by Don Brecken
What should an auditor expect to find when auditing an organization’s internal quality audit program? What level of audit skills should be present? Where should he or she look to find these skills? Where should he or she begin?
The most obvious place to start when auditing an organization’s internal quality audit program is with the quality audit procedure. Requirements for this procedure are described in ISO 9001 clause 8.2.2. Though not required, the organization should reference ISO 19001 for guidance when developing its quality audit procedure and program. If an organization’s internal audit program is found to be subpar, it’s often a result of its failure to embrace ISO 19001’s guidance when developing its program.
The ISO 9001 Auditing Practices Group has published several helpful guidance documents on various topics related to the ISO 9000 series of standards. “Making Effective Use of ISO 19011” is one such guidance document. This document provides guidance for first-, second-, and third-party auditing of quality management systems (QMS).
Although ISO 9001 references ISO 19011 in its clause 8.2.2, third-party auditors shouldn’t expect the organization to comply with these guidelines. The standard contains options relating to auditing methods and auditor competence, but these suggestions aren’t mandatory. The guidance document further indicates, “It is up to each third-party auditing body to use the guidelines to the extent appropriate to their needs and relevance to their own working practices.” Although helpful, this shouldn’t include expecting an audited organization to conform to ISO 19011.
Often forgotten when auditing an internal audit program is ISO 9001’s clause 6.2.2, which pertains to employee competence, training, and awareness. Audit team members, just like anyone else in an organization, need to maintain certain skills to perform their jobs effectively. Another ISO 9001 Auditing Practices Group paper, “Making Effective Use of ISO 19011” provides guidance on the competence and evaluation of auditors. The latest version of this document emphasizes the importance of employee competence and minimizes the prescriptive qualification criteria for auditors that was described in ISO 10011-2. The paper defines competence as “demonstrated personal attributes and demonstrated ability to apply knowledge and skills.” This guidance places less importance on “prescribed levels of education, workplace, and auditing experience, and numbers of completed audits.”
Peter G. Northouse, author of Leadership: Theory and Practice (Sage Publications Inc., 2009), defines leadership skills as “…the ability to use one’s knowledge and competencies to accomplish a set of goals or objectives.” Can we as third-party auditors expect to find different kinds of skills required at different levels of an audited organization? Should we expect to find the same within an internal quality audit program? According to Northouse, technical skills necessary at different levels of the organization will vary depending on the level of leadership. He suggests that technical skill is more important for lower- and middle-level leaders than it is for top leaders.
The Northouse claim may not hold true for an organization’s internal audit program, in which the audit program leader will likely have far more experience and be more highly credentialed than those performing the audits. Consider figure 1, which shows how competence of auditors are documented for my organization. Third-party auditors should expect to find some type of evidence about auditor competence and qualification, such as this matrix, which shows how the organization tracks the qualifications (the skills required to perform the job) of its internal auditors.
This matrix, albeit a good practice, is only a representation of auditor credentials. A third-party auditor should expect to find source documentation to back up the claims made in the matrix. In the case of this matrix, our third-party auditor will find training attendance records and auditor course certificates that are maintained and readily available for access by the auditor.
Figure 1: Auditor competence: Internal auditor qualification matrix
What should we expect to find when auditing an organization’s internal quality audit program? What level of audit skills should be present? This answer is this: We should expect compliance with applicable standards. If we expect anything more than the skills required to support the organization, then we are not being objective auditors.
About the author
Don Brecken is the director of quality for Commercial Tool & Die Inc. His background includes quality leadership, management consulting, registration and surveillance audits, and quality system implementation.
Brecken is a fellow of the American Society for Quality (ASQ), a certified manager of quality and organizational excellence, an RABQSA business improvement auditor, and has served on the board of examiners for the Malcolm Baldrige National Quality Award. He is also a deputy regional director for ASQ’s region 10.
Brecken earned his MBA in strategic management from Davenport University’s Sneden Graduate School. He also has three undergraduate degrees in business with a technical specialty in quality leadership. He instructs a variety of quality and management-related courses for Ferris State University and Davenport University’s undergraduate and graduate programs.
Tags: auditor competence, auditor qualification.