How to conduct value based audits?

In a 2008 survey conducted by KPMG of 200 small to medium-sized companies, 56% saw the audit as a routine chore that varied little from year to year. Just over 60% of the companies said their auditor did not raise any issues or ideas that were used in their business to enhance their processes or decisions.

Do you add value to your audits and clients processes?

There is a step by step approach to conduct “value based audits”:

1. Identify the process – It is very imperative to first understand or discover the process at first place, even before an audit checklist is drawn. Process identification helps to understand that audit plan and objectives have been drawn in the right direction.

2. Identify control points – Control points enables an auditor to identify the critical points which if not complied can lead to a total or partial failure of the business process

3. Identify process improvement areas – The best method to identify improvement area is to first identify RVA (real value added), BVA (Business value added) and finally NVA (non-value added) items in the process.

Finally, once these areas are identified later an auditor can complete the routine checks and not only supply a routine audit report but also provide a process improvement report. Thus, an auditor not only audit mundane tasks but provide a far better insights into client processes and methods of conducting the business.

There is also a very good reason why an auditor is fit for this job, not only he provides an out of box experience to the process but also submits and provides his entire audit experience to their client process. From an auditor perspective it gives an immense amount of satisfaction of having provided a value to client and a sense of pride to become a better auditor, from a client perspective it is a win-win situation since not only the process areas are audited but also a value is provided thereby raising overall audit experience.

Apart from gathering enough insights on the processes, few questionnaire like below goes a long way to craft an overall audit experience for clients:

5 questions for process owners to gain better insights of business processes:
1.  What is your role in the organization?
2.  In your view, what is the greatest strength of your area or department?
3. In your view, what is your area or departments greatest opportunity for improvement?
4. In your view, what is your company’s greatest strength?
5. In your view, what is your company’s best opportunity to improve upon?

These questions served as an effective way to get a dialogue started between the audit team and client person.

Have you recently conducted a value-based audits, let us know your experience.

** This article is written by 77comply as part of its endeavor to share knowledge about GRC

What are audit objectives?

An organization is tasked to create an effective audit programme that entails audit objectives, audit type, location, duration so on and so forth. Selection of auditees and guides, planning logistics and resources are integral part when planning audits. One of the key ingredients to frame an effective audit programme is “audit objective”.

What are Audit objectives:

Audit objectives are normally expressed in terms of conclusion the audit is expected to draw in respect to entity’s/stakeholders performance of an activity. They are based on the question(s) that the audit seeks to answer about the performance of an activity or program; for example, “Did the entity have effective procedures/controls in place to meet the process guidelines?” or “did the entity determine the effectiveness of the management system”

Audit objectives are generally based on SMART principle. They should be realistic and achievable and give sufficient information to the entity and other stakeholders about the focus of the audit.

Typically, an audit objective shares a one to one relationship with audit, but there may be cases though suggested to avoid where an audit can enjoy more than one audit objectives.

ISO 19011 defines audit objectives as follows:

The audit objectives define what is to be accomplished by the individual audit and may include the following:

• determination of the extent of conformity of the management system to be audited, or parts of it, with audit criteria;
• determination of the extent of conformity of activities, processes and products with the requirements and procedures of the management system;
• evaluation of the capability of the management system to ensure compliance with legal and contractual
• requirements and other requirements to which the organization is committed;
• evaluation of the effectiveness of the management system in meeting its specified objectives;
• identification of areas for potential improvement of the management system.

Do let us know your views on framing audit objectives.

 

Is this process or procedure?

Often, the answer to this question is simple but at many occasions unknowingly we interchangeably use process and procedure. This article is an effort to eliminate the difference and the confusion in these two terminologies.

What is process?

Lets take an example of one of the “procedures” mandated by ISO 9001:2008 “Control of documents”.

Now ISO 9001:2008 explicitly calls “Control of documents” as procedure, have you ever thought if it is called a procedure can we also call it as process. The answer is no, for it to be classified as process we need following things in order:

1. Typically a verb noun format – So instead of “Control of documents” it will be actually called as “Create Document” where “create” is a verb and “document” is the noun.

2. A process must be discrete and assignable – For instance, in the “Create document” process, we must be able to ask following questions. Who created the document?, how many documents were created?, how many times the same document was created?

The process has an input, in this case a request to create a document.

The process has an output, in this case an approved document.

What is a procedure?

Procedure is detail of a specific activity, for instance in our Create Document process example, there may be an activity to approve a document. Now typically to approve a document we may take following steps.

1. Email the approver

2. Approver opens a document management system

3. Verifies the document in the system

4. Mark it as approved.

5. Sign the hard copy of document

These are just imaginary steps, but the difference lies here, in the process document I will just mention “What to do” and in the procedure document ill explain “How to do”

Its really confusing for us too when ISO 9001:2008 demands a procedure for control of documents, does the correct interpretation is process or really the expectation is a well documented procedure. I leave the question to the audience and ISO experts.