Hunkered Down for the Duration
I agree and this could be attributed to ISO 9001:2015's distinct intention:
"...retain appropriate documented information as evidence of competence..." has in my lifetime always been a requirement, even when I was an EEG technician in 1969. HR had to have (and "maintain") records such as my high school transcript and my EEG technician certification and training records on file. That was about 50 years ago. My "competence" was largely based up the opinion of the doctor who oversaw my work on a daily basis. I learned to do EEGs by "on the job" training. To get my "technician" certification I had to have a referral from the doctor to be allowed to sit for the "technician" exam. I then took and passed the "technologist" certification test.
To put this in perspective, even back then there were legal liabilities. Quite often EEGs are, or were - things have changed - done to assess "brain death". Hospitals did not just want anyone doing those studies, especially, and had to have evidence that a qualified competent person was doing the EEG, so certification (via a test) was a requirement. The person had to understand both the equipment (back then Beckman Instruments and a company called "Grass" both made EEG machines, and each one was a bit different) and they had to understand the basics of brain electrical activity.
A Grass analogue EEG machine from back in the day. If I remember correctly they sold for something like $10,000 to $20,000 or so.
I’m talking about systems intended to conform to ISO 9001. So, before inviting in a third party auditor, I’m sure you’d agree, the company would be wise to have completed a round or two of internal audits of its system and its system’s processes.
I can say that almost all of my clients had functioning, and typically reasonably effective, quality systems when I started working with them. The most common "gap" was most either did not do internal audits, at least as we think of them, and in an organized way, or they did them poorly.
Auditors (incl a third party’s) ask employees for evidence of system and process effectiveness.
As a sort of disclaimer at this point... When we use a general term such as "employee", there is a big range. I tend to think of auditing in terms of the girl or guy working on the floor, so to speak. They are the most important people to me and is why I always spent significant time working with them on the floor. Supervisors and above I have a certain expectation that they will be appropriately knowledgable, though I have often been wrong in assuming that. Floor personnel are typically the last to know a lot. They don't always sit in on, for example, design and development teams (admittedly in some cases a company is smart enough the include a floor person in their team, but more often, at least in the past, it more typically a supervisor.
When training auditors my company was careful to stress that we audit the system and its processes, not the employees.
Back when I was working with large companies (over 20,000 employees), the first thing I did at the RFQ stage was submit a response in which I offered to visit the company facilities. I would do that at no charge. I could not quote a contract if I didn't know the company. I went over their procedures, talked with some employees, and within a week I would give the customer a quote (there were companies I would NOT work for), a completed gap analysis, and a general report on what I found. Also included was a project plan (I worked with Microsoft Project a lot back then). Bottom line is, I typically knew more about how the company operated as a whole (does interaction of processes ring a bell?) than anyone in the company.
That was typically a 2 week job - A week onsite and a week back at my office to put the entire proposal together. From there I hoped the company would hire me, which wasn't always the case, of course. The contracts I did win did make me some good money. And I swear, I loved working with the companies from boardroom to shop floor.
As an aside: I was never a person to say "I've done X implementations and every company passed first time" or crap like that. My marker was how many nonconformances were found. Many of the companies I worked with came through their registration audit with zero nonconformances. I was, and still am, proud of that.
/old man rant and campfire tales