Competency of Internal Auditors

Internal audits are an important aspect of certification and are required by several different sections of the R2v3 Standard:

• Core Requirement 3 (b) requires internal audits to be conducted at least annually to verify conformance with the facility’s Environmental Health and Management System and each R2 requirement
• Core Requirement 4 (d)(3) requires periodic internal audits of the facility’s legal compliance plan
• Core Requirement 7 (c)(3) requires internal data security and sanitization audits to be conducted at least annually

For internal audits to be effective, they must be conducted by someone with the right competencies. The auditor must have the knowledge and experience necessary to understand the R2 requirements, and to evaluate whether the facility is meeting those requirements.  Simply giving an employee a checklist and assigning them to do an internal audit will not be effective unless that person has sufficient knowledge of the processes and procedures they’re auditing.

Competency of the auditor can be achieved by a combination of training, hands on experience, and ongoing education.  SERI recommends that individuals who will be conducting internal audits take the R2 Lead Auditor Course and pass the final exam.   Additionally, internal auditors should complete a training course on the fundamentals of auditing.  And for internal auditors in the United States, OSHA training can be a great place to start for EH&S auditing.

The required competency for an internal auditor will vary from organization to organization, depending on the complexity of the organization’s scope and legal requirements.  It may be that a single person within the organization is qualified to audit all areas, or it may be that multiple auditors will be needed – each with their own area of competency.

Facilities need to keep in mind that the body of knowledge needed to conduct an effective internal EH&S compliance audit is different than the knowledge needed to conduct an effective internal R2 audit or data security audit.  For example, an EH&S auditor is expected to be knowledgeable in areas such as storm water management regulations, air quality, respiratory protection, noise, and industrial hygiene monitoring, but that same auditor may have no knowledge of data sanitization and would not have the expertise needed to conduct a data security audit.  When determining who will be conducting internal audits, it is helpful to create a matrix of the requirements, including various regulations applicable to the organization, and determine who has the qualifications to audit each area.

One of the many benefits of an effective internal audit, is that it can help facilities identify and correct areas where the facility is not conforming to R2 requirements.  By correcting these issues in advance of the certification body audit, a facility can avoid non-conformances that may result in delays or lapses in certification, suspension, or even revocation of the facility’s certification.   When planning your internal audit, it’s very important to allow enough time to implement the necessary corrective actions prior to the certification body audit.)    Additionally, using a competent internal auditor that is knowledgeable about regulatory requirements can minimize the risk of violations and non-compliance penalties.

The Bottom Line:  To demonstrate competency of internal auditors, a facility must be able to demonstrate that the auditor(s) are knowledgeable about the area(s) they audit, understand how R2 and EH&S requirements apply to the facility’s specific operation, and be able to identify any non-conformances that may exist.