IATF 16949:2016 Internal Auditor & 2nd Party Auditor Qualifications & Competency

Crimpshrine13

Involved In Discussions
We have a bit of a problem right now regarding internal and 2nd party auditor competency. This popped up as a result of renewal audit for IATF 16949.

We have two people who have been trained in some form of auditing from external organizations in the past for ISO 9001, QS 9000, and TS 16949. We grandfathered these certificates as a proof that these people had been trained as internal auditors. These internal auditors were training new internal auditors within our organization and also did internal audits as well, and this never came up as an issue in any of previous audits for 20 years and all audits included review of the qualification and competency in the past, all auditors reviewing the same documents. Suddenly during this audit, the auditor said that these certificates are "too old" and experience doesn't count and apparently the auditor doesn't think we can read either (also the auditor thought that the internal auditor trainee had high potential, but disregarded the two who were training him that they had no competency - but who's training whom???)...enough ranting.

As a part of the corrective action, we are planning to have three internal auditors take AIAG training course for internal auditors (that comes with an exam at the end and certificate issued after completion).

  • But does this external internal auditor training also meet the requirements for the 2nd party auditors? Or for the 2nd party auditors, do you have to take the lead auditor training?

  • We're also planning to have internal auditors take various core tools trainings available from AIAG. These are on-demand eLearning courses which are free of charge to AIAG members, and while they come with certificates of completion, I don't believe exams are included (maybe some quiz at the end to test the understanding of the material). In which case, do we have to take their core tools exams? My understanding was that AIAG hosts these core tools exams quarterly for the 3rd party auditors who need to be certified as IATF 3rd party auditors (and if they cannot maintain them periodically, they lose their certification as the 3rd party auditors), and while anyone can take them, the primary purpose of them was for the 3rd party auditors, not for the internal or 2nd party auditors. Or is my understanding incorrect? It would be nice to have all these certificates, but I just thought these core tools exams were a bit of an overkill for the internal auditors and 2nd party auditors...not to mention we are only a 10-employee small organization (having to have 3 internal auditors is to prevent conflict of interests and auditors not auditing their work, and split up the internal audits)...
This is only the part of corrective actions (direct containment), but we will also be revising the procedures and incorporate what's missing from existing procedures based on what's required in ISO 19011 and clarify the definitions of qualification and competency (and ISO 9000 Fundamentals and vocabularies for definition of competency...).

The question here is not so much of arguing whether external trainings are needed or not - rather which training would be acceptable training for internal and 2nd party auditors?
 

Ashland78

Quite Involved in Discussions
Do you mean 3rd party auditor, like a registrar told you that? I would be interested in knowing the outcome of this. What clause did this go against?

When I hear 2nd party auditor, I think of another auditor that is from a different location/sector but same company.

I may be interested in a private dm.
 

John C. Abnet

Leader
Super Moderator
these certificates are "too old" and experience doesn't count
Good day @Crimpshrine13,
The auditor's statements are unprofessional, not based on the rules that auditors are to follow. Unless there is an OEM CSR that applies to your organization (GM comes to mind as one that has specific auditor requirements), then the only requirement for internal auditors is...
- Competent
- Impartial

If indeed you are speaking about 3rd party issued nonconformance, then your organization should appeal.

If you're so inclined...


Hope this helps.
Be well.
 

Golfman25

Trusted Information Resource
Sounds to me like you have a lazy auditor. Training does not equal competency. What evidence did the third party auditor cite to indicate lack of competency? Have you reviewed your internal auditor competency with the requirements in 7.2.3 and sanction interpretations (or 7.2.4 for second-party auditors)?

We had an auditor once who hit us with the same thing -- "lack" of training because we didn't record that the auditors read thru the new version of the standard; as if they couldn't read it when they did their audits. Complete joke. We have also had auditors who wanted to see our internal people go thru the same suffering they went thru to get lead auditor certification.
 

Crimpshrine13

Involved In Discussions
Do you mean 3rd party auditor, like a registrar told you that? I would be interested in knowing the outcome of this. What clause did this go against?

When I hear 2nd party auditor, I think of another auditor that is from a different location/sector but same company.

I may be interested in a private dm.
This was against 7.2.4.

The 2nd party audits are for audits of suppliers, etc. We audited our parent company because they have total breakdown of the quality system and constant customer complaints and quality issues, which triggered another NC for 2nd auditor competency. This 2nd party audit we did last year produced 28 findings and they're so incapable of fixing them correctly (they only do superficial fixes, but they don't know how to fix from the real root cause) and I'd been rejecting the corrective actions, which left these NCs open for so long, which backfired on us that we were leaving these open too long. :confused: When it is a parent company and not a supplier outside of your organization, there isn't much options other than keep working with them unfortunately. On the other hand, our parent company that is constantly getting customer complaints finally got IATF certification last year after 3 or 4 attempts of failed stage 1 audits, but they still continue to make bad parts, and they still maintain IATF certificate this year, and I am 200% certain that all 3rd party auditors audit differently, some are very biased, some are more neutral, some are only interested in certain things and dig much deeper than just doing random sampling, some are too lenient and not issue NC over something that should be a NC, some make NCs minor when it really should be major. Including this auditor, they insist they audit the same way "to the standard," but they don't, and as this was also mentioned in the other thread, too, a lot of auditors put too much of personal opinions.

In this case, of course the auditor wouldn't say that the certificates were too old on the report (because that is only her opinion), but she did verbally say that they were too old. As I am going through the standard again and reading word to word, maybe it was her inability of better communicating the issue and the certificates being "too old" was not the whole point, but that she didn't like that we only grandfathered the internal auditors based on the past internal audit training certificates, but actually not "reverifying" the competency.
 

Crimpshrine13

Involved In Discussions
Good day @Crimpshrine13,
The auditor's statements are unprofessional, not based on the rules that auditors are to follow. Unless there is an OEM CSR that applies to your organization (GM comes to mind as one that has specific auditor requirements), then the only requirement for internal auditors is...
- Competent
- Impartial

If indeed you are speaking about 3rd party issued nonconformance, then your organization should appeal.

If you're so inclined...


Hope this helps.
Be well.
She was definitely unprofessional in terms of her attitude. She came with this attitude as if she knows everything and we know nothing.

As I am going through the standard again and reading word to word, maybe it was her inability of better communicating the issue and the certificates being "too old" was not the whole point, but that she didn't like that we only grandfathered the internal auditors based on the past internal audit training certificates, but actually not "reverifying" the competency. She made it sound like as if we must take external training courses for IATF specific, but I think it was more of the verification of competency that she thought that we were lacking. But because of her poor communication style, it made it sound in a wrong way. We found a few other items in the report that were also incorrect so I will be making an appeal.
 

Crimpshrine13

Involved In Discussions
Sounds to me like you have a lazy auditor. Training does not equal competency. What evidence did the third party auditor cite to indicate lack of competency? Have you reviewed your internal auditor competency with the requirements in 7.2.3 and sanction interpretations (or 7.2.4 for second-party auditors)?

We had an auditor once who hit us with the same thing -- "lack" of training because we didn't record that the auditors read thru the new version of the standard; as if they couldn't read it when they did their audits. Complete joke. We have also had auditors who wanted to see our internal people go thru the same suffering they went thru to get lead auditor certification.
I was going over 7.2.3 and 7.2.4 again, which made me think that what the auditor wanted to make her point was not so much of the past certificates being too old (which she did verbally say), but more so that we were not reverifying the competency of those who had been previously trained in internal audits. But then, how do we reverify the ability of being able to audit? If audit records are not good enough, then only route we can go would be external training with exams.

We had also been cited for the 2nd party auditor competency, too for the same reason.

Does the 2nd party auditor require the lead auditor training?

While these external trainings can be helpful and somewhat assuring, it is also a money grabbing business, too unfortunately. So are the standards (and now it has become stricter and stricter with copies) that even if you have the original copy, you can't copy a page for internal purpose either - the pdf versions even don't want to be opened on a separate computer even though the user is the same so I have to login and open it in the browser or buy hard copies, or you have to buy corporate subscription for $1,600, which is not practical for a company of 10... Maintaining IATF is becoming more costly each year.
 

Golfman25

Trusted Information Resource
I was going over 7.2.3 and 7.2.4 again, which made me think that what the auditor wanted to make her point was not so much of the past certificates being too old (which she did verbally say), but more so that we were not reverifying the competency of those who had been previously trained in internal audits. But then, how do we reverify the ability of being able to audit? If audit records are not good enough, then only route we can go would be external training with exams.

We had also been cited for the 2nd party auditor competency, too for the same reason.

Does the 2nd party auditor require the lead auditor training?

While these external trainings can be helpful and somewhat assuring, it is also a money grabbing business, too unfortunately. So are the standards (and now it has become stricter and stricter with copies) that even if you have the original copy, you can't copy a page for internal purpose either - the pdf versions even don't want to be opened on a separate computer even though the user is the same so I have to login and open it in the browser or buy hard copies, or you have to buy corporate subscription for $1,600, which is not practical for a company of 10... Maintaining IATF is becoming more costly each year.
NOBODY has to have "training." They need to be COMPETENT. Period, end. My son graduated a few years ago with a business degree in Info Systems. During the course of his studies he went to accounting "training." Learned just enough to "pass the test." Today, couldn't account himself out of a wet paper bag. He's trained, but far from competent.

Bottom line, did your auditor cite any evidence of lack of competency -- and to do so, they would need to review the internal auditor's work product to make any statement at all. Do you have records of their competency, i.e., reviews of their work?
 

Crimpshrine13

Involved In Discussions
NOBODY has to have "training." They need to be COMPETENT. Period, end. My son graduated a few years ago with a business degree in Info Systems. During the course of his studies he went to accounting "training." Learned just enough to "pass the test." Today, couldn't account himself out of a wet paper bag. He's trained, but far from competent.

Bottom line, did your auditor cite any evidence of lack of competency -- and to do so, they would need to review the internal auditor's work product to make any statement at all. Do you have records of their competency, i.e., reviews of their work?
I think the auditor was upset by the fact that we didn't have the greatest control plan with PFMEA (which I knew and had started working on AIAG CTS software earlier this year), therefore she decided that we did not have enough knowledge in core tools, which she also thought that we weren't competent as internal auditors. I believe one of the triggers was also when MPA was done, PFMEA was not reviewed therefore that the internal auditor was competent.

Which brings back to the original question - how do we verify the competency of core tools...? At this point she thinks the external training was the only thing that can prove her that we have competency (she was pushing for it).
 

Golfman25

Trusted Information Resource
I think the auditor was upset by the fact that we didn't have the greatest control plan with PFMEA (which I knew and had started working on AIAG CTS software earlier this year), therefore she decided that we did not have enough knowledge in core tools, which she also thought that we weren't competent as internal auditors. I believe one of the triggers was also when MPA was done, PFMEA was not reviewed therefore that the internal auditor was competent.

Which brings back to the original question - how do we verify the competency of core tools...? At this point she thinks the external training was the only thing that can prove her that we have competency (she was pushing for it).
Like I said, lazy auditor. Get your certificate and you'll magically become competent. :)

Each core tool has a blue book. You could read and study the book. Then work on applying it to your application. Ask a few questions here, and eventually it will all fall in place.
 