When ANAB observes certification bodies auditing organizations, it seems they sometimes forget about digital content during the audit.
Information abounds in our digital world, so much so it can be overwhelming. In this digital age, people and organizations add a lot (including articles like this one) to online content, where information is disseminated, opinions are shared, claims are made, marketing and sales occur, and on and on.
It’s said that we’ve just scratched the surface as far as what we can do with the information available to us in digital form. After almost 20 years of the internet and web services, we are amazed every day with the functionality, efficiency, and productivity of digital content. When ANAB observes certification bodies (CBs) auditing organizations – especially those with physical products or people-based services, it seems they sometimes forget about digital content during the audit.
What do I mean? I’m talking about the claims and information that the clients of CBs holding certificates publish on their websites. During file reviews and witnessed audits, ANAB has encountered numerous instances in which the scope and client information that the CB and client contracted differs vastly from what’s publicly advertised. Let me offer some QMS certification examples:
- Scope non-applicability: The organization wants to declare that design and development doesn’t apply to their scope of certification. So why do they offer design and development services on their website? Is the scope limited for the certification? How is it that that organization states it’s fully in conformance with the certificated standard on its website while offering services not included in the scope of certification?
- Scope coverage of the certificate: We understand some organizations don’t want to have their certificates cover the entire organization, so they’re limited to a subset of people and processes to satisfy certain customers. However, their websites and organizational information indicate their certificates covers all of their organizations, sites, people, or products.
- Definition of processes and their interactions: Organizations like to brag about their accomplishments and good ideas. In fact, they do so to try to garner new business, especially when first starting out or developing their digital presence. How long ago was that claim posted? Is it still applicable three or seven years later? Does it match what’s defined by the organization as its current processes and capabilities? Are the organization’s structure and its locations still the same?
If ANAB wanted to make sure we had NCRs to issue to CBs with respect to them validating what’s being certificated matches what the client organization states publicly, we’d have plenty of material to work with. This is easy to check and verify, but many CBs, auditors, and clients fail to identify the discrepancies between their internal documentation and external sales and marketing materials available online.
Not to be morbid, but what happens to your digital life when you die or quit monitoring it? Nobody’s in charge of checking obituaries and hitting the delete button for the digital remains (email messages, texts, photos, etc.) of the deceased. Your digital content doesn’t go “poof” and disappear. Unless someone is dedicated to editing or deleting content or you have specific self-delete instructions built into all your content, it lives on forever in the ether.
The same is true for organizations. Unless they maintain their digital content and keep it up to date, whatever they once put online stays there for all to see at least until their domain expires or is deleted. I can find presentations on the internet that I did 25 years ago that contain woefully outdated information. I didn’t post them and they're not tied to me directly, but it’s still there. The point is, certificated organizations need to be responsible for the content that’s digitally available. So CBs need to verify this content during audits.