In Part 1 we examined an unaccredited registrar operating as a sole proprietorship. But that’s not representative of the full range of certificate mill companies. There are also auditing firms that offer a more formal looking conformity assessment service, but which just happen to not be accredited. In a way, they are more nefarious because of their appearance of legitimacy.

Exhibit B: QualityMasters is an unaccredited registrar operating out of The Netherlands. Their website reveals precious little, other than an ironic tagline plastered over their logo: “ISO Certification – Only This Time, No Nonsense.”

Naturally, there’s some nonsense.

First, the email link to their sales department bounces any message sent through it by their spam software. (More on that later.) Their fax number also fails (at least as of press time, when dialing internationally), and the site presents no names of any representatives, sales or otherwise, with whom to contact. Reaching out to their webmaster, I was able to discover the company is run by one “D. A. Roeland,” but Mr. Roeland did not respond to my questions.

Of course, there is no information on the site regarding formal accreditation of their services.The web page does include a graphic link to ISORegister.nl, a Dutch site which provides a list of registrars, mixing both accredited and unaccredited ones, further blurring the lines.

Questions Are a Burden to Others

But it’s not all radio silence with QualityMasters. A Lead Auditor working for the firm, Mike Kuklewski, was an active participate on LinkedIn. For the longest time, Mr. Kuklewski did not reveal that he worked for a certificate mill, leaving that detail only to those that clicked his contact information, and then subsequently researched his employer’s status. When the issue was mentioned, Mike would appeal to the moderators to have the posts removed (usually successfully) citing defamation. Apparently, admitting the truth about QualityMasters is libelous. Who knew?

Not only that, according to Mr. Kuklewski, questions about QualityMasters’ accreditation status are full-on religious persecution.

After multiple attempts to get him to explain the accreditation status of QualityMasters, Mr. Kuklewski gave a cryptic half-answer, saying the company was “in the process” of getting accredited:

[Like] kids and drivers licences, unaccredited CB’s have a right to make the miles before they become accredited. Their status does not make them bad. After all,before you BECOME accredited, you are UNaccredited.

There are more than a few problems with this statement.

First, QualityMasters has been issuing unaccredited certificates from at least 2005, when it issued a certificate to DAP Technology. Another certificate for Sophia Engineering included a statement that the company had been “certified with QualityMasters since 2007.” An online resume for Ron Sprokholt indicates he had worked with QualityMasters as far back as 2004.

All of this means that QualityMasters has been driving “unlicensed” (to borrow Mr. Kuklewski’s metaphor) for almost a decade.

The DAP Technology certificate is interesting for another reason. On it, QualityMasters uses the logo of Dutch accreditation body SRTCI. Official IAF records reveal that SRTCI was disbanded in 2008, as Dutch officials felt the Netherlands could not support two competing AB’s:

At the end of September [2008] the SRTCI had forwarded a letter to IAF formally withdrawing their application for membership. They had met with representatives of the Ministry concerning the recently published EU Accreditation Regulations and had agreed that SRTCI would be dissolved and the accreditation of its CBs transferred to RvA.

However, QualityMasters was never transferred. According to RvA Account Manager Maureen van den Wijngaart:

QualityMasters is not accredited by the RvA. There also is no current application for accreditation by QualityMasters known within the RvA.

This can only mean a few things: QualityMasters lost its SRTCI accreditation prior to the collapse, or QualityMasters never had the SRTCI accreditation to begin with, and there was nothing to transfer to RvA, and so they were using the logo illegally. We may never know, but since SRTCI was never recognized by the IAF, it was a pointless accreditation to claim anyway.

So, contrary to Mr. Kuklewski’s comments, QualityMasters has been operating for almost a decade, and does not appear to pursuing any accreditation at all. Per RvA, QualityMasters has not applied for accreditation in the only AB operating in their home country, and their website has no news at all on attempts to pursue accreditation.  Multiple requests for clarification on the issue from Mr. Kuklewski have gone unanswered, even though he responded to other questions or posts on LinkedIn. And, as I noted, all attempts to contact QualityMasters directly have failed.

And Answers a Prison to One’s Self

As if playing out some predestined script, no interaction with an unaccredited CB ever plays out without some degree of wackiness.

After launching a campaign on LinkedIn to have consultants held to third party certification (and having any posts calling out the irony of his position removed as “defamation”), Mr. Kuklewski suddenly announced that he was — like Del Straight before him — closing his account and moving on. But he wasn’t going out without throwing one last bomb. In an email to the board moderator, he accused Oxebridge of hacking the QualityMasters website, resulting in a Denial of Service (DoS) attack.

I shall be advising [Chris Paris] and the group about a Denial of Service prob we encountered yesterday after opening unsollicited mail from Oxbridge, CP’s company. Might cause a flap, but I feel morally obligated. I post tmw. Just so u r advised, as moderator.

This remarkable claim came after I attempted to contact QualityMasters for comment on this very article, and to answer questions related to their accreditation. As I mentioned earlier, emailing “info@qualitymasters.com” resulted in the message being bounced by a Dutch “SpamWall” server, so the message was never delivered. This was tested from three different accounts, to see if this was due to QualityMasters blocking international traffic (some sites do this to prevent spam.) In all cases, even using a generic Gmail account, the emails received the following notice:

It’s not uncommon for companies to have overstrict anti-spam measures which accidentally block legitimate traffic, but where it gets strange is that a follow-up FAX to the number on the site also produced a “could not deliver” message. 

Now I began to wonder if QualityMasters physically existed anymore. A Google search showed their address as a business location, but when viewed with StreetView, there was no obvious sign for QualityMasters. Could it be that QualityMasters was no longer even operating, despite Mr. Kuklewski claiming to work there?

Contacting QualityMasters’ webmaster, Martijn van der Laak of Joseph Design, was the last possible chance to get a message through. (Joseph Design is listed as the webmaster in the DNS records for the QualityMasters domain name.) I sent Mr. van der Laak an email, explaining how I could not get either the email nor the fax to work. I included the questions I intended for QualityMasters, and Mr. van der Laak forwarded them — through his own email account — to QualityMasters.

Which means that the only email that QualityMasters ever received was actually from their own webmaster from the josephdesign.nl domain, and which merely included my questions in the text of his email. No email from Oxebridge was ever delivered, and had it been, there were no attachments included. Denial of Service attacks are rarely attempted by way of email, but it’s feasible if the email were to contain a malware attachment. Since the email to QualityMasters included only text, a DoS is therefore impossible.

Of course there’s the more obvious question: why would I want to shut down a website of a company right before I publish an article about them, when I need their site to be available as evidence?

Is it possible that Mr. Kuklewski’s employer finally saw his posts on LinkedIn, including the “crusade” one, and simply demanded that Mr. Kuklewski stop posting? After all, he did publicly commit QualityMasters to achieving international accreditation in the near future. We may never know.

It seems the clients of QualityMasters, when finding out their registrar is unaccredited and their certificate internationally unrecognized, may have far more motive to shut down the company than Oxebridge.

Perhaps realizing that making a false public accusation of hacking was not in the best interests of QualityMasters, Mr. Kuklewski soon recanted. In a follow up email to the LinkedIn moderator, he backpedaled:

Now our ICT is up and running again, we have taken time to deliberate. We cannot prove direct connection to CP’s mail and the DOS. On the backup *before* his mail, all is working optimally. I shall not post anything anymore.

Quoth the Raven

Doing business with an unaccredited registrar has its obvious risks — lack of international oversight, and their freedom to engage in conflicts of interest — but then there’s the less obvious risks. As soon as one interacts with the people behind them, it’s like a sudden detour into skulduggery.  Perhaps because accreditation is not only time consuming, but also expensive, it rules out those who want to do things on the cheap. And nothing is cheaper than buying a printer and selling certificates.

And so between Del Straight of QSRD and Mike Kuklewski of QualityMasters, we see a consistent theme: the unaccredited certificate mills operate in the shadows, their websites making boastful claims but providing no verifiable details, many of which actually sit in contradiction to facts obtained by others. When questioned about accreditation, their representatives obfuscate, dodge, insult, mislead, and shut down any way of confirming their claims. Then, with all other options exhausted, they flee the room entirely.

None of this is in keeping with ISO 17021 accreditation rules to ensure transparency, objectivity and freedom from conflicts of interest.

Despite much bluster by ISO and registrars that ISO 9001 is “not a product certification,” it nevertheless sends a signal that a company’s product is likely to be better than one produced by a non-ISO 9001 company. When unaccredited certificate mills flood the market with worthless, conflict-laden fake certs, this can lead to a gross misunderstanding of a company. Such a company could be producing toxic, dangerous and deadly products, but buyers would be given the impression that everything had been vetted and assessed by an objective third party. A direct risk to public safety, not to mention confidence in ISO 9001, results.

This is why their actions are indefensible, and even they know it.

(If QualityMasters provides a response to the questions sent to them, this article will be updated accordingly.

If you know of an unaccredited ISO 9001 registrar operating in the wild, and would like them to be featured in a future installment of The Indefensibles, contact Oxebridge.)

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.

Advertisements

ISO 45001 Implementation