How competent are your Internal Auditors?

Internal Audit 3

And have you any objective evidence to demonstrate such competence?

ISO Management System Standards require that persons involved in such systems be competent and training is an essential part of building such competence.

Let’s consider internal auditing of the 2 most popular management system standards ISO 9001, the quality system standard (QMS), and ISO 14001, the environmental management system (EMS). And the frequently heard claim that 'we've not had a problem with internal auditing until now'. Well, that has changed; in fact it changed 5 years ago but few noticed!

Historically, internal auditors have not been formally trained and certification bodies (CBs) have accepted this practice. Furthermore, CBs have accepted internal audit programs based solely on the auditing of procedures, work instructions and other lower level documents.  With many organisations now migrating to the 2015 standards, the question arises as to whether the traditional approach will continue to be acceptable. Examination of ISO 9001:2015 and/or ISO 14001:2015 clearly indicates that formal training will be necessary.

And why have we selected 5-year old Standards? it's because Internal Audit Programmes and Internal Audit Reports continue to demonstrate on a very regular basis that the requirements relating to Internal Audits are not adequately addressed and that incompetent internal auditors are commpnplace.  And this 5 years after requirements changed!

In this article we set of 5 reasons why such training is a ‘must’, the first 3 arising directly from the Standards themselves and the final 2 being concerned with maximising the benefits can be achieved with best internal auditing practice.

Reason 1: Major Changes to Both Standards

Major changes have been made to both standards, including many for which documented procedures are unlikely to exist. Consider just four such examples...

  1. Context of the organisation, where the monitoring and review of information regarding external and internal issues affecting the organisation is an entirely new concept
  2. Leadership, where the involvement of management is greatly expanded and the need to involve top management in internal audits is a requirement,
  3. Planning, where the auditing of actions to address risks and opportunities is now a requirement and, consequently, an understanding of the application of these terms is needed, and
  4. Organisational knowledge, where both the consideration of tangible and intangible assets is needed.

Internal Auditors will need to understand these terms as well as their interpretation and application.

Reason 2: The requirements of clause 9.2 Internal Audits

Could someone auditing the effectiveness of implementation of procedures alone fulfil the requirements here?  Sub clause 9.2.1 a) 2) requires audit evidence on whether the QMS/EMA conforms to ‘the requirements of this International Standard’.

Without training, it is unlikely that an internal auditor will understand the requirements relating to policy, processes, procedures and other documentation (including records).

Reason 3: The requirements of clause 7.2 Competence

Sub-clause b) here describes competence as an appropriate combination of ‘education, training or experience’. Note that here the word ‘or’ is inclusive and should be interpreted as ‘and/or’.

Sub-clause c) requires the organisation to ‘take actions to acquire the necessary competence’.

Education and experience alone cannot make someone a competent internal auditor. And ‘sit by Nellie’ is hardly an effective or credible training method.

Any reasonable interpretation of clause 7.2 requires internal auditors to be formally trained.

 ISO 9001:2015 Internal Auditor

We next turn to two reasons concerned with turning internal auditing into an opportunity…

Reason 4: To secure the benefits of good Auditing Techniques

To thoroughly audit a QMS/EMS it is necessary that internal auditors mimic the behaviour of CB auditors.   External auditors use many sources of information, which will vary depending on the scope and complexity of the audit, and may include the following…

  1. interviews with employees and other persons;
  2. observations of activities and the surrounding work environment and conditions;
  3. documents, such as policy, objectives, plans, procedures, standards, instructions, licences and permits, specifications, drawings, contracts and orders;
  4. records, such as inspection records, minutes of meetings, audit reports, records of monitoring programmes and the results of measurements;
  5. data summaries, analyses and performance indicators;
  6. information on the auditee’s sampling programmes and on procedures for the control of sampling and measurement processes;
  7. reports from other sources, for example, customer feedback, other relevant information from external parties and supplier ratings;
  8. computerized databases and web sites.

Without training in these techniques, it is likely that weaknesses and non-compliances will be left undetected, and be found subsequently by external auditors.

Reason 5: To harvest improvement suggestions

Internal audits offer a convenient and relaxed opportunities for personnel at all levels and functions within the organisation to point out defects in systems and procedures, and to suggest many small improvements (and occasionally a major improvement) to management systems. By capturing, reviewing and implementing these suggestions, you help ensure the robustness of the QMS/EMS.  And every nonconformance avoided represents a real saving of time, money and other resources.

Consider for a moment how much better your internal audits would be in gathering interview evidence, and in identifying improvement opportunities, if they followed the following 6-step guide…

  1. Begin with an Open Questions (as in ‘open-ended’ - What is the role of your function? How do you do that?)
  2. Ask Specific Questions to get specific information (Which were the lot numbers involved?)
  3. Ask ‘What-if’ Questions go get more information on a topic.
  4. Ask to see the records, documents & other evidence
  5. Listen; don’t talk except to ask questions or paraphrase answers.

It is only with trained internal auditors familiar with these methods that your organization can benefit.

Conclusion

We would suggest that formal ISO 9001 internal auditor training and/or formal ISO 14001 internal auditor training (with certification examinations) is the best approach...

1. to ensuring the competency of internal auditors and

2. to maximising the potential benefit arising from the internal auditing process, which process you cannot be avoided.

Of course, we have a vested interest; we are an online ISO Auditor Training Company, after all.  However, that doesn’t mean that everything stated above isn’t absolutely true!

 ISO 14001 Internal Auditor

Written by Dr John FitzGerald

Director and founder of deGRANDSON Global. After 15 years in manufacturing industry John has spent the past 25 years training, consulting and auditing ISO 9001 and other management systems. 'Our objective is to be a world-class provider of e-training using the best proven technology so to satisfy and, hopefully, delight all of our Learners. Great commercial success and professional esteem will surely follow.' Full profile: https://degrandson.co.uk/team/john-fitzgerald/
Find me on:

Related Articles…