by Denise Robitaille
Every once in a while we hear of a company that claims to have a self-certification to ISO 9001—or some other management system standard. The company “certifies” that its organization conforms to the requirements of ISO 9001. It sounds pretty good until you start to ask what this self-certification actually means.
For a quality management system (QMS) to be considered certified, the certificate must be received from an independent, accredited certification body upon completion of an assessment against specific documented criteria. It’s possible to be certified by an unaccredited certification body, but these certificates are of questionable value since they don’t carry the backing of an accreditation body. (More about this later.)
For the time being, we’ll assume that certification means by an accredited certification body. Without the certification body, there’s no unbiased appraisal and no evidence that a thorough assessment has even been conducted by competent individuals. Bottom line: There is no such thing as self-certification. It’s just an attractive catchphrase with no substance.
There are also organizations that self-declare that they are ISO 9001-compliant. This phrase is at least not dishonest. In this case, the organization freely acknowledges that it has not incurred the expense of third-party certification. It has determined (through its own internal audit process—which is not certified) that it believes itself to be compliant with the requirements articulated in ISO 9001. It doesn’t purport to have a certificate. This declaration has more candor, in that it says: “We have a pretty good system. We aren’t certified. But, we believe that we comply with ISO.” Although it is a truthful statement, it still doesn’t carry much weight in the world of certification.
Why is certification so special?
What stands behind that framed certificate?
Certification audits are conducted by auditors who have had their qualifications vetted by a certification body (CB). CBs are also referred to as registrars, and the terms are used interchangeably.
Auditors are required to be trained and go through a provisional period in which their skills are witnessed by the CB or by training providers. The training providers who offer certifications such as lead assessor credentials must have their courses approved by certifying or accrediting bodies. The training that auditors undergo covers audit planning, developing checklists, time management, auditor attributes, interviewing techniques, evidence sampling, process approach, statistical methods, comprehension of requirements, writing up findings, generating audit reports, and post-audit follow-up.
Auditors must also demonstrate competence in the organization’s field or industry. An individual whose only background is in health care does not have the requisite competence to assess a chemical manufacturing facility. The CBs are required by their accrediting bodies to ensure that auditors have both the necessary auditor skills and experience in their clients’ various fields.
Having audits conducted by competent, trained auditors is important for both the CB and the client organization. The CB has the confidence that the auditor will represent it by conducting credible and reliable audits. The auditor conducts the audit, but it’s the CB that issues the certificate. It’s the registrar’s name and logo that appear on the certificate. That certificate is based on the auditor’s recommendation. If the auditor is incompetent or lacks the requisite knowledge, the integrity of the recommendation—and, therefore, the certificate—is impugned. Third-party auditors, meaning the ones doing certification audits, are required to ascribe to a code of conduct that includes objectivity, truthfulness, confidentiality, and freedom from personal interest that would bias the outcome. This is why auditors generally sign nondisclosure agreements and are upfront about the fact that they agree not to consult during the course of the audit or for a defined period afterwards.
An organization that “self-certifies” can’t begin to demonstrate this rigor in terms of training, competence, performance, or impartiality.
Well-conducted audits provide organizations with significant benefits beyond the certificate on the wall. Individuals increase their understanding of their own role in the fulfillment of organizational goals through the audit process—particularly when they are being interviewed. Well-trained auditors are able to frame questions in a manner that elicits productive and informative responses. Responding to auditors, demonstrating various activities, and providing evidence are all facets of the audit process that serve to reinforce the importance of the entire quality system. So, a good audit should be a learning experience for everybody involved.
Audits provide value. Organizations shouldn’t look upon them as painful events that are riddled with accusation and punitive consequences. Auditors produce audits reports that contain useful information about the organization. A well-balanced report should highlight positive features of the QMS; provide observations of risk, which are usually articulated as opportunities for improvement; and findings of nonconformity, which indicate something is wrong that imperils the integrity of your system and ultimately your ability to serve your customers. It’s due to this fact that ISO 9001 and similar management system standards require the inclusion of the results of audits as part of the management review process.
What else do registrars bring to the table?
Why is it important to have an accredited registrar or CB assessing your system and certifying your quality management system?
Registrars are required to play by internationally established rules that are promulgated by such organizations as CASCO, the conformity assessment committee of the International Organization for Standardization (ISO). Some of the more commonly known standards that are used are ISO 17021—“Conformity assessment—Requirements for bodies providing audit and certification of management systems” and ISO 17023—“Conformity assessment—Guidelines for determining the duration of management system certification audits.”
Since I’ve brought up CASCO, which is an ISO committee, it’s appropriate to clarify here another misconception: ISO does not issue ISO 9001 certificates. It is not a certification body. It oversees the development of thousands of standards, among which are found some of the most popular management system standards, including ISO 9001. Saying that you have an ISO certificate is perhaps a tiny unintentional misrepresentation. In actuality, organizations have certificates that indicate that they have a system that conforms to ISO 9001.
CASCO develops criteria that CBs are required to conform to. These requirements mean that they must expend time and resources to ensure the competence and impartiality of auditors. They have to establish procedures for their own organization, develop audit plans, verify the scope of clients’ QMS, review audit reports for completeness, deal with corrective actions and other assessment follow-up, and retain adequate evidence to present to their accrediting body. All of these activities are internationally agreed upon and lend credibility to the entire conformity assessment industry. It means that certifications have value that is recognized around the world. Generally, certificates issued by one CB are recognized by another due to the consistent conformance to accrediting body requirements. A self-certification has none of this foundation.
What, then, are the accrediting bodies?
Accrediting bodies (ABs) ensure that CBs conform to the rules. Just as CBs audit companies, ABs audit CBs. They conduct assessments and periodic surveillance audits that look at CBs’ records dealing with myriad issues, including auditor competence, impartiality, planning, adherence to rules concerning audit days, review of audit reports, issuance of certificates, and follow-up of audit findings. They even go out on audits to witness the CB’s auditors in the field.
It’s worth noting that CBs are required to pay fees to the ABs for these services—which is part of the cost of an organization’s certification. The CBs also pay a fee for each certificate they issue.
So, it’s cheap and easy for an organization to self-certify or self-declare because it doesn’t have to deal with any of these costs. But, it also doesn’t have any of the credentials, expertise, and objective scrutiny that make the certification process a meaningful organizational asset. As the saying goes, you get what you pay for—in this case, a worthless certificate.
Where do the accrediting bodies get their authority?
Accrediting bodies participate in the International Accreditation Forum (IAF). The IAF is made up of organizations around the globe with an interest in conformity assessment. Its focus is “…to develop a single worldwide program of conformity assessment which reduces risk for business and its customers by assuring them that accredited certificates may be relied upon. Accreditation assures users of the competence and impartiality of the body accredited.” The IAF has liaison status with CASCO and provides input into the development of its standards.
What this all boils down to is a certification to ISO 9001 or any comparable management system standard is backed by tiers of carefully monitored and verifiable processes and organizations. It means that certificates issued anywhere from Bolivia to Botswana to Belgium to Barbados to Britain carry the same level of reliability.
How does all this information flow down to the end-user?
Organizations that choose to become certified to ISO 9001 have a right to know that the registrar they have selected is accredited.
There are multiple factors to consider when selecting a registrar. Probably the single most important is to make sure that it is accredited by a recognized body. This is very important. There are still organizations that purport to provide certification but have no recognized credentials. Remember: Accreditation means that your certificate will be recognized both nationally and internationally. Other registrars and their customers will acknowledge your certificate. When selecting a registrar, ask who its accrediting body is. There are many. A few of the more common ones include ANAB (ANSI-ASQ National Accreditation Board), UKAS (United Kingdom Accreditation Service), and RvA (Raad voor Accreditatie).
If your customers require you to be certified to ISO 9001, they’re probably expecting that certificate to come from a reputable organization. As a customer, you may accept evidence of certification to ISO 9001 as the criterion for approving some of your suppliers.
Accreditors’ logos are always displayed on the certificate along with the registrars’ own logo. Absence of an accrediting body’s logo is an indication that the certificate has been issued by an organization that lacks accreditation and will probably not be recognized. That means that all the money you’ve invested in the actual assessment (on-site audit, travel expenses, etc.) has been wasted.
If you’re looking at a certificate from a potential supplier and the accreditation mark is missing, you may want to reconsider doing business with the company.
Unfortunately, there still are organizations that will sell certification services without having an accreditation to back it up. It might keep a few customers content, but the more discerning ones will recognize the bogus certificates for what they are—wallpaper.
Ironically, some auditors working for unaccredited CBs may actually conduct good audits. But their work is tarnished by the fact that they aren’t forthcoming about the limitations of their unaccredited certificates. It would be more candid to say, “I’ve conducted an audit, and based upon my expertise in this field and my skills as an auditor, I have determined that this quality management system conforms to the requirements of ISO 9001:2008. However, this statement does not constitute nor is it intended to imply certification.” I’ve seen these statements at one or two organizations in the course of my years auditing. And, I found their customers accepted the statement, despite its limitation, probably because of the honesty it reflected.
Bogus certifications and “self-certifications” devalue the work of tens of thousands or organizations that have opted to have their systems assessed and continually monitored by an impartial third party. They undermine the entire conformity assessment community.
About the author
Denise E. Robitaille is a member of the U.S. TAG to ISO/TC 176, the committee responsible for updating the ISO 9000 family of standards. She is committed to making your quality system meaningful. Through training, Robitaille helps you turn audits, corrective actions, management reviews, and processes of implementing ISO 9001 into value-added features of your company. She’s an Exemplar Global-certified lead assessor, ASQ-certified quality auditor, and ASQ Fellow. She’s the author of numerous articles and several books, including The Corrective Action Handbook and The Preventive Action Handbook, and a co-author of The Insider’s Guide to ISO 9001:2008, all published by Paton Professional.
This article appeared in Quality Digest Daily, an electronic publication from Quality Digest magazine (www.qualitydigest.com).