It’s consistently stunning just how powerless and sycophantic the world’s Accreditation Body community is, led by the IAF (International Accreditation Forum) and its sister regional organization EA (European Accreditation). Together with the ISO committee, they sit on (ISO/CASCO), they write the rules governing the world’s entire management system certification scheme, including how certificates to ISO 9001 and 14001 are issued. And with disturbing regularity, IAF, EA and CASCO work to dilute published standards which govern the actions of Certification Bodies (CBs), in order to legitimize their corrupt and incompetent actions.
Let’s get this out of the way. CBs issue certs to anyone these days, with shocking results. They grant quality management certifications to anyone who can pay, and then hide when it’s later discovered their certified clients were responsible for deadly product defects, incredible global scandals, or environmental disasters. Because on paper the accreditation rules codified in ISO 17021 and ISO 17011 say the CBs are not supposed to do such things, the only way to keep the CBs protected is, therefore, to secretly un-write those rules. That falls on CASCO, led by IAF and EA.
As more and more scandals were reported in the press as being perpetrated by ISO certified companies, the CBs worked to remove the requirement which forced them to maintain public registries of their clients. CASCO dutifully acquiesced and allowed the registry requirement to be removed from ISO 17021-1. Now consumers — and, more importantly, investigators or journalists — have no way of confirming who issued an ISO certificate to any given company involved in a scandal.
As more and more cases of CB auditors breaking the law were revealed, CBs managed to get language removed from ISO 19011 that required auditors to comply with local laws of a given client. The CBs claim such a statement was unnecessary, but in fact it was critical: for auditors traveling internationally, the requirement forced CBs to ensure their auditors understood the laws of the country where they were assigned, which may be different from those of their home country. Now, CBs don’t have to spend time and money on such research, and if their auditors violate laws, it’s on the individual auditor, not the CB. A subtle change that could save an offending CB millions of dollars in fines or court awards.
Because issuing ISO certificates to clients wasn’t enough, CBs started to issue such certs to each other; however, this was an overt violation of an ISO 17021-1 rule which prohibited one CB from certifying another. To get around this, the CBs pushed on the CASCO to issue a nearly-entirely-hidden “clarification” document which simply un-did the rule, saying that, sure, CBs can issue certs to each other now. ISO can meanwhile posture about the strength of its standards, never revealing that there’s some hidden memo floating around that essentially says, “never mind.”
Now comes the notion of “flexible scopes,” a new angle pushed by EA and IAF which allows CBs to issue certificates for things not explicitly listed in their scope of accreditation. There is no way to read a recent EA publication without seeing it was drafted entirely to placate CBs, thus providing yet more evidence of the total corruption of the system. “EA-2/15 M: 2019 EA Requirements for the Accreditation of Flexible Scopes” — which you can read here — wears its sycophancy on its sleeve, by opening up with a 3-point explanation of why having accurate scopes of accreditation is important for customers and “other interested parties,” and then throws them under the bus by announcing, “However, this method of describing a scope can be considered as restrictive by some [CBs].”
The rest of the 9-page document then goes on to justify why having accurate scopes is no longer required, and how CBs can get around doing so. The concept of “flexible scope” would allow a CB to issue certificates for things they are not explicitly accredited for, if they can put together enough justification paperwork — which you’ll never see, mind you, because of confidentiality rules — to cover them. From the EA publication:
5.1 The differing needs of [Certification Bodies] means that there is no single way of implementing flexible scopes. Instead, it is the responsibility of each CAB to determine exactly what its requirements are, how it can approach this within the framework of the standard used for accreditation, and how it can demonstrate to its [National Accreditation Body] that this approach is fit for its intended use and capable of being maintained within control.
Again, you will never be allowed to see any documentation on how a CB self-determined it can breach its published scope. I’ve requested similar documents from CBs before, specifically their risk assessments for identified conflicts of interest, and been rejected every time. When it comes to protecting their internal files, suddenly CBs get very picky about adhering to key sentences in the accreditation rules.
The ironic justification EA gives is that CBs can accredit things out of their scope if they’re “close enough” (my words) and if the CB “is competent to carry out” (their words) the additional certification activities. This reliance on CB “competence” to justify this huge change in rules is stunning, since CB “competence” has been a thing that has plagued the industry and bedeviled the IAF for decades.
It’s not yet clear how far the CBs will take this. You won’t see a CB who is accredited for ISO 9001 quality management suddenly start issuing ISO 14001 environmental management certs, for example. But you could start to see some dangerously close overlaps and blending, especially for CBs who certify people and training programs. Say a company that certifies boiler inspectors suddenly wants to certify nuclear facility inspectors, but doesn’t want to pay the money for a second scope; now they can just write … umm, something … and invoke the new rules, granting them overnight expertise in something they had no experience in just five minutes ago.
If you think this is ludicrous, go check the list of official “IAF Codes,” which take the thousands of international SIC industry codes and crunch them down to only 40, so that an auditor with prior work experience at McDonald’s is fully qualified under the IAF to audit a baby food manufacturing plant, because it all falls under IAF Code 3. A guy who ran a liquor store would fall under the same code, too, and be equally qualified to audit baby food.
The ultimate boon for CBs is that if they are approached to certify something outside of their scope, rather than reject the work (and money), they can accept it if they document the justification. This way, the CB gets paid, which means their attendant Accreditation Body gets paid, too, and so does the IAF. Everyone’s happy.
Until shit blows up.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.