Competence Requirements for Internal Auditors

Hi Laura and welcome to QFO! To help us a little more, can you share the basic report wording on the Area of Concern?

Having worked for a Leading AS91XX Certification Body and having taught AS9100D Auditor courses for a while, I don't specifically remember a requirement which stated that the internal auditors HAD to be identified. What I DO detect is "mission creep" which happens a LOT in the Certification world. The CB auditors are held to a standard for their performance and then, BLAM, as if by magic, that requirement is flowed down to clients. Let me go check my copy of AS9100D, but I was an internal auditor for a few 9100/9120 clients and NO-ONE ever questioned my competency being written down. Indeed, we didn't EVEN WRITE an audit procedure.

The answers to your questions are coming to a post near here soon...

 

Let me begin to answer this by saying DO NOT GO to "Lead Auditor Training". You will pay more than is necessary for stuff you don't need and will end up seeing all audits through the eyes of the external auditor and that's NOT what internal auditors do!

Let's call "full on" auditing as Internal Auditing. There are literally hundreds of classes available, in all kinds of media - classroom, self paced and Youtube videos. An effective instructor-led course is no fewer than 24 hours, if the fullest value is to be had for the cost. Anyone who thinks they can attend/deliver such training in 2 or fewer days is off their meds. I mean that seriously. Some courses have an accreditation by "Probitas" or Exemplar Global, but often they also teach internal audit through external auditor optics. Beware. Your local MEP might have training which can help - there's often state funding to help small businesses.

 

In the cold light of morning, here's a thought: Maybe your CB auditor saw something about the results of your audits which gave rise to them thinking your audits were "immature" (a euphemism for "not cutting it"). It's like other things in life, it's one of those "know it when you see it" deals. So, the auditor thinks your audits could do with being more effective and yet, there's nothing much in the standard which describes what that is. A default position for them to comment upon is the competency of the auditor, since the auditor must not be seen to be pushing auditor training (many CBs offer such ~ see comments above). Let us help you:

If you would post examples of your internal audit documentation, sanitized as necessary to protect identity of company etc. this will give a clue to the genesis of the auditor's comments.

 

No, it isn't! Training is training! Competency is the ability to apply that training (and other stuff). TBH - your auditor isn't competent because they are making that assertion! If they were to think about it, coming out of driver's ed, does that make you a good driver? Not in any way I've seen...

That is a conclusion the auditor would like you to drawn, especially since the CB which employs them probably offers such training courses.

Of course, however, competency can be shown by other means. You don't mention if you had a QMS before AS9100D. If you did, auditing is auditing. If some folks had already had training, they really only need to know the AS9100D requirements. That could be accomplished internally, if YOU believe your auditors need to be competent in the standards.

I happen think it's better to have someone who knows the processes of the company really well than can list the "shalls" in AS9100D and when they write their report they know the difference between "there", "their" and "they're"...

 

No, no, no! All this does is pass an audit (which is a very low bar as you well know) and create a monster! That monster will require feeding and it leaves Laura to do that...

The auditor has done the wrong thing. He has determined what he thinks is the root cause. It's a symptom. He a) should have reported the FACTS and b) allowed the client to determine a course of action to get them to meet their objective! We've know each other here to know we don't see eye to eye over many aspects of implementation of Quality Systems. It's simply a case of knowing what the options are and understanding what the pros and cons are. Your comments don't even address whether the organization have a clue this was a requirement and then did nothing about it, preferring to react when written up! There's the root cause!

Why shouldn't Laura's organization bring in - in some manner - a competent auditor? What course should they select, if they reset and choose to get trained? Should that training be in a course on done on site? You claim you're competent which may be, but that is only viewed through your eyes. Laura has plenty of options and automatically going down the path the auditor has set for them IS NOT necessarily the most effective. Offering a simple "this is what I did" is very dangerous to everyone who reads this without understanding what I just described as options

 

Not at all. Facts are facts. Not assumptions.

You have NOT quoted the auditors words correctly. Facts! You stated:

He reported the wrong thing! Nowhere in the standard does it say anything about the internal audit process and competency. You are both projecting what you want to see, which is erroneous at best.

Many people starting off have no clue what the competency criteria are. They send "volunteers" to training, without that and, as a result, the training is wasted, because the volunteer cannot construct a grammatically correct sentence! What YOU did may have accomplished your goal of passing an audit, but that's NOT what implementing an AS9100D QMS is about.

 

Where did THIS come from? And NO, a training record is NOT competency. Period.

 

Aha. Actually, it doesn't change a thing. Training is NOT evidence of competency. It's evidence of training. The CB auditor cited section 9.2. That's not the correct requirement, since there's no requirement in there which mentions competency. That's 7.2. Doubly wrong. I wouldn't be asking this auditor back, since they are clearly demonstrating a lack of competency in AS9100D requirements...(but it's OK, because they have a certificate from a Lead Auditor course, right?)

 

Exactly. The standard requires retained documented information (in 7.2, not 9.2) of competency, not training. Training is an option to take as action to develop competency and NOT the only thing which may be done. A record of training, is (for the most part) meaningless.

Laura: Having been in the certification world for 30+ years, too many CB auditors will audit you against their "wish list". Some have less experience than you do in the requirements. It's simply not a case of dismissing such situations as "minutiae" (the devil is IN THE DETAILS) and it's not about arguing with auditors - it's understanding what's required, not opinion. I believe Golfman, from reading his many contributions here, has had many bad experiences with auditors - that's his choice to pay the money and not to engage with them on poor service. His choice. Laura, you may not have that luxury. Your job may depend upon it. It's the legacy you leave for others...