Does your organisation see its audit programme as a key enabler for continuous improvement? Is it directly linked to trends such as:
- The positive evolution of indicators like complaints and incidents?
- The absence of “surprises” during customer audits?
- The increase of best practices being identified and replicated?
If yes, then it is fantastic as your organisation is gaining value from the audit programme in place. Keep up the good work and adapt as needed to keep pace with the evolution of the business and the associated risks.
However, if your audit programme is not perceived as providing a positive return on investment or if there is room for improvement then you would need considering the implementation of actions in several critical areas. In order to improve, the management of an audit programme should indeed evaluate multiple aspects such as:
- Are the audit programme objectives being identified and achieved?
- Is the audit scope consistent with the audit programme’s objectives?
- Is the risk-based approach to auditing appropriate?
- Are the audit criteria rightly defined to achieve the objectives?
- Is the performance of the audit team members appropriate?
- Are the audit reports driving actions?
- What is the feedback received?
Reviewing the overall implementation on a regular basis, identifying opportunities for improvement and applying changes to the audit programme when and where needed is of the upmost importance.
Are the audit programme objectives being identified and achieved?
What are you willing to achieve with your audit programme? Is everyone aligned with these objectives? Are they ultimately attained? These are three very important questions to answer.
The audit programme objectives need to take into account the needs and expectations of its customers / interested parties. These have to be established, aligned and communicated within the organisation in order to direct the planning and conducting of audits, ensure the audit programme is implemented effectively and allow to determine whether the objectives are achieved. Lack of clarity and alignment on objectives typically impacts negatively the performance of any programme.
Is the audit scope consistent with the audit programme’s objectives?
A key question to answer is whether the scope of your audits allows to achieve the audit programme’s objectives.
Not sampling properly the locations and / or the processes is an example of an issue that could prevent achieving your goals. Go back to your records and see whether there is a pattern indicating that your scope does not allow for an appropriate evaluation. If this is the case then adapt and see how things evolve.
Is the risk-based approach to auditing appropriate?
Applying a risk-approach to auditing requires to keep it dynamic. You will need to answer on a regular basis key questions such as:
- Are certain products or services riskier than others?
- Which areas or processes have had critical audit findings in the past?
- Where is change happening? Are there any products, processes, services or departments that need a closer look due to change or turnover?
The answers to questions like these should trigger an agile adaptation of your approach and of how the audits are being performed.
Are the audit criteria rightly defined to achieve the objectives?
Defining the audit criteria in a way that facilitates their use by auditors is key. Using unclear, contradicting or not precise audit criteria is a recipe for audit programme’s failure. Paying attention to the tools provided to the auditors is critical as they are – from experience – always impacting heavily the quality of the audit.
Is the performance of the audit team members appropriate?
Confidence in the audit process and the ability to achieve its objectives depends on the competence of those performing the audits. Auditors should continually improve their competence and the person managing the audit programme should establish mechanisms for the continual evaluation of the performance of the auditors and the development of their capabilities.
Are the audit reports driving actions?
An audit report should provide a complete, accurate, concise and clear record of the audit, and should as a minimum include the audit criteria, the audit findings, the related evidence, and the audit conclusions. Are your audit reports including the above as a minimum? What else do you include that provides value to the organisation and which promotes continuous improvement? Do you have a report review process to ensure all the reports comply to your reporting requirements? The audit report is the end product of the audit and as such should receive the detailed attention it deserves. It should definitely facilitate the taking of actions to address the findings and the associated risks.
What is the feedback received?
Are you collecting the feedback from the audit programme’s interested parties? This feedback guides improvements of the stakeholder’s experience and can empower positive change in your audit organisation — even (and especially) when it’s negative. Feedback is essential for a more effective contribution of the audit programme to the company’s performance. To have an added value, the audit function has to constantly listen and grow but also rapidly change direction if needed and stay flexible in the ever-changing business environment.
What this article discusses is a list of areas one could investigate to ensure an audit programme drives continuous improvement. It is based on experience and does not constitute an exhaustive list. May this be considered as food for thought for you and your organisation. Investing resources in auditing has a value. Maximising it for the benefits of all is key.
By Marc Cwikowski
August 6, 2020