Mere compliance with a Framework is an insufficient audit approach; it is critical to assess whether it is current, timely, communicated broadly, and meets the needs of the business. The 4 biggest mistakes are:
- Not being Outcome focused
- Not using risk-based targeting
- Not Value Adding
- Not being timely
In a recent article on Auditing Risk Appetite Norman Marks commented: “What I especially like about the FSB list of questions (and reflected in mine) is that it recognizes that mere compliance with a Framework is an insufficient audit approach; it is critical to assess whether it is current, timely, communicated broadly, and meets the needs of the business.”
Although he was speaking about auditing Risk Appetite, I believe these issues apply equally to Audit and Inspection in general. A comprehensive checklist of several hundred items, each assessed as complying or not, is neither effective nor beneficial, and only serves to chew up limited Compliance funds from the corporate budget. If done well, corporate health reports become an eagerly awaited strategy document for boards.
1. Not Outcome focused
Merely auditing the existence of corporate goals and objectives doesn’t make auditing Outcome focused. The Audit Plan has to be based on the corporate objectives, with an understanding of the opportunities and threats inherent in those objectives. Any compliance management framework is a comprehensive inventory of compliance items, not a roadmap. This is where good compliance management software comes in, letting you map your Audit Plan back to the framework to ensure comprehensive coverage, while allowing you to concentrate on Compliance Assurance of the corporate objectives. When looked at from this perspective, improvement and performance become the aim of compliance, not the systematic enforcement of controls.
2. Not risk-based targeting
Once focused on opportunities and threats, a risk-based approach (see Does anyone really understand Emerging Risks?) coupled with targeted activities is inevitable. Risk-based is more than checking for known issues first. Setting surveillance levels and frequencies based on risk not only produces more results by concentrating on the areas that can produce the greatest returns, it allows for more efficient use of the limited compliance budget resources.
Audit and Inspection are expensive services; in low risk areas they have little benefit, and they are not the only methods of assuring compliance. Online self-audits with appropriate evidence, or periodic reporting of key indicators, are just as effective, and sometimes more timely, in low risk areas. Obviously, this needs to be backed by occasional unscheduled audits/inspections.
3. Not Value Adding
Identifying & issuing corrective actions, although necessary, is not value adding in the eyes of the operational staff responsible. If they saw it as a problem they would have fixed it before being assessed (yes, a bad word, but if you’re not adding value that is all it is!). What can be done to add value? Well, you have the unique opportunity to educate operational management in circumstances where they are likely to listen and act – PRIOR TO THE AUDIT. Use it.
Compliance is more than just Audit & Inspection
With a properly developed compliance management system, and not just a pool of Word/Excel documents, you can compile targeted reviews based on areas of importance. By developing checklists based on objectives and risks, and allocating weightings to individual questions according to their effect on objectives (see 2 above), you can assess effectiveness, not just compliance.
Previous history, lessons learnt in related fields, and current industry trends should be the purview of the Compliance department, and it is their duty to disseminate these as part of the pre-audit activity. Finally, include business cases for improvements in target areas in the final report. Relating those back to corporate objectives is a good way to garner support for the audit/inspection process from operational management. In time they will look forward to, and prepare for, the opportunity to press their own objectives.
4. Not being timely
Board/Management review of summary audit findings is both an opportunity for, and an entrenchment of, the value of Compliance Management to the organisation. Regurgitating conformance information about problems fixed and administrative observations reinforces the negative regulatory role of the compliance department as a necessary overhead. Releasing regular health reports on the organisation’s progress towards achieving its objectives not only makes compliance reports interesting, but also provides the opportunity to push for expanding the department’s capability.
Making Compliance Relevant
The key to this is not just relevance but timeliness. Knowing the emerging issues at a time when they can be acted on is of benefit to the board. Knowing, historically, what happened last year is not. This requires moving away from an annual (or periodic) audit/inspection regime to a continuous monitoring approach, backed up by periodic audit/inspection. Sending out regular, specifically targeted questionnaires for self-assessment, with automated submission and analysis, reduces the overhead and workload for the compliance department while allowing it to adjust the risk targeting and produce timely health reports for management.
Effective Compliance Management
An effective compliance management methodology must not only deliver the right information and training, it must deliver them at the right time, in a consistent and controlled manner. The information delivered must be accurate and up to date. And there must be validation that the information has been received and understood, with a complete audit trail. Automating these processes with best practice Compliance Management software frees up Compliance expertise to perform its true role: monitoring and assisting the organisation in achieving its corporate objectives.
Bio:
Greg Carroll - Founder & Technical Director, Fast Track Australia Pty Ltd.
Greg Carroll has 30 years’ experience addressing risk management systems in life-and-death environments like the Australian Department of Defence and the Victorian Infectious Diseases Laboratories among others. He has also worked for decades with top tier multinationals like Motorola, Fosters and Serco.
In 1981 he founded Fast Track (www.fasttrack365.com) which specialises in regulatory compliance and enterprise risk management for medium and large organisations. The company deploys enterprise-wide solutions for Quality, Risk, Environmental, OHS, Supplier, and Innovation Management.
Mastering 21st Century Risk Management” which will be available from the www.fasttrack365.com website in a couple of weeks. Meanwhile, a recent webinar on the topic can be seen at http://www.youtube.com/watch?v=nQoJj6FBxrY&feature=youtu.be, in which we show how emerging best practices provide a good picture of how enterprise risk management should look in the 21st century.