Internal auditing revolution?
Always a controversial subject, internal auditing is traditionally fraught with difficulties and its capacity to add value is often questioned. In this new era of IT-based solutions, a revolution is on the horizon say Ian Rosam and Rob Peddle of the HPO Group
Internal auditing is not dead yet but it may well be if the value delivered by auditing does not improve. Auditing needs to deliver information that senior managers can use to make informed decisions and to help them direct and improve their organisation.
Most audits provide tactical, low-level detail, are text-based and difficult to digest. They often only cover compliance rather than effectiveness issues and do not compare what is happening against best practice and rarely link to drivers of business performance.
However, senior managers work with numbers, values, graphs, money and budgets. They are concerned with the performance of the organization and require strategic management information that reflects their need to drive effectiveness and manage risk.
Benchmarks and maturity values are needed to help with this decision-making and drive improvement - not just compliance. What they need is strategic, high level endorsement, yet often auditing is low level and low value. There is a crucial mismatch.
The number of organizations dropping out of ISO 9001 registration suggests that what is being delivered is not what is required and current methods of internal auditing contribute to this.
Why is this happening?
ISO 9001 requires organizations to audit both compliance and effectiveness. It is about:
- understanding how information, assets, IT, culture, leadership, budgets, equipment and knowledge etc work together to support the delivery of the process and affect the results
- how the process is managed and improved
The problem is that auditing a system or a process requires auditors to:
- understand business process management at both a strategic and tactical level
- possess a range of management skills and knowledge that cover all areas of business management
- comprehend how a business really works and not just have a text book understanding
Perfect auditors with all of these competences do not exist. Even working in teams will not help as the cost is usually too high. So is the auditor at fault? ISO 9001 is already four years old yet there has been no real step change to mainstream auditing methodologies, which has enabled it to assess effectiveness as well as compliance. If the gap between what senior managers actually need and what is being supplied is not closed, then why should they bother?
Looking for solutions.
Although few audits use IT as a tool, IT-based solutions can efficiently collect, collate, analyse and report findings. They can measure these against drivers or indicators of performance and consistently apply methods that build intelligence into the analysis to produce the information managers want and need. These IT solutions:
- reduce the need for human auditors and associated costs
- increase consistency, security, objectivity and sample size
- are less distracting to core activity
- reduce costs and/or increase value by scoring and reporting performance against what really matters
- benchmark results across sites, locations, and countries simultaneously
Online auditing does not mean looking at scanned documents on a screen or at computer records, which would merely be an extension of current methods. It is a dramatic change in approach.
Audits need to collect data from a large number of people - to create a fully representative sample size - on perception and behaviour, the importance of which is unknown to the auditee so that findings cannot be distorted. They then need to apply intelligence and an appropriate level of analysis (which a human auditor cannot sensibly do in this environment) to report consistently against drivers of performance.
Innovate to stay alive
So will there be an internal auditing revolution? Despite the transition to ISO 9001, many certification bodies still appear to be locked into an industry that seems to place more importance on the number of auditing days rather than the value of the outcomes they produce.
Organizations are required to assess both effectiveness and compliance. These are two completely different issues, yet the industry that assesses them only really focuses on compliance. As with any industry in which there is a gap between what is being supplied and what is actually needed, it is no wonder that thousands are opting out, whilst other players will inevitably join the market with innovative approaches and fill the gap.
Some certification bodies have recognized this new dynamic and are taking an innovative lead, which is developing considerable value for their customers and opportunity for themselves. These people who advance internal auditing along with the changing times and developing technology will be the winners.
About the authors
Rob Peddle is an experienced
business manager, change agent and facilitator, and Ian
Rosam is a project leader, coach, mentor and facilitor. They
are directors of The HPO Group.
The HPO Group provides online assessment of business processes, systems, standards, competence and other frameworks. These are enhanced by the facilitation of effective process-based systems and management system 'portals of the future'. For more information e: enquiries@the-hpo.com
Two new books are about to be released by BSI Publications about CSR and its 'real world' application. A new wave of services has also been developed in partnership with UL International (UK), a global player in product certification and system registration.
 |
|
 |
|
 |
 |
 |
|
 |