While many books and articles have been written about how to drive greater management and organizational output, only recently have managers been asked to think about how to incorporate "audits" as a management tool within their organizations. First of all, contrary to popular belief, audit is not a responsibility of the internal or external auditors. It is the responsibility of business heads and managers who are running the operations of the company on a day-to-day basis. How does one incorporate audit best practices within a management framework?
Here are some simple examples of audits, which many large and small companies are using to enhance their compliance with internal and external regulations and mandates.
- A global retailer sets up a global field audit capability to enhance its store operations
- A mid-size pharmaceutical company focuses on documenting its key policies and procedures
- A large food service company enables a web infrastructure for audits of its suppliers and franchisees
- A sporting goods manufacturer begins to manage its business through real-time KPIs (Key Performance Indicators)
All these companies are incorporating audits in their management and operational framework. They are creating an environment for continuous improvement through a well-thought-out strategy of audits. These audit frameworks are not merely designed to serve the requirements of the internal or external auditors, but also provide continuous operational benefits to the business units. So choosing a proper audit tool will improve your compliance and strengthen your audit process.
So, how should one think about building an audit strategy within the management framework of an organization? Here is a simple framework to think about how to incorporate audit controls in your business.
Segregation of Duties:
Segregation of Duties ensures that no one person is solely responsible for the entire process end-to-end, without effective checks and balances. For example, key authorization processes should have appropriate checks and balances. The person who documents the transaction should not be the same person who conducts the transaction. These simple checks and balances ensure effective controls and reduce organizational error rates.
- Design your organization with "checks and balances" in mind
- Ensure that the organizational processes and policies have a "quality control" oversight at all times
- Ensure that the quality functions are reporting independent of the operational units
Policies and Procedures:
Policies and procedures codify management's criteria for executing an organization's operations. They document business processes, personnel responsibilities, and departmental operations, and promote uniformity in executing and recording transactions. Thorough policies and procedures serve as effective training tools for employees. Having a documented repository of your standard operating procedures at the operational, financial, and manufacturing unit levels ensures consistency of processes and reduces audit failures.
- Document key business processes and policies
- Make the policies and procedures available to all personnel
- Ensure they are accurate, complete, and current at all times
- Revise policies and procedures for changes in business processes and policies. This is particularly important when new systems are developed and implemented or other organizational changes occur
- Communicate significant changes to all affected personnel immediately to ensure they are aware of any revisions to their daily duties and responsibilities
- In the event that there are changes in personnel (i.e. new employees are hired, promotions granted, etc.), documented policies and procedures will facilitate training and provide guidelines for the respective positions
- An integrated document management system with integrated training management ensures that all employees, suppliers, vendors, and partners are current with your documented policies and procedures
Reviews and Approvals:
When a process is performed within a department, there should always be another level of review and approval performed by a knowledgeable individual independent of the process. The approval should be documented to verify that a review was done. Review and approval are controls that help management gauge whether operational and personnel goals and objectives are being met. In this day and age of emails and web technologies, it is easier to document your approvals if you can refrain from verbal approvals and use electronic methods to approve key policies and processes.
- Approve electronically to enable rapid documentation of approvals
- Ensure that approval alerts and escalations are embedded in the workflow of your organization
- Document all the approvals in a repository to ensure compliance with internal and external audits
- Numerous approval management and archival solutions exist to facilitate both enforcement and documentation of approvals within an organization
Process Efficiency and Effectiveness:
Organizational processes must be efficient and effective. Efficiency implies the most productive way to perform a task or function. Effectiveness implies that the given process has the intended outcome. Organizational process flows have to be designed with both efficiency and effectiveness in mind.
- Effective processes are easier to audit, as the cause and effect of the processes are well understood. Ill-designed processes are often harder to audit and may have unforeseen consequences.
- Incorporate key audit controls (Key process indicators, metrics etc.) in your workflow to ease the audit of the processes.
- Efficient processes are often easier to audit as there are fewer intermediate steps and approval loops. So, all your effort to design greater process efficiency indeed pays off not just on an operational basis but also from an audit standpoint. Efficient processes are simply easier to audit.
- Talk to your internal and organizational audit organization early in the process and incorporate their needs as you design your key processes and policies.
Management Reporting:
Management reporting takes on a more strategic priority as you are designing your organization for greater auditability. The reporting infrastructure of your company is not just a way to create visibility into the status of key processes and activities; it also gives management and the auditors a way to get possibly real-time visibility into the key indicators of your organization. Reporting of key Corrective Actions and Preventive Actions, process KPIs, employee training status on key processes, supplier and partner scorecards, and quality maintenance reports on critical equipment and plants are simple examples of a well-designed management reporting system.
- Implement an organization-wide reporting process and infrastructure, ensuring that all your business units are reliably and consistently reporting the required process status and data.
- A well-designed organization implies that reporting is not a separate task which you perform manually once a month or week. Instead, reports are generated "in-band" as you go through the key processes within your day-to-day activities. This ensures that reports are reflective of the processes themselves and not a "post-fact" historical analysis of outcomes. These historical reports tend to be prone to manipulation and human errors.
- Reporting is not just what your direct reports and business units share with the management. In well-designed management reporting environments, the management must share key reports back to the business units and direct reports. For example, many companies are beginning to implement "real-time" scorecards, which show comparative performance across different business units, suppliers or franchisees. These scorecards give an actionable framework to business units or suppliers to improve their performance in real time. Post-fact scorecards (in hindsight) may have some value, but they lack the ability to drive real-time performance improvements and actionability.
- Well-run organizations provide "drill-down" reporting capabilities, ensuring that employees, managers, and suppliers can see the performance of their processes at the right level of abstraction. "Drill-down" enables organizations to get to the root cause of key issues, enables insights and learnings, and creates an environment of continuous process improvements.