77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
QM auditor in Germany: role, qualifications and tasks in the ISO 9001 audit
Quality Management

QM auditor in Germany: role, qualifications and tasks in the ISO 9001 audit

18 June 202613 min readBy Dr. Henrik Bauer
CIVAC

The QM auditor checks whether the quality management system according to ISO 9001:2015 is actually being implemented. This article explains qualifications, types of audits, obligations and the interface to the quality management representative in industrial and service companies.

The QM auditor is the person who checks a quality management system according to ISO 9001:2015. The standard requires in Section 9.2 a documented internal audit program that assesses the conformity and effectiveness of the system. External audits are carried out by accredited certification bodies according to ISO/IEC 17021-1, whose auditors are listed with DAkkS or an equivalent accreditation body. In Germany, the ISO Survey 2023 counts around 40,000 valid ISO 9001 certificates, which makes the QM auditor one of the quantitatively most important auditor roles.

This article differentiates the QM auditor from related roles, describes the required qualification according to ISO 19011, lists the types of audits and their practical significance, explains the process of an audit from planning to reporting and shows, how the QM auditor in a medium-sized company works with the quality management representative and the management. The focus is on operational reality, not on standard prose.

Key Takeaways

  • ISO 9001:2015 Section 9.2 requires a documented internal audit program conducted by a qualified and independent QM auditor.
  • The qualification is based on ISO 19011 and includes specialist training, auditor training, documented audit participation and continuous further training.
  • The QM auditor is organizationally independent of the area being audited; the quality management representative has operational responsibility for the QMS.

What a QM auditor does and who needs him

The QM auditor checks whether the quality management system meets the requirements of a reference standard and whether it is effective. The reference standard is usually ISO 9001:2015, but can also be an industry-specific extension, such as IATF 16949 for automotive, ISO 13485 for medical devices or AS 9100 for aerospace. The audit is carried out through audit discussions, samples from records, inspections and follow-up of processes.

Three types of audits are relevant in practice. First auditors audit their own company, i.e. the internal audit according to Section 9.2 ISO 9001:2015. Second-party auditors audit a supplier on behalf of a customer. Third-party auditors test on behalf of an accredited certification body and award the certificate. The three types of audit each require their own qualification profiles and different independence rules.

In medium-sized companies there are typically one or two internal QM auditors in addition to the quality management representative. Larger corporations maintain an audit team of five to fifteen people who rotate across multiple locations and standards. The role definition belongs in the job description, the order is documented by management. You can find a classification of the role under Quality Management Officer (QMB). CIVAC is a compliance platform and officer-as-a-service.

Qualification according to ISO 19011: What an auditor actually has to be able to do

ISO 19011:2018 is the authoritative standard for auditing management systems. It describes audit principles, audit programs and competence requirements for auditors. A QM auditor requires basic professional training, specialist training in quality management, auditor training of at least 40 teaching hours, documented participation in audits under supervision and professional experience in quality management of at least five years for external auditors. In practice, the requirements are graded depending on the type of audit; an internal auditor in a small company has to prove less than a DAkkS-accredited certification auditor.

Auditor training is not arbitrary. Accredited training providers in Germany include DGQ, TÜV, DEKRA and Beuth-Verlag. Successful training ends with an exam and a certificate. This is followed by personal certification as an auditor, for example by the DGQ or a personnel certifier according to DIN EN ISO/IEC 17024. The personnel certification is renewed regularly; a three-year cycle is usual with documented further training of at least 40 hours per period.

In addition to the formal qualification, practical behaviour is also important. ISO 19011 identifies eight audit principles, including integrity, fair presentation, due professional care, confidentiality, independence, evidence-based approach, risk-based approach and neutral reporting. These principles are not decorative. An auditor who conceals a clue or softens a finding violates the standard and jeopardizes certification. The supervision of the personnel certifiers examines behavioral complaints in individual cases and can revoke the certification.

Audit program: How the QMB draws up the audit plan

ISO 9001:2015 Section 9.2.2 requires a documented audit program. The program determines which areas are audited and at what frequency, which auditors are deployed, which audit criteria apply and how the results are reported. A three-year cycle is usual, in which every requirement of the standard and every area of ​​the company is checked at least once. The cycle is documented in an audit matrix that shows the area, standard section and auditor in a table.

Risk-based focal points have been mandatory since ISO 9001:2015. Areas with high risk, such as production with safety relevance, procurement with single sourcing or customer service after an accumulation of complaints, are audited more frequently and more deeply than areas with low risk. The audit plan responds to findings from the previous year, to significant changes and to the results of the management review. An escalation clause in the program regulates when unscheduled audits are triggered, for example after frequent complaints or a product recall.

The audit plan is a living document. The QMB updates it after each round of audits, reviews it annually with management and adapts it when new processes, new locations or new standards are added. The update is documented with the date and reason. CIVAC runs the audit program in the workspace with versioning, assignment to the 490 audit templates and automatic reminder function. The auditor calls, the evidence is ready.

Audit execution: opening, spot checks, closing discussion

An audit begins with the opening meeting. The QM auditor introduces himself, explains the audit objective, audit scope and audit criteria, clarifies the confidentiality rules and agrees on the procedure. The opening will be recorded. In practice it lasts 20 to 30 minutes and creates the basis for a factual conversation later on. The list of participants is recorded with the date and signature as it is part of the later audit dossier.

The sample is the central instrument. The auditor selects orders, complaints, proof of training or process runs and checks them against the standard. Example: When auditing procurement, the auditor selects ten current orders from the ERP system and tracks them from the request through the supplier evaluation, the incoming goods inspection to the release of payment. Deviations are noted, evidence is secured, statements are documented with quotes. The sample size depends on risk and frequency; the standard does not specify a general minimum number.

The final meeting presents the findings to management and those responsible for the process. Findings are classified: major deviation, minor deviation, recommendation. A major deviation blocks certificate issuance. The audit report follows in writing within an agreed period of time, usually ten to fourteen working days. The action planning is carried out by the audited area and is tracked by the QMB. The effectiveness of the measures is verified in a follow-up test before the process is completed.

Distinction between QM auditor and quality management representative

The two roles are often mixed, but they must be strictly separated. The quality management representative is responsible for the development, maintenance and further development of the QMS. He creates the documentation, conducts the management review, coordinates external audits and manages the audit program. The QM auditor checks the system in which the QMB works. A staff union is possible, but problematic because it endangers independence.

ISO 9001:2015 has formally removed the term representative of top management; the function remains in practice. According to Section 5.3, responsibility for the QMS lies with top management; operational maintenance is typically delegated to the QMB. A written order is common, even if the standard no longer explicitly requires it. The appointment certificate, signed, filed, verifiable.

The QMB is not allowed to audit his own work in the internal audit. The independence rule of the standard forces role rotation or the involvement of an external auditor. Medium-sized companies often solve this through a mutual audit with a sister company or by using an external audit partner for critical processes. CIVAC provides both the role of quality management officer and external auditors in the Officer-as-a-Service model.

External certification audits: Stage 1 and Stage 2

An external certification audit takes place in two stages. Stage 1 is a documentation audit with a site inspection. The auditor checks the manual, documentation, audit program, management review and readiness for Stage 2. If he finds significant gaps, Stage 2 is postponed. Stage 1 takes half a day to two days, depending on the size of the company.

Stage 2 is the operational audit. The auditor follows processes on site, checks records, interviews employees and compares the system in use with the documented standard. The duration depends on the IAF Mandatory Documents, in particular IAF MD 5, which specify audit days per number of employees and risk category. A company with 250 employees typically receives four to five audit days.

The certificate has a term of three years. A surveillance audit is carried out in each of the two following years, and the recertification audit is carried out in the third year. Findings are classified and must be closed within 30, 60 or 90 days depending on their severity. Evidence is maintained via an audit tracking system. CIVAC links each finding with the owner, deadline, receipt and verification and provides the auditor with the closing history at the next appointment in one click.

Interfaces to other management systems and audits

A QM auditor rarely works in isolation. ISO 9001:2015, ISO 14001:2015, ISO 45001:2018 and ISO/IEC 27001:2022 share the high-level structure according to Annex SL. The management, planning, support and improvement clauses are harmonised. In integrated management systems, audit work is consolidated: one audit team, one audit plan, one audit report for all standards. The advantage is particularly evident in medium-sized companies where human resources are limited.

Consolidation saves audit days and reduces duplication of work in documentation. An integrated audit of ISO 9001 and ISO 14001 reduces overall audit time by approximately 25 to 35 percent compared to two separate audits. The prerequisite is that the auditor has professional qualifications for both standards or a mixed audit team with a clear distribution of roles. The certification body confirms the consolidation in the audit planning, the number of days is regulated in IAF MD 11.

Industry-specific extensions create additional requirements. IATF 16949 requires auditors who are certified according to the automotive special rules, ISO 13485 for medical devices requires auditors with documented experience in the regulated area, AS 9100 for aviation requires the additional qualification path of the International Aerospace Quality Group. Anyone testing in a regulated industry needs both qualifications, the basic standard and the industry extension. Others run compliance like a filing cabinet. We run it like software.

Fee rates, market structure and typical engagements

The fee rates for QM auditors in Germany will move within a clearly defined corridor in 2025 and 2026. Internal auditors as permanent employees are paid according to collective agreements or outside collective agreements; gross annual salaries are usually between 55,000 and 85,000 euros, depending on experience and industry. External auditors as freelancers work at daily rates between 900 and 1,600 euros net, accredited third-party auditors work through certification bodies at rates between 1,400 and 2,200 euros per audit day.

A typical individual engagement includes between three and ten audit days. A complete round of internal audits in a medium-sized company with 200 employees takes eight to twelve days throughout the year. Preparation, reporting and follow-up are additional costs; there is usually a surcharge of 30 to 50 percent on top of the audit days alone. A supplier audit according to ISO 9001 or IATF 16949 usually takes one to two days on site plus preparation and follow-up.

The market structure is characterized by medium-sized companies. Individual experienced auditors work freelance, small consulting companies bundle auditors into a team, and the large certification bodies such as TÜV, DEKRA, DQS and LRQA maintain their own audit pools. The choice depends on the purpose. A freelance auditor with industry experience is suitable for internal audits, a consulting company with a standardised audit report format is often suitable for supplier audits, and a DAkkS-accredited certification body is mandatory for certifications.

Turn reading into an assignment

The QM auditor ensures that the quality management system not only exists in the documentation, but also works in everyday life. The standard alone doesn't move anything. Only regular auditing, honest identification of deviations and tracked action planning turn a QMS into a living system. Anyone who treats the auditor as a nuisance loses the greatest leverage for improving processes.

CIVAC is a compliance platform and officer-as-a-service. The workspace includes the audit program, the 490 audit templates, the ISO 9001 clause matrix, the findings and action tracking, the appointment certificates for QMB and auditor as well as the ISO/IEC 27001:2022 ISMS layer for the protection of audit data. The platform runs under EU data residency. Licence the workspace for your internal representatives, or have our representatives order it.

Turn reading into a mandate. Write to info@civac.de or use the contact form. An experienced QM auditor will contact you within two working days with a scoping discussion, a suggestion for the next round of audits and a list of gaps in preparation for the next external certification audit.

FAQ

What training does a QM auditor need in Germany?

Basic professional training, specialist training in quality management, 40-hour auditor training with an accredited provider such as DGQ, TÜV or DEKRA as well as documented audit participation under supervision are common. For external certification auditors, there is also a personnel certification according to DIN EN ISO/IEC 17024, which is renewed regularly.

Can the quality management representative also be an internal QM auditor?

Restricted. ISO 9001:2015 requires in Section 9.2 the independence of the auditor from the area being audited. The QMB is not allowed to audit its own documentation. In smaller companies, this leads to role rotation, mixed audit teams or the use of an external audit partner for critical processes.

How often do internal audits need to be carried out?

The standard does not specify a fixed cycle, but requires that all relevant areas and all requirements be audited in a planned cycle. A three-year program is common, in which every requirement of the standard and every organisational area is checked at least once. High-risk areas are audited more frequently.

What is the difference between an internal audit and a supplier audit?

The internal audit serves for your own self-examination and preparation for the certification audit. The supplier audit is a second-party audit that a company carries out on one of its suppliers, often based on a supplier code of conduct or a quality assurance agreement. Both types of audit follow ISO 19011, but differ in terms of client, reporting obligation and consequences.

What fees are standard for external QM auditors?

Freelance QM auditors bill daily rates between 900 and 1,600 euros net in 2025 and 2026, accredited certification auditors between 1,400 and 2,200 euros per audit day. Preparation and follow-up typically increase the overall effort by 30 to 50 percent compared to the pure audit days on site.

Can an external auditor replace the role of the QMB?

No. The QMB has operational responsibility for the QMS, the auditor checks the system. The roles are different and should not coincide in one person. The Officer-as-a-Service model provides an external QMB who assumes operational responsibility while internal or other external auditors conduct the audit.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles