Quality auditors already conduct value added audits.  Examples of value added audits include:

• Compliance audits.
• Process audits.
• Risk assessments.
• Internal control assessments.
• Self assessments.

Let’s look at how to conduct the above value added audits.

COMPLIANCE AUDITS

The key elements of a compliance audit can be gleaned from the ISO definition of ‘auditing’ as shown below:

“Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.”  Audit criteria are a “set of policies, procedures, or other requirements against which collected audit evidence is compared.”  Audit evidence consists of “records, statements of fact or other information, relevant to the audit and which are verified.”

Most of us are familiar with compliance audits through ISO 9001 requirements. 

Compliance audits are fundamentally documentation reviews.  The result is a binary decision, compliance or noncompliance.  If there is noncompliance then the auditor will issue a Corrective Action Request (CAR) or a Preventive Action Request (PAR).

Compliance audits add value to governmental agencies and to commercial organizations that mandate contractual or regulatory compliance.  Compliance audits are probably the easiest to conduct because requirements are written and less auditor discretion is required.

PROCESS AUDITS
The major challenge of ISO 9001 is how to conduct a process audit to demonstrate  ‘effectiveness?’  Most quality and ISO pundits think that an effectiveness audit will be some type of process audit.  There is still confusion and little standardization on how to conduct a PDCA process audit, however the following are commonsensical steps:

• Identify business objectives.
• Flowchart processes.
• Identify critical process input and outputs.
• Evaluate process procedures, records, and documentation against ISO 9001 requirements.
• Evaluate process metrics against meeting business objectives.
• Analyze metrics to determine process stability and capability.
• Improve performance over time through intervention, and preventive/corrective actions.

The power of process audits is that they can go beyond evaluating effectiveness of ISO 9001 – 2000 quality management system clauses to evaluate value chain processes against internal business objectives and external business benchmarks.

RISK ASSESSMENT AUDITS
Up to five years ago, quality was the primary filter through which American senior management reached decisions.  Customer satisfaction was the critical quality attribute.  Well things changed.  Cost and schedule overshadowed quality as the primary senior management decision filter.  First to market, first to critical mass, and other time elements became critical to senior management as they competed with other companies.

Risk and its management is now the primary filter by which management makes its decisions.  This is why risk audits will become more critical to organizational operations.

ORCA is a common organizational risk assessment methodology.  Its principal elements are:

• Identify business Objectives.
• Identify operational and other Risks.
• Define business or other Controls.
• Assess the effectiveness of the business process to satisfy objectives and manage risks.

Once this risk assessment is conducted, senior and operational management can develop strategies to manage risks and execute business decisions.  Senior management can decide to:

• Avoid risk
• Mitigate risk
• Accept risk
• Share risk
• Diversify risk
• Control risk
• Increase risk

A discussion of each of the above strategies is beyond the scope of this Value Added Auditing article.  But, anyone conducting risk management assessments should be familiar with these risk management strategies.

INTERNAL CONTROL ASSESSMENTS
You can get an idea of the importance and purpose of internal controls by reading the following IBM Report:

“IBM maintains an effective internal control structure.  It consists, in part of organizational arrangements with clearly defined lines of responsibility and delegation of authority, and comprehensive systems and control procedures.  ….  To assure the effective administration of internal control, we carefully select and train our employees, develop and disseminate written policies, and procedures, provide appropriate communication channels, and foster an environment conducive to the effective functioning of controls.”

Internal control is the fundamental idea that underlies the entire financial and operational structure of the organization as indicated by IBM’s Chairman of the Board and Chief Financial Officer signing this statement.

Internal control is a process designed to assure reasonable confidence regarding the following:

• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations
  

Internal control assessments evaluate these 5 interrelated elements of effectiveness:

• Control environment.  Senior management sets the tone for vision, mission, quality, ethics, goals, and controls. Daily operational control defers to the people who know the process or a product – the process owners.
• Risk assessment.  Risk management is the fundamental objective of all managers in the next few years.  The precondition to effective risk management is identified core processes, stabilized processes, capable processes, and control of process variation.
• Control activities.  Control activities are the people, policies, suppliers and other factors that ensure that risks are identified, monitored, and mitigated throughout the project, product, or contract lifecycle.  Controls may include approvals, authorizations, validation, verification, reconciliation, and segregation of authorities.
• Information and communication.  No information and no communication – no control.  It’s that simple.
• Monitoring.  Internal controls systems and processes must be monitored.  It’s not enough to have a process out of control or worse that it is noncompliant with a specification or standard.  Ongoing monitoring should ensure corrective and preventive actions.
  

SELF-ASSESSMENTS
The workplace is galloping towards self-managed work teams. Chances are you may be in one or several. Self managed teams are also composed of self directed individuals who accept responsibility for developing schedules, managing quality, controlling costs, upgrading worker skills, assigning work, improving process performance, focusing on results, and ensuring stakeholders are satisfied. Many job classifications are replaced by one worker classification. The work environment is open and friendly. Time clocks are eliminated. Compensation is based on pay‑for‑knowledge so people are paid on the basis of training, experience, knowledge, and value-addition.  Workers and process owners are responsible for managing risks and controlling their processes.

When team and self managed teams work, results are stunning. The payoff in some production plants designed around self-managed, process teams is that they can be 30-50% more productive than conventional plants.[v]

Self managed teams and individuals can now assess the value of their work through:

• Balanced scorecards
• Checklists with ratings
• Internal control questionnaires
• Team written procedures and instructions
• Process control information, such as SPC
• Flexible and reinforcing work environment