It’s no secret that throughout the world, ISO certifications have become more famous for being handed out like candy rather than being earned only by companies who deserve them. In the past, this was mainly due to the (then rare) set of certificate mills that issued unaccredited or self-accredited ISO certificates, flouting all conflict of interest rules. Back then, you could count the number of mills on one hand; IMSM and AGS were nearly the only players in this field. We trusted the certificates of “legitimate” accredited bodies.

Back then, bodies like ANAB and JAS-ANZ fought against the mills. ANAB even went to court a few times, spending real money on their efforts. Perry Johnson was forced to split his companies in two, separating the consulting and certification wings.

Now, however, the script has entirely flipped. The mills have proliferated, due to a general malaise on the part of the IAF to get governments to take the mill threat seriously. In 2023, there are thousands of such mills across the entire world, flooding the market with an estimated half million fake certificates. In some countries, there are more unaccredited ISO certificates than accredited ones.

Without the IAF’s government connections to protect them, the accreditation bodies — including ANAB and JAS-ANZ — surrendered the game, opting to lower their standards and practices. The thinking by the ABs was that it was better to have lesser-performing CBs seek accreditation (and pay them for it) than have those CBs run out and become mill competitors (and not get paid at all.)

UKAS, meanwhile, never took the threat particularly seriously at all, because it is protected under UK law. So it wasted its role as the world’s most powerful accreditation body, and let the problems proliferate. A host of certificate mills have cropped up in the UK, and threaten UKAS’ revenue, but UKAS has so many hooks into government (and into the pockets of key MPs), it’s still not worried. It has other ways to make up for lost accreditation revenue, and it, too, has lowered its standards for applicable CBs.

This only slows the bleeding, but doesn’t stop it. As the ABs continually lower their oversight rules, this only emboldens the certificate mills further. They can argue — convincingly, too — that the “legitimate” ABs like ANAB and UKAS are not any better than they are, and then ask, “why would you hand over your money to them when you don’t have to?” If a CB has to pay $25,000 for accreditation to ANAB or UKAS, but still finds itself competing against certificate mills (and losing!), what’s the point? Why not just go out and issue mill certificates, since there is literally no downside?

The world’s auditor certification bodies learned this early on. IRCA never became accredited and is essentially one of the most powerful certificate mills in the world. RABQSA followed suit, dropping accreditation when it became Exemplar*. Exemplar, too, is just a certificate mill. Both IRCA and Exemplar “Lead Auditor” certificates are dubious at best.

Rules for Thee, Not For Me

Lowering the standards for accredited CBs means that all manner of bad behavior is tolerated now. Whereas consulting by auditors was always a tricky line that CBs struggled to navigate, now the CBs have given up entirely and openly endorse the practice. BSI sells its “Entropy” (seriously, that’s the name) software that includes actual procedures and methods for quality systems that BSI later certifies, in complete defiance of accreditation conflict of interest rules. CBs like BSI and NQA and Alcumus ISOQAR all run “preferred consultant” schemes, openly engaging in — and benefitting from — conflicts of interest. ABs now allow CBs to offer “flat rate” pricing on ISO certifications, ignoring the rules on mandatory audit duration (which affects pricing); now, a 10-day audit costs as much as a 1-day audit, because the audit reports are falsified anyway.

The accreditation rules, in ISO 17011 and ISO 17021-1, have been watered down over years of influence by BSI and other CBs, who convinced ISO/CASCO to permit consulting during auditing. Because CBs were all offering the same service (conformity assessment), they needed a way to market their services as better than the other guy. So they started claiming to offer “value-added auditing,” which was code for “consulting during the audit.” CASCO rolled over and weakened the ISO 17xxx standards to compensate.

Now, it’s actually seen as a bad thing if an auditor doesn’t claim magical powers to somehow “improve” a company after having only spent a few hours on their shop floor. Mind you, “conformity assessment” is literally what they are tasked to do, and yet that role is now demonized.

The end result is ISO 9001 and other certificates being handed out like free balloons at a circus, with everyone passing every audit, everyone reporting “zero nonconformities,” and objective, impartial auditors being forced out for not driving enough business to their CB home office.

Accredited certifications no longer have any more validity than their fake, mill counterparts. If no one ever loses a certificate, then the entire scheme has become a corrupt, pay-to-play scam.

The First Pill

There are two actions the industry must take to correct this, but both are strong medicine. Given the fact that bodies like the IAF, ANAB, UKAS and the rest are very happy with the current condition of the industry, it’s doubtful anyone will take action, but I’ll suggest them anyway.

The first pill is to ban “opportunities for improvement” (OFIs) and put back the concept of raw, pass/fail conformity assessment.

As I said, this is strong medicine.

To those auditors who are angrily shaking their heads at the suggestion, I say this: you’re the problem. ISO auditing was never intended to be a feel-good career that won you friends, or so you could make your clients happy no matter what. Conformity assessment is literally that — assessing conformity. And that means you generate a report with one of two results: pass or fail. Nothing in between. And certainly not “pass, and here are some ideas to improve so you’ll be my friend.” That’s the opposite of objective conformity assessment.

It means you have to have thick enough skin to give clients bad news and still walk away at the end of the day. If you can’t do that, then you’re in the wrong industry.

Auditors pepper their reports with praise because the industry has created a wimpy scheme that relies on “customer satisfaction surveys” after each audit. Auditors must pass those surveys or the schedulers back at the CB home office suddenly stop assigning them audits, and their billable days drop to zero. So auditors suck up to clients during audits, engage in soft-grading nonconformities, and provide all sorts of feel-good consulting in the guise of providing OFIs.

The result? Every company passes every audit, and ISO certification no longer means anything. But the auditor gets another positive survey, and he keeps his calendar full.

Oh, but if ANAB or UKAS show up for a “witness audit,” suddenly the auditors will engage in one-off, performative “hard-grading”. After the AB leaves, the auditor goes back to soft-grading and pandering like a wet kitten.

Updating ISO 17011 and ISO 17021-1 to ban OFIs entirely takes this off the table. Overnight, every auditor will be in the same boat, and those satisfaction surveys will become meaningless. Furthermore, it adds a dramatic distinction between valid, accredited audits and those of the certificate mills, who accredit their own work as a matter of practice.

Now, ISO certifications can be trusted again.

Except, there’s one more pill to swallow.

Disband the IAF

The IAF has proven not only unwilling to oversee the accreditation scheme, but complicit in the corruption and collusion that has led to its worldwide disregard.

Created initially as a post-retirement, make-work project for himself, John Owen pitched the IAF as a replacement for QSAR, the program being launched by ISO itself. ISO proposed QSAR in the 1990s to placate a jittery World Trade Organization, which was demanding to know why ISO shouldn’t be held in contempt of trade barrier regulations with its nascent ISO 9001 and ISO 14001 certification schemes. WTO argued that ISO stood to become a de facto barrier to free trade, if not an unfettered, unauthorized world regulator, and it predicted the scheme would become rife with fraud.

So ISO pitched QSAR as the solution, but then — in typical ISO fashion — slow-walked the rollout of the program.

Owen, seeing dollar signs for himself, arranged with a few ABs, including ANAB (then RAB), UKAS and others, on the idea of the IAF. Instead of having ISO oversee the scheme, the industry would police itself, through the IAF. He pitched it to ISO and the WTO, and proved they were rolling out IAF much faster than the dog-slow QSAR.

ISO gave up QSAR with relief, as it was terrified of the legal liability associated with ISO certifications. The WTO was satisfied because the IAF idea all sounded great on paper, and the WTO only works on paper.

So Owen created his home-based project, and began raking in the dough. QSAR was abandoned.

But IAF was corrupt from day one. Owen and his pals at the ABs never did serious self-policing, and initially resisted even writing governing procedures to control fraud. The IAF even fought, at first, the idea of issuing “Mandatory Documents” to impose on member ABs, because the ABs did not want the IAF telling them what to do. Eventually, the IAF relented, issuing its MD documents, but then secretly agreeing never to really enforce them. It was all for show.

Owen eventually retired, and was replaced by Elva Nilsen, who remains in that position to this day. As under Owen, the IAF is just a project to drive a $500,000 per year salary to Nilsen, who refuses to take any action to actually enforce accreditation standards. Using willing sockpuppets like Sheronda Jeffries (of the failed TL9000 scheme) and Lori Gillespie (of ANAB), Nilsen can make the IAF appear to be a legitimate world authority, while it actually does nearly nothing at all.

Then, IAF hands out a powerful “Chair” position to shady international characters like China’s Xiao Jianhua, who used the IAF to promote the Chinese Communist Party’s controversial “Belt and Road Initiative,” or Italy’s Emanuele Riva, who continues to refuse to honor EU sanctions against the Putin invasion of Ukraine.

Consider this: ANAB literally prepares the IAF’s annual tax returns, because Nilsen can’t even be bothered to do that. So one of the bodies that the IAF is supposed to be overseeing is actually running its finances. Conflict of interest much? The IAF could never eject ANAB from membership, no matter what level of fraud they might involve themselves in, because they’d have no one to do their books.

Under Nilsen, the IAF’s logo now appears on certificates issued to companies involved in human trafficking, slave labor, child labor, human rights abuses, and other crimes. Nilsen is fine with all of that, so long as her half-million-dollar paycheck clears.

The IAF cannot be trusted as the ISO scheme’s oversight. And so that second pill is a big one: the IAF must be disbanded, or (at least) made irrelevant. ISO must re-launch the QSAR program, and take back oversight of the accreditation scheme and enforcement of the ISO 17000 series of standards.

It can do this by using its trademark as the lever. Under a new QSAR 2.0 scheme, ISO can create a structure that forces companies to pay a licensing fee for using this name and logo on legitimate, accredited certificates. That fee — which would be minimal — would be paid by certified companies, but paid to the associated Accreditation Body.

Then, ISO would conduct oversight audits of each AB, according to ISO 17011, and have actual skin in the game. Combined with a reduction of on-site audits and an increase in record review requirements, and considering that QSAR revenue would mainly come from licensing fees, there would be enough to cover the costs of administering the program. Under QSAR 2.0, ISO would get nearly no revenue from the bodies it would be tasked with overseeing, getting it instead from the certified companies themselves.

Even if ISO charged a $100 licensing fee per client, that would generate over $100 million, assuming certified companies only paid once. If they had to pay that fee for each surveillance audit, the QSAR program would be awash with cash, able to fund not only the witness auditing activities, but an international database that far surpasses the current (lame) IAF CertSearch.

Under this scheme, CBs that issued certificates to companies found to be non-compliant would actually lose their accreditation, something that is nearly impossible now. ABs who failed to enforce these rules on CBs would find themselves thrown out of QSAR, left to wander the wastelands with the now-disregarded certificate mills.

And ISO’s QSAR would be financially free to do such things, since the conflicts of interest would be removed.

Medicine is for the Sick

The two pills combined — a prohibition against auditor consulting and replacing IAF with QSAR 2.0 — would improve the entire ISO certification scheme and nearly destroy the fake mill industry. But dramatic action is needed, seeing as how ISO certificates are routinely found on companies that have killed people with defective products or corrupt practices.

That has to stop.

And, let’s face it: you never heard of Elva Nilsen, so why should the safety of the entire planet be sacrificed so she can have a lovely house in the Canadian woods?

*It’s more complicated than that, but that’s the short version.

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.

