What is required to have someone qualified as an internal auditor?
Do they have to attend an outside auditor training course?

Please advise
Thanks Achemd.

Requirements are determined by your program, according to what performance is desired from an auditor.

Typical minimum is an auditing course for the applicable standard.

Other possible qualifications are education levels, certification in ASQ, a period of experience, and others as they might apply.

There is one important pre-requisite for internal auditor candidates...
(You may want to pre-qualify your candidate auditors)

Good "people" skills (communication and interacting with people)

I have met many internal and external auditors. They were "qualified" but had no "people" skills whatsoever. I believe that the success of an auditor depends on how well she/he interacts with the auditees.

I'm sure you will hear from some "resident experts" here at The Cove.

Good Luck with auditor selection.

Stijloor.

Being trained and passing the exam of internal audit.

Being trained and passing the exam of internal audit.

WRONG! WRONG! WRONG!

Internal auditing is a role the same as a machine operator, a supervisor, engineer or any other you can think of.

Every person who plays a role in the system and/ or who can effect customer satisfaction must be competent.

Training and passing a test do not show competence, all they show is that some time was spent sitting and hopefully listening along with a bit of memory retention and regurgitation of material presented.

Application of what was taught that can show the ability to do what is required, when required and how required is what must happen.

WRONG! WRONG! WRONG!

Internal auditing is a role the same as a machine operator, a supervisor, engineer or any other you can think of.

Every person who plays a role in the system and/ or who can effect customer satisfaction must be competent.

Training and passing a test do not show competence, all they show is that some time was spent sitting and hopefully listening along with a bit of memory retention and regurgitation of material presented.

Application of what was taught that can show the ability to do what is required, when required and how required is what must happen.


I wholeheartedly agree. But regrettably, that's how most auditors (internal/external) are "approved." Competence is defined as the ability to apply skills and knowledge.

Trained does not mean competent. That's why training records as "proof" of training are worthless. Only when the auditor has effectively and efficiently demonstrated her/his abilities over a predetermined amount of time, I would consider the auditor competent.

Allow me to repeat what I stated in an earlier post: PEOPLE skills should be a pre-requisite for any auditor.

Happy Father's Day.

Stijloor.

Allow me to repeat what I stated in an earlier post: PEOPLE skills should be a pre-requisite for any auditor.:agree1:Right on. The ability to communicate, as well. Communication, IMO is as important as knowledge of the specific requirements being audited. Effective communication is crucial for effective auditing.

Auditors, internal or external, it doesn't matter which, should be able to display those attributes and skills that are necessary in order to be a good auditor. In fact the definition of competence is "the demonstrated personal attributes and demonstrated ability to apply knowledge and skills" (3.14, ISO 19011:2002) and the definition of auditor is "person with the competence to conduct an audit" (3.8, ISO 19011:2002)

A major problem effecting a vast majority of presently existing management systems (and compounded by the auditors reviewing them, myself included) is the horribley poor state of the "competency" processes we sign off on. Very, very few organizations actually do what is required, but because "we" have tolerated sub-standard meeting of requirements we are now in the state of "sit in a class, pass a test" wham, bam, thank-you-mam, auditors.

Back on point, the attributes are those things that are layed out in ISO 19011:2002, clause 7.2 listed below and from where we get those necessary "people skills":

Auditors should possess personal attributes to enable them to act in accordance with the principles of auditing described in clause 4.
An auditor should be:
a) ethical, i.e. fair, truthful, sincere, honest and discreet;
b) open-minded, i.e. willing to consider alternative ideas or points of view;
c) diplomatic, i.e. tactful in dealing with people;
d) observant, i.e. actively aware of physical surroundings and activities;
e) perceptive, i.e. instinctively aware of and able to understand situations;
f) versatile, i.e. adjusts readily to different situations;
g) tenacious, i.e. persistent, focused on achieving objectives;
h) decisive, i.e. reaches timely conclusions based on logical reasoning and analysis; and
i) self-reliant, i.e. acts and functions independently while interacting effectively with others.

Auditors, internal or external, it doesn't matter which, should be able to display those attributes and skills that are necessary in order to be a good auditor. In fact the definition of competence is "the demonstrated personal attributes and demonstrated ability to apply knowledge and skills" (3.14, ISO 19011:2002) and the definition of auditor is "person with the competence to conduct an audit" (3.8, ISO 19011:2002)

A major problem effecting a vast majority of presently existing management systems (and compounded by the auditors reviewing them, myself included) is the horribley poor state of the "competency" processes we sign off on. Very, very few organizations actually do what is required, but because "we" have tolerated sub-standard meeting of requirements we are now in the state of "sit in a class, pass a test" wham, bam, thank-you-mam, auditors.

Back on point, the attributes are those things that are layed out in ISO 19011:2002, clause 7.2 listed below and from where we get those necessary "people skills":

Auditors should possess personal attributes to enable them to act in accordance with the principles of auditing described in clause 4.
An auditor should be:
a) ethical, i.e. fair, truthful, sincere, honest and discreet;
b) open-minded, i.e. willing to consider alternative ideas or points of view;
c) diplomatic, i.e. tactful in dealing with people;
d) observant, i.e. actively aware of physical surroundings and activities;
e) perceptive, i.e. instinctively aware of and able to understand situations;
f) versatile, i.e. adjusts readily to different situations;
g) tenacious, i.e. persistent, focused on achieving objectives;
h) decisive, i.e. reaches timely conclusions based on logical reasoning and analysis; and
i) self-reliant, i.e. acts and functions independently while interacting effectively with others.

Exactly!

Stijloor.

Randy is absoooolutely correct in that we 3rd party auditors have accepted a sub-standard test of competency that has perpetuated a dismal result from internal audit processes.

Although ISO 19011:2002 and QE 19011s:2004 (U.S. revision only) outlines the attributes in section 7.2 for auditors, this doesn't guarantee "competency".

An internal auditor training process should include an apprenticeship program. A potential auditor once trained in the standard and ISO 19011 must work with a competent auditor until they have proven their skills and competency.

Best regards,
MajorHal

Randy is absoooolutely correct in that we 3rd party auditors have accepted a sub-standard test of competency that has perpetuated a dismal result from internal audit processes.

Although ISO 19011:2002 and QE 19011s:2004 (U.S. revision only) outlines the attributes in section 7.2 for auditors, this doesn't guarantee "competency".

An internal auditor training process should include an apprenticeship program. A potential auditor once trained in the standard and ISO 19011 must work with a competent auditor until they have proven their skills and competency.

Best regards,
MajorHal


Hello MajorHal,

Your suggestion is an excellent one!

But didn't we have (3rd Party) auditor levels such as Provisional Auditor, Auditor, and Lead Auditor at some point in the past? I am not quite up to speed with the current (3rd Party) certification requirements.

However, for internal audits, I really like your suggestion to serve an "Auditor Apprenticeship" first. I know how beneficial an apprenticeship can be..I used to be an apprentice (machinist) myself when I was growing up in the Netherlands.

Best!

Stijloor.

Look and study Table 3 in ISO 19011:2002 as an example of how the organizaction can obtain and evaluate auditor competence.

Randy is absoooolutely correct in that we 3rd party auditors have accepted a sub-standard test of competency that has perpetuated a dismal result from internal audit processes.

Although ISO 19011:2002 and QE 19011s:2004 (U.S. revision only) outlines the attributes in section 7.2 for auditors, this doesn't guarantee "competency".

An internal auditor training process should include an apprenticeship program. A potential auditor once trained in the standard and ISO 19011 must work with a competent auditor until they have proven their skills and competency.

Best regards,
MajorHalThe problem is that competence is not easily definable and demonstrable. RABQSA had to seriously re-think their strategy with the competency-based auditor certification program they launched a few years ago. I have written several times about the chronic incompetence of internal auditors for a large percentage of organizations which have their management system certified. What dove tails in the discussion of the pros and cons of outsourcing internal system audits.

The problem is that competence is not easily definable and demonstrable. RABQSA had to seriously re-think their strategy with the competency-based auditor certification program they launched a few years ago. I have written several times about the chronic incompetence of internal auditors for a large percentage of organizations which have their management system certified. What dove tails in the discussion of the pros and cons of outsourcing internal system audits.

Hi Sidney,
My experience is similar. A majority of internal auditors are incompetent. Did you mean for your last sentence to be a question?:)
MajorHal

Whilst agreeing with most of what has been stated in this thread, we have not really answered the OP's question regarding training.

IMO, there is no 'ideal standard' training course for internal auditors. For some, the 2 day course (e.g. IRCA registered) does a decent job of providing a grounding in the basic skills, as long as it includes as much practical work as possible. For others, 2 days barely scratches the surface and is nowhere near enough training.

The real skills can only be obtained by doing 'real' audits under some kind of supervision which gives feedback on the things they do well and those they don't. The other problem I see is that many people seem to do just 1 or 2 audits per year and they get rusty with some of the skills so there may be a need for additional support too.

Did you mean for your last sentence to be a question?Not really. We have had numerous discussions here about pros and cons of outsourcing internal audits. In some circumstances, it might be beneficial for organizations to hire competent people to perform the internal audits, rather than trying to develop employees to do so.

I guess in the utopian world, having an abundance of trained and experienced internal auditors is the norm. For me, it's a bit different. My company has never been audited. They have never conducted an internal audit. To my knowledge, I am the only trained and certified auditor that works here.... and I've been on the job for 2 whole months (but experienced elsewhere).
:bonk:

We will be holding our first-ever internal audit next week. My team of auditors is a rag-tag bunch of departmental managers who would rather have teeth pulled than get involved with auditing. Their training? I have held 4 one-hour meetings/training sessions and sent them several auditing guides and tip sheets. I created their checklists at random. Thanks to some of the folks on the Elsmar site and others (if Google charged, I'd need a mortgage) I have found some very good reference materials to pass on.
:thanx:

So, while not classically trained, my auditors can walk, breathe, and sign their names. If they show up for the audit, I'm ahead of the ballgame. This may not be the best process, but it is far better than no process at all.
:cfingers:

PS
How many of these virtues must an auditor have? Do they grade on a scale?

Auditors should possess personal attributes to enable them to act in accordance with the principles of auditing described in clause 4.
An auditor should be: (should, but not really necessary?)
a) ethical, i.e. fair, truthful, sincere, honest and discreet; (one of them paid me back a buck I loaned)
b) open-minded, i.e. willing to consider alternative ideas or points of view; (some of them are Republicans)
c) diplomatic, i.e. tactful in dealing with people; (we can't have guns at work)
d) observant, i.e. actively aware of physical surroundings and activities; (one guy got lost for 2 days)
e) perceptive, i.e. instinctively aware of and able to understand situations; (huh?)
f) versatile, i.e. adjusts readily to different situations; (all of them drive cars from the 80's)
g) tenacious, i.e. persistent, focused on achieving objectives; (they always show up on payday)
h) decisive, i.e. reaches timely conclusions based on logical reasoning and analysis; and (maybe tomorrow)
i) self-reliant, i.e. acts and functions independently while interacting effectively with others. (mommy, help me)

I agree that most companies don't appreciate the true value of internal auditors, and therefore assign a low a priority to company 'resources' for proper selection and training.

I submit that internal auditors are the most underrated asset in the ISO toolbox -- IMHO, they are probably the most valuable "tool" available to management! They give a "snapshot" in time of the current state of the organization / operation, with OBJECTIVE evidence -- armed with which, mgmt. can make informed decisions about the best path for the company to take.

The objective evidence obtained from a good internal audit can contribute the most dependable "C(heck)" in the PDCA cycle.

Regarding training of auditors, the personal attributes listed in clause 4 of 19011 seem almost too idealistic (we should all be so fortunate to work with such lofty folks). But worse, they are almost impossible to 'measure', much less teach.

And how would one "teach" those largely subjective attributes? So the only recourse is in selection; and I challenge anyone to convince top mgmt that such valuable folks -- if they exist in the company -- should be diverted to auditing.

And how would one "teach" those largely subjective attributes? So the only recourse is in selection; and I challenge anyone to convince top mgmt that such valuable folks -- if they exist in the company -- should be diverted to auditing.Internal auditor selection is CRITICAL. In this post (http://elsmar.com/Forums/showpost.php?p=156017&postcount=16), I attached a presentation that I gave to the Orange County Chapter of ASQ a year ago on THE TOP 10 REASONS WHY INTERNAL QUALITY SYSTEM AUDITS ARE INEFFECTIVE AND HOW TO AVOID THEM. Slide 3 of the presentation covers the importance of auditor selection.

Thank you all, I am however still unsure if I have to have people officially trained by for example BSI or ASQ or if we can determine our own standards, for example I conducted internal audits in the pharmaceutical industry, can I do ISO 13485internal audits or not?
:thanx:

Auditors should possess personal attributes to enable them to act in accordance with the principles of auditing described in clause 4.
An auditor should be: (should, but not really necessary?)
a) ethical, i.e. fair, truthful, sincere, honest and discreet; (one of them paid me back a buck I loaned)
b) open-minded, i.e. willing to consider alternative ideas or points of view; (some of them are Republicans)
c) diplomatic, i.e. tactful in dealing with people; (we can't have guns at work)
d) observant, i.e. actively aware of physical surroundings and activities; (one guy got lost for 2 days)
e) perceptive, i.e. instinctively aware of and able to understand situations; (huh?)
f) versatile, i.e. adjusts readily to different situations; (all of them drive cars from the 80's)
g) tenacious, i.e. persistent, focused on achieving objectives; (they always show up on payday)
h) decisive, i.e. reaches timely conclusions based on logical reasoning and analysis; and (maybe tomorrow)
i) self-reliant, i.e. acts and functions independently while interacting effectively with others. (mommy, help me)

The Principles of Auditing and the Attributes of Auditors are two seperate things as specifically stated in ISO 19011:2002.

Thank you all, I am however still unsure if I have to have people officially trained by for example BSI or ASQ or if we can determine our own standards, for example I conducted internal audits in the pharmaceutical industry, can I do ISO 13485internal audits or not?
:thanx:

As has been stated in the thread, competence is more important than training in this situation. However, to become competent often involves being trained and the typical 2 day course will normally be viewed as appropriate training.

My main judgement of the competence of internal auditors is to look at some of the audit reports. Are they acceptable to you as a company? Do they cover the appropriate points for the scope of the audit? Do they contain sufficient objective evidence of what was seen (good and bad)? Are any NC's/Obs raised valid and well written? etc.

Hello,
This is a little off the topic. I am the Management Rep for the QMS. I am tasked with bringing our company to ISO 14001 and 9001 certification. I would like to go to lead auditor training but would like the company to pay the expense. What benefits to the company would there be for a trained and certified lead audtitor. I am responsible for all of the QMS.

Hello,
This is a little off the topic. I am the Management Rep for the QMS. I am tasked with bringing our company to ISO 14001 and 9001 certification. I would like to go to lead auditor training but would like the company to pay the expense. What benefits to the company would there be for a trained and certified lead audtitor. I am responsible for all of the QMS.

Welcome!

Just for clarification's sake - do you intend to become a fully RABQSA qualified Lead Auditor? Do you intend to lead teams of auditors to audit suppliers or other parts of the organization, say, sister plants, offices etc?

If the answer to these questions is no, then save face, money and time and go to internal auditor training, instead. I have taught the LA course for over 15 years and never understood why people who had no intention of doing those things mentioned above, went through 5 days of class!:mg:

For most people in your situation, the IA course is quite sufficient. Maybe finding a Management Rep's course is more appropriate as an extension to it.

Hello,
This is a little off the topic. I am the Management Rep for the QMS. I am tasked with bringing our company to ISO 14001 and 9001 certification. I would like to go to lead auditor training but would like the company to pay the expense. What benefits to the company would there be for a trained and certified lead auditor. I am responsible for all of the QMS.

I think it depends on where you are starting from. If you already have the skills to develop and maintain an ISO 9001/14001 system and can conduct internal audits, the LA course would improve those skills and expand your knowledge.

On the other hand, as Andy states, if you only intend to conduct internal audits the money could probably be better spent elsewhere.

If you do decide to go on the LA course, which one? QMS or EMS or both? If you do a 5 day course you can do a 3 day conversion course to get you up to speed in the other discipline.