I was recently involved in a surveillance and scope extension ISO 14001 audit at a facility that has outstanding regulatory issues. Compliants have been received from neighbours and the environmental regulatory agency is not yet satisfied that the complaints (violations) are sufficiently resolved.

When we were on site we asked the company's regulatory office how they were handling the compliants. They provided evidence that they had addressed the issues and were working with the regulatory agency towards a resolution. From the company's perspective they thought the issues were resolved - the regulatory agency does not share their opinion. Our audit concluded that the company was actively dealing with the outstanding issues and we could find no conclusive evidence that they were operating outside the terms of their approvals.

So the audit team recommended continued certification and acceptance of the scope extension. However, the certification body that retained us is reluctant to accept the findings of the audit and the scope extension, essentially because of the political ramifications of extending the certification to a part of the operation that has caused community compliants.

The only guidance I can find dealing with this type of an issue is from an ANAB advisory, as follows:

" A CB may register an organization or permit its registration to continue despite observed legal noncompliances, provided that the CB is satisfied that the EMS does address such non-compliances and when in the aggregate such non-compliances are not determined to indicate a major nonconformity."

Has anyone else ran into a similar situation? If so, any ideas on how to break the logjam? Is anyone else aware of any precidents/guidance on similar situations?

I am leaning toward recommending a special audit (a short-notice audit under ISO 17021) to gauge the company's progress on resolving the complaints (the company is currently on an annual surveillance cycle). Any other thoughts or comments?

Thanks in advance.

When we were on site we asked the company's regulatory office how they were handling the compliants. They provided evidence that they had addressed the issues and were working with the regulatory agency towards a resolution. From the company's perspective they thought the issues were resolved - the regulatory agency does not share their opinion. There's the rub! One or other is wrong. Your assessment should be looking at the evidence of compliance with regulatory compliance. If, as you say later the evidence supports the organization's claims then they have an effective management system - certification should be offered. "Working towards" is different from regulatory compliance - if they are not compliant and the agency is not happy about it then I can understand not offering certification.

Our audit concluded that the company was actively dealing with the outstanding issues and we could find no conclusive evidence that they were operating outside the terms of their approvals. Difficult to see how they are dealing with the issues if the agency is not happy. Evidence against is very different from the organization providing evidence they are compliant - which they are required to do.

So the audit team recommended continued certification and acceptance of the scope extension. However, the certification body that retained us is reluctant to accept the findings of the audit and the scope extension, essentially because of the political ramifications of extending the certification to a part of the operation that has caused community compliants. Certification bodies are political animals and it is easy to understand their reluctance to certify an "illegal" operation. They should have a justification for overturning the lead auditor's recommendation, however.

I am leaning toward recommending a special audit (a short-notice audit under ISO 17021) to gauge the company's progress on resolving the complaints (the company is currently on an annual surveillance cycle). Any other thoughts or comments? A bit of a cop out if you don't mind me saying so. :truce: My recommendation would be to go for a suspension until the overhanging compliance issues are dealt with.

I have had experience of companies who have had legal compliance issues (no further details available!). The deciding issues for my CB has always been the issues of
Effective corrective action
Effective communication with the regulator

From the sound of it these are the key issues for you .... good luck! :agree1:

I am not an auditor but a user of ISO 14k. My view is that the company is/was in serious breach of some of the fundamental requirements of the standard - irrespective of whatever mitigating actions that they might had taken subsequently.

I think a major CAR should be issued (shouldn't we also look into actions to prevent the occurrence of similar events in future) and the certificate renewal be subject to disposition of this said CAR. Convincing evidence of which should be a letter or any other communication from the authorities confirming that the outstanding issue/breach had been resolved.

My :2cents:

I'm kinda lost and a bit new at this, so could somebody please show me where in ISO 14001:2004 "compliance" and the achievement of it is an absolute?

Randy - What do you mean by 'absolute'?

What we seem to be fixed on here is an organization having a regulatory problem and trying to take the step to fix it. The problem seems to be compounded by complaints ( possibly suffering from "Chicken-Little Syndrome) and regulatory agency personnel not agreeing with the "fix".

What is not happening in this discussion so far ( as I see it anyway) is a systems way of understanding the issue and resolution of the problem. Let's just issue non-conformances, de-register, decertify and all that 1st.

There is absolutely no such thing as an absolute guarantee that total compliance (or at least the perception of compliance) can be 100% all the time, it won't happen.

ISO 14001 doesn't mandate compliance, it requires committment to compliance, taking steps to achieve compliance, evaluating compliance activities, correcting non-compliance when found or preventing potential non-compliance from happening, and keeping top management informed about all of this so that it can determine the need for change and resources to put into the compliance effort. This is all done as a continually improving process.

Nowhere in the standard does it say that compliance "must" happen, it just states in essence what I wrote above.

What I've seen in preceeding posts is compliance assessment and decisions from a compliance aspect and not from a systems approach.

I am looking at this from the angle of a waste treatment company in my country where the authorities issue you a licence to carry out your activities with a string of conditions and requirements. Meeting these requirements (or law as some like to call it) are absolute (at least on paper) whether you are ISO 14k certified or not.

These requirements will come under 'legal and other requirements'. Breaching these requirements can actually result in suspension of your license. I am also keen to know what auditors will do in such situation - where the company is technically operating illegally and having breached 'legal and other requirements'.

With regards to your lengthy write up in ISO 14k, I agree and I like it for its spirit and business friendliness.

Malaysia is no different then the US, break the law, get hammered by the law.

ISO 14001 is if you break the law, determine the cause, fix the cause so it can't happen again (at least from the original cause) and perform any necessary documentation and communication as required by both the law and the standard throughout the process. That's the real short version of course.

Thanks. At least I am on the right track.

My thought process is this:

You're auditing an organization's quality system. They're following their own system; you really have no heartache. So you give them a thumbs-up. But, they make a really poor quality product. Their sales may be even going down. Failures may be evident in the marketplace, and the organization is developing a bad reputation. Does the certification body have political savvy to pass on this organization? Would you certify them as the certification body? I'd probably pass on my example, and the one for the OP.

I would think that a primary objectives for the 14001 system would be to assure compliance with local regulatory agencies.

They may be in compliant with their own system, but it is the wrong one.

You're off base Brad. Read the stuff up above objectively.

EMS isn't about compliance it's about overall improvement and the management of it. Compliance is just part of the total process, and it goes beyond local agencies.

Looks like another pop, Randy. Perhaps you are reading too much or too little into a few lines. Please let me explain my post.

Here is the OP.
I was recently involved in a surveillance and scope extension ISO 14001 audit at a facility that has outstanding regulatory issues. Compliants have been received from neighbours and the environmental regulatory agency is not yet satisfied that the complaints (violations) are sufficiently resolved.

When we were on site we asked the company's regulatory office how they were handling the compliants. They provided evidence that they had addressed the issues and were working with the regulatory agency towards a resolution. From the company's perspective they thought the issues were resolved - the regulatory agency does not share their opinion. Our audit concluded that the company was actively dealing with the outstanding issues and we could find no conclusive evidence that they were operating outside the terms of their approvals.

So the audit team recommended continued certification and acceptance of the scope extension. However, the certification body that retained us is reluctant to accept the findings of the audit and the scope extension, essentially because of the political ramifications of extending the certification to a part of the operation that has caused community compliants.

The only guidance I can find dealing with this type of an issue is from an ANAB advisory, as follows:

" A CB may register an organization or permit its registration to continue despite observed legal noncompliances, provided that the CB is satisfied that the EMS does address such non-compliances and when in the aggregate such non-compliances are not determined to indicate a major nonconformity."

Has anyone else ran into a similar situation? If so, any ideas on how to break the logjam? Is anyone else aware of any precidents/guidance on similar situations?

I am leaning toward recommending a special audit (a short-notice audit under ISO 17021) to gauge the company's progress on resolving the complaints (the company is currently on an annual surveillance cycle). Any other thoughts or comments?

Thanks in advance.

Maybe tigerfan51 can add some detail without breaching confidentiality (or encourage the organization to post?).

The way I understand it they have had a breach of regulations, they have taken corrective action to deal with cause (immediate, root we do not know). The regulator is not satisfied. Now I can't speak for every country but that is considered to be still in breach. On that basis my earlier recommendation is for a suspension of certification until the matter can be resolved between the company and the regulator. This is not taking sides in the matter. I believe it is wrong to claim an effective EMS if the regulator is saying you are in breach.

What we seem to be fixed on here is an organization having a regulatory problem and trying to take the step to fix it. The problem seems to be compounded by complaints ( possibly suffering from "Chicken-Little Syndrome) and regulatory agency personnel not agreeing with the "fix". IMHO the complaints are a side issue. I haven't commented on them. Provided the auditor is happy the organization is dealing with them then all well and good. My recommendation was to let the organization sort it out with the regulator regardsing the breach.

What is not happening in this discussion so far ( as I see it anyway) is a systems way of understanding the issue and resolution of the problem. Let's just issue non-conformances, de-register, decertify and all that 1st. As above - the suspension option just allows a bit of breathing space. More on systems later.

There is absolutely no such thing as an absolute guarantee that total compliance (or at least the perception of compliance) can be 100% all the time, it won't happen. Agreed. My issue is that if the regulator does not agree that actions are effective then the issue is not resolved. Rather than get embroiled in the debate (and bringing the CB's reputation into question) it is better to take a step back.

ISO 14001 doesn't mandate compliance, it requires committment to compliance, taking steps to achieve compliance, evaluating compliance activities, correcting non-compliance when found or preventing potential non-compliance from happening, and keeping top management informed about all of this so that it can determine the need for change and resources to put into the compliance effort. This is all done as a continually improving process. "Taking steps to achieve compliance." :confused: If you're advocating certification based on intent that's another thread. The systems approach that you claim to understand better than others says a bit more than the above. Think of what a breach of regulations says in terms of system failure:

Policy requirement to commit to meeting legal requirements (4.2) - not met
EMS to address legal requirements (4.3.2) - not met
Objective doesn't address compliance with legal requirements (4.3.3) (or not met)
Operational control doesn't ensure legal compliance is achieved (4.4.6)
Periodic determination of legal compliance is not effective (4.5.2.1)


There may be others in terms of Monitoring and Measuring (4.5.1), Corrective Action (4.5.3) and communication (4.4.3) but the list above will do for a start.

Nowhere in the standard does it say that compliance "must" happen, it just states in essence what I wrote above. So in essence you would be happy to certify an organization that fails to address the clauses of the standard (as above)? and is polluting or creating a nuisance? I can't speak for your employer but mine would not accept that I have carried out an effective audit if I allowed that.

What I've seen in preceeding posts is compliance assessment and decisions from a compliance aspect and not from a systems approach. :mg: No comment.

Hi,

This is an interesting case - worth using as a case-study material in a course. My approach will be similar to that of Randy. In addition, I would like to bring to your consideration the following:

a) If I understand you right, you concluded, based on the evidence collected during the audit, that the organization had taken sufficient steps to handle the complaints from neighbours ("Our audit concluded that the company was actively dealing with the outstanding issues and we could find no conclusive evidence that they were operating outside the terms of their approvals"). I think that should be the basis of your recommendation.

b) Unless you have a say in the decision to be taken by the Certification Body any amount of arguments for or against de-recognition will not help; if you have a say, you should go by your audit conclusion.

c) In my more than twenty years of E,OH & S audit experience I have not come across an organization that met all the relevant legal and other requirements all the time, in all the locations without deviation.

d) I have come across many regulators whose positions on environmental issues were not scientific or technologically sound (this is not to say that all are like that). To withdraw a certification just because the regulator is not satisfied in unfair; regulators are not infallible. And in the Asia Pacific Region (where I have enough experience) the subject is new to many regulators and there is a tendency to play it safe.

e) If the organization that you had audited is a TNC, there is an additional issue if the complaints have originated from NGOs. No regulator would like to give the organization a clean chit on his own and take on the NGO ire. (please do not mistake me I do not say that NGOs are wrong always; many times they bring out fantastic findings that eluded many auditors).

f) I have not touched upon all the points that I would like to....but one thing that I can say is that you will be doing a great disservice to the organization if you de-recognize the certification even though the surveillance audit concluded that the organization had indeed addressed the regulatory issue adequately.


With best regards,

Ramakrishnan

Sorry Paul but Policy is nothing more than intent or a promise the organization makes and in order to do so initiates all of the requirements of the standard to make it happen.

1. As for the agreement of regulators, many times they cannot even agree amongst themselves, You ever dealt with the US EPA or a state environmental agency?

2. The alleged breach may be purely administrative and the resolution consist of what is called a CAO (Consent Administrative Order).

3. Objectives don't have to address legal requirments, they only need to take them under consideration.

4. Operational controls can't necessarily guarantee compliance because there is one factor that cannot be absolutely controlled - - PEOPLE. And please don't hit the competency button. No matter how competent you can always press the wrong button.

5. The line between compliance and non-compliance can be so thin you cannot even see it. Also it may be days before non-compliance is detected when talking air and water issues, and the non-compliance comes about because of self reporting to the agency. Been there, done that myself.

6. The complaints can be nothing more than some nut case Chicken-Littles running around because the sky is falling. They complain because they have nothing else to do. Been there and done that as well with people getting migraines and nausea from asbestos fumes and complaining about it to the fed's.

7. Lot's more....

This thread is pretty good and the passions are fun.

As for me, being a actual real world enviromental professional by trade and education, when I look at what organizations are doing I can make good decisions about what is or isn't important when I make my recommendations at the end of an audit, and yeah I just might make a recommendation for registration with an existing non-compliance if the system can take care of it even if the regulator may not agree with a fix (The acceptance of CA's by regulators may take years because of the courts)

Let the system work, and remember the small piece about improvement.

I'm with Randy and Dr. R. Unless you have some real serious, heavy duty proof that this company is not attempting to correct the situation, I do not see how it would be possible to pull their cert just because they had a notice of violation. There will be violations, and sometimes bureaucrats will grandstand in order to impress other bureaucrats, I could tell you some stories.

Sometimes, prior experience with "bad" companies that were not environmentally friendly can set off a huge witch hunt that harms many good solid companies that truly do commit to doing the right thing. With just the information that was provided, I really cannot see that the certification should be pulled.

I'm with Randy and Dr. R. Unless you have some real serious, heavy duty proof that this company is not attempting to correct the situation, I do not see how it would be possible to pull their cert just because they had a notice of violation. There will be violations, and sometimes bureaucrats will grandstand in order to impress other bureaucrats, I could tell you some stories.

Sometimes, prior experience with "bad" companies that were not environmentally friendly can set off a huge witch hunt that harms many good solid companies that truly do commit to doing the right thing. With just the information that was provided, I really cannot see that the certification should be pulled.

I think you are on to something here. My experience in EHS is limited, but from my 9001 experience, and from what the experts have posted here, I would like to add to this and see what others think.

An audit is a snapshot, a moment frozen in time. There will sometimes be closed eyes or funny expressions. There also may be nonconformances and brief instances of conflict with rules and regulations. While there may be a tendency to take the snapshot at "face" value, we really should dig a little deeper to see if subject has a way of addressing the blemish. If so, is that method being used properly, and, overall, have the methods in place proved to be effective over time?

As our esteemed Steel has pointed out, if this statement is correct, then it follows that as long as there is a system to address the regulatory problem, and it is being used properly, then the certificate stands. Conversely, if the approach to the problem has been to ignore or deny it, then the certification should be suspended.

As far as the politics goes (sheesh) any attempt to turn the situation into a scandal should be met with the facts. Specifically, the steps the company has taken should be revealed.

Am I on the right track?

Am I on the right track?

Only as long as I was:lmao:

thanks for the vote of confidence....I'm only a psuedo environmental engineer. Polluting my brain with environmental knowledge was not on the aspect and impact list.

You're off base Brad. Read the stuff up above objectively.EMS isn't about compliance it's about overall improvement and the management of it. Compliance is just part of the total process, and it goes beyond local agencies.

Good check. And to an extent I agree. In my world, though, EMS should be more about compliance to regulatory/community requirements. IF you are going to have an EMS, then it should be able to manage a process that satisfies the stakeholders.

This OP is written like a game. We have several players here: The customer, the regulatory agency, the auditors, the certification body, the quality system.

AUDITOR: Call it like you see it. If it is good, then say so and make that recommendation. In my opinion, the auditor is in the right, here. Make the recommendation and move on. I am asking my expert auditor friends here: Is that woefully naïve?

CERTIFICATION BODY: It is their product, to sell to whom they choose. If they have higher order power in this to override their auditors (which is not a good idea to do) then fine; go with it.

While I don't always agree or understand, many times people make decisions as they are privy to information others may not know about.

REGULATORY AGENCY- Completely, totally agree on all parts regarding the woeful inefficiencies/ subjective nature of them. Problem is: you can’t get around them. In this case: Is this the ONLY company getting their chops busted by the regulatory agency? If it’s that bad, move. Or get a lawyer.

EMS-
IMO: Their system is inadequate. It is not satisfying the community or regulatory environment.
****
The customer is the one driving this boat. They need to determine the proper course.

Please, correct my thought process if I am still out in space. It just seems to me that everyone here is in the right and done their job, except the customer and their system.

My last post on this one unless anything substantive comes up .... I can only go round the circle so many times before I get dizzy! :)

Sorry Paul but Policy is nothing more than intent or a promise the organization makes and in order to do so initiates all of the requirements of the standard to make it happen.Don't be sorry, Randy. There are a few other threads where the importance of policy is downplayed. I'm not a fan of the "gotta have it so we've got it" argument. Policy has an important part to play in any ISO assessment. To say it just sits there as an empty promise is ridiculous.

1. As for the agreement of regulators, many times they cannot even agree amongst themselves, You ever dealt with the US EPA or a state environmental agency? Second question first - No. F

irst point - tigerfan51 says the organization recognizes they are in breach - so there is no argument from them of the need for corrective action - and they think thy've taken it.

As with all these things it is for them to deal with the issue with the regulator - hence my suggestion to give them some space.

2. The alleged breach may be purely administrative and the resolution consist of what is called a CAO (Consent Administrative Order). You are right - we don't have the information and can only go by what the OP has said. It sounds to me as if it is more substantive than an admin breach.

3. Objectives don't have to address legal requirments, they only need to take them under consideration.The exact wording is "consistent with," it may be the organization can have objectives that allow for breach of regulations but it sounds like a half baked system that condones this.

4. Operational controls can't necessarily guarantee compliance because there is one factor that cannot be absolutely controlled - - PEOPLE. And please don't hit the competency button. No matter how competent you can always press the wrong button. It's great to have someone who knows exactly what I am going to post before I do! ;) You don't pick lottery numbers as well do you. I apprecite the fallibility of the human being - present company excluded! :lol:

We don't however have any details of the nature of the breach - surmising what the root cause is / was is just so much wasted time.

5. The line between compliance and non-compliance can be so thin you cannot even see it. Also it may be days before non-compliance is detected when talking air and water issues, and the non-compliance comes about because of self reporting to the agency. Been there, done that myself. Again maybe .... we don't know.

6. The complaints can be nothing more than some nut case Chicken-Littles running around because the sky is falling. They complain because they have nothing else to do. Been there and done that as well with people getting migraines and nausea from asbestos fumes and complaining about it to the fed's. As I said before I think the complaints may be a side issue .... of no bearing to the potential suspension.

7. Lot's more....

This thread is pretty good and the passions are fun.

As for me, being a actual real world enviromental professional by trade and education, when I look at what organizations are doing I can make good decisions about what is or isn't important when I make my recommendations at the end of an audit, and yeah I just might make a recommendation for registration with an existing non-compliance if the system can take care of it even if the regulator may not agree with a fix (The acceptance of CA's by regulators may take years because of the courts) Most CBs (including yours from memory) fight shy of recognizing a company system when there are "issues" due to their past activity. We look at any historical breaches very carefully - check with your assessment guys as to what they say - you may be unpleasantly surprised. :mg:

One of the reasons is that a registration for a proven polluter says something about the EMS certification scheme that they would not want said - anyone remember the "concrete life preserver" discussions?

Let the system work, and remember the small piece about improvement. I prefer to think of the slightly larger piece that says:
The organization shall ensure that these applicable legal requirements and other requirements to which the organization subscribes are taken into account in establishing, implementing and maintaining its environmental management system.

I'm with Randy and Dr. R. Unless you have some real serious, heavy duty proof that this company is not attempting to correct the situation, I do not see how it would be possible to pull their cert just because they had a notice of violation. There will be violations, and sometimes bureaucrats will grandstand in order to impress other bureaucrats, I could tell you some stories. I agree. As long as the organization is addressing the issue, they should not be deemed to be in breach of ISO 14001.
In the ISO 9001 world, we don't yank a certificate because the organization produced non-conforming products. In the E-world, we all agree that commitment to comply with regulatory requirements does not guarantee compliance. Even because regulatory compliance, as already alluded to, is somewhat subjective. Inspectors from Regulatory Agencies also bring bias, subjectivity and variation into the picture.

One thing we don't know and could be of significance here. Many times the residential neighbors are the ones who "invade" the space previously occupied by "nothing". And the complaint starts... Especially in places where urban planning is weak. So, should a company be penalized due to the fact that the authorities permitted the construction of residences too close to industrial parks? It happens all the time and everywhere. In the US alone, a huge number of small airports had to be closed due to surrounding community complaints about noise. For the most part, those airports were developed decades ago and urban sprawl allowed for the surrounding area to be developed as a residential community.

An audit is a snapshot, a moment frozen in time. There will sometimes be closed eyes or funny expressions. There also may be nonconformances and brief instances of conflict with rules and regulations. ...

Am I on the right track?An individual audit is limited in coverage. However, a certification program exists over time. That is why the CB has to assess the EMS performance and continual improvement over time. And let's not forget. 61. Outputs Matter! (http://www.anab.org/HTMLFiles/docs/HeadsUp/HU61.pdf)

Good post Sid.:agree1:

Let me echo Randy's last point. Thanks, Sidney.

Ok, please be patient with me. But this thread has been bugging me for a few days, now. Don't really care who's right or wrong; but I am concerned with understanding.

The glasses one wears always colors everything they see. I interpret that most of the posters here are full time, professional auditors. Thus, you see this from the OP perspective. The objectivity and impartiality is commendable, too. I agree with you. As long as the company is following their stated goals and objectives, they have satisfied the requirements. I also agree that the certification body should accept their auditors recommendations.

But then I put on my reality glasses, and see things how they are (no matter how ugly they may be). Maybe a Shallow Hal in reverse. I am a hands-off, laissez-faire kind of guy, and am under the impression that the regulatory agency has probably overstepped their case (as most often they do), or are internally at-odds. As Sidney stated, the organization probably was encroached.

But to the original post, the OP asked what he/she should do about this. My suggestion is that there is nothing to do. If the Certification Body does not want to certify this organization, that is their right. I'm not saying I agree, just that is their right.


The organization has some decision-making to do. Maybe it's time to talk to the local elected officials and see what's up. In the classic song: Should I stay or should I go? These same community people griping are the ones who benefit from the jobs and commerce brought by the business. Some tough decisions need to be made, by the organization and the citizens.

My ideal response and the realistic response by me, unfortunately, have to be at odds on this one.

Am I missing something, or do we fundamentally agree?

This thing has kinda gotten off center probably. I think the focus became "Oh, my goodness, they're in violation of the law, they have citizen complaints, and the regulatory agency does not agree with their corrective actions. Let's slam em and jam em and make 'em scream, those horrible violators".

Not knowing what the violation is we could be looking at something as simple as control of parking lot run off, paticulate matter exceedance from woodworking operations or peceptions of exceedance due to an odor like styrene or ammonia. I have been in this situation myself...PERSONALLY, and the regulator would not listen, and the complainers kept running in circles bemoaning their sorry fate in life! It took a couple of years before everyone was happy and you know what? Nothing actually changed other than some fine print on some paperwork.

At least until Chicken Little showed up again.

If the Certification Body does not want to certify this organization, that is their right. I'm not saying I agree, just that is their right.For the CB to deny continued certification to this organization, they have to justify it. Soundly. Otherwise, the organization could file a complaint with the Accreditation Body and even pursue a legal case against the CB. CB's can not deny certification if they can not demonstrate glaring breaches of the certified system against applicable requirements.

As always, I am sure that there is much more to this story than we will ever find out.

Sidney is correct Brad, I've just been more longwinded about it.

We have to go beyond the violation itself and look at the total system response to the problem. If every cert for evey client was jerked, regardless of who the CB is, there would be far, far fewer organizations with "wall adornment" that presently exist.

Compliance is important, but not any more important than achieving O&T's, reducing negative impact, improving positive impact, and all that other neat stuff when we talk systems. It's just one of the pieces.

Randy, Sidney... Thank you. Seeing a little more of the inside regarding the operation of the certification body helps.

So... I am to infer that certification bodies have a compelling (legal and other) interest to follow the recommendations of their auditors. Correct?

As Sidney alluded to, there is probably a lot more going on here than we might infer from the post. Given the information so far, are the actions of this certification body a common thing, or a rarity? Should the auditor(s) (OP) do anything, or should the forceful action come from the organization? What would you recommend is the organization's first step?

I am assuming that since the organization is the customer, the auditor submitted a copy of the audit report to the organization. So they know (and have documented evidence) the auditors recommended continued certification.

I said I wouldn't post further here but as the thread seems to be going into other areas ....

Randy, Sidney... Thank you. Seeing a little more of the inside regarding the operation of the certification body helps.Now BradM, just because a couple of the "big dogs" are on the thread and happen to agree on this doesn't mean you have to bow to their vast experience. :yes:

As you have seen in earlier posts there is some disagreement. :notme:

So... I am to infer that certification bodies have a compelling (legal and other) interest to follow the recommendations of their auditors. Correct? Absolutely not! Any certification body has a head office review of the report. Only when this review is carried out is the recommendation confirmed. All 3rd party auditors should state this in the closing meeting. I usually start with "I've never had a recommendation overturned yet but ...."

As Sidney alluded to, there is probably a lot more going on here than we might infer from the post. Given the information so far, are the actions of this certification body a common thing, or a rarity? Should the auditor(s) (OP) do anything, or should the forceful action come from the organization? What would you recommend is the organization's first step? Correct. This is all guesswork. My posts are based on a significant breach indicating the system is failing. I accept all of the points that regulations can be a pain in the proverbial but again, in the case of my CB, we would not offer an extension of scope if there are outstanding issues. If it is as simple as a documentary breach then we might reconsider.

I am assuming that since the organization is the customer, the auditor submitted a copy of the audit report to the organization. So they know (and have documented evidence) the auditors recommended continued certification. Typically yes - hence the importance of the auditor saying this is only a recommendation. You know it is going to create a stink if the CB overturns the recommendation but that goes with the territory!

Well thank you about the Big Dog comment Paul, I guess you meant that due to my stature and size (6ft 270lbs):lol:

Paul,

Thank you very much for your insight on this.

I do greatly appreciate when any of the posters take the time to explain their rationale.

I still hold to my belief in the rights of the Certification Body, and of the organization. However, I do like to find out all the options available. This way, I have a much richer view of things.

Sometimes things in life are not clear-cut, and fit neatly into a box. If this is a realistic scenario presented to us, it will not be fixed overnight, and I am not sure if there will be any winners.