2. Agenda: Identifying risks and opportunities in audits
Why audit?
Five common auditing mistakes
Is your auditing process broken?
Risks and opportunity management and reporting
Chris Owen
Services Director
6. 90% of internal audit reports cost over £5,000 each
IIA Report: Nearly 70% of internal audit assignments last more than 15 days
[Chart: duration of internal audit assignments, in bands of 0-5, 6-10, 11-15, 16-20 and more than 20 man days]
Source: https://www.iia.org.uk/media/198130/13._benchmarking_report_internal_audit_assignments_22_september_2008_1_.pdf
17. Audits vs Inspections
Audit | Inspections
Qualitative | Quantitative
Exploratory | Tick-box
Who, Why, What, Where, When, How? | Yes / No
Useful for: Leadership audits, risks and opportunities, improvement initiatives, operational excellence, growth, profitability, ideas and innovation | Useful for: Exposing vulnerabilities, quality control, waste reduction, fact-checking, process management.
Complex root cause analysis and problem solving | Rapid root cause analysis
18. Use your audit report wisely
Benefits of using a scale | Disadvantages of using a scale
Simple to understand | Diversion from findings to a negotiation on a number
Provides areas of focus | Promotes competition between departments
Scale reflects risks | Repetition of recommendations against risks (no integration of activities leading to duplication of effort)
Allows committee members to assess strength of controls without reading report | Management may ignore areas of weakness or good practice
Powerful communication tool | Does not include recommendations, instead agreed management actions
• How can we communicate risk and opportunity in a way people are going to understand?
• How can we drive action from audit reports?
• How can we change the perception of an internal audit from a tick-box exercise to one where it drives cultural change?
! Think carefully before putting a scale in the audit report
21. “Quality people are the needle and thread, stitching the whole end-to-end together.
To do this you have to be a good communicator and influencer who can quickly build respect and credibility. People who can truly do this are very thin on the ground.”
Leading quality in the 21st Century – CQI & Oakland research report
23. Implementing Risks & Opportunities
Remember to follow up on any audit findings.
See all findings as opportunities for improvement.
Discuss and report your findings at senior level.
? What action did you take to address a problem?
? Did you carry out any trend analysis?
? How can you prevent an NCF from occurring again?
? How effective were your corrective and preventative actions?
? Have you updated your Risk register?
25. Example of 5s Performance & Grading Grid
STEP 1 – (Sort) ORGANISATION – Seiri
STEP 2 – (Set in order) ORDERLINESS – Seiton
STEP 3 – (Shine) CLEANLINESS – Seiso
STEP 4 – (Standardize) STANDARDISATION – Seiketsu
STEP 5 – (Sustain) DISCIPLINE – Shitsuke

LEVEL 1 – POOR
Sort: A cluttered workspace with many unneeded items in random locations.
Set in order: Haphazard. No organisation. Essential items are lost in the clutter.
Shine: Dirty area with no evidence of systematic cleaning.
Standardize: No evidence of a documented routine.
Sustain: No evidence of management, monitoring or support.

LEVEL 2
Sort: Some unneeded items remain. Somewhat easier to find needed items.
Set in order: Some organisation of items. All locations not dedicated. Some visual cues.
Shine: Area is generally clean. Routine not in evidence. Inspection not part of routine.
Standardize: Procedures exist but not evident in workplace. Inconsistently applied.
Sustain: Visual measures of 5s performance posted.

LEVEL 3
Sort: Only needed items remain but quantities required are not defined.
Set in order: All items neatly arranged. Dedicated locations and visual cues.
Shine: Cleaning and inspection of equipment clearly in evidence.
Standardize: Procedures in place and beginning to be practiced.
Sustain: Continuous improvement process in place. Evidence of follow-up management.

LEVEL 4 – EXCELLENT
Sort: Only the bare essentials remain. Only defined quantities of items evident.
Set in order: A visual work environment. "A place for everything and everything in its place".
Shine: A spotless, inviting environment. Attention to detail obvious.
Standardize: Clearly defined, effective cleaning process is in constant use.
Sustain: Primary focus is prevention. Standards constantly being upgraded.
27. The art of data storytelling
• Use reports to paint a picture of the business
• Develop a flexible approach to dashboards
• From many data systems to snapshots of an individual process step
28. The auditing landscape
1. Collect risk and opportunity data
2. Audits
3. Risk treatment
Internal issues, NCRs, training
Macro-environmental changes
Inspections
Policies & documentation
Process reviews
Culture health checks
Department audits
Risk and opportunity identification
Reports
Business continuity
Workflows / CAPA
Business improvement
29. Let data be the guide
• Descriptive statistics:
• Variance
• Range
• Standard Deviation
• Histograms
• Good for qualitative, discrete data, understanding the variations
• Pareto Analysis
• Value Stream Mapping
• Fishbone Analysis using the 6Ms
Why I am here today:
- 4 Years at Qualsys
- 10 years in heavily regulated financial sector where independent auditors and pension regulators would be in every fortnight.
- External audit
Internal Audits
- Regulator Audits
Independent Trustee Audits
Financial (forensic) audits
- 3-day audits. Have one week to prepare. One week's notice. Sit in a room and it would be like an exam.
- Internal management systems and process audits – when they are evaluating the business as usual activity – is what we’ll talk about today
At Qualsys, role involves:
Ensuring organisations have inspection-ready management systems
wide variety of standards and regulations
Implement management systems,
Audit Manager - audits are working and performance can be seen.
Our experience with established customers
We have to be mindful and support auditors across a
number of industries
Number of regulators
Number of standards and certifications
And the number is only growing…
World is changing to digital and more regulations
- These days, our economies are highly digitised and heavily-regulated.
Q - Community of 20,000 quality professionals: “What is your main business challenge?”
- In the past year alone you can see the shift from ISO to security.
It’s all about
cybersecurity,
data protection,
privacy impact assessments,
preventing hacks,
risk mitigation.
All about the world wide web and how we can utilise new technologies such as AI, IoT, BI and online to add value, but equally prevent customer issues.
But our internal audit processes are struggling to keep up.
All too often it’s too late.
We can do all the risk assessments and business continuity planning we like, but there are completely new territories
Difficult to see and identify new possible risks, threats and vulnerabilities to our business.
This leads to consequences ……………
It's catching up with everyone
These are just some of the examples of the risks
e.g. Pret supplier audits, Facebook data breach, ethical failures etc.
NORSK HYDRO (NORWAY) – SHUT DOWN BY RANSOMWARE – MANUAL OPERATIONS
Extreme case of poor supplier audits: Carillion – Poor effective internal auditing. THEY MISSED THE RED FLAGS (problem contracts). 2800 people redundant
There's never been a greater need for our internal management system to be performing but more importantly… KNOW they are performing better
Internal audits are incredibly expensive. They take vast amounts of time, energy and resource.
Q - In an IIA survey of SMEs (200) and global enterprise (50000) sized organisations, nearly 70% of internal audit assignments take more than 15 days to compile.
INSTITUTE OF INTERNAL AUDITORS
TREND - These organisations had multiple auditors. We have one customer (Yazaki) who has over (140) auditors operating in over 42 countries.
That’s a significant amount of investment on the upkeep of your management systems.
So why are we doing audits? What’s the purpose? …
Why is auditing internal management systems so valuable?
Finding what you can't see.
HIGHLIGHT OPPS – OPPS ARE EASY – PEOPLE UNDERSTAND WHAT THEY MEAN AND ARE BETTER PRACTICED AT FINDING THEM AS THEY ARE MORE RELATABLE TO THEIR DIRECT BENEFITS
EXAMPLE OF CUSTOMER OPP – Rawsons case study (increased audit activity up 80% from last year).
RISKS ARE DIFFERENT – EXAMPLE OF CUSTOMER AUDIT RISK – Case study – PICK ONE
Experienced lead auditors know that traditionally there have been six basic tenets of auditing based on the following concepts.
1 – Integrity
2 – Fair presentation
3 – Due professional care
4 – Confidentiality
5 – Independence
6 – Evidence-based approach
ISO 19011:2018 adds a seventh principle focused on using the risk-based approach in auditing:
7 – Risk-based approach
The definition of risk presented in ISO 19011:2018 aligns with the concept of risk-based approach in ISO 13485:2016 clause 4.1.2(b).
This ISO 13485:2016 requirement instructs organizations to apply a risk-based approach in deciding how to control their QMS processes.
ISO 19011 follows a similar tack in suggesting the application of risk-based measures across all aspects of auditing – from your overall audit program management through the planning and performance of an individual audit and into auditor competence.
So do we think the process is broken? Or challenged?........
Why Is auditing Internal Management Systems so important – EASY TO LOSE SIGHT OF THE BIGGER PICTURE
SPEAK ABOUT BOTH OPPS AND RISKS
Gives bird’s eye view of the organisation
Diversity of audit assignments (insights)
Opportunity to leverage scepticism / curiosity / experience
People factor – engagement / buy-in / adoption / ownership
Opportunity to grow and evolve
So why do people (auditors/auditee) find it so challenging?..............
So why do organisations struggle?
IT'S AN INDUSTRY CHALLENGE – IT HAPPENS EVERYWHERE
Why do people/auditees feel reluctant to support audit activities? (EYES ROLL, I'M OUT OF THE OFFICE THAT DAY, JOKES, ETC)
- However, attitude towards audits is often bad. That’s an industry-wide issue.
- It’s preventing business from making the most of audit opportunities and risk management.
Remove the word audit and call them reviews. Audit has negative connotations of trying to catch you out, being judgey, lacking empathy…..
Tone/Language supports the challenges we have in place
- Survey of quality professionals from a couple of years ago
Overly bureaucratic… the message from industry is that auditing is a bad thing and we don’t like them.
- It’s a big thing for you to challenge because it’s everywhere.
- How are you going to get the data and the information you need to be able to show the rest of the organisation that they need to facilitate you to get the results you need?
- TURN IT INTO A LEARNING OPPORTUNITY
Here are some of the mistakes we’ve come across to lead to this feeling/perception…
Internal Audits scope and manage lots of moving pieces,
it's often easy to overlook the simplest element – COMMUNICATION
MIS (MANAGEMENT INFORMATION SYSTEMS) Training Institute (MISTI) is the international leader in process audit, IT audit and information security training
4 bad communication habits
STOP RELYING ON EMAIL – use for routine tasks and ongoing activities – NOT FOR TRAINING WHERE CONTENT CAN BE MISINTERPRETED
ANTICIPATE YOUR STAKEHOLDERS NEEDS– not all information is equal to everyone (don’t waste time on bad information)
KEEP ALL MEETINGS SHORT AND ON TOPIC – exit meeting should be to obtain final consensus on raised issues and agreement on action plans NOT to talk about the audit again – DO YOUR HOMEWORK
REMOVE ALL TECHNICAL JARGON – (e.g. HIGH-RISK CONTROL, risk appetite, CAPA,) Your audience may not understand or have different acronyms they follow
https://misti.com/internal-audit-insights/four-communication-tips-to-increase-internal-auditor-effectiveness
Map it out – be visual
COLLECT THE DATA. Collect risk data using Kiosk, risk suggestions, auditing applications, issues, NCRs, CAPAs.
Too many organisations expect you to simply pull this data from thin air.
You need to start by collecting data from on the ground.
Macroenvironmental changes – things like all of your regulatory requirements in a single system
WORK WITH THE PEOPLE - Then you plan, schedule, undertake the audits
MAKE THE BUSINESS BETTER - Then you implement the risk treatment strategy
Different types of audits are:
management system audits,
process audits,
quality audits,
supplier audits etc
Our customers are conducting internal audits all the time! But it’s now a natural part of the process and part of the CHANGING culture.
HABIT, HABIT, HABIT – Habits are hard things to break?
if you ask the same questions you will get the same answers.
You end up going into this loop where you are bringing up the same old issues time and time again and nothing gets done about it.
OR WORSE THINGS GET MISSED!
You need to think – where is my auditing process failing?
Is there a different source of data you need access to?
GOOD EXAMPLE OF CLASSIC AREAS BEING OVERLOOKED – MARKETING?
In the field of marketing technology systems, the number of martech platform, data and software providers has risen from under 1,000 to over 5,000 (2000%) in just 3 years. On average, 49% of companies are currently using marketing automation and the sector is soon expected to be worth more than 5 billion a year.
The field of artificial intelligence (AI) is expected to be worth £16 billion by 2022, growing at a compound annual growth rate of 63% from 2016 to 2022. One of the issues holding back an even greater rate of growth is data hygiene, which is seen as a primary concern for those investing in marketing automation.
Do you know what data your marketing team have on customers and how they are using and maintaining that data? Is it in line with the GDPR?
Auditing is an art, it takes practice and experience to get the balance right.
In my experience there are three types of auditors.
1) The first are those which are over friendly. They don’t look at the detail. They skim the facts and don’t make recommendations which feel like they are of any value.
2) The second are rigid. They are direct, trying to catch you out, leave you feeling unprepared.
3) The best auditors are transparent and collaborative. They know how to balance the right amount of detail with professionalism. They give you an overview of areas they want to cover, it’s not an exam, both parties leave feeling motivated and as if they’ve learned something.
THIS IS ALSO THE SAME FOR THE AUDITEE
PUT THE COMPANY FIRST – WHAT IS CRITICAL TO THE ORGANISATION AND WHY DO THESE AUDIT MATTER
Better insights, better understanding of the internal cultures
It’s about identifying risks and opportunities, and using this to generate revenue for your company. SPOT THE RED FLAGS
Consistent Approach to audits:
In order to compare results of audits, the input and output need to be consistent; i.e. Same area to be audited on regular occasions. This will allow trends and causes and effects (improvements) to be seen.
Try and audit in Odd numbers – 3 or 5 examples of the item(s) in question – this allows a fair representation to be taken and seen.
Remember that one-off issues will always happen – look for patterns.
Having said that, having auditors who use different techniques is a benefit!
Experience of Auditors
The experience of auditors is important – inexperienced auditors ‘could’ have the wool pulled over their eyes.
An understanding / awareness of the audit area(s) is hugely beneficial.
Experienced auditors will provide hints, tips and guidance, especially if you know how to listen and ask the right questions.
Experienced Auditees
Remember though that the experience and approach of an auditee is important too:
Own your work and the area being audited.
Be polite and open.
Don’t offer more information
Don’t be intimidated
Don’t be afraid to answer questions.
FOR BOTH AUDITORS AND AUDITEES USE AUDITS AS AN OPPORTUNITY TO LEARN
DIFFERENT APPROACHES HELP RAISE DIFFERENT OPPS/RISKs – mix n match
INSPECTIONS
Time to act – moving to inspections more visual and responsive – GO TO GEMBA ‘THE ACTUAL PLACE’
INSPECTIONS LET YOU SLEEP AT NIGHT (STAGE 1 PREP e.g. Data physical security, H&S, Equipment checks, etc)
Risk Mitigation for process creep
AUDITS
STAGE 2 – SHOW WHY AND PROVE IT
Risk Prevention for business creep
MISTAKE 3 – THIS INCLUDES THE OUTPUTS OF YOUR AUDITS
You need a consistent way to report so you can compare and trend performance over time.
‘You can’t manage what you can’t measure’ AND ‘If you can’t measure it, you can’t improve it’
PETER DRUCKER ‘Management thinker’ – you don’t know if you are being successful (risk and opps) unless success is defined.
SCALE = PERFORMANCE OF AUDITS ACROSS THE BUSINESS e.g. Sodexo Astrazeneca, MonoSol – Plants who raise the most substantiated H&S observations are rewarded
Good audits are NOT possible without good auditors.
Audits are a valuable activity. They enable organisations to pick up positive trends, good working practices and improve efficiencies as well as highlighting any problems, areas that require review, preventative and corrective actions.
What makes a good auditor?
Impressive organisation skills
A thirst for knowledge
A natural affinity and passion for problem solving
Communication/People skills
Innovation
Have the Required Experience. Certifications are key academic qualifications for an auditor. ...
Ability to Make Independent Decisions. An auditor's decision should not be wavered or influenced by anyone. ...
Auditors Have the Ability to Understand Different Business Needs. ...
Dependable. ...
Effective Communication Skills
What do the skills look like?
Key attributes of an auditor according to PwC
1. Don’t be Shy
2. Be Friendly and Tactful
3. Communicate Carefully
4. Don’t be Arrogant
5. Be a Good Listener
6. Be Careful of Arguments
7. Know Your Laws and Standards
8. Look the Part – you must look professional! FIT THE ENVIRONMENT
Q – WHAT DO YOU THINK AUDITEE SKILLS ARE?
Q. ARE WE INVESTING ENOUGH IN OUR AUDITEES?
Best soft skills:
Be a Team player – able to share experience/information with the wider team
Adaptability – hard to learn but easy to develop in the workplace
Resilience – manage defensive employees on their work/areas
https://www.morganintl.com/blog/accounting-auditing/top-soft-skills-every-internal-auditor-should-possess/
It’s a very difficult role and these people are in short supply
CHANGE TAKES TIME
MYTH - It takes 21 days to make something a habit
TRUTH - the European Journal of Social Psychology found it took on average 66 days to form a habit
One of things many people forget to do is follow-up on audit activity. So what should we do?
Have a clear purpose and understanding for what happens next?
What is important? Are any observation/findings business critical or do they impact the business risk register?
How effective were your corrective and preventative actions? – MonoSol!!!!!
Lead the way.
Put it all back in context – don’t do it for the sake of it!
My main advice would be to make sure the resolution is contextual – it’s not a one-size fits all approach!
Make it visual and precise to the business function and stakeholder level – COMMUNICATE AT THE RIGHT LEVEL
Simple & easy to communicate
TURN IT INTO A HABIT - MANUFACTURING
Sort means that you remove all items from the workplace that are not needed for current tasks
Set in order means that you arrange the items that are needed in the area and identify them or label them so that anyone can find them or put them away
Shine emphasizes removing the dirt, grime, and dust from the work area
Standardize by creating a consistent way of implementing the tasks that are performed on a daily basis including “Sort”, “Set in Order”, and “Shine”
Sustain means that the 5S program has a discipline that ensures its continued success
5 MISTAKES:
Poor communication
Lack of creativity
Inconsistent approaches and experience
Not investing in auditors
Poor follow up activity
USE TECHNOLOGY -
GRANT THORNTON – AUDITORS OF THE FUTURE https://www.accaglobal.com/content/dam/ACCA_Global/Technical/audit/ea-future-of-audit.pdf
‘Not using technology is almost like defaulting on the quality management system’.
Audit in the digital age: audits are not dying yet, but they do need to adapt to the digital age.
‘Businesses and regulations are getting more complex – are auditors trained to deal with it?’
‘Auditors need to provide insights and context to enhance the value of audit, and the relevance and attractiveness of the profession’.
KPIs to reflect controls (quality by design). Top and tailing #1 poor communication and #5 poor follow-up activities
Focused on the critical risk areas on the management system.
Behavioural – Training (THE WHY)
Procedural – Make them experts (THE HOW)
Technological – Protect them (STOP IT HAPPENING)
Configuring KPI dashboards to reflect the most important audit metrics (risks, opportunities, vulnerabilities, issues, CAPAs, NCRs, supplier issues, whistleblowing from staff, inspection results, etc.) is critical to making strategic decisions based on data-driven insights.
Drill-down dashboards help teams to contextualise information regarding business objectives, testing, activities, qualitative research and business activities.
KPI reporting is shifting: the adaptive dashboard of the future moves from broad overviews to granular tactical analysis for specialists, in response to viewer requirements.
There are lots of options for data analytics and the trick is choosing the right tool for the job. Here are just a few examples of tools and what they are good for.
TURNING RISKS INTO OPPS
MAKE SURE YOU PROTECT YOUR EMPLOYEES – The risks and opportunities will most likely come from them – give them a voice
Encourage your employees to fail (MAKE IT A LEARNING EXPERIENCE) - Willing to make mistakes fast enough to learn and better the process.
It's just as much about the people as the business