over that interpretation. Despite multiple requests, Borzek addressed neither the conflict of interest nor the fact that clients were being forced to do the work they were paying their registrars for.

The IAQG’s Tim Lee of Boeing, the alleged creator of the PEAR form and its strongest advocate, took it further into the realm of surreal performance art. Lee argued:

There is no requirement in AS9104-1 nor AS9101 for a client to complete a PEAR form, prior to an assessment. In addition, there is no requirement that prevents a CB from requesting that their clients complete the form as an audit prep activity.

What this means is that despite the rules literally requiring that the “audit team” will fill out the report, there is nothing in the rules that says they don’t not have to fill it out. If that sounds like a double negative, it is; under Lee’s interpretation — clearly tortured to support the certification bodies — every rule in the ISO 17021 and AS910x standards can be violated because there’s no rule saying you can’t violate it. And, yes, that defeats the purpose of having rules, making all of them entirely optional. For example, while the auditing rules say the registrar will issue a certificate, there’s nothing saying the registrar can’t “request that their clients” issue their own certificate… right? It’s still a mystery why Boeing hasn’t fired Lee yet, since he’s a one-man wrecking ball for their already damaged reputation.

I warned of the dangers of this position back in 2012. Specifically, this creates two major problems: first, it might constitute contract fraud and malpractice on the part of registrars, whose contracts and fees are tied to the idea that they are doing the work, and not being paid for work they just offload back to the client. After all, if you go to the doctor for surgery, you shouldn’t pay the surgeon for the privilege of conducting surgery on yourself.

Second, it utterly violates the concept of such certifications, which declare that they are “independent and objective” assessments of a company, resulting in a certificate that is supposed to be trusted on the basis of this independence. Third party certifications are supposed to be better than self-declarations, because of the objectivity that comes with hiring a third party. If the third party merely signs reports and evidence provided by the first party, then it destroys that trust and credibility. It turns the entire IAF accredited certificate scheme into a giant certificate mill operation, where anyone can get a certificate no matter what, and you pay only for the piece of paper; auditors don’t actually have to audit, since you can just audit yourself.

Stephanie Erdman was injured by a faulty Takata airbag. Under the Borzek Rule, ISO auditors would have no responsibility to audit design records not pre-selected by the manufacturer themselves.

We Saw This Coming

It was just a matter of time before the problems in the AS9100 scheme infected the ISO 9001 scheme, and now they have. The other day a client forwarded me an email sent to them by their registrar, which asked them to fill out an “ISO 9001:2015 Transition Checklist” in advance of their upcoming audit; the client already has ISO 9001:2008, and is updating to the 2015 standard at their next surveillance audit.

Confused, the client sent me the form to fill out on their behalf. Immediately, it was evident something was wrong: the form included “merge fields” designed to be populated by the registrar’s database, and not intended to be filled out by hand. Next, the form contained a clause-by-clause checklist of ISO 9001:2015 requirements, with “yes” or “no” checkboxes to be clicked as evidence of compliance with each clause. Then, most of the clauses included a text field to manually enter the evidence supporting the option checked. For example, one text field prompted the user to fill in a list of “interested parties” right onto the form. Finally, the form ended with a place for the auditor to sign off, indicating its readiness for submission back to the registrar for processing.

In short, it was obvious the form was to be filled out by the auditor and not the client. I double-checked the email sent by the registrar, and sure enough, he literally instructed the client to fill out the form “prior to my arrival.” I then checked the metadata on the form, and confirmed it was created by the registrar, although the big logo at the top of the page was probably proof enough. Then I checked and found the Word form had comments embedded, all of which were between various representatives of the registrar. There’s no way this document should have been released to a client with the registrar’s own editorial comments in the margins.

Representatives from the registrar later did confirm that it was intended as an internal form, and not intended to be used by clients. I could make a huge fuss, but Norbert Borzek has already cut the legs out from under any such argument and telegraphed to the registrars of the world that this sort of thing is perfectly fine. According to him, auditors need only “verify” the evidence hand-picked by their client, and that’s that. Easy-peasy.

So in reality here is what will happen: I, on behalf of my client, will do my duty and represent my client by filling in the form, being sure to put in whatever evidence I think is best. That will be the evidence I know about — and thus leave out any I don’t know about — which will skew the results in my client’s favor. I’m a forthright guy dedicated to whatever ethics remain in this profession, so I am not about to intentionally falsify the report; but another consultant would gladly insert unbridled praise for their client, claiming they can walk on water, turn water into wine, and then walk on the wine, too. They would intentionally leave out any evidence of nonconformity because, why not? Why would a consultant willingly invite the registrar to look into things that might constitute malpractice? The auditor will just sign it anyway, and the IAF said that’s perfectly fine. My client could be producing poison-tainted baby bottle nipples, and no one cares. The paperwork is filled out, the auditor didn’t have to do it, and everyone gets paid. Win-win, unless you’re the baby.

The IAF May Just As Well Sell Shrapnel

Imagine this scenario. The ISO 9001 registrars have sniffed their noses indignantly at the suggestion that they should have spotted the Takata airbag design record problems, which happened under the ISO 9001 certified supplier Inflation Systems Inc., and which has since killed multiple people by turning airbags into face-bombs. The registrars claim they have no means of rooting out fraud since they can’t check every possible record. Naturally, no such disclaimers appear on their certificates, which are later used by companies like Inflation Systems Inc. to gain contracts with firms like Takata, but the CBs ignore such facts. Now, however, thanks to the Borzek Rule, if it were discovered that Inflation Systems Inc. had willingly completed their own ISO 9001 audit and intentionally left out the records of the defective airbags by populating the audit form with only conforming records and glowing self-praise, this would be entirely fine, and they could still obtain an ISO 9001 certificate. Meanwhile, the marketing of ISO and the registrars insists that their certifications “improve quality” and are based on “independent assessments” of “objective evidence.” In reality, we now see that the exact opposite happens, all with IAF permission.

Clearly — clearly — this is a huge conflict of interest. It’s also a literal violation of the accreditation rules, despite what nonsense Tim Lee and Norbert Borzek manage to spit out. The auditor must be finding and reviewing the evidence they select, not simply signing off on evidence and report data provided by the client or their consultant.

So yet again we see the real-world results of lax oversight on the part of the deeply conflicted International Accreditation Forum, led by deeply conflicted, self-interested individuals like Borzek. The solution, of course, is simple and not particularly revolutionary: we must follow the rules we have. We don’t need a massive overhaul; we need to simply abide by the standards that are already developed. Yes, they could probably use minor tweaking, but generally they appear — on paper — to provide a robust and independent assessment scheme. But so long as Borzek and his ilk prioritize the financial posture of the Accreditation Bodies and Certification Bodies that pay for the scheme, and twist common-sense definitions to suit their Certification Body masters, we will continue to labor under a fraudulent ISO certification scheme.

If you missed it, be sure to read Forget FIFA: Investigate the IAF. And remember, to fix this you need to get my ass to Congress.

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.
