5.2.7 Where a client has received management systems consultancy from a body that has a relationship with a certification body, this is a significant threat to impartiality. A recognized mitigation of this threat is that the certification body shall not certify the management system for a minimum of two years following the end of the consultancy.
Many CB’s external auditors are owners of one man consultancy enterprises and the contracts with the CB are signed by the enterprise.
We have understood the changes in wording of the standard in a way that in such cases the relationship constitutes a significant threat to impartiality as the contractor is the enterprise/body – not an individual and thus 5.2.8 does not apply.
In addition, we recently faced a case where at the same time the CB made an annual surveillance of ISO 9001:2008 certification by auditor X an external auditor Y of the same CB was giving consultancy to the same company for ISO 9001:2015.
What would be your reaction in such cases?
March 2017
Clause 5.2.8 refers to outsourcing (sub-contracting) and this is different to contracting-in external resources.
An individual that has his/her own consultancy company would be considered as a body in terms of ISO/IEC 17021-1 and in this case clause 5.2.8 should be invoked and the CB should not outsource audits to them
An individual used as a contracted-in external resource does not come under 5.2.8 however impartiality rules still apply in terms of ensuring previous relationships do not compromise the impartiality of the audit process.