News & Commentary on ISO Management System Standards

    Why Checking the Competency of ISO Internal Auditors is essential
    Why Checking the Competency of ISO Internal Auditors is essential

    Auditor examining items on a checklist

    Have you any objective evidence to demonstrate such competence?

    ISO Management System Standards require that persons involved in internal auditing be competent, and ISO auditor training is essential to building such competence.

    This post will consider internal auditing of the two most popular management system standards: ISO 9001, the quality management system (QMS)standard, and ISO 14001, the environmental management system (EMS) standard.

    Also, we'll consider the frequently heard claim that 'we've not had a problem with internal auditing until now.'

    Well, that has changed; ISO training changed nine years ago, but few noticed!

    But why choose 9-year-old Standards as Examples?

    It's because Internal Audit Programmes and Internal Audit Reports continue to demonstrate regularly that the requirements relating to Internal Audits are not adequately addressed.  Furthermore, incompetent internal ISO auditors are commonplace.  What's worst is this is nine years after the requirements changed!

    In this article, we set 5 reasons why such training is a 'must', the first three arising directly from the Standards themselves, and the final two is concerned with maximizing the benefits achieved with best internal auditing practice.

    Reasons why Assessing the Competence of Your Auditors is a Must

    Historically, internal auditors have not been formally trained, and Certification Bodies (CBs) have accepted this practice.

    Furthermore, CBs have accepted internal audit programs based solely on the auditing of procedures, work instructions, and other lower-level documents.

    All organizations have migrated to the 2015 standards, and the question arises as to whether the traditional approach will continue to be acceptable.

    Examination of ISO 9001:2015 and/or ISO 14001:2015 clearly indicates that formal training will be necessary, and here are five reasons why.

    Reason 1: Major Changes in ISO 9001 and ISO 14001 Standards

    Major changes have been made to both standards, including many for which documented procedures are unlikely to exist.  Consider just four such examples:

    • Context of the organization, where the monitoring and review of information regarding external and internal issues affecting the organization is an entirely new concept
    • Leadership, where the involvement of management is greatly expanded, and the need to involve top management in internal audits is a requirement,
    • Planning, where the auditing of actions to address risks and opportunities is now a requirement and, consequently, an understanding of the application of these terms is needed and

    Internal Auditors will need to understand these terms and their interpretation and application.


    ISO 9001 Internal Auditor Training and Certification course button


    Reason 2: The requirements of ISO 9001:2015 Clause 9.2 Internal Audits

    Could someone auditing the effectiveness of the implementation of procedures alone fulfill the requirements here?  Sub-clause 9.2.1 a) 2) requires audit evidence on whether the QMS/EMA conforms to 'the requirements of this International Standard.'.

    Without training, it is unlikely that an internal auditor will understand the requirements relating to policy, processes, procedures, and other documentation (including records).

    Reason 3: The requirements of ISO 9001:2015 Clause 7.2 Competence

    Sub-clause b) here describes competence as an appropriate combination of 'education, training or experience.'.  Note that here, the word 'or' is inclusive and should be interpreted as 'and/o.'.

    Sub-clause c) requires the organization to 'take actions to acquire the necessary competenc.'.

    Education and experience alone cannot make someone a competent internal auditor.  And 'sit by Nellie' is hardly an effective or credible training method.

    Any reasonable interpretation of clause 7.2 requires internal auditors to be formally trained.

     We next turn to two reasons concerned with turning internal auditing into an opportunity:

    Reason 4: To Secure the benefits of Good Auditing Techniques

    To thoroughly audit a QMS/EMS, it is necessary that internal auditors mimic the behavior of CB auditors.  External ISO auditors use many sources of information, which will vary depending on the scope and complexity of the audit and may include the following:

    • interviews with employees and other persons;
    • documents, such as policy, objectives, plans, procedures, standards, instructions, licenses and permits, specifications, drawings, contracts, and orders;
    • records, such as inspection records, minutes of meetings, audit reports, records of monitoring programs, and the results of measurements;
    • data summaries, analyses, and performance indicators;
    • information on the auditee's sampling programs and on procedures for the control of sampling and measurement processes;
    • reports from other sources, for example, customer feedback, other relevant information from external parties, and supplier ratings;
    • computerized databases and websites.

    Without training in these techniques, weaknesses and non-compliances will likely be left undetected and found subsequently by external auditors.


    ISO 14001 Internal Auditor Certification Course button


    Reason 5: To Harvest Improvement Suggestions

    Internal audits offer convenient and relaxed opportunities for personnel at all organizational levels and functions to point out defects in systems and procedures.  They also suggest many minor improvements (and occasionally major improvements) to management systems.

    By capturing, reviewing, and implementing these suggestions, you help ensure the robustness of the QMS/EMS.  Every non-conformance avoided represents a real saving of time, money, and other resources.

    Consider for a moment how much better your internal audits would be in gathering interview evidence and in identifying improvement opportunities if they followed the following 5-step guide:

    1. Begin with Open Questions (as in 'open-ended' - What is the role of your functionHow do you do that?)
    2. Ask Specific Questions to get specific information (Which lot numbers were involved?)
    3. Ask 'What-if' Questions to get more information on a topic.
    4. Ask to see the records, documents & other evidence
    5. Listen; don't talk except to ask questions or paraphrase answers.  Only with trained internal auditors familiar with these methods can your organization benefit.

    Here's what you should do...

    We would suggest that formal ISO 9001 internal auditor training and/or formal ISO 14001 internal auditor training (with certification examinations) is the best approach in:

    1.  ensuring the competency of internal auditors and

    2.  maximizing the potential benefit arising from the internal auditing process, which process you cannot be avoided.

    Of course, we have a vested interest; we are an online ISO Auditor Training Company, after all.  However, that doesn't mean that everything stated above isn't absolutely true!


    Image showing a checklist of what you'll learn from deGRANDSON's Internal Auditor training courses and a button leading to their overview page


    Click on the image thumbnail to see the image in full size, or click the button on the other side to go to our ISO auditor overview page to learn more about our courses.


    Related Training Courses


    Related Articles

    deGRANDSON Global is an ISO Certified Educational Organization

    New call-to-actionIn October 2021, we secured certification to three education-related ISO Standards.  We now have a university-grade management system in place conforming to the requirements of…

    • ISO 21001, Educational Organizational Management System,
    • ISO 29993, Learning Services outside formal Education,  and
    • ISO 29994, Learning Services – additional requirements for Distance Learning.

    We have chosen ISO 21001 certification because it is based on independent third-party assessment, unlike IRCA and Exemplar badges (which we believe are commercially compromised).  It is a 'university grade' standard globally by schools, colleges, and universities to demonstrate competence.

    We provide Courses on ISO 9001, ISO 13485, ISO 14001, ISO 17025, ISO 27001, ISO 45001, Data Protection, Risk Management, and more.


    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems
    Find me on:

    Subscribe to Email Updates

    Recent Posts