Experience ISO Excellence

Rob Kantner answers your questions:

Is this company really certified, or not? (2/14/08)

An Indian company I want to do business with says they are ISO 9002 certified. How do I verify that? I tried www.iso.org and can't find how to verify that.

ISO 9002 has not existed since 2003. So that may be a red flag.

Quickest way is to ask them for their certificate. Registered companies are always willing to send that out (it's a bragging point). Then verify it with whoever their registrar is. Most registrars have web sites with listings of their registered clients.

Failing that, you can search for them at whosregistered.com. Results here are not always dependable. Some firms I know are registered are not listed there. But it's another avenue.

Short answer: Until they can prove they are registered, I would consider them not registered.

What will surveillance audit cover? (11/12/07)

We got our ISO 9001:2000 registration in April '04; now the surveillance audit is around the corner. Could you help me identify which areas should be stressed during the internal audit?

I'm confused. Have you not done any internal audits?

If you're asking what the external (certification) auditor is going to stress during your surveillance, the answer is: since you're on an annual surveillance, they're going to cover a lot of ground. They'll certainly focus on your processes for creating your deliverable for your customer. They'll look at metrics and customer satisfaction. And they'll take a close look at internal audit, management review, and corrective action. Hope this helps.

How bad do we have to be to get de-certified? (1/16/06)

1) How many non-conformances will create a de-certification for ISO? 2) How many minor non-conformances make a major non-conformance?

This issue is somewhat subjective. Here are some guidelines based on our experience.

  1. One major noncompliance that is not effectively corrected in a timely manner (i.e. within the time set by the registrar) can result in decertification.
  2. The number of minors that can "add up" to a major depends on where and how the minors are concentrated within the elements of the Standard. Here's an example. If under contract review the registrar finds minors under a majority of the clauses, they can infer from this, by the evidence, that the system is "not effectively implemented" and raise a major to that effect. It is not possible to specify a "number" of minors that would trigger this since it all depends on factors such as the size and complexity of the requirement, the actual/potential customer impact, etc.

A major can also be raised on an uncorrected minor - I have seen this happen - and that can threaten decertification also. Our experience with majors is minimal (in 15 years we have only had 1 client ever get one), and we have never seen a client of ours decertified. But my observation is that to be decertified, you basically have to turn your back on the system and throw it away with both hands.

What is a "major" nonconformance? (6/13/05)

Hello, if I, working as an internal auditor, found a nonconformance, what are the criteria to determine if this is a minor or a major nonconformance, and how many minor nonconformances become a major nonconformance in a real-life certification audit?

A "major" can be either complete lack of compliance to a requirement of the Standard, or a deficiency that adversely affects a customer. A "minor" can be an occasional lapse in a particular requirement of the Standard, or some other deficiency that does not adversely affect the customer. These are the basic guidelines. It is not an exact science. My clients normally do not rank internal audit noncompliances as "major" or "minor" because, in an internal audit, the distinction is meaningless.

In a certification audit, several minor noncompliances against a particular clause of the Standard can be rendered as a single major. This is to some degree up to the discretion of the auditor. Again, not an exact science.

Preparing for surveillance audit (3/9/05)

We got our registration in April of '04. Naturally, with our first surveillance audit coming up, I am a little apprehensive as to how to go about the internal audits. Is it necessary to internally audit the items that the 3rd party [registrar] audits every time? (internal audits, corrective/preventive action, continual improvement). Can you offer any advice on how I should go about this first surveillance internal audit?

I would not necessarily always audit what they audit every time. Your audit frequency should be organized by process. Generally you set a baseline frequency (i.e. 1x year) and then audit, more often as a rule, processes that are a) seriously customer-affecting (customer oriented or "core" processes), and/or b) processes that have a less than sterling track record in prior audits. So your schedule / frequency evolves over time.

Advice to a client about to undergo registration audit

Good luck today and tomorrow! I know you're prepared; I know you've got a good system; I know you'll do well.

Word to the wise: Just because the auditor seems friendly doesn't mean he's a friend. Many certification auditors do as much consulting as auditing. You do NOT have to take his consulting advice as gospel. Only what he calls out as problems with the Standard do you have to react to. If he says you're noncompliant, have him show you in the Standard EXACTLY where the problem is. That'll help you flush out what's actionable and what's advisory.

It's your company, your system. You, not the auditor, are the process experts. Don't lose sight of that.

Registration Logo

How are you doing Rob? I am the Quality Manager at [Company Name]. We make paper cones primarily for the textile industry. We want to advertise that we are ISO 900X compliant, but we do not want to misuse our registration logo. So what I am asking, is there any certain guidelines that we are supposed to follow for advertising that we are ISO 900X compliant?

You state that you are "ISO 900X compliant," and then mention a registration logo. I'm going to assume that you are in fact registered and have a certificate to that effect. (Some companies are advertising that they are "ISO 9000 compliant" without being registered; there's a difference.)

The rules vary from registrar to registrar, so your best bet is to check with your own registrar. Usually their rules etc. are included in their published information. Generally they tell you what logo(s) you can use (registration and accreditation). They caution you not to exceed your "scope of registration" (i.e. you need to be clear about what process(es), locations, etc. are covered by the registration), and the publicity must never imply that the "products" are certified in any way.

But as I said, best course is to check with the registrar.

De-certifying a Company?

What redress does a "customer" have when the supplier of goods and services, although ISO-9000 certified, consistently acts in a non-ISO 9000 manner. E.g. Wrong product shipped, wrong packaging, to wrong destination, unable to issue invoices, incorrect pricing charged etc. These problems are not a one-time thing, they occur most of the time. Is there a mechanism to have the supplier de-certified?

Darn good question.

What I would do is call the company and ask to speak to their ISO 9000 management representative. They are required to have an individual with this title / function. That's the person responsible for the quality system. I would brief him or her on the chronic anti-customer events. I would ask them whether they have carried out documented corrective action on these problems. Specifically I'd ask them if they have ever audited their "contract review" process. Many of the problems you cite are directly related to problems in their contract review process.

Suppliers can be de-certified, but it is rare. (Unfortunately.) As an escalation step, you could contact their ISO 9000 registration body and complain to them. I can help you find out who their registration body is if you'd tell me who the supplier is.

Bottom line: One of the weaknesses in the whole ISO 9000 process is that the registration body auditing process is, in my view, not nearly rigorous enough. This allows certain suppliers to continue to provide deficient product / service. At the end of the day, how well ISO 9000 helps suppliers depends on how determined and committed their top management is.

Can ISO 9000 Noncompliances Draw Fines?

I am doing a paper on ISO 9000, I'm just learning, and had some basic questions. 1. Can fines be given out for being out of compliance after certification? 2. Can there be spot audits if it is suspected that a company is not using the intent of ISO 9000 during the process? 3. Can the certification be revoked? I'm not even sure if these questions are applicable or you understand them, but I thank you for your time.

1. No, no fines.

2. There is no such thing as a surprise ISO 9000 audit. Surveillance audits are scheduled, usually every six months or so.

Special follow up audits are scheduled to look at corrective actions taken on major noncompliances.

3. Yes, it can. But the company is given every opportunity to correct problems before such drastic action is taken.

How Can We Tell That Our ISO 9000 System is Working?

How can we tell if our ISO 9000 system is really working?

When it becomes not just tolerated, but accepted. And not just accepted, but an automatic, reflexive part of "the way we do things here."

The term for this is "transparency." When your ISO 9000 system is really working, it is transparent in your organization.

But (surprise, surprise) this does not happen overnight. It usually does not even happen before registration. Up to that point, and beyond, the ISO 9000 system is new, different, intrusive. It forces people to change how they do things, most in small ways, some in large. People resent this, as they tend to resent all change. Some resist, at least passively. Others ignore it and hope that it will go away. They can run, but they cannot hide. For once the internal audit process starts, employees are confronted with the quality system, and their obligations under it, on a regular basis. Most elect to join 'em, having failed to beat 'em. And that is the big turning point.

Once the euphoria of registration has passed, and the company has a couple of successful surveillance assessments under its belt, the ISO 9000 process starts to become transparent. Here are some definitive clues that this is happening:

  • No major noncompliances are written during internal quality audits. When the program first starts, internal audits will routinely turn up quantities of majors. A few may still slip through, even after registration. By the time you reach transparency, majors tend to be a thing of the past.
  • Middle managers are routinely writing corrective action requests. This is a strong sign because the typical middle manager has tended to address problems on a solo basis rather than working through the system. When middle managers begin working through the system, it is a sign that they (finally) see value and merit in it.
  • Management reviews become strategic in nature rather than tactical. The first few management reviews are extremely tactical, do-it-by-rote exercises. Later, after implementation and registration, senior management tends to realize what an excellent tool these reviews are not only for reviewing the quality system processes, but for improving the process over the long term.
  • Employees watch the numbers. With your system, you track performance against defined goals. A wise management communicates the "score" to employees on a regular basis. You know you are at a state of transparency when employees keep an eye on the numbers themselves.
  • Procedures and other quality system documents are routinely being reviewed and updated as processes change and improvements are put into place. Up until transparency, documents tend to lag behind changes -- sometimes for a long time -- and are not caught except by internal audits. When transparency sets in, people automatically take care of the documents that pertain to their jobs. They want them to be right.

Unfortunately, some companies never reach the transparency stage. This happens to companies who implement "for the certificate only," "to get the customer off our back." They do the minimum needed to get registered. They allot meager resources to implementation and maintenance. They communicate to their employees, by word and deed, that, lip service notwithstanding, "this is just a big joke and it really doesn't matter."

Which makes their ISO 9000 system a cost, rather than a benefit. And that is a shame.

When Companies Get Registered to ISO 9000, What Surprises Them the Most?

Once a company is registered to ISO 9000 or QS-9000, what is the one thing that surprises them the most?

In my experience with dozens of firms, there is one thing that almost always amazes them. That is the discovery that the system actually helps their businesses to do better.

Why should they be surprised? Doesn't the typical company expect that to happen?

No.

The typical client implements ISO 9000 or QS-9000 systems because a customer is forcing them to. The client goes into it grudgingly, and with much skepticism. The client feels its system and quality is already very good (and in virtually all cases it is!).

The client expects ISO 9000 or QS-9000 to be nothing more than a headache and an expense -- one more hoop to jump through. The client is willing to endure all this, in order to satisfy their customer.

What the typical client discovers, once its system reaches 'steady state,' is that the system is helping them in ways they never expected. They seem especially surprised that it is saving them money--and they are able to prove it.

Registration Audit Butterflies

I work in the lab at (company name). Our audit is this coming week. Any tips on what types of questions will be asked, and how I can keep from looking like a fool? I know my work OK, but I have heard horror stories on what to expect. Thanks, Joan Davis

The most important thing is to know the details of the procedure(s) that affect how you do your job. You need to know where those procedures are and how to get them changed when needed, and you need to demonstrate that you work in a way that is consistent with the way the procedures are written.

Beyond that, it's important that you know your company's "quality policy statement" and be able to explain it in your own words.

You also need to know how your firm's corrective action process works -- at least how you, as an employee, can initiate a corrective action when there is a quality related problem.

Don't get too uptight. This is not an "IRS" type of audit. Most assessors are very fair and very patient and, if you know your system and can explain the things I've mentioned, you'll do fine.

Top Brass on the Spot

What direct questions should we expect a registrar (auditor) to ask our executive management folks? It is quite clear to me what to expect for the implementation people, such as middle managers and others further down in the organization. How can our management executives best be prepared for the interview by the registrar's auditors?

The executive management people need to be prepared to explain how the system affects how they do their jobs. They need to show that they are familiar with the procedures that affect how they do their jobs, and are working in a way that is consistent with them. Like everyone else, they need to know the firm's quality policy statement, the name of the system, etc.

More important, since these people set policy, they need to be fully fluent in the requirements of Section 5 (Management Responsibility). This section has specific requirements for "top management." There are some 13 different areas that top management can expect to be quizzed about. Brief them. Have them ready.

Don't let them be embarrassed. Top managements tend not to like that.

The Biggest Potholes

What are the biggest reasons companies fail registration? (Which elements?)

I've only ever had one client not pass registration audit the first time. That time it was because there were no preventive actions processed all the way through. A very lame major, in my opinion. So I can't really speak as to what elements tend to cause registration problems.

Picking a Registrar

What is the price range of a per-day cost for an auditor for ISO 9001, and some company names in the lower, middle and top price ranges?

Most registration bodies provide quotes based on the size of your organization (headcount), number of locations, scope of the system, etc. There are guidelines for this that they are obliged to follow, with lots of wiggle room. They are free to set their own pricing schedules per auditor day and other fees, though. And the quotes can vary considerably. The amount charged per auditor day isn't really very helpful information because it doesn't give you the whole picture. It's important to get quotes from several organizations, line them up, and compare them apples-to-apples etc.

Price is a factor but by no means the most important one. There are some very inexpensive registration bodies who are cheap because they are not very good, their registration is not well respected, they do poor audits and provide lousy service. This is very much a "caveat emptor" type of scenario. There are at least 60 registration bodies operating in the U. S. today -- some very well known names, some fly by nights. If what you want is a fast cheap easy audit that means little and puts a diploma on your wall, there are firms that will be glad to accommodate you -- like Jesse James, they'll take the money and run.

In my view, besides price, you need to look at a) the registrar's experience in your own industry -- who else have they registered? They are required to make that information available to you. b) Their business practices and policies. They are required to provide you with detailed information about how they operate. c) Their attitude. You need to feel comfortable with them. They will be around for at least 3 years and it's important that you find someone who's a "good fit." d) scope of accreditation. RvA accreditation is the easiest to get, in my opinion. I suggest aiming for someone who has not only that, but also RAB, UKAS, maybe a handful of others. Not a bad notion to lean toward someone who was around before ISO was (1987).

As part of our consulting service we help clients select a registration body. We are not tied to any of them and receive no favors from any of them. Typically we start by giving the client a list of 4 or 5 that we think meet all the criteria and seem to be a good "fit" for that particular client (by then we have been working with the client for some time). Even if I had current pricing of registration bodies (which I don't) I would not give you names in "lower, middle, and top" price ranges since, as I've said, price is only a small part of the picture and I think it is a grievous mistake to select on price alone.

Change name, lose registration?

I have situation here. Company A is certified for software development. If the company changes its name to B, what happens to the certification? Is there a need to re-certify company B? Is there a way that the certificate issued in company A's name can be still used by the company, now called as company B?

If all that's happened is a name change, and surveillance audits have continued on schedule, the registrar should change the name on the certificate. I can't imagine why any further action would be needed.
