But if a packaging supplier shares a certificate to an ISO or NSF standard that covers the requirements for the scope of a supplier audit why do i still need a full audit report.
Short answer: because clause 3.5.1.2 says you do
The full report will allow you to understand what was actually covered in the audit.
If you have a copy of the standard and can show that it covers all of the requirements detailed in the clause then just having the certificate might work in theory (but obviously isn't permitted by the standard), but broadly it is expecting the audit to cover the equivalent to the GFSI-schemes, so one has to wonder - how many schemes are their that aren't GFSI benchmarked but do meet the full requirements? (At least in terms of publicly available certification standards)
My second issue is how in this case would I demonstrate competence of the auditor. Wouldn't that be implied if he was sent by the certifying agency or am I going to need a certificate of the person that did the audit?
I've always read this clause as being written primarily with your own auditing in mind, so for example a supplier audit by you, one of your colleagues, an external party you've commissioned, where it would be feasible and indeed necessary to verify/demonstrate competence and relatively easy to obtain evidence.
Whether you can obtain this from your suppliers for the relevant auditors is a question you'd have to pick up with them. I've no idea what the position is in the US, but in Europe I could imagine this being viewed as a potential data protection issue and the audit bodies not being able to release training details for individual auditors. They may be able to provide some sort of general statement on auditor training/experience requirements though?
But if a packaging supplier shares a certificate to an ISO or NSF standard that covers the requirements for the scope of a supplier audit why do i still need a full audit report.
Just a thought, but what risk status have you assessed these suppliers as?
If they're low risk then why not go down the questionnaire route instead?
Worth remembering that for determination of risk status you can take into account trading history and nature of the materials, so if this is longstanding suppliers etc then it might be possible to build up a defendable position on this. Similarly whilst e.g. ISO9001 alone isn't sufficient, that doesn't mean that you can't take it (without needing the full audit report, the auditor's inside leg measurement and social security number etc...) into account as a mitigating factor in your risk assessment calculation. In fact we do exactly this - ISO22k, ISO9001, HACCP, SALSA etc may not be GFSI benchmarked, but they're certainly better than nothing so our overall supplier risk score includes weightings for these.