The ultimate goal of an audit is to check compliance with external and internal standards, help organizations understand their risk profile, and take actions to address those risks in line with the company’s risk appetite. In this sense, audit results are considered to be the gauge for companies in prioritizing their resources and efforts. This creates an enormous, and sometimes unreasonable, amount of expectations placed on the audit functions, particularly on the auditors.
When an incident occurs in one branch of an organization, most often, one of the first things to be questioned would be the previous audit result. Auditing indeed is there to identify the risks and opportunities; however, the fact that it is performed during a given period is somehow forgotten. Audits are usually planned for a couple of days, and at most a full week, and that only in a few cases. Should we expect the audit team to cite all possible issues in their audit report? Theoretically speaking, yes. Would it be the case? Practically speaking, no.
Although it might not always be possible to find an issue that will create an incident in the future, it is extremely important to understand why an auditor fails to find an issue during an audit. There are many different aspects to consider, from the auditors to the structure of the audit function and the governance model. This article focuses on the auditors and gives some practical tips to consider:
Asking the right questions
The most successful auditors are not necessarily the most experienced or the smartest ones. Often, they are the ones with the right level of skepticism. Auditing is indeed the art of asking the right questions, analyzing the facts, and drawing a conclusion from them. We may need to admit that asking questions is not an absolute guarantee for the success of the audit, but it is impossible to have one without asking questions. Be inquisitive, question the unspoken, look beyond the given facts. Remember that an average auditee will argue about a reported finding that does not really exist but keep quiet about existing ones that the auditor has not picked up.
Shopfloor assessment vs. desk review
It is very important for an auditor to spend time on the shopfloor watching the operations in real time. Do your document review, interview the associates, and compare those with what is happening on the shopfloor. In most cases, the right skepticism will arise during your operational checks when everything is perfect on paper. Climb to the top of a tank, go to the rarely visited warehouse, talk to the technician at the far end of the workshop and pay a visit to the roof – of course with the necessary measures taken. Spend a balanced amount of time in the meeting rooms, offices, and shopfloor.
Checking the health of the internal audit program
It is always wise to spend a good amount of time checking the health of the operation’s internal audit program. A strong internal audit program will lead to a strong management system. Check how they plan the audits, how they choose their internal auditors, how capable the internal auditors are, the depth of the questions being asked, and more importantly, how precisely the findings are reported.
Internal audits short of findings are a symptom of an unhealthy organization and management system. In some cases, operations are afraid of raising issues during internal audits, so as not to expose their weaknesses to the external world. A short list of findings, or none at all, should be a warning that a deeper assessment is needed. An organization that is not able or willing to find the gaps and opportunities will end up having bigger issues sooner or later.
Corrective actions and root cause analysis
While checking an operation’s corrective action program (CAPA), the most important aspect to consider would be the methodology they use while performing the root cause analysis. A healthy organization will define which techniques will be used and get their teams trained. A strong CAPA will be able to find the real root cause of the issue and fix it accordingly. It is also necessary to check the number and the content of repeat findings, as these will be an indication of poor root cause analysis. Spend the necessary amount of time and effort to understand the operation’s CAPA and their capabilities to perform a proper root cause analysis.
An auditor is like a doctor. A good doctor will ask the right questions, will not rely only on test results but also examine the body thoroughly, understand what kind of life standards the individual has and what controls she/he has on her/his life (eating habits, sports, relationships, etc.) and how she/he reacts when something goes wrong. The right diagnosis will be the result of a holistic assessment. Could such a doctor fail to find an issue despite all the right efforts? Well, she/he could. But the issue would not be a deadly one in most cases.
By Tülay Kahraman
April 26, 2021