Competence and reliability of management systems auditors (Part 2)


Welcome again to this blog. In this post I continue with the controversial, but important, topic of the unfortunately common lack of competence of management systems auditors.


As I wrote in the last entry, it is a fact that most of management systems auditors have been trained in a limited way and in that limited way they have also been qualified and certified, and that is why an interesting situation has been generated globally, in which we have thousands of those auditors who have not demonstrated, and apparently a large proportion of them do not have, an adequate level of competence to perform this important function, in accordance with the requirements established by the ISO 19011: 2018 standard.


I have not mentioned this for insulting or disqualifying the currently millions of people who perform this important function, either internally, or as first party, in organizations that have established or are establishing their management systems; externally, or as second party, in those organizations that are evaluated  by their clients, or externally, but as third party, by certification or accreditation bodies, as well as trainers, consultants or independent auditors who provide this type of support.


I am convinced that the majority of management systems auditors, whether or not they have had an appropriate training and / or certification, carry out their role in a professional way, and many of them with great passion for their activity, and therefore help the organizations for which they work, to evaluate whether the management systems they audit are complying with the due requirements and achieving the expected results. I do not have any doubt about that. However, an issue that nobody touches is that the training of a management system auditor is a process that takes many years, among formal education, technical experience in the particular discipline of that management system, specific technical training, both of the corresponding management system standard, and particularly of auditing techniques, as well as active participation in a large number of audits, first as an auditor in training, and later as a qualified auditor, as the case may be, as a lead auditor. And from there, the auditor should continue with their training and constant updating. In fact, you are not a competent auditor because you have attended to one or several auditor training courses.


My doubts about this situation go more towards what may be the effects of having thousands of auditors in office who surely do not have the level of competence according to the ISO 19011: 2018 standard itself. What I have observed in my professional life, in relation to performance of a large number of management systems auditors, is that there are various limitations, such as those indicated below:


a) I start by mentioning that most auditors nowadays do not know well, or do not fully understand, the general elements that make up what a management system is and what a management system standard is, considering obviously that they are not the same concept. It turns out that there are a large number of elements that are part of a management system, in any discipline, that are not identified or established as requirements in the corresponding standard of that management system. Every management systems auditor, in any discipline, should know and understand these differences and perform their role accordingly.


A problem that arises in relation to this limitation is that very few organizations dedicated to the training of professionals in management systems, which is generally considered preliminary course for auditors training, include these topics in their training programs, so in most cases, auditors would have to access this knowledge on their own. It should be clarified that this limitation occurs not only with auditors, but with any professional of management systems.


b) A second limitation that occurs in most auditors that I have met is the lack of knowledge and understanding of requirements of management systems standards. Obviously, I don't mean to say that most auditors are ignorant. What I am referring to is that in most cases, auditors do not have the complete knowledge, or an adequate understanding, of the clauses, sub-clauses and requirements of the support standard of the management system that they are auditing.


Probably the majority of qualified or certified auditors who read this text (hopefully there are many), will think a priori that I am totally wrong in this asseveration. I know that most of them know the full text of the clauses and sub-clauses of the standards of the management systems they audit, and that many of them know very well the text of ISO Annex SL, in which the criteria for identifying and establish the clauses and sub-clauses of many management system standards. However, it is not the same knowing the text of all the clauses and sub-clauses of a standard, than understanding them fully, in the same way that a clause or a sub-clause is not the same as a requirement of that standard, and it is not always true that every time a “shall” term appears in the text of a sub-clause of any standard we should automatically understand it as a single requirement of the same, and unfortunately that is a very common, and wrong, way in which auditors identify and even quantify the elements to be audited in a management system.


In the same way as in the previous point, the problem that arises at a global level is that the majority of organizations providing training on management systems, in their analysis or interpretation requirements programs of the different management systems standards, which are generally also considered as a prerequisite for auditors training, do not provide adequate support to analyse the various requirements of the standards, but rather their own requirements analysis schemes, generally incomplete, but what I consider more serious problem is that they do not include an analysis methodology in those programs, so that the professional in training could carry out this analysis and identification of the standard requirements, during their professional activities. For management systems auditors, it would be a very valuable tool to schedule their audits and, where appropriate, to elaborate the questions in their checklists in a clear and understandable way, both for them and for their auditees.


If the training objective that an auditor knows and understands the requirements of the management system standard in which he/she is specializing is not achieved, there will be launched into the labour market an unreliable person who will systematically carry out his/her audits in an inappropriate manner.


It is not difficult to understand that, in a natural way, the auditor will avoid, during the planning or execution of an audit, those elements, or requirements, that he/she does not understand or in which he/she has doubts. Therefore, for the top management of the organization for which an auditor works, whether for internal or first-party audits, suppliers or second-party audits, or certification or accreditation evaluations, which are third-party audits, it will be extremely difficult to identify those possible deficiencies that are not mentioned either in the checklists or in the audit reports.


Otherwise, if he cannot evade it, the non-competent auditor will tend to consider inappropriate evidence as valid to demonstrate compliance with some requirements, or else to consider as invalid evidence that is appropriate to demonstrate compliance, which in both cases is negative for the audit process, that although these poor performances can be evidenced, it is more difficult to detect it when an element that does not comply with the standard requirement is considered valid, since the audited area or organization will generally not file a complaint for it.


c) Another limitation that we find in a common way, is that many auditors of management systems, could not affirm that the majority, but I do believe they are, have not become aware of the appropriate performance that an auditor should have, in accordance with the principles that identifies the ISO 19011: 2018 standard, nor in the attributes that this standard indicates. That is why there are many cases, and I think most of us know several of them, of auditors who have inappropriate behaviour during the execution of audits, who are arrogant, haughty, unethical, offensive and sarcastic with auditees, who generate conflicts within the audited areas or organizations, creating terror in their wake, or others that, by making them feel that they know everything, provide the auditees with hints or clear recommendations for solutions to the non-conformities that they detect. In all these cases, the auditor detracts from the audit process.


It is difficult to prevent those responsible for the audited organizations or areas from having anxiety or fear facing an audit process, especially if from the obtained result depends on something additional to the management system itself, such as whether the organization is accepted by an important client, or obtaining a certificate. But, if the main cause of that fear is a specific auditor, we may automatically assure that that auditor is incompetent, since that fear that it generates limits the ability of the auditee to provide the correct information. And I have met many auditors who are proud that people fear them.


It is important for us to remember what has been identified in ISO 19011:2018 as the principles of auditing, and that the application of several of them is more dependent on the auditor´s behaviour. In order to remember those principles, I present them to you.



d) An additional limitation, relatively common, is that which refers to poorly trained auditors, that is, those who do not have the necessary competence to carry out an appropriate management of an audit programme, the planning or scheduling of an audit, executing an audit, or reporting properly, truthfully and accurately an audit. If the auditor, either leader or responsible for these activities, does not have that appropriate level of competence, there will be very little value that can be generated with its execution, and that is the reason why thousands of audits of management systems are carried out, in which it may be possible to detect and document some non-conformities, but risk situations that the organization faces are not identified, in terms of the suitability of that management system, much less to identify the level of efficiency of the system or to generate observations that help to strengthen it. This is what prevents the creation of value by the audit process itself.


As we can see, the performance of management systems auditors should be of great concern to many people, in addition to the auditors themselves.


If you are a qualified auditor and are looking for a different and better training program, for increasing you level of competence, I invite you check out the GESTEC´s Master Auditor Program, clicking here. I hope it fulfil your needs and expectations for maintaining your auditor´s qualification.


Based on these limitations that I have mentioned, we could identify the most relevant criteria that should be taken into account by those who evaluate and qualify management systems auditors, and above all, by those responsible for the audit areas for management systems and the auditors themselves, in relation to their ongoing training and maintenance of their qualification.




Ernesto Palomares Hilton