using ISO 17021
by Thea Dunmire
It’s important for auditors to be competent. As stated in subclause 7.1 of ISO 19011:2011—Guidelines for auditing management systems, "Confidence in the audit process and the ability to achieve its objectives depends on the competence of those individuals who are involved in planning and conducting audits …"1 ISO 19011 suggests an evaluation of auditor competence should be an explicit part of an organization’s audit program.
Management system auditor competence is not the same as the competence needed to implement a management system. To use an analogy from the Olympics, the knowledge and skills needed to judge gymnastics are not the same knowledge and skills needed to be a gymnast. To be a competent gymnast, you must have the skills—that is, the athletic ability—to complete the required routines.
The competence required of judges is different: It is the ability to assess an athlete’s skills. Even though judges do not have to perform the routines, they must be knowledgeable about what is required. The best judges, however, are often those who have performance experience.
To use another Olympic analogy: It’s not true that an individual who is an excellent judge for gymnastics will be a competent ice skating judge. The knowledge needed to judge athletic performance is sport-specific. Similarly, an individual who is a competent environmental management systems (EMS) auditor may not have the appropriate competencies to audit quality management systems (QMS). The knowledge needed to be a competent auditor is discipline-specific.
A recurring criticism of third-party certifications of management systems has focused on auditors’ competence, or the perceived lack of it. Although this is sometimes raised as a concern about the auditing skills of an individual, it is more often associated with a lack of the discipline-specific expertise needed to adequately evaluate an organization’s management system implementation.
The International Organization for Standardization (ISO) has developed standards that set out competence requirements for conducting third-party quality, environmental, and occupational health and safety management system (OHSMS) audits.
These standards—ISO 17021-1, 17021-2 and 17021-10, respectively—are part of the standards portfolio from ISO and the Committee on Conformity Assessment (CASCO). They are being developed as joint projects between CASCO and the ISO project or technical committee that developed the discipline-specific management system specification standards.
The ISO 17021 series of standards sets out requirements for conformity assessment organizations—that is, certification bodies. In this respect, these standards are different from the guidelines set out in ISO 19011. ISO 19011 provides guidance with regard to generic criteria that could be used to select auditors for internal (first-party), supplier (second-party) and certification (third-party) audits. The ISO 17021 standards are, instead, specific for third-party audits, and they are requirements, not suggestions.
ISO 17021-2, 17021-3 and 17021-10 are intended to be discipline-specific supplements to the general auditor competence requirements set out in ISO 17021-1:2015—Conformity assessment, Requirements for bodies providing audit and certification of management systems—Part 1: Requirements. Annex A.2 of ISO 17021-1 lists generic competence requirements for all management system auditors. These requirements include:
- Knowledge of generic audit principles, practices and techniques.
- Knowledge of the standard being certified to.
- Note taking, communication, interviewing, report writing and presentation skills.
- Audit management skills (the capability of conducting an audit that meets the audit objectives within the agreed time frame).
- Knowledge of the certification body’s audit processes and procedures.
The auditor also is required to have knowledge about the business management practices and processes for the technical sector in which the audit is being performed, such as aerospace or banking.
In addition, the auditor must have sufficient knowledge about the types of products being made and processes being audited for the auditor "to understand how such an organization can operate, and how the organization can apply the requirements of the management system."2
Requirements for QMS auditors
A draft revision of ISO 17021-3:2013—Conformity assessment, Requirements for bodies providing audit and certification of management systems—Part 3: Competence requirements for auditing and certification of quality management systems was issued for comment on July 19. The final revision of this standard is expected to be published before the end of 2016.
The draft international standard (DIS) version (ISO/DIS 17021-3) sets out additional competence requirements for QMS audit teams in these areas:
- Fundamentals, vocabulary, principles, practices and techniques of quality management.
- QMS standards and normative documents.
- Context of the organization—that is, business-sector knowledge to determine whether an organization has appropriately identified its issues and needs, the expectations of interested parties, and the scope and applicability of the organization’s QMS.
- Client products, services, processes and organization.
Subclause 5.2 of ISO/DIS 17021-3 lists several quality management areas in which an audit team is required to have knowledge. These include knowledge of:
- The process approach and plan-do-check-act cycle.
- Applying risk-based thinking.
- The structure and interrelationships of documented information and quality management-related tools, methods, techniques and their applications.3
The standard sets out these examples of quality management tools and techniques: process mapping, improvement tools such as Six Sigma, statistical techniques, measuring of processes and root cause analysis.
ISO/DIS 17021-3 focuses on audit-team competence and states: "It is not necessary for each individual to have the same competence, however, the collective competence of the audit team needs to be sufficient to achieve the audit objectives."4
This is a fundamentally different approach from that proposed in ISO 17021-2 or ISO 17021-10. A focus on audit-team competence may obscure what competence is actually needed by individual auditors. Note that in a one-person audit team—which is common in certification audits—individual auditors would need all of the listed audit-team competencies.
In addition to ISO 17021-3, there are other standards and additional competence requirements for individuals performing QMS audits in specific industry sectors, such as aerospace and food safety.
Requirements for EMS auditors
A draft revision of ISO 17021-2:2012—Conformity assessment, Requirements for bodies providing audit and certification of management systems—Part 2: Competence requirements for auditing and certification of environmental management systems was issued on May 5 for comment. The final revision of this standard also is expected to be published before the end of 2016.
ISO/DIS 17021-2 sets out these additional competency requirements for EMS auditors:
- Knowledge of environmental terms, definitions and concepts.
- Knowledge and skills to determine whether an organization has identified its context.
- Knowledge of techniques for identification and assessment of environmental aspects and impacts, including site-related factors that might influence an organization’s environmental impacts.
- Knowledge of methods for determining risks and opportunities, and how these methods apply in an organizational context.
- Sufficient knowledge to determine whether an organization has determined its compliance obligations.
- Knowledge of processes for operational control.
- Knowledge of life-cycle concepts and the application of a life-cycle perspective.
- Sufficient knowledge to determine whether an organization has identified potential emergency situations and planned relevant responses.
- Knowledge and skills related to auditing the communication of environmental information.
- Knowledge of environmental performance evaluation, including metrics, monitoring and measuring techniques.5
A unique feature of ISO 17021-2 is that it also includes aspect-specific competence requirements for EMS auditors. The standard requires the certification body to define specific competence criteria for its auditors in these areas:
- Emissions to air.
- Releases to land.
- Releases to water.
- Uses of raw materials, energy and natural resources.
- Energy emissions.
- Waste generation.
- Use of space (facility issues).
OHSMS auditor requirements
ISO 17021-10—Conformity assessment—Requirements for bodies providing audit and certification of management systems—Part 10: Competence requirements for auditing and certification of occupational health and safety management systems is currently being drafted. The first working draft of the standard was released for comment in May.
Unlike the quality and environmental standards, ISO 17021-10 is new—not a revision of an existing standard. It’s expected to be published concurrently with the publication of ISO 45001—Occupational health and safety management systems, Requirements with guidance for use.
The current draft of ISO 17021-10 sets out these additional competence requirements for OHSMS auditors:
- Knowledge of occupational health and safety (OHS) terminology and concepts.
- Knowledge for assessing whether an organization has identified its context.
- Knowledge of processes for worker participation and consultation.
- Sufficient knowledge for determining whether an organization has identified, applied and assessed its compliance with applicable legal and other requirements.
- Knowledge necessary for assessing an organization’s identification of its hazards and determination of the OHS risks and opportunities that must be addressed.
- Knowledge of reasonably foreseeable emergency situations and appropriate responses.
- Knowledge of relevant OHS performance evaluation methods, including the use of performance indicators.
- Knowledge of incident investigation processes.
- Knowledge of leadership roles and the impact of culture on OHSMS performance.
Because ISO 17021-10 is a working draft, it should be noted that these auditor competencies are likely to be revised, and additional competencies may be added.
ISO 17021 standards and auditor certification
There are many management system auditor training programs and auditor certification programs available. Just as ISO does not certify management systems, ISO does not recognize specific auditor certifications.
Many of the existing certification programs do use the ISO 17021 standards as a framework for the development of their auditor certification criteria, but there is no requirement to do so. Management system certification bodies also are not required to use auditors with a specific auditor certification. Accredited certification bodies are required to ensure their auditors are competent, not that they are certified.
Certification on its own is not sufficient to show auditor competence. Certification is simply one qualification that can be used when evaluating auditor competence.
ISO 17021 standards require that auditors also have technical knowledge appropriate to the technical sector in which they are performing audits, such as petroleum refining, food processing and electronics assembly. In addition, they are required to have knowledge about the organization they are auditing.
These areas of expertise are not typically part of an auditor certification program. In other words, there is no one-to-one relationship between competence and certification.
Why ISO 17021 competency requirements matter
Because the ISO 17021 auditor competency requirements are applicable only to auditors performing third-party management system audits for certification bodies, you might ask why organizations should care about the requirements set out in the ISO 17021 standards.
The first reason is that organizations should be aware of the areas of competence that are required for their certification auditors. This helps manage expectations, including an understanding that certification auditors are not, and shouldn’t be, management system consultants.
Certification auditors are not partners in designing and implementing an organization’s management system. Like Olympic judges, the certification auditor’s role is assessing performance, not coaching those who are competing. The role of the auditor is to determine whether the organization has established and implemented a management system that meets the requirements set out in a particular standard.
The second reason is that the ISO 17021 standards can be used by organizations that want to improve their internal audit programs. They can consider whether the competency criteria set out in these standards are appropriate for them. This is particularly true for organizations that have corporate audit programs. It may also be particularly relevant for organizations that want to self-declare their conformance to an ISO management system standard.
Auditor competence is important, multifaceted and organization-specific. There are few, if any, individuals who would be competent to audit any management system in any organization anywhere in the world against every management system standard.
Each auditor’s competency must be assessed for the type of audit he or she is tasked with performing. It is important for organizations to make sure that those performing audits on their behalf are competent to do so.
- International Organization for Standardization (ISO), ISO 19011:2011—Guidelines for auditing management systems.
- ISO, ISO 17021-1:2015—Conformity assessment, Requirements for bodies providing audit and certification of management systems—Part 1: Requirements, annex A.2.6.
- ISO, ISO 17021-3:2013—Conformity assessment, Requirements for bodies providing audit and certification of management systems—Part 3: Competence requirements for auditing and certification of quality management systems.
- ISO, ISO 17021-2:2012—Conformity assessment, Requirements for bodies providing audit and certification of management systems—Part 2: Competence requirements for auditing and certification of environmental management systems.
Thea Dunmire is the president of ENLAR Compliance Services in Largo, FL. She has participated internationally in the development of multiple International Organization for Standardization (ISO) standards. She is currently the chair of the ANSI Z1 auditing subcommittee, which focuses on alignment of auditing requirements across the ISO management system standards. She is an environmental attorney with more than 30 years of environmental, health and safety experience.