Value Added Auditing – Greg Hutchins

The American Management Association recently said the following about risk:

“For virtually every business in the United States, the implications of economic change are enormous. The rapidly changing and more uncertain environment not only has made corporate decision-making and planning more difficult, but also has significantly increased business risks. Operating successfully in this new environment will require a very different approach to business management. It involves more, rather than less, attention to external factors, as well as new priorities and strategies and a sharply increased focus on risk management.”

Quality auditors and professionals are going to see more emphasis on risk analysis and other forms of assessments, which we generally call Value Added Auditing. You’re going to hear a lot more of this as more companies focus on new types of assurance. In this article, we will look at different types of Value Added Audits, discuss how they are conducted, and discuss how they will impact quality auditing practices.

THE BUSINESS CHALLENGE
We are now officially in a recession. All types of risks are higher – terrorist risks, business risks, and customer risks. Senior management doesn’t want surprises. Senior management starts thinking: “Do we have sufficient information, yes even knowledge, of what’s happening with our operations?”

ISO 9000 has been deployed very successfully as many companies have gained compliance value. Companies are now asking: “What other assessments can we use to assess risks and evaluate end-to-end value chain processes?” The solution is a more comprehensive philosophy of control, assurance, and organizational governance based on controlling and managing risk.

THE SOLUTION – NEW VALUE ADDED ASSESSMENT METHODS
Management gurus say the secret of great management in the first years of the millennium is adding value and developing new assessment methods that verify and validate value. Hence, the prominence of value added auditing.

Understanding value added auditing will become essential to all quality auditors in the future. Quality auditing and internal auditing are converging around the ideas of assessing operational effectiveness and conducting risk management assessments. Also, we’re seeing early signs where internal auditing is absorbing some quality auditing responsibilities. 

WHAT IS VALUE?
First, we need to define value. All organizations exist to add value to their stakeholders. Value is added when products and services satisfy critical organizational stakeholders. 

Value can mean different things to different stakeholders. Value to shareholders means raising stock value. Value to management means no surprises. Value to regulatory authorities is compliance to laws and regulations. 

Value added auditors assess specific economic attributes, which may include: 

  • Effectiveness
  • Efficiency
  • Cost reduction
  • Waste elimination
  • Risk management
  • Business controls
  • Process controls

WHAT IS VALUE ADDED AUDITING
The Institute of Internal Auditing (IIA) developed their definition of ‘auditing’ which introduces various elements of value: 

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” (“About Internal Auditing,” IIA Web Site, 2000.)

We can infer a number of value adding best practices from the above definition. Value added audits aim to:

  • Provide independent and objective operational analysis
  • Examine every function, process, and activity of the organizational and external value chain
  • Help an organization achieve its business strategies and objectives
  • Follow a systematic and disciplined approach in their assessment
  • Evaluate and improve the effectiveness of risk management, control, and governance processes

In this article, we’ll discuss the following types of value added audits: 

  • Compliance audits
  • Process audits
  • Risk assessments
  • Internal control assessments
  • Self assessments
  • Consulting

COMPLIANCE AUDITS
The key elements of a compliance audit can be gleaned from the ISO definition of ‘auditing’ as shown below:

“Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.” Audit criteria are a “set of policies, procedures, or other requirements against which collected audit evidence is compared.” Audit evidence consists of “records, statements of fact or other information, relevant to the audit and which are verified.” (ISO CD2/ISO 19011 and ISO 9000 – 2000, ASQ Quality Press, 2000.)

Most of us are familiar with compliance audits through ISO 9000 requirements. ISO 9000 system audits traditionally were compliance assessments. The ISO standard or similar standards consist of ‘shall’ requirements. The auditor assesses a business system, process, or product against these standards. The auditor in a compliance audit verifies that documentation complies with the standard’s requirements and verifies implementation to the ‘say what you do and do as you say’ criteria.

Compliance audits are fundamentally documentation reviews. The result is a binary decision, compliance or noncompliance. If there is noncompliance then the auditor will issue a Corrective Action Request (CAR) or a Preventive Action Request (PAR). 

Compliance audits add value to governmental agencies and to commercial organizations that mandate contractual or regulatory compliance. Compliance audits are probably the easiest to conduct because requirements are written and less auditor discretion is required. 

PROCESS AUDITS
The most critical requirement in ISO 9001 – 2000 is ‘shall.’ ‘Shalls’ by their nature are compliance requirements. A system, activity, or product conforms to a requirement or it doesn’t. The second critical requirement in ISO 9001 – 2000 is demonstrating QMS ‘effectiveness.’ 

The major question is how to audit for ‘effectiveness.’ Most quality and ISO pundits think that an effectiveness audit will be some type of process audit. There is still much confusion and little standardization on how to conduct a process audit; however, the following are commonsensical steps:

  • Identify business objectives
  • Flowchart processes 
  • Identify critical process inputs and outputs
  • Evaluate process procedures, records, and documentation against ISO 9001 – requirements
  • Evaluate process metrics against meeting business objectives
  • Analyze metrics to determine process stability and then improvement over time

The power of process audits is that they can go beyond evaluating effectiveness of ISO 9001 – 2000 quality management system clauses to evaluate all value chain processes against internal business objectives and external business benchmarks. 

RISK ASSESSMENT AUDITS
Up to five years ago, quality was the primary filter through which American senior management reached decisions. Customer satisfaction was the critical quality attribute. Well, things changed. Cost and schedule overshadowed quality as the primary senior management decision filters. First to market, first to critical mass, and other time elements became critical to senior management as they competed with other companies.

September 11, 2001 changed all that. Risk and its management is now the primary filter by which management makes its decisions. This is why risk audits will become more critical to organizational operations. 

ORCA is a common organizational risk assessment methodology. Its principal elements are:

  • Identify business Objectives
  • Identify operational and other Risks
  • Define business or other Controls
  • Assess the effectiveness of the business process to satisfy objectives

The organizational risk management assessment is really a competitive and marketplace scan of what can impede as well as accelerate the achievement of business objectives. This is a critical point. Risk management has both a positive and negative connotation. We normally assume the negative – the mitigation of negative events or circumstances. However, all business decision-making is based on smart risk management and analysis. Once this is made, then management can develop its business model and execute based upon risk management criteria: being risk averse, risk sensitive or risk taking.

Once this risk assessment is conducted, senior and operational management can develop strategies to manage risks and execute business decisions. Senior management can decide to:

  • Avoid risk
  • Mitigate risk 
  • Accept risk
  • Share risk 
  • Diversify risk
  • Control risk
  • Increase risk 

A discussion of each of the above strategies is beyond the scope of this Value Added Auditing article. But, anyone conducting risk management assessments should be familiar with these risk management strategies.

INTERNAL CONTROL ASSESSMENTS
You can get an idea of the importance and purpose of internal controls by reading the following from IBM’s 1998 Annual Report:

“IBM maintains an effective internal control structure. It consists, in part of organizational arrangements with clearly defined lines of responsibility and delegation of authority, and comprehensive systems and control procedures. …. To assure the effective administration of internal control, we carefully select and train our employees, develop and disseminate written policies, and procedures, provide appropriate communication channels, and foster an environment conducive to the effective functioning of controls.”

Internal control is the fundamental idea that underlies the entire financial and operational structure of the organization as indicated by IBM’s Chairman of the Board and Chief Financial Officer signing this statement. 

Internal control is a process designed to assure reasonable confidence regarding the following:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

Internal control assessments evaluate these 5 interrelated elements of effectiveness:

  • Control environment. Senior management sets the tone for vision, mission, quality, ethics, goals, and controls. Daily operational control defers to the people who know the process or a product – the process owners.
  • Risk assessment. Risk management is the fundamental objective of all managers in the next few years. The precondition to effective risk management is identified core processes, stabilized processes, capable processes, and control of process variation.
  • Control activities. Control activities are the people, policies, suppliers and other factors that ensure that risks are identified, monitored, and mitigated throughout the project, product, or contract lifecycle. Controls may include approvals, authorizations, validation, verification, reconciliation, and segregation of authorities.
  • Information and communication. No information and no communication – no control. It’s that simple.
  • Monitoring. Internal controls systems and processes must be monitored. It’s not enough to have a process out of control or worse that it is noncompliant with a specification or standard. Ongoing monitoring should ensure corrective and preventive actions.

SELF ASSESSMENTS
The workplace is galloping towards self-managed work teams. Chances are you may be in one or several. Self managed teams are also composed of self directed individuals who accept responsibility for developing schedules, managing quality, controlling costs, upgrading worker skills, assigning work, improving process performance, focusing on results, and ensuring stakeholders are satisfied. Many job classifications are replaced by one work classification. The work environment is open and friendly. Time clocks are eliminated. Compensation is based on pay-for-knowledge so people are paid on the basis of training, experience, knowledge, and value-addition.

In the horizontal organization, hierarchal levels disappear, work is simplified, and information is universally available. Responsibility, authority, resources, information, and decision-making are downloaded to the lowest organizational level. Hierarchal – functional workers evolve into process owners. 

Self-managed process or project teams do work simultaneously or concurrently. Specifications are jointly developed so everyone is familiar with them. Processes are stabilized, documented, and capable. If there are process deficiencies, the team has the skills to solve them. When team and self-managed teams work, results are stunning. The payoff in some production plants designed around self-managed process teams is that they are 30-50% more productive than conventional plants.

Self managed teams and individuals can now assess the value of their work through: 

  • Balanced scorecards
  • Checklists with ratings
  • Internal control questionnaires
  • Team written procedures and instructions
  • Process control information, such as SPC
  • Flexible and reinforcing work environment

AUDITORS AS CONSULTANTS
Senior management and the company’s Board of Directors are responsible for the organization’s risk management and operational control processes. However, value added auditors also can serve as consultants to assist the organization in identifying, evaluating and implementing risk management methodologies and controls. This is a major change in internal auditing and other auditing disciplines where it was assumed that there was a firewall between auditing and the auditee.

Traditionally, auditors were independent and objective. Independence implies that there is an arm’s-length relationship between the auditor and auditee. The challenge is that if the auditor provides the auditee consulting assistance, the auditor’s independence may be impaired while the auditor’s objectivity to the auditee still provides value. The auditor as consultant is a major revision in the Institute of Internal Auditing standards. This is a major step to auditors evolving to risk management and business process consultants.

THE VALUE ADDED AUDIT CHALLENGES
The journey from today’s compliance auditing to value added auditing has to be implemented carefully. These are the challenges to value added auditing:

  • Open to interpretation. Evaluating effectiveness, risk management, and internal controls is open to interpretation. 
  • Inconsistent application. Evaluating effectiveness, risk management, and internal controls can vary among auditors.
  • Requires additional auditor skills. Value added auditing requires profound business, process, and people knowledge. 
  • Possibility of additional variation. There are no consistent and well-established standards and protocols for conducting value added audits. 

YOUR TAKEAWAYS
ISO 9001 – 2000 now specifies ‘effectiveness’ requirements. How does an auditor audit for ‘effectiveness?’ This is a major challenge for all quality auditors, ISO registrars and quality consultants. The solution is some form of value added auditing. 

Most quality auditing will remain compliance based to ISO 9000 or to some other conformance standard. Compliance audits will not disappear. However, audit stakeholders will want additional assurance beyond a yes/no decision. They will ask value added auditing to evaluate quality management system effectiveness as well as provide risk assurance of other organizational processes. 

So, what does the quality auditing crystal ball show for the future? 

  • Term ‘quality’ audit will fade from the ISO vocabulary 
  • Compliance and systems assessments are still conducted
  • Quality auditors will emerge as business process consultants
  • Multiple audits are conducted for different stakeholders
  • Value adding auditing use increases
  • Quality auditing function will integrate with internal auditing
  • Auditor training requirements increase
  • Quality auditing will report to the Board of Directors along with internal auditing

A FINAL THOUGHT
A major goal of ours (quality auditing) has been to get more and higher-level exposure for quality auditing. Now, many compliance audits end up at a first or second level manager for subsequent action. Internal auditing, as can be seen by their definition, has been a major proponent of value added auditing. Internal audit reports usually end up in the hands of a Chief Financial Officer and ultimately in the hands of the Audit Committee of the Board of Directors. This is where we want our quality audit reports to end up.

Bio:

Greg Hutchins PE and CERM (503.233.101 & GregH@QualityPlusEngineering.com)  is the founder of:

CERMAcademy.com
800Compete.com
QualityPlusEngineering.com
WorkingIt.com

He is the evangelist behind Future of Quality: Risk®.  He is currently working on the Future of Work and machine learning projects.

He is a frequent speaker and expert on Supply Chain Risk Management and cyber security.