Internal vs. external audit training course differences?

[Peter West]

I have just come off of an Internal EMS Auditor course and on review, despite the fact we were constantly told "it is different for an external audit" I feel that I am more aware of what I need to do as an external auditor and not internal.

We touched upon correct procedure for introduction, site tours and the auditing investigations, however none of it came across as being internal (i already know the people who I will be meeting when carrying out audits - all of our offices are offices, not factories etc so this seemed unrelated to any internal pratice I have, and the auditing investigations were made out as from a viewpoint of someone who is not of the company).

I realise objectivity is essential but after this course i feel i am more ready to audit someone else's EMS and not our own. Does this ring a bell with any of you following training?

 

[Helmut Jilling]

I have just come off of an Internal EMS Auditor course and on review, despite the fact we were constantly told "it is different for an external audit" I feel that I am more aware of what I need to do as an external auditor and not internal.

We touched upon correct procedure for introduction, site tours and the auditing investigations, however none of it came across as being internal (i already know the people who I will be meeting when carrying out audits - all of our offices are offices, not factories etc so this seemed unrelated to any internal pratice I have, and the auditing investigations were made out as from a viewpoint of someone who is not of the company).

I realise objectivity is essential but after this course i feel i am more ready to audit someone else's EMS and not our own. Does this ring a bell with any of you following training?

I just answered a similar discussion in another thread. Yes, you are right. A well designed internal audit program should look and feel a lot different than an external audit program. The raw materials are the same, but the end product should be tailored for internal.

I offer a well developed internal audit training. However, I doubt you would want to fly from the UK to attend it. If you are interested, maybe we could work out a way to have you use the course materials on your own, and still get a lot of value from it. I think it would do a very good job of filling in what you are missing.

Send me a private email if you'd like, and we could discuss it.

 

[AndyN]

I have just come off of an Internal EMS Auditor course and on review, despite the fact we were constantly told "it is different for an external audit" I feel that I am more aware of what I need to do as an external auditor and not internal.

We touched upon correct procedure for introduction, site tours and the auditing investigations, however none of it came across as being internal (i already know the people who I will be meeting when carrying out audits - all of our offices are offices, not factories etc so this seemed unrelated to any internal pratice I have, and the auditing investigations were made out as from a viewpoint of someone who is not of the company).

I realise objectivity is essential but after this course i feel i am more ready to audit someone else's EMS and not our own. Does this ring a bell with any of you following training?

You have identified a significant weakness (Helmut and I totally agree on this) in training of auditors!

Most courses available today use external audit techniques/protocols etc. as their basis - with the result that it drives some really strange behaviours for internal auditors.

For example, the Lead Auditor course (RABQSA) I taught had 10 'Open Meeting Agenda' topics, including 'Security', 'Confidentiality', 'Impedements' etc.

What a joke! If the internal auditor isn't 'cleared' for security purposes, can't be shown company confidential information and doesn't know of the management/union relationship's status, what the h*ck are they doing at the audit? Who assigned them? The Opening Meeting's not the place to find this out!!

I could go on about any number of major differences between what internal auditors should do, which 'outside' training doesn't adequately address, but maybe I'll write a book instead.....

It's high time IRCA or the RABQSA (or maybe someone totally different) took this problem by the horns and set up some criteria for training courses which fully and appropriately conveyed the true nature of the skills and abilities needed to manage and perform effective, management supported internal audits.......

 

[Colin]

I agree, and I think one of the main culprits here is ISO 19011. It purports to be a standard for all audits but is, in my opinion, far more relevant to external audits rather than internal ones.

Even the IRCA registered internal audit course I present has to have some coverage of 19011 and whilst I understand why, I do think that it is just too heavy for internal audits.

 

[Stijloor]

I agree, and I think one of the main culprits here is ISO 19011. It purports to be a standard for all audits but is, in my opinion, far more relevant to external audits rather than internal ones.

Even the IRCA registered internal audit course I present has to have some coverage of 19011 and whilst I understand why, I do think that it is just too heavy for internal audits.

The American version of ISO 19011 (ANSI/ISO/ASQ QE19011S-2004) addresses 1st, 2nd, and "Use by small organizations" audits.

I like this version better.

Stijloor.

 

[Peter West]

I'm glad to see there is a chance that it was not me taking the completely wrong lessons away from the course. It is paid for by the company so will press as much as possible for them to send me to Ohio...I'm not that sure they will agree.

I am a little wary as when i see my boss on Monday and she asks me what I learnt I will end up describing external audit preparation.

Thanks for the input though. It is clear that it is something I need to be wary of as I take my ISO training further.

 

[db]

I agree, and I think one of the main culprits here is ISO 19011.

I do think that 19011 is much better for internal auditing than the old 10011 series was. I remember teaching an internal auditor class (with a previous employer) that was based on the 10011 series. The class mentioned submitting auditor credentials before a board. I don't know of a single internal audit program where the auditors have to go before a board, yet, because the standard mentioned it, the class treated it as an expectation for internal audit programs.

 

[Randy]

I've been busy trying to change IA courses to reflect reality. Whereas the external "Lead" course have to cover all that 19011 jumbo I have been changing the EMS & OHS internal courses to be more relevant to IA type of work. One change is that for internal courses the client is identified as Top management (they need the results of the audit and only they can authorize audit programs and allocate resources) and another is that formal opening meetings are not necessary or even required (informal communication like an email can accomplish what's needed).

Peter is right.

 

[Stijloor]

I've been busy trying to change IA courses to reflect reality. Whereas the external "Lead" course have to cover all that 19011 jumbo I have been changing the EMS & OHS internal courses to be more relevant to IA type of work. One change is that for internal courses the client is identified as Top management (they need the results of the audit and only they can authorize audit programs and allocate resources) and another is that formal opening meetings are not necessary or even required (informal communication like an email can accomplish what's needed).

Peter is right.

Right on Randy!

Too many Internal Audit processes emulate external audits. Including the 30-day corrective action request processing time!!

Yes, we (trainers) should stress more the internal audit process including Top Management as the "beneficiaries."

Other thoughts Covers?

Stijloor.

 

[Sidney Vianna]

Other thoughts Covers?

At the risk of giving Randy ideas...Besides top management, PROCESS OWNERS should also be a target "customer" for the results of internal audits. Over the years, we have had numerous discussions on this. In my opinion, the main detractors from value added internal audits are:

Resources:

• internal auditors are "selected" for the wrong reasons
• many of the people selected to become internal auditors do not have the traits, knowledge and competence necessary for the task, such as professional maturity, knowledge of processes and systems, true knowledge of the applicable standards, etc.

Process:

• Focus on conformance rather than process effectiveness, and, dare I say, efficiency.
• Checklist based
• Disconnected from the performance indicators: customer feedback, processes KPI's, etc.
• not based on status and importance
• inadequate planning
• auditors don't know the expected answers to the questions they ask
• lack of focus on higher risk issues. Waste time on trivial matters, rather than focus on critical issues.
• little time allowed for audits (preparation and execution)

Results:

• Reports are written in ISO-ese or Quality-ese and are not clearly presented as connected from the business objectives, especially from the process owners and top management perspective? For example, what are the business risks, including potential effect on profitability, if we do not have a robust order review process?
• Opinion based, rather than fact based results.
• Trivial issues, with no real business risks being addressed
• Top management disinterest in internal audit results due to the above mentioned.

I could go on and on.....