Oxebridge has filed a comprehensive complaint against the US-based accreditation body International Accreditation Service (IAS) of Brea, California. The complaint was submitted to the Asian-Pacific Accreditation Cooperation (APAC) at the direction of the International Accreditation Forum (IAF). The complaint alleges that IAS fundamentally violated its obligations under the standard ISO 17011:2017 by not enforcing accreditation rules on multiple Certification Bodies (CBs) bearing its mark.

IAS entered the US market as a competitor to accreditation behemoth ANAB, but has not reached a fraction of ANAB’s US market, instead opting to focus on serving CBs in India and the Middle East by offering them an accreditation with a US address. IAS has defended certification bodies who offer ultra-low cost services, primarily relying on underpaid Indian auditors, insisting that ISO and IAF rules do not dictate audit pricing.

The Oxebridge complaint was prompted by multiple incidents spanning over two years. Since 2017, Oxebridge has been inundated with offers to form “partnerships” or marketing alliances with various IAS-accredited CBs, despite rules in ISO 17021-1 indicating that CBs cannot engage in such relationships with consulting firms. In other cases, various CBs claiming to hold IAS accreditation were found to be using the logo without permission, pointing to a significant problem on the part of IAS with regard to enforcing the validity of its mark. ISO 17011 demands that accreditation bodies take actions against companies that use their mark illegally, up to and including “legal action,” but IAS has not done so, allowing its mark to proliferate throughout Asia.

The complaint also escalates two serious concerns previously raised against the IAS-accredited certification bodies AQC Middle East FZE and ACS W3 Solutionz. The two CBs were reported through Oxebridge’s ISO Whistleblower Program as having quoted dramatically low prices for a simultaneous ISO 9001, ISO 14001 and ISO 45001 integrated management system certification. When Oxebridge analyzed the quotes, it found that the CBs had violated the “minimum audit duration” rules codified in IAF Mandatory Document #5 (MD5). That document dictates the length of audits based on employee count and other factors, and the IAS-accredited CBs appear to have ignored these rules in order to assure a low price.

Website for IQMS which offers both ISO 9001 certification and consulting, while falsely claiming IAS and other accreditations.

In one case, a CB quoted the same price for a two-stage initial certification audit as they did for a subsequent one-stage surveillance audit. MD5 indicates that surveillance audits are to be calculated at approximately 1/3 the duration of the initial audit, so having an initial audit and surveillance audit reflect the same price is mathematically impossible unless the initial audit was artificially reduced.

In another case, a CB responded to Oxebridge’s complaints by attaching a confidential application form submitted by their client in order to bolster their defense. That resulted in the CB violating additional requirements set forth in ISO 17021-1 requiring that CBs ensure the confidentiality of client information.

Both CBs responded to Oxebridge by denying the complaints, making the unusual argument that CBs cannot violate ISO 17021-1 or IAF MD5 during quoting, since at that point no contract has been signed nor any certificate issued. Oxebridge then escalated both complaints to IAS for adjudication by their accreditation body.

IAS Adopts Identical Ruling

IAS then denied the complaints, siding with its CBs entirely and closing them without action. IAS then parroted nearly exactly the excuses provided by the CBs. In his official reply to the AQC Middle East FZE complaint, IAS Vice President Mohan Sabaratnam wrote:

Upon receiving an enquiry AQC submitted a Quotation, no application was signed or agreed at this point. No audit program was established and no audit dates were confirmed so I am confused as to how Oxebridge can claim that AQC is not following MD5.

Mr. Sabaratnam then used the same explanation to excuse ACS W3 Solutionz, writing:

The above organization informed us that it had not issued the certificate to the client.  

The view that accreditation rules do not apply until either a contract is signed or after a certificate is issued is a stunning rejection of nearly the entirety of ISO 17021-1 and IAF MD5. Both those standards have entire clauses dedicated to the requirements for processing “applications” and “audit planning,” which — in the case of initial certification clients — always comes before a contract is signed. IAS’ argument that such rules only apply after a certificate is issued is even more bizarre, since nearly all the rules are intended to ensure the CB acts properly before the certificate is issued.

With regard to the complaint against its CB violating confidentiality rules, IAS ignored the issue entirely, forcing Oxebridge to add an additional allegation that IAS violated ISO 17011 rules on complaints processing.

Invitation to Contract Fraud

IAS’ ruling opens it to accusations that it is endorsing “bait and switch” pricing by its CBs. Taking the Sabaratnam ruling to its natural conclusion, if a CB is not held to the audit duration rules of MD5 during quoting, it can thus quote single-day audits for any scope whatsoever, at highly reduced rates. Then, per Sabaratnam’s logic, once the contract is signed, MD5 would apply, forcing the CB to re-quote the work and increase the number of audit days, and thus the cost. Such “bait and switch” is likely illegal in the US under the Lanham Act and other consumer and B2B regulations, as well as the laws of other countries.

It does not appear that Mr. Sabaratnam consulted with legal counsel before issuing his official ruling.

Escalation to APAC

The next highest authority in the ISO accreditation scheme is the “Regional Accreditation Body,” which in this case is APAC. IAF explained that this is because the bulk of IAS’ work is in Asia, despite their US address.

If APAC does not rule to uphold the complaint, it will mean that CBs can rightfully ignore the entirety of ISO 17021-1 and the various IAF mandatory documents until after a certificate is issued, turning the accreditation scheme on its head. This would allow CBs to perform marketing, quoting and even audits in whatever manner they choose, violating all normal accreditation rules, saying the rules don’t apply until after the audit is complete and the certificate issued.

Such a ruling would also cause problems for the entire accreditation scheme which obtains US Federal Government contracts on the promise that the scheme works as advertised, through the ISO 17021 rules.

Expectations Low

Traditionally, the IAF rules on the side of the Accreditation Bodies and CBs, since it sits at the top of the revenue pyramid. Oxebridge has only had to escalate a complaint once to IAF, when UKAS failed to act after its logo — and that of its CB Lloyds Register QA — was found on a forged contract document intended to gain illegal bidding access to a lucrative oil contract. Rather than enforce their mark or report the crime to the authorities, Lloyds and UKAS rewarded the company responsible for the forgery with a legitimate certificate, in exchange for a 3-year auditing contract, helping clean up the crime. The regional body European Accreditation (EA) ruled that nothing wrong had occurred, but did not give any explanation to justify the ruling.

Any ruling by APAC is likely to be similarly opaque.