by Ver-Non T. Wakefield
You are establishing your company’s quality management system (QMS) and you have to establish an internal audit program, but you have one problem: Whom do you choose to become your organization’s internal auditors? Before you can make this decision, you have to determine how to qualify a candidate before you choose one. The auditor qualification process has plagued many an audit manager.
Determining what exactly is required for qualifying an internal auditor is an audacious task in and of itself. The scopes of ISO 9001:2008 and ISO 19011 include guidance in establishing an effective internal audit program, as well as guidelines for qualifying an internal auditor. Yet the system allows enormous organizational latitude in establishing an auditor qualification program or system. The smaller the organization, the more latitude it will have in determining how many auditors are qualified; if they will be a dedicated staff or part-time auditors; and, most important, what their organizational empowerment will be.
Auditor qualification–Evaluation criteria
To establish a baseline for the auditor qualification program, the audit manager should review the applicable standard that the auditors will be auditing to and know the definition of internal audits and auditing.
As internal auditing and the internal auditors are doing the audits for the benefit of the company, one can define internal audits as the validation of the organization’s processes against the known standard.
Auditor qualification–Understanding the requirements
Three clauses of ISO 9001:2008 in particular need to be understood clearly to guide development and evaluation of the internal auditor and auditing process: 6.2.1, 6.2.2, and 8.2.2. Brief descriptions of the content are provided here. For precise wording refer to ISO 9001:2008.
- Clause 6.2.1—General. People performing work affecting quality should be competent.
- Clause 6.2.2—Competence, training, and awareness. Likewise, these people will be trained. Whereas, the meaning of competency can be best defined when segregated into two distinct categories: knowledge and ability or skills. People will have to be trained or evaluated to determine what is necessary for successful implementation. Additionally, training will be evaluated to determine its effectiveness and records will be maintained.
- Clause 8.2.2—Internal audits. For an organization’s successful QMS implementation, internal audits will be scheduled and conducted. Auditors’ assessments will be unbiased and impartial. Most important, auditors won’t be allowed to assess their own work and management will diligently work to resolve any findings and/or QMS breakdowns.
The relevance of clause 6.2.1 of ISO 9001 in establishing an auditor qualification program is doubtful. Even though the relevant takeaway from this section concerns product requirements and competency, it’s undecided whether an internal auditor would affect these factors. Clause 6.2.1 is relevant, however, because it’s the first section to point out that employee competency is critical. Clauses 6.2.2 and 8.2.2 are areas that should be reviewed, as clause 8.2.2 ultimately directs us to ISO 19011, a supplement to ISO 9001, for further guidance.
In utilizing ISO 9001 and ISO 19011 to determine what’s really necessary when qualifying an internal auditor, managers must consider the complexity of the company’s processes and QMS. Yet, these standards don’t really define, and, in some cases, don’t help the manager to define the requirements of a program’s implementation. As the audit manager, defining these requirements is your responsibility and understanding what you are auditing is critical. In the end, ISO 19011 allows for the audit criteria to fall under the discretion of the audit manager.
Nothing prevents a company from establishing systems that fit its resources and budget. The key questions that have to be answered are whether the process is effective, how it’s measured to determine its effectiveness, and if it’s measured against the agreed-upon standard. As a reminder, the expected outcome should always be directed to a satisfied customer base.
The use of ISO 9001 and ISO 19011 throughout is not a directive on an organization’s internal audit program, but these standards will help any audit manager to establish the program’s foundation. Because not all organizations audit to the International Organization for Standardization (ISO) family of standards, the language in the audit programs will trend to discussing the “known standard.”
Most important in structuring any internal audit program and applying the principles of competency is that auditors have a technical understanding of what they are auditing, be objective, and know audit principles and practices. This information should be addressed in the internal audit procedure. At a minimum, the procedure should address:
- Communication: The ability to read, write, and talk in a professional manner.
- Knowledge: The ability to independently work, think, and rationalize practices.
- Technology: Auditors must understand the technology they will be expected to use.
- Auditing practices: Auditors must understand basic audit practices and procedures.
Auditor qualification–Customize to fit
The issue of auditor competency begs the question of what standards are used to evaluate the internal auditors’ abilities. At a minimum, your organization’s evaluation criteria should include evidence of these elements:
- Classroom training on the standard, e.g., in-house training, consultant, college coursework
- Training under a qualified trainer
- An understanding of the organizational quality manual and procedures
- Familiarity with the organizational internal auditor procedure
Once the above items have been completed, the criteria should focus on assessments of:
- Audit preparedness, i.e., working on audit schedule, audit planning, and audit review
- Time management skills
- Interview techniques and skills. Focus on asking open-ended questions during audits
- Audit trail and follow-through
- Ability to manage the entire audit
- Audit to the defined scope
The auditor qualification process could also include a requirement that an auditor be able to:
- Interpret the required standard.
- Interpret the organization’s QMS.
- Understand organizational metrics and measures.
- Work independently.
- Speak in a professional manner.
- Follow audit trails and complete the nonconforming process when necessary.
- Avoid the desire to consult.
After the organization determines the criteria that fit it best, it can determine internal auditor competency through tests, interviews, employee performance appraisals, or by evaluation of the effectiveness of the internal audit process by comparing its results with third-party audit results. In some cases, these results will be compared to the overall customer satisfaction.
Additionally, the effectiveness of internal auditor training can be assessed through reviewing completed internal audits and looking for effective balanced feedback (i.e., strengths, opportunities for improvement, and nonconformances). These results of the effective feedback would clearly show improvement of the processes as an output of the audits.
High-risk processes, such as health and safety and environmental, should be audited by auditors that have technical knowledge of them. Auditing processes where the risk levels are high may require additional training. Note that a substitution for industry experience to perform these audits cannot be overridden.
Auditor qualification–Effectiveness of the QMS
There are no specific requirements about what an internal auditor program should be. A company will be compliant with ISO 9001 if its organizational structure has adhered to the intent of the standard—management has documented, implemented, controlled, and demonstrated that the organization’s systems are verifiable and evidence shows that it’s reliably registered with a robust system. One would note that organizations audit and evaluate to improve and having competent internal auditors helps organizations to achieve this.
ISO 9001 provides organizations with a set of tools and direction for guidance and understanding, but it gives them the freedom and latitude to design their QMS according to their individual needs. As the organization and audit managers develop their understanding of the standard, it’s important that they not get lost in its details. The criteria presented here can serve as a baseline for discussion and interpretation of standard.
Whether the organization is using ISO 9001 as a baseline for quality improvements or interpreting an organizational/customer-defined standard, the organizational structure has to keep these central points for establishing an effective internal audit program in mind. The outcomes should indicate that the organization’s goals are to manage risks, define whether or not processes effective, add value for the customer, and continuously improve the organization as a whole.
Realistically, the audit team will have to understand that ISO 9001 is a fluid, objective goal and as the customer’s requirements change, so will their understanding of the standard and their auditing practices. In some organizations, the audit team’s training will have to focus on multiple standards and the audit team’s skill set will have to include the ability to easily adapt to change.
“Auditing may be thought of as the process of comparing reality with requirements,” says Dennis Arter, trainer and author of Quality Audits for Improved Performance (ASQ Quality Press, 2002) and several other books. “This comparison results in an evaluation to the stakeholders or interested parties. Managers want to know if their requirements are achieving the necessary controls. Stockholders want to know if the company is being efficiently run. Regulators want to know if laws are being obeyed. Auditors provide us with that information.”
In some corners of the auditing community this discussion generates debate, but ultimately, the organization that is implementing ISO 9001’s requirements has the ability and right to design and implement its own auditor qualification structure. The debate tends to focus on the perception of what’s “right” and/or “wrong.” However, the relevant point is “perception,” as ISO 9001 allows for flexibility; ISO 19011’s requirements aren’t required as a supplement. The other criteria as previously identified under the “Personnel competency” and “Minimum requirements” sections are elements I would recommend. As an auditor, it’s important step back to make sure that I am not trying to impose my will on the auditee or trying to consult. My guidance and any other auditor’s guidance should come only from the approved and accepted requirements—the standard.
ISO 9001 defines the scope of auditor qualification, but it doesn’t clearly define its minimum requirements. Therefore, it allows company to determine the required skills and knowledge for its internal auditors, the necessity of the requirements, and what the overall qualification structure will entail. However, auditors and registrars will continue to debate the inclusion of suggested criteria against the intent of the standard and the will of the qualifying organization.
I hope that these recommendations will be helpful, but I know that they won’t override ISO 9001’s intent or the objective of an organization to meet its requirements and comply with customer criteria.
About the author
Ver-Non T. Wakefield is a RABQSA-certified quality management systems lead auditor and principal management consultant; an ASQ Certified Quality Auditor and Certified Quality Engineer; and an SME Certified Manufacturing Engineer.
He holds a bachelor’s degree in business administration and a master’s degree in organizational management and has worked in textiles, management consulting, and ordnance-defense and aerospace contracting. Wakefield has worked to train and promote quality and engineering principles throughout his career.