As written about a lot on this site, ISO 9001 and AS9100 auditors do an awful lot of consulting during audits, even though it’s prohibited; after all, the last time an industry tolerated consultants auditing their own work, we got the Enron scandal and Sarbanes-Oxley regulations. The ISO scheme is refusing to learn this lesson, though, smug that they won’t get caught by regulators, and allowing the violations to go on in order to placate a dwindling pool of thin-skinned auditors who insist on consulting during audits to make themselves feel superior. And, as I have written, they routinely do all of this under the guise of writing “Opportunities for Improvement,” or “OFIs.”

The rules which auditors must follow are published under ISO 17021-1, which bears the unwieldy title “Conformity assessment – Requirements for bodies providing audit and certification of management systems – Part 1: Requirements.” That standard has been diluted over time, largely because the committee that writes it (ISO/CASCO) has been corrupted by former or current representatives of the various certification bodies (CBs) and accreditation bodies (ABs) that the rules are supposed to govern. Yes, the lunatics are writing the asylum’s governing procedures. One such dilution has been related to the prohibition against consulting; since nearly every CB also offers “training courses,” they ensured that language in ISO 17021-1 particularly allowed this, for example, even though it’s still a clear conflict of interest to anyone viewing from the outside.

So while ISO 17021-1 says that CBs may not engage in “giving specific advice, instructions or solutions towards the development and implementation of a management system,” the standard has also expanded its allowances for “Opportunities for Improvement.” This appears, when you read it, to be a complete contradiction, and the authors do nothing to reconcile that contradiction. If they had, they would cripple CBs’ ability to provide in-audit consulting and face a backlash, so they had to leave the water murky in order to obscure the swamp.

But there is a way to write OFIs that don’t violate the rule against specific solutions. As I explain it, it will become blindingly obvious, and simple, and yet I imagine you have never seen it done … ever. This is also because not a single “accredited” Lead Auditor class provides this information — nor do they even discuss ISO 17021-1 in any detail — so the entire auditor pool is tainted.

How To Write An OFI

The method is simple: an OFI cannot provide a solution in its text. It can’t even imply a solution. All it can do is indicate something you think could turn into a problem if left unaddressed. Obviously, if the problem already exists, then a full nonconformance must be written instead; softgrading an existing problem down to an OFI is an equally nefarious practice that must be stopped.

Instead, you must phrase the OFI as an open-ended concern without providing guidance on a fix. Here are some examples:

ISSUE: During the audit, you find a leaky roof in the building, but product quality is not at risk; you just think it could be a problem someday.

WRONG WAY TO WRITE OFI:Consider repairing roof to ensure the product is not damaged when it rains.

RIGHT WAY TO WRITE OFI:The roof was observed as leaking, which may impact on product quality.

Notice the “wrong” OFI started with an imperative verb form, making the sentence a command: the reader must “consider” doing something. In this case, the OFI provides the solution (“repair the roof“). In reality, the auditee has a range of options that may not include repairing the roof: perhaps they could move everything away from under the leaky area; perhaps they could put buckets on the floor. Telling them to fix the roof violates ISO 17021-1. And, yes… to all you current CB auditors out there, this means every time you started an OFI with the word “consider…” you violated ISO 17021-1. Sorry to tell you.

The “right” OFI simply states the problem without providing any solution whatsoever, leaving the client free to address the problem however they see fit.

Let’s do another one:

ISSUE: During the audit, you find the company has only implemented the exact documents and records required by ISO 9001, and nothing more; everything else appeared to be communicated verbally or through oral tradition; however, everyone’s answers were consistent and there wasn’t any confusion, and this apparently hasn’t led to any quality issues.

WRONG OFI:You should document the company’s methods better and rely less on verbal instructions.

RIGHT OFI:The company relies heavily on communicating its methods via verbal instructions.”

Nothing drives ISO 9001 auditors battier than a client without any procedures. The truth is that ISO 9001 has now stripped out all requirements for mandatory procedures, and an auditor cannot overrule the standard by demanding clients write procedures anyway. Some companies operate fine with verbal communication, and under the new ISO 9001 standard, that’s entirely allowed, no matter what your instincts or pre-formed opinions might tell you. So, the “wrong” OFI above once against prescribes a solution (“you should document“) to a problem that doesn’t really even exist. The “right” OFI instead just restates the concern, leaving it up to the client to either deal with it, or (more importantly) not.

Note also that making the solution optional (“you should …”) doesn’t make it less of a violation under ISO 17021-1. The standard prohibits providing specific advice or solutions; it is the specificity that is prohibited, not whether the advice is optional. All advice is prohibited, … period.

Here’s more subtle, but equally problematic, example:

ISSUE: During the audit of management review records, the Quality Manager struggled to find the records; he eventually did find them, but it took a long time and he generally seemed flustered.

WRONG OFI: “The staff struggled to find the management review records, these should be readily accessible.”

RIGHT OFI: “Management responsible for management review struggled to find the associated records.”

This one’s trickier; the “wrong” OFI doesn’t include any overt imperative verb or make any clear demand, but instead implies a solution. The ISO 9001 standard doesn’t require that records be “readily” accessible, only that they be accessible; “readily” is subjective and open to personal interpretation. By adding the qualifier “readily,” the auditor has engaged in editorializing and adding requirements that don’t literally appear in the standard. This then implies a solution: the client must make the records readily accessible. At that point, the auditor is helping to craft the management system, not audit it objectively.

The “right” OFI just states the issue and shuts up. That’s it.

The OFI Legality Checklist

There are simple ways to ensure you keep your OFIs compliant with ISO 17021-1:

  • Never use the imperative form of a verb in an OFI; never command the client to do anything; yes, telling them to “consider” something is a command, and is prohibited.
  • Never start an OFI with a verb, period.
  • Never suggest or imply any solution, no matter how much you want to.
  • Never use the word “should” in an OFI, ever. Don’t try to hide your solution by making it appear optional.
  • Only state the concern you witnessed, and even then, don’t brand it as a “problem.” It may not be.
  • Never editorialize.
  • Don’t invent requirements or quote language from the ISO 9001 standard that doesn’t actually exist.
  • Leave room for the client to ignore your OFI entirely. If you feel that strongly about it, then gather evidence, cite the violated ISO clause, and write it up as a nonconformity.

I hate to blow up your worldview, but if you are working for a third party registrar (CB), you are not tasked with improving your client’s QMS. That’s not your job, and it’s not what your home office CB is accredited to do. The CB audits for compliance, cites nonconformities, and then issues a certificate. That’s it.

For decades, the CBs have tried to distinguish their services from their competitors, even as they are all identical because they all have to comply with 17201. So they did this by inventing slick marketing language, and dropping the term “value-added” everywhere. But they are not accredited for this, and prohibited from doing anything other than performing audits and issuing nonconformities and certificates. Anyone telling you otherwise is lying.

Again, the only reason this has been tolerated is that the ABs have abdicated their responsibilities, and one day (perhaps soon) they are going to be held accountable; you don’t want your reports used in evidence in the inevitable trial the next time a bridge collapses or an airplane falls out of the sky. If you have an ego that needs to be fed by bullying clients into giving you praise for your OFIs, then find another job. If you feel empty audits because you can’t put your personal touch on your client’s management systems, find another job. If you really want to do consulting, then quit auditing and do the hard work of opening up a thriving consultancy; if you can’t, then swallow your pride and audit according to the rules.

Inappropriate OFIs are a plague on the profession and cause far more harm than auditors realize. They result in companies spending time and resources fixing problems that don’t exist, and leave clients confused when the next auditor comes in and disagrees with the OFI of the first auditor. Worse, masking consulting as OFIs results in a scenario where the auditor is auditing his own work, invalidating the trust expected of the accredited certification scheme.

The solution, as this article has shown, is simple. Simply state the issue and shut up.

Alternatively, not writing OFIs at all is entirely acceptable.


    About Christopher Paris

    Christopher Paris is the founder and VP Operations of Oxebridge. He has over 25 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.