Here’s a fun game. Go check your last ISO 9001 or AS9100 audit report — heck, this game works for TS 16949, ISO 13485, ISO 14001 and nearly every other management system audit — and look over the auditor’s “opportunities for improvement” (OFIs). If each OFI starts with the word “consider,” congratulations, your CB is openly violating the accreditation rules.

It seems innocent enough, but it’s actually a nasty habit that can lead to expensive and potentially dangerous alterations to your QMS that are imposed by a complete outsider who spent all of one or two days rummaging around your shop.

Those accreditation rules are ISO 17021-1, which I implore you to buy right now, and which dictate that a CB auditor may not engage in “management system consultancy.” This is intended to ensure the CB auditor doesn’t begin to craft the QMS he or she is supposed to be auditing objectively and independently. To see what happens when auditors cross the line into consulting, you only need to look at the Enron scandal and the recent Equifax data breach.

ISO 17021-1 then provides some helpful guidance on what it means by “management system consultancy,” saying that prohibited activities include the auditor providing “specific solutions” to the client. It’s worth breaking those two words down.

“Solutions” means resolutions to audit findings; in other words, the auditor finds a problem and then tells you how to fix it. That’s prohibited, because it means the auditor will later be auditing their own work — the solution he or she gave you — if you take it. It also means that if you reject the solution, the auditor may be emotionally inclined to audit you harder, out of spite. By disallowing the practice entirely, it removes this conflict of interest.

“Specific” means the solution provides certain details on how to fix the problem. Whereas a “solution” such as “you have a problem, go fix it” would be acceptable — the auditor, in that case, hasn’t defined how to “go fix it” — providing specificity in the solution is the main trouble. It’s at that point the auditor would later be auditing his or her own work, should you accept the specific solution.

And so we come back to the word “consider.” As soon as an auditor types the word into an audit report, he or she has violated that ISO 17021-1 prohibition. Anything that will follow the word “consider” will be a specific solution, no matter what, unless the sentence is merely “consider fixing this.” Anything else is a violation, pure and simple.

Here’s a recent audit report from a CB. I won’t name the CB because I’ve been reporting on them recently and don’t want to appear to pile on, but regular readers can figure it out.

  • Consider reviewing the documents required for the job binder for consistency and records.
  • Consider reviewing the numerous final tests in the project to clarify the final signoff.
  • Consider reviewing calibration requirements for [REDACTED] manufacturing
  • Consider reviewing the flow chart in the engineering procedure to include more elements of the design plan.

Now each of these was written as an OFI not a nonconformity, and reflect either the practice of “soft-grading” — writing an NC as an OFI so as not to piss off the client and risk losing the auditing contract — or outright consulting.

Look at the first one. The auditor is providing the “specific solution” that the client should “review documents for the job binder for consistency and records.” If the auditor felt there was a problem here, he should have written an NCR citing a specific ISO 9001 clause and then explaining why in the inconsistency in records was a problem. If he didn’t have any such information, then he needed to be quiet and say nothing. ISO 9001 does require that records be “retrievable,” so it’s not like he didn’t have a clause to bite on if he felt that strongly about it.

The second one is particularly nefarious. “Consider reviewing the numerous final tests in the project to clarify the final signoff.”  The auditor here seems irked that the client has too many final test (“numerous”) and can’t figure out which one counts as the final pass/fail point. n this case, the client actually performs testing of product, and conducts many tests, all of which are equally important. To abide by this advice, the client would have to fundamentally alter its scope of services to comply. Worse, the client was left with the impression that if they didn’t act on the OFIs, they’d be “escalated to nonconformities” in the next audit. I informed them that can’t happen (or if it does, they can file a complaint) so not to worry.

But auditors love that trick: provide consulting advice masked as “improvement opportunities” and then threaten you with a future nonconformity if you don’t take that advice. The number of ISO 17021-1 violations just went up.

Exemplar and IRCA “Lead Auditor” courses teach this is acceptable because they — along with accreditation bodies like ANAB and UKAS — confuse the provision of optional advice (“consider”) with specific advice. But these are two entirely different concepts, and ISO 17021-1 overtly and clearly prohibits specificity; it doesn’t care whether the advice is optional or not. When you think about it, all audit findings are optional, including nonconformities, since the client can tell the CB to go pound sand with their entire audit report and dump their ISO certification whenever they want. Remember, these are “voluntary standards.” So whether or not the advice is optional is moot; it’s the specificity that matters.

Any time an auditor launches an OFI with the word “consider,” whatever follows will be a specific solution. The fact that it’s optional is irrelevant, he or she has still overtly violated ISO 17021-1.

ANAB and UKAS overlook this, and do so intentionally, violating their own accreditation rules (ISO 17011). This is because the CBs provide identical services — the provision of certifications after an audit — and had to resort to promising to “add value” in order to differentiate themselves from their competitors. (Hilariously, TUV SUD — which is now at the heart of the audits related to the deadly dam burst in Brazil which killed over 180 people — puts the phrase “add value, inspiring trust” as their main tagline.) Accreditation bodies like ANAB are not about to incur the wrath of their CBs, who pay them, so they have allowed the unfettered expansion of “opportunities for improvement” despite nearly every single one that was ever written overtly violating the accreditation rules ANAB is tasked with enforcing.

To see how to properly write an OFI, read this article. It can be done, but the results would look radically different than what appears now on your audit report.

In the meantime, if your auditor writes a bunch of nonsensical consulting advice disguised as “OFIs,” you can now confidently push back and reject the advice. When they balk, remind them that providing “specific solutions” is prohibited by ISO 17021-1.

That should be fun.



About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.