What a skills matrix needs to pass an ISO 9001 competence audit
A grid of names and checkmarks is not evidence. Here is what an auditor actually opens it looking for.
ISO 9001 does not require a skills matrix. It requires you to determine the competence each role needs, prove the people doing the work have it, act when they do not, and keep the records. A matrix passes when every checkmark points to a date, a signature, and a piece of evidence, and when it was reviewed recently enough to be believed.
The auditor asks who is signed off to run the CMM, and someone opens a spreadsheet. There is a green cell next to a name. The auditor asks how you know that person is qualified. The room goes quiet. That pause is the finding. A skills matrix is not the requirement, it is a claim, and the audit is about whether the claim has evidence behind it.
First, the clause: 7.2, formerly 6.2.2
Competence lives in clause 7.2 of ISO 9001:2015. Many shops still call it 6.2.2 because that was its number in the older 2008 revision, and old procedures carry the old label. Same idea, renumbered. The standard never says the word matrix. Clause 7.2 asks you to do four things: determine the competence needed for the work that affects quality, ensure those people are competent on the basis of education, training, or experience, take action where a gap exists and check that the action worked, and retain documented information as evidence. That is it. The matrix is just the popular way to make those four things visible on one page (ISO 9001:2015).
What the auditor is actually testing
An auditor does not grade the matrix on how pretty it is. They pick a name and a task, and they follow the thread. Is there a defined level of competence for that task, so a checkmark means something specific and not just familiar with it. Does the rating trace to evidence, a training record, a sign-off, a certificate, a witnessed job, with a date and who approved it. Was competence verified rather than assumed, because attended a course is not the same as can do the job unsupervised. And when someone was not yet competent, is there a record of the action taken and proof it closed the gap. A matrix that survives this is a set of links to real records. A matrix that fails is a wall of green with nothing underneath.
Why most matrices fail
Two failure modes cover most findings. The first is stale. The matrix was filled in for the last audit and has not moved since, so it shows a new hire as unrated and a leaver as still current. An auditor spots a date that has not changed in a year and knows the document is decorative, not live. The second is hollow. The cell says qualified but there is no record behind it, so it is an assertion, not evidence, and the clause specifically asks for retained documented information. A green cell with nothing to open is the single most common competence nonconformity, and it is entirely avoidable.
What a passing matrix has that a spreadsheet does not
A passing matrix defines each competence level in plain words, so trained versus qualified versus can train others is not a guess. Every rating carries the evidence, the date it was earned, and who approved it, one click away. It flags expiry, because forklift and crane tickets and some weld and inspection qualifications lapse, and an expired cert reading as current is a finding waiting to happen. It shows the gaps honestly, since an auditor trusts a matrix that admits three people still need training far more than one where every cell is green. And it has a review date that is recent, because the matrix has to be a living record of who can do what today, not a snapshot from last spring.
Where a system beats a spreadsheet
A spreadsheet can hold all of this. The problem is that it does not maintain itself. Someone has to remember to attach the training record, update the cell when a ticket expires, and refresh the review date, and that someone is busy running the floor. This is the people side of CitrusWeb Works, our AI-native manufacturing platform. A competence rating links to the record that backs it, expiries raise a flag before they lapse, and the last-reviewed date is right there on the page. When the auditor picks a name and a task, you open the record instead of the silence. Works does not decide who is competent, that is your call to make and to sign. It keeps the evidence attached so the claim holds up.
The honest version
No tool passes your audit for you, and any vendor who says otherwise is selling. Competence is a judgment a qualified person makes and stands behind. What software can do is make that judgment defensible, by keeping the evidence attached, the dates current, and the gaps visible. Build the matrix so every checkmark has a record you can open in front of the auditor, keep it reviewed, and the audit stops being a scramble. It becomes a walk through what you already know is true.