Featured Product
This Week in Quality Digest Live
Quality Insider Features
Henning Piezunka
Businesses and leaders influence the kinds of ideas they receive without even realizing it
Having more pixels could advance everything from biomedical imaging to astronomical observations
Chris Caldwell
Significant breakthroughs are required, but fully automated facilities are in the future
Dawn Bailey
Helping communities nurture the skilled workforce of the next generation
Leah Chan Grinvald
Independent repair shops are fighting for access to vehicles’ increasingly sophisticated data

More Features

Quality Insider News
Providing practical interpretation of the EU AI Act
The move of traditional testing toward Agile quality management is accelerating
Easy to use, automated measurement collection
A tool to help detect sinister email
Funding will scale Aigen’s robotic fleet, launching on farms in spring 2024
3D printing technology enables mass production of complex aluminum parts
High-end microscope camera for life science and industrial applications
Three new models for nondestructive inspection

More News

Denise Robitaille

Quality Insider

Self-Certification Is Not a Real Thing

Training, competence, and impartiality are just a few of the benefits of accredited certification

Published: Wednesday, February 12, 2014 - 17:55

Every once in a while we hear of a company that claims to have a self-certification to ISO 9001—or some other management system standard. The company “certifies” that its organization conforms to the requirements of ISO 9001. It sounds pretty good until you start to ask what this self-certification actually means.

For a quality management system (QMS) to be considered certified, the certificate must be received from an independent, accredited certification body upon completion of an assessment against specific documented criteria. It’s possible to be certified by an unaccredited certification body, but these certificates are of questionable value since they don’t carry the backing of an accreditation body. (More about this later.)

For the time being, we’ll assume that certification means by an accredited certification body. Without the certification body, there’s no unbiased appraisal and no evidence that a thorough assessment has even been conducted by competent individuals. Bottom line: There is no such thing as self-certification. It’s just an attractive catchphrase with no substance.

There are also organizations that self-declare that they are ISO 9001-compliant. This phrase is at least not dishonest. In this case, the organization freely acknowledges that it has not incurred the expense of third-party certification. It has determined (through its own internal audit process—which is not certified) that it believes itself to be compliant with the requirements articulated in ISO 9001. It doesn’t purport to have a certificate. This declaration has more candor, in that it says: “We have a pretty good system. We aren’t certified. But, we believe that we comply with ISO.” Although it is a truthful statement, it still doesn’t carry much weight in the world of certification.

Why is certification so special?

What stands behind that framed certificate?

Certification audits are conducted by auditors who have had their qualifications vetted by the certification body (CB). CBs are also referred to as registrars, and the terms are used interchangeably.

Auditors are required to be trained and go through a provisional period in which their skills are witnessed by the CB or by training providers. The training providers who offer certifications such as Lead Assessor credentials must have their courses approved by certifying or accrediting bodies. The training that auditors undergo covers audit planning, developing checklists, time management, auditor attributes, interviewing techniques, evidence sampling, process approach, statistical methods, comprehension of requirements, writing up findings, generating audit reports, and post-audit follow-up.

Auditors must also demonstrate competence in the organization’s field or industry. An individual whose only background is in healthcare does not have the requisite competence to assess a chemical manufacturing facility. The CBs are required by their accrediting bodies to ensure that auditors have both the necessary auditor skills and experience in their clients’ various fields.

Having audits conducted by competent, trained auditors is important for both the CB and the client organization. The CB has the confidence that the auditor will represent it by conducting credible and reliable audits. The auditor conducts the audit, but it’s the CB that issues the certificate. It’s the registrar’s name and logo that appear on the certificate. That certificate is based on the auditor’s recommendation. If the auditor is incompetent or lacks the requisite knowledge, the integrity of the recommendation—and, therefore, the certificate—is impugned. Third-party auditors, meaning the ones doing certification audits, are required to ascribe to a code of conduct that includes objectivity, truthfulness, confidentiality, and freedom from personal interest that would bias the outcome. This is why auditors generally sign nondisclosure agreements and are upfront about the fact that they agree not to consult during the course of the audit or for a defined period afterwards.

An organization that “self-certifies” can’t begin to demonstrate this rigor in terms of training, competence, performance, or impartiality.

Well-conducted audits provide organizations with significant benefits beyond the certificate on the wall. Individuals increase their understanding of their own role in the fulfillment of organizational goals through the audit process—particularly when they are being interviewed. Well-trained auditors are able to frame questions in a manner that elicits productive and informative responses. Responding to auditors, demonstrating various activities, and providing evidence are all facets of the audit process that serve to reinforce the importance of the entire quality system. So, a good audit should be a learning experience for everybody involved.

Audits provide value. Organizations shouldn’t look upon them as painful events that are riddled with accusation and punitive consequences. Auditors produce audits reports that contain useful information about the organization. A well-balanced report should highlight positive features of the quality management system; provide observations of risk, which are usually articulated as opportunities for improvement; and findings of nonconformity, which indicate something is wrong that imperils the integrity of your system and ultimately your ability to serve your customers. It is due to this fact that ISO 9001 and similar management system standards require the inclusion of the results of audits as part of the management review process.

What else do registrars bring to the table?

Why is it important to have an accredited registrar or CB assessing your system and certifying your quality management system?

Registrars are required to play by internationally established rules that are promulgated by such organizations as CASCO, the conformity assessment committee of the International Organization for Standardization (ISO). Some of the more commonly known standards that are used are ISO 17021—“Conformity assessment—Requirements for bodies providing audit and certification of management systems” and ISO 17023—“Conformity assessment—Guidelines for determining the duration of management system certification audits.”

Since I’ve brought up CASCO, which is an ISO committee, it’s appropriate to clarify here another misconception: ISO does not issue ISO 9001 certificates. It is not a certification body. It oversees the development of thousands of standards, among which are found some of the most popular management system standards, including ISO 9001. Saying that you have an ISO certificate is perhaps a tiny unintentional misrepresentation. In actuality, organizations have certificates that indicate that they have a system that conforms to ISO 9001.

CASCO develops criteria that CBs are required to conform to. These requirements mean that they must expend time and resources to ensure the competence and impartiality of auditors. They have to establish procedures for their own organization, develop audit plans, verify the scope of clients’ QMS, review audit reports for completeness, deal with corrective actions and other assessment follow-up, and retain adequate evidence to present to their accrediting body. All of these activities are internationally agreed upon and lend credibility to the entire conformity assessment industry. It means that certifications have value that is recognized around the world. Generally, certificates issued by one CB are recognized by another due to the consistent conformance to accrediting body requirements. A self-certification has none of this foundation.

What, then, are the accrediting bodies?

Accrediting bodies (ABs) ensure that CBs conform to the rules. Just as CBs audit companies, ABs audit CBs. They conduct assessments and periodic surveillance audits that look at CBs’ records dealing with myriad issues, including auditor competence, impartiality, planning, adherence to rules concerning audit days, review of audit reports, issuance of certificates, and follow-up of audit findings. They even go out on audits to witness the CB’s auditors in the field.

It’s worth noting that CBs are required to pay fees to the ABs for these services—which is part of the cost of an organization’s certification. The CBs also pay a fee for each certificate they issue.

So, it’s cheap and easy for an organization to self-certify or self-declare because it doesn’t have to deal with any of these costs. But, it also doesn’t have any of the credentials, expertise, and objective scrutiny that make the certification process a meaningful organizational asset. As the saying goes, you get what you pay for—in this case, a worthless certificate.

Where do the accrediting bodies get their authority?

Accrediting bodies participate in the International Accreditation Forum (IAF). The IAF is made up of organizations around the globe with an interest in conformity assessment. Its focus is “...to develop a single worldwide program of conformity assessment which reduces risk for business and its customers by assuring them that accredited certificates may be relied upon. Accreditation assures users of the competence and impartiality of the body accredited.” The IAF has liaison status with CASCO and provides input into the development of its standards.

What this all boils down to is a certification to ISO 9001 or any comparable management system standard is backed by tiers of carefully monitored and verifiable processes and organizations. It means that certificates issued anywhere from Bolivia to Botswana to Belgium to Barbados to Britain carry the same level of reliability.

How does all this information flow down to the end-user?

Organizations that choose to become certified to ISO 9001 have a right to know that the registrar they have selected is accredited.

There are multiple factors to consider when selecting a registrar. Probably the single most important is to make sure that it is accredited by a recognized body. This is very important. There are still organizations that purport to provide certification but have no recognized credentials. Remember: Accreditation means that your certificate will be recognized both nationally and internationally. Other registrars and their customers will acknowledge your certificate. When selecting a registrar, ask who its accrediting body is. There are many. A few of the more common ones include ANAB (ANSI-ASQ National Accreditation Board), UKAS (United Kingdom Accreditation Service), and RvA (Raad voor Accreditatie).

If your customers require you to be certified to ISO 9001, they’re probably expecting that certificate to come from a reputable organization. As a customer, you may accept evidence of certification to ISO 9001 as the criterion for approving some of your suppliers.

Accreditors’ logos are always displayed on the certificate along with the registrars’ own logo. Absence of an accrediting body’s logo is an indication that the certificate has been issued by an organization that lacks accreditation and will probably not be recognized. That means that all the money you’ve invested in the actual assessment (on-site audit, travel expenses, etc.) has been wasted.

If you’re looking at a certificate from a potential supplier and the accreditation mark is missing, you may want to reconsider doing business with the company.

Unfortunately, there still are organizations that will sell certification services without having an accreditation to back it up. It might keep a few customers content, but the more discerning ones will recognize the bogus certificates for what they are—wallpaper.

Ironically, some auditors working for unaccredited CBs may actually conduct good audits. But their work is tarnished by the fact that they aren’t forthcoming about the limitations of their unaccredited certificates. It would be more candid to say, “I’ve conducted an audit, and based upon my expertise in this field and my skills as an auditor, I have determined that this quality management system conforms to the requirements of ISO 9001:2008. However, this statement does not constitute nor is it intended to imply certification.” I’ve seen these statements at one or two organizations in the course of my years auditing. And, I found their customers accepted the statement, despite its limitation, probably because of the honesty it reflected.

Bogus certifications and “self-certifications” devalue the work of tens of thousands or organizations that have opted to have their systems assessed and continually monitored by an impartial third party. They undermine the entire conformity assessment community.


About The Author

Denise Robitaille’s picture

Denise Robitaille

Denise Robitaille is the author of thirteen books, including: ISO 9001:2015 Handbook for Small and Medium-Sized Businesses.

She is chair of PC302, the project committee responsible for the revision to ISO 19011, an active member of USTAG to ISO/TC 176 and technical expert on the working group that developed the current version of ISO 9004:2018. She has participated internationally in standards development for over 15 years. She is a globally recognized speaker and trainer. Denise is a Fellow of the American Society for Quality and an Exemplar Global certified lead assessor and an ASQ certified quality auditor.

As principal of Robitaille Associates, she has helped many companies achieve ISO 9001 registration and to improve their quality management systems. She has conducted training courses for thousands of individuals on such topics as auditing, corrective action, document control, root cause analysis, and implementing ISO 9001. Among Denise’s books are: 9 Keys to Successful Audits, The (Almost) Painless ISO 9001:2015 Transition and The Corrective Action Handbook. She is a frequent contributor to several quality periodicals.


Article feedback

Sorry Denise, Your article here is so short-sighted, naive and completely wrong.  Having been audited for over 20 years at one of the world's largest companies, the one thing I have realized is that the registrars you so elevate in your article are useless!!

In the last 5 years, our registrar has conducted over 20 audits, a total of about 100 audit days and there have been 3 OFIs logged.  Most of the time these auditors come in and don't even know how to apply the standard.

Bottom line the 'certification' you so cherish is a sham.  I see absolutely NO VALUE in it, except to have the PDF posted on a website!  They add no value.

The internal audit program of our company and its auditors outshine any of those from most registrars.  

While "self-certification" is not a real thing; "Self declaration of conformance" can, and in our case, is an exponentially better measure of our QSM!!!

The IATF, ISO, ANAB, etc. need to evolve into the times!  The idea that these auditors and the methods and requirements of these bodies are meaningful is a farce!  

Self-Certification Is Not a Real Thing but may be practical

Hello Denise,

Love your articles and always look forward to reading them.

The actual certificate approach only has a marginal edge versus self certification or conformance in my opinion.

I work for a medium sized manufacturing company who holds over 60 different quality system and product approval certifications for many years now. Our certificate portfolio is across many auditors, registration bodies, and accreditation organizations. All of which are unique in their own way even if they work to a common industry standard.

I can't blame the "self conformists" for taking the position. The reason is customers still insist that even though you hold 60 different certificates, they cannot buy from you until their auditors conduct a QA audit of your system. The next scenario is customer has audited your QA system but still needs a EN 10204 3.2 certificate stamped by a third party.

In short, spending thousands of dollars annually on actual certificates may not get you ANY direct acceptance from customers. This is much like the self-conformance position but without the certification cost.

Of course, there is a myriad of other improvements to system, product, and service that certificate holders will reap over the self conformist approach when comparing the two as stand alones. It is just that for face value holding a legitimate certificate is not much more than the self-conforming position.

Thanks for the great articles and keep them coming!

Ken Kaniecki




Bogus Certifications

They do more than de-value work of real auditors. Using unaccredited certifications to represent your level of expertise is like using counterfeit fasteners on a Boeing 787. One minute your are flying along at 500 mph and the next minute you are free-falling 30,000 feet to the earth. It is like using counterfeit money to pay for goods or services. Somebody gets cheated.

I once worked, in succession, for two firms who wanted me to assess their CMM level of practice. They wanted me to find that the IT departments were performing at Level 5 (scale of 1 to 5). For each company, I did a careful audit and wrote up the findings. I made it clear that it was an internal audit and carried no weight outside of the company. At best it would give the executives some direction for process improvement. I do not know if the executives ever used the findings at the first company. I went to the Persian Gulf War I in 1990 and my job was not held for me. Neither of the companies liked my report that they were at a Level 2 or Level 3 and needed process improvement. The second company did undertake process improvement and managed to institute several working teams that resulted in what one manager called "Isolated pockets of success." The company's software engineers wrote better software afterwards. Both of the experiences were an eye-opener for me. I saw the same tendencies at a third company I was at, later on. I offered some unsolicited advice and kept out of the way. I do not know what transpired.

You wrote a good, concise, comprehensive article on this topic.

Of course self certification is a real thing

Of course sellf certification is a real thing. And unaccredited certificates are still certifications. This debates revolves around operational definitions and models. 

The connotation of always, never, etc. related to these concepts is also based on assumptions about what model you are referring to, the situation, the context, defintions of terms, etc. 

I have studied analyzed my employer's quality system 5 days a week for 10 years. Our third party auditors study it for 2 days a year. I have studied quality standards for 18 years. My conclusions are less reliable than the 3rd party auditors in every case? 

We cannot expect certainty in an uncertain world with open systems. If we accept the PDSA concept, the fact that the processes in a system are inter-related and interact, and that open systems inter-relate and interact with each other, then we need to think about the relativity of things, context, defintions, models, variables, etc. 

Thank you, Dirk