Selecting a Registrar
If you choose to have your management system certified by a third party, there are some important realities to consider. Unfortunately, turmoil in the market has led to some confusion, much of it intentionally created by unaccredited “certificate mills” who are trying to steal market share. You’re going to spend a lot of money on your registrar, so you need to make the right decision. Here’s a handy guide to selecting your third-party Certification Body (CB), or “registrar.”
Accreditation is king
Be sure your certification body is accredited by an IAF-signatory body. In the US this is ANAB, although you may on occasion see one accredited by UKAS from England. Hiring an unaccredited “certificate mill” is like buying a diploma from a website in Slovakia. Your customers will reject it when they find out, forcing you to just get an accredited cert anyway, making you look like the guy who got his medical degree from Colombia… the country, not the university.
The growth of unaccredited “cert mills” has exploded in recent years, and they have learned a new trick: to claim accreditation with an equally bogus “accreditation body” that either doesn’t exist at all, or is merely the same guy using a different logo. So to check if a Certification Body is legitimately accredited, you have to conduct two steps:
First, check if the certification body is listed as accredited by ANAB; their searchable database can be found here. Alternatively, you can search the UKAS website here. If you find a listing, be sure it is the exact registrar you are considering, by carefully checking the name and home office address. Cert mill operators are famous for creating fake registration companies with slightly-off spellings. If they check out on ANAB or UKAS, then you can stop and don’t have to go to step two.
If the registrar is not listed, ask them why not. If they claim to be accredited by a body other than ANAB or UKAS, get the name, and then search the IAF members list to see if their accreditation body is legitimate. It could be that the registrar is accredited in a country other than the US or UK, and it’s perfectly legitimate. Or it could be that the accreditation body is as fake as the registrar.
Contrary to their claims, there is little difference in pricing, so you won’t save much by hiring a certificate mill, and by avoiding one you will save yourself a lot of embarrassment, or accusations of fraud.
Here are some examples of “fake” certificates (meaning not accredited to ISO 17021) and a legitimate one.
The fake certificate above can be identified by its lack of an accreditation logo. Only the logo of the “certification body” is shown. Legitimate certificates must have two logos: one for the CB and one for the accreditation body.
This cert mill slathers on logos, confusing things further. Checking the IAF website reveals that none of the logos actually mean anything, as none of the alleged “accreditations” are internationally recognized.
Know the auditor’s playbook
Registrars are accredited to ISO 17021. It’s a good idea to buy the standard and read up on it so you know when the CB violates the rules… which, unfortunately, will be a lot. This isn’t necessarily because the auditors are cheating, but rather that the individual auditor was never trained on this properly. In other cases, their desire to “make friends” with you (and keep your business) overrides their objectivity, and gets them into consulting, which is disallowed.
If you know ISO 17021 ahead of time, be sure to tell your selected registrar that you expect the home office and the assigned auditors to stick to those rules, and that you will send (polite) complaints when they don’t.
You can buy a copy of ISO 17021 here.
Hiring local is bad advice
Unfortunately, most companies attempt to hire “a local guy” to conduct audits, under the thinking that this saves money. It’s not always the case, since often a local auditor may be flying in from another client across the planet, and you have to pay their airfare anyway. But most of all, the focus on hiring a local auditor denies you the ability to hire the best auditor. If you get a bad auditor who routinely saddles you with bogus audit findings, it can cost you far more than the travel expenses ever would.
Understand the Pricing
The going rate for ISO 9001 audits is $1200 a day, and for AS9100 or other specialty certifications, as high as $1350. The number of audit days is generally based on your employee count, illustrated by the table at right (for ISO 9001 only — additional days are required on top of the ISO 9001 days, for standards such as AS9100 or ISO 13485.)
You will sign a 3-year contract with a registrar, but don’t panic. You can cancel at any time, and you only pay for what you used. The three-year contract is just so you have a firm end period, and a chance to reconsider your relationship with the CB at the end of that three year period.
A three year contract will consist of:
- Application fee (normally waived if you ask) – normally about $500
- OASIS fee (for AS91xx only, cannot be waived) – $500–600
- First year’s initial audit days (see table)
- Second and third years’ surveillance audit days; surveillance audits are shorter than the initial audit (see table)
- Expenses: travel, hotel, rental car, etc.
If you sign a follow-on contract after three years, you don’t start over, but instead undergo a “Recertification Audit” which is about 2/3 the number of days of your first year’s initial registration audit. This is normally true even if you switch registrars, but not if you are doing so to “get out of” any existing nonconformities with your previous one; the new guys will check, so don’t try it.
The first year will be the most expensive of the contract, because the initial audit is the longest. Using the table at right, calculate the number of days and multiply by $1300 (a good average), then factor in expenses. When you receive a quote from a registrar and you see the numbers are wildly different, you must be on guard. Occasionally a registrar may “low ball” the audit days, which is not allowed and could get both you and the registrar in hot water with the accreditation body. Or the CB may sense a “dupe” and jack up the price unrealistically.
A few caveats: the number of audit days may deviate from the table above depending on a few other factors. The following may result in fewer days required:
- If you take any clause exclusions (such as design responsibility)
- If you have a large number of people doing one task
On the other hand, these factors may result in a higher number of audit days:
- You have multiple sites, geographically spread out
- You have a complex management system, perhaps integrated with other standards
- You are in a highly regulated industry, such as medicine or food, which requires additional time to consider regulations
Check the fine print
As we said, most accredited registrars will have similar prices. This means that most auditor quotes will be similar, so you will need to check more than just the day rate, since some CBs will want to sneak a few extra dollars in through a side window.
Look for bogus “application fees” (you can usually get those waived just by asking) or per diem expenses. You should pay hotel, rental car and travel… and that’s it. If the CB is going to charge you for every trip to the minibar, find another registrar.
Consultant Recommended a Registrar? Be Careful!
Often your consultant will recommend a third party registrar. At times this can be helpful, since some consultants have a great deal of experience with the various certification bodies. But at times this could be the sign that the consultant has a secret “handshake deal” with the registrar, where they swap favorable audit results for leads. This doesn’t help anyone, and just promotes corruption in the ISO certification scheme, and must be avoided at all costs.
If your consultant is being particularly heavy-handed about recommending a single registrar (or individual auditor), take care. A good consultant may provide you some recommendations, but should offer at least three, and allow you to contact their clients to discuss the suggested registrars’ performance. A really good consultant won’t recommend any registrars at all, and will only advise you on how to ensure you have an accredited certification body.
Quid Pro Quo: Registrar Recommending Consultants?
The opposite is also true: more and more, registrars are recommending consultants. This is usually a red flag that indicates the CB has an improper relationship with some consultants, usually those that in turn bring their consulting clients to the registrar. While there’s no cash exchanging hands, there is a financial quid pro quo in effect.
For now, the Accreditation Bodies are not cracking down on this behavior, since it’s being done by some of the biggest CBs in the world. But you will want to be wary no matter what. If a registrar has a “preferred consultant” or “consulting business partner” program, you may want to tread carefully with that registrar, even if they are accredited.
The best registrars maintain a strict firewall between themselves and consultants.
The registrar is not your friend
Forget any notion that you will build a “relationship” with your CB. Their sales people will tell you this, but it’s code for, “I want a lifetime contract.” Ultimately whatever the sales person says is pointless, because the final measure of a registrar is your interaction with the assigned auditor. And their job is to assess you, not make friends. The auditors, too, may try to befriend you, but don’t let them, as it just leads to problems later. Remember you are hiring someone to assess you, which may mean giving you bad news. Approach the selection of a registrar objectively, and don’t let feel-good marketing spin knock you off of critical judgment.