ISO Certification 04 Oct 2024

Can an ISO Certification Body Conduct an Internal Audit?

Based on the results of a LinkedIn survey and the opinions of experts from leading certification bodies, we discuss the rules derived from ISO 17021 regarding impartiality in the certification process.

In a recent LinkedIn survey conducted by Certiget, we asked: Can an ISO certification body conduct an internal audit for its client? The survey results showed a variety of opinions.

68% correctly selected the option “No answer,” indicating an understanding of the principles outlined in ISO 17021. 32% of participants chose other options, such as “Yes, according to ISO 9001” or “Yes, if the audit is independent.”

This highlighted the need for clarification on this issue.

Why is "Yes, according to ISO 9001" not the correct answer?

ISO 9001 pertains to quality management systems and specifies requirements for organizations aiming to ensure the quality of their products and services. However, it does not regulate the impartiality of certification bodies or whether these bodies may conduct internal audits for their clients.

It is ISO 17021 that outlines the requirements for certification bodies, particularly regarding impartiality. A certification body conducting internal audits for its clients is considered a significant threat to impartiality. Section 5.2.6 of this standard clearly states that certification bodies should not offer or conduct internal audits for their certified clients.

Impartiality is crucial in the certification process as it ensures an objective and independent assessment of the organization. Therefore, the response based on ISO 9001 is incorrect in the context of impartiality requirements set out in ISO 17021.

Is "Yes, if the audit is independent" a valid answer?

Although an independent internal audit may seem not to compromise impartiality, ISO 17021 imposes strict limitations in this regard. Even if the audit is conducted by a different team of auditors or in a different location, the impartiality of the certification body can still be jeopardized.

Experts' Views on the Matter

To clear up any doubts, Certiget sought the opinions of experts from leading certification bodies:

  • Aneta Sawicka, Assurance Sales Manager, BSI Group Poland
  • Alicja Dąbrowska, Director of Management Systems Certification, CeCert
  • Krzysztof Binkowski, Technical Manager, DNV Poland

The experts unanimously emphasized that, according to ISO 17021, a certification body should not conduct internal audits for its clients. Such actions pose a significant threat to impartiality and may undermine the credibility of the certification process.

Aneta Sawicka from BSI Group Poland noted that the certification body must manage its impartiality in accordance with section 5.2 of ISO 17021. This means that neither the certification body nor any part of the same legal entity, nor any entity under its control, can provide internal audit services to its certified clients. A two-year waiting period is necessary to maintain objectivity.

Alicja Dąbrowska from CeCert highlighted that the impartiality of the certification body is also subject to verification by accreditation bodies. A certification body cannot have any prior relationship with the certified organization that could influence the certification decision. The standard explicitly prohibits conducting internal audits for its clients to ensure the independence and objectivity of the certification process.

Krzysztof Binkowski from DNV Poland confirmed that, according to section 5.2.6 of ISO 17021, it is unacceptable for a certification body to conduct internal audits for its clients. Such actions pose a significant threat to impartiality and contradict international standards.

Waiting Period as a Key Element of the Standard

To minimize the risk of impartiality being compromised, ISO 17021 introduces a minimum waiting period. If a certification body has conducted an internal audit for a client, it should not initiate the certification process for at least two years after the audit's completion. This waiting period ensures objectivity and independence in certification decisions.

Interesting Fact: The Question of Consulting Services

When organizations undergo ISO certification, they often work with consulting firms that help them prepare for audits and successfully implement the standard’s requirements. As a result, certification bodies frequently ask whether an organization has used consulting services when gathering information for an offer. If you’ve ever wondered why this question is asked, it’s not out of the certification body’s curiosity. It plays a role in ensuring impartiality and preventing potential conflicts of interest.

Don’t avoid answering this question – the consequences can be severe, and the certification body may even refuse certification if it identifies a potential conflict of interest. Transparency in this area helps keep the ISO certification process reliable, and organizations can fully trust the awarded ISO certificate.

Certification Bodies and the Challenge of Impartiality

For global certification bodies, impartiality requires special attention. Due to their large organizational structures and operations in multiple countries, there is a risk that different branches may unintentionally violate impartiality rules. If certification bodies do not effectively monitor and coordinate services across the entire organization, it may lead to situations where one branch conducts an internal audit while another certifies the same client, creating a potential conflict of interest.

Therefore, global certification bodies must have detailed procedures in place to monitor their activities in different countries and branches to ensure these processes are properly managed and coordinated, minimizing the risk of impartiality violations.

In smaller certification bodies, impartiality is equally important, though the challenges may differ due to a smaller number of employees and a more limited geographical reach. The risk of impartiality breaches still exists, especially when the body offers additional services. In such cases, the lack of clear separation between certification functions and other services may lead to bias and undermine the trust in the certificates issued.

To prevent this, smaller certification bodies must have clear guidelines for managing conflicts of interest and ensure that no consulting or internal audit services are provided to organizations they certify.

Conclusion

ISO 17021 clearly states that a certification body cannot simultaneously conduct certification and internal audits for its clients. Such actions pose a threat to impartiality and may undermine the credibility of the certification process. Even independent audits or activities carried out in different locations do not eliminate this restriction. The two-year waiting period further reinforces these principles, ensuring that certification decisions are based on objective criteria.

How to Ensure That a Certification Body Complies with International Standards?

To verify whether a certification body operates in accordance with international standards, companies can:

  • Check accreditation – Ensure that the body holds accreditation from a recognized accreditation institution, which confirms compliance with ISO 17021.
  • Use the ISO Certifying Bodies Catalog – Certiget offers a comprehensive catalog containing verified information about certification bodies, including accreditations, scope of services, and reviews from other companies.
  • Analyze reviews and ratings from other companies – The experiences of other businesses can provide valuable insights into the professionalism and impartiality of the certification body.

As a platform supporting transparency in certification processes, Certiget enables companies to make informed decisions when choosing a certification body. Through our catalog, users have access to comprehensive and up-to-date information, helping to avoid risks associated with impartiality violations and ensuring that the chosen body operates in line with international standards.

Full Expert Statements

Aneta Sawicka, Assurance Sales Manager, BSI Group Poland:

"According to the standard EN ISO/IEC 17021-1:2015 'Conformity assessment – Requirements for bodies providing audit and certification of management systems – Part 1: Requirements,' the certification body must manage its impartiality (section 5.2). What does this mean in practice? The certification body, as well as any part of the same legal entity or any entity under the control of the certification body, cannot provide internal audit services to its certified client. The rule includes a two-year waiting period, meaning that if the certification body conducted an internal audit in an organization, it should not certify its management system for two years after completing the internal audits (EN ISO/IEC 17021-1:2015, section 5.2.6)."

Alicja Dąbrowska, Director of Management Systems Certification, CeCert:

"The fundamental assumption of assessments conducted by certification bodies is impartiality. This is maintained if the body has no prior relationship with the certified organization and is not subject to its influence, ensuring that the certification decision is objective and independent. The impartiality of the certification body is also verified by the accreditation body. According to section 5.2.6 of the PN-EN ISO/IEC 17021-1:2015 standard, conducting internal audits by the certification body for its certified clients is a significant threat to the body’s impartiality. Bodies should neither offer nor conduct such audits. For clients where the certification body has conducted such audits, it should not carry out certification processes for at least two years after completing the internal audits."

Krzysztof Binkowski, Technical Manager, DNV Poland:

"According to the requirement of ISO 17021-1:2015, section 5.2.6, conducting internal audits by the certification body for its certified clients poses a significant threat to impartiality. Therefore, the certification body or any part of it should neither offer nor conduct internal audits for its certified clients."

Information Sources:

  • ISO/IEC 17021-1:2015 Standard, "Conformity assessment – Requirements for bodies providing audit and certification of management systems – Part 1: Requirements."
  • Expert opinions from BSI Group Poland, CeCert, and DNV Poland

Article author


Luke Kowalski

Managing Director

Certiget.

Luke Kowalski is a professional with a wealth of experience gained while working at one of the world's most prestigious certification bodies – British Standards Institution (BSI). His career at BSI has given him a unique perspective on certification processes and invaluable knowledge about preparing commercial offers tailored to the needs of leading companies in business. Additionally, Luke Kowalski has experience in providing consultancy services to companies implementing management systems. His extensive experience and deep industry knowledge make Certiget, under Luke's leadership, a reliable partner for entrepreneurs in the process of collecting and comparing ISO certification offers.

