How to make Audit Management Effective

  • by (Greg Carroll)
  • 25 Jul, 2016
Effectiveness is the holy grail of Compliance Management. Whether regulatory or ERM, ensuring business is conducted as intended is the base requirement for optimising your organization’s performance.

Let’s face it, business spends its money where it will deliver the best return, i.e. to shareholders, so the key to increasing the compliance budget is to measure compliance as a factor of performance not as a safety net.

The cornerstone of compliance is audit, which invariably is about pedantic assessment of “side” issues to the core principles of delivering operational results. This impression is reinforced by the use of checklists to focus on the (pedantic) detail of compliance and not its effectiveness, which is the only thing the board really cares about. So are checklists the problem?


Redefining the approach to Audit

Have you ever given a speech? Did you purely reel off a set of dry facts or did you tell a story of interest to your audience? In preparing the speech did you think about who would be there and what they care about? You probably came up with some anecdotes (examples) of similar situations, along with veiled complimentary acknowledgements to get the audience onside. And you always want to have a killer ending to leave a lasting impression. To get the best result you plan what you will say and prepare prompt cards to keep you on message.

Yes, all the analogies are more than obvious so I won’t bore you with rehashing them. The key issue is to make audits of interest to the auditees. This will come from understanding their motivations (KPIs) and problems (risks). And checklists are the equivalent of the palm cards you prepared for that speech, not a history lesson.


It starts with the Audit Plan

As with the speech analogy, audit management starts with the plan. In a previous article “How to Implement Risk Based Audits & Inspections” I covered the identification and scheduling of audits by setting risk-based surveillance levels according to the needs of the area to be audited. This doesn’t mean ignoring full coverage of regulatory requirements. It just means not robotically going through the broad reach of regulatory requirements but instead matching the audit plan to the cost-justifiable returns from the audit.


Audit as Motivation

A good speech leaves people motivated and so should a good audit.  How do you motivate?  You get them to understand their strengths and weaknesses, to own their own future and realise their potential, then set a call to action. 

The second problem with checklists is commonly their scoring method. Generally it’s just the level of conformance/non-conformance, e.g. observation, minor or major. This does not take into account the criticality of the requirement nor its effectiveness on the operational outcome. Worse, the common practice of one-size-fits-all checklists wastes time by focusing on issues irrelevant to the specific area being assessed.

Conversely, checklists based on identified priority areas of risk and recent incidents draw interest and involvement. Instead of a single compliance score, items should have multiple scores including applicability/level of risk, degree of compliance, and an effectiveness rating on KPI/objectives.

This can be extended to include performance by having the operational areas estimate their likely effectiveness rating at the next audit. This not only has them take ownership of the issue, with the implied commitment to improve, but when compared with the accuracy of their previous estimates, demonstrates their understanding of the underlying issues and capabilities.


The Killer Ending

You may think your current audit practice is effective, but how much is really aimed at the regulatory applicability instead of operational outcomes? Regulations (or standards) are systematic guidelines for analysing a business, not an objective in their own right. They should be used to identify functionality that is then assessed on how it affects the target’s KPIs and objectives. Being able to highlight the risks and occurrences that can adversely impact performance of their objectives provides a powerful argument for the pursuit of effective controls. This will also breed empathy instead of animosity between audit partners.

Finally, this approach will allow you to measure your compliance activities in terms of their effect on operational KPIs and objectives which, when included in the Audit and Risk Committee Report to the board, will not only improve the status of the Compliance group but most likely improve its budget as well.

