Consultants who Audit on behalf of CB's - An ISO 17021:2011 violation?

Wes Bucey

Quite Involved in Discussions
#1
ISO 17021:2011, paragraph 5.2.8 states

In my opinion, most CB's operating in the USA have subcontracted auditors who also perform consulting services. When I read the above paragraph of 17021, I have an impression that this requirement is not scrutinized during AB audits.

The bit about the requirement not applying to individuals contracted as auditors is deceiving, because there are hundreds of independent auditors who consult who are a one man company.

Just another requirement of 17021 that takes a pass from AB auditors....
Not necessarily deceiving. The point is "an individual practitioner can avoid auditing companies he/she has consulted, but an organization with multiple consultants also has multiple clients and the "Chinese Wall" theory has proven itself to be often breached, notoriously with Wall Street investment banks in the last few years and with accounting firms which advocate for clients rather than deliver "independent" opinions."

It appears the paragraph you cite merely recognizes the difficulty in maintaining independence when ANY part of an organization has an advocate relationship with the organization to be audited.
 
Elsmar Forum Sponsor
B

Boingo-boingo

#2
What happened to my post??:mg:

Once again, the requirement reads: "The certification body shall not outsource audits to a management system consultancy organization as this poses an unacceptable threat to the impartiality of the certification body (see 7.5). This does not apply to individuals contracted as auditors covered in 7.3."

The way I read this it is ok for a CB to outsource audits to an individual, but IF that individual is ALSO a consultant, then the CB would be violating the requirement above.

Other opinions?
 
P

pldey42

#4
What happened to my post??:mg:

Once again, the requirement reads: "The certification body shall not outsource audits to a management system consultancy organization as this poses an unacceptable threat to the impartiality of the certification body (see 7.5). This does not apply to individuals contracted as auditors covered in 7.3."

The way I read this it is ok for a CB to outsource audits to an individual, but IF that individual is ALSO a consultant, then the CB would be violating the requirement above.

Other opinions?
For me it means that the CB can't outsource audits to a management system consultancy organization (a company comprising many consultants) but it can outsource to individuals - who might be consultants - contracted as auditors provided that, under 7.3, they have signed a statement to the effect that there is no conflict of interest.

There's no blanket ban on using consultants as auditors (in an ideal world there might be, but it would be impractical not least because there's not much money in auditing). The auditor simply must not be consulting to the organization being audited, not now, not in the recent past, and not in the near future.

The intent as I understand it is to avoid auditors writing nonconformities in order to get consulting business and to assure an audit of independent mind. Not perfect, there are still ways round, but maybe as good as it gets.

In some ways it's not a bad idea. Auditors who only audit can gradually lose touch with the realities of implementation and write NCs that are theoretically correct but unhelpful in the real world. An individual who consults for some organizations and audits for others can be valuable in that they are up to date with latest practices on the ground provided that conflict of interest is properly and ethically managed.

Arguably, lack of implementation experience in CBs is a disservice to clients. For example, CBs will sometimes try to schedule the initial certification audit about six months after the gap analysis (because they want to book the business), when real implementation experience (which they lack) shows that it is more likely to take from 9 to 18 months to implement a management system, sometimes longer.

Just my 2c,
Pat
 
P

pldey42

#5
Boingo-boingo also said, "The bit about the requirement not applying to individuals contracted as auditors is deceiving, because there are hundreds of independent auditors who consult who are a one man company. "

Yes, this is the loop-hole, and probably a drafting error in ISO 17021. Is a one-man company an "organization"? Legally, I suspect that it is.

It's true that most independents operate through their own one-man companies. I think that these are not the target of 5.2.8.

I think that ISO 17021 recognizes the business realities of CBs, which feel obliged to use external resources to cover the peaks in demand: if they did not, it would be harder for them to make money. Equally, it would be hard for the external resources to make money if they only audited - and if they did only audit, they'd be more inclined to work for several competing audit companies, and they'd often take clients from one to another.

There's nothing to stop an auditor (whether external resource or full time CB employee) from quietly referring potential consultancy business to another friendly party in exchange for some kind of reward -- nothing but the contract and penalties for being found out, the auditor's personal integrity and the integrity of the client. Mileage varies, no doubt.

One root of the problem is that customers want certifications, yet do not want to pay directly for them. So they get suppliers to pay to be audited by CBs. Suppliers do not want to pay more than they absolutely must in order to get the certificate, and often do not care about the quality and integrity of the audit: as long as they get the certificate, they're happy. Same with ABs, who are paid by CBs, who want minimal AB audit costs, and maximum freedom to make money through audits. Weak governance is built into the entire system because nobody wants to pay what it really costs. The experience of an audit client relies more upon the integrity of the individuals involved, at the CB and the client, than upon the system itself, IMHO.

Just my 2c,
Pat
 

kalehner

Involved - Posts
Advertiser
#6
It's interesting to see how the accounting profession addresses this issue. It is a much more considered approach than the CASCO version of ISO 17021(5.2.5). I believe that unless CASCO revises 17021 to eliminate the prohibition on consultancies performing audits, the bean counters will take over the non-financial assurance profession. The bean counters have much more liberal requirements on the same organizations performing consulting services and auditing services. CASCO needs to face up to the fact that consultants make better auditors and auditors make better consultants as long as the threats to impartiality are controlled. Placing an absolute ban on consultancies performing audits will ultimately lead to the demise of CASCO and ISO as we know it and it's not going to take very long.
 

Attachments

Wes Bucey

Quite Involved in Discussions
#7
It's interesting to see how the accounting profession addresses this issue. It is a much more considered approach than the CASCO version of ISO 17021(5.2.5). I believe that unless CASCO revises 17021 to eliminate the prohibition on consultancies performing audits, the bean counters will take over the non-financial assurance profession. The bean counters have much more liberal requirements on the same organizations performing consulting services and auditing services. CASCO needs to face up to the fact that consultants make better auditors and auditors make better consultants as long as the threats to impartiality are controlled. Placing an absolute ban on consultancies performing audits will ultimately lead to the demise of CASCO and ISO as we know it and it's not going to take very long.
Those "liberal" policies and rules allowed many abuses, not necessarily by the auditing organization, but by the individuals within the organization BECAUSE the controls were lax. Fact is, there is a LOT of pressure for organizations to keep an ISO or AS certificate and desperate people (either auditor or auditee) bow to such pressure. That's really the problem - individuals who will exploit any chinks in the controls set up to prevent abuses. The fewer controls, the more chinks in the armor.
 
Thread starter Similar threads Forum Replies Date
R ISO 9001 Internal Quality Audit by Consultants (External agency) Internal Auditing 5
S MDR consultants - in search of recommendations for a consultant for MDR transition. Paid Consulting, Training and Services 7
B Available Calibration Consultants Paid Consulting, Training and Services 1
Q Did you use consultants for UDI? Other US Medical Device Regulations 4
S How to evaluate "competency" of consultants ? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 8
H Any ISO 9001 consultants/auditors in Oahu, Hawaii ? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
M Suitable form or questionnaire for approving consultants Document Control Systems, Procedures, Forms and Templates 9
L Do HR consultants need to be on Approved Supplier List? Supplier Quality Assurance and other Supplier Issues 5
D Using consultants for Internal Audits Internal Auditing 24
bobdoering Available SPC and Metrology Consultants Paid Consulting, Training and Services 0
Marc Available ISO 13485 Consultants Paid Consulting, Training and Services 14
V Looking for Russian Regulatory Affairs Consultants Other Medical Device Regulations World-Wide 2
J0anne US Working Permit Requirements for European Consultants Career and Occupation Discussions 2
T The Consultants Guide to Successfully Implementing 5S review Book, Video, Blog and Web Site Reviews and Recommendations 1
A Evaluation of Service Providers such as Consultants and Calibration Companies 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 4
T Consultants' and Contractors' Heaven Consultants and Consulting 15
S Industry Best Practices for managing outside Engineering Consultants Design and Development of Products and Processes 3
T Why Are Consultants' Fees so High? Consultants and Consulting 13
T Registrar Question/Audits/Consultants/Clause numbers/minors and majors Registrars and Notified Bodies 25
O US FDA Consultants in Mumbai - Orthopaedic Devices 510K Submission help US Food and Drug Administration (FDA) 9
R Control of Documents - Drawing (soft copy) for further work by other Consultants Document Control Systems, Procedures, Forms and Templates 1
K Consultants and Certification Organizations are Working Together Consultants and Consulting 11
J Use of Consultants - Design Output Approval 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 4
K PRI approved Sources & Consultants in Canada AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 16
B References for GMP Consultants in Illinois (trade/commercial printer/packaging) Quality Manager and Management Related Issues 3
C Selecting Consultants for getting drug approval in USFDA Pharmaceuticals (21 CFR Part 210, 21 CFR Part 211 and related Regulations) 1
B Design & Development of Professional Services - Consultants to manufacturing industry ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 12
Stijloor UN Certification Consultants - Would like to hear from those in the NC-SC-VA area Other ISO and International Standards and European Regulations 3
P What are ISO 14001 requirements for Sub-consultants, Contractors, Suppliers ISO 14001:2015 Specific Discussions 3
B Approving Suppliers - Consultants AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 8
D TBM Consultants - Has anyone used them? Lean in Manufacturing and Service Industries 2
Stijloor Consultants, have you received calls from Registrars lately? Registrars and Notified Bodies 9
S Pre-Assessment Mock Audits by Different Consultants IATF 16949 - Automotive Quality Systems Standard 7
J How much do we need to pay for consultants? Consultants and Consulting 38
Sidney Vianna ANAB HU # 96 Commissions and Incentives to Consultants by Certification Bodies ASQ, ANAB, UKAS, IAF, IRCA, Exemplar Global and Related Organizations 17
G Looking for Quality Auditors/Consultants in Canberra/Sydney/Melbourne Australia Career and Occupation Discussions 5
Antonio Vieira ISO 10019:2005, for who? Selection of quality management systems consultants Consultants and Consulting 2
D Should consultants be accredited or hold ISO9001 certification themselves? Consultants and Consulting 32
Marc Available AS9100 and Aerospace related Consultants Paid Consulting, Training and Services 3
B TS 16949 auditors and consultants requirements IATF 16949 - Automotive Quality Systems Standard 1
D Is the market still good for consultants? Thinking about becoming a consultant Consultants and Consulting 16
M Registrars as consultants? Registrars and Notified Bodies 6
M External Consultants Fees/Timing - 9K:2K Transition ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 4
Marc Available IATF 16949 Consultants Paid Consulting, Training and Services 4
Marc Available 17025 - Laboratory Consultants ISO 17025 related Discussions 2
Marc Available FDA / Medical Device Consultants Paid Consulting, Training and Services 9
Marc Available ISO 14001 Consultants Paid Consulting, Training and Services 2
Marc Available ISO 9001 Consultants Paid Consulting, Training and Services 20
M QSR Purchasing Controls governing evaluation and use of consultants ISO 13485:2016 - Medical Device Quality Management Systems 1
Q ISO 9001-2015 Internal audit finding Internal Auditing 12

Similar threads

Top Bottom