Value adding third party audits


In June 2010 I  presented to several hundred representatives from the third party certification industry in Japan, at the IRCA 2010 Conference in Yokohama. This was my topic

I think I know why I was asked. I’ve had a lot to say about weaknesses in third party audit systems on this blog and a few other places, and I have expressed strong views on the need for modernisation of traditional and (dare I say it) out-dated conformity focussed approaches. It may be that the industry is starting to agree with some of the things I have been saying. I hope …

Anyway, I really need to start constructing something. An argument. Something that is challenging enough to make people think differently, but engaging enough not to turn people off and create a defensive response. A dilemma and no mistake

Fortunately I have been able to review a JIBDEC/JAB action document, so I know a little about where they are coming from. That document talks about the need for a balanced effectiveness/conformity assessment. Not so much “does it work to its own procedures?” more like “does it do what the customer wants it to?” The JIBDEC/JAB document also talks about how the audit needs to add value. It is this second aspect that has got me thinking. What do we mean when we say we want the third party audit to “add value?”

Third party audits – adding value for whom?

When we talk about “value adding” third party audits are we really suggesting that a third party auditor, without performing any meaningful research or necessarily having any great expertise in the sector, should be able to go into an established company for a couple of days and tell them much that they did not already know? Come on, let’s take a trip to planet earth for a second, is that realistic?  I think anyone who thinks that a third party audit is going to yield a treasure trove of hitherto unknown and valuable management information is living in a dream world. It is not going to happen. The good news, though, is that it doesn’t matter. It doesn’t matter because third party certification schemes were never designed or intended to do that in the first place. Its just that somehow over the years we’ve lost sight of what the primary purpose actually is, and for whose benefit they exist. Third party certification schemes exist primarily to provide information not to the audited organisation, but to customer organisations. It is these organisations that we really should be thinking about. What do CUSTOMER organisations want from third party certifications? How can we improve third party certifications to increase value for CUSTOMER organisations?

It’s the customer, stupid

How could we be so blind? The reason the vast majority of companies seek registration is not because they want it for some intrinsic reason (although I accept one or two may do), nor is it because they believe the CB will send along a kind of Tom Peters to sort out all their problems and tell them how to conquer the world. It isn’t these companies we should be focussing on. We must think about the external value of certification and what that is supposed to mean in the public domain. When we think about adding value we should be asking questions like

  • What is it supposed to say about a company that has certification?
  • How high are the standards?
  • Dare we trust the certification?
  • Is it consistently applied?

What if every hotel was rated 5 star?

Maybe we need to start thinking about it in the same way that we think about star rating systems on hotels, because the same principle applies. When we choose a hotel for a family holiday we look at the hotel’s star rating and this adds value to us as customers. The ratings are extremely useful so long as we feel we can trust them. They give us information and help us to reduce the risk of choosing a hotel that might not suit our needs

But what would happen if we lost faith in the integrity of the star rating system? Well, for a start, we’d pay no attention to it. We would not use it as a selection tool, hotels would stop going through the rating process and the scheme would soon fall into disuse. Pretty soon there would be no more pointless star ratings. That is what would happen if the integrity was lost

I think it is this parallel we need to consider when we talk about breathing new life and credibility into third party management system certification. Above all else the system has to be consistent, trusted and enforced to a level that means something to prospective CUSTOMER organisations. We need to be clear about what the badge means and go back to basics to a certain extent. Maybe there needs to be more fails too. Think about it. Should it be our aim to get everyone certified? Great for CBs in the short-term, lots of fees, but in fact it is the last thing we should ever want if we think about it properly. All differentiation would effectively be lost

The day everyone achieves certification is the day that nobody needs it any more


This entry was posted in Auditing, Certification schemes and tagged , , , , , , . Bookmark the permalink.

6 Responses to Value adding third party audits

  1. Rob Peddle says:


    I hope my comments are going to be helpful – apologies in advance for the length of them, but this is a critical topic! Just read through the post a few times and I will only try to address the ‘added value’ issue, as this seems to be the one you are asking about, although, the solution is tied closely to answering the first part as well… Adding value can only be achieved if we look at the overall audit process and tools being used – as you so rightly say, adding value by doing audits in the same way we always have is not going to happen.

    If we do not fundamentally address the way we plan and carry out audits and report findings, then we are merely tinkering at the edges. Too often, people have tried a tweak here, tweak there to improve auditing, but this has only been able to deliver minimal benefit. There is a need to stand back and look at the whole process and the way it is carried out if we are to discover the ‘golden nugget’ of ‘added value’ auditing.

    I agree that third party audits have never been designed to deliver added value – just a confirmation of suitable application of a standard was taking place. However, auditing should always have been about both conformance and effectiveness, although too often it stayed firmly at the conformance end of this continuum. I think what organisations are really saying when they talk about ‘added value’ is that they want much more of the effectiveness auditing than in the past – more information about how effectively the application of the standard is supporting their business.

    I would argue that the third party certification is not only there for the benefit of the customer of the organisation, but it is also for the benefit of the organisation itself. Generally speaking, what is good for one is also good for the other. The problem is that conformity alone is not good enough for either of these parties, hence the demands from both for ‘added value’.

    So what do these two want by way of ‘added value’ from auditing (both internal and third party)?

    Customers want to know the risk of their supplier not being able to (continue to) deliver what they need from them i.e. the right ‘product quality’ to specification, on time and to agreed cost. Increasingly, they also want to be assured that the environmental, social and ethical impacts of the supplier are being managed alongside these ‘product quality’ areas. This means that they want to be assured that the supplier is operating in a mature way, balancing and managing their business risks. Some may also want to know specific areas of interest, such as that they are working with a company that is ‘pushing boundaries’ in development areas that are relevant to themselves, etc. What they are looking for is an indication of the mature application of the standard being assessed (9001, 14001, etc.), beyond pure conformance into effectiveness alongside all of the other things they are applying, and that they are likely to continue to do so or improve further in the future.

    The old ‘tick in the box’ compliance ‘pass or fail’ result is no longer adequate, as you so clearly show in the 5 star hotel example, the World is getting ever more complex with increasing numbers of requirements that have to be applied alongside each other. When 9001 auditing and certification was initiated, it was almost alone, so could have a focus just on itself, but this is no longer the case. Customers need a much more strategic report from a third party certification, showing how mature the supplier is compared to a continuum that goes well beyond conformance, which is just a step towards effectiveness, not the end game that too many registration bodies seem to see it as. Better still, they need to be able to benchmark different suppliers against each other in a meaningful way, which certification currently cannot do.

    Not surprisingly, those suppliers getting the registration actually need to know the same information, as described above for the customers. They need this to be able to manage their operations in this increasingly complex business World. So by satisfying customer needs from the ‘added value’ certification, you also satisfy the supplier as well. One small problem may be that some suppliers do not want to let their customers know their real level of maturity beyond conformance, but I suspect that once customers know it is possible, they will be demanding to see it anyway ….

    So, going back to the earlier part of the reply above, if we think about the process and tools we use for auditing, then we can start to address the ‘lack of value’ issue. You rightly say we cannot send in a Tom Peters to every certification audit – indeed, even Tom Peters himself could not really get to the bottom of the real risks in the time available. We therefore need to find assessment tools that by pass the inevitable shortcomings we get by expecting auditors to go much beyond compliance. To do so would require far too much evidence gathering (especially for the soft issues and the way different standards and frameworks are embedded into the day-to-day business) and auditors that have a very wide knowledge of different business disciplines. And even then, how do we ensure consistency in evaluation of the evidence gathered one day to the next, one organisation to the next?

    The solution we have created is to develop IT-based tools that collect behavioural-based evidence in a 360 degree confidential and non-threatening way from anyone with direct experience of the organisation (the more the merrier!). This evidence is then consistently analysed in a knowledge-based analysis engine, reporting what it sees in two or more directions (against the clauses of the standard itself and also against good practice business drivers, such as the 8 principles of ISO9000). Finally, the result is reported against a scale where compliance with the clause of a standard (the typical level at which certification is given) is set at 40%, with higher levels indicating the maturity of the application of the standard in a whole-business context.

    This reporting in reality provides the ‘added value’ that both customers and the organisation being audited need to help them move beyond the tick box into risks to effectiveness. I am more than happy to share more details of what we have done if it would be useful – equally, I hope our version of ‘added value’ will be useful in your thoughts for the presentation in Japan.

  2. Rob says:


    Being on the receiving end of LOTS (and I mean LOTS) of 3rd party audits, I can say that almost without question they add very little value to the company, system, process, people or procedures. By their very nature they skip across the company at a high level, resulting in a few non-conformances about things you already know about. 1st party audits tend to throw-up routine issues. For me 2nd party audits are where you get real value. Here the customer is saying, this is how you can add value to my processes, this is what I want and expect.

    Also, can you please change the link in your sidebar from to I’m moving away from a self-hosted blog: too expensive and it got massively bloated.


  3. shaun says:

    I’ll amend that link today Rob

    Thanks for your comments. You have actually echoed a sentiment that I have been leaning towards for a while, that is that 3rd party audits should take a leaf out of the 2nd party book. I have been thinking this way for a couple of reasons

    1. They are unquestioningly more thorough. Probably as there is more at stake, and there will be consequences if a poor job is done (not so on a 3rd party audit, I’d suggest)

    2. They are by definition aligned to actual customer requirements, whereas 3rd party audits tend to take a literal and/or superficial view of the ISO standard and for the most part ignore any specific contract requirements a company is supposed to be working to

    This has given me some food for thought. Thanks Rob

  4. Nice article.
    I feel strongly against the malpractices in certification (at least in India it is rampant!)
    Like-minded veterans should come together and raise our voice against it, I feel.

  5. Shaun says:

    Yes, I know about India. Unfortunately I have found it impossible to maintain a presence in India with our IRCA courses. Certification is the same, but the problem is no way limited to India. The Certification Bodies all want to have their cake and eat it. They simply don’t care about maintaining standards – none of them – despite their noble words, the actions are different

  6. Vasu Krishnan says:

    Perhaps the Certification process should consider star ratings.I am reminded of Hyundai’s 5 star audit system in which weightage was given to performance(During receiving inspection and during warranty),Quality system audit,and supplier development.Not more than 5-8% of Tier 1 Suppliers to Hyundai in India could qualify for 5 Star rating,even though all of them were certified to ISO/TS 16949:2009,and ISO 14001.
    The added incentive was apart from retaining share of business,5 Star rating changed the status from Suppliers to Business Partners.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.