So you’ve selected your ISO 9001 or AS9100 certification body (CB) after doing due diligence, checking their accreditation status, reading up on them here at the Oxebridge website, and confirming they aren’t a bogus certificate mill. They’re the real deal, you think. After paying them a hefty sum, they finally schedule an audit date and assign a Lead Auditor. Everything is going well, right?

Then, the auditor sends you an email. Perhaps about the schedule, perhaps about dress code, it doesn’t matter. Just an email. And as a result, there’s probably a 50-50 chance they violated international accreditation rules governing CBs with that one action. And, naturally, no one will give a damn, and your freshly approved CB will have revealed itself to be another registrar that really doesn’t follow the rules, giving you a clear indicator that it’s all going to be downhill from here.

How, exactly? How would a simple email, regardless of the subject, be a violation of ISO 17021-1, the rules which govern CB activities?

Let’s look at those rules, and specifically ISO 17021-1 clause 5.2.9:

5.2.9 The certification body’s activities shall not be marketed or offered as linked with the activities of an organization that provides management system consultancy.

Clear enough: the CB cannot link its marketing with that of a consultant. This is intended to build a strong firewall between the consultants and the registrar, otherwise all sorts of nasty conflicts of interest emerge, such as consultants making deals with auditors to “go easy” on their clients in exchange for referrals.

Now go back and look at the signature line or email address of the auditor. There’s a strong chance either one of those — or both — include the name of the auditor’s own consulting company, and the signature line may even include a link to his consulting company’s website.

You see, in the ISO standards biz, there’s a quest by many to become consultants; consulting, however, is difficult because it takes some level of marketing savvy and is highly unpredictable. Auditing, however, provides a steady stream of work, and the auditor isn’t required to do his or her own marketing; the pay is far less, but it’s less risky. As a result, I’ve found at least half — and I’d bet more than that — of auditors simultaneously operate their own consulting firm while working as an auditor. Their consulting business rarely has work, so they think they’ve backfilled their consulting gaps with regular auditing work; in fact, all they’ve done is ensure their consulting work will never get off the ground, since they’re too busy doing the low-paying auditing to ever commit to a higher-paying consulting client. But it doesn’t matter how much or little consulting they are actually doing, it’s still a violation of ISO 17021-1.

Now, to be clear, ISO 17021-1 allows consultants to be contracted by CBs as auditors. The rules just say there must be contracts in place to ensure their work complies with the rest of ISO 17021-1. The rules also say a consultant can’t audit for a client if they provided consulting to the same client within the last two years. (That’s always been a bullshit rule, since it means a consultant can create your entire QMS and then audit it on the third year of your 3-year CB contract. It’s not an accident that the rules demand a three-year certification cycle, and only a two-year consulting firewall; it exists to put up a veneer of concern over conflicts of interest, while still allowing CBs to issue certificates to their consulting clients.)

But no matter what, the other rule in 5.2.9 still applies; the CB auditor can be a consultant, sure, but he can’t link the marketing of his consultancy with the official work being done by him for his CB.

And yet we regularly find internationally accredited CBs, including BSI, NSF-ISR, NQA, PRI and a host of others, allowing their contract CB auditors to send emails that market their consulting services. Then, they use their personal email addresses, which many times will include the name of their consulting firm (““).

As a result, whenever a CB auditor sends an email that in any way mentions his consulting firm, it literally “links” his consulting firm with the official assessment work of the CB. And that violates clause 5.2.9 of ISO 17021-1.

Right now, ANAB, UKAS and the usual IAF suspects are rolling their eyes. They think this is ludicrous. But these are the same people who also roll their eyes when an ISO 9001 certified organization floods the market with deadly products that kill consumers. They rolled their eyes at Takata, at Deepwater Horizon, at Kobe Steel, at Mutti food processing, at PIP breast implants; so their ability to eye-roll on command is legendary.

There is a simple fix: the CBs must provide every contract auditor an official, CB-hosted email, using the CB’s domain name. That ensures all communication remains in compliance with ISO 17021-1 and there is never a whiff of conflict of interest. But this would cost the CBs money, having to get their IT staff to create emails addresses and then, when the auditor quits or retires, do something with the dead addresses afterwards. CBs don’t like to spend money on anything, and to spend it on something related to reducing conflicts of interest? Never gonna happen.

The auditors hate it, too, since it would provide the CB with insight into their often troublesome emails to clients, which are a trove of various other violations. It would also require the CB auditor to use a proper email client program, rather than Hotmail (is that still a thing?) or Yahoo. Most don’t have this technical savvy.

So go back and play this fun game: see how many emails you received from your auditor that included the name or email address of their consulting company. Then, think for a minute: if my CB can’t care enough to give my auditor an official email address, what the heck are they doing when they are issuing certificates?


    About Christopher Paris

    Christopher Paris is the founder and VP Operations of Oxebridge. He has over 25 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015, which can be purchased here.