Certification Bodies (CBs) couldn’t be ethical if you threatened to drop their mother in a river. They’d rather let mommy drown than start abiding by the rules. So now we see the latest scam by CBs to circumvent an obscure IAF rule that prohibits them from offering both accredited and non-accredited certificates for the same standard.
The rule in question came out of a very official-sounding meeting in Milan way back in 2015. It was labeled “Resolution Number 2015-14,” as if we all don’t know it was a bunch of grinning, half-drunk morons sitting around a hotel folding table pretending to be important. Nevertheless, the IAF resolution states:
The General Assembly, acting on the recommendation of the Technical Committee, resolved that IAF Accreditation Body members shall have legally enforceable arrangements with their accredited CABs that prevents the CAB from issuing non-accredited management systems certificates in scopes for which they are accredited. The General Assembly further agreed that the transition period will be one year from the date of endorsement.
At which point, the General Assembly voted to adjourn so they could get happy ending massages from those cheaply-dressed hookers in the lobby.
OK, so I added that last part, but the first sentence is real. Go check.
The IAF was, at the time, responding to a rash of problems where CBs would offer a lower-cost version of ISO certification that didn’t comply with ISO 17021-1, and which would allow the CB to perform consulting. If they circumvented ISO 17021-1, the CB could certify their own consulting work, basically acting as a certificate mill but while holding full IAF membership. They just wouldn’t put the accreditation logo on the cert. If you wanted them to be ethical and follow ISO 17021-1, they’d make you pay extra.
This was scummy, so the IAF ruled that Accreditation Bodies (ABs) had to have a contract in place with the CBs to stop them from doing it and then, it’s inferred, sue the shit out of CBs who ignored it. (That’s what “legally-enforceable” means.)
Bait and Switch
Now, the CBs have found a way around that, too. Here’s a recent post by the Indonesian certification body PT Heritage Pijar Manajemen:
If you didn’t notice, they sell both accredited (here) and non-accredited (here) ISO certificates. Their Instagram, Facebook, and website posts make this a bit more clear, and even use the IAF name in their ads:
And, yes, also provide consulting services. So how do they get away with it?
Simple: PT Heritage isn’t, itself, a CB at all. They are reselling the services of fully-accredited bodies, which is supposed to be prohibited, but thanks to a recent ruling by UKAS, which just endorsed bribery, the rule is no longer being enforced.
It took some digging, and I won’t go through all the steps, but when you buy an accredited certificate from PT Heritage, they will hand you off to either TNV (a fully accredited CB) or LMS Certification Ltd. That latter one (LMS) is a piece of work itself, having gotten in trouble for developing its own ISO 17021 system using a template kit sold by the Board member of IAS, and for falsely claiming the company is somehow certified or affiliated with CQI/IRCA. LMS was accredited by the Korean Accreditation Board (KAB), one of the most corrupt ABs in the world, but even they got tired of LMS’ bullshit, and apparently, LMS had to run to Egypt to get accredited by the even-more-corrupt EGAC. The sample certificate from the PT Heritage website still shows the KAB logo, though, along with the IAF mark. And, yes, it is ironically a sample certificate for the ISO anti-bribery standard. Cue laugh track.
For their non-accredited certifications, PT Heritage hands over the auditing duties to the non-accredited, fake certificate mill SOA Sertifikasi Indonesia. The logos of SOA and PT Heritage share the same color scheme, so I am sure they are run by the same people. For those certs, they go full-on ballsy and use the ISO logo, which they are most assuredly not supposed to do. But ISO doesn’t have in-house counsel since Holger Gehring was fired quit after failing to sue Oxebridge, so they have no way to stop certificate mills from putting their logos on stuff.
Now, the accreditation bodies involved, like IAS (which accredits TNV) and EGAC (which accredits LMS) are supposed to have “legally-enforceable agreements” to stop this, right? That’s what the IAF Resolution said. But it gets trickier when the CB itself isn’t selling both accredited and non-accredited certs but using a scam company like PT Heritage to do it for them.
But is it okay, after all? I mean, it’s not TNV or LMS that sells the non-accredited versions of the certificates, and PT Heritage is just handing the non-accredited work to a third-party certificate mill, right?
Not so much. The same auditors work for both TNV/LMS and the fake mills. They just switch hats on any given day, switching which company they are auditing on behalf of.
We are supposed to believe that TNV and LMS don’t know all this stuff, and that IAS and EGAC can’t enforce any of it. Of course they can, but it would mean doing their jobs and risking having TNV and LMS stop paying them.
This practice of consultants (like PT Heritage) reselling the ISO certification services of specific CBs (like TNV or LMS) has become a new plague, and one that opens up the door to the widespread proliferation of both “mill certificates” (issued by fake, unaccredited bodies) and “conflicted certificates” (certificates issued by fully-accredited bodies, but in violation of ISO 17021.)
Which makes the ruling over at UKAS all the more troubling. Jackie Burton (or someone in her department) ruled that consultants can re-sell CB services all day long, even though the practice is specifically prohibited by ISO 17021-1. Apparently, now, the words in standards don’t mean anything if UKAS says they don’t.
Well, this is what you get. Of course, the Brits won’t worry about what goes on in Java, because they think it doesn’t affect them. Note, however, that LMS alleges to be a UK-based CB and that they are not getting accredited by UKAS, so UKAS is losing money on this deal. But the IAF is still getting paid, so they aren’t about to do anything about it.
It’s almost as if the IAF isn’t capable of doing the one thing they promise: to ensure the credibility and trust of accredited ISO certifications. Ya think?
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 35 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world
