by Greg Hutchins

Why have so few companies registered to ISO 9001:2000? In its July 2002 ISO 9000 survey, Quality Digest reported "the actual figure [of companies that have transitioned] is probably 8 to 10 percent." Companies now have barely more than a year to change to the new standard. One major reason for the slow response might be that ISO 9001:2000's perceived value isn't sufficiently compelling in these slow economic times.

One solution for easing the transition to ISO 9001:2000 is to conduct value-added audits. What is value-added auditing? According to the Institute of Internal Auditors' Web site (www.theiia.org), it's "a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes." Value-added auditing is so hot that the New York Stock Exchange and the Securities and Exchange Commission now require value-added audits of more than 17,000 listed companies.

Change and more change

It's no exaggeration to say that dramatic changes have occurred recently in business. Enron, WorldCom and a number of other companies have collapsed. The U.S. government has passed laws requiring financial disclosure. And on Aug. 1, 2002, the New York Stock Exchange began requiring all its listed companies to have an internal audit function.

There have been many changes in the quality world as well. Companies are transitioning to a major standard revision: ISO 9001:2000. The Registration Accreditation Board, which certifies quality and environmental management systems auditors, strengthened its policies regarding consulting and auditing independence.

Quality auditors and internal auditors have noticed a new emphasis on analytical auditing that involves process audits, risk and/or control assessments, and other forms of effectiveness assessments. Generally, this trend is called value-added auditing.

So what?

Why should quality auditors and the rest of us in the quality profession pay attention to value-added auditing?

We're now officially in a recession, and senior managers don't want surprises. They and their boards of directors are thinking, "Do we have sufficient information and assurance of operational effectiveness internally, as well as with our supply partners, to make robust decisions?"

Internal auditing departments are responsible for conducting value-added audits. Because of recent legislation concerning corporate governance, these reports often go directly to the board of directors' audit committee and indirectly to the chief financial officer. (See Internal Auditing Reporting Relationship.)

Steve Jameson, the Institute of Internal Auditors' director of technical services, recently had this to say about the new regulations coming out of Congress, the SEC and the NYSE: "Requiring public reporting on internal controls is the grand prize that the internal audit profession has sought for years. The U.S. Congress has now mandated that requirement. The IIA standards and the IIA's value-added mindset for the profession support and promote internal auditors as the key organizational resource for providing assurance about internal controls to the [board of director's] audit committees and management."

Our quality audits go directly to a first- or second-level manager. But as quality professionals, we want to make a difference with our quality reports. Will we be most effective by conducting quality management system assessments that go to a first-level manager, or will we add more value by collaborating with internal auditing to provide consolidated audit reports to the board of directors' audit committee? The latter is the obvious choice.

Value is in the eye of the beholder

All organizations exist to add value to their stakeholders. But this elusive quality can mean different things to different stakeholders. To shareholders, "value" means raising the stock price. To senior management it means operational effectiveness. To boards of directors, it means no surprises. To regulatory authorities, value means compliance to laws.

In order to provide value, quality auditors should be able to assess:

Operational and quality effectiveness

Business risks

Business and/or process controls

Process and business efficiencies

Cost reduction opportunities

Waste elimination opportunities

Corporate governance effectiveness

Internal Auditing Reporting Relationship

Value-added auditing defined

Many people think that internal auditing focuses primarily on financial audits. The Institute of Internal Auditors developed a definition of auditing that introduces various elements of value-added auditing:

"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes."

We can infer a number of value-added auditing "best practices" from that definition. Value-added audits aim to:

Provide independent and/or objective operational analysis

Examine every function, process and activity of an organizational and external value chain

Help an organization achieve its business strategies and objectives

Follow a systematic and disciplined approach in its assessment

Evaluate and improve the effectiveness of risk management, control and governance processes

Where quality and internal auditing converge

Quality and internal auditing are converging around the theme of value-added auditing. The RAB and leading ISO standards registrars are spearheading the drive to provide higher levels of transparency, assurance and, ultimately, value to quality audit reports.

North America's top registrars are also emphasizing value. "With today's stock market volatility, investors want higher assurance of company performance," says Tom Harris, managing director of AOQC Moody International. "Quality auditors must evaluate management systems and processes not only in terms of compliance to a standard but, most important, to analyze their effectiveness. Companies must develop mission-critical objectives and then hold process owners accountable for the measurement, control, analysis and improvement of their systems and processes. AOQC Moody International is rapidly moving in this direction."

"Last May, RAB's Auditor Certification Board approved new language on auditor independence for all RAB auditor certification programs," says Bob King, president and CEO of RAB "Specifically, there must be a period of at least two years between any consulting an auditor does for an organization and any auditing he or she performs for the same organization. As more is being said and written on the topic of value-added auditing, we want to make sure our auditors have a very clear sense of the line between auditing and consulting."

Actually, quality auditors already conduct value-added audits. Let's take a closer look at these, which include:

Compliance audits

Process audits

Risk assessments

Internal control assessments

Self-assessments

Consulting

Compliance audits

The key elements of a compliance audit can be gleaned from the

ISO 9001:2000 definition, which characterizes an audit as a "systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled." Audit criteria, according to the same source, are a "set of policies, procedures or other requirements against which collected audit evidence is compared." Likewise, audit evidence consists of "records, statements of fact or other information relevant to the audit and which are verified."

Most of us are familiar with compliance audits through ISO 9001 requirements. Fundamentally, they're documentation reviews that result in a binary decision, i.e., compliance or noncompliance. If there's noncompliance, then the auditor will issue a corrective or preventive action request.

Compliance audits add value to governmental agencies and to commercial organizations that mandate contractual or regulatory compliance. They're probably the easiest audits to conduct because the requirements are already written, and less auditor discretion is required.

Process audits

ISO 9001:2000's biggest compliance challenge is determining how to conduct a process audit to demonstrate "effectiveness." Most quality and ISO standards pundits think that an effectiveness audit implies some type of process audit. Although there's still confusion and little standardization about how to conduct a plan-do-check-act process audit, the following are practical steps:

1. Identify business objectives

2. Flowchart processes

3. Identify critical process inputs and outputs

4. Evaluate process procedures, records and documentation against ISO 9001:2000 requirements

5. Evaluate process metrics against business objectives

6. Analyze metrics to determine process stability and capability

7. Improve performance through intervention and preventive and/or corrective actions

In addition, process audits can go beyond evaluating the effectiveness of ISO 9001:2000 quality management system clauses and evaluate supply-chain processes against internal business objectives and external business benchmarks.

Risk-assessment audits

As recently as five years ago, quality was the primary filter through which U.S. senior management reached decisions, and customer satisfaction was the critical quality attribute. Then costs and schedules superseded quality as the primary senior-management decision filter. Competing in an increasingly aggressive business environment meant being first to market, first to critical mass and paying attention to other time elements.

Sept. 11 changed all that. Risk and its management is now the primary filter by which management makes its decisions. This is why risk audits will become more critical to organizational operations.

The acronym ORCA is a common organizational risk-assessment methodology. It requires that organizations:

Identify business objectives

Identify operational and other risks

Define business or other controls

Assess the effectiveness of the business process to satisfy objectives and manage risks

Once this risk assessment is conducted, senior and operational management can develop strategies to manage risks and execute business decisions. Risk management strategies include:

Avoidance

Mitigation

Acceptance

Diversification

Control

Internal control assessments

The following excerpt from IBM's 1998 annual report illustrates the importance and purpose of internal controls:

"IBM maintains an effective internal control structure. It consists, in part, of organizational arrangements with clearly defined lines of responsibility and delegation of authority, and comprehensive systems and control procedures. To assure the effective administration of internal control, we carefully select and train our employees, develop and disseminate written policies and procedures, provide appropriate communication channels, and foster an environment conducive to the effective functioning of controls."

Internal control is the fundamental idea underlying the entire financial and operational structure of the organization--as indicated by IBM's chairman of the board and chief financial officer signing the statement.

According to the Committee of Sponsoring Organizations of the Treadway Commission's Web site (www.coso.org), internal control is a process designed to ensure reasonable confidence regarding:

Effectiveness and efficiency of operations

Reliability of financial reporting

Compliance with applicable laws and regulations

Internal control assessments evaluate these five interrelated elements of effectiveness and value:

Control environment. Senior management sets the tone for vision, mission, quality, ethics, goals and controls. Daily operational control defers to the people who know the process or product--i.e., the process owners.

Risk assessment. Risk management will be the fundamental objective of all managers during the next few years. The preconditions to effective risk management are identified as core processes, stabilized processes, capable processes and controlled process variations.

Control activities. These include the people, policies, suppliers and other factors that ensure risks are identified, monitored and mitigated throughout the project, product or contract lifecycle. Controls may include approvals, authorizations, validation, verification, reconciliation and segregation of authorities.

Information and communication. No information and no communication mean no control. It's that simple.

Monitoring. Internal controls systems and processes must be monitored. It's not enough to recognize that a process is out of control--or worse, noncompliant with a specification or standard. Ongoing monitoring, says COSO, should ensure corrective and preventive actions.

Self-assessments

The workplace modus operandi is moving toward self-managed work teams. Chances are you may be in one or several. Self-managed teams comprise self-directed individuals who accept responsibility for developing schedules, managing quality, controlling costs, upgrading worker skills, assigning work, improving process performance, focusing on results and ensuring that stakeholders are satisfied. Multijob classifications are replaced by one-worker classification. The work environment is open and friendly. Time clocks are eliminated. Compensation is based on pay-for-knowledge, i.e., people are paid on the basis of training, experience, knowledge and value-addition. Workers and process owners are responsible for managing risks and controlling their processes.

Self-managed teams and individuals can assess the value of their work through:

Balanced scorecards

Checklists with ratings

Internal control questionnaires

Team-written procedures and instructions

Process control information such as SPC

Auditors as consultants

Senior management and an organization's board of directors are responsible for risk management and operational control processes. However, value-added auditors can also serve as consultants to assist the organization in identifying improvement opportunities, evaluating risks and implementing risk-management methodologies and controls. This is a major change in internal and other auditing disciplines, where it was assumed that an unassailable firewall stood between the auditor and auditee.

Traditionally, auditors were independent and objective. Independence implied that an arms-length relationship existed between the auditor and auditee. If the auditor provided the auditee with consulting assistance, the prevailing belief held that the auditor's independence might be impaired, although his or her objectivity to the auditee still provided value. The notion of auditor as consultant represents a major change in the Institute of Internal Auditing standards as quality and internal auditors evolve into "business process" assurance and consulting experts.

Value-added audit challenges

ISO 9001:2000 now requires "effectiveness" and process auditing. But how does a quality auditor audit for effectiveness? This is a challenge for all quality auditors, ISO standards registrars and quality consultants. The solution is to perform some form of value-added auditing.

Quality auditors can transition to value-added auditing as long as it's done carefully. Several issues must be understood and addressed:

Open to interpretation. Evaluating effectiveness, risk management and internal controls varies according to how the standards and/or processes are interpreted.

Inconsistent application. Evaluating effectiveness, risk management and internal controls can vary among auditors.

Requires additional auditor skills. Value-added auditing requires profound business, process and people knowledge.

Possibility of additional variation. No consistent and well-established standards and protocols exist for conducting value-added audits.

The future of value-added auditing

Compliance regulatory audits won't disappear. Indeed, they add value through regulatory assurance. However, all boards of directors of publicly held companies want additional information and assurance beyond a yes/no decision. They're asking auditing and assurance services to evaluate risk management and operational control effectiveness.

Many quality gurus think that value-added auditing will be the profession's future. "Value-added auditing is auditing for increased profitability and improved customer satisfaction," says Jim Lamprecht, consultant and author of ISO 9001-related books.

So, what does our quality-auditing crystal ball reveal of our profession's future?

Consolidated quality audit and internal audit reports will go to the board of directors.

The quality auditing function will integrate with internal auditing.

The term "quality audit" will fade from ISO standards' vocabularies.

Multiple audits will be conducted for different stakeholders.

Compliance and regulatory systems assessments will still be conducted.

Quality auditors will emerge as value-added auditors and business process consultants.

Value-adding auditing as a tool will increase exponentially.

Auditor training requirements will increase.

Final thought

Quality auditing needs more exposure. Many compliance and ISO 9000 audits end up with first-level managers for subsequent action. In turn, the Institute of International Auditing definition of auditing has shaped value-added auditing. These internal audit reports ultimately end up with the board of directors' audit committee. This is where we want our quality audit reports to reside. It's up to us to work with internal auditing to develop consolidated quality, customer-supply, risk and control audit reports.

About the author

Greg Hutchins, PE, is a management principal with Quality Plus Engineering, a Portland, Oregon-based risk, process, project and supply management company. He can be reached at (800) 266-7383 or www.valueaddedauditing.com. Hutchins has written more than 15 books, including his most recent, Value Added Auditing, from which this article was excerpted. Letters to the editor regarding this article can be sent to letters@qualitydigest.com.