"RAB
has been concerned with auditor independence since
well before the Enron collapse focused attention on
the inherent conflict of financial accounting firms
providing clients with both consulting and auditing
services. The management systems community has taken
the high road by insisting on a clear separation of
auditing and consulting activities. This stance was
taken to ensure impartiality and freedom from conflict
of interest in management systems auditing."
--Bob King,
president and CEO of Registrar Accreditation Board
Why have so few companies registered
to ISO 9001:2000? In its July 2002 ISO 9000 survey, Quality
Digest reported "the actual figure [of companies
that have transitioned] is probably 8 to 10 percent."
Companies now have barely more than a year to change to
the new standard. One major reason for the slow response
might be that ISO 9001:2000's perceived value isn't sufficiently
compelling in these slow economic times.
One solution for easing the transition to ISO 9001:2000
is to conduct value-added audits. What is value-added auditing?
According to the Institute of Internal Auditors' Web site
(www.theiia.org), it's
"a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control and
governance processes." Value-added auditing is so hot
that the New York Stock Exchange and the Securities and
Exchange Commission now require value-added audits of more
than 17,000 listed companies.
It's no exaggeration to say that dramatic changes have
occurred recently in business. Enron, WorldCom and a number
of other companies have collapsed. The U.S. government has
passed laws requiring financial disclosure. And on Aug.
1, 2002, the New York Stock Exchange began requiring all
its listed companies to have an internal audit function.
There have been many changes in the quality world as well.
Companies are transitioning to a major standard revision:
ISO 9001:2000. The Registrar Accreditation Board, which
certifies quality and environmental management systems auditors,
strengthened its policies regarding consulting and auditing
independence.
Quality auditors and internal auditors have noticed a
new emphasis on analytical auditing that involves process
audits, risk and/or control assessments, and other forms
of effectiveness assessments. Generally, this trend is called
value-added auditing.
Why should quality auditors and the rest of us in the
quality profession pay attention to value-added auditing?
We're now officially in a recession, and senior managers
don't want surprises. They and their boards of directors
are thinking, "Do we have sufficient information and
assurance of operational effectiveness internally, as well
as with our supply partners, to make robust decisions?"
Internal auditing departments are responsible for conducting
value-added audits. Because of recent legislation concerning
corporate governance, these reports often go directly to
the board of directors' audit committee and indirectly to
the chief financial officer. (See Internal Auditing Reporting
Relationship.)
Steve Jameson, the Institute of Internal Auditors' director
of technical services, recently had this to say about the
new regulations coming out of Congress, the SEC and the
NYSE: "Requiring public reporting on internal controls
is the grand prize that the internal audit profession has
sought for years. The U.S. Congress has now mandated that
requirement. The IIA standards and the IIA's value-added
mindset for the profession support and promote internal
auditors as the key organizational resource for providing
assurance about internal controls to the [board of directors']
audit committees and management."
Our quality audits go directly to a first- or second-level
manager. But as quality professionals, we want to make a
difference with our quality reports. Will we be most effective
by conducting quality management system assessments that
go to a first-level manager, or will we add more value by
collaborating with internal auditing to provide consolidated
audit reports to the board of directors' audit committee?
The latter is the obvious choice.
All organizations exist to add value to their stakeholders.
But this elusive quality can mean different things to different
stakeholders. To shareholders, "value" means raising
the stock price. To senior management it means operational
effectiveness. To boards of directors, it means no surprises.
To regulatory authorities, value means compliance to laws.
In order to provide value, quality auditors should be
able to assess:
Operational and quality effectiveness
Business risks
Business and/or process controls
Process and business efficiencies
Cost reduction opportunities
Waste elimination opportunities
Corporate governance effectiveness
Many people think that internal auditing focuses primarily
on financial audits. The Institute of Internal Auditors
developed a definition of auditing that introduces various
elements of value-added auditing:
"Internal auditing is an independent, objective assurance
and consulting activity designed to add value and improve
an organization's operations. It helps an organization accomplish
its objectives by bringing a systematic, disciplined approach
to evaluate and improve the effectiveness of risk management,
control and governance processes."
We can infer a number of value-added auditing "best
practices" from that definition. Value-added audits
aim to:
Provide independent and/or objective operational analysis
Examine every function, process and activity of an organizational and external value chain
Help an organization achieve its business strategies and objectives
Follow a systematic and disciplined approach in its assessment
Evaluate and improve the effectiveness of risk management, control and governance processes
Quality and internal auditing are converging around the
theme of value-added auditing. The RAB and leading ISO standards
registrars are spearheading the drive to provide higher
levels of transparency, assurance and, ultimately, value
to quality audit reports.
North America's top registrars are also emphasizing value.
"With today's stock market volatility, investors want
higher assurance of company performance," says Tom
Harris, managing director of AOQC Moody International. "Quality
auditors must evaluate management systems and processes
not only in terms of compliance to a standard but, most
important, to analyze their effectiveness. Companies must
develop mission-critical objectives and then hold process
owners accountable for the measurement, control, analysis
and improvement of their systems and processes. AOQC Moody
International is rapidly moving in this direction."
"Last May, RAB's Auditor Certification Board approved
new language on auditor independence for all RAB auditor
certification programs," says Bob King, president and
CEO of RAB. "Specifically, there must be a period of
at least two years between any consulting an auditor does
for an organization and any auditing he or she performs
for the same organization. As more is being said and written
on the topic of value-added auditing, we want to make sure
our auditors have a very clear sense of the line between
auditing and consulting."
Actually, quality auditors already conduct value-added
audits. Let's take a closer look at these, which include:
Compliance audits
Process audits
Risk assessments
Internal control assessments
Self-assessments
Consulting
The key elements of a compliance audit can be gleaned
from the
ISO 9001:2000 definition, which characterizes an audit
as a "systematic, independent and documented process
for obtaining audit evidence and evaluating it objectively
to determine the extent to which audit criteria are fulfilled."
Audit criteria, according to the same source, are a "set
of policies, procedures or other requirements against which
collected audit evidence is compared." Likewise, audit
evidence consists of "records, statements of fact or
other information relevant to the audit and which are verified."
Most of us are familiar with compliance audits through
ISO 9001 requirements. Fundamentally, they're documentation
reviews that result in a binary decision, i.e., compliance
or noncompliance. If there's noncompliance, then the auditor
will issue a corrective or preventive action request.
Compliance audits add value to governmental agencies and
to commercial organizations that mandate contractual or
regulatory compliance. They're probably the easiest audits
to conduct because the requirements are already written,
and less auditor discretion is required.
ISO 9001:2000's biggest compliance challenge is determining
how to conduct a process audit to demonstrate "effectiveness."
Most quality and ISO standards pundits think that an effectiveness
audit implies some type of process audit. Although there's
still confusion and little standardization about how to
conduct a plan-do-check-act process audit, the following
are practical steps:
1. Identify business objectives
2. Flowchart processes
3. Identify critical process inputs and outputs
4. Evaluate process procedures, records and documentation
against ISO 9001:2000 requirements
5. Evaluate process metrics against business objectives
6. Analyze metrics to determine process stability and capability
7. Improve performance through intervention and preventive
and/or corrective actions
In addition, process audits can go beyond evaluating the
effectiveness of ISO 9001:2000 quality management system
clauses and evaluate supply-chain processes against internal
business objectives and external business benchmarks.
As recently as five years ago, quality was the primary
filter through which U.S. senior management reached decisions,
and customer satisfaction was the critical quality attribute.
Then costs and schedules superseded quality as the primary
senior-management decision filter. Competing in an increasingly
aggressive business environment meant being first to market,
first to critical mass and paying attention to other time
elements.
Sept. 11 changed all that. Risk and its management are
now the primary filter by which management makes its decisions.
This is why risk audits will become more critical to organizational
operations.
ORCA is a common acronym for an organizational risk-assessment
methodology. It requires that organizations:
Identify business objectives
Identify operational and other risks
Define business or other controls
Assess the effectiveness of the business process to satisfy objectives and manage risks
Once this risk assessment is conducted, senior and operational
management can develop strategies to manage risks and execute
business decisions. Risk management strategies include:
Avoidance
Mitigation
Acceptance
Diversification
Control
The following excerpt from IBM's 1998 annual report illustrates
the importance and purpose of internal controls:
"IBM maintains an effective internal control structure.
It consists, in part, of organizational arrangements with
clearly defined lines of responsibility and delegation of
authority, and comprehensive systems and control procedures.
To assure the effective administration of internal control,
we carefully select and train our employees, develop and
disseminate written policies and procedures, provide appropriate
communication channels, and foster an environment conducive
to the effective functioning of controls."
Internal control is the fundamental idea underlying the
entire financial and operational structure of the organization--as
indicated by IBM's chairman of the board and chief financial
officer signing the statement.
According to the Committee of Sponsoring Organizations
of the Treadway Commission's Web site (www.coso.org), internal
control is a process designed to ensure reasonable confidence
regarding:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
Internal control assessments evaluate these five interrelated
elements of effectiveness and value:
Control environment. Senior management sets the tone for
vision, mission, quality, ethics, goals and controls. Daily
operational control defers to the people who know the process
or product--i.e., the process owners.
Risk assessment. Risk management will be the fundamental
objective of all managers during the next few years. The
preconditions to effective risk management are identified
as core processes, stabilized processes, capable processes
and controlled process variations.
Control activities. These include the people, policies,
suppliers and other factors that ensure risks are identified,
monitored and mitigated throughout the project, product
or contract lifecycle. Controls may include approvals, authorizations,
validation, verification, reconciliation and segregation
of authorities.
Information and communication. No information and no communication
mean no control. It's that simple.
Monitoring. Internal control systems and processes must
be monitored. It's not enough to recognize that a process
is out of control--or worse, noncompliant with a specification
or standard. Ongoing monitoring, says COSO, should ensure
corrective and preventive actions.
The workplace modus operandi is moving toward self-managed
work teams. Chances are you may be in one or several. Self-managed
teams comprise self-directed individuals who accept responsibility
for developing schedules, managing quality, controlling
costs, upgrading worker skills, assigning work, improving
process performance, focusing on results and ensuring that
stakeholders are satisfied. Multiple job classifications are
replaced by a single worker classification. The work environment
is open and friendly. Time clocks are eliminated. Compensation
is based on pay-for-knowledge, i.e., people are paid on
the basis of training, experience, knowledge and value-addition.
Workers and process owners are responsible for managing
risks and controlling their processes.
Self-managed teams and individuals can assess the value
of their work through:
Balanced scorecards
Checklists with ratings
Internal control questionnaires
Team-written procedures and instructions
Process control information such as SPC
Senior management and an organization's board of directors
are responsible for risk management and operational control
processes. However, value-added auditors can also serve
as consultants to assist the organization in identifying
improvement opportunities, evaluating risks and implementing
risk-management methodologies and controls. This is a major
change in internal and other auditing disciplines, where
it was assumed that an unassailable firewall stood between
the auditor and auditee.
Traditionally, auditors were independent and objective.
Independence implied that an arm's-length relationship existed
between the auditor and auditee. If the auditor provided
the auditee with consulting assistance, the prevailing belief
held that the auditor's independence might be impaired,
although his or her objectivity toward the auditee still provided
value. The notion of auditor as consultant represents a
major change in the Institute of Internal Auditors' standards
as quality and internal auditors evolve into "business
process" assurance and consulting experts.
ISO 9001:2000 now requires "effectiveness" and
process auditing. But how does a quality auditor audit for
effectiveness? This is a challenge for all quality auditors,
ISO standards registrars and quality consultants. The solution
is to perform some form of value-added auditing.
Quality auditors can transition to value-added auditing
as long as it's done carefully. Several issues must be understood
and addressed:
Open to interpretation. Evaluating effectiveness, risk management
and internal controls varies according to how the standards
and/or processes are interpreted.
Inconsistent application. Evaluating effectiveness, risk
management and internal controls can vary among auditors.
Requires additional auditor skills. Value-added auditing
requires profound business, process and people knowledge.
Possibility of additional variation. No consistent and well-established
standards and protocols exist for conducting value-added
audits.
Compliance regulatory audits won't disappear. Indeed,
they add value through regulatory assurance. However, all
boards of directors of publicly held companies want additional
information and assurance beyond a yes/no decision. They're
asking auditing and assurance services to evaluate risk
management and operational control effectiveness.
Many quality gurus think that value-added auditing will
be the profession's future. "Value-added auditing is
auditing for increased profitability and improved customer
satisfaction," says Jim Lamprecht, consultant and author
of ISO 9001-related books.
So, what does our quality-auditing crystal ball reveal
of our profession's future?
Consolidated quality audit and internal audit reports will
go to the board of directors.
The quality auditing function will integrate with internal
auditing.
The term "quality audit" will fade from ISO standards'
vocabularies.
Multiple audits will be conducted for different stakeholders.
Compliance and regulatory systems assessments will still
be conducted.
Quality auditors will emerge as value-added auditors and
business process consultants.
Value-added auditing as a tool will increase exponentially.
Auditor training requirements will increase.
Quality auditing needs more exposure. Many compliance
and ISO 9000 audits end up with first-level managers for
subsequent action. In contrast, the Institute of Internal
Auditors' definition of auditing has shaped value-added auditing,
and those internal audit reports ultimately end up with the
board of directors' audit committee. This is where we want
our quality audit reports to reside. It's up to us to work
with internal auditing to develop consolidated quality,
customer-supply, risk and control audit reports.
Greg Hutchins, PE, is a management principal with Quality
Plus Engineering, a Portland, Oregon-based risk, process,
project and supply management company. He can be reached
at (800) 266-7383 or www.valueaddedauditing.com.
Hutchins has written more than 15 books, including his most
recent, Value Added Auditing, from which this article was
excerpted. Letters to the editor regarding this article
can be sent to letters@qualitydigest.com.