Why Competence Is the Foundation of Every Audit
When an internal audit produces a finding that no one takes seriously, or when an auditor walks away from a process without spotting an obvious gap, the root cause is almost always competence. Not bad luck, not a difficult auditee, not a poorly written checklist. Competence.
On this page
ISO standards are explicit about this. Whether you are auditing against ISO 9001, ISO 14001, or ISO 45001, the standard expects that the people conducting your internal audits are actually capable of doing the job. Not just trained, not just certified, but genuinely competent to plan, conduct, and report on an audit in a way that adds value to the organisation.
This article breaks down exactly what ISO expects from internal auditors, how competence is defined and evaluated, and what you need to do to build and demonstrate it in practice.
What ISO Standards Actually Say About Internal Auditor Competence
The primary reference for internal audit competence sits in two places: the relevant management system standard itself, and ISO 19011, which is the guidelines document for auditing management systems.
The Clause 9.2 Requirement
Every major ISO management system standard contains a clause on internal audits, typically Clause 9.2. ISO 9001:2015 Clause 9.2.2 states that the organisation shall select auditors and conduct audits to ensure objectivity and impartiality of the audit process. The same requirement appears in equivalent form in ISO 14001 and ISO 45001.
The standard does not specify exactly what qualifications or training an internal auditor must have. That is deliberate. ISO leaves it to the organisation to determine what competence is appropriate, based on the complexity of the processes being audited and the maturity of the management system.
What the standard does require is that the selection of auditors is intentional and documented. You cannot simply assign whoever is available. You need to be able to demonstrate that the people conducting your internal audits are capable of doing so objectively and effectively.
What ISO 19011 Adds to the Picture
ISO 19011 is the guidelines document that shapes how audits are planned, conducted, and managed. Clause 7 of ISO 19011 deals specifically with auditor competence, and it is where the real detail lives.
The standard describes competence as a combination of knowledge, skills, and personal attributes. It also identifies that competence needs to be evaluated, not just assumed. The updated ISO 19011:2026 edition reinforces this further, with additional guidance on how competence should be assessed and maintained over time.
For a deeper look at how ISO 19011 shapes audit practice, see our article on how the ISO 19011 guidelines shape modern audit practice.
The Three Dimensions of Auditor Competence
ISO 19011 breaks competence down into three interconnected areas. Understanding all three helps you see why a one day training course is rarely enough on its own.
Knowledge
An internal auditor needs knowledge in several areas. The first is the standard itself. You cannot audit conformance to ISO 9001 if you do not understand what ISO 9001 requires. This sounds obvious, but it is surprisingly common to find internal auditors who have attended a brief awareness session and are now expected to conduct full audits. Awareness is not the same as audit knowledge.
Beyond the standard, auditors need knowledge of audit principles and methodology. This includes understanding the difference between a finding, an observation, and a nonconformity, how to sample records effectively, how to plan an audit, and how to write a report that communicates clearly.
Auditors also need knowledge of the processes and activities they are auditing. This does not mean they need to be subject matter experts in every area. It means they need enough understanding to ask the right questions and recognise when something does not add up.
Skills
Knowledge alone does not make someone a competent auditor. Skills are what allow you to apply that knowledge in the field.
The critical skills for internal auditors include interviewing, which is the ability to ask open questions, probe for detail, and draw out accurate information from auditees without putting words in their mouths. Evidence gathering is another core skill, covering how to sample documents and records, what constitutes objective evidence, and how to link evidence back to the audit criteria.
Auditors also need strong observation skills. The ability to walk through a workplace and notice what is actually happening, rather than what people say is happening, is one of the most valuable things an experienced auditor brings to an audit.
Report writing rounds out the practical skills. A finding that cannot be clearly communicated is a finding that will not get fixed. Auditors need to write with enough precision that the auditee understands exactly what the nonconformity is, what evidence supports it, and what clause it relates to.
Personal Attributes and Behaviour
ISO 19011 also identifies a set of personal attributes that contribute to auditor competence. These include ethical conduct, open mindedness, diplomacy, observational awareness, and the ability to remain objective under pressure.
This is the dimension of competence that is hardest to train and easiest to overlook. An auditor who becomes defensive when challenged, who avoids raising difficult findings to keep the peace, or who forms conclusions before gathering evidence is not competent regardless of their qualifications. Integrity and impartiality are not soft extras. They are central to what auditing is.
How Organisations Typically Evaluate Internal Auditor Competence
ISO requires that auditor competence is evaluated. This is one of the areas where many organisations fall short. Having a training record is not the same as having a competence evaluation.
Common Evaluation Methods
The most straightforward approach is formal training followed by a practical assessment. An internal auditor course that includes role plays, audit exercises, and a written assessment gives you documented evidence that the person has been tested against defined criteria, not just sat in a room for a day.
Beyond initial training, organisations can evaluate competence through observed audits. A more experienced auditor accompanies the new auditor and assesses their performance against defined criteria. This is sometimes called a witness audit, and it is one of the most reliable ways to evaluate whether someone can actually conduct an audit rather than just describe how it should be done.
Peer review of audit reports is another practical method. Reviewing the quality of findings, the accuracy of evidence references, and the clarity of reporting gives you ongoing evidence of whether auditor competence is being maintained.
The Competence Matrix Approach
Many organisations use a competence matrix to document and track internal auditor competence. The matrix typically lists auditors in rows and competence criteria in columns, with ratings or evidence references in each cell. Criteria might include knowledge of the standard, audit planning, interviewing, report writing, and relevant technical knowledge for the areas being audited.
This approach works well because it makes competence visible and auditable. When an external auditor asks how you select and evaluate your internal auditors, you can point to a documented, current matrix rather than saying something vague about training records.
Specific Competence Requirements for Different Standards
While the general framework applies across ISO 9001, ISO 14001, and ISO 45001, each standard has areas that require specific knowledge from internal auditors.
ISO 9001 Internal Auditors
Auditors working against ISO 9001 need to understand the process approach and how it applies to the organisation. They need to be comfortable auditing quality objectives, customer satisfaction monitoring, management review, and the control of nonconforming outputs. A working understanding of risk based thinking and how it connects to planning and operational controls is also essential.
ISO 14001 Internal Auditors
For ISO 14001, auditors need specific knowledge of environmental aspects and impacts, compliance obligations, and how the organisation has identified and evaluated its significant environmental aspects. Understanding the lifecycle perspective and how it applies to the organisation's activities is also important. Auditors without this background can easily miss significant gaps in the environmental management system.
ISO 45001 Internal Auditors
Auditing against ISO 45001 requires a solid understanding of hazard identification, OH&S risk assessment, and the hierarchy of controls. Auditors need to know what to look for when reviewing operational controls, contractor management, and worker participation. The ability to walk a site and assess whether controls are actually in place and effective, rather than just documented, is particularly important in a safety context.
Common Gaps in Internal Auditor Competence
After conducting hundreds of external certification audits, there are patterns that appear repeatedly when internal auditor competence is insufficient. These are worth knowing so you can address them proactively.
Auditing Against Documents Rather Than Requirements
One of the most common issues is auditors who check whether procedures exist and whether people are following them, without ever asking whether the procedures actually address the requirements of the standard. This produces audits that confirm compliance with internal documentation but miss systemic gaps in the management system itself.
Avoiding Difficult Conversations
Internal auditors who work alongside the people they are auditing often find it uncomfortable to raise significant findings. The result is audits that produce a string of minor observations and opportunities for improvement, while the real issues go unrecorded. This is not just a competence problem. It is a structural problem that relates to auditor independence. But it is also a behaviour that competent auditors learn to manage.
Insufficient Sampling
Auditors who look at one or two records and conclude that a process is conforming are taking a significant risk. Competent auditors understand sampling principles. They know that the number of records they review should reflect the volume of activity, the risk associated with the process, and any prior audit history. A single record rarely tells you whether a process is consistently effective.
Weak Nonconformity Writing
A nonconformity that says something like
procedure not followedwithout identifying the specific requirement, the specific evidence, and the specific gap is almost useless. The auditee does not know what to fix, and the corrective action will likely be superficial. Competent auditors write findings with enough precision that the root cause can be investigated and a genuine corrective action developed.
For practical guidance on writing findings that hold up, see our article on how to write a nonconformity report that actually gets fixed.
Maintaining Competence Over Time
Competence is not a one time achievement. ISO 19011 is clear that auditor competence needs to be maintained and developed on an ongoing basis. Standards are revised. Organisations change. New risks emerge. An auditor who was competent three years ago may not be competent today if they have not kept pace with changes in the standard or in the organisation.
Continuing Professional Development
Auditors should be engaging in regular continuing professional development. This might include attending refresher training when a standard is revised, reviewing audit findings from external certification audits to see what the certification body is finding, or participating in industry forums and professional networks.
For those pursuing formal auditor certification through schemes like Exemplar Global or IRCA, ongoing CPD is a requirement for maintaining registration. But even for internal auditors who are not pursuing formal certification, the principle is sound. Auditing is a skill that degrades without practice and development.
Regular Audit Activity
One of the most effective ways to maintain auditor competence is simply to audit regularly. Auditors who conduct one internal audit per year will struggle to maintain the skills and confidence that come with regular practice. Where possible, internal auditors should be given enough audit activity to keep their skills sharp.
If your organisation is too small to support regular internal audit activity, consider whether your auditors could participate in supplier audits or cross functional audits in areas outside their usual work. Both provide valuable audit practice and contribute to competence development.
Documenting Competence for Audit Purposes
When an external auditor reviews your internal audit programme, they will almost certainly ask about internal auditor competence. Being prepared for this question means having documented evidence that is current, specific, and credible.
At a minimum, you should be able to produce training records showing the courses completed and the outcomes achieved, a record of the audits each internal auditor has conducted, any competence evaluations or observed audit assessments, and evidence of ongoing development activity.
The documentation does not need to be elaborate. A simple training record combined with an audit log and a brief competence assessment is sufficient for most organisations. What matters is that it is genuine, current, and demonstrates that competence has been actively managed rather than assumed.
If you are building or rebuilding your internal audit programme and want to think through the structure, our article on how to build an internal audit programme from scratch covers the key decisions you need to make.
Getting Formal Training Right
For most organisations, formal training is the starting point for internal auditor competence. The question is what kind of training is actually worth doing.
A good internal auditor course will cover the requirements of the relevant standard in enough depth that participants understand not just what the clauses say but what conformance looks like in practice. It will include audit methodology, covering planning, conducting, and reporting. It will involve practical exercises, role plays, and some form of assessment. And it will be delivered by someone who has actually conducted audits, not just someone who has read the standard.
One day awareness courses and short online modules have their place in building general understanding, but they are not sufficient on their own to develop internal auditor competence. If you are selecting training for your internal auditors, look for courses that are structured around practical application and that provide a recognised outcome.
At Audit Workshop, our internal auditor training courses for ISO 9001, ISO 14001, and ISO 45001 are designed specifically for practitioners. They are built around real audit scenarios, delivered by a lead auditor with over 14 years of field experience, and structured to develop the knowledge, skills, and confidence your internal auditors need to conduct audits that actually drive improvement. Both live and self paced options are available, so your team can complete training in a way that fits around operational commitments.
