The first thing you need to do when you are evaluating a potential supplier based on their ISO 9001 certificate is request that they provide you with a copy of the certificate itself. If the company is indeed certified, they shouldn't have a problem providing you with a copy of their certificate. When you have it, then you can make the following checks:
1. Only registrars are allowed to give ISO 9001 certificates. An organization cannot self-grant a certificate. So, look for the name of the registrar (e.g., DNV, BSI, ABS etc.).
2. Look for the name of the accreditation body (e.g., ANAB, UKAS, etc.). If you see a stamp from an accreditation body, you can find out if this accreditation body is a member of the International Accreditation Forum (IAF). If there is no stamp from an accreditation body on the certificate then you should be suspicious as to whether the registrar is competent to audit. A registrar may opt to not seek accreditation, but that may or may not be an indication of their ability and competency. Here is an excerpt from the ISO web site:
"In most countries, accreditation is a choice, not an obligation and the fact that a certification body is not accredited does not, by itself, mean that it is not a reputable organization. For example, a certification body operating nationally in a highly specific sector might enjoy such a good reputation that it does not feel there is any advantage for it to go to the expense of being accredited. That said, many certification bodies choose to seek accreditation, even when it is not compulsory, in order to be able to demonstrate an independent confirmation of their competence."
3. If there is a registrar name on the certificate, the quickest way to find out if the certificate is valid is to call the registrar directly and ask them to verify that they have issued such a certificate. Explain to their registrar what you are trying to do and they should be able to put you in touch with the specific department that can help with you with such situations.
4. Bear in mind that if an organization certifies Plant A, it doesn't mean that Plants B and C are also certified. Usually the certificate will tell you exactly which processes and locations are certified. So verify that your vendor's specific location and processes are certified.
5. Ensure that the certificate has not expired. If it has, then you can ask the company the reason why the certificate is expired. Valid reasons could be:
a. They already had their recertification audit but the registrar failed to provide the audit report on time and therefore they were unable to answer the nonconformities on time. In this case you should be able to get a copy of the recertification audit report. I have experienced this situation and the organization truly may not be at fault.
b. They were not ready for their recertification audit and decided to postpone it. In this case, you should expect to see an audit agenda, describing the new audit date. I have seen this situation also. In this case the organization itself is admitting they have shortcomings. See if they are actually working on improving the system.
6. If you have some time and access to the internet, you can actually go to the registrar web site directly and look for a list of their clients. An easy Google search could use the search words: ISO 9001 registrar.
Like it or not, not all registrars conform to the same audit standards or principles. Simply put, some registrars are better than others. I'm not being biased, but rather speaking from my own experience and what I hear in the ISO standards world.
In the case of an accredited registrar that is operating while its accreditation is under suspension, they are not authorized by the accreditation to give certificates bearing the logo of the accrediting agency (e.g., ANAB, UKAS, etc.) until their auditing practices are up to par with the accreditation body auditing practices and the ISO 9001 auditing standard as well.
When an organization is audited by a registrar that doesn't have good practices, the only one that stands to lose is the organization, because they are made to believe that their management system is conforming to the standard, when in fact, such a management system may have many opportunities for improvement. In some cases, the need for this improvement is severe. The problem is not just “not conforming to the standard” but rather not getting the full benefit of being certified, which means improving the processes and the business.
Of course, all audits are based on a sampling plan, however if a registrar decides to audit less days than those recommended by the International Accreditation Forum or another similar entity, then you may not be able to truly obtain a representative sample from which to audit.
A good supplier should be able to help you improve your quality by providing you with excellent products and services. If you have done your homework, verified at the certificate, and audited the company and you still think that the processes from your potential supplier don't match the level of quality that an ISO 9001-certified company should demonstrate, then go with your assessment. The fact that a company has a legitimate ISO 9001 certificate doesn't guarantee that they still meet your standards. Trust your instincts.
For more information about the ISO 9001 standard, see the Quality Digest knowledge guide, “What Is ISO 9001:2015?”