Let's begin with a question: What is an ISO Internal Auditor?
When the expression Internal Auditor is used, it refers to an auditor who participates in, and perhaps leads, an ISO management system audit of his/her own organization's management system.
Are Internal Audits Necessary?
Internal audits are a mandatory and necessary part of an organization's obligation to demonstrate ongoing compliance with the requirements of the ISO Management System Standard(s) to which the organization subscribes.
At a practical level, internal audits help ensure that when external auditors come to check compliance - either a Certification Body auditing as the basis of continuing certification of compliance or Supplier Audits as the basis of placing business with the organization - there will be few if any non-compliances to be discovered.
Additionally, internal audit programmes are a great occasion to identify opportunities for improvement. After all, it is during internal audits that auditors are talking with the very people most familiar with the day-to-day workings of the organization.
The Internal Audit Process
ISO Internal Auditing then is not a boring box-ticking exercise but instead an engrossing set of activities involving:
- the interviewing of people doing the work that makes your organization a success,
- observing the workplace in action,
- checking workplace activities and processes, as well as
- scrutinizing documents and records.
Advantage of Being a Certified Internal Auditor
As experienced internal auditors have knowledge of the processes and activities at many levels and functions within the organization, they are frequently chosen for promotion ahead of their colleagues.
Internal Audits: Business Applications
The finance profession tends to use terms like internal auditor and lead auditor as if they only apply to the finance sectors.
It's best to refer to ISO Internal Auditors and ISO Lead Auditors with regard to these standards.
Where do the different ISO Standards fit in?
An auditor trained in the requirements of ISO 9001, the quality system standard, is not equipped to audit against the requirements of, say, ISO 14001, the environmental management system standard. This is for the simple reason that the two standards have very different objectives and significantly different detailed requirements.
So, an ISO 9001 Internal Auditor would need additional training (an ISO 14001 Extension Course) before they were capable of conducting an ISO 14001 audit.
How then does one become an Internal Auditor?
It’s not about getting a Certificate
Once upon a time it was 'certification equals competency' and organizations like IRCA built a recognized Register of Auditors.
As ‘the only game in town,’ Lead Auditor training was taken not only by Certification Body Lead Auditors but also by Consultants and QHSE Managers (especially in their role as Audit Programme Managers) wishing to develop their skills and expertise.
Since 2011, a Lead Auditor Certificate alone is no longer acceptable as proof of competency. ISO 19011, the Guidelines for auditing management systems, made this clear by defining competence as the ‘ability to apply knowledge and skills to achieve intended results’.
Registers of Lead Auditors are redundant. And a register of internal auditors was 'never a thing'.
And what then is the relationship between internal auditor certification and competency?
Required Competencies for Internal Auditors
ISO 19011 sets out 4 headings for determining auditor competence. They apply equally to internal auditors and to lead auditors, namely:
- General: organizational knowledge, skills and experience; working experience is essential.
- Personal behaviour: a range of personal attributes and professional behaviours are needed including ethical, open-minded, diplomatic, observant, perceptive, tenacious, decisive, culturally sensitive, ability to act with fortitude, etc.
- Knowledge and skills: to successfully complete an audit, generic competence (including auditing skills) and a level of discipline and sector-specific knowledge and skills (i.e. of the applicable ISO Standard and of the economic sector being audited) are required.
- Achieving Auditor Competence: after ISO Auditor Certification, building experience by regular participation in audits.
So, what are the steps involved in becoming a competent ISO Internal Auditor?
5 Steps to ISO Internal Auditor Competency
Here are the steps you need to take …
- Satisfy yourself that you have the temperament and personal attributes needed to be a successful Internal Auditor.
- Check that you have the technical experience, subject expertise, supervisory and managerial experience needed to conduct an audit.
- Complete an ISO Internal Auditor Certification Course – either a 2-day conventional course or a 12-hour online course.
- Undertake internal audits as often as possible – 3 times a year is considered the minimum needed to maintain auditing skills.
- Finally, have yourself evaluated as a competent internal auditor. Typically this is done by a QHSE Manager, or equivalent, and recorded in your personal training/competency record.
‘Horses for Courses’
Of course, internal auditing of a single ISO Standard (usually ISO 9001) may not be the limit of your ambition.
You can extend the range and type of audit you conduct by adding another standard to the scope of your auditor certification (e.g. take an ISO 14001 Internal Auditor Extension Course - 8 hours) or raise your game by taking a Lead Auditor Course (those responsible for Supplier Audits often do this to ensure the depth of knowledge necessary to adequately carry out such an audit).
For more in-depth information we recommend you read ISO 19011:2018, especially:
- Part 7: Competence and evaluation of auditors, and
- Annex A: Additional guidance for auditors planning and conducting audits.