by Andy Hofmann
I was teaching a class not too long ago when the discussion turned to “the rules” of auditing. The individual who started the discussion is an employee of a tier 1 automotive parts supplier that delivers its outputs directly to original equipment manufacturers (OEM). Those of us in the ISO-based auditing world will recognize the reference to “the rules” as meaning the International Automotive Task Force (IATF) Automotive Certification Scheme for ISO/TS 16949:2002—the rules on auditor qualifications for achieving IATF recognition.
I wasn’t teaching an ISO 9001 or ISO/TS 16949 class; instead, I was teaching a class about internal auditing to ISO 14001. The class included people from many industrial sectors including food, electrical distribution, and general manufacturing. Generally, instructors try to avoid subject matter that does not engage their entire audience. In this case, the interchange of ideas between participants took off before any instructor intervention was possible. What kind of question related to an industry-specific rule book would engage participation from across industrial boundaries? A good one. It went something like this:
Our company produces injection-molded parts for the automotive industry. Our three largest customers are GM, Chrysler, and Honda. For GM and Chrysler, we are obligated to conform with ISO/TS 16949 and ISO 14001, and for Honda, with its ISO 9001-based supplier handbook. We have been registered to ISO 14001 since 1996, to ISO/TS 16949 since 2002. Our plantwide performance record for the customers we serve is less than 30 parts per million. We have an exemplary environmental performance record, diverting more than 90 percent of our waste from landfills.
Like many companies, in 2008 we reduced our head count significantly to survive the Great Recession. North American automotive production went from more than 17 million vehicles per year to 10 million or lower. Many of our competitors went out of business. In 2011, the market began to recover in earnest and we are back to running two shifts with a small third for some long cycle time finishing operations. We have not added any managers, but we have a few new supervisors. The bulk of our new employees are temporary contract workers. We went from a low of 40 workers to now having more than 180.
Clause 6.2.2 of ISO/TS 16949 requires that: “… Personnel performing specific assigned tasks shall be qualified as required, with particular attention to the satisfaction of customer requirements.
Clause 4.4.2 of ISO 14001 requires that: “… Any person(s) performing tasks for it or on its behalf that have the potential to cause a significant environmental impact(s) identified by the organization is (are) competent on the basis of appropriate education, training or expertise, and shall retain associated records.
The IATF’s rules for accreditation of certification bodies outlines at section 4 the qualification requirements for TS/16949 auditors. Similarly, ISO 19011 outlines the requirements for the qualification of ISO 14001 auditors. To satisfy the requirements of the two ISO standards, our organization implemented a process in which we request objective evidence of competence from any ISO/TS 16949 and ISO 14001 auditor assessing our facility. The auditors definitely affect our satisfaction of customer requirements and our significant aspects.
We have repeatedly requested objective evidence of auditor competency from our current registrar, but have not been provided with it. Recently, our ISO/TS 16949 audit was witnessed by the IATF. We requested evidence that the witness auditor was qualified. None was provided. We believe that as a result of this situation we do not satisfy the requirements of ISO/TS 16949 or ISO 14001. How do we resolve this?
The comments in the classroom went from trying to understand how this person had time to so thoroughly research the requirements to trying to understand why registrars and auditors are not forthcoming with evidence of competency and auditor qualifications. The students’ main points about their colleague’s question were:
- Auditor credentials. Auditors that take their responsibility to be credible seriously maintain certifications through various bodies. For ISO/TS 16949 auditors, the certification is issued directly by the IATF in the form of a card and certificate per the standard’s clause 4.3. Auditors should have this card with them when performing an ISO/TS 16949 audit. An auditor that cannot produce one may be in process of completing the examination process. Evidence of this can be obtained from the registrar or the IATF.
For ISO 14001 auditors, the most recognized credentials can come from RABQSA International Inc., International Registrar of Certificated Auditors (IRCA), and/or the Canadian Environmental Certification Approvals Board (CECAB). These organizations require initial certification through a combination of education and experience as well as practical evaluation. A successful auditor will also have been issued a card that can be requested. Each of the auditor qualifications processes requires annual ongoing education, ongoing audits, and evidence of witnessed audits and client feedback. The auditor’s card should be reviewed carefully to be sure it is not expired.
- Registrar oversight. Both the technical specification and ISO 17021, which governs accreditation of ISO 14001 registrars, require that registrars maintain witness programs for their auditor teams. These witness audits are to be recorded and to assess the competency of the auditor in the criteria and the technical aspects of the assessment. It’s reasonable to request evidence that this program is operating effectively from the registrar, particularly for the auditors assigned to the engagement.
- Accreditation body oversight. Annual accreditation body audits of certification bodies should include an assessment of auditor competency. The accreditation body for ISO/TS 16949 is the IATF, though the accreditation body for ISO 14001 varies by country. In the United States, it is the ANSI-ASQ National Accreditation Board (ANAB), but international registrars may have been assessed by their home country accreditation body. Registrars must present current accreditation documentation when so requested.
The most interesting piece of the ensuing discussion was, “Why is this all so complex?” ISO 19011 and the IATF rules identify the basic requirements for auditors. Like the temporary agencies that provide contract workers to automotive plants, the screening criteria are in place and known to the temporary worker, the temporary agency, and the employer of the contract worker. Sending a person to a job site that is not qualified wastes the staffing organization’s time because he or she will need to be replaced. Registrars are basically staffing agencies for auditors. However, they do not behave accordingly, often stone walling requests for competency evidence.
My students were gobsmacked to learn that there is no central database that tracks third-party auditors. If there was one, any organization employing auditors could easily verify their credentials and auditor qualifications. Everyone agreed that there is probably a business idea in that need. A voluntary database of auditors that would be accessible for a charge by the organizations interested in its content might be a viable service.
The conclusion of this dialogue was that auditors are service providers to the organizations they audit. They have a responsibility to obtain and maintain their qualifications to provide the minimum level of service to their clients. They have a further responsibility to improve their minimum auditor qualifications through ongoing study and experience. Finally, the users of audit services have a right to know the status of the resource they are employing. As a career auditor, these conclusions were quite enlightening. It’s clear that the users of our services have high expectations for our auditor qualifications.
About the author
Andy Hofmann has been involved with management systems for more than 30 years. He has audited more than 2,500 systems, giving him a unique opportunity view of organizations that are performing well and those that struggle. A regular contributor to American Society for Quality management systems conferences and publications, Hofmann’s intellectual property has received wide acceptance. Currently the president of ICS Certification Services, Hofmann continues to work with management systems professionals throughout North America. He has an MBA from the University of Toronto and is a Certified Engineering Technologist.