Compliance Certification and Auditing

So the (not so quiet) elephant in the room at the ISO 20121 meetings is always certification. I have heard conflicting (and very confidently expressed) opinions/facts on the role of an auditor. On one hand I have been told that an auditor MUST include an informed opinion on whether an event has adequately identified its issues. (and put a plan in place to address them). On the other hand I have been told that an auditor must ONLY review the issues that the event/organisation has indicated are relevant to them.

Which is it?

Will an auditor look at an event and if there are glaringly obvious issues which have not been addressed, do they say there is a non-conformity as an issue is not being identified (e.g. staff don't have the skills and competencies to identify the issue, or top management are not really committed).

If the auditor would identify issues missed by the event and state a non-conformity then we have a few things at play:

1) the potential for a value judgement by the auditor/audit team
2) who makes the call on the significance and relevance of an issue?
3) the necessity for the auditor/audit team to have skills and competencies in events sustainability in order to understand what the issues may be in a certain set of circumstances.

If the other is the case, in that the event dictates what their issues are and that is the only thing the auditor looks at, isn't that a big old get out of jail card, leaving the standard virtually meaningless?

I understand that some issues will not be managed completely, for various logistical, commercial, resource and financial reasons, but it is the identifying and acknowledgement of them which is important, and a plan for continual improvement to eventually address all issues. (ok ISO, let's call them risks and opportunities).

Does anyone have an answer on this. (i.e. reference an ISO standard dictating this - I can't find it in ISO 17021 for example - let me know where it is if it is in that standard).


