deGRANDSON Global Blog

Why Checking the Competency of ISO Internal Auditors is Essential

Written by Dr John FitzGerald | Feb 28, 2025

Question: What's the one thing that ISO Auditor Training can't give you?

Answer: Competency.

ISO Management System Standards require competence in internal auditing, and ISO training is essential to building such competence. This post will consider internal auditing of the two most popular management system standards: ISO 9001, the quality management system (QMS)standard, and ISO 14001, the environmental management system (EMS) standard.

Also, we'll consider the frequently heard claim that 'we've not had a problem with internal auditing until now.' Well, that has changed; ISO training changed in 2010, but few noticed!

The Importance of ISO Auditor Certification Training

Time and again, as a Certification Body auditor, I have found training records for internal auditors and for audit program managers/management representatives that claim competence but satisfy only one of the four criteria, the third one – technical expertise. Historically, internal auditors have not been formally trained, and Certification Bodies (CBs) have accepted this practice.

Furthermore, CBs have accepted internal audit programs based solely on the auditing of procedures, work instructions, and other lower-level documents and not an audit against the requirements of the standard itself.  The question arises whether the 'traditional' approach continues to be acceptable or whether something more professional is needed. An examination of ISO 9001:2015 and/or ISO 14001:2015 clearly indicates that formal training is necessary, and here are five reasons why.

Reason 1: Major Changes in ISO 9001 and ISO 14001 Standards

Major changes have been made to both standards, including many for which documented procedures are unlikely to exist.  Consider just four such examples:

  • Context of the organization, where the monitoring and review of information regarding external and internal issues affecting the organization is an entirely new concept
  • Leadership, where the involvement of management is greatly expanded, and the need to involve top management in internal audits is a requirement,
  • Planning, where the auditing of actions to address risks and opportunities is now a requirement and, consequently, an understanding of the application of these terms is needed and
 

Reason 2: The requirements of ISO 9001:2015 Clause 9.2 Internal Audits

Could someone auditing the effectiveness of the implementation of procedures alone fulfill the requirements here?  Sub-clause 9.2.1 a) 2) requires audit evidence on whether the QMS/EMA conforms to 'the requirements of this International Standard.'. Without training, it is unlikely that an internal auditor will understand the requirements relating to policy, processes, procedures, and other documentation (including records).

Reason 3: The requirements of ISO 9001:2015 Clause 7.2 Competence

Sub-clause b) here describes competence as an appropriate combination of 'education, training or experience.'.  Note that here, the word 'or' is inclusive and should be interpreted as 'and/o.'. Sub-clause c) requires the organization to 'take actions to acquire the necessary competence.'. Education and experience alone cannot make someone a competent internal auditor.

Since the 2010 version of ISO 19011, an ISO Auditor Certificate cannot be considered to bestow competence on the holder. Competence being defined in terms of one's ability to apply knowledge and skills has meant that since 2010 Certification Bodies have been required to keep records of the auditing practice and participation of their Lead Auditors that is the basis of the claim of their competency.

So, it's not about having a card in your wallet that says you've been registered on a meaningless ISO Auditor Register; it's not about having a Certificate on the wall behind your desk. It's about having put the skills and knowledge gained during your ISO Auditor training into practice by undertaking an ongoing series of audits.

And a minimum of three audits per year has traditionally been taken as the minimum number of audits needed to maintain your Competence. We next turn to two reasons concerned with turning internal auditing into an opportunity:

Reason 4: To Secure the Benefits of Good Auditing Techniques

To thoroughly audit a QMS/EMS, it is necessary that internal auditors mimic the behavior of CB auditors.  External ISO auditors use many sources of information, which will vary depending on the scope and complexity of the audit and may include the following:
  • interviews with employees and other persons;
  • documents, such as policy, objectives, plans, procedures, standards, instructions, licenses and permits, specifications, drawings, contracts, and orders;
  • records, such as inspection records, minutes of meetings, audit reports, records of monitoring programs, and the results of measurements;
  • data summaries, analyses, and performance indicators;
  • information on the auditee's sampling programs and on procedures for the control of sampling and measurement processes;
  • reports from other sources, for example, customer feedback, other relevant information from external parties, and supplier ratings;
  • computerized databases and websites.

Without training in these techniques, weaknesses and non-compliances will likely be left undetected and found subsequently by external auditors.

Reason 5: To Harvest Improvement Suggestions

Internal audits offer convenient and relaxed opportunities for personnel at all organizational levels and functions to point out defects in systems and procedures.  They also suggest many minor improvements (and occasionally major improvements) to management systems.

By capturing, reviewing, and implementing these suggestions, you help ensure the robustness of the QMS/EMS.  Every non-conformance avoided represents a real saving of time, money, and other resources. Consider for a moment how much better your internal audits would be in gathering interview evidence and in identifying improvement opportunities if they followed the following 5-step guide:

  1. Begin with Open Questions (as in 'open-ended' - What is the role of your function?  How do you do that?)
  2. Ask Specific Questions to get specific information (Which lot numbers were involved?)
  3. Ask 'What-if' Questions to get more information on a topic.
  4. Ask to see the records, documents & other evidence
  5. Listen; don't talk except to ask questions or paraphrase answers.  Only with trained internal auditors familiar with these methods can your organization benefit.
 

What can you do to demonstrate competence in auditing?

1 of 2: Get auditor training

But then again, I would – I have a vested interest. But don’t let that blind you to the real benefits that you can get.  These include…

  1. With good auditing skills, auditors will record a variety of evidence types, not just checks that records exist, and have a credible body of evidence to confirm that the management system is adequately implemented and maintained.

Benefit: External auditors, including those from customers and potential customers, will have far fewer nonconformities to find during their audits.

  1. With an adequate understanding of the Standard in question, your auditors will be able to …
    1. confirm compliance not only with the documentation of your management system manual but also,
    2. To check that all the requirements of the Standard are adequately addressed and
    3. To seek out applicable regulations, standards, and contractual requirements.

Benefit: Customer satisfaction and regulatory compliance is not left to chance.  You’ll have objective evidence of the fulfilment of requirements here.

  1. Be aware of the opportunity to identify improvements that internal audits provide. Too often audits are a useless box-ticking exercise done to satisfy external auditors and not to benefit the organization. What better time is there to discuss improvements than when interviewing the very persons who are doing the work.

Benefit: Step-change improvements are rare. But, with the myriad of small improvements that internal audits can provide, significant reductions of waste, and improvements in efficiency can be achieved. Historically, finding training courses for internal auditors has been problematic especially if standards other than ISO 9001 and ISO 14001 are involved.  No more.

With our online Auditor Training Courses, you can plan training to suit your own schedule.  And the cost savings versus traditional training methods are significant too.

2 of 2: Gain Technical Skills and On-the-Job Experience

An appropriate combination of technical skills (such as a relevant university degree, apprenticeship or other third level qualification) and of experience within the sector being audited is essential if an auditor doing internal audits, supplier audits or managing an audit programme if that auditor is to understand the context, processes, methods and the culture of the organization concerned.  Three years of experience would be an absolute minimum here.

Related Articles

 

deGRANDSON Global is an ISO Certified Educational Organization

In October 2021, we secured certification to three education-related ISO Standards.  We now have a university-grade management system in place conforming to the requirements of…
  • ISO 21001, Educational Organizational Management System,
  • ISO 29993, Learning Services outside formal Education,  and
  • ISO 29994, Learning Services – additional requirements for Distance Learning.

We have chosen ISO 21001 certification because it is based on independent third-party assessment, unlike IRCA and Exemplar badges (which we believe are commercially compromised).  It is a 'university grade' standard globally by schools, colleges, and universities to demonstrate competence.

We provide Courses on ISO 9001, ISO 13485, ISO 14001, ISO 17025, ISO 27001, ISO 45001, Data Protection, Risk Management, and more.

 
View full post