Competency of internal auditor

If a person can be given instructions to such detail and do a check of procedures, etc. on the behest of a process owner, what is the need for an internal auditor?

Does anyone need to know the standard in order to provide information on whether the quality management system is effectively implemented and maintained? If so, who? How will that knowledge be used to collect the low-knowledge auditors' checkmarked boxes and determine system effectiveness?

I agree that there is a lot of bad information about the standard out there. I've been blocked from a LI forum for pointing it out. There is also variation in training/informational session offerings by registrars and consultants. Some are accredited, some not. I've attended a Lead Auditor course in AIAG in which we were told the client must use the core manuals; TS 16949 lists no such requirement. There is, admittedly not nearly enough oversight of training provided.

All that being the case, I believe there is still no logical reason for internal auditors to not have knowledge and understanding of the standard they are evaluating effectiveness against. How they get it is less of an issue than that comprehension of the subject matter combined with skill to apply it results in the competency that 7.2 asks for.

 

You can get that without knowing chapter and verse of each clause...

 

Internal auditors have, firstly and fore-mostly, to be familiar with business process, what (typically) are the relevant objectives and how the processes are measured to show performance to those objectives.

The main issue I have is NO ONE ever advocates for this, but instead, argue over auditors "knowing" the ISO requirements like it's some kind of rite of passage to do a good job.

Here's the deal: Virtually no training course for auditors goes over the things I've just mentioned, but boy is there a lot of discussion about what's in ISO! Go and check some training courses content - a 2 day course for IA, with 1.5 days going over ISO! Result? People leave the training feeling some kind of "power" that they can "interpret ISO better than anyone, but in truth it means little to nothing when considering their real responsibilities as an auditor. Those of us who have conducted internal audits and coached internal audits (in my case over 20 years of this) will have also seen those hapless candidates searching in the requirements of the standard for something they can "pin" their observations to. I'll even guarantee that if I pose the question - "why is there a requirement to do internal audits?" here - there'll be a significant variety of responses, yet most here have read the ISO requirement many, many times.

Sure, if you believe an internal audit is one which emulates the CB process (which it clearly isn't), then we'll always do what we've always done which is pass audits and delay the value we give to management. While audit findings reference ISO clauses and grades are used to communicate severity auditors will continue to confuse management. While planning for internal audits is done on a "push system" to an (arbitrary) 12 month calendar which ensures internal audits cover all "elements a year" or something similar, no-one will ever see any value from internal audits, other than keeping a certificate on a wall...

 

So, what about the process owners "knowing" ISO requirements? What's being promoted is like making QC people into product designers, so they can second guess the people who are responsible for the designs! That way, nothing can "escape". Why does no-one promote the organization's leadership understanding the relevance of ISO 9001 to their processes etc? Where's the courses and suggested training for them? NOT promoting the Process owners to understand ISO requirements is far more counter productive, IMHO...

 

I have no question that internal auditors should be familiar with business process, what (typically) are the relevant objectives and how the processes are measured to show performance to those objectives. Indeed, that is more important than ever as the process approach is being more strenuously pushed for internal audits.

There is also no question in my mind that process owners should have a greater understanding of the standard than many have had in the past. That too is becoming more important as the Management Rep is no longer an assigned requirement with a list of responsibilities.

The standard's language has been changed to, if I understand the intent right, demystify the requirements and make it less of a Jedi religion and easier for everyone to follow and conform to. After all, the certificate requires demonstrated conformity. Should those process owners gain robust understanding and wish to audit each other, that would be great: eliminate the need for internal auditors. Only they will have become internal auditors. This is also fine. Audits will still be required. Whoever does them should be knowledgeable about the standard so the certification can be transitioned and maintained.

There is still enough confusion surrounding the requirements (people are still overthinking it) that training/education, including self-study, should take place so whoever is doing the audits can be competent (7.2) and organizational knowledge is maintained (7.1.6). No one comes from the egg knowing this stuff. Learning is required. That learning, however does not replace nor should it undermine the pursuit of value-added auditing. I would hope that the activities listed within the standard provide value when effectively implemented. Value and conformance to requirements can and should be complimentary, not mutually exclusive.

 

Sadly, this is what they get as a message from auditor training, since the vast majority of training uses a model of auditing which has it's roots in external audits! And that's the objective of that training, for the most part...