ISO 17021 is the standard under which ISO 9001 certification bodies (CBs) are accredited. That standard explicitly prohibits CB auditors from providing “specific advice, instructions or solutions towards the development and implementation of a management system.” The requirement is routinely ignored by CBs, who provide unending consulting services camouflaged as “opportunities for improvements”, all under the direct watch of their Accreditation Body overseers, like ANAB and UKAS. In fact, CBs are now so bold about it, they include such “specific solutions” right in their audit reports.
Here’s an audit report excerpt from SGS, which is accredited by ANAB. The following are examples of actual “opportunities” incorporated into the official audit report, later reviewed by an SGS review committee, and presumably subject to review by ANAB. Now, ANAB could claim that they never saw this particular audit report, due to the inexact art of sampling; however, given that this particular auditor has dozens of clients, audits each at least once a year, and has been auditing for about 15 years, it is safe to say that ANAB would have to either have the worst luck in sampling, or simply not give a damn. Since SGS pays ANAB, you guess which is more likely.
Let’s have a look at a few of the “opportunities” presented, and see if you agree that none of these violate the definition of “specific advice, instructions or solutions.” Any information which could identify the client in question has been redacted, to ensure there is no retaliation on the part of either SGS or ANAB. I have left the opportunity numbering from the auditor intact, although I have not included all the opportunities he provided.
Opportunity # 2: Here the SGS auditor calls for the creation of a specific form, going so far as to suggest a specific name for the form (“NC Log”) and then defining the full extent of its specific purposes.
Opportunity # 4: Here the auditor proposes creating a new job in the company, something normally considered taboo:
Opportunity # 5: In this example, the auditor gives a wordy, near-unintelligible recommendation to change the company’s current training program to include specific “levels,” going so far as to give each level a name:
Opportunity # 6: Now the auditor not only suggests a specific inspection method, he goes so far as to provide the sampling rate (“100%”). In this case, the auditor is literally devising the product inspection methods he will later audit:
Opportunity # 10: Here the auditor again proposes a specific inspection method, this time for receiving inspection, going so far as to define the physical method of sampling and conducting the inspection, even advising in what specific direction the inspector should physically move.
Opportunity # 11: Now the auditor not only advises on the method of labeling the raw material, but also indicates that this method should be imposed on the vendor of the raw material. He even indicates where the labels should specifically be placed, and what specific information should be put on them. Worse still, his advice contradicts industry best practice, which is to put roll labels on the inside of the core, so they are not stripped off when handled by forklifts, or obscured when hung on racks.
Opportunity # 9: I left this one for last, because it’s a bit more complex, but also cuts to the very heart of the ISO 17021 prohibitions. The rules say that an auditor may provide such opportunities for improvement, but with one important restriction:
188.8.131.52 The audit team may identify opportunities for improvement but shall not recommend specific solutions.
In the example below, we see the SGS auditor providing the rationale for needing the OFI (“several boxes of returns were identified…. but no disposition had been determined”) which is fine. But he then provides the specific solution explicitly prohibited by 17021, when he directs the client to “create a log.” The given problem could be solved in a number of ways, without the 1950’s go-to answer of “create a log.”
Clearly by any measure of the definitions provided by ISO 17021, this auditor has violated the rules not only once, but eleven times. And this is just one auditor; another client of mine was handed a list of over 25 such suggestions, including one to reorganize the entire warehouse so that everything on the left side was moved to the right, and vice versa. I’m not kidding, and it’s all documented.
In another example, an audit was witnessed by two major customers of my client, and they both wrote official reports condemning the audit, citing the CB auditors for having spent more time consulting than gathering objective evidence. The client was put on notice that their status as a supplier would be at risk if they did not fire the registrar.
Here’s an example of a list of “recommendations” included in an official audit by QMI/SAI Global. Notice again how the auditor specifies the creation of certain forms, and even what to use them for:
You can see throughout that auditors are trained to preface such suggestions with the term “consider….” You can blame RABQSA for that one, as it appears to be something they require in all their auditor training courses. It’s also seen by CBs and ABs as the way to legally provide a suggestion, since it gives the client the option to ignore it.
Here’s the problem. ISO 17021 does not allow specific solutions even if they are phrased as optional. It prohibits them outright, period. The prohibition is not based on whether advice is compulsory or not, but rather on the specificity of the advice.
An optional suggestion containing specific advice is as prohibited as a mandatory suggestion containing specific advice. Don’t believe me, ANAB? Ask your lawyer.
The Costs of Doing Bad Business
There are real-world implications and costs associated with this bad behavior. First, ISO 17021 specifically prohibits threats to impartiality based on “familiarity.” The thinking is that if a client adopts an auditor’s suggested solution, the auditor will then have a natural positive predisposition towards the action, and audit it with less scrutiny than if the client ignores the advice, and takes an alternate action. CB auditors will deny this is possible, but they are denying their humanity by doing so. This kind of thing is natural, embedded in our DNA, and utterly unavoidable. That’s why nearly every other inspection and auditing profession prohibits it, and enforces that prohibition.
Consider the “opportunity” by the SGS auditor above, who suggested the roll material be labeled on the outside of the cardboard core. If the client took his advice, and had the rolls labeled on the outside, the auditor would be happy. But now the labels would be subject to physical wear and tear, and the next time the auditor arrived, they might be worn off entirely. The auditor is now faced with a conflict of interest: if he writes a finding against unidentified material, he would be admitting that the advice he gave was actually really, really bad. So he might be inclined not to write it at all, thus allowing the company to increase its risk of using unidentified material. All because he couldn’t keep his opinions to himself. These are the exact scenarios ISO 17021 intended to prevent.
Next, there are massive financial costs. Implementing a casual OFI that may take the auditor only a few seconds to type could cost the client weeks or months of implementation time. Even creating a simple “log form” involves creation of the form, incorporating it into document control, implementing it, training everyone on it, and then ensuring it’s used properly. That’s not free, and the CB doesn’t pay those costs.
A larger “suggestion” of hiring an entire person is irresponsible beyond imagination. This involves not only job interviews, but hiring, orientation, benefits enrollment, and then … you know… paying the person. It’s easy for an auditor to say “create a new position,” because it’s not their money they are spending.
The IAF signatory ABs need to stop kowtowing to their CB clients in order to keep their revenue flowing, since as more and more companies drop ISO 9001 because of this kind of expensive misbehavior, they will have fewer and fewer CBs to accredit. Instead, ANAB and UKAS and the rest need to start doing their jobs, adhering to their marketing and accreditations, and enforcing the rules.
Have more examples of audit reports with CB consulting? Send them here!
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.