First Round of QMS Internal Audits - Ethical Dilemma

[cjeighkay]

Looking for tips and advice. My company was just registered to the ISO 9001:2105 standard in May. Long story short -our ISO Project Leader (who happens to be my direct manager and our corporate level quality and CI resource) did not fully research our registrar and we ended up essentially passing the cert audit with flying colors -no records or samples were taken during the audit, no NCs noted, and with just few OFI's later we had our "certificate" in hand. I uncovered (after the fact) they they were an unaccredited outfit and essentially nothing more than a certificate mill. I know there is no requirement to use an accredited cert body - but as a professionally trained and certified ISO internal auditor for my company I know we were not assessed in a way that added much value to our newbie QMS. It almost makes a mockery of all of the hard work we did as an implementation team.... I brought the research to my manager who wants to keep the info under wraps ( he was recently commended by our president for getting the project done early and under budget ) and let any negative outcome or inquiry from our customers drive any further action on our parts. He does not intend to have us re-audited. He has directed me to conduct our first round of internal QMS audits not according to how I was trained, not according to the standard, but in a way that mirrors the way we were "audited"(Using their checklist, methodology, etc.) He said because we hold a certificate that is not accredited, we are not held to the guidance found in 19011 and that he would like me to limit any findings to just a "Few OFI's" like they did. I expressed that the internal auditor certification I hold required me to agree to an auditor code of conduct and of ethics and now we find ourselves at an impass.... This may end up being more of a personal decision for me to make long term, however I am wondering if anyone has any insight or has ever found themselves in a similar ethical pickle and if so, how you handled it as an auditor.

 

[Sidney Vianna]

did not fully research our registrar

Are you sure this was an "accident"? Based on the description of the situation, it seems he knew very well what he was getting. Only you can determine how to move forward, but the expectations of your boss are pretty clear: keep up the façade.

 

[Guest]

This may end up being more of a personal decision for me to make long term, however I am wondering if anyone has any insight or has ever found themselves in a similar ethical pickle and if so, how you handled it as an auditor

While you work for this joker, don't beat yourself up. When you find a better outfit to work for, the issue won't be an issue. Polish up that resume, instead.

 

[Pjservan]

All your points are valid. Why did your company undergo the ISO 9001 certification? If you have customers expecting the certification then you can expect the issue surface sooner or later. This is something that you can not hide as an educated customer will soon realize that your certificate comes from a cert- mill or by the mere absence of accreditation seal. If no customers are asking for it, then it is more of an internal issue. However the sooner management is aware of what is happening then you can let them make the decision.

 

[Jim Wynne]

This is a no-win situation. Some enlightened customers have had the foresight to require accredited certification, while others will remain oblivious, but sooner or later it will come to light in one way or another. Do what you need to do, and remember that the best time to look for a job is when you have one.

 

[Randy]

Waste not, want not.

Time, effort and money wasted on non-accredited certification, and most likely just to save a couple bucks. Y'all are now going to spend at least twice as much to get something of value out of the process. I'd lay odds it was a short quickie as well. How many folks you got and I'll tell you how much time it should have take.

Sorry, but that's the way it is.

 

[Sidney Vianna]

Y'all are now going to spend at least twice as much to get something of value out of the process

Why? If unaccredited, pseudo-accredited, self accredited CB's and certificate-mills did not deliver something that is "accepted", they would not exist.
Trying to get a financially reasonable ISO Certification Body
Is your registrar (CB) accredited?
Interesting Discussion The proliferation of Accreditation Bodies in the USA
Is your registrar (CB) accredited?
Accredited/Unaccredited Certification - The Credibility of some Certification Bodies
Do you scrutinize your supplier's choice of certification body (registrar)?
Should customers influence a supplier's registrar selection?
Registration bodies that are not accredited?
Are Unethical Registrars a Small Minority of the Registration Community?

 

[Ninja]

Sounds like you have a clear direction from management, and a deeply held belief of what you think is acceptable or right, and they are in conflict.

You have four options:
1. change the direction from management.
2. change your beliefs.
3. find a path that satisfies both (unlikely).
4. disobey either management or your beliefs or both.

All of the above except the unlikely one are distasteful...which has the least amount of distaste for you? Do that one immediately following getting you resume up to date. At the same time...see if #3 is at all possible.

At the end of the day...is it the QMS, or the opinion of your manager that is important to you? Can you build something you believe in while you give your direct supervisor what they asked for?

 

[malasuerte]

Late to this - but in general a good company would/should have a code of conduct policy and ethics reporting path. I would simply proceed through that path if it is in place. If there is no CoC in place, then there is not much that can be done.

But, I would ensure these directives from said manager are documented formally (letter, comms, whitepaper, etc) so that it is fully know that it is his decision. The last thing we would want happen is a customer issue, then this gets highlighted as a contributing factor and then guess who gets the brunt of the blame? rolls downhill!

 

[cjeighkay]

Late to this - but in general a good company would/should have a code of conduct policy and ethics reporting path. I would simply proceed through that path if it is in place. If there is no CoC in place, then there is not much that can be done.

But, I would ensure these directives from said manager are documented formally (letter, comms, whitepaper, etc) so that it is fully know that it is his decision. The last thing we would want happen is a customer issue, then this gets highlighted as a contributing factor and then guess who gets the brunt of the blame? rolls downhill!

thank you... so true. UPDATE since i wrote this post: Said manager is no longer with the company. A mutual parting of ways from what i understand. I have now inherited the mess, but without him here I was able to present the information to top leadership and the situation is now in their hands... I explained that I felt it was a risk to customer satisfaction and to our reputation to do nothing about aligning ourselves with a less than reputable cert body. Waiting to hear what they decide to do - i was told there are 3 options. 1 is to ride it out and continue to have me help manage, audit, build, and improve the QMS the way it is supposed to be and take no shortcuts - just PDCA all the way.... 2, is that they may decide to abandon formality all together and simply swap ISO 9001 "certified" for ISO 9001 "compliant" in all of our marketing materials, etc. 3, would be reinvesting in an accredited registrar and repeating the process with a new gap analysis, cert audit, etc. to ensure it is implemented properly. Either way, the decision lies in the hands of our BOD as part of our FY22 strategic directives, and i couldn't feel more relieved.... Thanks everybody for the feedback. This was a doozie!