Value Added Auditing(VAA) is risk based auditing. Or another way to think about it is VAA is analytical auditing where the sponsor and auditee get valuable information to improve their operations and become more competitive.
So, what can VAA do for you?
Value added auditing facilitates the company’s and its supplier’s improvement. For example, the auditor may determine if controls or systems are in place ensuring that: Continue reading
I wrote this piece 11 years ago and it was published by Quality Digest in July 2002. It seems still relevant:
Why have so few companies registered to ISO 9001 – 2000? Quality Digest in its July 2002 reported that “the actual figure (of companies that have transitioned) is probably 8 to 10 percent.”[i] Companies now have a little more than a year to transition to the new standard. One major reason for the slow transition may be the perceived value for transitioning to ISO 9001 – 2000 is not sufficiently compelling in these economic slow times. Continue reading
This is probably the most important question management is asking these days. Functions and activities that don’t add value are outsourced. Quality, operational, internal, and financial audits are outsourced if they don’t add real operational and managerial value. Value means different things to different people. What is important to one organization may be different to another. One company’s best practice may be another company’s standard operating procedure. Continue reading
The American Management Association recently said the following about risk:
“For virtually every business in the United States, the implications of economic change are enormous. The rapidly changing and more uncertain environment not only has made corporate decision-making and planning more difficult, but also has significantly increased business risks. Operating successfully in this new environment will require a very different approach to business management. It involves more, rather than less, attention to external factors, as well as new priorities and strategies and a sharply increased focus on risk management.”
Quality auditors and professionals are going to see more emphasis on risk analysis and other forms of assessments, which we generally call Value Added Auditing. You’re going to hear a lot more of this as more companies focus on new types of assurance. In this article, we will look at different types of Value Added Audits, discuss how they are conducted, and discuss how they will impact quality auditing practices.
ISO 9000 has been deployed very successfully as many companies have gained compliance value. Companies are now asking: “What other assessments can we use to assess risks and evaluate end-to-end value chain processes?” The solution is a more comprehensive philosophy of control, assurance, and organizational governance based on controlling and managing risk.
THE SOLUTION – NEW VALUE ADDED ASSESSMENT METHODS
Management gurus say the secret of great management in the first years of the millennium is adding value and developing new assessment methods that verify and validate value. Hence, the prominence of value added auditing.
Understanding value added auditing will become essential to all quality auditors in the future. Quality auditing and internal auditing are converging around the ideas of assessing operational effectiveness and conducting risk management assessments. Also, we’re seeing early signs where internal auditing is absorbing some quality auditing responsibilities.
WHAT IS VALUE?
First, we need to define value. All organizations exist to add value to their stakeholders. Value is added when products and services satisfy critical organizational stakeholders.
Value can mean different things to different stakeholders. Value to shareholders means raising stock value. Value to management means no surprises. Value to regulatory authorities is compliance to laws and regulations.
Value added auditors assess specific economic attributes, which may include:
WHAT IS VALUE ADDED AUDITING
The Institute of Internal Auditing (IIA) developed their definition of ‘auditing’ which introduces various elements of value:
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”[i] “About Internal Auditing,” IIA Web Site, 2000.
We can infer a number of value adding best practices from the above definition: Value added audits aim to:
In this article, we’ll discuss the following types of value added audits:
COMPLIANCE AUDITS
The key elements of a compliance audit can be gleaned from the ISO definition of ‘auditing’ as shown below:
“Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.” Audit criteria are a “set of policies, procedures, or other requirements against which collected audit evidence is compared.” Audit evidence consists of “records, statements of fact or other information, relevant to the audit and which are verified.” [i] ISO CD2/ISO 19011 and ISO 9000 – 2000, ASQ Quality Press, 2000 .
Most of us are familiar with compliance audits through ISO 9000 requirements. ISO 9000 system audits traditionally were compliance assessments. The ISO standard or similar standards consist of ‘shall’ requirements. The auditor assesses business system, process, or product against these standards. The auditor in a compliance audit verifies that documentation complies with the standard’s requirements and verifies implementation to the ‘say what you do and do as you say’ criteria.
Compliance audits are fundamentally documentation reviews. The result is a binary decision, compliance or noncompliance. If there is noncompliance then the auditor will issue a Corrective Action Request (CAR) or a Preventive Action Request (PAR).
Compliance audits add value to governmental agencies and to commercial organizations that mandate contractual or regulatory compliance. Compliance audits are probably the easiest to conduct because requirements are written and less auditor discretion is required.
PROCESS AUDITS
The most critical requirement in ISO 9001 – 2000 is ‘shall.’ ‘Shalls’ by their nature are compliance requirements. A system, activity, or product conforms to a requirement or it doesn’t. The second critical requirement in ISO 9001 – 2000 is demonstrating QMS ‘effectiveness.’
The major question is how to audit for ‘effectiveness?’ Most quality and ISO pundits think that an effectiveness audit will be some type of process audit. There is still much confusion and little standardization on how to conduct a process audit, however the following are commonsensical steps:
The power of process audits is that they can go beyond evaluating effectiveness of ISO 9001 – 2000 quality management system clauses to evaluate all value chain processes against internal business objectives and external business benchmarks.
RISK ASSESSMENT AUDITS
Up to five years ago, quality was the primary filter through which American senior management reached decisions. Customer satisfaction was the critical quality attribute. Well things changed. Cost and schedule overshadowed quality as the primary senior management decision filters. First to market, first to critical mass, and other time elements became critical to senior management as they competed with other companies.
September 11, 2001 changed all that. Risk and its management is now the primary filter by which management makes its decisions. This is why risk audits will become more critical to organizational operations.
ORCA is a common organizational risk assessment methodology. Its principal elements are:
The organizational risk management assessment is really a competitive and marketplace scan of what can impede and as well as accelerate the achievement of business objectives. This is a critical point. Risk management has both a positive and negative connotation. We normally assume the negative – the mitigation of negative events or circumstances. However, all business decision-making is based on smart risk management and analysis. Once this is made, then management can develop its business model and execute based upon risk management criteria: being risk averse, risk sensitive or risk taking.
Once this risk assessment is conducted, senior and operational management can develop strategies to manage risks and execute business decisions. Senior management can decide to:
A discussion of each of the above strategies is beyond the scope of this Value Added Auditing article. But, anyone conducting risk management assessments should be familiar with these risk management strategies.
INTERNAL CONTROL ASSESSMENTS
You can get an idea of the importance and purpose of internal controls by reading the following from IBM’s 1998 Annual Report:
“IBM maintains an effective internal control structure. It consists, in part of organizational arrangements with clearly defined lines of responsibility and delegation of authority, and comprehensive systems and control procedures. …. To assure the effective administration of internal control, we carefully select and train our employees, develop and disseminate written policies, and procedures, provide appropriate communication channels, and foster an environment conducive to the effective functioning of controls.”
Internal control is the fundamental idea that underlies the entire financial and operational structure of the organization as indicated by IBM’s Chairman of the Board and Chief Financial Officer signing this statement.
Internal control is a process designed to assure reasonable confidence regarding the following:
Internal control assessments evaluate these 5 interrelated elements of effectiveness:
Control environment. Senior management sets the tone for vision, mission, quality, ethics, goals, and controls. Daily operational control defers to the people who know the process or a product – the process owners.
Risk assessment. Risk management is the fundamental objective of all managers in the next few years. The precondition to effective risk management is identified core processes, stabilized processes, capable processes, and control of process variation.
Control activities. Control activities are the people, policies, suppliers and other factors that ensure that risks are identified, monitored, and mitigated throughout the project, product, or contract lifecycle. Controls may include approvals, authorizations, validation, verification, reconciliation, and segregation of authorities.
Information and communication. No information and no communication – no control. It’s that simple.
Monitoring. Internal controls systems and processes must be monitored. It’s not enough to have a process out of control or worse that it is noncompliant with a specification or standard. Ongoing monitoring should ensure corrective and preventive actions.
SELF ASSESSMENTS
The workplace is galloping towards self-managed work teams. Chances are you may be in one or several. Self managed teams are also composed of self directed individuals who accept responsibility for developing schedules, managing quality, controlling costs, upgrading worker skills, assigning work, improving process performance, focusing on results, and ensuring stakeholders are satisfied. Many job classifications are replaced by one work classification. The work environment is open and friendly. Time clocks are eliminated. Compensation is based on pay-for-knowledge so people are paid on the basis of training, experience, knowledge, and value-addition.
In the horizontal organization, hierarchal levels disappear, work is simplified, and information is universally available. Responsibility, authority, resources, information, and decision-making are downloaded to the lowest organizational level. Hierarchal – functional workers evolve into process owners.
Self-managed process or project teams do work simultaneously or concurrently. Specifications are jointly developed so everyone is familiar with them. Processes are stabilized, documented, and capable. If there are process deficiencies, the team has the skills to solve them. When team and self managed teams work, results are stunning. The payoff in some production plants designed around self-managed, process teams are that they are 30-50% more productive than conventional plants.
Self managed teams and individuals can now assess the value of their work through:
AUDITOR AS CONSULTANTS
Senior management and the company’s Board of Directors are responsible for the organization’s risk management and operational control processes. However, value added auditors also can serve as consultants to assist the organization in identifying, evaluating and implementing risk management methodologies and controls. This is a major change in internal auditing and other auditing disciplines where it was assumed that there was a firewall between auditing and the auditee.
Traditionally, auditors were independent and objective. Independence implies that there is an arms length relationship between the auditor and auditee. The challenge is that if the auditor provides the auditee consulting assistance, the auditor’s independence may be impaired while the auditor’s objectivity to the auditee still provides value. The auditor as consultant is a major revision in the Institute of Internal Auditing standards. This is a major step to auditors evolving to risk management and business process consultants.
THE VALUE ADDED AUDIT CHALLENGES
The journey from today’s compliance auditing to value added auditing has to be implemented carefully. These are the challenges to value added auditing:
YOUR TAKEAWAYS
ISO 9001 – 2000 now specifies ‘effectiveness’ requirements. How does an auditor audit for ‘effectiveness?’ This is a major challenge for all quality auditors, ISO registrars and quality consultants. The solution is some form of value added auditing.
Most quality auditing will remain compliance based to ISO 9000 or to some other conformance standard. Compliance audits will not disappear. However, audit stakeholders will want additional assurance beyond a yes/no decision. They will ask value added auditing to evaluate quality management system effectiveness as well as provide risk assurance of other organizational processes.
So, what does the quality auditing crystal ball show for the future?
A FINAL THOUGHT
A major goal of ours (quality auditing) has been to get more and higher level of exposure for quality auditing. Now, many compliance audits end up at a first or second level manager for subsequent action. Internal auditing as can be seen by their definition has been a major proponent of value added auditing. Internal audit reports usually end up in the hands of a Chief Financial Officer and ultimately in the hands of the Audit Committee of the Board of Directors. This is where we want our quality audit reports to end up.
Bio:
Greg Hutchins PE and CERM (503.233.101 & GregH@QualityPlusEngineering.com) is the founder of:
CERMAcademy.com
800Compete.com
QualityPlusEngineering.com
WorkingIt.com
He is the evangelist behind Future of Quality: Risk®. He is currently working on the Future of Work and machine learning projects.
He is a frequent speaker and expert on Supply Chain Risk Management and cyber security. His current books available on all platform are shown below:
Quality risk auditing has become killer hot. ISO developed a new auditing document, ISO 19011: 2011. ISO says the purpose of the document is to:
ISO 19011:2011 provides guidance on auditing management systems, including the principles of auditing, managing an audit programme and conducting management system audits, as well as guidance on the evaluation of competence of individuals involved in the audit process, including the person managing the audit programme, auditors and audit teams. ISO 19011:2011 is applicable to all organizations that need to conduct internal or external audits of management systems or manage an audit programme.
The challenge is that guidance standard does not teach auditor how to audit for quality risk and effectiveness. Risk based auditing is becoming much more critical in the power, cyber security, food, aerospace, pharma, and many other sectors.
Take a look at a ASQ Quality Audit Division talk we gave almost 10 years ago:
https://insights.cermacademy.com/files/2012/11/ASQ-QAD-VAA-presentation.pdf
Or, take a look at the CERM workshop on Value Added Auditing or Risk Based Auditing at:
Bio:
Greg Hutchins PE and CERM (503.233.101 & GregH@QualityPlusEngineering.com) is the founder of:
CERMAcademy.com
800Compete.com
QualityPlusEngineering.com
WorkingIt.com
He is the evangelist behind Future of Quality: Risk®. He is currently working on the Future of Work and machine learning projects.
He is a frequent speaker and expert on Supply Chain Risk Management and cyber security. His current books available on all platform are shown below: