Competence Requirements for Internal Auditors

Nope. In 20+ years, just two bad experiences. But in those years I also learned to pick your battles and how to make things easy for the auditors. While I agree that the number 1 goal of the QMS is to benefit your company and thus you shouldn't do anything "just for the auditor" there is a strong secondary goal which is to pass an audit with as little stress as possible.

So you're claiming the auditor is incompetent because he referenced section 9.2. I see no such reference. The only reference is to "internal audit process." And it wasn't even a finding, more like a heads up. When asked for clarification, he pointed to 7.2 which requires competency criteria.

Linda's question was do they need internal auditor training. Sure the technically correct answer is -- no, not specifically required by the standard. But for a small company of 12, just starting its journey, it's probably a good idea for someone to have such training at some point in their career. As I have said, it's an efficient way to get the knowledge. So when the auditor asks, how do we know auditor Bob is competent -- you can show him Bob did training with xyz and did these 3 audits in which he did a great job. Then your moving on to more important stuff. Or you can argue that Bob doesn't need training and he learned internal auditing thru osmosis.

 

As I said originally , my history is ISO9001 with my previous company of 28 years. We went through multiple iterations before we found a system that worked for us, working with auditors that would tell us..."no do it this way" only to be told by the next one from the same company...."who told you that? it is all wrong"
The end is that I was hired to help implement AS9100 for this company and I want to make sure it happens for them as painlessly as possible, in a manner that will lend itself to becoming an integral part of the day to day of the company, not something that is so painful that no one wants anything to do with it.
If training is required I want to recommend it, but I want it to be training that will be the best for them and give them the best chance of not only getting certified but also maintaining the certification. Spending hours on training that will have little or no application in any environment serves no purpose and wastes money.
It is easy to get soured on auditors, not all of them are good at being objective Andy you are right - it is the legacy we leave for others, I don't intend to be a person who does just enough to get by and lets the rest slide. If I start with internal auditor training it will be up to me to prove my competency going forward and that is the direction I will go.

I appreciate the input from everyone, it keeps a broader perspective doesn't it? Any other thoughts of suggests please add them as you think of them.

Watch this space for updates.

My best to everyone,

Laura

 

You're just arguing in circles. Sure they could contract out internal audits, but if they don't use you, they'll have the same questions in your paragraph 2. How do you know? You don't -- But you ask around and seek out recommendations. Welcome to the real world.

 

So what does Laura do?

Your right there are hundreds of training options. is a 4 hour class good enough? 8 hours? 24 hours? How do we tell if there focus or accreditation is as it should be?

What about hiring someone from outside? what is the cost of that? should I tell our company that hired me to do this that not only they have to maintain a full time rep but they either have to put more money into training or commit to a constant outlay of cash for a auditor to come in 4-6 times a year for internal audits?

 

What was your plan for internal audits? Who did your internal audits to get to your stage 1?

 

The company had a consultant that came in and did the initial set up, I was hired to basically interpret what she set up for them because after she left they still felt in the dark.
They did a internal audit for us just before our stage 1, with Covid, that happened literally a couple days before our Stage 1.

What was your plan for internal audits?

The outside consultant was going to perform them until I got more experienced, then as the Management Rep, the expectation would be that I would do internal audits as well.

 

Laura,

I'm simply gonna tell you what several AS9100 certified companies I know of have done: Send their "lead internal auditor" to a 3-5 day class titled something like "AS9100 Internal Auditing" or "AS9100 Lead Internal Auditor" or "AS9100 Lead Auditor". Have that "lead internal auditor" person "train" and then "certify/verify competence" of other "internal auditors" within the company, and document it. Some form of evaluation or testing often accompanies the "training", especially if the internal auditors are inexperienced.

In the real world where most of us live, working in the middle of the organization with 2 or more bosses above us, there are 2 things you need to do, and do as efficiently as possible: 1. do what you need to do to help your company, and 2. satisfy the registrar auditor so you get/keep your cert. Hopefully there is a lot of overlap there, but invariably there will be some things you do "just to satisfy the auditor". Yeah, I know to some purists that last part is heresy, but nevertheless it is real life for most of us.

 

I went back over my notes from the Stage 1 audit, which was our documentation audit.

from my notes - We have a written procedure for how Internal Audits are to be performed. Our Stage 1 CB auditor said that the auditor qualifications should be noted in the procedure, it should note minimum competence requirements. Then he suggested that AS9100 Internal Auditing Training was a acceptable training record.

from my notes - we need to determine minimum competence for the internal auditor - if it is our internal audits and we are supposed to determine competency - why is he able to tell us that the specific auditor training would be sufficient?


"Did the consultant have any qualifications, like CQA?"

Our consultant came to the company before my hire, I understand that she was recommended to us by the CB company, I have records of her training which seems extensive to my AS9100 untrained eye, but appears to be diverse, it did not give myself or my boss reason to doubt her.

 

Sounds to me like he is simply suggesting that you identify the required competencies for your internal auditors. Your auditing procedure is likely a good spot for it. Since you are using a consultant who I assume has the internal audit competencies, you should be fine. When you are trained and competent, "fire" the consultant. It's really not worth a big fight.

 

You act like people are stupid or something. Obviously, if they have competency determined elsewhere then they can just handle it there.

 

God forbid an auditor gives a client a "heads up" on something to watch out for in the Stage 2 audits. If it's already taken care of then there is no problem. If not, you have a chance to fix it. Auditors aren't robots, they are people. And in most cases they are looking out for the best interests of their clients. And clients aren't stupid. They can figure out if and where they address a particular issue in their system to avoid duplication. They can also choose to ignore 100% of what the auditor says.

 

Good day all;
I'll chime in for a bit if I may.

In my professional experience, most organizations and the individuals within those organizations (often the "gal" or "guy" tasked with the "ISO stuff" responsibility. I'll leave that for another discussion), views the auditor as one views a medical doctor. The doctor (auditor) tells you to disrobe, and we simply obey (even if we are there because of a sore thumb), because we give them a "god like" status. @Laura N. is likely an exception to this, as made clear by her wise and well articulated post on Friday, @ 2:31 pm

@Golfman25 is correct. The majority of the auditors I have dealt with are intelligent, cooperative, and care deeply about their chosen career and their clients.

However, as @Andy Nichols correctly points out, that good-hearted/intelligent nature of most auditors does NOT excuse wrongly placed "suggestions" and bogus "non-conformance findings". Many of my clients have blindly followed an auditor down a foolish path because in most cases, those organizations hear the auditor "tell" them to do something and so they simply follow that "advice/direction" and add burdensome layers of meaningless/cumbersome requirements to their QMS. Often these additions result in "due dates' or "check lists" or...., which require someone in the organization to constantly feed the monster they are creating.

The intent and scope of ISO standards are clearly laid out in the scope of each standard, with the requirements obviously following within the body of the standard. Anything more is simply wrong UNLESS it is at the need/will/in-the-benefit-of, the organization. There's a practical principle to NOT allowing auditors to extend beyond that. @Laura N. sums it up best herself when she states..."it is the legacy we leave for others".

Hope this helps.
Be well.