Add Value To Quality Audits
Align your reports with internal audits to get the attention of leadership
by Greg Hutchins
As I wrote this column, the congressional hearings on auditing and accounting fraud were playing in the background on C-SPAN.
One purpose of the hearings was to allow representatives to question corporate figures about the lack of transparency to investors and lack of value to stakeholders. Think quality of information and quality of decision making.
This subject has been featured in many page-one articles in the Wall Street Journal, New York Times, national business magazines and local newspapers. The NASDAQ has hit five-year lows. The Dow has dropped alarmingly. WorldCom lost almost $200 billion in market capitalization. Enron lost almost $100 billion in value.
Sadly, ISO 9000 and quality auditing were never mentioned as solutions to the problem during the hearings. But internal auditing may finally become recognized as a way to solve the corporate governance crisis. As a matter of fact, a 37-year-old internal auditor at WorldCom became a national hero for blowing the whistle on her corporation's activities.
Bottom line: If we, as quality auditors, don't add real and perceived value, what we say is going to be dismissed. We need to understand corporate governance issues and what we can do to provide reliable and accurate information to stakeholders. Most importantly, partnering with internal auditors is critical to our careers as quality professionals.
What is value?
The Institute of Internal Auditors (IIA) defines "adding value" as follows:
Organizations exist to create value or benefit to their owners, other stakeholders, customers and clients. This concept provides purpose for their existence. Value is provided through their development of products and services and the use of resources to promote those products and services.
In the process of gathering data to understand and assess risk, internal auditors develop significant insight into operations and opportunities for improvement that can be extremely beneficial to their organization.
This valuable information can be in the form of consultation, advice, written communications or through other products--all of which should be properly communicated to the appropriate management or operating personnel. [1]
What do internal auditors do?
The IIA defines "internal auditing" as:
... an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. [2]
What adds value?
Audit value comes from managing risks, strengthening internal controls, measuring operational effectiveness, reducing costs, eliminating waste and assuring stakeholders business requirements are satisfied. Periodic assessments also provide trendline data to determine baseline and benchmark performance improvement.
New issues arise as a result of internal auditing. Processes, systems and products are understood better. Prevention is emphasized. Mistakes are detected and controlled further up the value chain. Business objectives are operationalized. Risks are managed. Opportunities are found. Priorities are refocused.
So, let's look at two types of value-added audits.
Most quality and ISO pundits think ISO 9000:2000 audits will involve process auditing. There is still much confusion and little standardization on how to conduct a process audit, but the following are commonsense steps:
1. Identify business objectives.
2. Flowchart critical processes.
3. Identify critical process inputs and outputs.
4. Evaluate process procedures, records and documentation against ISO 9001:2000 or similar quality criteria.
5. Evaluate process metrics against business objectives.
6. Analyze metrics to determine process stability and then improvement over time.
ORCA is a common risk assessment methodology used by internal auditors. Its principal elements are:
- Identify business and process objectives.
- Identify operational and other risks.
- Define business or other controls.
- Assess and ensure the effectiveness of the business process to satisfy objectives.
So, what should we do?
Quality auditors should understand and align their reports with internal audit reports. Why? Our quality and ISO 9000 audits usually go no higher than a second-level manager. Pre-Enron, 24% of internal audits went directly to the audit committee of a company's board of directors. Post-Enron, regulators and others are suggesting all internal audit reports go directly to the audit committee.
This is a no-brainer for us. If we want our reports and our decisions to have impact, we need to send them to the highest level of management possible. We add real value because of our operational and supply base knowledge.
1. "Glossary," IIA Professional Practices Framework, 2000.
GREG HUTCHINS is a principal with Quality Plus Engineering, a Portland, OR-based process management and value-added auditing company. He recently authored and published Supply Management Strategies, which can be ordered through Amazon.com. Hutchins is a member of ASQ.
If you would like to comment on this article, please post your remarks on the Quality Progress Discussion Board on www.asqnet.org, or e-mail them to email@example.com.