Trust but verify

In the conformity assessment industry, specifically for management systems certification, the certification decision review is the one time any other certification body personnel, besides the auditor, can make a technical determination regarding the effectiveness of a management system. That being the case, the certification decision is the last firewall protecting certification bodies from malpractice, ambiguity and liability when it comes to their certified customers.

The devil is in the details

One of the most commonly overlooked requirements related to the certification decision section within the ISO/IEC 17021-1 standard is clause 9.5.1.4 (ISO Staff, 2016):

“The certification body shall record each certification decision including any additional information or clarification sought from the audit team or other sources”

Sure, certification bodies almost always record the certification decision, this is a no-brainer; but what about the second part of the clause?

From personal experience conducting technical reviews of reports, I have observed that in a high percentage of cases, clarification is needed from the team (or other sources) regarding a statement or observation made during the audit/assessment. Let’s face it, humans aren’t always the best communicators which can lead to different interpretations of what a sentence really means within a conversation, not to mention an audit/assessment report. When this issue comes up, it is up to the certification decision reviewer to clarify with the auditors (or other sources) and determine what was meant by what has been written. Assuming you, the reader, work in a certification body, how many times have you seen such clarification requested? How many times have you seen it recorded?

The 40th president of the USA, Mr. Ronald Reagan, was known for his signature phrase, (adopted from a Russian proverb; “Doveryáy, no proveryáy”) “Trust but verify”; this is the attitude that persons charged with certification decision review should adopt (Porzucki, 2014). You are trusting the competence of your auditors but verifying the details and results of the audit. You are trusting that the statements included in the report are factual but verifying that your understanding is correct. You are trusting your system but verifying its effectiveness.

Another great way to relate this concept is by considering the Plan, Do, Check, Act concept. A certification body (and/or its auditors) plan an audit, the auditors conduct (do) the audit, the certification decision reviewer(s) check the audit, and the corrective action process is used if any action is necessary. I challenge readers to present a situation in which the details included in an audit report are clear beyond a shadow of a doubt. The reality is, with all forms of communication, a certain level of uncertainty is expected. Ever played a game of telephone? Our mandate, as conformity assessment professionals, especially as certification decision reviewers, is to find these points of ambiguity and clear them up before we assume the liability and responsibility for an organization’s system certification.

Additionally, your auditors will thank you for conducting a thorough review of the statements made in assessment/audit reports. Not only do you protect the interests of the certification body with a detailed review, but you can also provide your auditors with input regarding continuous improvement and professional development. Not to mention in-part fulfilling the requirements in clause 7.2.10 of the standard. This is not to say that certification decision reviewers should be hunting through each line of the audit report looking for typos or misspellings; not only is this an impractical waste of time, but you also run the risk of alienating subject matter expert auditors just because their typing skills aren’t word perfect. However, responsible reviewers should certainly take the time to read into the details of the report and ask themselves, from a third-party perspective, ‘what does this really mean’?

From a certain point of view

Another reason that an in-depth technical review should be conducted, and the clarifications sought resulting from that technical review be recorded is that different viewpoints notice different aspects. If we all read something and walked away with the exact same understanding, not only would this article be pointless, but philosophy wouldn’t be taught in institutions worldwide. Why? Philosophy is the study of viewpoints. Different individuals have different experiences which leads them to develop distinct points of view. Something that is extremely clear for one person, may invoke hundreds of questions in another. The same goes for auditors. One auditor may observe a process or situation and come up with one determination of its effectiveness or conformity; while another auditor observing the same process or situation would have entirely different conclusions. The role of the technical reviewer is to ensure that the viewpoints expressed in an assessment/audit report are understandable and unambiguous to the greatest number of people.

Why does it all matter?

Not only does an in-depth technical review process increase your own confidence in your certification process but it also gives third-party assessors/auditors confidence in the overall system. From a customer relations perspective, detailed technical reviews can also serve to calibrate auditors, resulting in greater customer satisfaction and a reduction in hearing “the previous auditor said this, while this auditor said the opposite”. This not only reduces the prevalence of appeals, complaints, and general dissent from your customers, but empowers them to know that someone from the home office of their certification body is paying attention and won’t stand for auditors auditing their personal interpretation of compliance to a requirement, but the compliance to the requirement itself.

In-depth technical reviews, recording the results of those technical reviews, and acting upon the information gleaned from the reviews is one of the most effective ways to improve your certification process and can have far-flung positive effects on the other parts of your management system.

References:

• Porzucki, N. (2014, March 7). Suzanne Massie taught President Ronald Reagan this important Russian phrase: ‘Trust but verify’.
• ISO Staff. (2016, December 1). ISO/IEC 17021-1:2015. Retrieved November 4, 2019, from https://www.iso.org/standard/61651.html.

Disclaimer: The views and opinions expressed by the author in this article are not necessarily representative of International Accreditation Service Inc. policy or interpretation and should be taken as informative commentary on the subjects contained within.