Yes, ISO 9001 and AS9100 Are Totally About Detecting Fraud

Purely because no one else is doing it, the Oxebridge website has become the de facto outlet for news related to the scandals and product recalls involving ISO 9001 and AS9100 certified companies. This is probably killing our business — we’re likely turning more people off of such certifications than anyone else — but at least I get to sleep at night. The other consultants are OK with selling defective products, like used car salesmen pitching lemons to unsuspecting dupes. At least I’m telling you the pros and cons, allowing you to make an informed decision. When you hire Oxebridge, you know nobody is going to lie to you.

So, yes, we’re reporting on the certified companies, naming names and asking questions, when a scandal arises or deaths occur that could have been prevented. It’s uncomfortable business, but it has to be done.

For about two decades, the go-to defense argument trotted out by ISO, the certification bodies and their various apologists is that such scandals are going to happen anyway, and “ISO 9001 isn’t a guarantee of quality.” They also point to official-sounding ISO/CASCO rules which require registrars to say “the audit was just a sample,” as if that’s some sort of excuse. They also insist that “ISO audits are not meant to root out fraud.”

Of course, the actual language appearing on the certificates includes exactly none of these wimpy disclaimers, and instead boldly declares the entire company’s entire QMS was found entirely in compliance with the entirety of whatever standard they are certifying to. The words “just a sample” and “isn’t a guarantee” only appear on paperwork produced afterwards, when the shit hits the fan, as if that matters.

But is it true? Was ISO 9001 never intended to root out fraud?

No, it’s not true. In fact, BSI and the ANAB precursor company “RAB” — along with a handful of other international accreditation bodies — invented the IAF by selling the world — via the World Trade Organization (WTO) — on an argument against fraud. Back then, in the late 1980’s and early 1990’s, they warned of a world where people would “self-declare” compliance to standards, while not actually complying at all. In fact, they are still running dubious articles from that period which attempted to scare everyone along these lines. The IAF website still features an article (“Self-Certification Is Not a Real Thing“) by go-to apologist Denise Robitaille, she of ISO/TC 176, that has to be at least 15-20 years old:

Without the certification body, there’s no unbiased appraisal and no evidence that a thorough assessment has even been conducted by competent individuals. Bottom line: There is no such thing as self-certification. It’s just an attractive catchphrase with no substance.

An organization that “self-certifies” can’t begin to demonstrate … rigor in terms of training, competence, performance, or impartiality.

We’ll ignore the fact that Robitaille still allows her name to be put on an article that so clearly denies the truth: accreditation has become meaningless because the IAF, the ABs and CBs all collude to issue certs to anyone who can pay, they routinely hire idiots to work as auditors, and then won’t even pull certificates after scandals reach the mainstream press. Then they use dupes like her to carry their water, writing articles that deny reality. She, in return, gets invited to seminars and gets publishing deals in return. Sweet.

What’s actually important, though, is the argument that third-party accredited certification is intended to mean something more than self-certification. This is so because we cannot trust anyone who says they, themselves, are perfect. It has to be proven. Because these certificates are then used to award multi-million dollar contracts for parts used in airplanes, rockets, automobiles, medical implants and baby cribs, we have to verify the veracity of any certification statement. Whereas Ronald Reagan said, “trust but verify,” when it comes to building automobile airbags and airplane wings, the motto becomes, “never trust, always verify.”

Think about it: what do you call it when a company falsely claims “ISO 9001 certification” but doesn’t actually comply at all with the standard? Guess what; you call it fraud. That word is literally defined as “wrongful or criminal deception intended to result in financial or personal gain.”

So when ISO, the IAF or an auditor says “certification audits were never intended to root out fraud,” let’s be clear about what they are doing: they are lying. In fact, the entire ISO certification scheme was dreamt up overnight and then sold to the WTO and others on the argument that only accredited registrars could prevent the fraud associated with self-certification. The alternative, they argued, was an uncontrolled Wild West show where anyone claimed compliance with anything, all while selling defective products and falsifying test data.

Ironically, the argument against self-certification was made by claiming they’d prevent exactly what we’re seeing certified companies doing anyway: claiming compliance with an international standard and then falsifying inspection data and releasing defective products into the market.  Now we see companies doing it while not only having IAF-logoed certificates, but then maintaining those certificates even after the scandals are publicly exposed and reported about in the news. Shameless.

Now we’re into three decades of accredited certification, all managed by the same handful of people within the IAF and ISO, and the situation is only worsening. By refusing 30 years of data that shows the system is broken, these bad actors are ensuring that their logos get slathered on products which kill people.

I keep going back to this well, but remember the Hoerbiger/LRQA scandal. In that case, Hoerbiger Hungary was found to have submitted a criminally fraudulent counterfeit ISO 9001 certificate in order to illegally gain a bidding advantage while pursuing an oil contract with INA Oil. The photoshopped certificate had the logos of LRQA and UKAS on it, and later both parties admitted that the certificate was forged. Yet LRQA never sued Hoerbiger over the illegal use of their logo, nor reported them to law enforcement for having violated Hungarian law. LRQA, instead, issued Hoerbiger a valid ISO 9001 certificate, ignoring the entire scandal, all within 24 hours (the certificate was dated the same day as the audit.) Apparently, LRQA didn’t even issue a nonconformity against Hoerbiger for improper logo use, as required by ISO 17021. Then, when the problem was reported, everyone ignored it: LRQA, UKAS and IAF all ruled that nothing wrong had been done, and the certificate was allowed to stand. They admitted the crime — claiming Hoerbiger had committed fraud — and then rewarded them with an ISO 9001 certificate. And they’ve still got it, even after the scandal was reported; go look for yourself.

So we now operate under a scheme that was originally promised to root out fraud, and instead rewards it… literally. LRQA, UKAS and IAF have all established a precedent whereby you can use their logo to commit a crime, and if you get caught, the worst thing that will happen is they will give you a valid certificate, so long as you pay them for a few audit days.

Obviously, the world’s governments need to wake up to the fact that handing over standardization to ISO was a mistake, and then granting the IAF and the national ABs special privilege was even worse. These are corrupt organizations working to put their revenue into the pockets of their executives, and then giving nothing back to society. In fact, they are willing accomplices to one of the world’s largest commercial scams in history. Few other industries can boast that they not only invented themselves overnight, but then managed to dupe every government in the world that they provided a trusted service, while all evidence points to the exact opposite.

And does anyone think that ISO and IAF — both of which are now run by Chinese executives coming from companies involved in such scandals — will do anything about it now? Please.

What’s needed is a single government — just one — to file a complaint against ISO with the World Trade Organization. That would get the ball rolling to have an international discussion about the failures of ISO certifications and the direct risk it presents to human life. Failing that, governments must start pulling the requirements for ISO certifications from their government tenders, to starve the beast until it fixes its problems.

The solution is not to yield to fraud and begin a cycle of self-certification or buying certs over the internet from certificate mills. The scheme can be fixed, but first we may have to haul a few of those responsible to jail for committing a worldwide confidence scam.

That’s how you root out fraud!