You may recall that we had filed formal complaints against the certification body URS for continuing to issue certificates in Russia despite an IAF mandate not to, and despite those pesky EU and UK sanctions. URS went so far as to certify Gazprom, one of the most notorious state-run Russian companies which is under specific sanctions.
URS ignored the complaint when it was sent over a year ago, so we escalated it to URS’s accreditation body, UKAS. That escalation complaint demanded that UKAS investigate URS’ obviously broken complaints handling system to see how a significant issue like this could have been ignored for a year. UKAS didn’t do that and instead just re-contacted URS and gave them another turn at bat, one year later.
UKAS ignored the demand to probe URS’ complaints processing entirely. This is actually the routine response taken by bodies like UKAS, ANAB, IAS, DAkkS, RvA and other IAF member accreditation bodies: they always ignore how their CB clients blow off complaints, and simply help them paper over the problem when they get caught.
A whistleblower has since found three more examples of URS certificates being issued in Russia: here, here, and here. Meanwhile, URS’ David Riggs took up the matter, saying that the former URS rep had since left. He tried to feign an earnest response and do some due diligence on the original complaint, but remember: the issue now no longer about URS operating in Russia in violation of sanctions, but instead how the hell did they drop a complaint for an entire year? Riggs didn’t dig into that at all, likely knowing that UKAS didn’t care about it.
In a shockingly honest response, however — and we need to give Riggs credit for that — he admitted that the UK office of URS had no actual control over its Russian operations. This surprises no one, but at least Riggs was forthcoming about it, even if his prose isn’t the best:
You may be aware that we have tried to support our Russian office in the past as we are NOT a political organization and the initial advice given in relation to Sanctions was not as clear as it might have been from certain bodies.
We produced protocols and put these in place to ensure that such clients above should NOT be certified given their wider business scope. A clear breach of the stated protocols occurred and after a full review as to why and understanding for all, it was decided that we do not have sufficient control, or legal expertise and thus, we decided we had no choice but to suspend the URS Russian office and all clients at this time.
I included the first paragraph only because it’s a bit of bizarre logic to suggest that URS doesn’t need to obey laws because it’s “NOT a political organization.” By that measure, I guess I can commit genocide because Oxebridge isn’t political? Laws apply no matter what.
But Riggs does admit that URS did “not have sufficient control or legal expertise” over its Russia office. Again, points for honesty. The problem is this: ISO 17021-1, which URS is accredited to by UKAS, requires those controls as a part of accreditation:
5.1.2 Where there are multiple offices of a certification body or multiple sites of a client, the certification body shall ensure there is a legally enforceable agreement between the certification body granting certification and the client that covers all the sites within the scope of the certification.
And:
7.5.1 The certification body shall have a process in which it describes the conditions under which outsourcing (which is subcontracting to another organization to provide part of the certification activities on behalf of the certification body) may take place. The certification body shall have a legally enforceable agreement covering the arrangements, including confidentiality and conflicts of interests, with each body that provides outsourced services.
And:
8.4.1 The certification body shall be responsible, through legally enforceable agreements, for the management of all information obtained or created during the performance of certification activities at all levels of its structure, including committees and external bodies or individuals acting on its behalf.
And:
9.5.1.2 The person(s) [excluding members of committees (see 6.1.4)] assigned by the certification body to make a certification decision shall be employed by, or shall be under legally enforceable arrangement with either the certification body or an entity under the organizational control of the certification body.
Let’s step back for a minute. If ISO 17021-1 requires multiple “legally enforceable agreements” between the CB and its remote offices, subcontractors and others that work for it, but contracts handed out in Russia are not enforceable in the UK because Russia doesn’t honor UK laws… then how does any CB operating in Russia meet ISO 17021?
Answer: they don’t and never have. The IAF bodies, including UKAS, have been ignoring these four entire clauses ever since CBs began operating in Russia decades ago. And it’s not limited to Russia. UK contracts are not “enforceable” in countries like China, Qatar, United Arab Emirates, Saudi Arabia, Thailand, or Malaysia… to name a few.
What should have been happening is that during annual ISO 17021-1 accreditation assessments, UKAS was verifying that CBs like URS not only have the means to enforce their contracts but that they have the legal expertise to do so. In the case of URS, they just admitted they never had either of these things. Ever. So they have been in violation of ISO 17021-1 for a decade or more.
But, again, it’s not just URS. Other CBs and ABs operate in countries like Russia and are happy to take money from those countries. UKAS has a huge presence in China, and there is no way a Chinese court will uphold a UK contract. If UKAS ever gives China any problems, China’s state-run accreditation body, CNAS, will just step in and take over their market with full government support. So, the thousands of UKAS-accredited certificates in China are meaningless.
The debacle shows just how corrupt and fraudulent the IAF’s pyramid scheme is. Clients pay for audits by a CB, which include fees to be paid to the CB’s accreditation bodies. Eventually, some of that money reaches Victor Gandy at the IAF, who does nothing to earn it. The IAF has a legal obligation, under the laws of the United States, to actually perform the thing they say they do (accreditation) since the US grants them tax-free status in exchange for doing that thing. However, the IAF does not do that thing, and merely acts as a protection racket to help companies violate laws while giving them sober-looking certificates referencing unenforced standards. The IRS should be all over the IAF for decades of tax fraud, but they can’t really be bothered; the IAF isn’t making that much money, even if they are enabling global fraud and the release of deadly products across the world.
To be clear: no one is overseenig anything. We are all paying for fake accreditation and oversight.
The United States needs to step up and investigate the IAF. The world’s governments need to abandon the IAF and take over the control of their individual nations’ accreditation bodies. ISO 17011 audits of ABs can be done by government agencies with the power to disband an AB if it fails to comply. This is the only solution.
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world
