
View Full Version : Auditing ISO 9001 without ISO 9001 knowledge or training


andyf
30th January 2008, 12:12 PM
Hi there, I was wondering if anyone could help settle a dispute!

I was a bit perturbed earlier this year when our head office decided that our branch needed 2 internal auditors trained, nothing wrong with that you may say, but the 2 individuals knew diddly squat about ISO 9001 to start with, and had no training whatsoever into the actual subject they were being trained to audit!

I strongly disagreed with this, but was told in a management meeting that this was quite alright and that you did not need to understand ISO 9001 in order to audit it.

Does anybody agree with this or is it just me, who is wrong?

Sidney Vianna
30th January 2008, 12:23 PM
Obviously, in order to be a competent internal auditor, knowledge of the standard is a component of competence.

Looks like your management provides inspiration material to Scott Adams....:tg:

Stijloor
30th January 2008, 12:23 PM
Hi there, I was wondering if anyone could help settle a dispute!

I was a bit perturbed earlier this year when our head office decided that our branch needed 2 internal auditors trained, nothing wrong with that you may say, but the 2 individuals knew diddly squat about ISO 9001 to start with, and had no training whatsoever into the actual subject they were being trained to audit!

I strongly disagreed with this, but was told in a management meeting that this was quite alright and that you did not need to understand ISO 9001 in order to audit it.

Does anybody agree with this or is it just me, who is wrong?

Hello Andy,

Obviously, your internal auditors need to be competent to audit the company's processes. Familiarity with the ISO 9001:2000 Standard is a plus, but is not required. What's most important is that they are well prepared to conduct process-based internal audits.

Stijloor.

AndyN
30th January 2008, 12:38 PM
There appear to be two separate issues here. The first is that going in to auditor training, people don't (indeed won't) necessarily need to know anything about the standard. In many cases, accredited training materials require the students to do some preparatory work on the standard before attending the course - one of the benefits of taking accredited (RABQSA, IRCA etc) courses.

The other issue is more likely to lead to a problem. Conventional wisdom says that anyone can audit a process/system to the standard, once trained. That is a myth, and a dangerous one at that. It is of importance that the auditor be familiar with the process they are auditing - as long as they don't audit their own work!

So I'm going to side, somewhat with your management, about the ISO bit, but their other comments may be based on mythology..........:notme:

Sidney Vianna
30th January 2008, 12:43 PM
Looks like my colleagues disagree with me and ISO 19011, which suggests that knowledge of the management system standard should be a part of the BoK for auditors.

BradM
30th January 2008, 01:06 PM
Well, I guess in the end, management can do whatever they want. If they want to go down a list and check a "Have internal auditors?" box, then so be it. But the value of that program will be substantially diminished.

Treating the QMS like pest control or city permits (well, we gotta have it) is doing nothing but hurting the management. There is a huge amount of value that can be ascertained by a good internal audit program.

Likewise, there is a lot of no-value that can be generated through lack of internal auditor training. No value in internal audit reports, poorly written citations, fights, territory issues, cowering-down, opinion issues, etc. are just a start.

You would not ask a machinist to do their job without the proper tools; nor should you ask that of your internal auditors.

vanputten
30th January 2008, 01:07 PM
Could knowledge of ISO 9001 be part of the upcoming training? Why does one have to be knowledgeable of the standard before the training? Couldn't it be learned during the training; as part of the training?

I agree with Sidney. Kind of hard to audit against a set of requirements to which you have no awareness, let alone understanding or knowledge.

Ask management if they hire financial and regulatory compliance auditors that have no knowledge of those requirements.

I would assume that if this approach applies to internal ISO 9001 audits, it applies to all auditors in all areas.

AndyN
30th January 2008, 01:11 PM
Brad:
I too lament much of what you describe. In too many organizations, management don't aspire to do anything (or maybe actually get around to doing anything) unless they are pushed into it. And that's even without considering those people in management who don't see 'anything wrong' with what they do, nor have a vision for another way - if they do see things need fixing!

Phil Fields
30th January 2008, 01:13 PM
Hi there, I was wondering if anyone could help settle a dispute!

I was a bit perturbed earlier this year when our head office decided that our branch needed 2 internal auditors trained, nothing wrong with that you may say, but the 2 individuals knew diddly squat about ISO 9001 to start with, and had no training whatsoever into the actual subject they were being trained to audit!

I strongly disagreed with this, but was told in a management meeting that this was quite alright and that you did not need to understand ISO 9001 in order to audit it.

Does anybody agree with this or is it just me, who is wrong?

Andy,
You mentioned that the two individuals would need to be trained per the head office. What type of training did they have in mind? Was it both the standard and auditing or just auditing? Was the head office specific, or can you decide what type of training they shall receive?

At my company we have auditors from Quality, Manufacturing, Purchasing, HR, & Engineering. The Quality dept has received Lead Auditor training thru BSI. The other auditors have received auditor training and ISO Standard training.

I would request from your head office the type of training they had in mind.

Phil

AndyN
30th January 2008, 01:34 PM
Hi there, I was wondering if anyone could help settle a dispute!

I was a bit perturbed earlier this year when our head office decided that our branch needed 2 internal auditors trained, nothing wrong with that you may say, but the 2 individuals knew diddly squat about ISO 9001 to start with, and had no training whatsoever into the actual subject they were being trained to audit!

I strongly disagreed with this, but was told in a management meeting that this was quite alright and that you did not need to understand ISO 9001 in order to audit it.

Does anybody agree with this or is it just me, who is wrong?

I'm going to guess that your organization is ISO 9001 registered. If that's so, my question would be: "Did your management follow the process for identifying what competency requirements are necessary for someone to be an internal auditor?" Or did they do, as so many do, just identify arbitrarily a couple of people to be trained as auditors.........?

Phil Fields
30th January 2008, 01:42 PM
Our Director of Quality chose the auditors, this was an informal process. I am not sure of all of the criteria he used, but he looked if the person was detail oriented, and their personality in dealing with other people.

Phil

michellemmm
30th January 2008, 02:05 PM
I agree with Sidney. Kind of hard to audit against a set of requirements to which you have no awareness, let alone understanding or knowledge.



Unfortunately this problem is not just with internal auditing...

During my last registration audit, one of the auditors had no clue about ISO 9k. He claimed to be an expert in Medical...
This auditor started lecturing the client manager and I about Process Approach and the next day asked the client manager (lead auditor) to define COP, SOP, and MOP.....
While auditing Sales, he informed me that my sales process is "no acceptable" because the performance is lower than goal....
For training record, he asked me to show him the proof that a manager was trained in filling out a form...
I tried to tolerate him...till he asked me to show job descriptions, I got mad and told him to show me the Shalls... He went to a corner and started reading...I bet that was the first time he was looking at the standard....

His overall attitude and mission was to find something wrong!!!!

Helmut Jilling
31st January 2008, 02:21 AM
Hello Andy,

Obviously, your internal auditors need to be competent to audit the company's processes. Familiarity with the ISO 9001:2000 Standard is a plus, but is not required. What's most important is that they are well prepared to conduct process-based internal audits.

Stijloor.

HUH??? :mg: :confused:

If they are doing a generic internal audit, perhaps.

If they are auditing to ISO 9001, I would categorically disagree. :nope:

I fully agree with Sidney's reminder that knowledge of the standard is required.

I do agree that it can be part of the training, (as it frequently is). You can't audit what you do not know.

Stijloor
31st January 2008, 03:10 AM
HUH??? :mg: :confused:

If they are doing a generic internal audit, perhaps.

If they are auditing to ISO 9001, I would categorically disagree. :nope:

I fully agree with Sidney's reminder that knowledge of the standard is required.

I do agree that it can be part of the training, (as it frequently is). You can't audit what you do not know.

Hello Helmut,

I certainly understand and appreciate your response. :) External auditors such as Sidney, you and others "live by" the Standard while auditing. :yes:

My response to the OP was based on the assumption that they were already ISO 9001 certified. Once it has been verified through internal and external audits that the QMS meets ISO 9001:2000 requirements, auditing against the standard becomes less important. Now you want to audit against the specific provisions that the organization has put in place.

For example, I see an audit question: "Do you have a procedure for control of documents?" Well, once it has been established that the company has one, I do not expect the internal auditors to repeat that question every time they go out auditing. Now, I'd be more interested how the document control process works and if it delivers the expected results.

Sadly, too many internal audit check lists (for ongoing audits) are purely based on ISO 9001:2000 requirements and eventually quit providing true audit value.

In my internal audit courses, I obviously can not ignore the Standard, in fact, I spend quite some time explaining and helping to interpret the Standard. It is even part of the pre-course assignment. For on-site courses, I use company-specific examples to explain the Standard.

But going back to the OP's dilemma, if I was in this person's situation, I would emphasize auditing the existing processes, and I would be less concerned about ISO 9001:2000.

I hope my early morning ramblings make sense....

Stijloor.

JaneB
31st January 2008, 03:11 AM
His overall attitude and mission was to find something wrong!!!!

If that was the required criteria, then he was perfect. ;)

I like the analogy of would one hire financial auditors who have no knowledge of financials... very good question. "Don't you worry, Mr Jones, our auditors know zippo about accountancy, but they're very good at process." Uh huh, bet people'd be lining up to hire that firm!

No defined criteria for an 'auditor' + no adequate training = trivial results & probably a waste of time. :(

I've just spent some hours seeing the 'results' (or rather, lack of) from that particular approach. Big waste of time, just for a start. Sigh.

Whether a knowledge of the standard is required or not depends on the actual management system in question and its context - if the auditors don't have it - who does have it? Who oversees the audit program and audit reports, for example? At the very least, I'd call it distinctly beneficial.

madannc
31st January 2008, 04:44 AM
Reading this reminded me of a story I read a while ago, although intended to be humorous, when you think about it there is a lot of truth in the story. IMHO Management rarely appreciate the benefits of a well structured QS and the benefit from trying to improve that with a robust internal audit program performed by suitably qualified/experienced personnel. It's as mentioned before a tick in the box they need to complete and they look at the most cost effective way of getting the tick with the least amount of "perceived" hassle. I could go on and on but I think that the point has been made.

A man in a hot air balloon realised he was lost. He reduced altitude and spotted a guy below. He descended a bit more and shouted, "Excuse me, can you help me? I promised a friend I would meet him an hour ago, but I don't know where I am."

The guy below replied, "You're in a hot air balloon hovering approximately 30 feet above the ground. You're between 40 and 41 degrees north latitude and between 59 and 60 degrees west longitude."

"You must be in QA," said the balloonist.

"I am," replied the guy, "How did you know?"

"Well," answered the balloonist, "everything you told me is correct, but I've no idea what to make of your information, and the fact is I'm still lost. Frankly, you've not been much help at all. If anything, you've delayed my trip."

The guy below responded, "You must be in Management."

"I am", replied the balloonist, "but how did you know?"

"Well," said the guy, "you don't know where you are or where you're going. You have risen to where you are due to a large quantity of hot air, you made a promise which you've no idea how to keep, and you expect people beneath you to solve your problems. The fact is you are in exactly the same position you were in before we met, but now, somehow, it's my fault."

andyf
31st January 2008, 05:16 AM
Many Thanks to everyone for their response, it seems this is quite a contentious issue.

To answer a few queries - yes we are certified, and yes it was an audit of the ISO system, it was mainly management's attitude that anybody could do this that bugged me.

The individuals sent on the course had no previous knowledge of the standard at all, never mind any knowledge of the requirements of any other department, not only that but I was told they were sent on a basic introduction course to audit - 1 day course no certificate even.

When I raised my concern over this in line with many of your comments on this thread, I was told that they only had to follow the questions! and that anybody could do this. I thought the idea of the audit was to identify areas or issues which were not in keeping with the standard. This system of auditing relies heavily therefore on the questions to be asked, and on the knowledge of whoever it is who writes the questions.

It really is just a case of let's get people to fulfill this requirement and tick the boxes, in this instance.

Helmut Jilling
31st January 2008, 08:24 AM
Hello Helmut,

I certainly understand and appreciate your response. :) External auditors such as Sidney, you and others "live by" the Standard while auditing. :yes:

My response to the OP was based on the assumption that they were already ISO 9001 certified. Once it has been verified through internal and external audits that the QMS meets ISO 9001:2000 requirements, auditing against the standard becomes less important. Now you want to audit against the specific provisions that the organization has put in place.

For example, I see an audit question: "Do you have a procedure for control of documents?" Well, once it has been established that the company has one, I do not expect the internal auditors to repeat that question every time they go out auditing. Now, I'd be more interested how the document control process works and if it delivers the expected results.

Sadly, too many internal audit check lists (for ongoing audits) are purely based on ISO 9001:2000 requirements and eventually quit providing true audit value.

In my internal audit courses, I obviously can not ignore the Standard, in fact, I spend quite some time explaining and helping to interpret the Standard. It is even part of the pre-course assignment. For on-site courses, I use company-specific examples to explain the Standard.

But going back to the OP's dilemma, if I was in this person's situation, I would emphasize auditing the existing processes, and I would be less concerned about ISO 9001:2000.

I hope my early morning ramblings make sense....

Stijloor.

No confusion with 3rd party audits. If they are already certified, I agree that internal auditors can and should audit to company procedures. But, the audit still is verifying whether the system is continuing to meet ISO requirements, through the filter of the company procedures. To audit without ultimately knowing the underlying ISO requirements would not be an acceptable situation, nor effective.

Auditors must know about the ISO requirements to be effective. Whether they read it themselves, or get trained on it, somehow they need to know it or it will show in the results. I am convinced this is part of why so many internal audits are poor. If you are relying on trainees to just read it for themselves, I would suggest that is not very effective.


For example, I see an audit question: "Do you have a procedure for control of documents?" Well, once it has been established that the company has one, I do not expect the internal auditors to repeat that question every time they go out auditing. Now, I'd be more interested how the document control process works and if it delivers the expected results.


Good example. Sure, they have established the procedure exists. But, often these procedures are very generic, and say little. If they have no further insight and understanding on what the requirements expect, they have no basis to decide whether the process achieves "the desired results," let alone have a hope of identifying potential improvements. The whole internal exercise grinds to the very lowest level of performance. It is unlikely to produce much value.

This is part of the frequent issue that AndyN often mentions. Internal audits should strive for the highest, not lowest performance. And, that requires some decent level of BoK of the underlying standard, in a clear process context.

Stijloor
31st January 2008, 08:36 AM
No confusion with 3rd party audits. If they are already certified, I agree that internal auditors can and should audit to company procedures. But, the audit still is verifying whether the system is continuing to meet ISO requirements, through the filter of the company procedures. To audit without ultimately knowing the underlying ISO requirements would not be an acceptable situation, nor effective.

Auditors must know about the ISO requirements to be effective. Whether they read it themselves, or get trained on it, somehow they need to know it or it will show in the results. I am convinced this is part of why so many internal audits are poor. If you are relying on trainees to just read it for themselves, I would suggest that is not very effective.


Good example. Sure, they have established the procedure exists. But, often these procedures are very generic, and say little. If they have no further insight and understanding on what the requirements expect, they have no basis to decide whether the process achieves "the desired results," let alone have a hope of identifying potential improvements. The whole internal exercise grinds to the very lowest level of performance. It is unlikely to produce much value.

This is part of the frequent issue that AndyN often mentions. Internal audits should strive for the highest, not lowest performance. And, that requires some decent level of BoK of the underlying standard, in a clear process context.

Helmut,

Thank you for your excellent points and very thoughtful response. :agree:

Stijloor.

ScottK
31st January 2008, 09:26 AM
Many Thanks to everyone for their response, it seems this is quite a contentious issue.

To answer a few queries - yes we are certified, and yes it was an audit of the ISO system, it was mainly management's attitude that anybody could do this that bugged me.

The individuals sent on the course had no previous knowledge of the standard at all, never mind any knowledge of the requirements of any other department, not only that but I was told they were sent on a basic introduction course to audit - 1 day course no certificate even.

When I raised my concern over this in line with many of your comments on this thread, I was told that they only had to follow the questions! and that anybody could do this. I thought the idea of the audit was to identify areas or issues which were not in keeping with the standard. This system of auditing relies heavily therefore on the questions to be asked, and on the knowledge of whoever it is who writes the questions.

It really is just a case of let's get people to fulfill this requirement and tick the boxes, in this instance.

Sounds like management wants a label and certificate, not a system.
I think someone ought to introduce these guys to ISO19011 as Sidney pointed out.

Was there at least an experienced lead auditor to guide the auditors? I'm going to guess that the "lead auditor" was their boss who came up with the checklists and said "have at it!".

AndyN
31st January 2008, 09:53 AM
Without a basic grasp of the ISO requirements, tools and techniques - plus - real knowledge of what effective systems look like, an internal auditor will not only default to doing compliance audits (we were/not following the procedure) but when the system starts to crumble due to a lack of management support/involvement/ownership, fundamental breaks can occur and the auditors can be oblivious.

For example, an experienced auditor found that the document control system had been changed over time and the procedure no longer addressed how document changes were handled! It was a result of someone in management issuing a dictate that all procedures were to be reduced to only three pages, because he thought they were too wordy/complex! None of the previous internal audits had discovered that omission!

Clearly, Andyf's management haven't had a good grasp of the benefits of auditing. But I'm also going to lay much of the reason at the door of trainers who don't teach auditors how to get management involved in an appropriate way. It's too easy to blame management for not 'getting' audits, but then when did any auditors/audit management know how to position audits to actually do more than maintain a certificate..........??

Sidney Vianna
31st January 2008, 05:27 PM
But going back to the OP's dilemma, if I was in this person's situation, I would emphasize auditing the existing processes, and I would be less concerned about ISO 9001:2000.

The OP's dilemma had to do with the fact that his management disagreed with him about the need for auditors to be knowledgeable of the standard his organization complies to. Quality systems are dynamic, and just because a system has been assessed and deemed to comply with a standard, there is no guarantee that it will remain like that. For example, more than once I have seen organizations which used to have "robust" corrective action processes let it slide backwards and people start accepting corrections for corrective actions. If an internal auditor does not know the difference between correction and corrective action, their audit of the corrective action process will be ineffective and a major improvement opportunity will be missed.

Most experienced Q professionals know that the vast majority of the internal auditing activities happening out there is a wasted effort. And for the sake of sustainability, we better do our part to change that.

Stijloor
31st January 2008, 05:51 PM
The OP's dilemma had to do with the fact that his management disagreed with him about the need for auditors to be knowledgeable of the standard his organization complies to. Quality systems are dynamic, and just because a system has been assessed and deemed to comply with a standard, there is no guarantee that it will remain like that. For example, more than once I have seen organizations which used to have "robust" corrective action processes let it slide backwards and people start accepting corrections for corrective actions. If an internal auditor does not know the difference between correction and corrective action, their audit of the corrective action process will be ineffective and a major improvement opportunity will be missed.

Most experienced Q professionals know that the vast majority of the internal auditing activities happening out there is a wasted effort. And for the sake of sustainability, we better do our part to change that.

Sidney,

Excellent points. Even mature quality systems are subject to gradual deterioration due to internal and external dynamics and possible neglect by Top Management.

I agree that auditors must verify that the system and its processes are not drifting away from what was originally put in place.

Thanks for your clarifying points.

Stijloor.

JaneB
31st January 2008, 09:00 PM
Sidney and Stijloor, I agree with you both.

But are there not two issues here?
One is whether auditors should/should not be knowledgeable of the Standards - ie, can they just be trained to audit to checklists or the like? I can't hold a blanket 'Yes/No' position on that, and would answer 'that depends'... in certain situations, the use of lower trained auditors might be acceptable.

No, it's definitely not an optimal solution - but sometimes budget, resources & the like mandate less than optimal solutions! If these audits were only part of an internal audit program, it might be OK. I'd certainly want to see at a minimum that someone was managing the audit program overall, that someone was ensuring the system remained with requirements of the Standard, that some effective auditing for risk/importance/improvement was occurring, and naturally ensuring that said checklists (if that's what were used) were revised/updated at times. But if they were the only audits happening at all, I doubt one would be getting very good results.

The second is how can a system remain effective, including keeping up with changes? Audit isn't the only way of doing that. And particularly if only minimally trained internal auditors are used, I'd query how that was done effectively.

If an internal auditor does not know the difference between correction and corrective action, their audit of the corrective action process will be ineffective and a major improvement opportunity will be missed.
True.

Most experienced Q professionals know that the vast majority of the internal auditing activities happening out there is a wasted effort. And for the sake of sustainability, we better do our part to change that.

Hell, yes. Given some of the audits & audit reports I've seen, I'd query their value if I were a top manager too! Also, some external audits. We can't blame 'management' for 'just not getting it' when these things are far from uncommon.

Colpart
1st February 2008, 05:37 AM
May I jump on this bandwagon too? I agree with Jane, Stijloor and Sidney with regard to this topic.

A debate I have regularly on training courses is around the fact that there is a belief that just because a certification body has awarded a certificate, their system fully meets the standard.

Sure, it should be pretty close (or maybe it was) but things change - practice, processes, requirements, technology, etc. They also make changes to procedures to reflect these changes and in doing so, may take the system away from compliance with the standard.

Besides, how much more effort is there involved to get auditors to pick up the relevant bits of the standard when they are in specific areas? We are not asking them to be expert in the whole standard.