I have run into the realism that there is nothing to spare us the agony and pain of developing our own system that works for us including determining our requirements for IA, in this case, as well as methods for determining competency and pushing back, to the extent neccesary, against the EA.
Ah yes, you've got it. There is no simple cookbook, nor a 'one size fits all magic box' - you do have to create it. But I urge you not to think of it as all 'agony and pain' - the
process of getting there is important - I'd say almost as important as the actual being there. Because that's one of the things that strengthens you as an organisation.
part of our efforts to streamline our systems has been to do any with what I refer to as 'ISO speak' in favor of words we regularly use. It's been remarkable to see the buy-in we get when we use terms that we intuitively understand, the "we" being everyone from the top to the bottom. Like keeping IAs focused, we have to keep ourselves focused on activities that add value.
Again yes! As you've already noticed, the more it's your system, the better, and the less you indulge in ISO speak, the better. It has to make sense to the people who do it every day, not just be written for the 2 days a year (or however many) that it's audited. A competent auditor should - indeed will - not have any trouble translating your company's language into 'ISO speak' where need be. Yes, you (or a few people) need to understand it too, obviously, but not everyone has to be beaten over thehead with it.
Re. competency, Andy's comment is a very astute one:
The concept and practicalities of how competency are demonstrated are often misunderstood by people. So, it's often easier for auditors to look for the simple things like training.
He is so right. But good auditors - really competent auditors! - know better. Stay focused on what the requirements actually ask for and what they actually say. The old version used to simply require 'training' (and didn't ask for evaluation of same, as I recall). Any auditor simply following that line is now very out of date.
One would think that the previous audits including the methodology and the same auditors determination that the audits were effective would have been reasonably enough to determine competency....
My frustration is that using a lead internal auditor who didn't pass the exam was better, according to our 3rd party auditor, than one who clearly demonstrated competency (in my opinion) but had not 'experienced' formal training specific to the standard. It occurs to me that this is one of the sorts of situations that allows an organization to satisfy the 3rd party auditor at some risk of compromising the qms.
We are planning to have people trained for Internal Auditing 'specific to the standard' and will probably include our consultant, if for no other reason, to make sure this isn't an issue in the future.
Do you need to have people trained 'specific to the Standard?' If the Standards' requirements are embedded into your system, perhaps you more need them to be trained in your system and auditing requirements... I don't know. But based on what you say, the auditor definitely sounds somewhat off-base. It could well be worthwhile asking for, and having a discussion with his technical manager/whatever they call the role - no need to challenge, more a 'hey, I'd like to understand if this is the generally accepted view of your organisation, because it seems a little off base to me' type of thing. Because I would argue strongly (with virtually every other auditor in the Cove, I think) that the intent - and the wording! - of ISO 9001 sure as hell is NOT to have someone accepted as "OK' simply because they have the training record but are NOT competent and that the Standard itself absolutely does NOT support that kinda erroneous conclusion.
Keep reminding yourself that it's
your system and make it work for you. You may need to revisit how you've defined auditor competency.