Competence and reliability of management system auditors (Part 1)



Dear reader, welcome to this blog where issues related to management systems based on standards are analyzed and discussed. I hope you can find valuable information for you.


In this post, as well as in the next one, we will address the issue of the relative lack of competence, as well as the relative lack of reliability, of auditors of management systems based on standards, according to how this situation is presented under the internationally accepted training schemes for those auditors.  


As you surely are aware, in recent years there has been an explosive growth in management system standards issued by the International Organization for Standardization (ISO). There are currently 45 management system standards of the so-called “Type A”, which are those that establish requirements and are, for that reason, certifiable, and 33 of these standards use the so-called “High-level structure” (HLS) or harmonized structure (i.e. clause sequence, identical core text and common terms and core definitions) provided in Annex SL, Appendix 2 of the ISO/IEC Directives, Part 1. This is intended to enhance alignment among ISO and IEC management system standards, and to facilitate their implementation for organizations that need to meet the requirements of two or more such standards. This leads us to consider all the benefits that could be generated by the application of so many standards of these management systems. However, we must also consider the problems and limitations that will be facing the already millions of organizations around the planet, which are using these management systems based on standards.


We currently have dozens of organizations accrediting other organizations as certification bodies for products and services, for management systems or for people. Among these, there are hundreds of organizations that are dedicated to the certification of management systems. Similarly, there are thousands of people or organizations that provide consulting and training services in management systems based on standards, and there are tens of thousands of people who carry out audit activities, whether internal or external, as well as evaluations for certification or accreditation.


All of these individuals and organizations provide support services to millions of organizations that have established and operate management systems in accordance with ISO management system standards.


Although we currently have this vast universe of organizations, services providers and management system standards, which from my point of view is very important and valuable, in this entry I am going to address a topic that I consider to be very delicate, but which has an enormous importance for the proper use of management system standards, as well as for the well-being of those organizations that use them, of all those who provide consulting and training services, and also of the certification and accreditation bodies on which depends the reliability of conformity assessment schemes. I am referring in this post to the competence and reliability of auditors of management system based standards.


It should be a permanent concern for top managers and those responsible for staff training and the establishing, operating, auditing and certification of standardized management systems in all types of organizations. This time I am referring to the auditors of management systems based on standards and the reliability that they should generate with their performance.


Imagine a General Manager or a CEO of an organization who has devoted considerable resources to establish and operate a management system based on standards, be it quality, environmental, occupational health and safety, food safety, among many others, or either a system made up of two or more of these disciplines. This establishment and operation of the system naturally entails the generation of a certain amount of documented information, of conserved evidences, the appropriate training so that its personnel can carry out their activities reliably in relation to their management system, application of large amounts of resources, including hiring of support services, acquisition of equipment, software, time for learning in the management of the new required activities, among many other elements.


Then comes the time when the operation of that management system begins, and linked to this, the internal audit program should be elaborated, approved and executed, and then, most likely, the appropriate negotiations are carried out to receive, in addition, possible audits on behalf of some of its customers, and if they plan to, also receive audits, or evaluations, by a certification body.


All the leadership exercised, as well as the time, effort and all the other resources invested in the establishment, operation and, where appropriate, maintenance of this management system, will depend, in a very important way, on the results of those audits that will be carried out to that system.


From the results of some of these audits, confidence may or may not be generated within the organization, that the system is being operated appropriately and that it complies with the organization's requirements and with the management system(s) standard(s) used, or that adjustments and corrective actions are required; in the same way, the results of some other audit could depend on getting, maintaining or losing a customer; Similarly, from the results of another audit or evaluation, could depend obtaining, maintaining or losing a certification for that management system.


Considering this situation, do you not think that it would be worrying for that manager and for all the people involved in these processes and in this entire management system, if the auditors who were to carry out these audits, whether first, second or third party, had or not the level of competence enough to generate reliable results?


This is a topic that should be of enormous interest to all of these people. However, curiously, in practice it is not. It seems that nobody cares about. It’s indeed difficult to understand this situation, but I will try to explain it why this condition has arisen.


In parallel to all this growth that has occurred worldwide and that I have already mentioned, about management system standards, organizations establishing these management systems, consultancy and training services providers, certification and accreditation bodies, there has been a big growth of franchised programs for the training and certification of management systems auditors, which apparently would be solving this problem of reliability of this type of auditors.


Based on this growth and the acceptance of these auditor training and certification programs, the vast majority of organizations, both those that have already established or are establishing management systems, as providers of consulting and training services, as well as the same certification and accreditation bodies have relied almost completely on the competence of those auditors trained and certified under these schemes.


This whole system looks very interesting and its elements apparently fit together very well. On the one hand we have a growing demand for trained and certified management systems auditors, and on the other we have a relatively small group of organizations that control these auditors training and certification schemes. They are complementary supply and demand schemes, and apparently everyone is happy.


However, from my point of view, there are still some serious limitations in this system. On the one hand, organizations which have established or are establishing standards-based management systems require reliable internal auditors for establishing their internal audit programs, either for one or more management systems, for executing those scheduled audits, and for performing its follow up. The common problem these organizations face is that they mostly lack the ability to assess the level of competence of these auditors, either for a single discipline, or in terms of integrated management systems, so they have to blindly trust the qualifications or certifications presented by the auditor candidates.


This situation is aggravated if we consider that most organizations that provide these auditor training programs do so impersonally, taking care to provide only the information that they must provide in accordance with their franchise conditions, generally related mainly to the ISO 9001: 2015 standard, sprinkled with a little of ISO 19011: 2018, but generally without worrying much about the learning that those who participate in these programs can acquire. The same is true of the certification schemes for these auditors. They are generally based on what the provider of training services has included in its training programs, as well as some evidence from audits carried out by the candidate, but often without making a formal evaluation of the knowledge, experience, skills and attributes that should have an auditor in his/her field of activity.


Just to give you an idea, these are the main elements of competence for management systems auditors established by the ISO 19011: 2018 standard.



Were you evaluated taking all these elements into consideration? I hope so, although I doubt it.


This generates that in a very common way, qualified or certified auditors who have not demonstrated having an appropriate level of competence, in accordance with the elements of auditor evaluation established in the aforementioned ISO 19011: 2018 standard, enter the labour market. By the way, a person could be able to study deeply this standard, he or she could be able to memorize it and even recite the whole text, but that does not make him/her an auditor and, much less, a reliable one.


If this we add the fact that many of these auditors are certified after taking a simple training course on elements of any management system standard and the ISO 19011: 2018 standard, as auditors in training, which theoretically means that the auditor should have sufficient knowledge, although still without the necessary experience and without having been evaluated his /her skills and aptitudes required so that he /she can have a reliable performance. And knowing the elements of ISO 19011: 2018 standard is not all the knowledge an auditor requires.


Then imagine that most of the organizations that are operating management systems hire this type of auditors-in-training, but supported with a certificate as auditor, to schedule and execute their internal audits. Would you trust any of them for those functions?


And if you see this scheme as something not so beneficial, it would still be necessary to consider that it has fallen into a series of bad habits, both to provide that training, and to evaluate the level of competence of the auditors, which has been led us to, I consider, a generalized indolence, within which the level (mediocre or low) of the auditors who are being hired by organizations that operate management systems, as well as by certification and accreditation bodies, is taken for granted. This indolence, or lack of interest, has promoted to have now, from my personal estimate, that about 80% of management systems auditors, worldwide, who are currently executing and following up on audits, with roles as auditors or lead auditors, do not have the full level of competence required to perform those functions.


You may view this estimate as somewhat exaggerated and misguided, right? Well, it really isn't.


I hope you don´t think that I am against successful businesses, much less in conformity assessment. However, in terms of training and recognition, qualification or certification of management systems auditors, it has fallen into an oligopoly, that is, in a few organizations, many of them disguised as "international" organizations, which have significant control on this market. By itself, this control would not necessarily be negative, but if this limited competition facing a demand of explosive growth leads to a deficient training and evaluation of auditors, and in turn this deficiency in training becomes incompetence of trained and certified auditors and their lack of reliability, then it is an important limitation for this entire system of standardization and conformity assessment of management systems.


This is the reason why we have created the specialized training program “Master Auditor of quality management systems”. If you are interested in learning about this proposal, click here. The objective is that an already qualified auditor can increase their level of competence, increasing both their knowledge and the necessary skills in accordance with ISO 19011: 2018. We hope that in a short time it will open up to other disciplines, so that all auditors will be able to access a training scheme that significantly reinforces their level of competence, in addition to take advantage of the experience that they are generating when carrying out their role


In the next entry I will present to you what are the main limitations faced by auditors of management systems who do not have an appropriate level of competence.




Ernesto Palomares Hilton