This relates to clause 5.2.7 of ISO 17021-1:
“5.2.7 Where a client has received management systems consultancy from a body that has a relationship with a certification body, this is a significant threat to impartiality. A recognized mitigation of this threat is that the certification body shall not certify the management system for a minimum of two years following the end of the consultancy.”
Several CABs employ contracted auditors (not ‘subcontractors’ but individuals contracted to work for the CAB, under the CAB’s management system), who are also employees of a certified organization, very often engaged as e.g. Quality/Environmental/OH&S Manager/Representative. According to clause 5.2.7, can such a situation be understood as a significant threat to the impartiality of the CAB (such persons participate in establishing, implementing or maintaining a management system, so they fulfil the definition of “management system consultancy”)? If yes, shall the CAB refuse to certify the management system of the company where the CAB’s auditor is employed (permanent employee) for a minimum of two years following the end of the consultancy? Or possibly the sufficient mitigation of such a threat is that the auditor will not be used in any certification activity of such a client?
March 2019
An answer to a similar question is already given in the ISO/CASCO Clarifications (http://bit.ly/2phNnqJ)
Based on this, it is also clear that “contracted” auditors are also equal to “subcontractors”.
In the question presented, the clause 5.2.7 of ISO/IEC 17021-1:2015 is not the applicable one, but the other clauses 5.2.3 and 5.2.10 are to be applied.
In the case presented, the answer to the first question is: YES.
Therefore, the CAB has two actions to be taken:
- Not use the contracted auditor as this is posing a significant threat to impartiality
- Certification process for this client can continue but with appointing another auditor
The mentioned ISO/CASCO clarification is summarized below:
(Date of submission: 2018.09.04)
- Clarification request, please formulate the request clearly and where possible in a format that enables a YES or NO answer:
Clause 5.2.7 reads “5.2.7 Where a client has received management systems consultancy from a body that has a relationship with a certification body, this is a significant threat to impartiality. A recognized mitigation of this threat is that the certification body shall not certify the management system for a minimum of two years following the end of the consultancy.”
There is a need for clarification on three issues related to situations where the client of the CB has received MS consultancy from an individual free-lance consultant and this free-lance consultant is also acting as external auditor for the CB:
- One could argue that a free-lance consultant is a “body” or one could argue that a person is not a “body”. The grounds for not considering a free-lance consultant to be a body as meant in 5.2.7 is twofold: i) in clause 5.2.3 distinction is made between “… activities of other persons, bodies or organizations …”, and ii) clause 7.3 speaks of individuals contracted as external auditors. If this free-lance consultant is to be considered a “body” then this “body”, because of also having a contract with the CB, has a relationship with the CB and thus this has to be considered a significant threat to impartiality. Is it correct to argue that a free-lance consultant is to be considered a “body” when applying 5.2.7?
- Stating a specific method for mitigation of this risk in the text of the clause (instead of in a note as was the case in the previous version of 17021) could be understood that in fact no other possibilities for mitigation are possible. Would it however also be an acceptable way of mitigation if the CB ensures that the individual free-lance auditor will not act as auditor (nor has any other task in the certification process) for the specific clients he/she has provided MS consultancy?
- Could it be an acceptable way of mitigation if the CB ensures that the free-lance auditor that has provided MS consultancy to clients of the CB, during audits for this CB, is always observed or accompanied (four-eyes principle) by an auditor not involved in this kind of consultancy?
- The change in wording of 5.2.7 compared to the previous version (2011) could be considered to have the intention to include free-lance consultants. The 2011 version speaks of “the relationship between the consultancy organization and the certification body”. Based on that text it was not common to consider free-lance consultants as consultancy organizations. If the change was intended to sort the effect that free-lance consultants are to be considered “bodies” or “organizations” then this is a significant change in requirements for CBs. Was the change in wording intended to sort this effect?
7. Consensus position of the maintenance group (This section is only to be completed by the maintenance group members)
Question 1: No, a body is considered to be an organisation not an individual. Whether considering a free-lance auditor a “body” or not does not override the requirements in § 5.2.3 & § 5.2.10 that both address requirements that are applicable for “persons” – internal, external, consultants or others.
“5.2.3 The certification body shall have a process to identify, analyse, evaluate, treat, monitor, and document the risks related to conflict of interests arising from provision of certification […] demonstrate how it eliminates or minimizes such threats and document any residual risk. The demonstration shall cover all potential threats that are identified, whether they arise from within the certification body or from the activities of other persons, bodies or organizations.”
“5.2.10 In order to ensure that there is no conflict of interests, personnel who have provided management system consultancy, including those acting in a managerial capacity, shall not be used by the certification body to take part in an audit or other certification activities if they have been involved in management system consultancy towards the client. A recognized mitigation of this threat is that personnel shall not be used for a minimum of two years following the end of the consultancy.”
Question 2: Yes. In this case, clause 5.2.3 exists to evaluate the risks and find an acceptable solution to eliminate or minimize them. Clause 5.2.10 is also very clear that the requirement applies “if they have been involved in management system consultancy towards the client” and is not intended to extend beyond that.
Question 3: No, this would be in conflict with 5.2.10 which states that “A recognized mitigation of this threat is that personnel shall not be used for a minimum of two years following the end of the consultancy”. In unavoidable situations (e.g. areas of highly specialized competence where extremely few qualified auditors exist) other mitigation solutions may need to be sought, but only when a detailed evaluation of the risks has been performed and established whether the proposed solution would be acceptable.
Question 4: No, the intent was not to include free-lance consultants under 5.2.7. When they work for CBs, they are considered to be contracted auditors and managed as such.

