Probe Into Saudi ISO 9001 Corruption Widens, Multiple ABs Now Implicated

The fraud scandal related to TUV Middle East (TUVME) is not going away any time soon, but has been dramatically hampered by the certification scheme’s ability to use its complexity and bureaucracy to constantly shift focus. What appeared, at first, to be an open-and-shut case of a CB certifying the work of their own consulting firm has turned into a massive scandal involving at least a dozen countries, multiple ISO accreditation bodies, the IAF regional bodies EA and APAC, and the IAF itself.

If you recall, we reported a relatively simple case of the Dubai office of TUVME certifying the work of a consulting firm known as FAHHS. That led to the revelation that FAHHS is actually an official division of TUVME and the parent organization, TUV Nord from Germany.

The complaint followed the usual path. TUVME denied any wrongdoing, but took no action. The CEO of the CB sent a quasi-threatening email hinting at legal action for impugning his name. The complaint was then escalated to Accreditation Bodies (ABs), when things got much, much more complicated.

Accreditation Body Complicity

First, we escalated the complaint to EIAC, the United Arab Emirates body that accredited TUVME in Dubai. EIAC claimed the subject of the complaint was actually TUVME from Saudi Arabia, and threw it out entirely, saying it had no authority over the Saudi company. EIAC claimed the Dubai company was entirely separate from the Saudi company.

That, we have since found out, was a complete lie. TUVME currently holds three accreditations, and two of them list both the Dubai and Saudi offices together, both as “official locations” of the same CB company. One of those accreditations specifically says the Dubai office is “wholly or partly owned or employed by” TUVME in Saudi Arabia. The certificates also openly include the FAHHS address and name in the scope of accreditation for TUVME.

We then were put off the scent entirely, when it was reported that TUVME reports to TUV Germany, and thus falls under the German Accreditation Body, DAkkS. I filed a complaint with them, and DAkkS did not throw it out for lack of jurisdiction, but did close the matter without taking any action at all. I then rejected their response, and DAkkS ignored it for another two years.  That has since earned DAkkS an official complaint with its oversight body, the IAF regional body called EA.

More recently, we cleared up the accreditation to some extent, learning that TUVME is actually accredited by three bodies: EIAC (for the UAE office only), and then ANAB and IAS for all the offices together. So DAkkS managed to delay the proceedings for years, helping to protect TUVME and FAHHS in the process.

I’ll now be filing separate complaints with ANAB and IAS for their role in this, since it is impossible for the ABs involved not to know that TUVME and FAHHS are the same company.

Why? Because the official FAHHS website is, literally, “https://fahsstuv.com“. So this is not a secret at all, and common, public knowledge. In fact, TUV is brazen about the entire thing.

So, if you’re keeping track, so far in order to protect TUV, everyone in the mix has lied. The Saudi office at TUVME lied. The CEO of FAHHS/TUVME lied. DAkkS lied. EIAC lied. Throughout this entire multi-year spectacle, the IAF and regional bodies (EA and APAC) have been kept in the loop, and done nothing. They cannot feign ignorance, because we have the receipts.

Auditor-Swapping Scandal Discovered

The matter grows much, much worse, however. I now have credible evidence that says TUVME is engaged in full-on fraud.

According to witnesses, TUVME intentionally falsifies ISO certification audit reports, and does so as a matter of internal policy, not because of some rogue office employee. In order to save money, TUVME uses low-paid, unqualified staffers — usually Indians — to perform actual on-site audits. But the auditors then leave a blank space on the audit report where they are supposed to write in their names. The report goes back to the TUVME office, and officials there then insert the name of a fully-qualified, certified Lead Auditor, falsely asserting that the qualified auditor performed the audit. That auditor never actually audited anything.

This allows TUVME to save money on auditors, using unqualified staffers as the “laborers,” thus avoiding the need to pay the higher-qualified Lead Auditors for audit time. What’s not clear is if the Lead Auditors themselves are in on this scam, and get a small fee or allowing TUVME to use their names, or if they are in the dark about it, too.

The fraud here has a lot of angles to it. First, TUVME contractually obligates itself to follow ISO 17021-1 rules for assigning qualified auditors to clients, so they are stealing from their clients. Next, TUVME is falsifying official audit reports which are then used to help clients get government tenders and other work; this drags the clients into the fraud loop, as their tenders are now suspect. Finally, TUVME is clearly not complying with either accreditation rules or laws, so things just keep getting worse the more you look at it.

The evidence is pretty damning, too. TUVME recently laid off a lot of its staffers, during some internal reshuffling. Those staffers now cannot get work as ISO 9001 auditors because they have no audit logs to prove they did audits. Why? Because according to TUVME official records, they never did any audits; their names were left off all records. This means there are a lot of disgruntled former TUVME folks ready to come forth with the evidence against them. (If you’re one of them, feel free to contact me.)

Worse, still, the practice of auditor-swapping is apparently common in the Middle East, and everyone knows about it: CBs, ABs, IAF regional groups, etc. They simply don’t care, because everyone is getting paid, and clients are getting guaranteed ISO certificates based on complete — and potentially criminal — fraud.

Accreditation Bodies Could Fix This

It probably surprises no one that the Middle East in general, and Saudi Arabia in particular, is engaged in widespread ISO certificate fraud. But this auditor-swapping practice was new to me, and opens up a lot of questions.

There is also a racist component to this. When I posted on LinkedIn that DAkkS was involved, a lot of folks acted shocked. They could not imagine “the Germans” engaged in fraud, but they had no problem imagining this in the Middle East or India. The reality is that the entire ISO scheme is corrupt, because the IAF is corrupt. The skin color of the fraudsters makes no difference.

We need to stop giving DAkkS a free pass because they are run by white guys in pinstripe suits.

It would not be difficult for oversight bodies to flush out the practice, either. All ABs need to do is check records (payroll, travel logs, expense reports) to verify the auditor named on the report actually did the audit. Then, the ABs could cold-call certified clients to verify, firsthand, who actually showed up. Finally, the ABs are authorized to do unannounced “Special Audits” on CBs to uncover fraudulent practices.

Will ANAB, IAS, DAkkS, or EIAC do any of those things? Unlikely. We have already seen two of the parties — EIAC and DAkkS — work to cover up the scandal. The expectation that the US bodies  (ANAB and IAS) will do any differently is low.

As more witnesses come forth, there’s even more to this story that I have not yet reported. We’re also trying to gather as much evidence as we can before filing more formal complaints. But even then, the corruption in the IAF-led certification scheme is so entrenched, we shouldn’t expect a sudden change in behavior by the various actors. To them, they are all getting paid millions of dollars, and there’s only some poor blog calling them out on it.

As always, the only way to bring the IAF to heel will be to get international government support and oversight. The IAF must be disbanded entirely, its regional groups thrown to the wind, and accreditation oversight taken back over by ISO. Then, individual governments must either pass laws, or enforce existing laws, that hold the bodies accountable. Governments should ban bad-acting CBs and ABs from operating in their borders when fraud is uncovered, regardless of accreditation status.

In the US, meanwhile, the US Dept. of Defense must be pressured to move away from its gravitation toward the IAF scheme actors, and other government agencies must follow suit. The US government should not be in the business of creating trade or security agreements that rely on a proven, corrupt scheme… until it’s fixed.