There is a shift, some would even say a paradigm shift, occurring in business that impacts quality auditing. We, as quality professionals and quality auditors, must be aware of the drivers of change and adjust accordingly. We must also adapt to add value, including being able to conduct assurance and analytical assessments that give senior management and the board of directors peace of mind.
Specifically, we need to know how to conduct analytical risk assessments, such as:
- Corporate governance assessments
- Risk based internal audits
- Homeland security assessments
- Customer-supplier assessments
- ‘Effectiveness’ audits
MOVING FROM DETECTION TO ANALYTICAL ASSESSMENTS
What struck you when you read the definition of internal auditing? While ISO 9000 stresses process and ‘effectiveness’ auditing, ISO registrars and most companies still seem to conduct systems or compliance audits. This is a problem in today’s business environment, where senior management and boards of directors’ audit committees want more forward-looking, analytical risk assessments.
By its nature, compliance auditing is ‘after the fact’: it is done after a quality system has been deployed, a product has been produced or a service has been delivered. It is also document intensive. So some call compliance auditing a form of detection or inspection, and companies are asking: ‘Where’s the value in a compliance audit?’
Analytical risk assessments are now the key element of today’s corporate governance in both publicly-held as well as governmental organizations. Auditors or assessors must be able to evaluate the effectiveness of internal controls to manage risks. The Securities and Exchange Commission as well as other regulatory agencies are moving to a risk-based model such as COSO – an acronym for ‘Committee of Sponsoring Organizations.’
ENTERPRISE RISK MANAGEMENT AND CONTROLS
The COSO model has been used for more than a decade to evaluate internal financial controls. Now this model is being used to evaluate internal operational controls and even regulatory controls. Compliance is fine for complying with the letter of regulatory and statutory standards, but now the governance bar is much higher, as companies must meet the intent or spirit of the requirement. Quality auditors must be able to conduct ‘analytical’ assessments that evaluate the effectiveness, efficiency and economics of operations.
It all comes down to being able to evaluate the effectiveness of risk management. COSO defines the enterprise risk management (ERM) model as:
“…a process, effected by an entity’s board of directors, management, and other personnel applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
There are critical takeaways in the above definition, specifically ERM:
- Is a process. It’s a means to an end, not an end in itself
- Is applied across the enterprise and at every level
- Is designed to identify risk events
- Manages risks according to the organization’s risk sensitivity
- Provides ‘reasonable assurance’ to the organization’s board of directors and senior management
- Focuses on achieving the organization’s mission critical objectives
- Is a continual process of assurance, risk identification, and control effectiveness
- Is managed by process owners throughout the organization
- Is applied in strategy development and deployment
ENTERPRISE RISK MANAGEMENT INTEGRATED FRAMEWORK
Today’s quality auditors need to move from detection to analytical auditing. Quality auditors need to know how to evaluate internal and external controls that manage enterprise risks that result from changing competitive environments, shifting customer requirements, restructuring for growth, and managing the supply chain.
ERM controls, commonly called internal controls, are now the hallmark of good corporate governance because they offer the following benefits:
- Promote operational efficiency and effectiveness
- Manage surprises
- Ensure reliability of financial statements
- Ensure compliance with regulations and laws.
Quality auditors must be able to evaluate the effectiveness of enterprise risk management, which consists of the following eight interrelated components:
- Internal environment
- Objective setting
- Event identification
- Risk assessment
- Risk response
- Control activities
- Information and communication
- Monitoring
Bottom Line: It’s a new normal for all quality auditors. What are you going to do?
Bio:
Greg Hutchins PE and CERM (503.233.101 & GregH@QualityPlusEngineering.com) is the founder of:
CERMAcademy.com
800Compete.com
QualityPlusEngineering.com
WorkingIt.com
He is the evangelist behind Future of Quality: Risk®. He is currently working on the Future of Work and machine learning projects.
He is a frequent speaker and expert on Supply Chain Risk Management and cyber security. His current books, available on all platforms, are shown below: