Despite only being accredited for “conformity assessments,” Conformity Assessment Bodies (see? it’s in their name) nevertheless market their services as “value added auditing” in order to distinguish themselves from competitors. Of course nowadays nearly every registrar uses the phrase, so they aren’t differentiating from anything, but the term has stuck.
The shift away from raw conformity assessment is defended by registrars who claim ISO 9001 now requires “continual improvement” and value added auditing not only assesses conformity, but can help the client meet the requirement for improvement. They ignore the fact that registrars should not have a role in crafting or influencing the quality system they audit, as that is a clear-cut violation of accreditation rules such as ISO 17021. The accreditation bodies, such as ANAB, look the other way, buying into the notion that registrars can magically improve a company by walking a complete stranger through a client’s plant for a week.
But as annoying as it is to take advice from an unqualified, self-appointed expert with only 36 hours of auditor training, it may also be illegal.
We Don’t Need No Stinkin’ Badges
I recently underwent an audit where the auditor – a former employee of Raytheon – spent weeks making suggestions to my client on how to adopt various Raytheon methods. Naturally, the auditor defended such consulting suggestions as being “just passing on best practices I’ve seen at other companies.” The client was irked for two reasons: first, the auditor’s experience was from nearly 30 years prior, and no longer at all useful in a contemporary setting. Second, the client company was specifically built around a corporate culture that rejected the practices of “old guard” companies, and instead wanted to build a modern, from-the-ground-up QMS that was totally its own.
What was the most troubling, however, is that it quickly became apparent that this auditor would then do the opposite: go to other clients and tell them about the “best practices” of my client.
This is where the legal question comes into play. My client has technology that it guards fiercely, with ITAR regulation in place, a horde of security guards roaming the grounds, doors with electronic locks that can only be opened by individuals with proper clearance, and IT restrictions on what data can be seen by each employee. Competitors have appealed to the U.S. Congress (unsuccessfully) to obtain information on my client’s methods.
Wink-Wink, Say No More
Nevertheless, with permission of ANAB, a registrar auditor is free to spread verbal explanations of such process information to his other clients, including the same competitors who were defeated by Congress, provided he merely not mention my client by name. Such “anonymizing” of the “best practices” is perfectly acceptable under the current ANAB interpretation of the rules. But because my client is developing entirely new technologies, they are hardly concerned if the information is passed on under their name or not… they don’t want it passed at all. But there isn’t a thing they can do to stop the auditor from blabbing to anyone he comes in contact with.
If this sounds far-fetched, it’s not. In fact, it’s already happened.
Hackers Get Arrested; Auditors Get Promoted
About two years ago an auditor with NSF-ISR conducted a Stage 1 certification audit of a company that later became a client of mine. He began providing consulting advice, under the usual guise of “value added auditing.” But he went further than normal, providing the client with “sample Quality Manuals.” The manuals came from two of his other clients: Star Aviation (Mobile AL) and Lifesaving Systems Corp. (Apollo Beach FL). He also provided a sample Customer Survey Form from JC Machine Corporation.
I called the three companies; only two replied (Star and Lifesaving) and they both were unaware that their Quality Manuals had been distributed publicly; they were, to put it mildly, furious. This was a clear breach of nondisclosure agreements in place, as well as copyright and trademark infringement.
(I notified NSF-ISR, but declined to provide them the name of the auditor, on the request of my client. I instead asked that NSF-ISR merely notify their entire auditor pool not to share client information. They declined to take action since I would not name the individual auditor.)
In another infamous case, an auditor with SGS gave a 90-minute training presentation during an audit (a violation in itself) using a presentation stolen from a competing registrar, BVQi, going so far as to falsely add his name as the author. When alerted, BVQi was livid.
Adding Value… to Your Competitors
Accreditation Bodies could crack down on “value added auditing” by merely enforcing existing rules against registrars providing consulting services. It requires a strict reading of the requirement, rather than the lax interpretation under which they currently operate; but it’s feasible, and would help stop the flood of bad advice perpetrated by auditors, enabling them to focus on conformity assessment. In addition, it would stop exposing registrars to potential lawsuits, and help maintain the secrecy of ISO 9001 client organizations’ intellectual property.
Will they? It’s unlikely. ANAB is paid by the certification bodies, and they are terrified of cutting off their primary source of revenue by applying too much pressure. But one wonders what any of these CBs or ABs would do if someone started leaking their intellectual property. (Don’t tempt me.)
So the next time your ISO 9001 auditor starts to say, “here’s what I’ve seen in other companies,” you may want to stop him, knowing that in the next few days it’s likely that he will be revealing all your secrets to your competitors.
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 35 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world