The New Jersey-based consultant Praadis Consulting is alleged to have created its own CMMI and ISO certifications using the logo of the unaccredited certification body QAS Ltd. The certificates indicate Praadis holds valuable Maturity Level 5 appraisal status but without any official recognition by The CMMI Institute. The problem prompted the Institute to issue a press release denouncing the QAS certificates as “illegitimate.”

In the majority of instances, the illegitimate certificates that are reported to us have been issued by organizations with no CMMI credentials; these companies are not CMMI Institute Partners, and do not employ certified CMMI Instructors, SCAMPI Lead Appraisers, or SCAMPI B&C Team Leaders. These companies purport to offer CMMI appraisals and services without authorization from CMMI Institute, and the certificates they issue are not recognized by CMMI Institute.

The press release included a typo, however, referring to QAS as “QSA” by accident, but Oxebridge has confirmed that CMMI was referring to QAS Ltd.

Prior reporting by Oxebridge incorrectly stated that QAS formally issued the certificates; see update below.

The “Capability Maturity Model Integration” is a process maturity appraisal method originally developed for software developers, but which has expanded to be applicable to a wide range of organizations. It is considered a step far above that of typical ISO 9001 certification, although the two methods are wildly dissimilar. All CMMI activities are governed by the CMMI Institute, and are highly guarded through various legal and licensing agreements.

Attorneys for QAS reported the following to Oxebridge:

Praadis Consulting is not nor ever has been a client of our client. Whilst the font and heading of the Certificate illustrated are the same as one would find on Certificates issued by our client, the document you have illustrated is false, and not issued by our client.  We can only surmise that either a representative at Praadis Consulting has either doctored/produced this document themselves or else a third party has done so at its behest.

The Praadis certificate indicates the company holds Maturity Level 5 for CMMI, a level which is seen as the high water mark for CMMI appraised companies. Actual recipients of CMMI ML 5 are rare, and the Institute has created significant hurdles to prevent companies from achieving it if they are cannot demonstrate the appropriate process controls.

The company claims simultaneous “certification” for CMMI Level 3 and Level 5 which is impossible; companies only receive a single rating, not two simultaneous ratings.

The fake certificates also fail to indicate which “constellation” was appraised; there are currently three such constellations: CMMI-DEV for developers, CMMI-SVC for service providers, and CMM-ACQ for acquisition companies. The QAS certs merely indicate “CMMI” without any constellation indicated, which is impossible.

Praadis also created false certificates using the QAS logo for ISO 9001 and ISO 27001.

If Praadis were to use these certificates to gain access to US Federal contracts requiring a CMMI maturity level, this would likely be a felony violation of laws against defrauding the US Federal government.

The Praadis certs also claimed QAS held “accreditation” by an organization known as UK Akkreditering Forum Limited, but this is also an unrecognized entity. “UKAF” simultaneously offers both certification to ISO 9001 and accreditation of ISO 9001 certification bodies, something which is not possible under current accreditation rules. UKAF is not a member of the IAF, and the bulk of its “accredited bodies” could not be verified, or are known Indian certificate mills. UKAF itself appears to have been formed by one Vijay Kumar of New Delhi, and its UK address is an office of a different company, “Cloudbuy.” That company is also Indian-owned and claims ISO certifications by NQA, none of which could be verified. UKAF then claims membership in a number of organizations which do not exist, such as the “International Association for ISO Standards.”

QAS has denied any accreditation by UKAF, and instead has confirmed that it “is not accredited, and never has claimed to be so.”

QAS is one of the largest “certificate mill” operations in the world, and is known for having issued an ISO 9001 certificate to a Leicester UK furniture company that was found to be a front for an illegal heroin smuggling ring. Even after the company’s employees were arrested, tried and imprisoned, QAS sales representatives were still allowing the company to use its ISO 9001 certification mark.

QAS has the backing of the British Quality Foundation, which has as its patron HRH Princess Anne, the daughter of Queen Elizabeth. BQF has rejected calls to cut off its relationship with QAS, even after the news of their certifying a heroin smuggling ring was relayed to them. BQF’s CEO Ian Swain is reportedly close friends with QAS Director Michael Bright, and the two use each other’s organizations to market the other. BQF has twice honored QAS/IMSM with prestigious awards handed out at black-tie annual dinner events.

In a related story, multiple US defense contractors in the IT sector have been found holding actual ISO 27001 information security management system certifications issued by QAS, which likely helped land them contracts with US Federal agencies and branches of the military. These include the defense contractor Integral Consulting, which has won multiple contracts which urge ISO 27001 certification. Oxebridge is investigating whether the use of certificate mills such as QAS violates the bid requirements for Dept. of Defense contract vehicles, which would raise both ethical and legal questions for the companies using QAS.

The UK-based IT consulting firm OrionGMS also boasts ISO 27001 issued by QAS, as does Amatis, a UK cloud services organization. Maryland IT firm Quotient advertised ISO 9001 and ISO 20000 certs from QAS in 2014, but it’s not clear if they still hold them. Other companies holding unaccredited certs from QAS include Alpein Software in Switzerland, scientific consulting firm CheMin from Germany, Toronto software developer Roadmunk, and data security firm Athena Software from Canada.

QAS asserts these certificates, while unaccredited, are nevertheless “entirely legitimate.” Industry experts, however, have called unaccredited ISO certificates “fake,” “false,” and “bogus.” The mills typically respond by pointing out that accreditation is not legally required. If a government contract requires accredited certification, however, then submitting an unaccredited certificate in order to win such a contract would be illegal.

UPDATE 4 JULY 2019: A prior version of this story incorrectly claimed that QAS knowingly issued the certificates to Praadis. QAS has alleged that the certificates were falsified by Praadis. QAS also asserts it is not accredited by UKAF, and that such claims are false; the UKAF website continues to list QAS as an accredited body, however, but for an office in Malaysia.

Indian-based executives of Praadis received requests for clarification from Oxebridge, but have not replied.

In its statement, QAS did acknowledge that its ISO certifications are unaccredited and that it has the support of BQF.

This article has been corrected to include the information given by QAS, and to remove the incorrect information; we apologize for errors in the prior article.