After implementation of your management system, having the auditors from a certification body come to verify that the policies and processes you have put in place meet the requirements of the standard is almost always the next step you will take. This goes for various kinds of ISO standards, like ISO 9001, ISO 14001, ISO 45001, ISO 27001, ISO 20000, and ISO 13485, but also for other ISO-related standards like IATF 16949 and AS9100.
There are many benefits to having auditors from a third-party company perform this certification audit, including having a second set of eyes looking at what you have implemented, and the certification audit can be a great way to help you improve your overall management system. But what if you have a complaint about an ISO certification body? Sometimes a company will disagree with what the certification auditor does or says and, if this happens, it is important to know that there is a process for what to do.
Step 1: Start with discussing with the auditor
Certification auditors are there to verify that your processes and activities comply with your own policies and procedures, but also with the requirements of the standard you are being certified against. However, if they find that a requirement is not being met, they will need to raise a nonconformity for you to correct. Sometimes when a nonconformity is identified, a disagreement occurs, so how do you address this with the auditors?
Remember, the auditor cannot raise a nonconformity if there is not a requirement, or if there is no evidence that a requirement is not being met. Nonconformities are not a matter of opinion; they are a statement of fact. It is often helpful, and completely reasonable, for you to ask the certification auditor exactly what requirement is not being met for the nonconformance they have identified. They should be able to quote for you exactly what the requirement is, and if not, then there should not be a nonconformity given. Having this short discussion in a respectful manner can very often clear up any misconceptions that a company would want to complain about. Further, you should judge whether an auditor has evidence to support the nonconformity – if not, again, the nonconformity should not be raised.
For more information on dealing with certification auditors, see this article: How to approach an auditor in a certification audit.
Step 2: Discuss at the closing meeting
If discussions with the auditor are not satisfactory, your next step is to discuss this at the closing meeting with the lead auditor. The lead auditor has the authority to determine what will be recorded as a nonconformity in the audit report, and can make a decision to interpret the findings of other auditors as either nonconforming or conforming. The decision of the lead auditor will be what is recorded in the final audit report.
Step 3: Formal written complaint to the certification body
If you have tried to discuss your concern with the auditor and the lead auditor at the closing meeting, but have not been able to come to a satisfactory conclusion, then you still have the ability to appeal to the certification body. This can be followed up with a formal written complaint to the certification body to assess your concern. There are employees at the certification body level who will look at your concern, and make a judgement or work with the certification auditor to correct the situation. All accredited certification bodies must have their complaints procedure publicly accessible, such as on their web site, so that it is easy to determine who to contact in case of complaints. This step is very rarely done – most complaints of this type are settled in the closing meeting.
Another time you may wish to contact the certification body is due to the behavior of the auditor. While this is not a common occurrence, behavior on the part of an auditor can, unfortunately, be problematic sometimes. The management system audit is based on seven principles per the ISO 19011:2018 guidelines for management system auditing, which auditors are required to uphold: integrity, fair presentation, due professional care, confidentiality, independence, evidence-based approach, and risk-based approach. If you are not satisfied that an auditor is acting to uphold these principles, such as breaches in confidentiality where you believe private information has been exchanged with others, then you are well within your right to contact the certification body about the situation.
For more about how the certification body thinks, see this Infographic: The brain of an ISO auditor – What to expect at a certification audit.
When should you contact the accreditation body?
Certification bodies are intended to be monitored and managed by an accreditation body, and if you have a serious complaint about the certification body, you can contact them. These serious issues might include unethical business practices such as asking for bribes to ignore nonconformities, evidence that certifications have been issued for organizations without due professional care to ensure conformity to the standard, or even issuing certifications without any audit being performed.
If you believe that a certification body is conducting these serious breaches of the certification process, the accreditation body will want to know and take action. It is in everyone’s best interest that the certification process be robust and the results acceptable.
Remember: Certification is for your company, not for the auditor
When going through the certification process, it is important to remember that you have implemented, and are certifying, your management system to benefit you and not the certification auditors. The auditors are there to ensure that your system meets the requirements of the standard, and your planned arrangements, and not to tell you how you should perform your processes. Make sure that the management system works for you, and don’t complicate things just because your auditors think you should if there is no benefit to you.
For some help in understanding the certification audit, see this white paper: What to expect at the ISO certification audit: What the auditor can and cannot do.