Of course they can!  The more relevant question is whether they can “get involved”.

Firstly there are NO accreditation rules that forbid consultants, registrars rarely have documented policies for consultants involvement and thus the auditor often makes the decision.

Not unreasonably nobody wants any interference in an audit.  A consultant who tries to answer questions asked of other people is interfering.  That is not acceptable and the auditor should talk to the consultant.  However, there is nothing restricting the consultant from being involved.  Perhaps the consultant has a formal role in managing corrective action, conducting audits or providing training.

There is nothing that bans auditors from opening or closing meetings (although some auditors try this) and you should stand your ground when an auditor restricts your access to your experts.  If you don’t involve them they will not be able to help you if things go wrong.

ISO 9001 requires the management representative to be part of the organizations “own management” but it is unlikely that ISO were commenting on the employment status of the person performing this role and that would mean that so long as the consultant has a management role in the organization they can in fact be the management representative.  If your auditor is adamant (many of them are) then simply appoint the consultant to the role of coordinator and assign an internal manager as the management representative.

A well behaved consultant will contribute with answers to difficult ISO type questions and point the auditor in the right direction.  A clever auditor will welcome the consultant and take advantage of his/her expertise and experience with the organization.  Bad auditors are scared of being embarrassed or just believe that ISO should be handled by the organization without any help (a little bit like going to court without your lawyer).

Before the audit, get a copy of your registrars policy for consultants (or at least an email confirming it will be acceptable).  Preferably do this before choose the registrar and only choose those that will allow you access to your experts.

You have two options.  Complain or don’t complain.

Most organizations avoid complaining because they are worried about that auditor coming back.  Even if you can ensure they don’t return, does your complaint affect the registrar organization who is, after all, sending the next auditor?  Worse than this, in our experience registrars simply don”t see anything wrong with what their auditors do.  They put it down to personality conflicts and misunderstandings and they seem completely miss the opportunity for corrective action.  That said an unofficial complaint or “challenge” of a finding is often reviewed favorably.

Of course you do have recourse to complain to the accreditation agencies (e.g. ANAB).  However, these too are rare.  You have to remember that while ANAB is independent, it is funded by the people they are investigating complaints against.  Since September 2006 (3 years) there have been 93 complaints against registrars (check out the ANAB website at ANAB.org).  That’s about 31 per year.  How many registered companies are there?  (figures are hard to tell because there is no one source).  In the US an estimate of 100,000 might be appropriate, all of which are audited for at least one day a year!

So while we would urge you to complain and correct auditors who are wrong, we are realistic.  Choose you battles.   If necessary ask “nicely” for findings to be reviewed.  If its a behavioral issue or once you realize that you deserve to get value for what you pay, the simplest route is to just change registrars.  A new registrar can take over your certification without any extra cost or effort – they simply take up where the last one left off.  When negotiating with the new one you can make your points clear and ensure follow up.

Technically no!  However, there is an argument, used by auditors that if you don’t have a copy, how can you achieve conformance.  Your “old” copies, checklists and other documents may contain the reqiurements but unless you can “prove” they are the same (for which you will need a copy of the standard) you are out of luck.  If you own a copy of the 2000 version of the standard your could try arguing that the 2008 version introduced no new requirements but we don’t think it will work.  In practice you need a copy of the standard.  Available at ASQ.org.

There are many factors that affect the answer to this question.  But generally the answer is “very quickly”.

Although philosophically ISO is about discipline, control, organization and improvement, this is achieved in part through the documentation of processes.  Thus larger and more complex organizations (more and more involved processes) will require more time to complete an ISO project.    Smaller and simpler organizations are relatively easier and can be completed more quickly.

Another important factor is the experience and expertise of the people implementing the ISO program.  If the project is being undertaken completely in-house with limited experience then the project is likely to be slower.  In-house people usually have other important tasks to do and not unsurprisingly ISO is a somewhat involved project.  It is not uncommon for in-house projects to take years to complete (just this week I spoke with two different organizations where the person I was talking with had taken over the ISO project about a year ago from somebody who had been working on ISO for 10-15 years).

The expertise factor has a substantial impact on an ISO project.  Not only does it affect timescales but it impacts  other important factors such as how conforming the project is and how easy the ISO system is to maintain.

Cavendish Scott can complete a full consulting project (where we do all of the work) in about 3 months for a company of up to about 50 people without too much strain.  Obviously the quicker a project is completed, the more compressed the effort.  Much quicker is possible.  We have completed a project for an organization of about 200 people in 30 days.  It required 4 of us to devote ourselves fairly constantly during that time – but it is possible.

So most projects could take between 3-6 months and very rarely do we allow projects to take 6-9 months.  Where they do drag on there is a concern that the project will lose momentum.

In house projects will typically take 3-4 times longer than what we would achieve.

Projects can be completed too quickly.  It is ideal to allow enough time for reflection on the way processes work in the organization.  Frequently we find that organizations have complex processes or that the best way to interpret a requirement requires a little thought.  Where processes are defined immediately within an extremely short timescale you don’t get this luxury.

Cavendish Scott is capable of short timescale projects but is aware of and manages any dangers that are created in this situation.

Technically yes!  However, this is likely to be a struggle and should help you distinguish between a good registrar and a bad one.

There are no accreditation rules about this and thus what an accreditation agency might expect is that a registrar has a documented policy and procedure for doing this.  A good registrar would have this in place and thus simply explain the process – not moan about the difficulties.

If you want to extend your audit temporarily then you probably can without too much difficulty just by arrangement with the scheduler.  It is unlikely you will be able to extend it more than 3 months and you will need a good reason to do so (act of God is usually a good one!).  And a peculiarity of 17021 (the standard that registrars follow) is that the first surveillance audit cannot be more than 365 days from the initial audit – and that is firm.

It is a surprisingly common request to permanently move an audit date.  Registration was frequently achieved by a target such as the end of the year but there is often a more convenient time to have an audit.  If you are audited in November but it would be more convenient in March then you effectively want to move your certificate date by four months.  So for that year of moving you need to extend your audit year by 4 months or shorten it by 8.  That will mean that you should have a more intensive audit for that period and you should expect to pay for it.

Note that for small companies, you may have a one day audit each year but it may be the “required” auditing is actually less than one day.  The guidance table used to calculate duration applies to the initial audit and provides for surveillance audits at 1/3 of that duration.  if your initial audit was calculated to 2 days then your surveillance might be one day but only 2/3 of a day is “mandatory” according to the table.  In this instance your normal days surveillance audit should be sufficient to extend your audit year in order to move your certificate date – and thus the regular date of your surveillance.

Because there is a new certificate to be issued and there are other administrative records to be maintained (justifying all of this) expect an administrative fee also.  If you attempt to move your certificate date during a re-assessment year then it is possible the administrative fees are less or not applicable because a new certificate is issued anyway.  But you need to be careful during a reassessment year.  You do not want a certificate that shows an expiration in December and a new certificate that starts in April.  That gap might cause problems.  Thus an extended certificate or an additional certificate will be necessary.

While all this seems to make sense, and there doesn’t seem to be rules against it, it is strongly recommended that you contact the most senior management in the registrar possible.  And even then you might need a lot of good luck.

Finally, if your registrar is not helpful in this matter, you should consider transferring to another registrar.  It is likely that they would be willing to assign their certificate with a mutually beneficial date and audit schedule in order to gain your business.  And transferring is basically a free exercise.