I wrote this piece 11 years ago and it was published by Quality Digest in July 2002.  It seems still relevant:

Why have so few companies registered to ISO 9001 – 2000?  Quality Digest in its July 2002 reported that “the actual figure (of companies that have transitioned) is probably 8 to 10 percent.”[i]   Companies now have a little more than a year to transition to the new standard.  One major reason for the slow transition may be the perceived value for transitioning to ISO 9001 – 2000 is not sufficiently compelling in these economic slow times.

One solution to help ensure the transition to ISO 9001 – 2000 is to conduct value added audits.  What is value added auditing?  It is “a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”  Value added auditing is so hot that the New York Stock Exchange and the Securities and Exchange Commission are now requiring value added audits of more than 17,000 listed companies.  Read how you can make a difference and add more value to your audits.

CHANGE AND MORE CHANGE
Let’s look at some of the dramatic changes that have occurred recently.  Enron, WorldCom and a number of other companies have collapsed.  The government passes a number of laws requiring financial disclosure.  On August 1, 2002, the New York Stock Exchange requires all its listed companies to have an internal audit function.

There have been many changes in quality land.  Companies are transitioning to a major new revision, ISO 9001 – 2000.  The Registration Accreditation Board (RAB), which certifies quality management and environmental management systems auditors strengthens its policies regarding consulting and auditing independence.

Quality auditors and internal auditors are seeing more changes and emphasis on analytical auditing involving process audits, risk/control assessments, and other forms of effectiveness assessments, which we generally call Value Added Auditing (VAA).

SO WHAT?
Why should quality auditors and the quality profession pay attention to value added auditing?  Follow this logic and see if it makes sense:

We are now officially in a recession.  All types of risks are higher – terrorists risks, business risks, and customer risks.  Senior management doesn’t want surprises.  The Board of Directors and senior management starts thinking: “Do we have sufficient information and assurance of operational effectiveness internally as well as with our supply-partners in order to make robust decisions?”

Internal auditing departments conduct value added audits. Because of recent legislations on corporate governance, these reports more often go solid line and directly to the Board of Directors Audit Committee and dotted line to the Chief Financial Officer.  See the ‘Internal Auditing Reporting Relationship’ figure.

Steve Jameson, the Institute of Internal Auditors’s (IIA) Director of Technical Services, recently said the following about the new regulations coming out of Congress, SEC, and NYSE:

“Requiring public reporting on internal controls is the grand prize that the internal audit profession has sought for years. The US Congress has now mandated that requirement. The IIA Standards and the IIA’s value-added mindset for the profession support and promote internal auditors as the key organizational resource for providing assurance about internal controls to the (board of director’s) audit committees and management.”

BOTTOM LINE QUESTION
Our quality audits directly go to a first or second level manager.  As quality professionals, we want to make a difference with our quality reports.  Let’s look at the bottom line issue.

Will we be most effective by conducting quality management system assessments that go to a first level manager?  Or, will we add more value by collaborating with internal auditing to provide consolidated audit reports to the Board of Directors Audit Committee.

This seems a no-brainer to me.

WHAT IS VALUE?
All organizations exist to add value to their stakeholders.  Value can mean different things to different stakeholders.  Value to shareholders means raising stock value.  Value to senior management means operational effectiveness.  Value to boards of directors means ‘no surprises’.  Value to regulatory authorities is compliance to laws and regulations.

To provide value, quality auditors should be able to assess:

• Operational and quality effectiveness
• Business risk
• Business/ process controls
• Process and business efficiencies
• Cost reduction opportunities
• Waste elimination opportunities
• Corporate governance effectiveness

SO, WHAT IS VALUE ADDED AUDITING?
Many think that internal auditing just conducts financial audits.  The Institute of Internal Auditing (IIA) developed a definition of ‘auditing’ which introduces various elements of value added auditing:

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.  It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”[ii]

We can infer a number of value added auditing ‘best practices’ from the above definition:  Value added audits aim to:

• Provide independent and objective operational analysis
• Examine every function, process, and activity of the organizational and external value chain
• Help an organization achieve its business strategies and objectives
• Follow a systematic and disciplined approach in its assessment
• Evaluate and improve the effectiveness of risk management, control, and governance processes

CONVERGENCE OF QUALITY AND INTERNAL AUDITING
Quality auditing and internal auditing are converging around the theme of value added auditing.  In the quality world, the Registrar Accreditation Board (RAB) and leading ISO registrars are taking the lead to provide higher levels of transparency, assurance, and ultimately value to quality audit reports. Read ‘Bob King, President and CEO of RAB on Auditor Independence in the above sidebar.

North America’s top registrars are also emphasizing value.  Tom Harris, Managing Director of AOQC Moody International recently said:

“With today’s stock market volatility, investors want higher assurance of company performance.  Quality auditors must evaluate management systems and processes not only in terms of compliance to a standard but most importantly analyze their effectiveness.  Companies must develop mission-critical objectives and then hold process owners accountable for the measurement, control, analysis and improvement of their systems and processes.  Moody AOQC is rapidly moving in this direction.”

WHAT DO VALUE ADDED AUDITS LOOK LIKE?
Quality auditors already conduct value added audits.  More examples of value added audits include:

• Compliance audits
• Process audits
• Risk assessments
• Internal control assessments
• Self assessments
• Consulting

Let’s look at how to conduct the above value added audits.

COMPLIANCE AUDITS
The key elements of a compliance audit can be gleaned from the ISO definition of ‘auditing’ as shown below:

“Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.”  Audit criteria are a “set of policies, procedures, or other requirements against which collected audit evidence is compared.”  Audit evidence consists of “records, statements of fact or other information, relevant to the audit and which are verified.”[iii]

Most of us are familiar with compliance audits through ISO 9001 requirements.

Compliance audits are fundamentally documentation reviews.  The result is a binary decision, compliance or noncompliance.  If there is noncompliance then the auditor will issue a Corrective Action Request (CAR) or a Preventive Action Request (PAR).

Compliance audits add value to governmental agencies and to commercial organizations that mandate contractual or regulatory compliance.  Compliance audits are probably the easiest to conduct because requirements are written and less auditor discretion is required.

PROCESS AUDITS
The major challenge of ISO 9001 –2000 is how to conduct a process audit to demonstrate  ‘effectiveness?’  Most quality and ISO pundits think that an effectiveness audit will be some type of process audit.  There is still confusion and little standardization on how to conduct a PDCA process audit, however the following are commonsensical steps:

• Identify business objectives
• Flowchart processes
• Identify critical process input and outputs
• Evaluate process procedures, records, and documentation against ISO 9001 – 2000 requirements
• Evaluate process metrics against meeting business objectives
• Analyze metrics to determine process stability and capability
• Improve performance over time through intervention, and preventive/corrective actions

The power of process audits is that they can go beyond evaluating effectiveness of ISO 9001 – 2000 quality management system clauses to evaluate value chain processes against internal business objectives and external business benchmarks.

RISK ASSESSMENT AUDITS
Up to five years ago, quality was the primary filter through which American senior management reached decisions.  Customer satisfaction was the critical quality attribute.  Well things changed.  Cost and schedule overshadowed quality as the primary senior management decision filter.  First to market, first to critical mass, and other time elements became critical to senior management as they competed with other companies.

September 11, 2001 changed all that.  Risk and its management is now the primary filter by which management makes its decisions.  This is why risk audits will become more critical to organizational operations.

ORCA is a common organizational risk assessment methodology.  Its principal elements are:

• Identify business
• Objectives
• Identify operational and other Risks
• Define business or other Controls
• Assess the effectiveness of the business process to satisfy objectives and manage risks

Once this risk assessment is conducted, senior and operational management can develop strategies to manage risks and execute business decisions.  Senior management can decide to:

• Avoid risk
• Mitigate risk
• Accept risk
• Share risk
• Diversify risk
• Control risk
• Increase risk

A discussion of each of the above strategies is beyond the scope of this Value Added Auditing article.  But, anyone conducting risk management assessments should be familiar with these risk management strategies.

INTERNAL CONTROL ASSESSMENTS
You can get an idea of the importance and purpose of internal controls by reading the following from IBM’s 1998 Annual Report:

“IBM maintains an effective internal control structure.  It consists, in part of organizational arrangements with clearly defined lines of responsibility and delegation of authority, and comprehensive systems and control procedures.  ….  To assure the effective administration of internal control, we carefully select and train our employees, develop and disseminate written policies, and procedures, provide appropriate communication channels, and foster an environment conducive to the effective functioning of controls.”[iv]

Internal control is the fundamental idea that underlies the entire financial and operational structure of the organization as indicated by IBM’s Chairman of the Board and Chief Financial Officer signing this statement.

Internal control is a process designed to assure reasonable confidence regarding the following:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations[v]

Internal control assessments evaluate these 5 interrelated elements of effectiveness:

• Control environment.  Senior management sets the tone for vision, mission, quality, ethics, goals, and controls. Daily operational control defers to the people who know the process or a product – the process owners.
• Risk assessment.  Risk management is the fundamental objective of all managers in the next few years.  The precondition to effective risk management is identified core processes, stabilized processes, capable processes, and control of process variation.
• Control activities.  Control activities are the people, policies, suppliers and other factors that ensure that risks are identified, monitored, and mitigated throughout the project, product, or contract lifecycle.  Controls may include approvals, authorizations, validation, verification, reconciliation, and segregation of authorities.
• Information and communication.  No information and no communication – no control.  It’s that simple.
• Monitoring.  Internal controls systems and processes must be monitored.  It’s not enough to have a process out of control or worse that it is noncompliant with a specification or standard.  Ongoing monitoring should ensure corrective and preventive actions.[vi]

SELF-ASSESSMENTS
The workplace is galloping towards self-managed work teams. Chances are you may be in one or several. Self managed teams are also composed of self directed individuals who accept responsibility for developing schedules, managing quality, controlling costs, upgrading worker skills, assigning work, improving process performance, focusing on results, and ensuring stakeholders are satisfied. Many job classifications are replaced by one worker classification. The work environment is open and friendly. Time clocks are eliminated. Compensation is based on pay‑for‑knowledge so people are paid on the basis of training, experience, knowledge, and value-addition.  Workers and process owners are responsible for managing risks and controlling their processes.

When team and self managed teams work, results are stunning. The payoff in some production plants designed around self-managed, process teams is that they can be 30-50% more productive than conventional plants.[vii]

Self managed teams and individuals can now assess the value of their work through:

• Balanced scorecards
• Checklists with ratings
• Internal control questionnaires
• Team written procedures and instructions
• q  Process control information, such as SPC
• Flexible and reinforcing work environment

AUDITORS AS CONSULTANTS
Senior management and the company’s Board of Directors are responsible for the organization’s risk management and operational control processes.  However, value added auditors also can serve as consultants to assist the organization in identifying, evaluating and implementing risk management methodologies and controls.[viii]  This is a major change in internal auditing and other auditing disciplines where it was assumed that there was an ‘independent’ firewall between auditing and the auditee.

Traditionally, auditors were independent and objective.  Independence implies that there is an arms length relationship between the auditor and auditee.  The challenge is that if the auditor provides the auditee consulting assistance, the auditor’s independence may be impaired while the auditor’s objectivity to the auditee still provides value.  The auditor as consultant is a major revision in the Institute of Internal Auditing standards. This is a major step where quality and internal auditors are evolving to ‘business process’ assurance and consulting experts.

VALUE ADDED AUDIT CHALLENGES
ISO 9001 – 2000 now requires ‘effectiveness’ and process auditing.  But, how does a quality auditor audit for ‘effectiveness?’  This is a major challenge for all quality auditors, ISO registrars and quality consultants.  The solution is some form of value added auditing.

Quality auditors can transition to value added auditing as long as it is done carefully.   Several challenges have to be understood and addressed:

• Open to interpretation.  Evaluating effectiveness, risk management, and internal controls is open to interpretation.
• Inconsistent application.  Evaluating effectiveness, risk management, and internal controls can vary among auditors
• Requires additional auditor skills.  Value added auditing requires profound business, process, and people knowledge.
• Possibility of additional variation.  There are no consistent and well-established standards and protocols for conducting value added audits.

FINAL THOUGHTS
Compliance regulatory audits will not disappear.  They add value through regulatory assurance. However, ALL boards of directors of publicly held companies want additional information and assurance beyond a ‘yes/no’ decision.  They are asking auditing and assurance services to evaluate risk management and operational control effectiveness.

Many quality gurus also think that value added auditing is the future of the profession. Jim Lamprecht, best selling author of ISO 9001 books and consultant says: “Value added auditing is auditing for increased profitability and improved customer satisfaction.”

So, what does our quality auditing crystal ball reveal of the future or our profession?

• Consolidated quality audit and internal audit reports go to the Board of Directors
• Quality auditing function will integrate with internal auditing
• Term ‘quality’ audit will fade from the ISO vocabulary
• Multiple audits are conducted for different stakeholders
• Compliance and regulatory systems assessments are still conducted
• Quality auditors will emerge as value added auditors and business process consultants
• Value adding auditing use increases exponentially
• Auditor training requirements increase

A major goal of ours has been to get higher levels of exposure for quality auditing.  Many compliance audits end up at a first level manager for subsequent action.  Internal auditing as seen by their definition of auditing has been a major proponent of value added auditing.  Internal audit reports ultimately end up in the hands of the Board of Directors Audit Committee.   This is where we want our quality audit reports to reside.  So, it’s up to us to work with internal auditing to develop consolidated quality, risk, and control reports.

The above article is excerpted from Greg Hutchins’s recently published Value Added Auditing.

Bio:

Greg Hutchins PE and CERM (503.233.101 & GregH@QualityPlusEngineering.com)  is the founder of:

CERMAcademy.com
800Compete.com
QualityPlusEngineering.com
WorkingIt.com

He is the evangelist behind Future of Quality: Risk®.  He is currently working on the Future of Work and machine learning projects.

He is a frequent speaker and expert on Supply Chain Risk Management and cyber security.  His current books available on all platform are shown below: