In a stunning example of … well, something … a poll run on LinkedIn revealed that a whopping 70% of ISO standards users trust their certification bodies to assess their compliance with the regulatory requirements of ITAR and EAR.

This is nothing less than mind-blowing.

The poll was run by Mark Stevens of Aerospace Exports Inc., and asked, “Do you trust your ISO Registrar (for example) PRJ, NSF, DNV, TUV, BSI, SAI, etc. to accurately assess compliance to the EAR or ITAR?” As of this writing over 180 respondents voted, and 70% answered “Yes,” with the remaining 30% answering “No.”

For those not familiar, ITAR is the US “International Traffic in Arms Regulations,” and EAR is the “Export Administration Regulations.” Among other things, these regulations aim to prevent sensitive technical data from leaking to potential adversaries of the US, and to block the sale of controlled products to certain restricted countries. For example, under ITAR a company cannot share controlled technical data with a “foreign person,” which includes any employee or supplier who is neither a US citizen nor a green card holder, unless the State Department has authorized the export.

The reason the results of this poll are so revealing is that auditors for ISO 9001 and similar standards receive no training at all on ITAR or EAR, since the regulations are entirely out of scope for the standard. These regulations do come into play under AS9100, the aerospace and defense industry standard, but generally are not in play at all for typical commercial companies. EAR may still apply (a manufacturer of baby bottles cannot sell them to North Korea, for example), but even then, ISO auditors are not trained on it.

Furthermore, ISO 9001 only references the “statutory and regulatory requirements” applicable to the quality of the products or services being certified, not every other regulation that might apply to the company.

Next, consider that ISO registrars are required to develop an audit plan before the audit is conducted, and these plans never include any statement that the auditor will be assessing ITAR or EAR. I mean … never. So any auditor who assesses a company against ITAR, for example, is not only violating the accreditation rules, which say the audit shall be constrained to the standard being audited (i.e., ISO 9001), but is also violating their own audit plan.

I think the explanation here has to do with the tendency of the majority of people to willingly yield obedience to authority figures. Multiple studies have been conducted on “obedience theories,” the most prominent being those of Stanley Milgram. In his famous experiment, a group of strangers willingly gave increasingly inhumane electric shocks to other people when told to do so by people they believed to be authority figures. Other less controversial theories and experiments have shown that the average person is willing to subjugate their own beliefs and logic in order to grant decision-making to others, although there are differing conclusions as to why this may be.

Either way, it’s telling that ISO 9001 users would believe their registrars are somehow able to assess their compliance with ITAR when every fact shows this is impossible. Worse, it’s dangerous: allowing auditors to audit you on a subject they are, first of all, not permitted to audit and, second of all, untrained in is lunacy.

But it’s in keeping with the dark side effects of ISO audits. Certification body (CB) auditors routinely write up findings that are invalid, often based on made-up interpretations, even as they do so under an accreditation scheme which prohibits them from inventing such interpretations. Clients, however, overwhelmingly yield to these interpretations, adding cost and risk to their resulting quality systems.

Take this example. A small client of mine runs a tiny distribution shop. Its “warehouse” is roughly the size of a normal home garage, and consists of shelves along the left and right walls, with a garage door in the back. An auditor with NSF-ISR told them to move all the things on the left wall to the right wall, without ever giving a proper explanation. The client, rather than fighting back on this insane “requirement,” hired day laborers over a weekend, and obeyed the auditor. They pulled everything off the shelves and piled it into the middle of the room, then put it back up on the shelves on the opposite side. When the auditor returned a year later, they showed the auditor their handiwork, and the auditor admitted he didn’t even remember telling them to do it. It was a massive waste of time and money, but the client could not summon the courage to challenge their auditor.

Typically this occurs because the client makes a silent assessment of risk: they feel challenging an auditor will cause them to “fail the audit” out of spite, so they roll over. This makes no sense, but it is pervasive. Auditors know this, too, and will sometimes threaten clients who begin to apply back-pressure, in order to force the client to respect their authoritah. Another auditor with NSF (coincidentally) once shouted at one of my clients, saying, “I have never had a nonconformity overturned in twenty years, and I am not about to have one now!” An auditor with SRI threatened to sue a client for “defamation” for challenging a nonconformity. In both cases, the client should have pressed on, as they would have won, but instead yielded to the so-called “authority figure.”

The lack of ITAR experience among auditors is troubling, too. One NQA auditor wrote a client of mine up against ITAR, claiming they did not have a sign-in sheet at the front desk for guests. The problem is that ITAR doesn’t require any such sign-in log; it’s a common myth. In fact, the Dept. of State calls these logs “death logs” because once they see you have one, they know which follow-up questions to ask, and you’ll be “dead” afterward. For example, did you verify the citizenship status of everyone listed on the log, and keep records? Did you maintain copies of each visitor’s birth certificate or passport? A “death log” opens you up to these questions, but the NQA auditor knew none of this.

So the client implemented a death log anyway, based on NQA’s ridiculous advice, and now probably thinks it complies with ITAR. Meanwhile, the log only increased their noncompliance, putting them at legal risk. Will NQA foot the bill if they get fined by State? I doubt it.

So, no… you shouldn’t trust your ISO auditor to verify your compliance with ITAR any more than you should have your podiatrist diagnose your car’s fuel injectors. They are not qualified to audit against ITAR, not trained for it, and not even supposed to in the first place.

 
