The real purpose of Audit is to give the board an objective analysis of the organisations ability to achieve its strategic goals
Let’s face it, business spends its money where it will deliver the best return, i.e. to shareholders, so the key to increasing the compliance budget is to measure compliance as a factor of performance not as a safety net.
The cornerstone of compliance is audit, which invariably is about pedantic assessment of “side” issues to the core principles of delivering operational results. This impression is reinforced by the use of checklists to focus on detail (pedantic) of compliance and not its effectiveness, which is what the board only really cares about. So are checklists the problem?
Redefining the approach to Audit
Have you ever given a speech? Did you purely reel off a set of dry facts or did you tell a story of interest to your audience? In preparing the speech did you think about who would be there and what they care about? You probably came up with some anecdotes (examples) of similar situations, along with veiled complimentary acknowledgements to get the audience onside. And you always want to have a killer ending to leave a lasting impression. To get the best result you plan what you will say and prepare prompt card to keep you on message.
Yes, all the analogies are more than obvious so I won’t bore you with rehashing it. The key issue is to make audits of interest to the auditees. This will come from understanding their motivations (KPIs) and problems (risks). And checklists are the equivalent to your palm cards prepared for that speech not a history lesson.
It starts with the Audit Plan
As with the speech analogy, audit management starts with the plan. In a previous article “How to Implement Risk Based Audits & Inspections” I covered the identification and scheduling of audits by setting risk based surveillance levels according the needs of the area to be audited. This doesn’t mean ignoring full coverage of regulatory requirements. It just means not to robotically go thru the broad reach of regulatory requirements but instead to match the audit plan to the cost justifiable returns from the audit.
Audit as Motivation
A good speech leaves people motivated and so should a good audit. How do you motivate? You get them to understand their strengths and weaknesses, to own their own future and realise their potential, then set a call to action.
The second problem with checklists, is commonly their scoring method. Generally it’s just the level of conformance/non-conformance e.g. observation, minor or major. This does not take into account the criticality of the requirement nor its effectiveness on the operational outcome. Worse, the common practice of one-size-fits-all checklists waste time by focusing on irrelevant issues to the specific area being assessed.
Conversely, checklists based on identified priority areas of risk and recent incidents, draw interest and involvement. Instead of a single compliance score, items should have multiply scores including applicability/level of risk, degree of compliance, and an effectiveness rating on KPI/objectives.
This can be extended to include performance by having the operational areas estimate their likely effectiveness rating at the next audit. This not only has them to take ownership of the issue, with the implied commitment to improve, but when compared with the accuracy of their previous estimates, demonstrates their understanding of the underlying issues and capabilities.
The Killer Ending
You may think your current audit practice is effective, but how much is really aimed at the regulatory applicability instead of operational outcomes. Regulations (or standards) are systematic guidelines for analysing a business not an objective in their own right. They should be used to identify functionality that is then assessed on how it affect the target’s KPIs and objectives. Being able to highlight the risks and occurrences that can adversely impacted performance of their objectives provides a powerful argument for the pursuit of effective controls. This will also breed empathy instead of animosity between audit partners.
Finally, this approach will allow you to measure your compliance activities in terms of their effect on operational KPIs and objectives which when included in the Audit and Risk Committee Report to the board, will not only improve the status of the Compliance group but most like improve its budget as well.