Oxebridge has filed a 12-page complaint with the International Accreditation Forum (IAF) against the United Kingdom Accreditation Service (UKAS), alleging violations of ISO 17011, the IAF Code of Conduct for Members, as well as violations of EU regulations and UK law.
The move stems from two separate 2014 complaints filed against UKAS-accredited certification bodies, LRQA and BSI.
In the LRQA case, the registrar was found to have issued a valid ISO 9001 certificate to a company that had been reported as having circulated a counterfeit “photoshopped” certificate, in order to gain access to a contract that required ISO 9001 certification. Rather than cite the company for violation of international trademark law, LRQA awarded the company a valid certificate, which was dated the same day as the actual audit. Normally certificates are dated from the time they are approved by the CB’s internal review board, and only after a client has closed any audit findings. In response to the complaint, LRQA threatened to sue Oxebridge for defamation, and then implemented a server “blacklist” on all emails originating from the oxebridge.com domain sent to any recipient in the LRQA.com domain. Oxebridge escalated the complaint to UKAS, who sided unilaterally with LRQA on all counts, while failing to address significant portions of the complaint.
In the second case, Oxebridge filed a complaint alleging that BSI was routinely violating the ISO 17021 prohibition against CBs providing consulting services, primarily through the sale of its Entropy and Action Manager software products. These products provide software tools for internal auditing, corrective action, preventive action and management review, among other ISO 9001 requirements, and are accompanied by documented procedures defining how the user will perform these actions. BSI then certifies users of its Entropy products. The complaint was rejected immediately by BSI, without any evidence of an investigation, resulting in the complaint being escalated to UKAS. Again, UKAS sided unilaterally with BSI, claiming that the Entropy software provided “templates” and not documents; UKAS did not provide any rationale for its distinction that templates are not, themselves, documents. BSI again ignored portions of the original complaint.
UKAS is a signatory of various IAF multilateral agreements, which bind it to complying with ISO 17011, the standard for Accreditation Bodies. The Oxebridge complaint alleges that the two incidents prove UKAS has not been able to overcome the inherent conflicts of interest in the CB-AB relationship, whereby Certification Bodies pay their Accreditation Bodies for accreditation; the relationship creates a negative incentive for ABs to enforce the rules on their CB clients, and as a result ABs are nearly never de-accredited.
The Oxebridge complaint also alleges that UKAS has violated British law, specifically Statutory Instrument 2008 No. 1276: Trade Descriptions – The Business Protection from Misleading Marketing Regulations on the grounds that UKAS is engaged in deceptive advertising by failing to comply with ISO 17011, and Statutory Instrument 2009 No. 3155 Market Standards – Accreditation of Services – The Accreditation Regulations, which itself invokes EU Regulation EC No. 765/2008, on the grounds that UKAS has failed to enforce rules on its CBs due to conflicts of interest.
Oxebridge emphasizes that at this time the allegations are just that, allegations, and have yet to be definitively decided.
The escalation of the complaint to the IAF is a rare event, and represents the first time Oxebridge has done so, formally. The only other time Oxebridge has reached out to the IAF was to obtain a preliminary reading on the practice by AS9100 auditors of requiring clients to complete audit reports for them; accreditation rules indicate the registrar must complete such reports, not the client. Nevertheless, IAF representative Norbert Borzek ruled that:
“I can confirm that we do not see a problem, if the organization knowing its processes very well is filling in the requested audit forms provided that the auditor [or] audit team is verifying what is stated in the forms by the organization. Objective evidence for the verification shall be provided by the auditor [or] audit team.”
Oxebridge argued that by allowing clients to hand-pick evidence and fill in the audit reports prior to the actual audit, this excused CB auditors from having to gather their own evidence, and increased the risk that clients would “spike” the reports with predominantly positive evidence, thereby making AS9100 certification worthless.
The IAF oversees Accreditation Body activities and has come under increasing criticism for enabling an environment whereby ISO 9001 registrars provide consulting services to certification clients, and where CBs are not held accountable even for violations of law. The management system certification industry is late in adopting basic ethical practices that other industries, such as accounting and product safety inspection, have long since implemented.
Oxebridge is engaged in a decades-long campaign to improve the validity and trust of ISO 9001 certificates by ensuring existing rules are enforced, and by strengthening the rules by ensuring end user engagement in the development of accreditation standards.