Health and Safety, Environment and Quality Audits
Stephen Asbury MBA, FRSA, MIEMA, CEnv, CFIOSH and Peter Ashwell FCA, FCIPD, FlnstLM
Butterworth-Heinemann is an imprint of Elsevier. Linacre House, Jordan Hill, Oxford OX2 8DP, UK; 30 Corporate Drive, Suite 400, Burlington, MA 01803, USA.
First edition 2007. Copyright © 2007, Stephen Asbury and Peter Ashwell. Published by Elsevier Ltd. All rights reserved.
ISBN-13: 978-0-750-68026-4; ISBN-10: 0-7506-8026-1.
Printed and bound in Great Britain.
Contents
Foreword vi
Endorsements vii
Preface x
About the Authors xiv
Acknowledgements xv
Introduction xvii
Chapter 1 Business Environment 1
Chapter 2 Business Control 33
Chapter 3 Planning for Audit and Assurance 60
Chapter 4 The Audit Process Roller Coaster© 82
Chapter 5 Set-up 89
Chapter 6 Review and Verify 112
Chapter 7 Concluding the Audit 141
Chapter 8 Personal Relationships 167
Chapter 9 The Written Report 182
Chapter 10 Teamworking 197
Appendix 1 – Preparation, Preparation, Preparation 204
Appendix 2 – A-Factors 208
Appendix 3 – Suggested List of Pre-audit Documents 215
Glossary 217
References 218
Bibliography 219
Comments from Course Delegates 222
Index 225
Foreword
Mention auditing to the layman and the expected response is a glazed look. It is not a sexy subject. So why write a book about it, and who would want to read it? But start to talk about risk, governance, business improvement, adding value and many other aspects of business that have currency in the Boardroom and interest quickens. Auditing is no longer characterised by talking to the shop floor and ticking the boxes on a checklist. And while compliance remains relevant, the primary requirement for those being audited is to add value. Today’s auditor belongs as much in realms of senior management as in the production line. This book provides an interesting insight into the mechanics of auditing. Informative and a good read for those familiar with the industry, and for those not, an interesting insight into an interesting subject.
Simon Feary, Chief Executive, The International Register of Certificated Auditors (IRCA), London, UK
Endorsements
Health and safety management is an integral part of business risk management, with auditing being an essential component for helping ensure efficacy and continual improvement. Audits should not be dreaded or adversarial, but regarded as opportunities for organisations to learn and for auditors to share good practice. This book can assist employers and prospective and practising auditors to better understand their respective roles and also the potential value to the organisation of a well-designed and conducted audit undertaken by a competent auditor or audit team.
Rob Strange, Chief Executive, The Institution of Occupational Safety and Health (IOSH), Leicester, UK

I am delighted to have been asked to offer my support to a book that clearly outlines how beneficial having a positive approach to auditing has become in this contemporary, but accountable world we live in. All companies, no matter what size they are, have a duty to satisfy their customers, both internal and external, as well as interested stakeholders, that their business is run and governed correctly. How better to demonstrate this than by welcoming their activities to be audited by external individuals. During my 20-odd years in the chemical industry we were audited many times and although we knew up front there was much to do, always had the attitude that an audit should be welcomed and not feared as it allowed “a fresh pair of eyes” to overview our activities and possibly spot something our “all too familiar eyes” had missed. Working with the auditors, and not against them, is essential. So I hope all who read this book will find it a useful companion on the often fascinating journey of auditing.
Russell Foster, Chief Executive, Institute of Environmental Management & Assessment (IEMA), Lincoln, UK
Back then in the mid-1990s, as Health, Safety, Environmental and Quality (HSEQ) Manager of Shell Malaysia Trading, I was responsible for and involved in the implementation of the Health, Safety and Environmental Management System (HSEMS) in the company. I believed then, and still do, that the HSEMS is a fantastic tool to manage the health, safety and environmental hazards and risks in the oil and gas environment or similar business operations only if it is properly implemented and maintained for continuous improvement. Internal auditors not only provide assurance but can also help management coach the employees on how they can ensure the controls in the HSEMS are strong and relevant. In so doing, the organization can be a fortress against any untoward world incidents like the Piper Alpha explosion and fire or the Valdez oil spill. HSEMS is not an easy system to understand. Higher expectations for increased accountability, more transparency, greater due diligence and enhanced oversight have all contributed to growing need for professionalism in auditing. Therefore, any help we can provide to auditors to conduct a proper review of the HSEMS system is welcome and appreciated. I think this book can provide some of that guidance to auditors. Syabas to Peter and Stephen for the courage and dedication in publishing this book.
Fatimah Abu Bakar, President of The Institute of Internal Auditors Malaysia (and formerly the General Manager, Internal Audit and Compliance at Pengurusan Danaharta Nasional Berhad), Kuala Lumpur, Malaysia

“Audited to death” is a cry often heard from managers, followed by disdainful looks of dissatisfaction about the value and business contribution made by auditing. It is imperative that audit does add value; and is valued by those touched by the process. Dovetailing what we do, in an auditor role, to the business needs and risks, focusing on the things that matter help to raise the profile and status. All this helps to demonstrate that the time and effort spent on auditing greatly facilitates performance improvement. All so simple really, but often difficult to deliver and sustain. That is why it is refreshing to have a book, written by two reputable people, that describes the principles and tools for auditing and provides stimulating debate and examples to enthuse and revitalise auditors and those touched by auditing. The principles, practice and tips within this book will aid in the promotion of adding value.
Neil Edmunds, Health and Safety Director (UK & Europe), Bombardier Transportation, Crewe, UK
Audits have become an essential part of doing business and have not only been embraced by our management but built into the educational structure of McDonalds and our Hamburger University. Safety and the protection of our customers and employees are the highest priority. Audits and risk assessment play a major role in allowing us to provide that protection.
Jim Marshall, Director Insurance & Safety, McDonald’s Corporation, Oak Brook, Illinois, USA

The role of audit in the business world continues to be as important as ever. Stakeholders and shareholders alike rely on the expertise of external auditors to verify or discount what they think is working as it should in their business. This is true equally if you are involved in financial services, as it is in occupational health and safety. From corporate governance and S-OX, to OHSAS 18001, there is one ingredient that remains the same – protecting the health and safety of employees. The role of the auditee is in accepting audit as a basis for continual improvement and not a battering ram. The role of the auditor is in accepting that their expertise can help a business rather than placate it. This book will help auditees and auditors alike to understand the role and therefore the nature and practicalities of audit.
Margaret McLoughlin, Group OHS Manager, Coca Cola HBC, Vienna, Austria

Organisations of every type and size need to be able to demonstrate that they have sound internal control and strong governance. Directors and senior management recognise the critical role that an effective Internal Audit function can play in providing them with assurance that lets them sleep soundly at night – or tells them what needs to be fixed. An Internal Audit department will be judged by its effectiveness in not only assuring management that the expected controls are in place but also by highlighting where management need to pay more attention to high risk areas of their operations and put more resource – in terms of time, money, expertise – before the challenges of the future turn into issues of today! Internal Audit, more than most functions, relies upon the quality of its people and in their ability to proactively engage with their audience at all levels of the organisation. Auditors need passion, knowledge, respect and to be eloquent exponents of the benefits to all stakeholders of sound internal control and strong governance. Whether you are a ‘seasoned’ auditor or relatively new to the role, I encourage you to use this book to help you develop as an individual whilst seeking yet further opportunities to add value to the organisation you work for.
Mick Michael, Sarbanes-Oxley Compliance Manager, National Grid plc, Warwick, UK
Preface
Why, you might ask, would anybody wish to write a book about auditing? The answer is very simple. Today, we live in a world where enterprises of all types, sizes and sectors must be able to prove to those both inside and outside their organizations that they are being managed in a way which is consistently acceptable to all of society. In the main, enterprises have lost people’s trust to carry out their activities relying purely on their owners’, directors’ or managers’ word that everything is being done properly. Even when directors explain in great detail what their policies, guidelines and standards are with regard to how they intend to carry out their activities, that may still not be good enough. In the last ten to fifteen years, people outside – and often inside – all types of organizations have demanded demonstrable proof as to the extent to which enterprises are meeting their self-proclaimed standards. And over the same period, many groups claiming to represent interested people in society have persuaded enterprises to involve or engage them. There is no turning back (Figure P.1).

The level of management performance needed to ensure that entities stand a chance of meeting these continually increasing levels of expectation is competing head-on with the level of management performance needed to create commercial success. We believe that the conundrum of how to get the same individuals to achieve both goals simultaneously can be solved if entities create a function to carry out effective management system auditing. Corporate governance and social responsibility are the expressions used today to describe the governmental, legal and societal reaction to this simultaneous phenomenon of lack of trust and huge expectation.

There is a major challenge to agreeing a global approach because historically the US attitude to regulation has adopted a ‘rule-book mentality’, which means that when anything contravenes the prescribed letter of the law, organizations and officers are sued and possibly prosecuted. Meanwhile the UK and many International standards of accounting, auditing, ethics and corporate governance essentially are ‘principles-based’, which means that you really have to think about the ‘spirit’ of the standard or rule – what is it expecting to achieve? – rather than just ‘ticking boxes’ as soon as you can show compliance with the ‘letter’ of the standard or rule.
Figure P.1 Demands for transparency and engagement (vertical axis: trust, from high to low; horizontal axis: need to demonstrate compliance and sincerity, from low to high; stages from high trust to low: ‘Trust me’, ‘Tell me’, ‘Show me’, ‘Ask me’; regions plotted: Africa/Asia, Europe, S. America, N. America)
The accountancy profession, particularly those elements authorized to carry out statutory audits, was affected for many years by what is often referred to as ‘the expectation gap’. This ‘gap’ was the difference in the layman’s perception of the type and extent of work that went into an audit and the actual work which was required by law. A statutory audit results in the auditor giving either an unqualified audit opinion so that the reader can impute that the entity’s financial statements reflect a ‘true and fair view’, or on the contrary an audit opinion that qualifies the extent to which the statements are not true or not fair. It was as recent as 1990 in the UK in Caparo Industries v. Dickman that external statutory auditors were reminded by the justice system that they needed to manage this expectation gap rather better than before, because they owed a duty of care to other parties who may suffer an economic loss by relying upon their statutory audit opinion. The resultant debate about the extent of external auditors’ legal liability has been going on ever since, with a variety of ideas being put forward for mitigation in many jurisdictions across the world. A significant recent development has occurred in the United States of America with the creation of the Public Company Accounting Oversight Board (PCAOB) as the guardian angel of investors in US securities markets and charged with the responsibility to ensure that public company financial statements are audited according to the highest standards of quality, independence, and ethics. The PCAOB was established by legislation known as the Sarbanes Oxley Act that came into effect on 30 July 2002 as a response to the massive lack of trust and loss of confidence in the US capital markets caused by a litany of major corporate failures – immortalized by Enron, Tyco, WorldCom-MCI, HealthSouth, Global Crossing and Adelphia. 
Many non-US regulatory bodies were already in place with their objectives to protect investors, improve audit quality, and ensure effective and efficient regulation of audit firms. However, business control failings in entities of all types and sizes have occurred throughout the world – in West and East Europe, Japan, Australia, Asia, Africa, South America and Russia. Some examples are shown in Figure P.2. They will continue to happen because of the failure of some senior managers to either believe in the benefits of, or put sufficient priority on, implementing an effective business control framework or personally defer to them in their own behaviours and actions.

Figure P.2 Major non-US business control failings: Ahold (The Netherlands); Aural Mining (Romania); Barings Bank (UK/Singapore); British Credit and Commerce International (UK/India); Buncefield Oil Terminal (UK); Cable & Wireless (Hong Kong); Longford Gas Plant (Australia); Parmalat (Italy); Resona Bank (Japan); Shell-Brent Spar; Oil and Gas Reserves (UK)

Corporate failure of varying kinds affects varying groups of stakeholders. Some of the most visible are major technical failures when people are killed and communities knocked sideways – accidents in the North Sea (Piper Alpha), at the Longford gas plant in Australia, at BP Texas City in USA and on the railways and at Buncefield in the UK. This book sets out how HSEQ and other internal auditors, if they are given the chance, can help management to avoid failures like these. And along the way, we will have the opportunity to reflect on why so much activity called ‘internal auditing’ is being done today with so little benefit accruing either to the managers of the entities audited, or to those people who expect every entity to be run by super-heroes and paragons of virtue.

The authors have written and structured the book so as to be of interest to three broad sets of readers:
1. Those in senior management who are thinking about setting up an internal audit function in their business or possibly questioning the value of their existing internal audit function;
2. Those who want to be persuaded to become an internal auditor or perhaps are disillusioned with the style and outputs of the auditing they are being asked to do; and
3. Seasoned HSEQ and other internal auditors, who may already have risk-based or management system auditing experience.
Our hope is that the first two groups will read this book from cover to cover and the information will inspire them to create centres of excellence in their internal audit departments, get involved and deliver audit results that will help organizations and their clients. The third group will be able to dip into the book to contrast with and add to their practice. For them, we hope, it will become a well-thumbed source, with useful and challenging ideas to try out.
About the Authors
Stephen Asbury

Stephen Asbury is Managing Director of Corporate Risk Systems Limited, a leading international auditing and training organisation. He has worked in a variety of senior risk management roles in 34 countries in a career which spans over 20 years in the following sectors – construction, polymer, and mechanical engineering, insurance and technical consultancy. Stephen is a Director and a Chartered Fellow of the Institution of Occupational Safety & Health, Europe’s largest membership organisation for safety and health practitioners, and is registered by the Society for the Environment as a Chartered Environmentalist. In his spare time, he enjoys theatre, scuba diving and F1 motor sport.
Clay House, 5 Horninglow Street, Burton upon Trent, Staffordshire DE14 1NG, United Kingdom
www.crsrisk.com

Peter Ashwell

Peter Ashwell is Managing Director of Kingdom Management Limited (KML), a leading international auditing and training organisation. He qualified as a Chartered Accountant in 1974 and worked in a variety of finance roles in the UK and overseas during a 15-year career with the Royal Dutch/Shell Group of Companies. In 1990, he founded KML and has been instrumental in building it into a quality-driven risk management and internal audit training business servicing multinational clients throughout the world. Peter is a Fellow of the Institute of Chartered Accountants of England and Wales, a Chartered Fellow of the Chartered Institute of Personnel and Development, and a Fellow of the Institute of Leadership and Management. He spends his leisure time with his wife and family, and enjoys sailing.
Eccles End, Main Road, Edenbridge, Kent TN8 6HZ, United Kingdom
www.kmtcentre.co.uk
Acknowledgements
Stephen Asbury

I would like to take this opportunity to thank a group of individuals who have been so generous with their love, support and encouragement over the years – Kimberley Asbury, Kasia Koszykowska, Michael Farmer, Arthur Rothwell, John Element, John Fawkes, Jeff Coleman, Johann Meeke, Bill Luttman, Andrew Ure, Neil McClure, Hazel Harvey, Steve Kay, Kev Tizzard, Stephen Lawton, John Leivers, Alan Shaw and Peter Kilby. You have all changed me in big ways and in small ways. I value your challenge, knowledge and friendship immensely. Peter Ashwell has been a friend and an inspiration for eight years. He has been a pleasure to work with (and more recently) to write with. A number of other people have helped considerably with contributions to the case studies and tips you will read within the book. My thanks are due in particular to Ian Waldram, Carey Evans, Andrew Burns-Warren, Richard Ball and John Watson. Thank you to all of my colleagues at CRS, and to each of the KML faculty. Working with you is always more fun than I expected. Thank you too to each of our training course delegates from around the UK and the world for showing up, listening to our messages and making ‘work’ such a pleasure. Thank you also to the management and staff at Elsevier, especially Doris Funke and Jonathan Simpson for believing that ‘there was a book in me’, and then encouraging me to write it. The sunsets of Key West provided inspiration for writing the final text. Finally, thank you to my late parents Alan and Betty. My family tells me that they would be proud of me.
Peter Ashwell

In writing this book, Peter wishes to acknowledge the encouragement of his coauthor Steve Asbury whose idea it was to ‘tell the world what we know is a great way to get fantastic audit results’. But Peter also recognizes the contributions to his own thinking about what needs to be done, and how best to train people to do it, from Richard Heron, Campbell Tervit and Keith Wade especially, and from all of the other trainers and consultants who have worked with and are still working with him in Kingdom Management Limited. In addition, there have been many client focal points whose arguments have been listened to and of course the near continuous challenges by and discussions with the thousands of students with whom we have had the privilege to work over the last sixteen years. Therefore, the ideas expressed in this book are really the product of all these peoples’ thinking and shaping, which must never cease if we are to win the battle against ineffective auditing. To this end, I look forward to building on our ideas and sharing new ideas and experiences in future revisions to this book and supporting users through the book’s website.

Photograph © 2000 Joe Schwartz, www.joyrides.com
Introduction
Too many internal audit results create a sigh of relief or a scream of frustration from the auditee who has been told he or she has ‘passed’ or ‘failed’. Many readers may believe that is an outdated perception, but regrettably it is not. The problem is growing; every year management react to the need to be able to demonstrate compliance with ever-increasing external requirements, such as changes to legislation or the small print of a new swathe of regulatory bodies, by doing more compliance auditing. But hang on a minute. Why do we need to do all this compliance auditing? Simply because most managers and supervisors are overburdened just keeping the boat afloat and heading in the right direction. Therefore auditors are used as a safety net, in the sure knowledge that something will be overlooked and wrong steps taken. So, literally, millions of hours of internal auditing are being carried out just in case somebody or something does not do a job properly. They are seen as a necessary evil, because the forms need to be filled in to show the work has been checked, but this condescension has a knock-on effect in that effectiveness is seen more in terms of efficiency rather than asking difficult questions.

Our belief is that the reality should be that internal audit engages very bright people in reviewing key parts of an organization from a variety of aspects. Therefore internal audit is perfectly placed to challenge the way an organization is being managed. But whatever the type of audit, commercial or technical, the results need to demand the respect and attention of senior management. This book works through the individual steps that will enable internal auditors to deliver this exceptional quality of audit that will make a difference to management. The steps are encapsulated within a teaching model called The Audit Process Roller Coaster©. This simple model was created one evening in 1994 whilst reflecting upon a documentary on television about roller coasters. It was recognised that the physical and emotional journey that a rider went through after climbing aboard a roller coaster, such as the one pictured, matched very closely the reality and emotional journey of an auditor following and applying the internal audit approach and methodology which was then currently being taught by us. Since then the essential parameters of the model (see Figure I.1) have remained unchanged – the height above the ground being equated to working with summary or overview type of information and the closeness to the ground equated to working with transactional and detailed information. The left-to-right motion is the progress of the audit: the steepness of the initial drop creates a feeling of time flying by uncontrollably and the acceleration reminds the auditor that there is no going back; the hollow at the bottom causes a feeling of nausea as one’s stomach bottoms-out; and then, after the briefest respite at the bottom, relaxation as the momentum starts to carry the audit team up the slope as the momentum diminishes and as the speed reduces just before you deliver the audit report.

Figure I.1 The Audit Process Roller Coaster© (vertical axis: level of detail involved, from summary at the top to very detailed at the bottom; horizontal axis: audit progress, ending at the audit report)

You will find seventy A-Factors throughout the book which refer to either Asbury, Ashwell or Auditing factors which the authors use to summarize particular points. You will also find many case studies through which the authors use real life to illustrate points made in the text. Finally, the authors have given the reader a generous serving of their own tips regarding what they see as the necessary awareness, knowledge and skills needed to become good auditors. We look forward, in the following pages, to taking you on your first Audit Process Roller Coaster© ride.
1 Business Environment
Introduction

While one organization is restructuring its post room, another has invented a low-cost, low-emission alternative to hydrocarbon fuel. While one organization indicates a pending increase in local taxes, another patents a retroviral drug for an ‘incurable condition’, and yet another quells a public order situation in a major capital city. And while children starve in Africa, we launch probes to the planets in search of our homes and resources of the future. However we see it, organizations of just about every type – no matter what their global significance, or how they differ in detail – are concerned with transforming inputs to outputs. They do this against a backdrop which readily affects – and in turn is affected by – the conduct of their activities. This backdrop is the ‘business environment’, one that is increasingly complex, dynamic and volatile. As an (anonymous) delegate on one of our recent auditor training courses said: ‘change is the only constant these days’. If we are able to understand this business environment and the possible or likely effects it might have upon organizations, it will not only assist us in understanding the practice of ‘business’ in its entirety but will help auditors in their functioning as well. As you will see, auditing is about providing a confirmation (or an assurance) that an organization has reasonably addressed foreseeable risks towards the achievement of its objectives within a suitable framework for internal control. Along with providing assurance for the present, it also involves assessing its suitability for the business environment in the future. Information about future prospects is much more valuable to managers than information about the present or past. This chapter takes us on a short journey through the key elements of understanding business environments, before moving on to summarize the role of managers in positioning their organizations for success, and finally answers the question ‘What is risk?’
Beyond PEST

As any management student or management textbook will affirm, there are numerous tools and techniques available for gathering and analysing the results of a review of external environments. A common tool is ‘PEST’ (and its derivatives) as noted below:
• PEST (Political, Economic, Social, Technical)
• PESTEL (same as in PEST + Environmental, Legal)
• PEST-CM (same as in PEST + Customers, Markets)
• STEEP (Social, Technical, Economic, Environmental, Political).
While all these recording tools can be helpful, in this chapter we will focus on some of the key features to be understood, and offer a simple format for recording both internal and external features. The simple tool for recording the significant internal and external environmental features applicable to an organization is a SWOT analysis – strengths, weaknesses, opportunities and threats. Strengths (S) and weaknesses (W) are internally focused, while the opportunities (O) and threats (T) are external to the organization. A basic format for this is shown in Figure 1.1.

Figure 1.1 Basic SWOT tool
Internal: Strengths | Weaknesses
External: Opportunities | Threats
The business environment

As stated earlier, in this chapter we will look at external and internal environments relevant to all organizations, and later examine four distinct areas of essential knowledge in the environmental context:
• political
• economic
• legal
• resources.
The four major areas mentioned are summarized here and readers are referred to the bibliography for further details.
The external environment – an overview

Look around. Business activity surrounds us. It is everywhere, starting each morning with the delivery of the morning newspapers, and with generation and distribution of the electricity we use to heat water for breakfast tea. ‘Business’ per se is however quite difficult to exactly categorize – it probably concerns all activities of trade (buying and selling), profit (making one, or existing not-for-profit), provision of service (whether governmental, charitable, religious or other) and many others.

Definition of ‘Business’ – Occupation; concern; trade. Pertaining to traffic; trade. – Castle English Dictionary.
Business has only two basic functions – marketing and innovation. – Peter Drucker.

Here, we take the broadest possible view of the term, and encourage readers to think of ‘business activity’ as it concerns their own undertakings, or organizations known to them. Organizations have inputs (from our given example, newspapers, coal or gas, public donations), some process or activity adding value (manufacturing, delivery, conversion), and finally an output (the goods or service, and its waste). The common feature of all organizations is the transformation of inputs to outputs. This is summarized in Figure 1.2. Simply put, organizations of all types require land, labour and capital resources – classically known as the ‘factors of production’ by economists. Specifically, organizations require talented people with great ideas, a source of financial support for the enterprise, suitable buildings/accommodation for the process or activity, a supply of materials, committed workers, satisfied customers, and so on. In accordance with the anticipated needs of their target consumers, these are combined to deliver the planned output (goods, services, information, etc.). In successful organizations, this is a cyclical activity as shown in Figure 1.2.
The generation of an output which is consumed by the customers generates revenue or appetite for the acquisition of new inputs, and a reward, whether financial or other, for the financiers.
3
Business Environment
[Figure 1.2 The basic system for transformation of inputs to outputs: Inputs (Land, Employees, Materials, Energy, Skill) → Organisations → Outputs (Goods, Services, Information) → Consumption → Inputs]
Let us relate this to a couple of simple scenarios:

1. A corner shop
An entrepreneur, backed by a bank or parents, purchases premises and stock. The entrepreneur hires staff, and advertises the opening of the shop and its unique selling points (e.g. that it is convenient, local, etc.). Customers visit and make purchases. With the revenue, the entrepreneur purchases new stock to replace that sold, and makes the agreed loan payments to the bank, or reimburses the parents. If the entrepreneur has planned wisely, there may be a small profit as a reward, which will be re-invested elsewhere in the economy (e.g. purchases, savings, etc.).

2. A charity
A registered charity seeks to raise disaster-relief funds. It hires premises, engages staff for a call-receiving centre, and advertises a need for donations. Donations are made, and these are divided to pay for the premises, staff wages and advertising; the excess will be donated to relieve suffering in the disaster zone. If the charity has planned wisely, this remainder will be sufficiently large to allow further advertising, based on the success of the initial phase. Again, staff salaries will be inputs elsewhere in the economy.

A-Factor 1: Organizations are concerned with transforming inputs to outputs. Inputs create outputs, and outputs create inputs.
Business organizations in their environment

These simple models mentioned are, of course, much more complicated in the operational reality of business and commerce in action. Organizations are inseparably intertwined with their outside world – the external environment. This business environment, where all organizations conduct their enterprises, comprises a wide range of influences. These include:
1. the prevailing political climate; the macroeconomic situation; the legal framework; technological, educational, entertainment and sport; religion and organized crime (sociocultural); and
2. the availability of resources (scarcity), willingness of potential customers to trade, and the activities of any competitors.

The factors in the former group tend to have a slowly developing and general influence upon the enterprise, whereas the ones in the latter group represent the day-to-day/operational influences.
General influences

These factors are discussed later in this chapter, but a short overview is provided here by highlighting some of the key external influences on businesses:

Politics
Different types of governments have different political aspirations, and manipulate economies to these ends. This manipulation will tend to influence the business environment. For example, in the early years of the twenty-first century, in Europe, there seems to be a significant political aspiration to combine national trading into an international trading block called the European Union. Governments are generally large organizations, and employers of large numbers of people.

Macroeconomics
Governments create (and sometimes destroy) macroeconomic climates conducive to investment. Policies to create high or low levels of public sector borrowing, higher or lower levels of employment, higher or lower levels of inflation are examples of how governments intervene. Fiscal policies release (or withdraw) public sector spending, and other policies promote (or discourage) the creation of jobs.

Legal
In all countries there is a framework of laws and regulations – well-developed or not – that defines the relationships between the state, organizations and individual citizens. In some territories, for example in the United States of America (USA/US), there is an interrelationship between local (state) laws and national (federal) laws. Similarly in Europe, an implementation of many legal requirements is from federal level (EU directives) to country level (domestic legislation). Like the macroeconomic climate, this can be viewed as connected to the political perspective.

Sociocultural
Demand and thus supply is driven by social and cultural factors. The demand for electronic goods increases where homes have electricity. The supply of locally produced textiles reduces when markets move overseas to take advantage of lower labour rates.
Technology
It seems the speed of technological advance in the twenty-first century is near-exponential, as anyone who has purchased a new television or computer recently may have noted. The willingness of organizations to invest in new technologies depends upon their attitudes to the external market, but is generally seen as a key to the success of an enterprise (or a country) over its peers.
Day-to-day/operational influences

Resources
Organizations rely upon their suppliers for resources. Likewise, the success of a supplier organization is sometimes dependent upon its customer; the operation of the two organizations has become intertwined. Organizations must tend to contracts, pricing agreements, delivery lead times and contingencies as a part of the continuity from input to output. Charles Handy, in The Empty Raincoat (1994), introduces the concept of the ‘Chinese contract’. This concerns a finely balanced agreement between two parties, where neither is advantaged or disadvantaged to the cost of the other.

Customers
Of course, customers are vital to all organizations and employees – customers make paydays possible! An ability to meet/exceed current requirements (and to anticipate future requirements) for price, quality and delivery on time are the hallmarks of successful organizations. ‘The customer is king’ is proclaimed aloud by many organizations, whilst ‘customers get in the way of the real work’ may be whispered in the offices. Markets for products, services and information are becoming increasingly market-led, and organizing a business to satisfy the emerging needs of customers remains a vital requirement. We particularly like the metaphor that is expressed in Who Moved My Cheese by Johnson (1999). It concerns a nimbleness and adaptation to a customer-base that we have tried to apply to our own organizations. An enlightening read!

Competitors
‘Winning’ and ‘losing’ in commercial environments often concerns one party’s performance relative to another’s. This ‘other’ is one or more competitors who may desire to provide customers with lower-cost, higher-quality, or differentiated goods and services. Competition from overseas, where overheads may be lower, may be seen as particularly ‘unfair’. Innovation by competitors can render competing products and services obsolete. How an organization responds to its competitors (e.g. deciding upon the time for aggressive product development or defensive pricing) may be a significant indicator of its future success in its field of operation.

A-Factor 2: Organizations are inseparably intertwined with their external environment. Their managers should take account of this to achieve their organizations’ objectives.
The internal environment

Organizations decide how to operate in order to meet their objectives. A common theme running through any analysis of internal environments is ‘management’ and the style of its conduct. Management concerns both the roles fulfilled by the individuals who manage an enterprise, and the process – the management system – by which the enterprise sets out to meet its objectives. At this stage, we should stress the interaction between internal and external environments. If an enterprise is to remain successful, the senior managers need to pay attention to balancing all of the competing environmental influences, adapting so as to cope with the new circumstances facing the organization, and then being ready to institute further changes as and when required.
Case study
A large, UK-based entertainment organization has approximately 250 clubs providing evening entertainment and dancing. A cursory review of its business environment highlights the following features to be managed if business objectives are to be met. Externally, an extension to licensing hours, a pending ban on smoking in pubs and clubs, a focus on noise exposure levels, increased use of illegal substances, media focus on late-night town-centre disorder, and a rise in underage drinking. Internally, the retention of key staff as they progress with age, marriage and family from ‘happy to work at night’ to finding working at night less acceptable. Some parts of the business are for sale, and maintaining staff morale could be challenging.
Organization and management

There are three main categories of organizational theory:
• classic
• HR approach
• systems-based.
Classic
Writers such as F.W. Taylor (1856–1915) viewed organizations as formal structures established to achieve objectives under the direction of top management. Taylor believed that management was responsible for ‘scientific management’ – methods attached to the design of work, such as work study, that could be applied to heighten production.
HR approach
An alternative approach to the classic, formal organization is the HR approach, which emphasizes the importance of people in workplaces. The famous Hawthorne Experiments (1924–1932), conducted in the USA, showed that individuals at work were part of informal as well as formal structures, and that group influences were fundamental to understanding individual behaviours. Thus influencing human behaviour becomes critical to enhancing the effectiveness of organizations.
Systems-based
The approach, described earlier, of converting inputs to outputs and outputs to inputs (along with all the associated subsystems) produces a systems-based organizational theory. Modern views of organizations focus on such ‘systems-based’ approaches, where management is a highly critical subsystem directing the enterprise towards its objectives. Some of these ‘management systems’ are externally certified, such as ‘Investors in People’ in the UK, or ISO 14001:2004 internationally. Whichever the organizational theory preferred, an organizational structure to deliver it in practice is desirable.
Organization structures

In all organizations – even sole traders, where the spouse may assist with the financial books – there is a division of effort in pursuit of the objectives. This resultant pattern of relationships is commonly known as the organization structure. This structure provides the means by which the work is planned, communicated, carried out and supervised. A main feature of all organization structures is that they embed a hierarchy within them, as Figure 1.3 shows. Within organizational structures, there are five main approaches:
• by product/service
• by geographical location
• functional
• matrix organization/project team
• virtual.
[Figure 1.3 Classic hierarchical organisation chart: Director → Manager → Supervisor → Worker]
By product/service
For example, a High Street store may have the following departments, each with specialist staff, to focus on the needs of customers – the structure follows the sales process.
• menswear
• ladies wear
• home and garden
• grocery.
By geographical location
For example, a double-glazing company may structure regionally (North, South, East, West of territory/country) to provide a local address to customers, and employ locally based management and staff.
Functional
For example, a manufacturing organization may structure functionally – the structure follows the activity of the enterprise.
• procurement/goods in
• production
• warehouse
• sales and marketing
• personnel/HR.
Matrix organization/project team
For instance, a Grand Prix motor race takes place each year at a national venue, e.g. the Circuit de Catalunya on the northern outskirts of Barcelona, Spain. A project team is brought together to combine in a matrix the skills of the full-time race management team with local suppliers of accommodation, ticketing, catering, parking, waste disposal and so on. It is disbanded after the event, until perhaps brought together again for next year’s event.
Virtual
For example, an online auction relies upon a loosely connected web of member buyers, sellers and advertisers to achieve its business objectives – a formal organization chart is virtually invisible.

In reality, some of the characteristics of each of these organizational structures may be present in a single organization to meet its current needs.

A-Factor 3: The structure of an organization is a means to an end, not an end in itself.
The external environment in detail

The political environment

Business activity takes place locally, within countries, across borders and internationally. It is inevitable that governments will be involved in some way. Markets are globalizing for many products and services because governments around the world are taking action to remove barriers to trade. Understanding the basics of political systems, institutions and processes provides greater opportunities for organizations to align themselves, and thus provide greater opportunities for achieving business objectives.
Politics

A good question for audit practitioners reading this book is ‘What is politics?’ An attempt is made to answer that question from that perspective. The style and nature of any country’s political system will tend to be underpinned by its historical and social values, national identity and political philosophies. Revolutions come and go, but political evolution is the norm – incremental, rather than radical – particularly in democratic countries. This tends to bring some degree of stability to the business environment, particularly in developed countries. The two extremes of political systems are:
• totalitarian
• democratic.

Totalitarian
Arising from the power of monarchy, from military conquest (sometimes called a ‘junta’), or a free election, a totalitarian government will tend to act in order to restrict or prohibit political participation by others. The style of government tends to be a rigid enforcement of rules and oppression of opposition.

Democratic
Exemplified by free and fair regular elections, and freedoms of speech and media, democratic systems provide more balanced governments where matters are discussed, and solutions accepted by all participants, even if they disagreed in the first place. A model for democratic government is shown in Figure 1.4.

[Figure 1.4 Model for democratic government: The People (Voters) choose members of The Government; The Government makes decisions on behalf of The People]

To be recognized as a democratic government, more is needed than a transparent election process. It should provide that the wishes of the electorate, in terms of the majority according to the votes cast, are reflected in the final result. This point can provide for interesting debate between political purists where, for example, a ‘first-past-the-post’ system is in place. In the UK, for instance, a simple majority of votes over other candidates is needed to be considered ‘elected’ in a regional constituency. At national level, a simple majority of candidates elected over other political groups (or parties) is needed if its leader is to be asked by the Queen to form a government in a representative assembly. As a result, it is often the case that the winner has less than 50 per cent of the total votes cast. Alternatives to this approach include ‘proportional representation’, where the electorate can indicate its second and sometimes further wishes for votes to be recast if there is no outright winner. Overall, a first-past-the-post system tends to produce majority government, and proportional representation tends to produce coalition government. Majority governments tend to implement their manifesto (the pre-election sales pitch to the electorate) and coalition governments tend to develop laws through negotiation and compromise with their government partners.
Functions of government

The process of governing a country involves three main roles – making decisions, implementing those decisions, and enforcing compliance through a system of courts:
• law maker
• law implementer
• law enforcer.

Law maker
Governing involves taking major decisions that may affect the lives and environments of individuals and organizations. Elected governments in a democratic system hold the power to make the law, and there is usually a series of checks and balances including a bicameral legislature (i.e. an Upper House and a Lower House) and other established processes to ensure that this is fair.

Law implementer
The government holds responsibility for putting laws into effect. The day-to-day administration is carried out by non-elected officials called civil servants, whose major role is implementing public policy. While politicians may come and go, civil servants are permanent career positions. They are expected to act in a non-partisan way, and this allows for continuity of governance, for example, when one government loses power to the next.

Law enforcer
The third arm of a government is a judiciary and system of courts. It is a hallmark of democratic systems that there be separation between the law enforcement role of ‘the judiciary’ and the other two main functions. An independent judicial system, free and able to challenge the government and review its decisions, provides a further check and balance to a democratic government – and it protects citizens from a state that has become too powerful.

Auditors need an appreciation of how political factors can impact upon auditees – for example, how laws are initiated, developed, implemented and enforced. A review of legal compliance will be necessary in a number of auditing assignments.
Trans-frontier government

As noted earlier, political influences are not restricted to national boundaries. International groupings such as the Group of Eight (G8) (formerly the Group of Six (G6) and the Group of Seven (G7)), the World Trade Organisation (WTO) and the European Union (EU) add far-reaching dynamics to an external environment with an increasingly profound influence.

G8
The USA, Japan, Germany, France, Italy, Canada, Russia and the United Kingdom (UK) (together representing 66.5 per cent of the world’s economy) meet regularly to discuss matters of mutual interest. Known as ‘economic summits’, these attract significant interest from protestors and media alike.

WTO
The World Trade Organisation was formed in 1995 to supersede the General Agreement on Tariffs and Trade (GATT), which had been formed in 1947 to assist with re-establishing trade at the end of the Second World War. With a large membership – and many other countries indicating that they wish to join – the WTO is credited with opening up global trading within a framework of agreed rules.

EU
The EU is (in 2006) a group of twenty-five European nations. It was founded in 1958 by the Treaty of Rome with six original members (West Germany, France, Italy, Holland, Belgium and Luxembourg). Progressive enlargement in 1972 (UK, Denmark, Eire), 1981 (Greece), 1986 (Spain and Portugal) and 1995 (Austria, Finland, Sweden) was further magnified on 1 May 2004 when ten new members were admitted (Cyprus, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Malta, Poland, Slovakia and Slovenia). Bulgaria and Romania may become members of the European Union in January 2007. In December 2004, the European Council decided that in the light of a European Parliament resolution, Turkey had sufficiently fulfilled the Copenhagen criteria to open accession negotiations. The aim of the founding Treaty of Rome was to create a common market to promote trade, and bring national economies closer together.
This convergence led towards the creation of a single market, when the members signed the Single European Act, effective 31 December 1992, comprising the following features:
• reduction in legal and other obstacles to cross-border travel and trade
• harmonization of technical/safety standards
• convergence of excise duties
• mutual recognition of qualifications.
Other treaty provisions provide for:
• monetary union, which was achieved in eleven member countries on 1 January 1999
• a social chapter to protect workers (including their health and safety)
• common foreign and security policies.

Time will tell when and whether further countries will adopt/be permitted to adopt the Euro as their common currency. To put in place such a significant series of changes, literally hundreds of new laws and regulations have been required in the member states. For completeness, a very brief summary of the architecture of the EU, in terms of its principal bodies, follows:
• The European Parliament
• The Council of Ministers
• The European Council
• The European Commission
• The European Court of Justice.

The European Parliament
A directly elected body of 732 members, with representation from each member state based on the size of its population. Much of the work is undertaken by specialist committees, which make recommendations to full meetings held in Strasbourg.

The Council of Ministers
The ultimate decision-making body of the EU comprises one minister from each member state. The presidency of the Council rotates between members on a six-monthly basis. It is responsible for major policy decisions, which are published as regulations, directives, recommendations or opinions.

The European Council
Comprising the Foreign Minister from each member state, its role is to discuss and propose policy to the Council of Ministers.

The European Commission
The European Commission is the ‘civil service’ of the EU and guardian of the treaties. It has offices in Brussels and Luxembourg, and comprises Commissioners from member states and a staff of c. 20 000 drawn from all member states.

The European Court of Justice
Judges sit in Luxembourg to pass judgement on the interpretation of EU laws. The Court can set aside measures which have been adopted by the Commission, the Council or governments of member states which are incompatible with the treaties. Decisions are binding upon the member states.
Auditors need an understanding of the political environment in which their audit work is to take place so that they can contextualize the possible risk areas upon which they will later base their audit opinion. We found Budd and Jones (1994) particularly insightful on the finer details of the EU, and further information is in the Reference section.
The economic environment

During November 1985, the US dollar and the GB pound sterling were trading roughly at parity (1:1) in London. At the time of writing, the exchange rate between these two great currencies is pretty close to 2:1. In a world where trade is often international, depending on where you operate, this would have had the effect of doubling or halving the price of raw materials and/or sales invoices. And of course, there are innumerable territories where this inflation/deflation ratio is much more significant. As markets globalize, the successes of organizations in different trading economies become increasingly interconnected. The economics of business are important external factors to be considered if an organization is to achieve its objectives.
Scarcity

Scarcity is based upon the relationship between consumers’ ‘wants’ and the resources available (referred to earlier as input–output–input) to satisfy these wants. Consumers’ ‘wants’ are said to be insatiable, whilst resources are inevitably finite. Thus choices have to be made concerning priorities. For example, does a society want better healthcare, or better education? In practice, scarcity is managed by a number of factors, including:
• price – e.g. diamonds are more expensive than rocks
• rationing – e.g. tickets to ‘the Cup final’ are sold out
• queueing – e.g. there is a waiting list to see the eye surgeon.

Price is deliberately at the top of this list, and often sorts out the other two; supply and demand are set in the marketplace. Much can be learned by an organization by considering the scarcity and demand for its output.
Case study
A publisher of an annual sports almanac undertook a strategic review with the aim of increasing profitability. The review revealed that it was the only publication of its type, and that this scarcity provided a near-certain inelasticity in demand from its customers. It increased the sales price, and thus its profitability.
Economic systems

An important distinction in economic theory is between economies that are centrally planned, and those that operate under market conditions.

Centrally planned economies
This type of economy is generally associated with socialist economies, such as China, Eastern Europe and Cuba. The main production decisions are taken by a central authority. Characteristics of this type of economy are:
• state control of resources
• state control of priority for use of resources
• targets for production to balance supply and demand are set by the State
• prices too are set by the State.

Free-market economy
More common in the early parts of the twenty-first century are free-market economies, where prices determine the allocation of resources. Characteristics of this type of economy are:
• privately owned resources, hence owners can choose how and when to consume them
• privately owned organizations operate free from state intervention
• customer is king – consumers choose how to spend their money.

A-Factor 4: Recognize that, ultimately, market forces tell organizations – if they are listening carefully – what to produce (quality), when to produce it (delivery on time) and the price to charge (price). Set out, these objectives should be represented in the business plan.
Macro-economy

Macro-economic theory concerns an economy as a whole, dealing with such matters as overall levels of employment, the rate of inflation (use of a retail price index measures how spending is affected by price changes), and the annual rate of growth of output from an economy. A simple economy comprises cyclical flows of money (and other financial instruments) between organizations and consumers, as:
• organizations provide income to households (salaries)
• households spend salaries on products by organizations and their services.
This cyclical flow shows that the fortunes of organizations are connected to the spending decisions of consumers; customers need to spend if organizations are to prosper. Thus levels of income, output, expenditure and employment in any economy are interrelated. Recession occurs when these macro-economic indicators move negatively, and growth occurs when they move positively. Government uses tools such as interest rates to encourage or suppress consumer activity to promote growth aligned to its own objectives for the economy. Similarly, increasing company taxation to raise public expenditure injects additional income into this circular flow of money. External economic factors also influence the spending decisions of consumers, such as the 2005–2006 increases in the price of petrol at service stations, caused by increases in the world price for crude oil following, amongst other reasons, political instability in Iran and Russia, and supply chain interruptions caused by Hurricanes Katrina and Rita in the Mexican Gulf regions of the USA. Of course, the economy is much more complicated than this short section can possibly reflect. Everything affects everything else, and nothing can replace local analysis at the time any information is needed. Understanding how the macro-economy works helps organizations to set and achieve their business objectives.
The role of financial institutions

In a developed market economy, there will be a number of financial institutions, whose role it is to channel funds from those willing and able to lend to those wishing to borrow. These intermediaries include private banks, state banks and world banks. Private banks generally lend to private customers on negotiated terms (usually based on the level of risk estimated in the transaction), gaining financial return from interest and other payments. A state bank is a critical element in a country’s financial system (e.g. in Germany, Deutsche Bundesbank). Like most state banks, it exercises control over the domestic banking sector, and sets monetary policy to the needs of the economy. World banks include:
• The International Monetary Fund (IMF)
• The Organisation for Economic Co-operation and Development (OECD)
• The World Bank.

IMF
Established in 1946, its role is to provide a pool of international funds to promote growth in world trade. It also involves itself with assisting developing economies with debt problems.
OECD A forum established in 1961 in which powerful countries meet to discuss world economies. Its decisions are not binding, but its research is used by G8, IMF and other bodies.
The World Bank An agency of United Nations, established in 1945, to provide loans and technical assistance to developing countries.
The legal environment

Laws impact on many areas of activity conducted by all organizations. The areas that may be affected include, for example, minimum employment conditions (including health and safety), sales contracts for supply of goods and services, taxation, and environmental discharges to air, land and water. Penalty frameworks, known in the UK as sentencing guidelines, exist for those that are judged to have broken the law. These include fines and imprisonment for offenders. This section provides an overview of the legal framework, written by non-legal practitioners for non-legal practitioners.
Classification and sources of law

Laws have evolved over many years; in the UK, these are said to date as far back as the conquest of the land by William (the Conqueror) in the year 1066. The essence of laws from a general perspective is that in return for the protection provided to an individual or an organization by a law, the same individual is constrained by the same law that protects them. Laws exist to regulate behaviours of individuals and organizations, and collectively set out the minimum standards of conduct desired at any time by society at large in the territory. Laws are derived from historic custom and practice (known in the UK as ‘common law’), and written laws have passed through the political law-making process and the cumulative judicial decisions of the courts, where lower courts are obliged to follow the decisions, ‘the ratio decidendi’, of the higher courts. As governments come and go, laws are enacted, repealed and amended. Thus the law in many countries is dynamic, and an auditor will need an appreciation of the legal framework that applies to the auditee’s organization. Law can be defined in a number of ways; the main features within a typical legal framework are summarized here.
Criminal law
Criminal laws relate to that which has been prohibited by legislation or statute in the interests of society at large, and are punished by the state upon conviction in a criminal court by a judge or a jury on behalf of the people. Fines and/or imprisonment are possible punishments. In the UK, the starting point for all criminal prosecutions is a Magistrate’s Court. More serious cases are referred to a Crown Court for judgement by a jury and sentencing by the judge.

Civil law and tort
The civil law concerns matters of law between individuals. A ‘tort’ is a civil wrong. Common torts include negligence, defamation and trespass. An award of damages or an Order of the court (perhaps requiring something to happen or something to stop) are typical outcomes. In the UK, civil judgements may be made in a County Court, and those where the remedy may be higher in value will be judged in the High Court. Both the criminal and the civil law systems have superior courts, with a right of appeal in the UK to the Court of Appeal, and ultimately the House of Lords, which is the highest court for domestic purposes. Decisions of the European Court of Justice are supreme at European level.

Public law
Another useful distinction in law is between public and private law. Public law comprises those laws concerning the state, whether in national/international matters, or in the relationship between the state and an individual – for example tax laws.

Private law
Private law comprises those laws concerning the relationships between individuals, such as family, property, trust and contract laws.
International law The world is becoming a smaller place. There is an increasing tendency for nations to accede to international laws and treaties. The Montreal Protocol, for example, is the agreed international framework that bans, except in particular circumstances, the manufacture of chlorofluorocarbons (CFCs), as they are generally thought to damage the protective ozone layer around Earth. As discussed earlier, the European Union has provided an impetus in Europe for a harmonization of legal standards in many areas. Regulations made by the Council of Ministers are binding in all member states. Directives must be implemented into the domestic legal frameworks of each member state.
19
Business Environment
Case study An example of how European law can impact upon national matters was the interesting case of Jean-Marc Bosman, a Belgian footballer. Out of contract with Belgian club RFC Liege, Bosman sought to play the game in France with Dunkerque. When Liege demanded a transfer fee and the French club declined to pay, Bosman referred the matter to the European Court of Justice. In the 1996 judgement, it was ruled that clubs could no longer request a transfer fee if a player out of contract wished to play elsewhere in Europe, as it violated the right established in the Treaty of Rome for European workers to work in any member country. Since then, players regularly move from one club to another in these circumstances, and are commonly said to have ‘gone on a Bosman’ (Blanpain and Inston, 1996).
Business organizations and the law As we have said, business is concerned with the conversion of input to outputs. The prevailing legal systems provide a controlling, constraining framework in which these activities should be conducted. Business can be helped by laws (e.g. assistance to collect payment of invoices) as well as being constrained by them (e.g. prohibition of disposal of waste into drainage systems). The following table provides some examples of interest to auditors of legal influences upon various business activities:
Business Activity      Possible Legal Influences
Start up               Company, tax laws
Operations             Employment, health & safety, product safety laws
Building extension     Planning, environmental, fire laws
Deliveries             Consumer, road safety, transport of dangerous goods laws
Being an auditor       As above, + defamation and contract laws
Tip – As an auditor (particularly if self-employed), it is a good idea to have a readily accessible source of legal advice. Some professional bodies offer such a service as a part of the membership fee. Alternatively, a relationship with a professional legal practice may be useful.
Areas where such legal advice may be valuable include:
• review of terms and conditions of business
• review of contracts (employment, work orders, etc.)
• review of wording of audit reports
• advice on legal matters.
The environment concerning resources Businesses exist to produce goods, services, information and other outputs from their inputs. The critical inputs are human beings to ‘do the work’ and ‘buy the goods’, a supply of resources (renewable or non-renewable) and the necessary technologies for the process. In an earlier part of this chapter, we called these (as economists do) the factors of production – land, labour and capital.
Land and natural resources Natural resources include land, land deposits, oceans and rivers, flora and fauna and the weather. An important distinction is between renewable resources and non-renewable resources. Either way, it is generally true that our resources are finite in supply (though small areas of land can be reclaimed from the sea at large cost). Land use is renewable. We can build on it, demolish the structure, and build on it again. We can plant crops each year (though to do so on formerly industrial land would probably not be a good idea, unless an extensive ‘clean up’ has been done). Fossil fuels are not renewable. When we extract oil, refine it and introduce it to an internal combustion engine, that oil is gone forever. How many years of hydrocarbon fuels remain is subject to debate, and probably uncertain at this time. In recent years, ‘the environment’ has become centre-stage, both politically and as a necessity. Predicted rates of increase in average temperatures have compelled attention, particularly to reduce CO2 emissions. At the same time, recycling and energy efficiency have become prominent in many developed areas of the world. Whether we have done enough remains to be seen.
Labour (people) Human beings are important, both as producers and consumers of goods and services. Figure 1.2 and the associated text will serve as a reminder. Many production processes are people-intensive, and accordingly, having a suitable supply of educated, motivated and affordable staff is important to most businesses. Throughout their working careers, many organizations will tend to want to develop the education and motivation of their staff, and reward successes in these areas with promotions and salary increments. Organizations seeking to develop their business in a territory will find the following factors helpful in identifying a workforce:
• the total population of a territory
• the age structure of the population
• the retirement age
• the working population
• the mobility of the working population
• the occupational structure of the working population
• the education level of the working population
• the length of the working week
• wage levels/minimum wage levels/trade union involvement.
Marketers conduct similar analyses for establishing customers and markets.
Tip – In the UK, annual statistics on some of these and many other demographic factors are published by the Office of National Statistics and available from The Stationery Office. Refer to this (or similar documents) when detailed information is required.
Case study A small organization’s business was buying and selling of concert souvenirs for ‘B’ list artistes and bands on tour. When it identified large foam ‘spongy hands’ printed with the artiste’s name as a potentially attractive product, it purchased 1000 at a cost of 20p (a fifth of £1 GBP), and sold out at £3 (GBP) each on the first night of a multi-night concert tour by a comeback act – a mark-up of 1500%. In the second year as his memorabilia agent, the organization trebled its order, and sold out on the second night of the tour. Expecting to ‘make it big’ in the third year, the purchase order was multiplied by ten, still at the year-one cost price. The organization was not able to sell even one of its orders. Why? The year was 1997, and the artiste’s name was Paul Gadd, known to his fans as Gary Glitter. Many external factors are way beyond the control of organizations.
Capital and technical factors Flows of capital to business are undiminished, and these are providing for unprecedented changes in the input → process → output cycle. There have been simply massive changes in technology in recent years, and (for some, perhaps worryingly) as Fareed Zakaria, Editor, Newsweek International observed in Newsweek magazine (2006): The 21st century will be the century of change. More things will change in more places in the next ten years than in the previous 100.
Technological change leads to new products and services (including profound changes to the life expectancy of human beings as previously incurable conditions are treated), new markets, increased automation and displacement of people from processes, faster exchange and storage of data and information, and greater possibilities for intrusion and loss of privacy. The internet is presently transforming the way in which people shop, communicate and access information. It is difficult to predict how the internet will change in the future, suffice to say it will. Research into (for example) new processes, materials, crops, pharmaceuticals, vehicles, and sources of energy turns up new developments all the time. Barriers to technical developments include lack of skill in the workforce, or redundant skill, where technology has moved at a pace where parts of a workforce have not been retrained quickly enough. Exhaustion of natural resources (as noted earlier), and particularly fossil fuels, could impede future technical developments. All of these three inputs to businesses – land, labour and capital – are interconnected. For example, the productivity of human beings and the efficiency of plant and equipment will be impacted by the technology available to them at any point in time. These inputs are essential to organizations, because without them, conversion can not take place. As an auditor, it is likely that you will be exposed to new technology, ranging from the R&D department in the auditee’s organization, the new lean-burn aircraft you flew to site in, through to the new audit-reporting software on your palmtop computer. As part of your CPD (continuing professional development) programme, keeping abreast of appropriate developments is a good idea.
Management’s interpretation of their own business environment Management’s role is to take account of the business environment considered by them to be reasonably relevant to their sphere of operation, and to reflect this output of their analysis in the decisions that they make, based on their most realistic interpretation of the opportunities and/or threats faced. The most usual place for this will be contained within their business plan, and the specific objectives contained within it. Management will often express their analysis and the subsequent developments expected of their businesses in a series of corporate documents. The first of these is often a statement of ‘vision’ of how the organization will be in the future. A ‘mission’ statement provides the purpose of the organization, and a series of business objectives for the plan year and beyond will be established. These will be used as a means to
cascading the essential activities (as seen by the top management) throughout their organization. Figure 1.5 shows how this ‘cascade’ looks.
Figure 1.5 Business Environment → Vision → Mission → Business Objectives
A-Factor 5: Top management should balance the influences of the competing external and internal environments to face its target market(s) with aligned and well-communicated business objectives. As auditors, you’ll learn in this book that your work concerns the likelihood and the severity of impacts on the achievement of these business objectives. You should be prepared also to challenge these set objectives in appropriate circumstances.
What is risk? Ask a manager from the twenty-first century ‘What is risk?’, and as likely as not, you’ll be told that it is an estimation of the likelihood and severity of some physical harm occurring. Health and safety managers have been busy in many organizations, and risk assessments are common in developed territories. In this understanding, some managers will use words such as frequency or probability, and some will use words such as impact or consequence. Either way, most will know that risk concerns a reasoned view of the future that can be calculated and planned. The greater the risk, the greater the need for control.
No director can ignore the risk to the reputation of his (sic) company and its brand that health and safety and environmental expectations present. – Sir Nigel Rudd, one of The Times Power 100, and holder of four FTSE directorships (in Eves and Gummer, 2005).
However, ‘risk’ can, and should, be defined as any type or source of harm – either perceived as positive or believed to be negative (also referred to in this book as ‘value creation’ and ‘value protection’) – with potential for impact upon the achievement of the organization’s stated (or formally unstated, but still obvious) objectives:
the combination of the severity of harm with the likelihood of its occurrence – From HSG65, Health and Safety Executive (1997).
combination of the likelihood and consequence(s) of a specified hazardous event occurring – OHSAS 18001:1999.
a combination of the hazard and the loss and, in any given set of circumstances, risk takes into account the relevant aspects of both. – Boyle (2002).
the chance of a particular situation or event, which will have an impact upon an individual’s, organisation’s or society’s objectives, occurring within a stated period of time. – Fuller and Vassie (2004).
Risk can be expressed and measured in two main ways:
• gross
• residual.
Gross risk Gross risk implies the risk exposure before the effect of the selected business control framework is accounted for. Some call this the ‘pure’ or ‘inherent’ risk.
Residual risk The residual risk is the remaining risk exposure after the mitigating and compensating factors of the business control framework are accounted for. Some controls tend
to reduce likelihood (e.g. preventative controls such as a well-trained workforce or fixed guards on machines) and some controls tend to reduce severity (i.e. detection, containment, mitigation and restoration controls). Other controls can reduce both likelihood and severity (elimination and substitution controls, such as low-toxicity chemicals). Some call this residual risk the ‘net risk’.
A true case study? Asbury and Ashwell were exploring at the North Pole, when they came upon a huge polar bear. The bear growled angrily, and it rubbed its stomach in a hungry manner, clearly relishing the hearty meal which had just walked in. As experienced visitors to polar climes, the intrepid explorers were both wearing the expected ‘tennis racket style’ snow-shoes as part of their risk control measures. Asbury began removing his snow-shoes so as to be able to make a dash to safety. Ashwell said, ‘But Steve, you’ll never outrun a polar bear in its own terrain.’ As a risk manager, what would have been Asbury’s response? His response – ‘I don’t have to; I have only to outrun you!’
A-Factor 6: Risk is anything which may hinder or assist achievement of business objectives. It is generally quantified in terms of its residual likelihood and severity. Value creation and value protection are the essence of an organization’s success.
A brief history of risk ‘Risk’ has a fascinating history, which is beautifully narrated by Peter Bernstein in his book Against the Gods (1996). You would not have to go back in time many years for modern clarity of approach and measurement to be lost. A well-educated individual a thousand years ago would not recognize the number ‘0’, and would probably not pass a basic mathematics test. Five hundred years later, few would do very much better. Without some form of measurement, some numbers, risk was a matter of gut feel. The ‘power of numbers’ arrived in the West in the early thirteenth century, when a book entitled Liber Abaci appeared in Italy, a wholly handwritten fifteen volumes written by Leonardo Pisano (but commonly known as Fibonacci). Fibonacci is best known for a series of numbers, which provided the answer to the problem of how many rabbits will be born during the course of one year from one pair, while assuming
that every month, each pair produces another pair, and that rabbits start breeding aged two months – the answer is 233; and the twelve month-end totals for the year would be 1, 2, 3, 5, 8, 13, 21, 34, 55, 89, 144, 233. Each successive number is the sum of the two preceding numbers, and if one number is divided by the next, the answer is approximately 1.6. This ratio features in nature (e.g. in shell spirals, leaves and flowers) and in architecture (e.g. the General Assembly Building of the United Nations in New York). Playing cards are similarly proportioned. The Fibonacci series also features in the book and film The Da Vinci Code, where a dying Jacques Saunière leaves a code for Robert Langdon to decipher. Fibonacci identified the ‘power of numbers’ in the West for the first time, but using them to assess risk still remained many years in the future. Bernstein (1996) comments on the development of risk over the last millennium:
What is it that distinguishes the thousand years of history from what we think of as modern times? The answer goes way beyond the progress of science, technology, capitalism and democracy. The revolutionary idea that defines the boundary between modern times and the past is the mastery of risk: the notion that the future is more than a whim of the gods and that men and women are not passive before nature. Until human beings discovered a way across that boundary, the future was a mirror of the past or the murky domain of oracles and soothsayers.
He gives an interesting account of this history, suggesting that:
The ability to define what may happen in the future and to choose amongst alternatives lies at the heart of contemporary societies.
Hazard and risk A modern definition of hazard is ‘the potential for harm’. The word hazard is said to derive from the Arabic word for dice – al zahr. We have seen a representative sample of definitions of risk on page 25, though there are many others. The word risk is said to derive from the early Italian risicare, which means ‘to dare’. To dare implies the freedom to choose, and possibly to fail. Dice is a game of luck, of pure chance, of pure hazard. Whilst lots of things have potential for harm (al zahr), managers can choose to dare, and decide how and when to respond to hazards. This choice influences the likelihood of the harm occurring and the severity of this harm, should it occur. This ‘daring’ to participate in the business environment includes choosing to stop doing something (or not starting in the first place) if the risk is too great. Other choices are to transfer the risk to someone else (to share or insure), or to take actions
to mitigate the risk (treatment). After the choices have been taken, the residual risk is taken knowingly.
Case study The scientist who developed the Saturn V rocket responsible for mankind’s forays to the Moon put risk this way: You want a valve that doesn’t leak and you try everything possible to develop one. But the real world provides you with a leaky valve. You have to determine how much leaking you can tolerate. – From obituary of Arthur Randolph in the New York Times, in Bernstein (1996).
Once in a coffee shop As noted, there are several ways of dealing with ‘risk’. One of these is to insure against loss. Insurance works when the losses of the few are reimbursed by the premiums of the many. Following the great fire of London in 1666, there was an increasing demand for insurance. Business people would meet in coffee shops, and one of those rose to prominence. Edward Lloyd opened a coffee shop on Tower Street, London which was firmly established by 1688. It was a popular place for London’s sailors; so popular that it moved to larger premises in Lombard Street in 1691. Responding to the needs for shipping information from his customers, he provided a schedule of arrivals and departures of ships from the port of London. Thus ‘Lloyd’s list’ was born, and later used by captains of ships to consider the risks in various shipping routes. Shipowners seeking insurance would go to a broker who, in turn, would ‘sell’ (or transfer) portions of the total risk to individuals, each of whom would confirm his agreement to cover a percentage of any loss by signing his name to the contract. Such ‘writing under’ each other, to cover the full value, became known as ‘underwriting’. By 1771, seventy-nine of these underwriters had each subscribed £100 to form the Society of Lloyd’s – the original ‘Lloyd’s names’. The names committed all their assets to secure their insurance promise. That commitment was the principal reason for the rapid growth and excellent reputation held to this day of insurance underwritten at Lloyd’s. After several relocations, it moved to One Lime Street, its current location, opened by the Queen in November 1986.
Case study When anyone asks me how I can best describe my experience of nearly forty years at sea, I merely say uneventful. Of course there have been winter gales and storms and fog and the like, but in all my experience, I have never been in an accident of any sort worth speaking about. I have seen but one vessel in distress in all my years at sea. I never saw a wreck and have never been wrecked, nor was I ever in any predicament that threatened to end in disaster of any sort. – From a paper presented by E.J. Smith in 1907. On 14 April 1912, RMS Titanic sank with the loss of 1500 lives. The captain went down with the ship. His name – E.J. Smith (Toone, 2004).
The practicalities of understanding risk We have discussed earlier the basic system for transformation of inputs to outputs to inputs (see Figure 1.2 and associated text). Figure 1.6 shows the reality of this for any business. On the left side is the aspiration of the entrepreneur, seeking funding for the enterprise, and investment in the necessary resources. On the right side is the ‘Vision’, of the achievement and success stated in whatever terms those entrepreneurs have decided. Connecting the two sides is ‘risk management’, which certainly is not a game of cards.
Figure 1.6 Risk – ‘Not a Game of Cards’ (labels in the figure: Start; Excellent business plan; Investors; Modern assets; Risk management; Profit this year; ?; Vision; Bravo!; Bonuses and dividends)
Figure 1.7 Simple risk-ranking matrix (axes: Likelihood, low to high; Severity, low to high; bands: Low risk, Medium risk, High risk)
Not all organizations are equally successful, and how any business responds to the risks in its environment will be a significant feature of its success (or failure). Figure 1.7 shows a simple risk-ranking matrix, and Figure 1.8 shows how a corporation has developed this to highlight a variety of risk areas in greater detail. A-Factor 7: R = L × S (Risk = Likelihood × Severity). The greater the risk, the greater the (implied) urgency for response to that risk. Just how low a residual risk should be depends upon the ‘appetite’ for risk in the management of the organization. Some readers will be familiar with terms such as ‘ALARP’ (As Low As Reasonably Practicable) and ‘so far as reasonably practicable’, but these are beyond the scope of this book. Suffice to say that there is an established hierarchy for risk response (treatment), known as ‘ERIC’, as follows:
• Eliminate – terminate exposure to the hazard
• Reduce – reduce the exposure
• Isolate – contain the hazard by physical or other means
• Control – other means, including safe systems of work, training and so on.
Tip – Remember ‘famous Eric’, when a significant risk is identified. Many people have a ‘famous Eric’ – whether a parent, a relative or a friend. In training courses, to encourage delegates to remember ‘ERIC’, we have referred to Eric Cantona (famous footballer), Eric Morecambe (famous comedian) or Eric Clapton (famous musician).
Figure 1.8 A more-developed risk-ranking matrix (columns: H&S, Assets, Environment, Reputation; increasing severity from slight injury/slight damage/slight effect/slight impact, through minor injury/damage/effect and limited impact, major injury/localised damage/localised effect/considerable impact, 1 to 3 fatalities/major damage/major effect/national impact, to multiple fatalities/extensive damage/massive effect/international impact; increasing likelihood from ‘never heard of in industry’, ‘heard of an incident in industry’, ‘incident has occurred in our company’, ‘happens several times per year in company’ to ‘happens several times per year at location’; response bands: Manage for continuous improvement, Incorporate risk controls, Demonstrate ALARP, Intolerable – investigate alternatives)
A-Factor 8: Look for the application of ERIC whenever and wherever there is a significant risk.
Auditors and risk An essential first step for an auditor is to consider risks in the context of the environment in which the auditee’s organization is operating – of course, not all environments are the same (politically, economically, legally or otherwise). We have described the process for estimating risks (e.g. using a typical risk assessment matrix to qualitatively assess the significance of each identified risk area), and in effect, auditors will be following in the footsteps of the auditee’s management when they are selecting a sample of risks for review and verification in their audit work plan. Three questions (Asbury, 2005) will invariably assist auditors (as no doubt it may have assisted management) to decide the significance of the identified risks: • how often will this happen (the likelihood, frequency, probability)? • how big could the impact be (the severity, impact, consequence)? • who is likely to be impacted by an occurrence (which stakeholder groups)? NB – By ‘stakeholders’, we mean five specific groups – shareholders, customers, employees, suppliers and society at large.
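The ranking described above (A-Factor 7, gross versus residual risk, and the auditor’s selection of a sample of risk areas) can be worked through in code. This is an added example and not the book’s own method; the five-point scales follow Figure 1.8, but the risk register, the control credits and the band thresholds are constructed for illustration.

```python
"""Qualitative risk ranking for an audit work plan.

Added example, not from the book. It applies A-Factor 7 (R = L x S) on a
five-point scale modelled on Figure 1.8, distinguishes gross risk from
residual risk (controls reduce likelihood and/or severity), maps R onto the
figure's response bands, and picks the top-n residual risks as the audit
sample. Risk areas, scores, controls and band thresholds are constructed.
"""
from dataclasses import dataclass, field

# Likelihood scale, paraphrasing the columns of Figure 1.8.
LIKELIHOOD = {
    1: "never heard of in industry",
    2: "heard of an incident in industry",
    3: "incident has occurred in our company",
    4: "happens several times per year in company",
    5: "happens several times per year at location",
}
# Severity scale (the H&S column of Figure 1.8).
SEVERITY = {1: "slight injury", 2: "minor injury", 3: "major injury",
            4: "1 to 3 fatalities", 5: "multiple fatalities"}


@dataclass
class Control:
    """A business control. Preventive controls cut likelihood; detection,
    containment, mitigation and restoration controls cut severity;
    elimination and substitution controls may cut both."""
    name: str
    likelihood_reduction: int = 0
    severity_reduction: int = 0


@dataclass
class RiskArea:
    name: str
    likelihood: int          # gross score, 1..5
    severity: int            # gross score, 1..5
    stakeholders: tuple      # who is impacted (third of the three questions)
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD or self.severity not in SEVERITY:
            raise ValueError(f"{self.name}: scores must be on the 1..5 scale")


def _clamp(score: int) -> int:
    """Keep a credited score on the 1..5 scale."""
    return max(1, min(5, score))


def gross_risk(risk: RiskArea) -> int:
    """Inherent (pure) risk before any control is credited: R = L x S."""
    return risk.likelihood * risk.severity


def residual_risk(risk: RiskArea) -> int:
    """Net risk after crediting controls; never below 1 x 1."""
    l = _clamp(risk.likelihood - sum(c.likelihood_reduction for c in risk.controls))
    s = _clamp(risk.severity - sum(c.severity_reduction for c in risk.controls))
    return l * s


def response_band(score: int) -> str:
    """Map R onto the response bands of Figure 1.8 (thresholds are assumed)."""
    if score >= 15:
        return "intolerable - investigate alternatives"
    if score >= 8:
        return "demonstrate ALARP"
    if score >= 4:
        return "incorporate risk controls"
    return "manage for continuous improvement"


def select_sample(risks, n: int):
    """Top-n risk areas by residual risk; gross risk breaks ties."""
    ordered = sorted(risks, key=lambda r: (residual_risk(r), gross_risk(r)), reverse=True)
    return ordered[:n]


# Constructed auditee risk register (illustrative values only).
RISKS = [
    RiskArea("Forklift operations in warehouse", 4, 4, ("employees",), [
        Control("Operator training and licensing", likelihood_reduction=2),
        Control("Pedestrian segregation barriers", severity_reduction=2)]),
    RiskArea("Solvent storage and handling", 3, 5, ("employees", "society"), [
        Control("Substitution with low-toxicity solvent", 1, 1)]),
    RiskArea("Office slips and trips", 3, 1, ("employees",)),
    RiskArea("Discharge to surface water", 2, 4, ("society",), [
        Control("Interceptor and effluent monitoring", severity_reduction=1)]),
]

if __name__ == "__main__":
    # Gross ordering (forklift first) differs from residual ordering (solvent first):
    # the controls already in place change which risks the auditor should sample.
    for r in sorted(RISKS, key=gross_risk, reverse=True):
        print(f"{r.name:34} gross={gross_risk(r):2}  residual={residual_risk(r):2}  "
              f"{response_band(residual_risk(r))}")
    print("audit sample:", [r.name for r in select_sample(RISKS, 2)])
```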
The authors recommend that HSEQ auditors focus upon the relative incidence of risks within the auditee’s activities. A useful idea is to focus on the top 10–20 of such risk areas, ultimately selecting a sample size depending on the time available. There are many quantitative risk evaluation/estimation methodologies and software toolkits available. Too much focus on precise risk-scoring by auditors can easily become counter-productive, and this is supported by our experience of over 1000 audits and the feedback from thousands of our course delegates. Therefore, it is wise to avoid the ‘numbers game’ (Asbury, 2005). Qualitative methodologies are generally better suited for use by HSEQ auditors, who will have less time available than full-time site managers to select and investigate a sample of risks. A-Factor 9: Know that ultimately an audit is an independent and balanced assurance to stakeholders regarding an organization’s ability to meet its business objectives, in increasingly volatile business environments. In Chapter 2, we will consider the development and rise of business control as a technique for making a successful transition from vision to reality more likely. For example, organizations seeking excellence in worker health and safety are increasingly likely to use systematic techniques to meet (UK) legal requirements first established in 1802, and significantly amended in 1961, 1974 and 1992. From the first environmental law in 1307, when Queen Elizabeth published a proclamation prohibiting the burning of sea coal in London while Parliament was in session (Willis Corroon, 1996), up to the newest legal requirements for Integrated Pollution Prevention and Control (IPPC), business control frameworks have provided a systematic approach for the twenty-first century. We will also summarize the relatively new and important theme of corporate social responsibility (CSR), comprising the increasing expectation by all organizational stakeholders for transparency. 
The business response to CSR has provided both ‘greenwash’ (such as pictures of meadows, trees and children); plus targets and statistics galore.
2 Business Control
A brief history of business control The concept of using systemic business control frameworks to assist management in carrying out business activities has been around for twenty-five centuries (Figure 2.1). Some feel that a significant moment in the history of Business Control was on 14 October 1900 in Sioux City, Iowa and the birth of W. Edwards Deming (Figure 2.2). Deming trained to be an electrical engineer and received a Ph.D. in mathematical physics at Yale. He worked briefly as an engineer in Chicago before becoming a statistician, working in the US Bureau of Census. But fortunately for the world, his continuous quest for understanding deviation from the norm led him to become one of the founding fathers of the quality movement. After World War II he was sent to work in Japan and it was there in the 1950s that he developed, together with fellow American, Joseph Juran, production and management theories that later became known as the ‘right first time’ philosophy in Japanese industry. Leading industrialists credited them with giving birth to an industrial revolution through the way they developed statistical control of quality levels into a new way of managing business.
Plan–Do–Check–Act At the heart of Deming’s legacy to the business world is his adoption in his teaching of the ‘Plan–Do–Check–Act’ (PDCA) cycle which was originally developed by his friend and mentor, Walter Shewhart. The shorthand PDCA mnemonic has borne the test of time despite the efforts of many consultants and academics who have substituted Deming’s simplicity with complexity. We know it today as the Deming Wheel (Figure 2.3). It can be as easily applied as a ‘wheel within a wheel’ to illustrate the relationship of core business processes to corporate and strategic processes. Deming saw that the elimination of waste could be achieved by aligning processes coherently and then carrying them out in a manner that was sufficiently close to the laid-down standards as they could be. The armaments industry was the one to see the potential of a ‘quality’ approach to manufacture as every time an item of munitions failed to explode upon impact, or as designed, all the resources that were consumed before launching the munitions at its target had zero payback, since the enemy’s soldiers and equipment had not been destroyed as intended or the war won. For example, some observers feel that the outcome of the Falklands War (Guerra de las Malvinas) – an effective state of war between Argentina and the UK
4th Century BC • Sun Tzu
13th Century • Leonardo Pisano
15th Century • Luca Pacioli
18th Century • Adam Smith
19th Century • Henri Fayol • Frederick W Taylor • Henry Ford • Toyoda family • Alfred Sloan • Tomas Bata • Max Weber
20th Century • Konosuke Matsushita • William Deming • Jehangir Tata • Joseph Juran • Peter Drucker • Akio Morita • Charles Handy • Henry Mintzberg • Tom Peters • Rosabeth Moss Kanter • Kenichi Ohmae • Michael Porter and others
Figure 2.1 Timeline for development of management system thinking
Figure 2.2 W. E. Deming Reproduced with permission from W. Edwards Deming Institute®
between 2 April and 14 June 1982 over the long-disputed territories of the Falkland Islands, South Georgia and the South Sandwich Islands – might have been quite different if more of the bombs launched by the Argentinean air force, that successfully hit their targets amongst the Royal Navy, had actually exploded. Would all the bombs have exploded as designed if they had been manufactured and assembled by Honda?
Figure 2.3 The Deming Wheel (Plan → Do → Check → Act) © 1982, 1986 by W. Edwards Deming Printed with permission from Massachusetts Institute of Technology, publishers of Out of the Crisis
Management truths In his book Out of the Crisis, Deming (1989) set out his System of Profound Knowledge (Figure 2.4) and his 14 Points of Management (Figure 2.5), some 40 years after his teaching had been listened to, accepted and benefited from by the Japanese. Deming believed that to effect transformation of the style in which something is currently being managed there had to be an external perspective. He called this a System of Profound Knowledge; it was his approach to understanding organizations and had to be applied through the transformation of the individual, who, once transformed, would:
• Set a good example
• Be a good listener, but will not compromise
• Continually teach other people
• Help people to move into a new way of working
The system can be illustrated in four parts which are all inter-dependent upon and inter-related to each other:
1 Appreciation for a system
2 Knowledge about variation
3 Theory of knowledge
4 Psychology
Therefore leaders of organisations that required transformation, and the managers involved, needed to learn the psychology of individuals, the psychology of a group, the psychology of society, and the psychology of change. Some understanding of variation, including appreciation of a stable system, and some understanding of special causes and common causes of variation, are essential for management of a system, including management of people.
Figure 2.4 The Deming System of Profound Knowledge © 1982, 1986 by W. Edwards Deming Printed with permission from Massachusetts Institute of Technology, publishers of Out of the Crisis
Deming’s 14 Points of Management have been one of his abiding contributions to the transformation of organizations. He said that problem solving, big or small, was insufficient. If management really wanted to signal that they intended to win in business and aimed to protect stakeholders’ interests, they had to sincerely adopt and effectively implement his 14 points.
1. Create constancy of purpose toward improvement of product and service, with the aim to become competitive and to stay in business, and to provide jobs.
2. Adopt the new philosophy. We are in a new economic age. Western management must awaken to the challenge, must learn their responsibilities, and take on leadership for change.
3. Cease dependence on inspection to achieve quality. Eliminate the need for inspection on a mass basis by building quality into the product in the first place.
4. End the practice of awarding business on the basis of price tag. Instead, minimize total cost. Move toward a single supplier for any one item, on a long-term relationship of loyalty and trust.
5. Improve constantly and forever the system of production and service, to improve quality and productivity, and thus constantly decrease costs.
6. Institute training on the job.
7. Institute leadership. The aim of supervision should be to help people and machines and gadgets to do a better job. Supervision of management is in need of overhaul, as well as supervision of production workers.
8. Drive out fear, so that everyone may work effectively for the company.
9. Break down barriers between departments. People in research, design, sales, and production must work as a team, to foresee problems of production and in use that may be encountered with the product or service.
10. Eliminate slogans, exhortations, and targets for the work force asking for zero defects and new levels of productivity. Such exhortations only create adversarial relationships, as the bulk of the causes of low quality and low productivity belong to the system and thus lie beyond the power of the work force.
11. (a) Eliminate work standards (quotas) on the factory floor. Substitute leadership. (b) Eliminate management by objective. Eliminate management by numbers, numerical goals. Substitute leadership.
12. (a) Remove barriers that rob the hourly worker of his right to pride of workmanship. The responsibility of supervisors must be changed from sheer numbers to quality. (b) Remove barriers that rob people in management and in engineering of their right to pride of workmanship. This means, inter alia, abolishment of the annual or merit rating and of management by objective.
13. Institute a vigorous program of education and self-improvement.
14. Put everybody in the company to work to accomplish the transformation. The transformation is everybody’s job.
Figure 2.5 Deming’s 14 Points of Management © 1982, 1986 by W. Edwards Deming Printed with permission from Massachusetts Institute of Technology, publishers of Out of the Crisis
His ideas are still vibrant signposts for managers and auditors today. Deming saw immutable truths in the system of management. For example: a manager of people needs to understand that all people are different; a manager needs to understand the interaction of psychology and statistical variation (for example, the number of defective items that an inspector finds depends on the size of the workload presented to him, and an inspector, careful not to penalize anybody unjustly, may pass an item that is just outside the acceptable borderline); fear invites wrong figures; bearers of bad news fare badly and so, to keep their jobs, people present to their boss only good news; a committee appointed by the CEO of a company will report what the CEO wishes to hear. Would they dare report otherwise?

Other observations by Deming are also relevant to today’s corporate practices; for example, accounting-based key performance indicators drive managers and employees to achieve targets of sales, revenue and costs by manipulation of processes. In Deming’s opinion, the result is that statistical calculations and predictions based on distorted data may lead to confusion, frustration and wrong decisions.

It would be exceptionally unusual to find a management system, framework or model in use today which has elements or components that could not be mapped to one of the four interconnecting stages of Deming’s Wheel. For example, the words used in other models may be policy; planning; implementation and operation; checking and corrective action; and review (Figures 2.6 and 2.7), but they are all aspects of Deming’s recognition that senior management must plan what needs to be achieved in both quantitative and qualitative terms and set about telling people what and how they should perform in order to be successful. Figure 2.8 illustrates this correlation. Our business control model is shown in Figure 2.12.
Figure 2.6 OHSAS 18001:1999 - Elements of successful OH&S management: OH&S policy, Planning, Implementation and operation, Checking and corrective action, and Management review, arranged as a cycle of continual improvement
Figure 2.7 ILO–OSH 2001
PDCA element | Our business control framework | OHSAS 18001                                                 | ILO-OSH 2001
Plan         | Policy; Structure              | OH&S policy; Planning                                       | Policy; Organizing; Planning
Do           | Procedures                     | Implementation and operation                                | Implementation
Check        | Supervision                    | Checking                                                    | Evaluation; Audit
Act          | Review and appraisal           | Corrective action; Management review; Continual improvement | Action for improvement
Figure 2.8 Mapping control frameworks
A-Factor 10: Keep things simple – remember PDCA.
Information for management about control In teaching people how to audit management systems, it soon became apparent that a critical prerequisite for the auditor to carry out such audits was often missing.
There was extensive internal control guidance available for auditors that had been produced over many years by professional auditing bodies, but virtually nothing had been specifically written for auditees (management). The auditee’s cupboard was overflowing with policies, governance guides, values and ethics, general business principles, vision and mission, laws and regulations, rules, mandates, main policy documents, organizational structures, reporting relationships, accountabilities, roles and responsibilities, competence standards, business process maps, training matrices, meeting minutes, action plans, insurance reports, plans, standards, strategic and tactical reviews, job descriptions, manuals of authority, audit reports, procedures, risk registers, etc. But there were very few high-level overview documents written from management’s perspective that described how these discrete internal controls should and could be implemented in a coordinated and complementary manner that would tie management’s activities in with delivering success for their organization.

In the USA, this lack of guidance for management and boards of directors was eventually recognized and action taken. The Foreign Corrupt Practices Act of 1977 stimulated a flood of proposals and guidelines from consultants and professional and regulatory bodies focusing on management’s responsibility for maintaining a system of internal accounting control. Following on from its report on Fraudulent Financial Reporting in 1987, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) conducted a review of the written material available on internal control. This work led to COSO’s well-known project to provide practical, broadly accepted criteria for establishing internal control and evaluating its effectiveness. Management could use it to support their recently emphasized responsibility for establishing, monitoring, evaluating and reporting on internal control.
A seminal moment arrived with the publication in September 1992 of COSO’s Integrated Framework of Internal Control (Figure 2.9).

Figure 2.9 COSO integrated framework of internal control. The five components and the elements listed against each in the figure:
• Control environment: integrity and ethical values; commitment to competence; board of directors and audit committee; management philosophy and operating style; organizational structure; assignment of authority and responsibility; human resource policies and practices
• Risk assessment: organization-wide objectives; activity-level objectives; risk management; managing change
• Control activities: policies; procedures
• Information and communication: management information systems; performance information; instructions and guidance; communication downwards, upwards, horizontal, departmental and external
• Monitoring: ongoing monitoring; separate evaluations; reporting deficiencies
© 1992 by the Committee of Sponsoring Organizations of the Treadway Commission. Reproduced with permission from the AICPA acting as authorized copyright administrator for COSO

Throughout the 1990s, legislative and regulatory authorities across the world began to demand better standards of corporate governance generally. This was mainly a reaction to a litany of high-profile corporate failures which stimulated outrage from innocent parties who were affected not only directly, but also vicariously, by the actions of companies operating in their countries, cities, towns and countryside. As all these outraged citizens were voters, the legislators took note that the majority wanted those responsible for running organizations to be held more accountable for their actions than in the past.

Many professional accountancy bodies across the world have long accepted the need for global standards. The International Federation of Accountants now ensures that all accountants and auditors worldwide subscribe to a global code of ethics, and there has been growing support for international standard-setters to develop and promote international standards of accounting and auditing. The interdependence of the economies of individual countries requires high and globally accepted, applied and enforced management standards that act as the most effective way of balancing the needs of regulatory authorities with the needs of commercial and other organizations. It is widely accepted that such standards are what give investors confidence in the companies in which they invest, and other stakeholders the confidence to buy from, work for, supply to and live next door to them. They require that organizations and their senior management throughout the world, operating in both private and public sectors, must demonstrate:
• accountability (of managers to stakeholders)
• integrity (to attract financial and social support)
• transparency (of their operations and financial position as reflected in their statutory and voluntary reports to stakeholders).

COSO’s framework became an accepted reference on internal control in the USA and around the world, and its implications for corporate governance led other countries to follow with their own expectations: the Cadbury Committee reported in the UK in 1992; the Greenbury Committee reported in the UK; the Criteria of Control Board (CoCo) of The Canadian Institute of Chartered Accountants reported in Canada and Marc Vienot first reported in France in 1995; the Peters Commission reported in The Netherlands in June 1997; the Hampel Committee reported in the UK in January 1998; KonTraG was published in Germany in March 1998; and the Turnbull Committee reported in the UK in September 1999.

In the last 10 years, most developed and developing countries have issued guidance regarding corporate governance of major companies registered in their jurisdictions (Figure 2.10). Furthermore they are reviewing and updating that guidance in the light of experience in their own and other countries. Essentially they all have the same message: an organization’s senior management (particularly the directors of a public limited liability company) must take responsibility for two things:
• really understanding what the risks and opportunities of the company are, and what it does to enhance performance on the basis of this knowledge
• informing external parties about what the company has been doing in a transparent and trustworthy manner.

Figure 2.10 Countries with corporate governance guidelines
West: Brazil, Canada, Jamaica, Mexico, Peru, USA
Europe: Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Macedonia, Malta, Norway, Poland, Portugal, Romania, Russia, Slovakia, Slovenia, Spain, Sweden, Switzerland, The Netherlands, Turkey, Ukraine, United Kingdom
Africa/Asia: Bangladesh, India, Kenya, Pakistan, South Africa
East: Australia, China, Hong Kong, Indonesia, Japan, Malaysia, New Zealand, Singapore, South Korea, Taiwan, Thailand, The Philippines
Copies of each country’s code(s) can be read on www.ecgi.org/codes

During three of the most turbulent years in the USA’s corporate history, COSO developed and then published in September 2004 its Enterprise Risk Management – Integrated Framework, which was intended to meet the needs of these corporate governance expectations by setting out principles and concepts which could become a common language, and by giving clear direction and guidance on enterprise risk management.
Internal control reference frameworks COSO’s Integrated Framework of Internal Control continues to stand the test of time and is still a broadly accepted standard for satisfying an organization’s reporting requirements.
Now, in addition, the Enterprise Risk Management – Integrated Framework provides management with a more robust and extensive focus on the broader subject of organizational risk management. It was not intended to replace the internal control framework and has not done so, since it incorporates that framework within it, but organizations can use it to move towards a fuller risk management process.

A-Factor 11: To carry out management system audits effectively, an auditor needs a relevant internal control reference framework against which the auditee’s performance can be assessed.

The question is, ‘What constitutes a suitable internal control reference framework?’ And clearly the best answer is, ‘The internal control reference framework currently being used by the auditee.’ This is fine as long as the auditor has sufficient time to understand that reference framework before they start the audit. One problem that does arise in trying to select an appropriate reference framework is the multiplicity of control frameworks with which managements are being asked to comply. Sometimes the type of audit will naturally lead the auditor towards a particular reference framework: in quality audits ISO 9001 (Figure 2.11), or in environmental audits ISO 14001, may be the primary framework. But often you will find that the auditee has no particular framework, or group of frameworks, which they are using personally, because their company has no corporate-wide internal control or risk management framework such as COSO’s; they are therefore not expecting a structured means of control to give them reasonable assurance that they will meet their business objectives and carry out their activities in a way that meets their responsibilities to their particular group of stakeholders.
A-Factor 12: Only by using a ‘structured management approach’ can an auditee turn their high-cost Controls into profit-enhancing Control.
Case study
The explosion and fire at Longford, Australia in 1998 impacted not only people at the facility, but the whole state of Victoria, yet occurred in an organization with a highly developed and complex integrated occupational health and safety management system. Findings of the subsequent Royal Commission included this statement: ‘… there was a tendency for the administration of OIMS [Operational Integrity Management System] to take on a life of its own, divorced from operations in the field. Indeed, it seemed that in some respects, concentration upon the development and maintenance of the system diverted attention from what was actually happening in the practical functioning of the plants at Longford.’ This significant disconnection between documented standards and the operations culture was apparently not highlighted by the regular OIMS audits and reviews carried out prior to the explosion.
ISO 9001:2000
• Focus is on top management involvement
• Continually improving processes to deliver customer satisfaction
• Quality manual and 6 mandatory procedures
• 20 requirements, now 5 sections

ISO 9001:2000 clauses:
4 Quality management system
5 Management responsibility
6 Resource management
7 Product realization
8 Measurement, analysis and improvement

4 Quality management system
The organisation should implement:
• A quality policy defining commitment to quality together with quality objectives
• A documented quality system (quality manual and a minimum of six specified procedures and others required by the organisation to ensure effective operation) which meets the requirements of ISO 9001 and details justification for any exclusions. The organisation should seek to continually improve the effectiveness of its business system. The quality manual should include a description of the interrelation of the processes. The extent of the documentation is dependent on the size and complexity of the organisation and the competence of its people.
• The key processes for achieving quality must be identified and measured and there must be controls in place to ensure the effectiveness of business processes.
• A procedure for controlling documents to ensure the correct information is available to users and that obsolete information is not used.
• A procedure for maintaining and controlling quality records to provide evidence of conformance of products to specifications and to enable investigation, corrective action and facilitate improvements to processes and products

5 Management responsibility
The directors/top management of the organisation have to demonstrate their commitment to the development and continual improvement of the quality system. They do this by:
• Communicating the importance of meeting customer and legal requirements and ensuring customer requirements are met with the aim of enhancing customer satisfaction
• Producing a quality policy and objectives which is the focus of the quality system in satisfying customers and is a framework for setting quality objectives which can be cascaded to all levels as appropriate and is understood by everyone in the organisation
• Holding management review meetings to review performance of both the quality system and product and drive improvements in processes to satisfy customer needs
• Ensuring the organisation has the necessary resources to satisfy customers
• Appointment of a management representative to establish and maintain a quality system and promote quality awareness
• Ensuring that responsibilities and authorities regarding quality related tasks are clear and communicated
Figure 2.11 Description of ISO 9001:2000
6 Resource management
The requirements include:
• Top management to provide sufficient resources to implement and maintain the business system, continually improve its effectiveness to enhance customer satisfaction
• Ensuring competences for each position are identified and that people are competent through education, training and experience
• Training is identified to provide and meet training and competency needs
• Effectiveness of training is evaluated
• Training and evaluation records are maintained
• Infrastructure and working environment will be suitable to ensure product conformity

7 Product realization
Customer requirements
• The business processes for the organisation should be identified, usually by flow charting
• The quality requirements for each product should be identified, together with the resources and processes to deliver them
• The organisation should also identify and implement controls for the checking, inspection and monitoring of each product together with quality records to demonstrate compliance to the quality objectives
• Customer requirements must be determined together with the organisation’s ability and capability of delivering the products on time and to specification
• Requirements not known by the customer but necessary to achieve product quality and any regulatory requirements such as CE marks must be determined
Design
• Quality plans (procedure/form/flowchart) will be used to control the design, development and production of the product or service
• Design and development must be planned and specifications (design outputs) checked to verify that they meet the customers’ (and other) requirements (design inputs); testing stages and trial runs will be included for review within the design and development process, together with appropriate risk control and control points and inspection and testing in the process prior to production
• The interfaces of the organisation between different people and departments, customers and suppliers involved in the design must be managed to ensure communication is effective and responsibilities are clearly assigned
• All changes to designs are controlled, i.e. with issue status and description of change
Purchasing
• All bought-out materials and services used in the product must be from approved sources of supply; the level of control exercised is dependent upon their effect on the product or service
• The organisation should define the criteria for selection and evaluation of suppliers and subsequent re-evaluation. Records should be maintained of evaluation and re-evaluation and include actions arising from the re-evaluation
Figure 2.11 Description of ISO 9001:2000 (Continued)
• Purchase orders should be checked and signed before issuing and should contain or make reference to all technical specifications and testing requirements; this may include international standards for product design and performance
• All purchased products should be verified prior to use; the level of verification is dependent upon the other supplier controls in place
Control of production and service provision
This is controlled through:
• Process flow charts, procedures, work instructions and drawings
• Quality records
• Maintained and calibrated equipment and machinery
• Qualified people
• Identification and traceability of products
• Handling and storage of products and materials
• Care and control of customer property
Figure 2.11 (Continued)
A-Factor 13: Whatever the auditee’s reference framework is, an auditor needs to have their own standard ‘structured management approach’ which they can use to simplify the complexity of an auditee’s framework, or to have something to hand if there is a vacuum.

The remainder of this chapter describes a simple, structured management approach that we can use when we are auditing. It provides a robust reference framework, aligned to PDCA, which is simple in its structure and, when necessary, will allow auditors to map out and thus understand any of an auditee’s internal controls.

Business control framework
The strength of the reference framework featured in the schematic (Figure 2.12) lies in its simplicity and flexibility and its reflection of all the features of modern management systems. This is a straightforward business control model which comprises four interdependent strata: environment, planning, organization and operations. As discussed in Chapter 1, all enterprises exist within a business environment which is subject to constant and increasingly rapid change, and that is likely to affect management’s business vision of risk and opportunity. Business objectives are the start point for risk management and should guide all the business processes of the enterprise. Risk management is a vital activity that identifies and prioritizes risks and opportunities. Business process analysis includes the identification of critical success factors and risks and, therefore, which business controls are needed and how the enterprise can be organized more effectively in line with its business processes.
Figure 2.12 Our business control model. The four strata and the review loops drawn in the figure:
• Environment: Business vision (business review and appraisal)
• Planning: Business objectives; Risk assessment
• Organisation: Policy; Structure; Procedures; Supervision (organizational review and appraisal)
• Operations: Application (operations review and appraisal)
Business controls for all processes can be classified under five ‘control mechanisms’ – policy, structure, procedures, supervision, and review and appraisal. Business controls should be applied to business operations in an effective and efficient manner. Performance measurement, i.e., review and appraisal should be made from operational, organizational and business perspectives. Operational review and appraisal should involve quantitative and qualitative measures of performance. Organizational review and appraisal should confirm the appropriateness of business controls whenever operational or organizational changes are planned or environmental changes occur. Business review and appraisal should confirm the progress of the enterprise against its specified objectives. Changes in the business environment may mean that the enterprise’s objectives need to be revised, with subsequent organizational and operational reviews of the control framework. All business control frameworks comprise various categories of control, which themselves are rooted in good management practice. Therefore, these categories can be considered both as components of a business control system and as essential criteria for an effective management system.
Environment and planning Figure 2.13 shows the flight deck of the US Space Shuttle with its mass of instrumentation for measuring all the significant environmental features affecting the mission. Superimposed on the picture are a few examples of some of the environmental factors applicable to an organization’s mission.
Figure 2.13 Environmental factors. Factors superimposed on the flight deck picture: legislation, industry reputation, education, new technology, competitors, government investment, infrastructure, organized crime, political stability, new markets (‘Look at the horizon’)
Business vision
Every enterprise needs a vision of what and where it wants to be. From such a vision, management can create strategies and specify business objectives which take full account of the opportunities and constraints inherent in a range of possible business environments, the resources that should be deployed and the enterprise’s existing competitive position. Figures 2.14a, b and c show a sample of published ‘vision’ statements from John Lewis, Toyota and Virgin.
Business objectives
Even though they are a means of realizing an enterprise’s vision, business objectives are not controls by themselves, but rather the necessary start and end points for an integrated business control framework. Business objectives should:
• conform with any published code of conduct
• guide the business processes of the enterprise
• apply to each level of management
• give explicit time frames for achievement of measurable results
• have wide participation of employees in their development
• be communicated to and understood by all staff
• form a coherent whole and be internally consistent, as illustrated by Figure 2.15.

'The supreme purpose of the John Lewis Partnership is simply the happiness of its members.'
John Spedan Lewis, the founder, aimed to create a business that:
• was fair to all - to customers and suppliers as well as to those who work in it
• the Partners really felt was their own
• would challenge and beat the best of the competition and attract people at the top of their profession into its executive ranks.
From www.johnlewispartnership.co.uk (June 2006)
Figure 2.14a Example vision statements (John Lewis)

Guiding Principles at Toyota (1990 and revised 1997)
1. Honor the language and spirit of the law of every nation and undertake open and fair corporate activities to be a good corporate citizen of the world.
2. Respect the culture and customs of every nation and contribute to economic and social development through corporate activities in the communities.
3. Dedicate ourselves to providing clean and safe products and to enhancing the quality of life everywhere through all our activities.
4. Create and develop advanced technologies and provide outstanding products and services that fulfill the needs of customers worldwide.
5. Foster a corporate culture that enhances individual creativity and teamwork value, while honoring mutual trust and respect between labor and management.
6. Pursue growth in harmony with the global community through innovative management.
7. Work with business partners in research and creation to achieve stable, long-term growth and mutual benefits, while keeping ourselves open to new partnerships.
From www.toyota.co.jp (June 2006)
Figure 2.14b Example vision statements (Toyota)
Planning
Risk assessment
Risk, defined in A-Factor 6 on page 26, is something which may hinder or assist achievement of business objectives.
The Virgin Brand values are…
Value for Money: Simple, honest & transparent pricing – not necessarily the cheapest on the market
Good Quality: High standards, attention to detail, being honest and delivering on promises.
Brilliant Customer Service: Friendly, human & relaxed; professional but uncorporate
Innovation: Challenging convention with big and little product/service ideas; innovative, modern and stylish design.
Competitively Challenging: Sticking two fingers up to the establishment and fighting the big boys – usually with a bit of humour.
Fun: Every company in the world takes itself seriously so we think it's important that we provide the public and our customers with a bit of entertainment – as well as making Virgin a nice place for our people to work.
From www.virgin.com (June 2006)
Figure 2.14c Example vision statements (Virgin)
Risk assessment is a vital management activity. This does not imply that all risks can, or indeed should, be avoided. The inability or failure to identify or seize business opportunities may itself be a significant risk. Senior management should ensure that a risk assessment process is embedded in their enterprise’s strategy and the implementation of that strategy.
Figure 2.15 Achieving success by aligning objectives: Corporate vision → Corporate plan → Regional/sector plans → Department plans → Individual targets
An effective risk assessment process would require:
• senior management to have an intimate knowledge of the political, economic, legal, social, technological and market environment in which their enterprise operates
• creation of strategic and operational objectives which are well known and clearly understood throughout the enterprise
• addressing methodically the risks in all the major business activities
• a structured description of the factors critical to the enterprise’s success and the opportunities and threats that may help or hinder achievement of the set objectives
• estimation of the enterprise’s exposure to the factors, opportunities and threats in quantitative or qualitative terms of the likelihood of occurrence and its possible impact
• collating these exposures in the format of a risk profile or risk matrix which enables management to prioritize the areas for risk response.
The strategies for risk response are to:
• avoid or terminate the activity or situation
• transfer the risk to, or share it with, another party
• reduce the likelihood and/or potential impact of the risk by applying appropriate business controls.
An effective business control framework will enable timely reaction to changes in risks and opportunities in the business environment or operations. Figure 2.16 shows some examples of risks in an organization’s ‘risk universe’.
People: death or injury; absenteeism; discrimination; management.
Environment: pollution; regulation; species (fauna/flora); climate.
Assets: design/quality; cost; functionality; life cycle.
Reputation: local; regional; national; global.
Figure 2.16 Categories of risk
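The risk assessment steps above (estimate likelihood and impact, collate the exposures into a risk profile or risk matrix, prioritize, then pick a response) can be made concrete in code. The Python below is a worked example added here; it is not the book's own method. The 1 to 5 scales, the rating bands and the rules that map a band to avoid/terminate, transfer/share, reduce or accept are assumptions, and the register entries are constructed to span the four categories of Figure 2.16.

```python
"""Risk profile and risk matrix: an added worked example, not the book's method.
The 1..5 scales, rating bands and response rules below are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed qualitative scales mapped to ordinal scores (1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    ref: str
    category: str          # People / Environment / Assets / Reputation (Figure 2.16)
    description: str
    likelihood: str        # key of LIKELIHOOD
    impact: str            # key of IMPACT
    controls: List[str] = field(default_factory=list)  # existing business controls

    @property
    def score(self) -> int:
        """Exposure = likelihood x impact: the cell the risk occupies on the matrix."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rating(score: int) -> str:
    """Assumed bands: 15-25 high, 8-14 medium, 1-7 low."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def suggested_response(risk: Risk) -> str:
    """Map a risk to a response strategy: avoid/terminate, transfer/share,
    reduce, or accept the residual risk. The rules are assumed, not the book's."""
    band = rating(risk.score)
    if band == "high" and IMPACT[risk.impact] == 5:
        return "avoid/terminate"
    if band == "high":
        return "reduce"
    if band == "medium" and IMPACT[risk.impact] >= 4:
        return "transfer/share"
    if band == "medium":
        return "reduce"
    return "accept (residual risk, needs authorization)"


def prioritize(register: List[Risk]) -> List[Risk]:
    """Risk profile: highest exposure first; ties broken by impact so a rare
    but severe event outranks a frequent trivial one with the same score."""
    return sorted(register, key=lambda r: (r.score, IMPACT[r.impact]), reverse=True)


def risk_matrix(register: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Group risk refs by (likelihood, impact) cell of a 5x5 grid."""
    grid: Dict[Tuple[int, int], List[str]] = {}
    for r in register:
        grid.setdefault((LIKELIHOOD[r.likelihood], IMPACT[r.impact]), []).append(r.ref)
    return grid


def render_matrix(register: List[Risk]) -> str:
    """Text rendering of the matrix: rows = likelihood 5..1, columns = impact 1..5."""
    grid = risk_matrix(register)
    lines = ["L\\I  " + "  ".join(f"{i:>6}" for i in range(1, 6))]
    for lk in range(5, 0, -1):
        cells = [",".join(grid.get((lk, im), [])) or "-" for im in range(1, 6)]
        lines.append(f"{lk:>3}  " + "  ".join(f"{c:>6}" for c in cells))
    return "\n".join(lines)


# Constructed sample register spanning the four categories of Figure 2.16.
REGISTER = [
    Risk("R1", "People", "fall from height during maintenance", "possible", "severe",
         ["permit to work", "harness inspection"]),
    Risk("R2", "Environment", "uncontrolled discharge to watercourse", "unlikely", "major",
         ["bund integrity checks"]),
    Risk("R3", "Assets", "control system outage", "likely", "moderate",
         ["spares holding", "vendor support contract"]),
    Risk("R4", "Reputation", "local press coverage of odour complaints", "likely", "minor"),
    Risk("R5", "People", "office slip on wet floor", "possible", "negligible",
         ["clean as you go"]),
]


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.ref} {r.category:<12} score={r.score:>2} {rating(r.score):<6} "
              f"-> {suggested_response(r)}")
    print(render_matrix(REGISTER))
```

Running the block lists R1 first (possible x severe = 15, high, avoid/terminate) and R5 last (accept), and prints the grid that a management review would use to agree the order in which areas get a risk response.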
Business processes
Business processes are logically linked groups of activities needed to fulfil the business objectives of the enterprise. They comprise:
• core processes and
• service and control processes.
Core processes
Core processes are those which directly deliver the required product or service to the enterprise's customers.
Service and control processes
Service and control processes are those which provide and facilitate the corporate infrastructure to deliver the core processes.
Effective overall business control will result if an enterprise is managed as a series of core business processes and service processes, each with its own quality process for continuous improvement and business control framework. Business process activity charts generally describe the 'what' and not the 'how' or the 'information' used, but process analysis, as illustrated in Figure 2.17, provides a basis for control self assessment – the determination of where control accountabilities lie, identification of risks and control objectives, definition of necessary controls, authorization to accept the residual risks and setting appropriate performance indicators.
Figure 2.17 Analyse your business processes – inputs flow into the business process, which is decomposed into sub-processes (A to F, each with its own inputs and outputs) fed by service process inputs, and which delivers outputs for customers.
The human factor
How people behave in an enterprise is critical to the success of any control framework. Critical success factors are:
• the tone and example set by the highest management level regarding the ethical values, standards and actions of everyone associated with an enterprise
• the quality of all levels of staff and their understanding, support and compliance with the business controls in their area
• an adequacy of time and competent resources for proper operation, maintenance and review of business controls
• good communication between individuals and between groups of people
• reliable, timely and useful information to enable staff to discharge their responsibilities efficiently, and to measure their achievement of specified objectives.
Figure 2.18, in cartoon form, illustrates how 'tone at the top' can impact upon the success of an organization.
Figure 2.18 Human factors
Printed by permission of John Cole, The (Scranton) Times-Tribune
The impact of culture and human factors is illustrated powerfully in Carolyn W. Merritt's (Chairman and CEO of the US Chemical Safety and Hazard Investigation Board) statement to the BP Independent Safety Review Panel in Houston, Texas on 10 November 2005:
One of my aspirations is that all industrial managers treat safety and major accident prevention with the same degree of seriousness and rigor that is brought to financial transactions. Few people would operate a major corporation today without a strict system of financial controls and auditing, where everyone within the corporation recognizes the severe consequences for non-compliance. That same standard of diligence is not always applied to risk management and safety. If you get away with a flawed safety decision one day or repeatedly, far from facing a penalty you may actually end up rewarded, perhaps for boosting production. You may come to believe that what was thought to be unsafe is actually safe, based on your experience. It is a phenomenon that is sometimes called 'normalization of abnormalities'.
Organization and operations Policy Policies comprise general standards, principles and guidelines for action which influence and constrain decision-making. They define the boundaries within which the enterprise’s management and staff may choose to operate. Senior management is responsible for setting major policies in a structured way. At lower levels, actions and decisions are guided and empowered by intermediate policies and procedures which are consistent with major policies. General policies should always be made accessible to all staff. For each business process, policies are developed by: • considering the operating environment and the process objectives, and identifying categories of inherent risk • formulating general directives in respect of such risks to enable consistent lower level policies and procedures to be developed as a basis for future operations. Policies should be: • clearly and concisely expressed as a practicable proposition • documented and promoted in line with their relevance and importance • distributed to and explained to relevant staff • kept up-to-date as necessary.
Structure
Structural or organizational controls concern the creation and maintenance of the necessary fabric and resources for an enterprise to achieve its business objectives. Fabric includes assets and communication. Resources include staff, finance and information systems.
The attitudes held by the senior management team will set the tone for an effective framework of business controls. If management underlines its commitment to the importance of control and ethical behaviour through programmes of control awareness, a sound control framework will surely follow. All staff should know the code of conduct and principles of integrity expected of them by the enterprise over and above legal obligations.
The responsibilities of individuals or teams should cover all activities of the enterprise without gaps or overlaps. Every position should have clearly established and documented responsibilities, authorities and accountabilities. Responsibility should lie at a level at which the time and expertise required exists. No individual should have exclusive knowledge, authority or control over important transactions. Financial and operational authorities should be documented as necessary for all activities, and should be appropriately assigned to match individuals' responsibilities.
A chain of accountabilities should be clearly established throughout the enterprise in order to monitor achievement of business objectives in accordance with the enterprise's business plan. Realistic targets for quality and quantity should be clearly assigned and communicated to each accountable individual. Accountable individuals must report to their line manager on actions taken to discharge their responsibilities, and the results thereof, and confirm the continuing effectiveness of business controls in their areas. Accountable individuals are responsible for creating, operating, reviewing and improving business controls in their areas.
Effective exercise of accountability depends on: • provision of adequate resources – people, finance and information – to be able to fulfil assigned targets • recruitment and training of competent staff appropriate to their position • development of worker competence, so that responsibilities and reporting relationships can be regrouped efficiently • control over the transfer of accountability. Handover arrangements should make clear to incoming managers or supervisors the targets and control systems for which they will be held accountable. For absences, clearly defined assignment of authorities and accountability should be approved by the absentee’s supervisor.
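Two of the structural requirements above can be checked mechanically against a manual of authorities: that no individual holds exclusive authority or control over important transactions, and that responsibilities cover every activity without gaps (including cover for absences). The Python below is an added illustration, not the book's own code or procedure; the conflicting-authority pairs, the set of 'important' authorities and the sample assignments are constructed assumptions.

```python
"""Segregation-of-duties and coverage check over a manual of authorities.
Added illustration, not from the book; the conflict pairs, the 'important'
set and the assignments are constructed assumptions."""
from typing import Dict, List, Set, Tuple

# Assumed pairs of authorities that should never sit with one person.
CONFLICTING_PAIRS = [
    frozenset({"raise_purchase_order", "approve_payment"}),
    frozenset({"issue_permit_to_work", "perform_permitted_work"}),
    frozenset({"change_control_system", "approve_change"}),
]

# Assumed authorities over important transactions that must be covered.
IMPORTANT = {
    "approve_payment",
    "issue_permit_to_work",
    "approve_change",
    "release_incident_report",
    "authorize_emergency_shutdown",
}

# Constructed manual of authorities: person -> documented authorities.
AUTHORITIES: Dict[str, Set[str]] = {
    "alice": {"raise_purchase_order", "approve_payment"},
    "bob": {"issue_permit_to_work"},
    "carol": {"perform_permitted_work"},
    "dave": {"change_control_system", "approve_change", "release_incident_report"},
    "erin": {"approve_payment"},
}


def sod_violations(authorities: Dict[str, Set[str]]) -> List[Tuple[str, Tuple[str, ...]]]:
    """People holding both halves of a conflicting pair (exclusive control)."""
    found = []
    for person, held in authorities.items():
        for pair in CONFLICTING_PAIRS:
            if pair <= held:
                found.append((person, tuple(sorted(pair))))
    return sorted(found)


def holders_by_authority(authorities: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Invert the manual: authority -> people who hold it."""
    holders: Dict[str, Set[str]] = {}
    for person, held in authorities.items():
        for authority in held:
            holders.setdefault(authority, set()).add(person)
    return holders


def coverage_gaps(authorities: Dict[str, Set[str]],
                  important: Set[str]) -> Tuple[Set[str], Dict[str, str]]:
    """Important authorities nobody holds (a gap in responsibilities), and those
    only one person holds (exclusive knowledge, and no cover for absence)."""
    holders = holders_by_authority(authorities)
    unassigned = {a for a in important if not holders.get(a)}
    sole = {a: next(iter(p)) for a, p in holders.items()
            if a in important and len(p) == 1}
    return unassigned, sole


def report(authorities: Dict[str, Set[str]], important: Set[str]) -> List[str]:
    """Findings a structural-controls review would raise, one line each."""
    lines = []
    for person, pair in sod_violations(authorities):
        lines.append(f"SoD conflict: {person} holds {' + '.join(pair)}")
    unassigned, sole = coverage_gaps(authorities, important)
    for a in sorted(unassigned):
        lines.append(f"Gap: no one is authorized to {a}")
    for a, person in sorted(sole.items()):
        lines.append(f"Single point of control: only {person} may {a}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(AUTHORITIES, IMPORTANT)))
```

On the constructed manual the report flags alice (raises and approves her own purchases), dave (changes and approves changes to the control system), an emergency shutdown authority that nobody holds, and three authorities with a single holder and therefore no handover or absence cover.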
Procedures Procedures describe how management requires business operations to be carried out with the purpose of confirming how to address risks. Procedural controls may range from extensive documented procedures to less formal working instructions and localized procedures developed by staff themselves. Managers should ascertain the extent to which activities require procedures and ensure that they are properly developed and approved. This selection process requires knowledge of the activity and its risks, appreciation of the purposes of all relevant policies, and evaluation of optional treatments. Detailed written procedures are not necessary, generally, for activities which are not critical and have a minimal cost of failure. Policies, combined with competent staff, are needed for directing or guiding activities which do not warrant a procedure. Procedural controls should be applicable as effectively and flexibly as possible. It is sensible to adopt procedures which have already been prepared elsewhere and to use a delivery medium and context which optimize staff access to the procedures. Procedures should be made available and accessible to all relevant staff. Effective procedures enable staff to understand how an activity fits into the overall business process, how to do an activity, what the required standard of performance is, and what the control objectives are. The complete range of procedures and standards should be reviewed periodically to identify redundant layers that should be removed.
Supervision
Supervisory control includes all forms of regular comparisons, reconciliations and monitoring carried out in the normal course of operations by both internal and external, manual and automated sources. Effective supervision requires continuous confirmation that procedures and policies are followed properly and kept up-to-date. Managers at all levels who are responsible for supervising staff should ensure their adherence to procedures and policies, by:
• confirming that all staff are clear about their responsibilities and authorities, understand the procedures and policies pertinent to their work, and are competent to perform them
• inspecting, personally, that procedures are being followed in practice; critical, high-risk activities will require more frequent checking
• identifying changes in the enterprise that have made, or may make, any controls redundant, ineffective and/or inefficient, and encouraging staff to be similarly aware (recognizing that they are often best placed to identify uncontrolled risks, and can therefore suggest meaningful improvements to procedures and policies and recognize opportunities)
• providing regular reports on operations, with any financial data being integrated or reconciled with the corporate financial reporting system
• investigating potential or actual breakdowns in control and correcting the situation.
By implementing supervisory controls, managers are well placed to identify gaps, and so develop the competence of their staff (including subordinate managers). Successful supervision comprises just the right blend of direction, trust, delegation and necessary checking that is appropriate to the motivation and development of each level of staff. Some call this 'the invisible hand'.
Case study A local authority fitted gas-fired central heating into its housing stock. After a few days, it started to receive phone calls from its tenants, suggesting that homes were too cold or too hot. A council officer visited, and showed residents how to adjust their thermostatic controller, advising that the temperature change would not be immediate. The calls continued, and then increased. After more visits, which led to an investigation, it was found that the installing contractors had wall-mounted the thermostat panels, but had not connected them to the boiler due to a significant cost overrun. It seems neither business control framework (either that of the contractor or of the local authority) worked as intended!
Review and appraisal
Review and appraisal at periodic and regular intervals, and at various levels in the enterprise, is vital to monitor the extent to which the enterprise is on course to achieve its business objectives, in order to take appropriate and timely remedial action if necessary. Meaningful performance indicators – sometimes called KPIs (key performance indicators) – should be established and compatible measurement and reporting systems set up and used. Such indicators are a more effective control when determined for a complete process rather than individual tasks. Prompt comparison of results against plans and budgets will often detect control weaknesses causing actual loss or unauthorized exposure to potential loss and enable early remedial action at this level and/or a higher level where the root cause may be situated.
Control self-assessments can be carried out by each level of accountable managers to confirm the continued adequacy of control. This is particularly useful in the light of possible or actual changes occurring inside or outside the enterprise, which may alter the extent or types of risk to which the enterprise is exposed. This confirmation should be personally and formally reported up the line on a regular basis and it could support a management statement to stakeholders about internal controls.
All independent evaluations or internal audits of processes within the enterprise should be carried out in accordance with an integrated plan (later called a corporate audit plan) in order to avoid gaps and overlaps, and to optimize the use of staff with relevant experience. This audit plan should be approved by senior management. The existence of an audit function within an enterprise does not diminish the responsibility of accountable managers to ensure compliance with policies and procedures, or to review and appraise their unit's performance. Internal auditors provide independent opinions and advice on the maintenance and improvement of the framework of business controls and work together with management to add value to the enterprise. A review of personal performance against preset targets should be made between every level of management at least once a year.
A-Factor 14: Do not permit the terminology and detail used to describe any business control framework to deflect you from the structured simplicity of Plan–Do–Check–Act.
Throughout the rest of this book, when reference is made to our business control framework (BCF), we will be referring to the BCF described in this chapter. Table 2.8 provides a guide for mapping types of control with each of the BCF elements.
Corporate social responsibility (CSR) CSR is essentially about companies moving beyond a base of legal compliance to integrate socially responsible behaviour into their core values in recognition of the sound business benefits in doing so. Since organizations, and the challenges they face, differ widely, government interventions need to be carefully considered, well designed and targeted to achieve their objective. Some of the key themes include: • workplace – human rights, health and safety, equal opportunities, employee engagement • environment – emissions to air, land and water; pollution; biodiversity; end-of-life disposal • markets – product safety and quality; responsible marketing; supply chain • community – community relationships/development; sponsorship; emergency relief. The UK government’s approach is to encourage and incentivize the adoption and reporting of CSR through best practice guidance, and, where appropriate, intelligent regulation and fiscal incentives. Margaret Hodge, Minister of State for Industry and the Regions is responsible for CSR. Upon appointment (May 2006), she said: I am delighted to be taking on responsibility for CSR. I look forward to working with UK business to ensure that environmental protection and community cohesion are seen as an integral part of delivering sustainable economic growth and business prosperity.
Table 2.1: Guide for mapping types of control with business control elements
Use this record as a guide to the types of control that you would expect to find in the different elements of the business control framework.

Policy Controls
Owning and communicating general principles and guidance for corporate behaviour and personal standards and actions.
Examples: general business principles; governance guidelines; values and ethics; vision and mission; purpose; management integrity/'tone at the top'; laws and regulations; rules; main organizational policies (e.g. health and safety, environment, quality, contracting, project management).

Organization/Structural Controls
Establishment of an organization's capability to achieve set objectives. People deliver results through their skills, relationships and shared understanding.
Examples: strategies, objectives and goals management; organizational structure; reporting relationships; coordination and communication; accountabilities; roles and responsibilities; manual of authorities; management systems; performance targets; expectation thresholds; budgets; priorities; critical success factors; business process maps; competence and training; information sharing; motivation; incentives and rewards; commitment; teamworking and interaction; partner selection; learning networks.

Procedural Controls
How to perform processes which are in line with operational guidelines and functional standards.
Examples: operating guidelines; standards set by functional management; benchmarks; contracts; service level agreements; terms of reference; manufacturer's instructions; safety (design and engineering of systems, alarms and warning indicators); security (physical barriers, information protection, access controls); housekeeping (transaction limits, segregation of duties, procedures and work instructions); fallback or backup arrangements (job handover, absence coverage, business continuity plans).

Supervisory Controls
Comparison of how processes are being done to the standard expected, to understand why there are variances, and to take timely corrective action.
Examples: continuous supervisory oversight; compliance verification; observation and checking; challenge sessions; diagnostics; surveys/benchmarking; peer reviews; testing and piloting; reconciliations; error detection; health checks; performance monitoring/tracking; corrective measures.

Review and Appraisal Controls
Comparison of performance against plans and objectives, to appraise reasons for shortfalls/overruns, to decide how to improve, and to implement changes.
Examples: periodic management meetings/management reviews (performance and results analysis, decision-making to improve performance, implementation of changes, confirmation of improvement, scorecard/milestone reviews); incident investigation and reporting; personnel performance appraisals/feedback (360); independent internal audit; internal audit committee.
3 Planning for Audit and Assurance
Introduction As we have seen, it is becoming increasingly important for all organizations to look at themselves with integrity and honesty, and with their responsibilities to all of their stakeholders in mind, through the reflection in the mirror that an audit of their management systems presents to them, and to ask 'Do we have reasonable control of our operations?' Chapter 2 provides a history of business control, and how the simplicity of the Deming Wheel has been supplemented by the complexity of subsequent control frameworks. Legal and stakeholder expectations for statutory and corporate governance have led to a variety of codes and standards for providing greater levels of assurance. Typically, the approach within any organization is hierarchical – depending, of course, upon its size. At the highest level, this hierarchy begins with specific responsibilities for the corporate body and its executive directors, extends to the appointment of an audit committee which gains its independence by representation amongst its membership of external/non-executive directors, and the appointment of an internal audit manager. The internal audit manager is responsible for identifying and specifying a balanced mix of audit/assurance products in a rolling plan, and providing a flow of information to the audit committee for their consideration and action. Reasonable control, in the context of this book, includes health, safety, environment and quality risks. Our methodology, set out herein, will show audit practitioners and those seeking to develop a career in auditing, in step-by-step stages (just as a cookery recipe does), how to conduct a risk-based management system audit that will provide (or not!) reasonable assurance that the organization's objectives will be achieved. If taken literally, we believe that 'audit' concerns organizational improvement.
Accordingly, we will be addressing both the ‘down’ side of risk – protection of that which is important to us – but also the ‘up’ side of risk, identifying opportunities to create value from our existing and future activities. Said correctly, then, our audit process is designed to give (or not!) reasonable assurance that organizations’ objectives will be achieved. But we are ahead of ourselves for now. A-Factor 15: An audit should provide a reflection, as if in a mirror, of the auditee’s business control framework.
60
Planning for Audit and Assurance
Audit committees Organizations of all types are increasingly likely to have appointed an ‘audit committee’ (also known in different organizations as internal audit committees, business assurance committees, governance groups, and other similar titles depending upon the organization’s size, ownership and preferences). These ‘audit committees’ are responsible for overseeing all of the activities within the organization that are generically called ‘audits’. There are several types and levels of audits, and these are discussed in the pages which follow. A current definition of internal auditing is that it is: An independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and internal auditing. IIA-UK & Ireland (2004). This book absolutely is all about independent, objective assurance; improving operations; and systematic approaches to achievement of business objectives for the benefit of all the stakeholders. Our definition of internal auditing is ‘A structured, management process overseeing all of an organization’s own internal controls. It provides independent, objective assurance when the selected framework for control can be reasonably expected to support the achievement of objectives, and an alert to stakeholders to initiate improvement when it may not.’ Whatever the definition, it is the role of the audit committee to deliver it. A-Factor 16: A prime reason for audit is organizational improvement, as well as providing assurance. I think the thing to remember about auditing is that anyone can be a compliance auditor, can check a list and put a tick in the box. The real benefit of auditing comes from adding value, being constructive, and helping companies to improve over a period of time, however long that is. 
– Andrew Burns-Warren, Managing Director, ISC (a certification body).
The principal corporate responsibility of audit committees is to review and endorse the effectiveness of all of the organization's internal control frameworks. This responsibility is achieved by effective audit planning, and thereafter ensuring the timely delivery of a balanced programme of audits as established by the plan which identifies the 'up' and 'down' sides of risk, and how these, individually and overall, affect the organization and its stakeholders. The overall opinion is derived from a rolling audit (or assurance) plan, often endorsed and agreed on an annual cycle for typically a three-to-five year window. Information is gathered throughout the life of the audit plan, which is reviewed during and at the end of each audit cycle, and that guides the overall opinion of the audit committee in the reports it provides to senior management. Done effectively, this report to senior management provides confirmation that the audit committee and line management are listening to the auditors – their reports, recommendations and assessments – and is ensuring that the potential for improvement across the organization is being capitalized on. This lateral learning will be effective if the audit committee ensures that line management in similar parts of the organization to those where particular findings arise check their own control frameworks. Line management needs to understand the reasons for, and the manner by which, it can gain the potential and/or necessary protection and improvements – i.e. by taking appropriate, timely action upon the audit findings. Corporate governance requires that significant risks are brought to the attention of shareholders and other investors/interested parties. Increasingly, organizations are providing assurance information to other stakeholders, such as the media and the public, as a part of public accountability initiatives, elsewhere referred to as corporate social responsibility (CSR).
The role of the audit committee The role of the audit committee is to: • approve the audit plan for plan year, and to endorse it for subsequent years (as noted above, typically three to five years) • endorse draft audit terms of reference (ToR) for audits in the plan year • facilitate access to auditors (often who will be on a part-time secondment from line management for the duration of each audit) • receive summaries of all audit reports from the internal audit manager to check and challenge as necessary • review follow-up of actions and recommendations • promote lateral learning throughout the organization • assess overall performance of the audit function • provide annual assurance to the main executive board.
Key roles related to audit There are two other key roles related to internal audit in many organizations. These are: 1. Head of internal audit (aka the internal audit manager) 2. Line managers. The main roles of these groups are the following.
Head of internal audit • Devise rolling audit plan – current year and outline for subsequent years – for approval by the audit committee • Prepare draft ToR for each audit (which will be endorsed by the audit committee) • Recruit and develop audit resources (e.g. lead auditors and administrative support) • Maintain lists of lead auditors and auditors (usually in line management positions) available for undertaking audit assignments • Ensure audit teams have the right mix of competences (knowledge of the audit process, knowledge of the audit subject, skilled in working with others, and experience of practical auditing) in their team leadership and membership • Receive audit reports when issued • Promote lateral learning throughout the organization • Keep the audit plan under review.
Line managers • Release staff as requested to participate as auditors in other locations/departments as per the audit plan • Respond to audit recommendations relating to own site/department. This second point is critical. In many jurisdictions, failing to respond to recommendations raised by an audit would be considered very serious, with punitive criminal and/or civil penalties a possible consequence, particularly upon discovery following a significant loss. In the context, ‘respond’ implies a formal and recorded decision followed by a corresponding and timely action on each recommendation, rather than implementation per se.
Types and levels of audit There are many different types of ‘audits’, generally undertaken against a reference framework of one kind or another – even if sometimes this amounts to a reference to ‘best practice’ in the eyes of the lead auditor/the audit team. The origins of reference frameworks are discussed in Chapter 2 of this book.
The selected reference framework (or frameworks) included within the organization's overall audit plan will provide the subject matter for each audit (e.g. environment, health and safety), and clearly set out the expected structure of business controls against which each audit will be assessed. Some readers will remember a BBC television show, popular in the UK in the 1980s, called Blankety Blank. Whether you are familiar with this show or not, imagine now the number and variety of words that could precede the word 'audit':
• health and safety
• fire
• financial
• housekeeping
• quality
• IT
• procurement/supply chain
• pre-acquisition/due diligence
• pre-flight
• sexual/religious/political preference.
Some of these – and of course other – different types of audits exist in probably all organizations. Some are very conceptual in nature, perhaps with a consultancy-type approach to their conduct (e.g. 'Could we increase the warranty period from one year to two?'), whilst some are more of a transactional/compliance-check nature (e.g. 'We have to be sure that this is right in every detail before we switch it on'). Figure 3.1 shows some of these audits, and where they typically fit against two independent continuums – consultancy vs compliance and conceptual vs transactional.
Case study A UK-based manufacturer of carrier bags was the subject of an environmental audit that highlighted possible cost savings in electricity by replacing the power correction units. These were subsequently installed at a cost of £13 000 (GBP), and produced annual savings of £4000 (GBP).
Levels of audit From all of the different audit types and levels we have described, audits generally can be said to exist at three different levels:
Figure 3.1 Varieties of audit – consultancy v. compliance; conceptual v. transactional. The figure plots example audits against the two axes: a strategic review sits at the consultancy/conceptual end, a monthly check at the compliance/transactional end, with due diligence audits, HSEQ MS audits and joint venture audits in between.
• Level 1 • Level 2 • Level 3
Level 1 A Level 1 audit is a planned internal self-inspection made by appointed line staff who are responsible for identifying non-compliance with policies and procedures, reporting their findings to line management and following up corrective actions. Most HSEQ practitioners will be familiar with these hourly, daily, weekly and monthly checks undertaken by 'safety reps' and 'quality inspectors', often against a checklist, though use of such a list is not mandatory from our perspective. Clearly, effective supervision can also be classified as Level 1 (though some refer to this as 'Level 0'), since this activity involves confirming that the quality of outputs is 'right first time' and correcting the situation if it is not. We would see this as a part of a supervisor's normal work routine – it is entirely line management's direct responsibility. An example of Level 0/1 inspection is seen in many High Street retail organizations that operate a 'clean as you go' policy. Staff inspect regularly and clean up spillages (e.g. of loose soft fruit).
Level 2 A Level 2 audit is an independent appraisal of selected management systems, and thus the subject matter of this book. Level 2 audits are generally done by staff from the organization itself, but it would be usual for these to be from a different operation or department to that which devised and operates the system under scrutiny. This gives independence to the audit opinion (and we shall come back to the notion of 'independence' later in this chapter). An example of a Level 2 audit could be an audit of how a contractor is performing against a set specification or contract. Another example could be an audit of health and safety performance against an organization's own health and safety management system.
Case study A UK-based oil and gas production affiliate of a global company developed a strong internal EHS-MS model, including an annual self-assessment audit plan covering the whole organization, in response to major hazards legislation. The US-based parent had a pre-existing global EHS audit process which mandated an external ‘compliance audit’ of the UK subsidiary every three years. Initially the two systems operated independently and the external audits were viewed by the UK organization as time-consuming and resulting in very few improvement ideas. It was suggested an experienced external auditor should join one internal audit, and this was agreed by all involved. This led to significant benefits, with the internal and external auditors complementing each other, providing value-added findings and identifying several opportunities for good-practice transfer.
Level 3 A Level 3 audit generally concerns an audit leading to an external certification or a level of approval by a customer. This validation or certification may comprise a client’s approval to ‘stay one of our suppliers’ for some specified period, or alternatively result in the award of a ‘certificate’ signifying compliance with a national and/or (and this is becoming much more common since the mid-1990s) an international certification. A representation of these three levels of audit is shown in Figure 3.2.
Figure 3.2 Three levels of audit. Level 1: internal self-inspection (example: departmental check). Level 2: independent MS audit (example: facility audit). Level 3: external certification (example: ISO certification audit).
Case study At a seminar in March 2004 in Scotland, attended by organizations involved with ISO 9001 in a range of business sectors, 160 attendees voted as follows:
1. following ISO 9001 is a complete waste of time; our money and efforts would be better utilized in other ways – 24 per cent
2. a QMS based on ISO 9001 is good for business, but it can be adequately maintained by the business alone – 44 per cent
3. as for 2, but to be effective it needs to be monitored by a competent third party – 17 per cent
4. accredited certification to ISO 9001 provides clear benefits for any business – 15 per cent.
Case study A UK gas terminal obtained ISO 9002 certification for supply of products. As the globally mandated corporate internal ‘flawless operations’ integrated MS became fully effective, the ISO 9002 systems were seen to have no added value and, after six years, the certificate was discontinued.
Some examples of internationally recognized approvals or certifications (sometimes called verifications) that can be awarded or granted after Level 3 audits are noted below. Not all of these are generally certifiable, and some (or all) of these standards will be familiar to readers. Accordingly, and for brevity, we have decided not to include a précis or description of each standard, and refer interested readers to our bibliography instead, where details are provided. Suffice to say that, generally speaking, most follow the PDCA structure of the Deming Wheel discussed in Chapter 2.
Quality
• ISO 9001 (Quality Management Systems – Requirements; replaced BS 5750)
• QS-9000 (Quality Management System developed by General Motors, Chrysler and Ford)
• ISO/TS 16949 (Quality Management System developed by the IATF – International Automotive Task Force – working closely with the International Organization for Standardization, ISO)
• EFQM Excellence Model.
Health and safety
• OHSAS 18001 (Occupational Health and Safety Management Systems – Specification; developed by a consortium of certification bodies)
• ANSI/AIHA Z10-2005 (American National Standard for Occupational Health and Safety Management Systems)
• ILO-OSH 2001 (International Labour Organization Guidelines on Occupational Safety and Health Management Systems) – not certifiable
• HSG 65 (Successful Health and Safety Management)
• BS 8800 (Health and Safety Management Systems)
• HACCP (Food Hygiene – Hazard Analysis and Critical Control Point).
Environment
• ISO 14001 (Environmental Management Systems)
• EMAS (Eco-Management and Audit Scheme).
Security
• ISO 17799 (Code of Practice for Information Security Management)
• BS 7799 (Information Security).
BS 7799 Part 2 was superseded by ISO/IEC 27001:2005, and ISO/IEC 17799:2005 was renumbered as ISO/IEC 27002 in 2007, so an information security audit today would normally reference those numbers. For this book, we have focused upon our recommended audit methodology principally for Level 2 audits, and to a lesser extent, Level 3 audits.
Use of this auditing methodology for non-HSEQ audits Whilst this book focuses upon Health and Safety, Environment and Quality Audits, the authors believe passionately that the auditing methodology described in this book can be successfully and powerfully applied to reference frameworks relevant to other topics and specialisms. Indeed, we have ourselves applied this methodology to contractor, security, food hygiene, motor fleet, and fire/asset protection audits during the period covering the preparation and writing phases for this book.
A balanced audit plan An important role held by the head of internal audit is to seek to balance the mix of types and Levels of audits covering all parts of their organization, whilst considering the most appropriate intervals, intensities or frequencies to conduct these. A-Factor 17: A rolling, balanced audit plan is a foundational and essential component in preparation for providing internal and external assurance to stakeholders.
Tip – On our travels as auditors and audit trainers, we have come across many organizations that have adopted the levels of audit as described here. We have also come across other organizations that have reversed the order (3, 2, 1), named (rather than numbered) the levels, or have more (or fewer) levels than we have described herein. This does not matter; the principle remains the same.

The audit planning will typically include a risk assessment, including evaluation of such matters as:
• complexity of operation
• impact of loss
• level of control achieved (i.e. the audit opinion last time).
The audit intensity (i.e. the number of auditor days) will depend upon the judgement of the internal audit manager as a result of this assessment.

The balance of an audit plan can be represented – as a representation of coverage – as a jigsaw (Figure 3.3). Note how there are no overlaps, and no areas are missed. Also note how interfaces – where one section joins another in a ‘handshake’ – are considered. In totality, an audit/assurance plan will show how each part of the organization (location, process or combination of both) is covered, and at what frequency. Consider also a three-dimensional jigsaw. It would show the different types and levels of audit. Under each jigsaw piece may be a number of layers, each a different subject at a different frequency (e.g. quality audit annually, safety audit biannually). Doing all audits ‘annually’, or at some other predefined frequency, overlooks the reality of varying levels of risk. Unless there are specific reasons to do so (e.g. a legal requirement), arbitrary intervals generally do not make sense, and are difficult, and rightly so, to justify to line managers on the receiving end. We think that organizations can gain more useful and more cost-effective audit performance at any acceptable level of cost by considering their overall governance needs first.
Figure 3.3 A representation of an organisation’s audit plan – everything covered; with clear interfaces
The internal audit manager and the audit committee prove their value to the organization by looking at the needs of the whole, and contrasting these with the needs (and applicable constraints) of the parts. For example, it may be that ‘the central distribution depot’ in Birmingham is critical to the organization, whilst the ‘Exeter parts store’ holds mainly obsolete stock. Accordingly there will, very probably, be a greater need shown in the audit plan for broader, deeper audits in Birmingham than in Exeter. A well-thought-through audit plan aligns audit frequency, at each level (0/1, 2, 3), to the governance needs of the organization at that time. The most appropriate ‘audit mix’ is likely to give the highest level of assurance at a cost acceptable to the organization. Keeping the audit plan under regular review, as we have said, remains a role of the audit committee. A-Factor 18: The audit committee is responsible for keeping the audit plan under regular review.
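The risk-based, balanced plan described above, as an added worked example that is not part of the book: a small Python script that models the jigsaw. Each piece is the subject of one ToR and covers a set of (location, process) units; its audit interval is derived from the three risk factors the text lists (complexity of operation, impact of loss, level of control achieved last time), and the plan is checked mechanically for gaps and overlaps. The scoring formula, the interval bands, the piece names and the sample units (a Birmingham depot and an Exeter parts store, following the text’s example) are constructed assumptions, not the authors’ method.

```python
"""Risk-based audit plan checker (added example; not from the book).

Models the 'jigsaw' audit plan: the organization is split into pieces, each
the subject of one ToR, covering (location, process) units. Each piece gets an
audit interval from a risk assessment of complexity, impact of loss and the
level of control found last time. Scoring, bands and sample data are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Piece:
    name: str
    units: frozenset              # (location, process) combinations this piece covers
    complexity: int               # 1 (simple) .. 5 (highly complex)
    impact: int                   # 1 (minor loss) .. 5 (major loss)
    control: int                  # last audit opinion: 1 (weak) .. 5 (strong)
    last_audited: Optional[date] = None


def risk_score(p: Piece) -> int:
    """Assumed formula: complexity and impact raise risk, a strong last opinion lowers it."""
    return p.complexity * p.impact * (6 - p.control)


def interval_months(score: int) -> int:
    """Assumed bands mapping risk score to audit interval in months."""
    if score >= 60:
        return 6
    if score >= 30:
        return 12
    if score >= 12:
        return 24
    return 36


def months_since(earlier: date, later: date) -> int:
    return (later.year - earlier.year) * 12 + later.month - earlier.month


def is_overdue(p: Piece, today: date) -> bool:
    """A never-audited piece is overdue; otherwise compare elapsed months to its interval."""
    if p.last_audited is None:
        return True
    return months_since(p.last_audited, today) >= interval_months(risk_score(p))


def coverage_check(organization: frozenset, pieces: list[Piece]) -> dict:
    """No gaps (every unit sits in some piece) and no overlaps (no unit sits in two)."""
    covered: set = set()
    overlaps: set = set()
    for p in pieces:
        overlaps |= covered & p.units
        covered |= p.units
    return {"gaps": sorted(organization - covered), "overlaps": sorted(overlaps)}


def schedule(pieces: list[Piece], today: date) -> list[tuple[str, int, bool]]:
    """Pieces with (name, interval in months, overdue flag), overdue and highest risk first."""
    rows = [(p.name, interval_months(risk_score(p)), is_overdue(p, today)) for p in pieces]
    return sorted(rows, key=lambda r: (not r[2], r[1]))


# Constructed sample: two sites, three processes each. The plan below deliberately
# omits Exeter dispatch so the coverage check has a gap to report.
ORGANIZATION = frozenset({
    ("Birmingham", "goods-in"), ("Birmingham", "storage"), ("Birmingham", "dispatch"),
    ("Exeter", "goods-in"), ("Exeter", "storage"), ("Exeter", "dispatch"),
})

PIECES = [
    Piece("Birmingham depot",
          frozenset({("Birmingham", "goods-in"), ("Birmingham", "storage"),
                     ("Birmingham", "dispatch")}),
          complexity=5, impact=5, control=3, last_audited=date(2006, 1, 15)),
    Piece("Exeter parts store",
          frozenset({("Exeter", "goods-in"), ("Exeter", "storage")}),
          complexity=2, impact=2, control=4, last_audited=date(2005, 6, 1)),
]

TODAY = date(2006, 9, 1)   # constructed 'as at' date for the plan review

if __name__ == "__main__":
    print(coverage_check(ORGANIZATION, PIECES))
    for row in schedule(PIECES, TODAY):
        print(row)
```

Run against the constructed data, the coverage check reports ('Exeter', 'dispatch') as a gap and no overlaps, and the schedule lists the Birmingham depot first (score 75, six-month interval, overdue) ahead of the Exeter store (score 8, 36-month interval). This is the ‘no gaps, no overlaps’ inspection of the jigsaw and the varying-frequency argument made in the prose, turned into a check the internal audit manager can re-run each time the plan changes.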
Audit terms of reference Draft terms of reference for each audit will usually be prepared by the internal audit department in advance. When appointed, the lead auditor will generally liaise with the internal audit manager for any clarification on the details of the assignment. Each ToR document will relate to a discrete part of the overall audit plan (i.e. one jigsaw piece).
The ToR document should generally cover at least three main areas:
• objectives
• reference framework(s)
• scope.
Objectives The objectives of an audit can vary. The audit committee may have adopted ‘house language’ such as Six Sigma, Kaizen, 5Ss and so on; each of these terms should remind us that ‘continuous improvement’ is a major aim of a management system. Audit objectives tend to be to provide assurance to management that the reference framework is implemented and effective, and if not, to alert them to problems as found, and finally (if we can, in terms of time and competence) to provide advice or assistance about corrective action. A-Factor 19: The audit objectives can be referred to as ‘the 3 As’ as an aide-mémoire – Assure, Alert, Advise.
Reference framework(s) Audits may include one or more reference frameworks. Each reference framework tells the auditors in the team which structure of controls is to be used for their audit work. For OHSAS 18001:1999, the auditors will consider the management controls in place aligned to the following framework:
4.1 General requirements
4.2 OH&S policy
4.3 Planning
4.4 Implementation and operation
4.5 Checking and corrective action
4.6 Management review
Scope The audit scope is a statement highlighting what and where the audit work is to take place – the processes and/or location included. It advises what is ‘in’ and what is ‘out’ of the scope of the audit assignment. The answer to the question ‘Does our work include third-party deliveries?’ should be found within the scope of the ToR.
At the start of any audit, the ToR document will generally be in draft format. Later this will be discussed and formally agreed with the subject organization’s management representative(s) at the opening meeting. How to do this effectively is described later, where we also discuss how to ‘sell’ an audit. A-Factor 20: The Terms of Reference are the contract for the audit – the agreement between the organization and its auditors of ‘what’ will be delivered by the end of the audit. No audit should commence without agreed ToR. We have included a skeleton ToR document in Chapter 5, Figure 5.2. This can be freely used in future HSEQ audits as a starting point or for guidance.
Tip – When you are asked to join an audit team, or participate in an audit, an ideal first question to ask is ‘Please can I see a copy of the ToR?’ It should confirm why you have been asked to participate in this audit; parts of the Scope should align with your own competencies.
Selection of the audit team The selection of an audit team usually commences with the appointment of the lead auditor. The lead auditor should be competent to complete the job. Typical characteristics are:
• an experienced auditor, able to keep a team moving, and bring it to consensus with a conclusion and an opinion of the status of control in the auditee’s organization
• formal training in auditing techniques provided by a recognized auditor training organization
• participation in numerous audits, firstly as a team member before progressing to lead audit teams
• possibly formally certified as a ‘lead’ or ‘principal’ auditor by one or more of the recognized auditor registration bodies (for more details, see later in this chapter).
From here on, things can vary from organization to organization, and from audit to audit. Audit teams ideally comprise a mix of internal and external human resources to balance internal detailed knowledge with external breadth. The three main ways that audit teams can come together are summarized as:
• selection by the internal audit manager
• selection by the lead auditor
• provision of auditors by the unit to be audited.
Selection by the internal audit manager The internal audit manager may specify the team by selecting suitable individuals from the organization’s list of internal auditors (both full-time and part-time), and give it to the lead auditor. This can bring an audit team together reasonably quickly, and can certainly prevent any suggestions that the team has any bias in its formation. Each team member will need to understand auditing, and usually each member of the team will have been formally trained by a recognized auditor training organization, though sometimes this training is ‘on the job’ (and this audit may be a part of that training!). A possible downside to this approach is that line management for the part-time auditors may resist releasing them because ‘we are busy that week’.
Selection by the lead auditor The lead auditor may be given a certain freedom to select the audit team. With experience, the lead auditors will know how to select people with whom they have good working relationships, know them to be confident auditors and able team players.
Provision of auditors by the unit to be audited Sometimes, the organization which is to be audited may wish to provide one or more team members, for example, as a part of an internal training and development plan. This can be helpful to the audit team, as these individuals are likely to be better placed to know who to talk to about any given theme, where to find documents on site, and so on. However, great care should be taken by the lead auditor in balancing the professional skills and experience in the audit team – too many medical doctors without audit experience could be counter-productive! Regardless of how the audit team is formed, it is useful if they have some knowledge of the activities of the site to be audited (e.g. including one or more medical doctors in the team is invariably useful if the audit is in a hospital). Tip – Base the team selection (if you can) on the requirements in the ToR. An audit is a project, and team selection is critical to a meaningful outcome.
Case study An organization with internal systems based on the EFQM model requested bids for certification to ISO 9001. During bid evaluation, it met the proposed auditors, and awarded the contract to an organization with limited experience in their business sector, but with an auditor clearly committed to continual improvement. When they later required certification to ISO 14001, they rejected a bid from their current certifier, as the proposed Environment auditor was judged to have a ‘tick-box’ approach, in contrast to the Quality auditor. This organization won a European Quality Award in the year 2003.
The role of the lead auditor The role of the lead auditor is a critical one, and their first involvement typically starts up to three months before the start of the audit work on site. Early activity for the lead auditor may be to liaise with the audit manager in the scheduling of the audit and/or with the production of the draft ToR for the particular audit. As we have said elsewhere, a final ToR will usually be agreed with the auditee just before or at the opening meeting. As described, the lead auditor may be involved in the selection of some or all of the other members of the audit team. The size and complexity of the organization to be audited will ultimately determine how many other auditors may be necessary and the duration of the project (i.e. how long the audit will last). The usual convention is for the audit manager (who may also be advised by others) to schedule auditor-days, and then to divide this by the target audit duration to determine the number of auditors needed on the audit team, or vice versa. In practice, we note that this is often a compromise between the auditor-days the lead auditor would like allocated to the audit team to do a thorough job, and the wishes of the site, especially if it is paying fees and expenses for each of these days. A-Factor 21: For Level 2 audits, the team should comprise a minimum of two members (i.e. a lead auditor, plus one other auditor), with access to support for peer review.
Independence Fairly experienced individuals in diverse businesses and other organizations believe that independence comes wholly and only from outside their own organization. Some readers may have observed with interest how ‘external’ advice is treated in some organizations, compared to advice given internally – i.e. it is sometimes more likely to be accepted, or treated with reverence.
In our experience, independence is not binary. It is not something that you either have, or do not have. Consider the following scenarios:
1. I am auditing an organization managed by an individual whom I would really like to be my next boss.
2. I am auditing an organization managed by an individual I rely upon for our next large consultancy order.
3. I am auditing an organization managed by an individual whose beautiful daughter/handsome son I would like to marry next year.
How many auditors can say that they would not be influenced at all by these factors, irrespective of their (internal or external) employer? We believe that independence comes in degrees. The level of independence in any audit team will be a factor that should have been considered by the audit manager, and in turn, the audit committee at the time the audit plan was approved. In practice, the independence of the audit as it progresses will be monitored (and actioned as necessary) in real time by the lead auditor throughout the conduct of the project. The lead auditor remains ultimately responsible for the audit, and the audit opinion. This responsibility is discussed in detail in Chapter 7. Tip – Resist inappropriate membership of the team, for example someone who may have a vested interest in the outcome, such as a line manager from the section to be audited.
Case study After an accident investigation, a food industry manufacturer with a strong Hazard Analysis and Critical Control Point (HACCP) process and generally good OSH record was cited by the UK regulator for inconsistent risk assessment. The company strongly disagreed with this finding and sought advice from an experienced OSHMS consultant, who after further investigation concurred with the regulator. The HACCP process identified some, but not all, OSH hazards and the company eventually recognized this. Steps were taken to remedy this defect, and to ensure the resulting additional controls were regularly monitored and reviewed, these minor additions were readily added to the existing HACCP process.
A-Factor 22: Recognize the importance to the overall audit opinion of an objective view from an independent audit team.
Auditor registration organizations As auditing has become considerably more widespread since the mid-1990s, the number of auditor registration organizations has grown to such an extent that there are already some early signs of mergers between them as dominance in the marketplace is sought. Likewise, individual registration with these auditor registration organizations has grown at unprecedented levels (Figure 3.4). Increasingly, these auditor registration organizations require their professional members to participate in programmes of Continuing Professional Development (CPD), which includes both learning elements and evidence of leading (or participating in) audit teams. This mandatory approach to CPD by the registration organizations is commended; all current and aspiring HSEQ auditors are encouraged to join such organizations as appropriate and applicable to their sphere(s) of activity at the appropriate grade, as they offer such benefits as:
• initial and top-up training
• professional recognition (often with an escalating scale of professional and/or career grades)
• peer and client approval
• networking opportunities
• CPD opportunities.
We have discussed some of the technical and experiential attributes of HSEQ auditors. Apart from these, professional auditors need ‘soft’ skills too: an ability to interact with other human beings in commercial and other environments. Tip – ‘Once you have rapport, they tend to like you more’.
International auditor registration bodies A sample of international auditor registration bodies is listed below, with summary information on each following. We have included an internet URL for each to enable readers to assess each of these organizations relative to their own particular needs. There are other certification bodies, and this list is by no means exhaustive:
• International Register of Certificated Auditors (IRCA) – www.irca.org
• RABQSA International – www.rabqsa.com
• Institute of Internal Auditors (IIA) – www.theiia.org
• Institute of Environmental Management and Assessment (IEMA) – www.iema.net
• American Society for Quality – www.asq.org
• Board of Environmental, Health & Safety Auditor Certifications (BEAC) – www.beac.org
Figure 3.4 Graph showing growth of IRCA-certificated auditors 1984–2006 (registered auditors at year end, on a scale from 2,000 to 14,000; 1984–91 values approximate)
IRCA IRCA was formed in 1984 as part of the UK government’s enterprise initiative, designed to make industry and business more competitive through the implementation of quality principles and practices. This structure included:
• IRCA
• an accreditation body (now known internationally as UKAS)
• a national standards making body (BSI Standards)
• a number of commercial certification bodies.
The original reference framework/quality management standard used was the British standard BS 5750, which has since evolved to become ISO 9001. The evaluation and certification methods developed and used by IRCA have been adopted as the industry standard model used by other auditor certification bodies. IRCA says that ‘… we remain the auditor certification that supplier organisations, certification bodies and auditors value most.’ IRCA claims to be the world’s original and largest international certification body for auditors of management systems. It is based in London, UK. Over 26 000 auditors, based in more than 105 countries, have been awarded certification since 1984. Certification results in representation on the appropriate IRCA register (Figure 3.5). IRCA provides auditors, business and industry with two main services:
• certification of auditors of management systems
• approval of training organizations and certification of auditor training courses.
It has approved over 90 training organizations. IRCA’s mission is to:
• instil confidence in accredited certification worldwide by improving the performance of auditors
• associate the IRCA name with integrity, best practice and adding value
• promote auditing as a valued profession
• provide an excellent administration service to all stakeholders, which sets a benchmark for others to follow
• improve the standard of auditors and auditor training
• make IRCA certification available to all relevant organizations and individuals worldwide
• promote best practice in auditing.
Figure 3.5 An IRCA OH&S Lead Auditor certification card
RABQSA International RABQSA was established from two legacy auditor registration bodies, RAB of the USA and QSA of Australasia. It has two principal offices, in Penrith, Australia and Milwaukee, USA. The mission of RABQSA is ‘to improve the performance of industry by providing recognition to individuals who, having demonstrated competence to RABQSA International approved certification schemes, can improve and offer a positive contribution to the performance of organizations’. RABQSA certifies management system auditors, business improvement specialists and management consultants across a range of disciplines, including quality, environmental and OH&S. Those certified are examined to ISO 17024:2003 and are recognized as competent, having demonstrated the required knowledge, skills, personal attributes and additional qualifications specific to their scheme and/or scope of certification.
IIA Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association of more than 120 000 members based in around 160 countries. It has global headquarters in Altamonte Springs, Florida, USA and a regional network throughout the world. IIA says that it ‘is recognised as the internal audit profession’s leader in certification, education, research, and technological guidance.’ Also see BEAC.
IEMA The Institute of Environmental Management and Assessment (IEMA) is a not-for-profit organization established to promote best practice standards in environmental management, auditing and assessment. Its origins lie in the merger of the Institute of Environmental Management (IEM), the Institute of Environmental Assessment (IEA) and the Environmental Auditors Registration Association (EARA) in 1999. It is based in Lincoln, UK. IEMA currently operates three specialist registers, one of which is especially applicable to auditors. The IEMA Environmental Auditors Register has been in operation since before 1999 and is recognized internationally. The register has over 2000 auditors listed, based in approximately 60 countries worldwide. IEMA is growing quickly; it welcomed its 10 000th member on 31 May 2006.
ASQ The American Society for Quality (ASQ) is based in Milwaukee, USA, and is an authority on quality, with more than 100 000 individual and organizational members. Its mission is to ‘advance learning, quality improvement, and knowledge exchange to improve business results, and to create better workplaces and communities worldwide.’ Since 1991, ASQ has administered the United States’ annual premier quality honour, the Malcolm Baldrige National Quality Award, which recognizes companies and organizations that have achieved excellence in performance. ASQ maintains a number of auditor registers, including the ASQ-certified quality auditor.
BEAC BEAC is an independent, non-profit corporation established in 1997 to issue professional certifications relating to environmental, health, and safety auditing and other scientific fields. BEAC was originally created as a joint venture between The Institute of Internal Auditors (The IIA) and the Auditing Roundtable, Inc. It has headquarters in Altamonte Springs, Florida, USA. A-Factor 23: First impressions count. Get the highest level of professional qualifications that you can, pursue CPD, and use your (applicable) designatory letters on business cards, reports and other stationery.
The International Personnel Certification Association (IPC) – www.iatca.com IPC may also be of interest to auditors, as it is a membership association for certification bodies. In 2005, the International Personnel Certification Association (IPC) replaced the organization known as IATCA (International Auditor and Training Certification Association), which had been founded in Singapore in 1995. It is now based in Athens, Greece. IPC’s mission is ‘to provide recognition to individuals who, having demonstrated competence to IPC approved schemes, can improve the performance of organisations.’ IPC has described the reasons for this change:
‘The members of IATCA recognised that there are now many sectors within business and industry and government that require and benefit from personnel certification. IATCA was established 10 years ago expressly to address the management systems market. During those 10 years, the requirement for personnel certification has extended into many more contexts within business, industry and government and it is now recognised that management systems form only a small part of the personnel certification market. To accommodate those changes IATCA has expanded its remit to include and contribute within those other areas, and evolved into IPC.’
IPC differs from IATCA in that its membership requirements have changed. Full membership is offered only to personnel certification bodies which are accredited to the new ISO standard for accreditation of personnel certification bodies – ISO 17024:2003.
4 The Audit Process Roller Coaster©
Imagine a roller coaster ride This vision, first described in our Introduction, provides a powerful image which an effective lead auditor should have in mind of the job to be done, the challenges to be met, the best responses to those challenges, and how to execute each stage of the audit successfully. The major steps in The Audit Process Roller Coaster© journey, as shown in Figure 4.1, are:
• familiarization with the auditee’s business environment
• meeting the auditee and agreeing terms of reference (ToR)
• developing a risk-based work plan
• establishing the expected business control framework (BCF)
• reviewing and verifying selected controls
• identifying and assessing the strength and weakness of the controls
• assessing the strength of the overall BCF
• determining the audit opinion and key messages for management
• reporting.
Figure 4.1 The Audit Process Roller Coaster© activities. Vertical axis: level of detail involved, from summary to very detailed. Set-up: background data, initial meeting with auditee, terms of reference, work plan, expected control framework. Review and verify: interviews, tests, actual control framework, complete findings, audit file and working papers. Report: assess control framework, clear findings, cluster/group findings, opinion and summary findings, present to auditee, audit report.
Overview of the vision
1. An audit starts at a leisurely pace whilst the audit team climbs up to a high vantage point, in a manner of speaking, so they can obtain sufficient up-to-date background information to become familiar with the auditee’s area of responsibility.
2. After completing this familiarization, the audit team is in the best position to create a risk-based work plan.
3. The audit team now knows that the time available for set-up is behind them, and so nerves start to appear as they feel the pace begin to pick up and the pressure of being on the edge of a precipice, looking down at a deep chasm, begins to tell.
4. The audit team can easily feel out of control as they travel down the steep slope gathering ever more detailed amounts of data.
5. The lead auditor needs to ensure the audit team is well placed in documenting their detailed audit findings and their initial analysis of the BCF before the time available for fieldwork has elapsed. Only then will there be sufficient momentum to be able to extricate the audit team from the detail and move back up to a higher level.
6. The audit team must rely upon their momentum to push them up the final slope of The Audit Process Roller Coaster© and spend the last part of the time available finding the synergies and synchronicity within the detailed findings.
7. The final push is to present conclusions so that they will have sufficient resonance within the busy worlds of senior management to result in them taking action to improve the business control framework.
In our experience, auditing a management system or a BCF is akin to a ride on a roller coaster. The Audit Process Roller Coaster© shown in Figure 4.2 comprises two simple dynamics, top down and bottom up.
Dynamics of The Audit Process Roller Coaster© Moving top down enables the audit team to move its attention from top level, summary information encompassing whole processes, downward into detailed information encompassing subprocesses and individual activities. By fully understanding how the auditee management expects their BCF to operate, the audit team can establish its priorities before descending into the detailed and time-consuming work of auditing specific key activities. Moving bottom up enables the audit team to build their conclusions and an overall assessment of the adequacy of the BCF on a sound foundation of logical argument, supported by factual evidence.
83
The Audit Process Roller Coaster©
Figure 4.2 The Audit Process Roller Coaster© dynamics (the two arrows of the diagram are labelled ‘top down’ and ‘bottom up’)
The gradient of the top down journey and the depth of the curve at the bottom of The Audit Process Roller Coaster© will differ depending upon the results of the initial review of the expected BCF. In areas where expected controls are in place, the journey will continue downwards, but in areas where the auditee either confirms or reluctantly accepts that the necessary controls are not designed appropriately or do not exist at all, then The Audit Process Roller Coaster’s bottom curve will be much shallower, as shown in Figure 4.3.
Figure 4.3 The Audit Process Roller Coaster© level of detail of enquiry (vertical axis: level of detail involved, from summary to very detailed; stages along the curve: set-up, review and verify, report)
In a normal scenario, the audit team needs to dig deep to confirm the controls are functioning as expected, whilst in the other three scenarios (shown by the dotted lines), auditors would only need to spend time going into more detail if the absence of specific controls was thought to have caused major losses or was creating an unacceptable level of exposure. In reality there will be many lines of enquiry being carried out simultaneously by an audit team, each with its unique level of detail of enquiry. The audit team may unearth a situation that requires them to visit areas which were not selected for the audit work plan as critical processes at a higher level of The Audit Process Roller Coaster©, and they will find that climbing back up The Audit Process Roller Coaster© is time and resource-consuming.
A-Factor 24: The Audit Process Roller Coaster© comprises two simple dynamics – top down and bottom up.
An audit is a project
An audit is a project, a series of related activities with a start, middle, and end. Like every well-managed project, it should have a realistic timing plan, an agreed-upon budget and a clearly specified objective. So effective auditing includes carrying out an audit which covers the agreed scope on time and to budget. If you fail to do this, you fail as a lead auditor. Optimizing the utility of the deliverable is also an important benchmark of an effective lead auditor. Whilst an audit’s purpose is generally to improve the management of the activities comprising the audit’s scope, the responsibility for exactly how that is achieved lies with the relevant audit or assurance committee.
Case study
In our position as a training company that delivers internal audit training courses throughout the world, it is often the case that when we discuss how successfully audit reports are instrumental in effecting change within a business, too many of the line managers on the courses tell us that even if they have contributed a lot of their own and their staff’s time to assisting auditors, they do not see the report or recommendations.
A-Factor 25: The main deliverable of The Audit Process Roller Coaster© is an audit report that triggers improvement.
It is very important that every audit team, as it prepares for an audit, thinks about what their journey may look like over its timeframe: setting up, reviewing and verifying work, and reporting. Close supervision of the audit team’s work by the lead auditor is necessary throughout the audit.
Figure 4.4 The Audit Process Roller Coaster© time planning (set-up 20%, review and verify 60%, report 20% of total audit time; vertical axis: level of detail involved, from summary/audit report to very detailed)
To do all this effectively, the lead auditor must develop a time and resources plan that allocates an appropriate amount of time for each stage and identifies key checkpoints. Figure 4.4 shows our suggested time planning which has about 20 per cent of the total time available for set-up of the audit, 60 per cent of the total time for the review and verify stage (audit field work) and the residual 20 per cent of time for the reporting stage.
A-Factor 26: A lead auditor can decide, if it is a relatively inexperienced audit team working in an area of the business which they do not know well, that the set-up time can be increased above 20 per cent and the time available for the audit field work decreased by the extra time used for set-up. At least 20 per cent must be retained for the reporting stage.
The checkpoints should be at the end of the set-up stage, when the audit team are finalizing their audit findings, and before the first draft report is shown to the auditee.
Set-up
The lead auditor plans for success by carefully preparing both the auditee and the audit team. By auditee, we mean the senior member of the organization’s management who is responsible for the area which is the subject of the audit. The main objectives of the set-up stage are to:
• meet the auditee (possibly for the first time) at an opening meeting to describe how the audit process will work – this includes ‘selling’ the benefits of audit, and agreeing on the ToR – and listen to any of their concerns
• ensure that the audit team is familiar with their roles, have read (and understood) the background documents selected by the lead auditor, and know what needs to be done to deliver against the ToR.
In Chapter 5 there are tips and techniques for conducting the opening meeting. The main outcome of the set-up stage is a detailed plan of each auditor’s fieldwork. The overall document is called the work plan and is focused upon a sample of risk areas which are intentionally selected as being critical to the achievement of the organization’s objectives. If, within the time and budget allowed, the lead auditor (and possibly some of the auditors) can visit the location where the main audit scope activities are actually performed, for an orientation visit – to see operations first-hand and be walked through the processes – it will be extremely helpful and will aid the set-up immensely. As the planning progresses, a more detailed plan can be developed. The example in Figure 4.5 shows the division of the total audit time (two weeks in this example) amongst the three main stages of a management system audit.
A-Factor 27: Regular monitoring by the lead auditor of progress against the audit work plan, and of the findings which are arising, should ensure that the audit is completed on time, using the resources available to provide a level of assurance concerning the control framework within the auditee’s area of responsibility.
In Chapter 5 there is a detailed explanation of how to ‘set up’ an audit effectively.
Figure 4.5 The Audit Process Roller Coaster© two-week plan (a chart of Day 1 to Day 10, with a weekend between the two weeks). Activities in sequence: set-up/initial meeting with auditee; select key risks/develop interview schedule; interviews/fieldwork; team progress review; confirm review/tests; interviews/fieldwork; team report of findings; agree opinion; ‘no surprises’ meeting(s) with auditee; complete report and present to auditee; finalize/issue report. Legend: set-up; review and verify; report; contingency.
Review and verify
Effective audit interviewing will be the main technique used to gather information during the review stage, supported by examination of documentation. Verifying or testing relies upon interviews to corroborate what has been said or learned elsewhere, but is mainly carried out by more time-consuming techniques. Efficient testing requires careful planning. The main objectives of the review and verify stage are to:
• complete a review of the design of the management system being audited for every selected potential risk area in the work plan
• sample the application and efficacy of the main controls within key elements of the management system for every selected potential risk area in the work plan.
A-Factor 28: Whilst there is a logical sequence of activities within the review and verify stages, the main tasks will be performed more than once. This is especially true during interviewing, when there will be a number of iterations and the enquiries undertaken move inexorably down into finer granularity of detail, across various lines of enquiry, and possibly across a number of different control frameworks.
Chapter 6 describes our ‘review and verify’ methodology and shows you how to do this effectively.
Reporting
Ensure there is sufficient time left for a full understanding of the results of the review and verify stage, and then for explaining the key findings to the auditee and line management. It is best if the findings and recommendations are agreed upon before the audit team leaves the site. Agreeing upon these and discussing appropriate reactions, and preparing and presenting the final report, will complete the audit assignment. Reporting provides for the delivery of an audit opinion that compels the necessary actions, based on the level of assurance the audit team can provide, and the level of concern raised by the gravity and quantity of alerts. There are a number of key goals for the lead auditor to achieve during this stage:
• complete and assess all of the audit team’s audit findings
• discuss and agree the main findings with the auditee
• obtain the auditee’s commitments to improve the management system
• determine the audit opinion
• present a draft report at the exit meeting
• finalize the report within the agreed time period.
Chapter 7 describes the detailed steps required to conclude an audit effectively.
5 Set-up
Introduction
The next three chapters (Chapters 5–7) are set out to be read as if you, the reader, have been appointed the lead auditor for a new audit assignment. The chapters follow The Audit Process Roller Coaster© stage by stage:
• set-up
• review and verify
• conclude (report).
In these chapters, we describe our selection of the most important matters to think through in anticipation of each defined stage and how to carry them out to produce an excellent result. In exactly the same way that sports psychologists work with athletes to envisage each detail of how they are going to complete the course and how to do their best to win the race, a lead auditor too must have a clear view of the route ahead and know how to react at each critical moment along the route, before they set off on their journey. If they are not confident in the audit process, then both they and their audit team will underperform.
A-Factor 29: Lead auditors must have a clear view of their process, and know how to react at each stage.
How to set up an audit – ‘top down’
Efficient and effective use of the first 20 per cent of the total audit time will enable the lead auditor to significantly increase the success and usefulness of the audit’s outcome. The set-up stage covers the preparatory activities and the project planning that is necessary to ensure that the next 60 per cent of the audit time for review and verify is used as effectively as possible. Auditing is a process of sampling. In risk-based auditing, the sample selected comprises a selection of the highest gross risk areas (i.e. those activities that would have the greatest impact on the organization’s success if they were not properly controlled).
The selection of risk areas for review and verification is made by the lead auditor and the team members. The main preparatory activities are:
• agree upon the audit’s terms of reference (ToR)
• obtain background information
• get an overview of the area to be audited
• understand the reference framework
• meet the auditee
• make a site visit.
The main planning activities are:
• prepare audit time and resource plan
• audit logistics
• prepare risk-based work plan for the audit
• prepare an interview strategy
• prepare the right questions to ask based on the expected business control framework (BCF)
• start a structured audit file/filing system for the documentation relating to the audit.
Figure 5.1 illustrates each of these key activities in the early part of The Audit Process Roller Coaster©.
Agree upon the audit’s terms of reference (ToR)
At this stage, the ToR is the most critical document. Both auditee and auditor must agree upon it because it sets down the key parameters for the audit, as described in Chapter 3. It is the essence of the contract for the service to be provided by the audit team. A draft ToR will usually have been prepared when the audit was included in the organization’s audit plan for the current year. Therefore it is important to check that the main contents remain current, and that, for example, there have been no acquisitions or divestments of significant assets. If the audit ToR needs to change as a result of significant changes, the internal audit manager should be notified.
A-Factor 30: If the audit is not carried out as scheduled, or if either the audit reference framework or the audit scope is significantly changed, the corporate audit plan should be amended.
Figure 5.1 The Audit Process Roller Coaster© set-up stage (set-up activities shown on the descending curve: background data; initial meeting with auditee; terms of reference; work plan; expected control framework; audit file and working papers; vertical axis: level of detail involved, from summary to very detailed)
Tip – The auditee would normally be the most senior manager at the location being audited. However, in certain business organization models, such as in a matrix organization (which was discussed in Chapter 1), functional or regional managers may be accountable for particular activities at the same location, bypassing the senior manager on site. In such situations, where an appropriate auditee cannot be clearly identified, the lead auditor should refer back to the internal audit manager or internal audit committee. Therefore an audit must not commence without absolute clarity concerning the auditee’s accountability for the activities in the audit scope.
By obtaining the ToR as soon as possible after their appointment, the lead auditor will see the who, why, what and where of the audit. ToRs may come in many styles, shapes and sizes but they must at least state the following:
• Who – the names of the auditee and their boss, or the audit’s sponsor if that is not one of these two people.
• Why – the objectives for an audit of a BCF need to provide management with:
1. an opinion on the effectiveness of the whole BCF (assurance)
2. identification of weak control resulting in or causing exposure to unacceptable levels of risk, inefficient consumption of resources or failure to benefit from business opportunities as they arise (alerts)
3. development of appropriate actions for addressing the identified weaknesses and improving the overall strength of the BCF (advice).
Title of audit and name of auditee
Objectives: Assure – control framework; Alert – findings; Advise – actions
Reference framework: Organization’s policy and guidelines; HSE MS; ISO 9001/14001; OHSAS 18001; Contractor management guidelines
Scope: Business processes at location X; Project activity; Site or installation, etc.
Figure 5.2 Terms of reference – skeleton
• What – the reference framework to be used should be clearly identified.
• Where – the scope outlining the business processes/subprocesses at specific location(s), named facilities, etc. on which to concentrate the audit, including a description of the key interfaces with departments or sites either upstream (i.e. suppliers to the auditee) or downstream (i.e. customers of the auditee) of the scope area.
Figure 5.2 shows a skeleton ToR. Completed ToRs, though, generally include logistical information such as the team membership, start and finish dates, and planned dates for presentation of the agreed deliverables to management.
A-Factor 31: The audit’s ToR is generally not negotiable. It has been approved by the audit committee as one of their ‘jigsaw pieces’ and the scope areas need to be covered completely.
Case study
An extremely well-prepared distribution manager of a busy oil storage and distribution depot with a 400 metre frontage onto a tidal estuary suggested to the lead auditor, at the audit kick-off meeting, that there was little point in including the ‘river-jetty product receiving operations’ within the audit scope since an audit team of marine specialists were scheduled to audit a nearby ship-bunkering facility in a few months. The lead auditor declined by saying that it was within the audit scope, and that there would be sufficient time to include this potentially high-risk activity within his work plan. The audit fieldwork included the jetty operations, and identified that coastal tankers to be offloaded at the jetty often arrived before suitable spillage containment booms were available to be deployed.
Whilst sometimes demurrage was paid until the equipment arrived and could be deployed, unloading of the most recent delivery had been started without this critical environmental protection control in place. It was discovered that this situation arose because the stock level of product in the depot storage tanks was below that needed to supply the next shift’s deliveries, and undue pressure had been brought to bear on relatively junior operations personnel by the marketing department. Fortunately, by retaining ‘river-jetty product receiving operations’ within the scope of the audit, the audit team was focusing on this risk area during the period that the non-compliance occurred, and therefore the lead auditor was able to draw senior management’s attention to this unacceptable level of risk.
Obtain background information
As soon as possible, the lead auditor should request authority to receive appropriate background information which, for example, may be on the auditee’s intranet, or it may require copying and sending to you. In most organizations, there will be offices, computers and archives filled with information, files and records. The lead auditor must be selective in their requests for background information. Figure 5.3 illustrates literally that there are ‘mountains of data’ that are potentially available to the lead auditor as background reading. The lead auditor is looking for information that will enable analysis of the business environment in which the organization is operating. This may be achieved by studying the business plans of the auditee’s department and of the parts of the business to which they contribute or for which they are the internal customer or the internal supplier.
Figure 5.3 Mountains of background reading (layers of background data: corporate strategy; business plans; organization charts; process models; internet and country data; last audit and review reports; hazard and risk assessments; incident statistics. The lead auditor will sift through the layers of background data to get at the key information, and auditors will need to be familiar with this information.)
The lead auditor will extract from the business plans the key corporate and main departmental objectives and strategies, and confirm their alignment to each other.
Tip – Create an extract of the main corporate and operational business objectives and give each one a unique reference number. For example, C1, C2, C3 may be the first, second and third corporate objectives, whilst D1, D2, D3 may be the first, second and third distribution department objectives, or M1, M2, M3 may be the first, second and third marketing department objectives. Using this referencing system for each level’s objectives, create a list of them all and give a copy to each member of the audit team. Get all team members to use these references in building the work plan, in their working papers and in team discussions. Then everyone will be clear about which business objectives are at risk.
Possibly even before the membership of the audit team is finalized, the lead auditor should be liaising with a nominated (or identified) senior contact within the auditee’s department to make arrangements to carry out the audit at the worksite(s). The lead auditor should check that the auditee has a copy of the draft ToR. They should request the selected background information to be sent to them in advance so that the lead auditor can understand what has to be audited and how to address the logistical issues. It also provides background/preparation materials for the audit team. Some examples of suggested items for this background information list are as follows:
• auditee organization’s business objectives
• descriptions (and diagrams) of the major processes
• organization charts at each level
• manual or table of contents from the subject reference framework manual (i.e. the Health and Safety Manual for a health and safety audit)
• list of major risks
• list of major control systems
• directions to the site(s), local area map(s) and site plan(s).
Other items a lead auditor may consider requesting, since they are very useful pre-reading, include:
• auditee’s business plan
• most recent management self-assessment of residual risks
• levels of authority manual
• most recent report of financial and operational performance
• recent stakeholder surveys and reports, e.g. reports from regulators, media coverage, etc.
An example letter/text advising of the audit and requesting background materials is shown as Appendix 3. From November 2006, this will also be available on this book’s companion website at http://books.elsevier.com/companions/0750680261. The lead auditor could try to arrange to obtain access to the auditee’s organization’s intranet, and of course there is a variety of internet search engines available to assist with background information prior to (and during) audits. The sites shown in Figure 5.4 generally turn up relevant data to assist preparation.
Case study
A lead auditor, one day before an audit started, reviewed the auditee’s website. A news release stated that the site was in preliminary negotiations for a management buy-out. This information was invaluable the next day at the kick-off meeting with the auditee, and the audit team was able to appear very well briefed.
Case study
A lead auditor, whilst preparing for an audit, noted that there had been a recent change in national legislation concerning radioactivity. During the audit, the audit team observed that a batch of radioactive isotopes for use as x-ray sources for non-destructive testing of oil field pipelines was at a reactivity level above that allowed by the new laws, and the preparation allowed them to respond accordingly.
Case study
A lead auditor read in an online trade journal that a major contractor used by the auditee had won a separate large contract that was likely to stretch its ability to deliver service in the short term. The audit team was able to reprioritize its audit sample to take account of this new information.
Figure 5.4 Useful Internet sites for background research: Altavista.com, Aol.com, Wikipedia.com, Yahoo.com, Google.com, Hotbot.com
In all of the above cases, the preparation by the lead auditor and the audit team affected the selection of risk areas for inclusion in the work plan.
A-Factor 32: As a lead auditor, it is important to encourage your team to be speculative. Think ahead about the business environment in the audit setting, and about how your auditee will be managing their part of the business in the light of future challenges.
Tip – Send the list of documents required from the auditee’s organization as early as you can. Depending upon the priority of the audit for the auditee, you may not get a response to your first request. You may need to send a second and even a third request for the information materials. Give yourself time to do so; remember you will need to read them and create a pack of selected information for your audit team.
A longer list of items for consideration as background information and pre-reading is in Appendix 1. From November 2006, these will be available on this book’s companion website at http://books.elsevier.com/companions/0750680261.
Tip – While we have tried here and in Appendix 3 to provide the key types of information that you need to obtain about the auditee’s area of responsibility, excellent lead auditors will develop their own master checklists.
Distribute selected background information
When the pre-reading documentation is received by the lead auditor (and note that sometimes it does not all arrive together), it should be read, sifted and sorted. The lead auditor needs to extract relevant information from potentially large amounts of data, and usually this means sifting through considerably more data than the information which is eventually given to the team members for their familiarization. The aim is to identify the key information to circulate to the audit team members. Selected packs/extracts of the key documents should be prepared and sent to each member of the audit team with instructions to read and understand them. The intention is for each member of the audit team to gain a good overview of the auditee’s organization, site(s) and business processes to be audited.
Tip – In an ideal world, the best time to send such a pre-reading pack out to the audit team members is two to three weeks before they will start on the audit. If it is sent earlier than this, anything read may have been forgotten by day one of the audit. If sent later than this, the team member may not receive it (particularly if it has to travel through international or company postal systems).
A-Factor 33: The key to a successful audit set-up is to have a well-prepared audit team.
Audit team members to overview the area to be audited
From the moment you are assigned to an audit, an auditor needs to become thoroughly familiarized with the key matters influencing the way in which the auditee is managing the area to be audited. You will receive information from the lead auditor, and it is important that it is read thoroughly. An auditor should aim to assimilate quickly the information needed by concentrating on understanding the business challenges confronting the auditee, identifying the key personnel, and generally getting a feel for the business activity to be audited. Study the company’s and department’s organizational structure, in terms of who does what job, who reports to whom, where people work, how many positions are vacant, etc. Confirm the physical locations where work takes place, and what the work comprises. The audit team will usually meet together for the first time with respect to this particular audit on the first day at the auditee’s site. In Chapter 10, we have described how this initial meeting should be conducted. Briefly, the lead auditor should:
• finalize the team composition with regard to competencies
• hold one-to-one meetings with team members
• hand any last-minute background materials to the team members
• lay down the ground rules, such as ‘working as a team’.
Make a preliminary site visit
A practical overview will help to develop a more realistic work plan. It will benefit the audit team if the lead auditor can visit the site(s) where the business activities actually take place as part of the familiarization. There you can meet and listen to personnel, ask questions about the technical aspects of the work being done (confirming en route the extent to which personnel are confident in their knowledge about both the business process and how best to manage it), and obtain a feel for the maturity of the overall control framework and the extent to which it is respected and utilized by line management. Your eyes, ears and brain should be switched to receive mode whilst visiting worksites. Avoid too much detailed investigation by asking the ‘right’ questions. Do not react to what you hear or see, and certainly never jump to conclusions, start analysing what is going on or suggest different ways of doing the work at this early stage of the audit, since the operational staff may interpret this as arrogance on your part or implied criticism of what they are doing. Figure 5.5 illustrates some of the benefits of making a pre-audit site visit.
Figure 5.5 Benefits of making an early site visit: meet key members of auditee staff; see the operations first-hand; obtain documentation and check coverage; ‘walk through’ processes
At this point in the process, the audit team will gather together on site in preparation for the first day of the fieldwork.
Prepare the right questions to ask
Make a list of those people whom you think will be able to contribute to the audit and obtain their contact details (e.g. telephone number and email address). As soon as you have agreed upon the dates for the audit fieldwork, introduce yourself and the audit team by an email to all the people on your list and suggest to them your preferred time for an interview and assistance with the audit. You must get as much of your schedule agreed to before you arrive on site. Think about the logistical requirements in getting from A to B and in terms of developing realistic interview schedules. The ToR should refer to which reference framework the audit is being carried out against. Therefore you should fully familiarize yourself with both the ‘official’ documentation supporting the reference framework as well as that being used by the auditee (if there is any difference). For each high risk business process, you and the team need to ask yourselves ‘How should the auditee be using the reference framework to manage these risks?’ And by answering your own question, you will create a view of what we call the ‘expected reference framework’ which will be used later in the audit process.
Tip – The whole audit team must fully understand the composition of controls in each element of the reference framework and how the various elements interact with each other in terms of controlling the risks within the auditee’s business processes and activities. If necessary, confirm your understanding with
the reference framework’s owner or relevant discipline head (e.g. corporate social responsibility or financial accounting).
Initial meeting with the auditee
At an early stage, it is essential to meet the auditee face to face to get the audit off on the right lines and to build the auditee’s confidence that your audit team can really help in achieving business objectives in the future. Meeting the auditee’s immediate superior would also be a bonus, since you would then obtain another perspective on the quality of control in the area being audited and possibly some hints as to where there might be pressures in the system.
Tip – Gaining an initial assessment, from the auditee or the auditee’s line manager, of their perceived level of control in the subject area will alert you to any likely difficulties in selling your major findings and final opinion.
Give the auditee reasonable notice of the meeting so you can be sure to agree to a firm date, time and place to meet. Contact them beforehand to discuss your preferred agenda and confirm the ‘arrangements’ shortly before the appointment. The main benefits of having a formal initial meeting with the auditee are:
• to try to ensure that everybody who needs to know knows that the audit is ‘on’
• to agree the final ToR
• to explain the risk-based methodology you will be using for the audit and how this process can deliver the audit objectives
• to explain the purpose of the close-out meeting to the auditee and agree a firm date, time and place for that meeting
• to confirm the auditee’s knowledge and acceptance of the reference framework
• to confirm with the auditee the feasibility of your time and resource plan, including the availability of their and their subordinates’ time for interviews and for meetings to discuss progress and to discuss and agree the weaknesses and corrective actions
• to obtain an explanation from the auditee of how they control the risks in their area of operation
• to start your review of the auditee’s management style and level of compliance with the reference framework.
It is essential that at least the matters shown in Figure 5.6 are covered at the initial meeting with the auditee:
• Communicate audit objectives and approach
• Establish professionalism and credibility
• Agree outline timetable and staffing
• Confirm terms of reference
• Confirm auditee availability and involvement
• Schedule progress meetings
• Check awareness of reference framework
Figure 5.6 Initial meeting with auditee – a solid foundation
Establish credibility
Generally auditees can be apprehensive – even worried – about audits, and especially the audit opinion. For example, it is easy to understand why an auditee may be worried if they feel the audit opinion may threaten their career, the viability of the operation they are managing, or if this threatens their performance score card and hence their bonus! Your role at this time is to persuade them that you and your team members have the necessary knowledge, skills and experience to undertake a meaningful analysis of their operations and to help them to identify and address risks which may not be as well controlled as they thought. Your interest is in ensuring future success, not dwelling on past mistakes.
Tip – Before meeting the auditee, a thorough understanding of how the background information relates to both the business and the audit will enable the audit team members to demonstrate considerable credibility.
Communicate audit objectives and approach
Describe how the audit process will work, taking the auditee through the work you and the team have already done and then the next stages.
Tip – Figure 5.7 shows the generally held expectation gap between audit and management. You will need to explain that audits involve a process of sampling and, therefore, the audit result can never give management 100 per cent assurance. Selection of a solid, risk-based and representative sample is critically important. It is therefore important that the auditee and their boss understand this concept and how it influences the final audit opinion.
Figure 5.7 The expectation gap – what is actually examined during an audit (the 100% of scope in the Terms of Reference against the selection of work plan items actually examined)
Use the ToR document – which the auditee should have seen already – as an agenda to confirm their use of the reference framework and to discuss the major challenges to their overall objectives and the key risks in each of their main business processes. Tip – By explaining the purpose of the initial meeting to the auditee beforehand, this may encourage him, or his senior staff, to make a presentation of some of the issues currently affecting the area being audited.
Confirm ToR
Up to this point, the ToR will usually have been only a draft. Once the audit’s objectives and approach are clear, it is usual for the auditee and lead auditor each to sign the document to signify agreement. Since the assurance committee is responsible for the overall assurance plan, as they see the ‘big picture’ – the metaphorical complete jigsaw, where each piece needs to be audited at the right level at the right frequency with no overlaps and no gaps – you and the auditee cannot exclude (or include) scope areas willy-nilly. If the auditee has a real problem, then you will have to refer the issue back up your line of authority before agreeing to a change. Generally the ToR will be agreed at this meeting, and it is helpful if the auditee can be persuaded to circulate a copy of the approved document to the line staff.
Agree to a provisional timetable
Depending upon exactly when the opening meeting is held, the audit team may be able to present the auditee with quite a detailed overview of the timing plan. Referring to our suggested 20/60/20 division of time helps to show the auditee that we have used the background materials, and that the audit team will conclude their work with an audit report, which includes, where possible, appropriate and agreed recommendations.
Agree to progress meetings
Surprisingly, auditors do not know everything! It is wise for all auditors to remember this. Agreeing a programme of contact or short meetings with the auditee – perhaps every day or two – to discuss early findings and observations is invaluable. It goes without saying that if not needed, these can be cancelled. Agreeing with the auditee, if you can, upon what the audit team has found at an early stage will be helpful during the audit conclusion stage.
Confirm auditee involvement
As has been said, the auditee may be apprehensive, so make it clear that the audit team will not only value any input at every stage of the process but is expecting an active interest and involvement throughout the audit. Give the auditee an open invitation to visit the audit team room at any time to see what is going on.
A-Factor 34: You get one chance to make a first impression – take it!
A sample agenda for an initial meeting will be available on this book’s companion website from November 2006 at http://books.elsevier.com/companions/0750680261
Time and resource planning
Detailed planning is critically important if an audit’s objectives are to be fully met. Even in the shortest audits, the original timetable will be a best estimate and will need regular updating to make the most of the resources available to cover the necessary activities and use any planned contingency time to best effect.
Figure 5.8 Audit time and resource planning (overall: offsite set-up, onsite review and testing, offsite concluding; by activity; by resource: team leader, auditor 1, auditor 2, auditor 3)
The timetable should include the necessary activities for both the audit team and, to the extent possible, the auditee’s staff and other staff in the organization being audited. The timetable showing the total resource requirement should be discussed at an early stage with the auditee to get their support for the proposed timings, logistics, the interview schedule and dates of key meetings. Figure 5.8 shows the audit time plan at overall, activity and resource levels. Once you have confirmed the allocation of approximately 60 per cent of the available resource to the fieldwork stage, as a broad guideline reckon on spending 25 per cent on reviewing the potential adequacy of the auditee’s control framework and 20 per cent on testing the application and effectiveness of the controls. This leaves a contingency of 15 per cent, which can be allocated after the lead auditor has finished a formal supervisory review to confirm the quality of the team’s planned review and testing. As shown in Figure 5.9, this supervisory review would normally be carried out no later than three-quarters of the way through the fieldwork stage. Its purpose is to challenge work done by audit team members, confirm the quality of the audit findings (and how well they have been documented), and confirm how the individual auditors will spend the remaining 15 per cent of time available in the fieldwork stage.
Audit logistics
The lead auditor should assume responsibility for communicating with and organizing the audit team as soon as they are appointed. Simple things can be overlooked when trying to get everybody together to start an audit:
• team members don’t know the start date (and have conflicting bookings which they cannot get out of)
• work or country entry visas not applied for in sufficient time, or at all
• mandatory inoculations not obtained
• flights booked to Budapest, not Bucharest; Austria, not Australia
• local accommodation fully booked (perhaps due to a large trade fair)
• after a late-night arrival at the airport, the taxi would not take sterling, euros or dollars.
Figure 5.9 Scheduling the lead auditor review (review and verify stage, 60% of overall time: review 25%, verify 20%, contingency 15%; the lead auditor review is placed before the contingency time)
A detailed list of items for the lead auditor to consider as part of the preparation and planning work are in Appendix 1. From November 2006, this will be available on this book’s companion website at http://books.elsevier.com/companions/0750680261
Tip – Apply to your local passport office for a second passport. In many territories, it is legal to have two passports, on the basis that you may need to send one to a foreign embassy for visas at the same time as you are travelling. Your employer will need to endorse this request in the UK.
Useful addresses for the UK Passport Agency are:
1. London Passport Office, Globe House, 89 Eccleston Square, London SW1V 1PN
2. Peterborough Passport Office, Aragon Court, Northminster Road, Peterborough, Cambridgeshire PE1 1QG
3. Liverpool Passport Office, 101 Old Hall Street, Liverpool L3 9BD
4. Durham Passport Office, Millburngate House, Durham DH1 5ZL
5. Glasgow Passport Office, 3 Northgate, 96 Milton Street, Cowcaddens, Glasgow G4 0BT
6. Belfast Passport Office, Hampton House, 47-53 High Street, Belfast BT1 2QS
7. Newport Passport Office, Olympia House, Upper Dock Street, Newport, Gwent NP20 1XA
Application forms for UK passports are available from main post offices or from www.passport.gov.uk
Develop a work plan
Each audit requires a work plan. The work plan is a separate, tangible deliverable which, although initially created during the set-up stage of the audit, will be actively used by the lead auditor to allocate and manage the resources in the audit team to the best effect. The work plan assigns particular work items (the selected risk areas for review and verification) to those members in the team who have appropriate knowledge and experience. Progress against the work plan should be monitored by the lead auditor in terms of the quantity and quality of the review and testing work done during the fieldwork stage. It also helps to keep the conduct of the audit on time.
The lead auditors will use their own, and the team’s, good understanding of the main corporate, departmental and operational opportunities and risks to start the process of creating a work plan that will be the focus of the audit team’s efforts throughout the fieldwork stage. Creating an appropriate work plan is an analytical and speculative process in which the whole team participates. It is done by identifying initially those situations that may arise either in the business environment surrounding the organization or within the operational activities of the organization, and subsequently have an impact on the achievement of the organization’s business objectives. The team must then select those subprocesses and business activities in the area being audited upon which the success of both the auditee’s area of accountability and of the overall organization is most reliant.
Experience has shown us that particular business circumstances tend to increase the likelihood or impact of risky or opportunistic situations arising in an organization, for instance:
• when even a slight deviation from the control design would result in a disproportionately major loss (e.g. signals passed at danger on the rail network)
• wherever a supply chain or business process has a link or interface, there is potential for failure due to omission (e.g. to take responsibility for a critical action) or due to duplication of effort (e.g. doing the same work twice)
• in parts of a business undergoing organizational change, it will be more likely that appropriate maintenance or amendment to the control framework will not be happening
• the sheer complexity of business today and the speed of change (often led by external events and determined by senior management) creates stress on people and on systems at all levels within the business
• frustrations can creep into personnel’s attitudes and actions if ineffective or excessive controls are not identified (if not already known about) and either changed or eradicated
• management’s knowledge about and commitment to correct control failures is often well illustrated by how they reacted previously to the discovery of poor performance or operational losses. Failure to assist with the identification, measurement and mitigation of such poor performance or loss would be a cause for concern.
These possible risk areas are illustrated in Figure 5.10.
Figure 5.10 Known risk areas (links and interfaces; reorganization; organizational stress; potential for major loss; actual losses; over/under controlled)
The business activities selected by the audit team for inclusion in the work plan must always be challenged by the lead auditor, in terms of asking ‘why will the results of reviewing these activities form a significant and relevant part of my audit team’s assurance to management?’ This type of challenge process will result in the identification of the most important business processes to be reviewed and tested.
Tip – Assess each ‘risky’ situation that might occur by validating it in terms of how many main business objectives will be directly impacted, should the exposure to risk become an incident. Use the reference codes created during the familiarization with the auditee’s organization for the corporate and operational business objectives (e.g. C1, D2 or M3).
The coverage of every audit is restricted in the number of discrete business activities which can be put in the work plan by the time available to review the reference framework and test the underlying controls fully. To be clear, there will always be more potential risk areas than there is time to fully review and verify them. With this restriction in mind, the content of the work plan must be finalized by the lead auditor before the in-depth analysis and review of the reference framework is started. This finalization includes a review of the sample selected to determine that the scope of the ToR has been adequately covered.
A-Factor 35: The work plan is, and should remain, a dynamic tool which is continuously referred to by the lead auditor. It should be adapted to take account of discoveries made by the audit team in the review process. For example, the review work may unearth a major area of risk not previously considered which may have to replace an item already in the plan.
Developing an interview strategy
For each of the risk areas included as a work plan item, it is necessary to:
• identify the people who are involved with the relevant business activities (from Board level down to operations)
• decide what type of documentation is likely to be needed to reflect application of the relevant control framework
• be clear on how, when and where the activities are carried out.
A useful audit tool for all auditors is a reference or map of each of the potential interviewees to a list of the risk areas selected. Of course, we cannot be certain of their actual involvement until we meet them, but the likelihood of them being able to contribute to the audit team’s review of each risk area will usually be seen from their position in the organization chart, or their job title. This process not only helps the audit team to cover the most ground at each interview, but it also helps allocate responsibility for particular work plan items to individual auditors efficiently.
[Figure 5.11: a matrix with the work plan items across the top – R1 Local contractors, R2 Work plan & estimate, R3 Bidding extra work, R4 Crew mobilization, R5 Flowlines / hook up, R6 Drilling services, R7 Emergency jobs, R8 Preventive mtce., R9 Health at camp – and the interviewees down the side, grouped as Head office (General manager, Contract manager, HSE manager, Corp QS (HSE), Senior Q system, Welding engineer (QA), Corp planner, Pr manager) and Site (Site manager, Proj Eng design, HSE advisor, Medical officer, Wks coordinator, Senior QA eng, Materials coord, Planning engineer); a tick in a cell marks a probable interview.]
Figure 5.11 Mapping work plan items to interviewees
Figure 5.11 illustrates how this mapping may look, with work plan items along the top (indexed on the left), and interviewees down the side. Each ‘tick’ represents a probable requirement for an interview. By looking across each line, an auditor can see the areas to be covered with each individual at an interview.
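The mapping just described can be held as data and read from either direction. The Python below is an added example written for this text, not a form or tool from the book or its authors: the work plan item titles follow Figure 5.11, but the shortened interviewee list, the tick pattern and the helper names (agenda_for, interviewees_for, uncovered_items, allocate) are constructed assumptions. Reading across a row gives one person’s interview agenda, reading down a column gives who can probably contribute to a risk area, uncovered_items flags a work plan item that nobody has been mapped to, and allocate shares the covered items between auditors by interview load.

```python
# Constructed sample data, added for illustration. The work plan item titles
# follow Figure 5.11; the interviewee list and tick pattern are assumptions
# and are not taken from the book.
WORK_PLAN_ITEMS = {
    "R1": "Local contractors",
    "R2": "Work plan & estimate",
    "R3": "Bidding extra work",
    "R4": "Crew mobilization",
    "R5": "Flowlines / hook up",
    "R6": "Drilling services",
    "R7": "Emergency jobs",
    "R8": "Preventive mtce.",
    "R9": "Health at camp",
}

# (interviewee, location) in organization-chart order.
INTERVIEWEES = [
    ("General manager", "Head office"),
    ("Contract manager", "Head office"),
    ("HSE manager", "Head office"),
    ("Site manager", "Site"),
    ("HSE advisor", "Site"),
    ("Medical officer", "Site"),
    ("Materials coord", "Site"),
]

# Each tick is a probable interview requirement: (interviewee, work plan item).
# R7 is deliberately left without a tick to show the coverage check below.
TICKS = {
    ("General manager", "R1"), ("General manager", "R2"), ("General manager", "R3"),
    ("Contract manager", "R1"), ("Contract manager", "R3"), ("Contract manager", "R4"),
    ("HSE manager", "R4"), ("HSE manager", "R9"),
    ("Site manager", "R2"), ("Site manager", "R4"), ("Site manager", "R5"),
    ("Site manager", "R6"), ("Site manager", "R8"),
    ("HSE advisor", "R5"), ("HSE advisor", "R6"), ("HSE advisor", "R8"),
    ("Medical officer", "R9"),
    ("Materials coord", "R5"),
}


def agenda_for(interviewee):
    """Reading across one row: the work plan items to cover at this interview."""
    return sorted(item for who, item in TICKS if who == interviewee)


def interviewees_for(item):
    """Reading down one column: who can probably contribute to this risk area."""
    return sorted(who for who, it in TICKS if it == item)


def uncovered_items():
    """Work plan items nobody is mapped to: a gap the lead auditor must close."""
    return sorted(code for code in WORK_PLAN_ITEMS if not interviewees_for(code))


def validate_ticks():
    """Ticks naming an unknown person or item (typos in the map), if any."""
    names = {who for who, _ in INTERVIEWEES}
    return sorted((w, i) for w, i in TICKS if w not in names or i not in WORK_PLAN_ITEMS)


def render_matrix():
    """Plain-text version of Figure 5.11: interviewees down, items across."""
    codes = sorted(WORK_PLAN_ITEMS)
    width = max(len(who) for who, _ in INTERVIEWEES)
    lines = ["Interviewee".ljust(width) + "  " + " ".join(c.rjust(2) for c in codes)]
    current = None
    for who, where in INTERVIEWEES:
        if where != current:           # group heading, as in the figure
            lines.append(where)
            current = where
        row = " ".join(("x" if (who, item) in TICKS else ".").rjust(2) for item in codes)
        lines.append(f"{who.ljust(width)}  {row}")
    return "\n".join(lines)


def allocate(auditors):
    """Share covered items between auditors, balancing the number of interviews.

    Heaviest items first; each goes to the auditor with the lightest load so far.
    Uncovered items are left out for the lead auditor to resolve.
    """
    load = {a: 0 for a in auditors}
    plan = {a: [] for a in auditors}
    by_weight = sorted(WORK_PLAN_ITEMS, key=lambda i: (-len(interviewees_for(i)), i))
    for item in by_weight:
        n = len(interviewees_for(item))
        if n == 0:
            continue
        target = min(auditors, key=lambda a: load[a])   # first auditor wins ties
        plan[target].append(item)
        load[target] += n
    return plan


if __name__ == "__main__":
    print(render_matrix())
    print("uncovered:", uncovered_items())
    print("allocation:", allocate(["Auditor 1", "Auditor 2"]))
```

The coverage check is the part worth keeping in any real audit file: a work plan item with no interviewee mapped to it is an item that will silently receive no evidence.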
Prepare the right questions to ask
Once individual auditors know which work plan items they have been allocated by the lead auditor, they can start to create effective interviewing agendas and questions. Since each work plan item must be reviewed and tested individually, the responsible auditor needs to decide the best approach to take to obtain the most information out of each interviewee.
A-Factor 36: Time constraints and the need for audit efficiency mean that the auditor should not set out planning to ask questions about every control element of the reference framework. They need to decide which of the control elements are critical as a basis for good risk management of the business activity being audited.
For example, as illustrated in Figure 5.12, project management activities are critically reliant upon good organizational controls such as designated project manager and project team members, authorized budget, management control systems, and management review controls such as project steering committee and committee minutes.
Work plan item: Key project to develop new market
Risk(s): Failure to increase sales/profits; Too late or expensive; Too difficult; Loss of reputation within industry
Expected business control framework – Policy, Organization, Procedures: Has feasibility been approved? Is accountability clear? Have resources been provided? Has an achievable plan been prepared?
Supervision, Review and appraisal: Is there a steering/review body in place to authorize continuation at milestones?
Figure 5.12 Selection of key business control framework elements
By approaching each work plan item in this manner, an auditor will be able to prepare themselves in an organized way:
1. Create direct and appropriate closed questions (i.e. which can be answered ‘yes’ or ‘no’) to establish which controls in the selected elements of the reference framework are expected to be applied to manage the risks arising. Answers will often be provided by corporate policies, local legal obligations and senior levels of management’s statements.
2. Prepare a series of related open and closed questions for each of these expected controls to confirm the extent to which such controls are actually in place within the auditee’s organization.
3. Ask these questions in an appropriate way to individuals at various levels and with different responsibilities in the organization. Their answers will give the auditor information about whether these key controls are known about and how well they are understood, implemented, checked and reviewed from top to bottom or across departmental boundaries in the same organization.
4. Confirm whether these controls are being applied as designed and to what extent their application is effective by further interviewing, detailed examination of documents, observation of activities and verification of assets.
By preparing a set of questions and then inspecting documents and interviewing individuals at different levels in the organization and at different stages of the work cycle, the auditor will be able to quickly establish the extent to which the expected reference framework has been adopted within the auditee’s organization and if it is effectively supporting the achievement of its business objectives.
Pros…
• Saves time = quick start
• Expert’s questions
• Full coverage of subject area
• Lends appearance of credibility
• Detailed and complete
Cons…
• Blinkered approach
• Limits auditor’s thinking
• One size does not fit all
• May not understand what the question is trying to find out
• Questions done = audit done
Figure 5.13 Pros and cons of standard questionnaires
Standard audit programmes and/or control questionnaires may be useful tools to avoid reinventing the wheel. However, such generic audit aids have advantages and disadvantages that must be carefully weighed. Generally they must be adapted to reflect the actual environment encountered and hence become appropriate to the particular business activities being audited. That takes time! Figure 5.13 summarizes some of the pros and cons of standard questionnaires.
Audit working papers and the audit file
The lead auditor and the audit team members need to be well organized to record the information obtained during the fieldwork. It is quite normal that the rules for the retention of audit working papers and the final audit reports are specified by the national legislation, or in audit codes adopted in the country or organization where the audit is being carried out. Figure 5.14 shows an example document retention schedule which was developed by the UK National Archive. It sets out maximum periods for retention.
Figure 5.14 Audit working paper retention guidelines
Record                                                      Disposal after…
Reports
  Audit reports with examination of long-term contracts     6 years
  Fraud investigation papers                                6 years after legal proceedings
  Other audit reports                                       3 years
Undertakings
  Terms of reference                                        3 years
  Programmes/plans/strategies                               1 year after last date of plan
  Correspondence                                            3 years
  Minutes of meetings and related papers (inc. Audit Ctee)  3 years
  Working papers                                            3 years
Other records
  Internal audit guides                                     When superseded
  Procedure manuals                                         When superseded
(Model retention schedule from UK National Archives 2003 website)
As soon as the audit work plan has been approved by the lead auditor, each auditor in the team should open audit finding working papers (AFWP) for each item in the work plan for which they have been assigned responsibility to carry out the fieldwork and report back to the team and lead auditor. On pages 128–129, there is a sample AFWP. This particular document is representative of a form used by the authors, and is commended. From November 2006, a copy of this will be available on this book’s companion website at http://books.elsevier.com/companions/0750680261
These AFWPs will be actively used by individual auditors to record:
• the title of the risk area for audit
• the initial justification for including the business activity as a work plan item
• which controls are expected in the reference framework
• details of evidence of strength and weakness obtained from the reviewing and verification work
• logical support for any control weakness identified
• the specific impact of the identified control weakness on the organization’s objectives
• the root cause of the control weakness (if identified)
• evaluation of the significance of any control weakness
• recommendation for appropriate remedial action
• a space for response or reaction by the auditee.
Each audit will have a master audit file, containing all the audit records. This will be retained for a period agreed upon after the audit. The audit file should be structured to enable the auditors to find documentation easily at every stage of the audit. Individual auditors will have preferences about naming the various sections of the file; however, a simple document referencing system, with an index at the front of the file, should be used.
A-Factor 37: Each audit will have a master audit file, containing all the audit records. This will be retained after the audit for an agreed period.
A-Factor 38: Before the time available for the set-up stage runs out, each auditor should have a series of individual agendas for their first interviews ready, together with lists of appropriate questions which will enable them to start the next stage of the audit.
6 Review and Verify
Introduction
As described in Chapter 1, ‘risk’ can be defined as anything – opportunity, threat, activity or event – with potential for impact on the achievement of the organization’s business objectives. Risk may thus be perceived as being positive and helpful to the organization – ‘up-side risks’, or alternatively be believed to be a negative exposure to be avoided – ‘down-side risks’. We have additionally referred to the characteristics of these risks elsewhere as of ‘value creation’ and ‘value protection’ respectively. An essential first step for any auditor is to identify and consider significant risks in the context of the host organization’s business environment. As we have seen, the business environment is turbulent – ‘more things will change in the next ten years than in the previous 100’. It is probably in a permanent state of flux as a result of dynamic changes in the political, economic, legal, social or technical perspectives or otherwise.
As described in Chapter 5, auditors use a process for identifying a sample of potentially significant risks for inclusion in an audit work plan. Auditors estimate the significance of identified individual risks (e.g. by using a risk assessment matrix to qualitatively assess the significance of each identified risk area), and their relationships to each other. We have suggested three questions that invariably assist auditors (they may assist management too) to decide the significance of the identified risks:
• How often will this happen (likelihood)?
• How big could the impact be (severity)?
• Who is likely to be impacted by an occurrence (which of the stakeholders)?
The authors have commended that HSEQ auditors focus upon the relative position of risks in the risk matrix – a useful discipline is to focus on the top 10–20 risk areas.
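As an added example (not the authors’ method, form or software), the three questions above can be recorded against each identified risk, used to place it on a matrix, and then used to pick the top risk areas for the work plan. The five-step likelihood and severity scales, the band thresholds, the tie-break on how many stakeholders are affected, the helper names (score, band, rank, select_work_plan, matrix_cells) and the sample risks are all constructed assumptions for illustration; the matrix position only orders the sample, in keeping with the advice that follows about avoiding the ‘numbers game’.

```python
from dataclasses import dataclass

# Qualitative scales, constructed for this example: the book says only that a
# risk assessment matrix is used to assess significance qualitatively.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Band thresholds on the 1-25 grid (assumption, not the authors' figures).
HIGH_FROM, MEDIUM_FROM = 15, 6


@dataclass(frozen=True)
class Risk:
    code: str             # objective reference code, e.g. C1, D2, M3 (see Chapter 5)
    description: str
    likelihood: str       # "How often will this happen?"
    severity: str         # "How big could the impact be?"
    stakeholders: tuple   # "Who is likely to be impacted?"
    upside: bool = False  # value creation (opportunity) rather than value protection

    def __post_init__(self):
        # Reject a scale word that is not on the matrix before it can distort the ranking.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"{self.code}: unknown likelihood {self.likelihood!r}")
        if self.severity not in SEVERITY:
            raise ValueError(f"{self.code}: unknown severity {self.severity!r}")


def score(risk):
    """Position in the matrix expressed as a single ordering key."""
    return LIKELIHOOD[risk.likelihood] * SEVERITY[risk.severity]


def band(risk):
    s = score(risk)
    return "high" if s >= HIGH_FROM else "medium" if s >= MEDIUM_FROM else "low"


def rank(risks):
    """Highest matrix position first; ties broken by stakeholder breadth, then by code."""
    return sorted(risks, key=lambda r: (-score(r), -len(r.stakeholders), r.code))


def select_work_plan(risks, limit):
    """The top-N discipline: the sample on which the audit opinion will later rest."""
    return [r.code for r in rank(risks)[:limit]]


def matrix_cells(risks):
    """Group risk codes by (likelihood, severity) cell to show their relative positions."""
    cells = {}
    for r in risks:
        cells.setdefault((r.likelihood, r.severity), []).append(r.code)
    return {cell: sorted(codes) for cell, codes in cells.items()}


# Constructed sample risks (illustrative; not taken from any real audit).
SAMPLE_RISKS = (
    Risk("M1", "Mutual-aid SCBA refill connectors incompatible with host site",
         "possible", "catastrophic", ("fire crews", "site workers", "neighbours")),
    Risk("D2", "Contractor crews mobilized without site induction",
         "likely", "major", ("contractors", "site workers")),
    Risk("C1", "Key market-development project slips past its milestone",
         "possible", "major", ("shareholders", "customers")),
    Risk("M3", "Rainwater not pumped from the tank bund",
         "almost certain", "minor", ("environment",)),
    Risk("D4", "Camp drinking-water quality not monitored",
         "unlikely", "major", ("site workers",)),
    Risk("C5", "New drilling-services contract opens an export market",
         "possible", "major", ("shareholders",), upside=True),
)

if __name__ == "__main__":
    for r in rank(SAMPLE_RISKS):
        kind = "up-side" if r.upside else "down-side"
        print(f"{r.code} {score(r):>2} {band(r):<6} {kind:<9} {r.description}")
    print("work plan:", select_work_plan(SAMPLE_RISKS, 3))
```

The same frame accommodates up-side risks: an opportunity is ranked by the value it could create in exactly the way a threat is ranked by the value to be protected, which is what lets both kinds compete for the limited number of work plan slots.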
Whilst there are many quantitative risk measurement, evaluation and estimation methodologies and software toolkits available to assist with this, our experience gained over many audits suggests that unless absolutely necessary, it is wise to avoid the ‘numbers game’. Quantitative methods are usually better suited for use by risk managers within organizations, charged with dynamically recording the significant risks, aspects and impacts and prioritizing these for subsequent improvement. Tip – For an example of risk-ranking software available, readers could refer to www.crsrisk.com for a useful downloadable toolkit.
However risks have been identified and prioritized, Chapter 2 explains why the greater the risk (i.e. the greater the value of the opportunity, or the greater the value to be protected from threat), the more resilient and reliable – and more emphatically set at the heart of the organization – any framework for risk control should be expected to be. Chapter 3 describes how to plan a programme of organization-wide audits, which provides assurance through the appointed audit committee, and Chapter 4 provides an overview of The Audit Process Roller Coaster©, the vision effective lead auditors should have in their mind. Chapter 5 describes how to set up a particular audit, concluding with the development of a work plan for any particular audit.
A-Factor 39: Understand that we base our overall audit opinion on the efficient and structured control of the risks in our work plan, which was selected because of the potential risks to the achievement of the organization’s objectives.
This chapter will explain, with examples, how to reliably and effectively establish the actual system (review) for business control in the auditee’s operations, and then verify (test) how well it works. In this chapter, we enter the steeper part of our planned descent from the top of The Audit Process Roller Coaster©. As stated earlier, we call this the ‘top down’ approach to auditing.
Top down – the controlled descent
Our model for audit referred to throughout the book is The Audit Process Roller Coaster©. Earlier (Chapter 5), we described how to try to ‘stay at the top’ of the first slope as long as possible throughout our audit set-up stage, even though we know that an auditor’s enthusiasm to get started on the audit (like an invisible but powerful force, akin to gravity) inexorably tries to pull us down from our high-level view of the organization into ever finer detail. We will have plenty of time to look at detail later (if we continue to plan our audit well). Our controlled descent is very focused onto the risk areas we have selected in our work plan – it is as though we are ‘guided by the rails’ of the metaphorical rollercoaster.
A risk-based audit is not a low-level compliance check. For each selected risk area (i.e. high gross risk as explained in Chapter 1), the auditor is looking for reliable evidence of planning, implementation and monitoring procedures of the management and how continual improvement is sought (a structured means of control – ‘PDCA’). Applying an OHSAS 18001:1999 approach, this would mean development and deployment of occupational health and safety policy specific to the particular organizational risk selected, clear and transparent planning for control of the specific risk, implementation and internally assured operation of the selected control framework, timely checking of how these controls work in practice (such as site supervision), with corrective action if and where gaps may be noted, with a scheduled management review to provide longer-term assurance and to promote and drive continual improvement, as expressed by the primary clauses in the standard:
• OH&S policy
• planning
• implementation and operation
• checking and corrective action
• management review.
Drilling down into the facts ‘top down’ in the selected risk areas focuses the auditor’s attention on the work plan sample, rather than those risks which may often present themselves as symptoms of a basic loss-of-control (basic causes) during the conduct of the audit, e.g. as sometimes spotted on the plant tour or a management walk-about. In this latter case, it is all too easy for the inexperienced auditor to report the facts as found, set in a long list of low-level findings, tantamount to hazard-spotting. In our judgement, these are not audit findings, and they are characteristics of the past, not the future:
• worker not wearing hard hat, and/or high-visibility jacket
• paper cup in the metal recycling container
• yard not swept
• box on form not signed
• a ladder ‘abandoned’ in the yard
• bund not pumped free of rainwater.
In our opinion, these are purely symptoms of a possibly greater issue for management’s attention – in these cases possibly ‘ineffective supervision’. But again, we are ahead of ourselves.
Case study
An audit at an organization highlighted a mutual aid arrangement with its competitors in the event of an emergency, for example fire or spillage. The auditors were advised that fire fighters would be brought with all their equipment to the affected site by helicopter, ready to respond. In verifying this system, it was discovered that the connectors for refilling the competitor’s self-contained breathing apparatus (SCBA) tanks were incompatible. After a 30–45 minute helicopter transfer, the only air available was that in the tanks brought to site – possibly 20 minutes – as refilling by the host organization was not possible.
Review and verify
We plan for the review and verify stage of an audit to take 60 per cent of the total audit time. So in the conduct of a two-week (ten working days) audit, this will take six days and can be further broken down into:
• review – 25 per cent (2.5 days) and
• verify – 20 per cent (2 days)
plus an allowance for contingency of 15 per cent (1.5 days). The contingency allowance is important. It gives the lead auditor, or an auditor, time to go back and check, or take a larger sample size (e.g. to speak to more people or review more documentation, in order to confirm matters about which they are not sure). These elements are detailed below.
Review
The review stage commences with our use of the audit work plan, which comprises a sample selected by the audit team of potentially high (gross) risk areas. It is upon this sample that the audit team will later base the overall audit opinion. It is these risk areas that have been chosen for review and verification against the selected reference framework, and the work plan guides all the subsequent auditing activities. An audit is similar to any other type of project, and it should be managed as one with a carefully thought-through time plan. The review stage as described above usually takes around 25 per cent of the total audit time. This is shown in Figure 6.1.
A-Factor 40: Manage an audit as any other project, with careful time planning, including an allocation for contingency.
Audit finding working papers
The review stage commences with the preparation of an audit finding working paper (AFWP) for each risk area in the work plan. We have presented an example of an AFWP on pages 128 and 129, and this can be freely copied to assist with audits. The number of boxes, section titles and so on are not absolutely prescriptive, but we have found in our work as auditors that this format works very well, as it presents a logical (structured and repeatable) auditing process, with a complete and detailed record of the auditing work.
[Figure 6.1 Time plan and activity summary – Review stage. The figure shows the review & testing stage (60%) split into Review 25%, Test 20% and Contingency 15%, and summarizes the activities occupying the auditor’s time and the auditee’s time: reading documents, advising colleagues, interviews, preparing documents, conducting interviews, developing findings, progress meetings and supervisory review.]
We have also included sample AFWPs – both blank and completed – on the book’s companion website. From November 2006, these will be available for download from http://books.elsevier.com/companions/0750680261. With the downloaded versions an auditor can, if they wish, make minor amendments to our forms to suit their own preferences. When you type into the boxes, the suggested boxes extend to contain the text wholly. Figure 6.2 shows our audit thought process, highlighting the connection of the review stage to the business environment, the business objectives, and the risks.
AFWP – step one Give the AFWP a ‘working title’, as per your audit work plan.
AFWP – step two The next step – the second box of the AFWP (see p. 128) – is to confirm to the management why we have selected this particular risk area as significant and worthy of a portion of our and their time for review and verification. This second box is very important. For those readers who may have an insurance background, this is akin to a possible maximum loss (PML) scenario, where ‘worst case’ is considered. Some readers may have involvement in emergency exercises. Likewise this is similar to the disaster scenario which may have been selected as the trigger for response and recovery.
[Figure 6.2 Audit thought process, showing Review stage. The figure links Business objectives and the Organization’s environment to Risks, shown as a risk matrix of the consequence of an incident (people, assets, environment, reputation) by increasing severity – from slight injury, slight damage, slight leak and slight impact, through minor injury/damage/spill and limited impact, major injury, local damage, local spill and considerable impact, single fatality, major damage, major spill and major national impact, to multiple fatalities, extensive damage, massive spill and major international impact – against increasing likelihood, from ‘never heard of in industry’ and ‘heard of an incident in the world’, through ‘incident has occurred in our company’ and ‘happens several times per year in company’, to ‘happens several times per year at location’. Regions of the matrix are marked acceptable, ALARP measures, improve through procedures and supervision, incorporate risk reduction measures, and unacceptable. The Expected control framework is compared with the Actual control framework (Review, highlighted), leading to ‘residual risk – so what?’, Findings, Verify (Applied? Effective? Gaps?) and the draft report & presentation and final report.]
For example, we may write in Box 2: ‘A small, contained explosion in the tank farm will disrupt operations, and lead to adverse media reaction. A large, uncontained explosion will terminate – perhaps permanently – operations on this site, and impact significantly on the neighbouring industrial and residential occupants and the company’s own deliveries to customers.’ Do keep it reasonably credible, and explain the scenario clearly. It is unlikely that any management team (or audit committee) will believe ‘Thousands may die as machine guard fails’. If applicable, we can also refer to specific business objectives, e.g. ‘to avoid adverse media coverage’. Also consider re-reading Chapter 5 to review the need for familiarising yourself with the auditee’s business objectives and their significance in determining ‘risk’. Re-read the Tip on page 94 to enable you to save time by using your own set of reference codes for the business objectives.
AFWP – step three
With the AFWP, our third step is to set out clearly (for ourselves and our auditee) our considered expectation of a structured means of control per risk area. Start by selecting a key set of controls, without which our opinion would be of inadequate control. Record this set of controls in the third box of the corresponding AFWP. It depends which framework we are using in our audit and how this may be expressed, but as we know, the general framework of PDCA will guide us. For example, if we have selected ‘explosion at tank farm’ as a significant risk, we may have a basic expectation (based on PDCA) as follows.
Plan – A specification for the tank farm based on national/international design codes. Fire alarms and fixed fire suppression systems. Safe systems of work, based on detailed risk assessments. Trained, competent staff and supervision.
Do – Safe systems of work implemented. Incidents, accidents and near-misses reported.
Check – Active supervision on all shifts. Non-compliances identified, investigated and rectified.
Act – Regular management reviews of performance. Learning incorporated into future plans and targets.
We do not aim or claim to have identified every expectation, and while this is a very basic example, we trust the reader could extrapolate this approach into a future, interconnected series of expected controls for other risk areas, either against other specific risk control frameworks, or against PDCA. We give one further example below, this time against OHSAS 18001:1999. Again, we do not claim to have identified every expectation. Note also how the formal headings from the standard could be aligned (in an auditor’s mind) to PDCA.
Example
Work plan item ‘Asbestos Exposure – Maintenance Team’
OH&S policy – A written statement of health and safety policy, signed by a member of the top management within the last two years, which has been communicated to all staff, expresses awareness of asbestos as a possible health risk to workers, and commits to minimizing this risk.
Planning – An asbestos management plan which is up to date, and identifies all possible asbestos exposures. This may include laboratory sampling to identify crocidolite, amosite, chrysotile and other asbestos fibres. In the absence of sampling, the plan should identify possible asbestos containing materials (ACMs), and these should be treated as though they are asbestos until proved to the contrary. Asbestos-containing materials scheduled for regular, planned inspections to observe any deterioration in their condition. Selected ACMs (e.g. in locations near forklift truck entrances, where they could be easily damaged), and those which have already deteriorated, should be scheduled for safe removal. Affected staff scheduled for asbestos awareness training. Plans for contractors to be briefed.
Implementation and operation – The OH&S policy is clearly communicated to workers – records available. Asbestos management plan is up to date. Affected staff have received asbestos awareness training – records retained. Contractors briefed – records retained. Selected ACMs taken from site by authorized contractors to approved disposal sites. Waste disposal records retained.
Checking and corrective action – Regular ACM inspection records. Periodic review of records for all potentially affected staff and contractors to ensure training/briefings have been provided.
Management review – Planned reviews at regular intervals by top management on how the organization is delivering upon its commitment to asbestos safety set out in its OH&S Policy.
A-Factor 41: This preparation of the expected control framework is done (probably) before the site work commences, but is essential for focusing the auditor’s questions during the review and the testing in the later verification stage.
Tip – On preparing questions for interviews: know what you want out of a meeting before you go in. You (the auditee and the auditor) are both busy, and keeping to the point is essential. An agenda that shows the risk-activities to be discussed – particularly when meeting with senior and middle managers – can really help.
As can be seen, each of an auditor’s ‘expectations’ can be checked in turn against the documentation and systems established at site level, and as described by the site management – i.e. ‘this is how we expect it to be done here’ – during our series of planned interviews. The audit thought process (see Figure 6.2 on page 117) provides a useful pictorial revision of the first steps of any audit, but then – in its highlighted horizontal aspect – shows the nature of the comparison between the auditors’ expectation (based on the applicable reference framework) and that which management have established for their operations. At this point, we need to highlight the possible differences in approach between:
1. audits of ISO-type, where the review may be between the expectation caused by and set out in the applicable clause of the standard, and the organization’s requirement in its own manual/documentation, and
2. our risk-based approach, where we are focusing on structured control of selected significant risks using a reference framework.
ISO-type audits
The former can become a binary process – and is the approach needed if there is no defined expectation (refer to Chapter 2).
Risk-based audits
In the latter case, the review process can become more intellectual (and for an auditor, much more rewarding). It requires judgement on behalf of the auditor to decide the right mix and the right elements for control that should be present, and then consulting with the auditee and agreeing they should be (and are) there.
NB – We have noted clause 4.4.6 in ISO 14001 and OHSAS 18001 which draws management’s attention to operational controls. Properly, these operational controls should be based upon the significance tests set out in clause 4.3.1, and are thus themselves risk-based operational controls.
Sources of information
As we have seen, the well-prepared auditor will already have much relevant information at his disposal, gathered and sorted at the set-up stage. The importance of developing and then using a good filing system for the paperwork cannot be overstated. Being able to find particular documents when they are needed is vitally important. Few things appear worse than an auditor who cannot find the source of the facts. The auditors may have seen, for example:
• table of contents from applicable manuals
• training matrices
• job descriptions
• example work methods/risk assessments.
Collectively, these documents obtained from the auditee before the audit starts may show the site has thought about its own risks and addressed them with a collection of controls. Of course, much more information will (usually) be available to the auditors when the team is actually on site. It will probably have access to:
• organization’s archive records – reading
• organization’s library of standards and procedures – reading
• people actually doing the work – observing
• staff for interview questions – asking
and so on. Each of these approaches for gaining information has pros and cons, and provides different information on management’s desired approach to control.
Reading
Reading documents – if they are up to date, and not too long (!) – can be a very illuminating source of information at the review stage. A key drawback is that in many organizations, the documentation can lag the current practices. By ‘lag’, we do not mean non-compliance, which is discussed later. What we mean is that the documentation does not reflect the possibly newer practices in the organization. This may be the situation because, with ‘continuous improvement’ activities within organizations so prevalent (‘change is the only constant’), the written system has not or cannot keep up with the work in the field. What’s also true, and a common drawback, is that in some organizations, the drafter of the system has decided ‘why use one page when a hundred-and-five will do’. Even at this early stage, we may have found a possible area for useful comment to management if this were to be so!
Tip – If you are given a 105 page document to read, look through the table of contents and the section headings. You’ll get a feel for the document, and probably, where the sections relevant to the work plan may lie.
Observing
Observing can be a very powerful method of learning how work should be done. A useful question for an auditor is ‘can you tell me/show me how you should do x?’ A trusted member of the organization’s staff will then usually demonstrate the designed system in its application. A key drawback here is to slip into a testing mode and decide too early that ‘someone is doing something correctly/incorrectly’. At this stage, we are simply trying to compare (and write down for later testing) management’s chosen system with the expectation we have developed on our AFWP.
Tip – Don’t be frightened to ask someone to ‘do it again’ when learning by observing. It is important that auditors understand how work has been designed during the review stage.
Asking
Asking too can be a very powerful method of learning how a task should be completed. ‘Do you have a procedure for x?’ or ‘What method have you been trained to use for y?’ are good questions at this stage; again, we’ll be testing later whether it works (or not). If one person from the management team gives a ‘wrong’ answer – i.e. different from our expectation – it does not per se give an auditor an audit finding. When we test the system in application later, we can decide then whether this ‘wrong/different’ system of control gives reasonable output of control (or not).
Tip – Remember that ‘auditors are from Missouri’. Let us explain.
In the US, states have nicknames – Florida is the ‘sunshine state’; Texas the ‘lone star’ state; New York the ‘big apple’ and so on. Missouri is unofficially known as the ‘Show Me’ state (Figure 6.3), though there are several different explanations as to the origins of this. Two of these are summarized below.
Version 1: Missouri became known as the ‘Show Me’ state in 1899, when Congressman Willard D Vandiver said, ‘I come from a country that raises corn and cotton and cockleburs and Democrats, and frothy eloquence neither convinces nor satisfies me. I’m from Missouri. You’ve got to show me.’
Version 2: Another version of the ‘show me’ legend places the slogan’s origin in the mining town of Leadville, Colorado. There, the phrase was first employed as a term of ridicule and reproach. A miner’s strike had been in progress for some time in the mid-1890s, and a number of miners from the lead districts of southwest Missouri had been imported to take the places of the strikers. The Joplin miners were unfamiliar with Colorado mining methods and required frequent instructions. Pit bosses began saying, ‘That man is from Missouri. You’ll have to show him.’
Whichever version of this you may prefer, remember to ask – at the review AND the verification stages – to see the relevant procedures, methods and forms you are told are important to the effective control of the particular risk. This can sometimes feel repetitive, and has even been known to annoy auditees who, at times, feel they are not being believed.
Figure 6.3 Missouri ‘Show Me’ state licence plate
Tip – A great way to put your auditee’s mind at rest is to briefly explain the Missouri story at the start of an audit interview. That explains why, as an auditor, you will want them to ‘show me’ the essential requirement (i.e. their expected control framework and related documentation) each time.
It may sound like motherhood, but unless you ask the right questions, you won’t always get the most useful or actionable information. For example, too many companies use satisfaction surveys that are constructed to answer questions based on their own hierarchy of needs, i.e. ‘What do we want to know?’, rather than ‘What does the client see as important?’. – Carey Evans, Relationship Audits & Management, London.
Case study
In 1998, we conducted a pre-audit on an Asian airline that wished to become certified to ISO 14001. We spent two weeks in-country looking at airport, airside and maintenance operations. During our work, we had already decided to conduct a water balance because in a dry country (as it was), water (even then) was seen as a scarce resource. It was selected as an example of a sustainability opportunity. In our review, we hypothesized that all the water purchased by the airline as a raw material would approximately balance with the water ultimately leaving the organization. Of course, aircraft cooling systems and toilets are filled with water and then fly away. But a corresponding number of aircraft are filled with water and fly back. A water balance is a recognized tool, and can be applied in most audit settings. From paid water supply invoices, we soon knew the value paid and hence could calculate the volume. We set about seeking its path through the organization to its disposal point. We looked at aircraft washing, aircraft systems, catering, toilets, and cleaning. Within a day, we knew that a lot (90 per cent) of the purchased water was ‘missing’. We considered various options:
1. Were employees stealing it and taking it home?
2. Were there leakages in the underground pipework systems?
3. Had there been a site subdivision, and was someone else receiving water without paying for it?
4. Were the water supply bills incorrectly totalled?
5. Were our calculations incorrect?
We asked a lot of questions to resolve this but will merely summarize the outcome of this part of the pre-audit project.
The answers to the above five questions were – 1, no; 2, probably but not significantly large losses; 3, no; 4, no; and 5, no. What we discovered in our verification was that the incoming water was measured by a linear flow meter, approximately twenty years old. There was no evidence that it had been calibrated, and now when one cubic metre of water passed through the meter, it spun like the office fan! Approximately 500 per cent over-readings were the result, and approximately $20 000 USD equivalent the (annual) saving for our client. We were also able to provide the underlying information that resulted in a negotiated settlement for a one-off refund of $20 000 USD to cover all past errors. When we checked in at the airport to come home, we were upgraded to First Class. Clearly our client had appreciated our audit on this occasion! And we are able to tell you about the experience here. Three months later, the client achieved ISO14001:1996.
Ultimately, there are two main outcomes that we can expect from the review process.
Possible review outcomes
There are probably two main outcomes of the review process for each risk area in the audit work plan:
1. the framework’s design may appear to provide reasonable assurance, or
2. the framework’s design may appear not to work as intended – there may be a gap between the actual framework in place and the management’s expectation.
Either of these outcomes (our opinions) is good information. Remember that audit is not about finding things wrong – remember I Will Audit:
• I – An independent assessment of the control frameworks.
• W – An opinion that the control framework is well balanced – between levels of risk and degrees of control.
• A – With the overall appropriateness for this organization.
Accordingly, either of these outcomes will be included in step 4 of completing the AFWP, which will be described later.
An example of an AFWP appears on the following pages, though in practice they are a two-sided sheet. These are blank pages, which can be photocopied for use in your own audits. By this stage of the audit process, the first three boxes should have been filled in, at least in draft:
• title of work plan item
• risk and reason for selection
• expected framework of controls.
We have included a number of sample AFWPs – both blank ones, and examples of completed ones for reference purposes – on the book’s companion website. From November 2006, these will be available for download from http://books.elsevier.com/companions/0750680261. As we progress through our work plan, completing our comparison between the expectation for control created by the appropriate parts of the reference framework and the organization’s own selected controls, we can start to populate Box 4 on the AFWP. As shown, auditors should do this reporting both positive (+ve) and negative (−ve) facts, based on the information gathered, and cross-refer to our other working papers as necessary.
Tip – Do not refer to individual interviewee’s names in audit working papers or reports. Do not divulge ‘who told you’ that something works or not. From following our methodology, anyone would be able to follow in our footsteps and may come to a very similar conclusion to the one that we did. We suggest that you refer to documents (title, reference number, etc.) and insofar as people are concerned, stick to ‘the audit team were told that …’. This of course also allows you to maintain the confidentiality you may have promised respondents. If ‘everyone’ told you something – good or bad – a useful term to use is ‘Everyone we spoke to told us that ….’
When we are sure we have established how the site’s management requires its employees to manage the risk areas we have selected, we can commence our verification (or testing) stage.
Verify
Once management’s framework for control has been established by the review process, the next stage for the auditor is to verify it (or test it) in operation.
[Figure 6.4 Audit thought process, showing Verify stage. The figure repeats the layout of Figure 6.2 – Business objectives and the Organization’s environment leading to Risks (the consequence-by-likelihood risk matrix for people, assets, environment and reputation, with regions marked acceptable, ALARP measures, improve through procedures and supervision, incorporate risk reduction measures, and unacceptable), the Expected control framework compared with the Actual control framework (Review), ‘residual risk – so what?’, Findings, and the draft report & presentation and final report – with the Verify stage (Applied? Effective? Gaps?) highlighted.]
As shown in Figure 6.4, there should be a very clear linkage between the results of review and those controls or BCF elements that can be selected and now verified. As auditors, having established management’s preferred (or chosen) control framework, it is very important that we verify/test that it actually works as intended, and if not, to try to assess the significance of the residual exposures to the achievement of the business objectives. It is upon this verification that we can give our assurance (or not) to both the auditee, in our ‘no surprises’ meetings and at the final exit meeting, and the audit committee, in our final report. There are three possible outcomes to the verification step.
Possible verification outcomes
There are probably three main outcomes of the verification process for each risk area:
1. the activity/work is controlled as designed
2. controls are not implemented, leading to unauthorized exposures and/or inadequately controlled risks
3. control is implemented as designed, but is still not effective at controlling the specific risk adequately.
Again, any of these outcomes is good information to progress the audit. Remember auditing is not about finding things wrong.
AUDIT FINDING WORKING PAPER (AFWP)
Box 1 – Work Plan Item (Descriptive Title/Reference No.)
Box 2 – Risk(s) (Refer Business or Process Objectives which may be affected)
Box 3 – Risk-based Business Control Framework Expected (Main expectations, according to ToR’s Reference Framework, or PDCA)
Box 4 – Identified and Proven Status of Control (Both +ve and −ve examples from Review and Verify stage – Refer to documents, interviews and examples)
+ve:
−ve:
Box 5 – Specific Impact – Significance of Control Weakness (in terms of the effect on relevant Business Objectives)
Box 6 – Failing Business Control Framework Element(s)
Box 7 – Root Cause
Box 8 – Weakness Level: Serious / High / Medium / Low
Box 9 – Recommendation/Corrective Action (SMART)
Box 10 – Auditee’s Response
Prepared by (auditor) and date:
Reviewed by (lead auditor) and date:
A-Factor 42: I Will Audit (Independent, Well-balanced, Appropriate) given the needs of the auditee’s organization.
Control works as intended
Audit verification can often show that the intended system has been communicated to operators, and actually works, based on the sample we have taken.
Tip – As an auditor, remember to remind your auditee that you are not giving a 100 per cent guarantee that this system has and will always work with absolute reliability – you are not! But you can advise that it works as tested. We call this ‘reasonable assurance’; the more time we can give to testing, the more confidence we have in the assurance.
Tip – We can also leverage our testing sample by reference to and reliance on others’ audit work, in which case we need to verify their processes.
Control is not implemented, so does not or may not work as intended
In the alternative, the audit verification may show that whilst authorized procedures are in place, the control framework is applied differently. This may or may not give rise to concern, since the actual control may be more cost-effective, or in the structured means of control there is a compensating control which is making up for the apparent control failure.
Tip – When such compensating controls are identified, the lead auditor should satisfy themselves that the auditee both knows about the situation and has an action plan to either reinstate the authorized control framework or revise it. Often, compensating controls are found in the supervisory control element because ‘loyal employees’ recognize the shortcomings of implementing the approved BCF and out of professionalism or the ‘goodness of their hearts’ do things to ensure a successful outcome, i.e. employees are not injured. Clearly, in these circumstances, the audit finding will be reported for urgent management attention.
Tip – Telling an auditee that the staff is working well and doing a good job (if this really is true!) is always well received in our experience. If they have thought about their work, and have improved it, all that may be necessary is to bring the documented system into line with what is actually happening, at a low or nil cost in most circumstances.
Control is implemented as designed, but not effective
Thirdly, management’s controls may be implemented as intended. However, to give a reasonable assurance, auditors should be able to report whether or not this expected implementation, done correctly, is proving to control the identified risk adequately. For example, an annual check that hearing protection is worn is probably too infrequent to determine the effectiveness of the policy, whilst an annual check of the cables on a goods lift may give reassurance.
Tip – Tell it as you see it. Sparing someone’s feelings does not enhance your credibility, it can only undermine it. But of course there are techniques to deliver bad news without shutting down the audit!
A-Factor 43: To check for controls in place = verify implementation and effectiveness of management’s expected control. For expected controls not considered appropriate or necessary by management = verify acceptability of residual exposure.
AFWP – step four
Whatever auditors find at the review and verify stage, they should write it down onto the AFWP as evidence of control (either positive or negative) in Box 4. On a hard copy form, this can be limited by the space available, whilst on an ‘electronic’ form, the text box can grow to accommodate all of the evidence obtained. We commend auditors to give a full account of what they have found, as this will supply the facts that provide an audit trail leading to their opinion.
Tip – Tell the truth. Don’t be afraid to describe precisely what was found but don’t over-embellish a minor shortfall. Honesty is always the best policy.
Case study
Benefits of health and safety audits in a medium-sized public sector organization.
Organization: A government-funded agency supporting young people across four local authority areas, with 160 employees receiving an annual grant of around £11 million (GBP).
As part of a new government initiative to support young people, this organization was set up to support teenagers through a transitional stage in their lives. With government funding, and a statutory requirement to deliver services, this new organization had to recruit staff from a range of youth work, voluntary and private sector backgrounds in order to meet its targets. As part of the business plan, a health and safety procedures manual, training programme, and a health and safety audit programme was introduced into the organization. Many of the staff had never experienced audit interviews before and the range of backgrounds and lack of organic growth meant that the concept of auditing was met with concern. The health and safety audit programme focused on an inspection of the site to ensure office hazards were being correctly managed, and interviews of a structured selection of staff representing front-line staff, administrators, team leaders and managers. Managers were given a copy of the audit report and were re-audited after three months to ensure that the recommendations had been implemented. The number of non-compliances was used as a key performance indicator for effectiveness of the safety management system.
Once the first round of audits had been completed it was possible to identify a range of benefits for the organization as follows:
• non-compliances were actioned, where previous initiatives had failed
• the audit encouraged compliance because staff knew they would be checked
• the audit reinforced company policies and procedures
• compliance could be demonstrated to regulators
• local and organization-wide problems could be identified for action
• resources and re-training could be targeted to where they were required
• by signing the report, managers understood health and safety was their responsibility
• stratified auditing encouraged all staff to consider their responsibility for safety
• the audit interviews also provided an opportunity to refresh training provisions
• the audit process improved the safety culture at the organization
• staff reported that the process demonstrated the organization was really concerned about their and their clients’ health and safety, which improved morale
• key performance indicators provided a proactive, quantifiable measure of the effectiveness of the safety system.
Confirming findings with the lead auditor
It is important that an auditor discusses and confirms their preliminary and developing findings with the lead auditor and shares them with the rest of the audit team. This is discussed in Chapter 10.
Confirming findings with the auditee (AFWP Box 5)
As areas of strength and weakness emerge, the lead auditor will wish to hold periodic ‘no surprises’ meetings with the auditee to confirm issues that have arisen in the audit, and/or seek guidance if necessary. ‘No surprises’ is a powerful technique which we commend, because:
• auditor errors and misunderstandings are identified at an early stage, when they can be corrected, i.e. confirming the facts
• missing documents, awkward interviewees and other day-to-day issues can be resolved whilst the auditors are on site
• the audit team seeks the earliest ‘buy-in’ from the auditee to findings as they arise; this delivers on the pre-audit ‘sale’ of the process and shows the auditee that the audit is not a ‘secret process’
• auditees like it – they can tell their boss ‘the facts’ and ‘the progress’ and share (if given) the early good news, or start to develop corrective actions if appropriate.
Tip – Use the power of ‘no surprises’, even on a short audit. Even if the audit takes one day, take lunch or coffee with the auditees and talk with them about what has been found, and how the work is progressing – you’ll be glad you did!
A-Factor 44: The best recommendations auditors ever make are those that have been agreed upon with the auditee. The best chance of gaining agreement arises from bringing the auditee onto your side at the earliest possible opportunity.
In Chapter 7, we will gather and group together our detailed findings to present to the auditee. We call this the ‘bottom up’ stage of The Audit Process Roller Coaster©.
Sampling techniques/sample sizing
In this section, we will explain the techniques available to assist auditors to consider whether or not the management system, as prescribed, is in place, and how to intrusively (but selectively) verify it in operation. If we wish to know how many residents of New York State watched the last Superbowl on the television, would we have to ask all 18.98 million inhabitants of the state? The answer is assuredly ‘no’. To establish how many may have watched it, we would ask a sample of inhabitants whether they watched the game, and extrapolate this to the wider population. The same would be true for political opinion polls or public opinion on likely Oscar® winners. Likewise, if we wish to know if all the effluent discharged is within the limits set by a consent (or permission), we do not have to spend all day down the drains! We would take a sample of water analysis results (or indeed organize a series of samples) and possibly look at the organization’s or external inspectors’ test results, and base our opinion upon this information.
As auditors, we have a variety of sampling tools and techniques at our disposal, and the merits of each are presented further on. In reality, a mix of these techniques may be used in each audit. In addition to those described, there is a broad range of mathematical, statistical and analytical tools which tend to go beyond what is required in a risk-based HSEQ audit. Suggested reading on statistical techniques is available in the bibliography. We use and commend the following techniques:
• observation
• corroboration
• examination of records
• brown paper exercise
• independent confirmation.
Observation
A straightforward verification: watch the activity taking place and compare with the standard as reviewed. Does it match?
Tip – Auditing is not a covert exercise and therefore auditors should tell the auditee which activities they would like to observe and at which stages of the process. You should ask the auditee to advise the appropriate site supervisors that you will be attending at a particular time on a particular day. As soon as possible after you arrive at the work site, appropriately clothed and with the requisite personal protective equipment (PPE), you should introduce yourself to the foreman or senior supervisor and confirm that they will be carrying out the activities which you would like to observe. There should be no reason why you cannot describe your test plan to the foreman and, if there is an appropriate opportunity, to the operators. Once this is done and you have checked the necessary paperwork (e.g. permits to work or operators’ licences), try to become as inconspicuous as possible so that both the supervisor and operators forget you are there observing them.
Corroboration
A very useful technique – ask several people the same question, and compare their responses. For example – ‘In your opinion, how well was the recent fire evacuation practice conducted?’ If the practice was indeed conducted well, several people will verify this. Nine out of ten positive responses may also represent a verification (depending upon what No. 10 said!). However, if most people describe chaos, it probably was!
Tip – For note-taking, work as a team if you can – one of you asks, and one of you writes down the response(s). It is difficult to ask, listen and write at the same time. Decide who is doing what. It is probably best if the ‘techie’ asks the ‘techie’ questions. If the reply is ‘techie’ or important, make sure the note-taker has an accurate record of what was said – ask the note-taker to read it back for agreement – yours and the interviewee’s.
Tip – When you are auditing an activity which is carried out by a close-knit group of colleagues, do not be surprised if you get the same responses to the same question from each person in the work group. Generally speaking, the closer the group, the stronger the feeling of ‘them’ and ‘you’. In these circumstances, you will need to corroborate (check) what they say against substantive evidence (e.g. transactional documents, procedures or reports). If you need to rely on another person’s word, then that person needs to be independent of any influence of the first group.
Case study
During an audit in Asia, an auditee told an auditor (at least) three times that the site did not have all the necessary building and planning consents for the site buildings. The auditor was apparently too focused on his questions concerning construction materials and fire separations, and missed the main point that this ‘whistle blower’ was trying to make. The result was involvement between headquarters, senior management and site management, which led to an action plan to acquire the necessary consents before the local authorities stopped work on the site.
A-Factor 45: Learn by listening closely! There is more to hear than ‘yes’ or ‘no’!
Tip – LISTEN
• L – Look interested and it may rub off on your interviewee (enthusiasm can be infectious)!
• I – Inquire with questions which are relevant to your interviewee’s area of responsibility and/or competence.
• S – Stay focused on your interview agenda items so you cover the ground in the time available.
• T – Test your understanding of the facts by asking supplementary questions and summarizing.
• E – Evaluate whether you need to carry on reviewing/verifying a particular agenda item and, if so, where to probe.
• N – Neutralize your emotions. Do not get distracted by irritation or obfuscation.
Tip – Post-interview analysis of interview notes: use a good recording system/proforma to facilitate the post-interview analysis of the facts. Figure 6.5 illustrates a simple proforma that gives you all you need to extract from your interview notes.
Figure 6.5 Pro-forma for post-interview analysis (columns: Interview with; Date; Time; Work plan item No.; Facts learned; +/-; BCF element)
Examination of records
Organizations produce many records and documents such as:
• purchase orders
• invoices
• inspection reports
• accident records
• minutes of meetings
• contractual records
• performance appraisals
• advertising budgets
• training plans
• recruitment results
• competency evaluations
and many more. Examining some of these records and documents – our audit sample – is almost always a good idea. An auditor should select the sample size before the sampling starts. The following table suggests example sample sizes for various population sizes.
Size of population    Suggested size of sample (%)
2–10                  100
11–25                 50
26–100                25
101–500               10
501–1000              5
1000+                 1–2
An alternative statistical approach, and easier to remember, is a ‘square root sample’ – if there have been (say) 144 accidents, a reasonable sample size is the square root of 144, i.e. 12. Take the individual records of the sample from different places in the sequence (i.e. not the most recent twelve, or the earliest twelve). Random number generators (on some mobile telephones today), or random number tables, can be used to identify a random sample, but in most cases we do not think that this is necessary. As you get more used to creating an appropriate sample, we commend that you add or subtract from your original sample size and thereby ‘correct’ it – for example:
1. If the job is done by lots of people, you may take a larger sample to ensure broader coverage.
2. If you have met the only operator of a process, and you are impressed by the knowledge and expediency, you may choose to take a smaller sample.
Tip – If examining training records, an example/suggested sample may be to look at a sample structured in the following way:
• the newest starter
• the longest server
• the first alphabetically
• the last alphabetically
• the most senior employee
• the most junior.
Use numbers 1, 4, 9, 16, 25, 36, 49, 64, 81, 100 and so on (square numbers) to make up your planned sample size.
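The sampling guidance above (the percentage table, the square-root alternative, taking records spread through the sequence, and the structured training-records sample) as an added worked example in Python; this is not code from the book, and the function names, the constructed staff list and the choice of 2 per cent for the 1000+ band are assumptions.

```python
"""Evidence-sampling helpers following the sampling guidance in this chapter.

Added worked example: the percentage table, the square-root rule and the
'spread across the sequence' advice come from the chapter; the function
names, the 2 per cent choice for the 1000+ band and the staff data are
assumptions made for illustration.
"""
import math
from typing import Any, Dict, List, Sequence, TypeVar

T = TypeVar("T")

# (lowest population, highest population, suggested sample %) from the chapter's table.
SAMPLE_TABLE = [
    (2, 10, 100),
    (11, 25, 50),
    (26, 100, 25),
    (101, 500, 10),
    (501, 1000, 5),
]
# The table gives 1-2 per cent for 1000+; we take the cautious end (assumption).
LARGE_POPULATION_PCT = 2


def table_sample_size(population: int) -> int:
    """Suggested sample size from the percentage table, rounded up to whole records."""
    if population < 2:
        return population  # nothing meaningful to sample from
    for low, high, pct in SAMPLE_TABLE:
        if low <= population <= high:
            return math.ceil(population * pct / 100)
    return math.ceil(population * LARGE_POPULATION_PCT / 100)


def square_root_sample_size(population: int) -> int:
    """The easier-to-remember alternative: sample size = square root of the population."""
    return max(1, round(math.sqrt(population)))


def spread_sample(records: Sequence[T], size: int) -> List[T]:
    """Take `size` records spread evenly through the sequence, so the sample is
    neither the most recent nor the earliest run of records."""
    n = len(records)
    if size >= n:
        return list(records)
    step = n / size
    # Pick the record at the middle of each of `size` equal-width slices.
    return [records[int(i * step + step / 2)] for i in range(size)]


def structured_training_sample(staff: Sequence[Dict[str, Any]]) -> List[str]:
    """The chapter's suggested structure for a training-records sample: newest
    starter, longest server, first and last alphabetically, most senior, most
    junior. Each dict has 'name', 'start' (ISO date) and 'grade' (higher = more senior)."""
    picks = [
        max(staff, key=lambda s: s["start"])["name"],   # newest starter
        min(staff, key=lambda s: s["start"])["name"],   # longest server
        min(staff, key=lambda s: s["name"])["name"],    # first alphabetically
        max(staff, key=lambda s: s["name"])["name"],    # last alphabetically
        max(staff, key=lambda s: s["grade"])["name"],   # most senior
        min(staff, key=lambda s: s["grade"])["name"],   # most junior
    ]
    # One person may satisfy several criteria; keep each name once, in order.
    return list(dict.fromkeys(picks))


# Constructed staff list for illustration (not real data).
STAFF = [
    {"name": "Ahmed", "start": "2019-03-01", "grade": 3},
    {"name": "Zoe", "start": "2023-11-15", "grade": 1},
    {"name": "Mary", "start": "2004-06-20", "grade": 6},
    {"name": "Liam", "start": "2015-09-01", "grade": 2},
]

if __name__ == "__main__":
    accidents = list(range(1, 145))  # constructed: 144 accident record numbers
    print("table size:", table_sample_size(len(accidents)))        # 15
    print("square-root size:", square_root_sample_size(len(accidents)))  # 12
    print("spread sample:", spread_sample(accidents, 12))
    print("training sample:", structured_training_sample(STAFF))
```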
Brown paper exercise
A brown paper exercise commences (if taken literally) by covering a large wall or a table top with brown paper. Onto this, take a work system, e.g. a document flow, and map out the route where each piece passes, and where it ends up. Reworking a system in this way shows an auditor what to expect in the records of a department. When you have completed the brown paper exercise, follow the system for the sample set of transactions in reality, to see if the outcomes are the same.
Tip – Before you start such an exercise, ask the auditee whether a flow chart of the relevant business process/activities already exists. If one does, that is fine; save yourself time and use it. If it is only available in digital form to be viewed on a computer screen, there may still be value in carrying out the above exercise to increase the transparency (to you) of the controls.
Independent confirmation
Sometimes, we may need an independent confirmation that ‘something’ is right. For example:
• a composite wall panel is indeed non-combustible
• a passenger lift winding cable is indeed safe
• an electrical transformer does not contain PCB (polychlorinated biphenyl)
• a water sample contains particular levels of zinc.
There is a broad range of laboratories and independent specialists who offer such and similar analytical services. Similarly, we may need independent confirmation of legal issues, in which case the lead auditor should arrange access to an appropriately qualified solicitor.
Tip – In any of the above cases, if this independent expertise can only be provided outside the auditee’s organization, it will have to be paid for. So make sure you have the necessary budget provision before committing the audit department to such expenditure.
Sampling summary
Whichever blend of sampling approaches is taken, there will tend to be a variety of outcomes to the verifications. These can be statistical, quantitative or qualitative.
Statistically significant
This involves expressing an audit opinion in statistical terms – e.g. ten out of ten = 100 per cent, a statistically valid sample. The degree of confidence in relying upon the results of a sample is stated in terms of standard deviations from the norm. If you are experienced enough (or have an appropriate software package) to calculate the right sample sizes and carry out the tests accordingly, you will be able to say you are 99 per cent, 95 per cent or 68 per cent confident in whether something is happening or not. You will find reference to a user-friendly statistical sampling software package in the bibliography.
Case study
All employees (100 per cent) at an off-shore oil terminal in Asia were male Sikhs. The terminal served a sour field, and a known hazard was H2S. Emergency alarms and procedures were established, and all the employees had been provided with personal issue H2S respirators. Male Sikhs do not shave. The respirators provided would almost certainly not seal against a bearded face. Thus, 100 per cent of employees remained at risk of exposure in the event of a leak.
Quantitative
Expressing an audit opinion in quantitative terms, e.g. we checked 20, and 19 of these were OK.
Tip – Sample sizes will often be determined by the time available and the cost of carrying out the tests, given the audit scope and objectives. A key to controlling the audit effort at this stage is knowing how significant the results of the work already done in a particular area are, and how much more information needs to be obtained through detailed testing.
Qualitative
Expressing an audit opinion in qualitative terms, e.g. ‘everyone we spoke to told us that …’.
Tip – Whether the testing approach is quantitative or qualitative, the actual selection of items within the sample can be skewed towards factors which the lead auditor judges as being important, for example: transactions which are a representative cross-section; items of higher value and high risk exposure; activities carried out during high pressure times (e.g. shift handover or emergency response); and a focus on current or recent periods. These will be different in other situations, as, for example, when one is testing the robustness of the management system over a period of time (e.g. the effectiveness of a steering committee of a major project).
A-Factor 46: Whatever you decide as the sampling strategy, record the sample size, how it was derived and the results of the sample (i.e. what the sample told you) in Box 4 of the AFWP.
7 Concluding the Audit
Introduction
In Chapter 5, we looked at the ‘top down’ approach to audit, and in Chapter 6, we looked at the conduct of the review and verification. This third stage of the audit process is to conclude the audit ‘bottom up’ in such a way that you help management to understand the status of what they have in place and where, if necessary, it may need improvement. You should still have at least 20 per cent of the total time scheduled for the audit available for this stage. Staying with the vision of an audit being like a ride on a roller coaster, the concluding stage of the ride starts just after the roller coaster has bottomed out. Your heart has missed a beat and your stomach is coming back up to meet your mouth, and then there is a momentary release of tension until you see the steepness of the climb upwards directly in front of you. But the speed of descent down the roller coaster, with its resultant flood of information into the audit team’s group brain, normally provides sufficient momentum to enable you to reach the top of the slope, at which point the audit team should be ready to issue an audit report. Figure 7.1 illustrates the concluding stage of The Audit Process Roller Coaster©, and this chapter describes how to do it.
A-Factor 47: Acceleration ‘top down’ provides sufficient momentum for the journey ‘bottom up’ the roller coaster.
Concluding the audit – ‘bottom up’
However well the team leader and the audit team have performed in the previous two stages of the audit, it will all count for little or nothing if the audit work to be performed in this stage of the audit process is not fully understood and carried out with precision, imagination and creativity. The challenge for the audit team throughout their work is to create an appetite for the audit findings and the consequent opportunities for business improvement. The final proof of the audit pudding will of course be determined by how senior management relish the eating!
Figure 7.2 illustrates the main activities involved in concluding the audit. The figure breaks down the work to be performed in this stage of the audit process into a number of discrete activities. These activities are not necessarily carried out in the sequence in which they appear in the schematic or in this chapter, since the best results will come from using an iterative approach. That is to say, at the start of this stage, auditors will have available to them a lot of detail regarding the individual controls and control framework relevant to each of the work plan items they have had responsibility for auditing. Auditors not only need to assess this information in terms of its impact on the particular risk exposures associated with each work plan item, but they also need to review the results as a whole. It will then be possible to identify if there are any common traits or patterns that can be reported as a summary finding. Each auditor must also share the results of their audit work in a structured way so that members of the audit team can similarly compare the detail of their own audit findings to the results of their colleagues’ audit work to determine if there are any further common traits that could be reported as a summary finding.
Figure 7.1 The Audit Process Roller Coaster© – concluding stage (labels on the climb, from very detailed to summary: review & verify; develop important issues; re-evaluate remedial actions; evaluate overall level of control; determine audit opinion; prepare structured summary findings and conclusions; prepare report – Part 1 audit opinion, Part 2 clear findings and recommendations; present report; issue final report)
Figure 7.2 Main activities in concluding stage:
• Complete record of findings
• Agree areas of strength and control weakness
• Map results onto business control framework
• Identify and focus on main issues
• Evaluate control framework
• Discuss findings and main issues with auditee
• Determine audit opinion
• Prepare and present findings and report
Getting a clear picture from the mass of information
The starting point for the concluding stage of the audit should be: (1) a completed set of factually accurate audit finding working papers (AFWPs), i.e. one AFWP for each risk area in the work plan, and (2) an accurate picture of the auditee’s actual business control framework (BCF). By this stage, lead auditors should have ensured that they have challenged robustly the details within the content, logical extension and conclusion of every AFWP prepared by each audit team member. The underlying fieldwork should demonstrate sufficient, relevant, reliable evidence which is comprehensively cross-referenced to the source of that evidence and to transactional documentation which is linked to the organization’s BCF. The audit papers should also be properly filed as described earlier in this book. Lead auditors should also have ensured that the work carried out in preparing the AFWPs is clearly traceable directly to individual or groups of work plan items. Then the team leader can demonstrate that the team has fully audited the effectiveness of the BCF, as applied to the high-risk activities selected for the work plan. In Figure 7.3, we have presented the key words in the AFWP associated with the results of a particular audit finding (in this case, work plan item 3.1) and the lead auditor checking this off for completeness against the work plan.
Figure 7.3 Lead auditor checking coverage of work plan (labels: AFWP p.2 – WP item 3.1, scope, control weakness, failing BCF element, root cause, BCF element, remedial action, item, done; work plan – items 1.1, 1.2, 2.1, 2.2, 3.1, 4.1, 4.2 etc. under ordering, receiving, storage and processing)
Identify control weaknesses
In her recipe for Jugged Hare, celebrated British writer on domestic science, Mrs. Isabella Beeton (1836–1865) reputedly said ‘First, catch your Hare.’ Likewise, this is important for auditors. First, they must clearly identify a control weakness. Fortunately, the audit process we have followed will do that at each stage:
• the review stage will identify whether there are any gaps in the design of the business control framework
• the verification (or testing) stage will identify if there is non-compliance with the expected controls
• substantive testing will identify those controls that produce ineffective results.
Tip – This identification of control weaknesses needs to be followed by a process of analysis and synthesis as soon as possible, if the audit team are going to be successful in meeting their objective of reducing the number of audit findings. At this interim stage the classification will fall into three categories:
• OK – because the audit fieldwork has clear evidence of adequacy of control design, appropriate levels of compliance and effective outcomes
• Failing – because there is clear evidence of inadequacy of design, varying degrees of non-compliance and ineffective outcomes
• Uncertainty – because final testing to confirm strength or weakness has not been completed.
But as soon as possible in the ‘concluding the audit’ stage, the lead auditor should have classified all of the audit findings, the fieldwork for which has been satisfactorily completed, as OK or Failing.
Tip – If the lead auditor is in any doubt as to the sufficiency or reliability of the evidence obtained by the responsible auditor, then that part of the fieldwork must remain inconclusive. If appropriate, the work-in-progress can be passed to the local internal auditor to complete.
As a general rule, in most major organizations it is likely that there will be a significantly greater number of controls which are likely to be classified as OK than those classified as Failing. Sometimes this grates with auditors because they think their job is to find failing controls, and they may forget to fully record the evidence of control strength and complete the AFWP accordingly.
Tip – In reality, a talented and effective auditor is one who makes a judgement, based upon factually accurate findings, about the strength or weakness of the BCF they find to be in place. That final judgement is built up from incremental judgements based upon the results of the audit fieldwork for each work plan item.
Categorize control weaknesses
The audit process followed will gradually increase the audit team’s knowledge and understanding of how well discrete, and progressively larger, parts of the auditee’s BCF function. The lead auditor must optimize using the group brain of the audit team through a structured process of analysis and synthesis to assimilate the underlying facts and extract the similarities between or common denominators within individual control weaknesses. This information can then be used as the basis for grouping or clustering detailed audit findings into higher-level audit issues. For example, an auditor may note the following weaknesses:
• staff not wearing PPE
• housekeeping falls short of expectation
• site speed limit exceeded from time-to-time
• signatures missing from small sample of documents
• level 1 audit programme behind schedule
and so on. In our example here, we believe these are not several individual control weaknesses, but one. That one weakness seems to be related to the efficiency and effectiveness of supervision. There are no obvious categories an auditor would necessarily choose for this grouping or clustering process. However, possible categories are suggested in Figure 7.4.
Figure 7.4 Grouping and clustering findings
By priority of importance: • Most (Red) • Next (Amber) • Least (Green)
By cost: • Nil (Opex) • Low (Opex) • High (Capex)
By organization: • Process 1 • Process 2 • Site A • Department B
By reference framework element: • Policy • Planning • Implementation & corrective action • Review
We have provided four examples of possible groups, though of course there are many other possibilities:
By priority
Auditees like to know which weaknesses need to be addressed first, and which may wait. A typical manner of clustering weaknesses is into priority groups, such as:
• immediate
• up to three months
• three to six months
• one year.
Another way to do this is simple colour-coding, with a traffic light approach – red (highest priority), amber and green (lowest priority) – to show which need the earliest attention.
By cost
Ultimately, some weaknesses will require expenditure, either from revenue or capital budgets. A useful alternative to clustering weaknesses ‘by priority’ is to cluster ‘by cost’, with nil and low cost items (revenue) separated from matters requiring application from capital budgets.
By organization
A third option is to group weaknesses under organizational headings – by process, department, building or site, for example. This approach can be used in conjunction with one of the other groups, i.e. within each department, control weaknesses are clustered by priority.
By reference framework
Throughout our work, commencing with the ToR, we have referred to one or more reference frameworks. A useful clustering could be under the elements of the framework – PDCA, or whatever. This is a useful approach, as it tends to cluster further the weaknesses into their root causes.
Tip – Discuss with the auditee how he or she may wish to see the weaknesses grouped. Should there be a preference, and you have flexibility to prepare the report in this way, it would be a good idea to satisfy these preferences.
A significant number of failings or root causes falling within any of these objectives, components or elements may become the signposts leading to a meaningful higher-level issue. However, literally any relevant category can be used to group detailed control weaknesses into a few main audit findings. Suitable categories will become obvious to the audit team as they begin to get into the process.
Identify root causes of control weaknesses
Of course a huge potential benefit of carrying out internal audits would be lost if each auditor, the audit team and the lead auditor did not ask the simple question, ‘Why, or how, was it possible for this aspect of the control framework to fail?’ Finding a significant control weakness and getting the auditee’s agreement that they will fix the problem is certainly a good result from the audit. However, unless the auditor and auditee unearth the root cause of the control failure, it is quite possible that the benefit of the fix will be short-lived, as there may be a similar control (that was not reviewed in this audit work plan) which is already failing or will be allowed to fail soon. By identifying the root cause of a particular weakness, the auditor is likely to expose similar controls that have not been audited but which, if they were failing, would have a negative impact on the auditee’s organization achieving their business objectives. There are various established techniques, proprietary software tools and well-documented methods available for root cause analysis. Some applicable titles are provided in the bibliography. However, we believe that an effective way of finding the root cause of a control failure is to ask questions about how well other key controls in the same BCF were and are working. For example, if the identified control failing is a procedure, then ask the question ‘Was this failing identified by a supervisory control? If so, what was done about it?’ And if the supervisory control had failed, then one needs to ask the question ‘Does an adequately designed supervisory control exist and was it operating properly?’ And if there was no suitable supervisory control, then one needs to ask the question ‘Are there sufficient competent manpower or other automated resources available to carry out the necessary supervision?’ Then one could ask the question ‘Were the risks associated with the control failure properly assessed? If so, what was the agreed risk response to structure? If not, is there a fit-for-purpose hazard and effect management process in place?’
Case study
An employee of a large organization had cut his hand on a sheet of steel in a power press shop. The investigating health and safety officer applied a technique of asking questions about how well other controls within the same BCF for hand protection were working, applying the style of ‘domino theory’ (Boyle, 2002; Fuller and Vassie, 2004). The injury was a serious cut to the left hand. Instead of blaming the worker, the investigation chose to consider the possible reasons why the worker was not wearing the strong gloves that had been approved for use on that type of work. It was discovered that those gloves were not available that day in the stores and that the worker had ‘done his best’ and got on with the work without wearing them. Instead of blaming the store-keeper, the investigation chose to consider the reasons the stores did not have gloves. It was discovered that the glove supplier, having been chased five times for a delivery, had made five delivery promises to the store-keeper. Instead of immediately blaming the supplier, the investigation chose to consider why the delivery promises had not been kept. It was discovered that the supplier had not been paid for three months by the large organization, but had been promised five times that ‘the cheque would be posted today’, and in each case, it had not been received, and accordingly the account not settled and normalized. If the organization had blamed the worker, the probable outcome would have been further cut hands, rather than resolution of the weakness in the accounts department.
As long as the auditor keeps asking questions about the existence and effectiveness of controls in the BCF, this approach will track down the control failure at the highest level in the framework, for example, unearthing a failure to have clear objectives or direction. This approach is shown in Figure 7.5.
Figure 7.5 Tracking down the root cause (labels, from the top of the framework down: objectives, direction, management, ops; plan failing?, policy failing?, organization failing?, review or appraisal failing?, monitoring failing?, operational failing; the effect of a control failing is generally felt first in operations, but there will be a reason for this failure at a higher level in the control framework – audit analysis must uncover root causes)
Tip – In addition to fixing the failing control and addressing the issues surrounding the root cause, another valid audit recommendation would be for the auditee to review the effectiveness of each of the other controls potentially affected by the same root cause.
Prioritize control weaknesses

Before a team member tries to persuade the lead auditor that they have identified a control weakness, they should ask themselves ‘So what?’ In other words, at an early stage they should be looking for control issues that are significant and not ‘quick hits’ which will just add to the mass of lower-level audit findings in which senior management have little interest.

A-Factor 48: A significant finding is one to which the answer to the ‘So what?’ question is assessed in terms of a significant impact which the control weakness is very likely to have on the auditee’s ability to meet their immediate business objectives or, more significantly, the ability of the organization to meet its corporate objectives.

The particular business objectives that are most likely to be impacted are probably the same ones reviewed when the AFWP was opened and the high-risk nature of the selected work plan item was challenged and validated. Along with the ‘So what?’ question, the auditor can also get answers to two other questions to help him prioritize the control weakness level. The first is ‘How easy is it going to be to fix the whole problem?’ The assessment of ‘easy’ would include ease of access to the required competence, sufficient availability of those resources’ time, and sufficient financial resources. The second is ‘Why has it been left to an internal audit to discover this control weakness?’ Here the auditor needs to realize that many audit findings are not necessarily ‘news’ to auditees. However, what may be ‘new’ is a different perspective leading to a clear understanding of exactly how exposed either the auditee or possibly the business will be if they continue to condone the status quo. Control weaknesses can be prioritized using various gradations of terminology to signify their importance. Generally, there is no need to go further than splitting the control weaknesses between serious, high, medium and low.
The two higher categories are reserved for control weaknesses that to a greater or lesser degree of impact and/or timeframe will affect the achievement of corporate objectives until senior management takes timely action to address the weaknesses. The two lower categories are used to classify control weaknesses that impact the achievement of the auditee’s process or departmental objectives, without significant impact on the corporate objectives.
Low-level weaknesses are generally those that affect the economy and efficiency of the auditee’s outputs. There needs to be some means of flagging to management those situations where control weaknesses have been identified and reported previously to higher-level management (whether through a previous independent audit or departmental monitoring activity) but have not been properly and effectively reacted to by them. One way of handling such situations is to prioritize the underlying audit finding at one level higher than the original rating. However, the delay in a timely reduction of exposure may have resulted in the situation worsening, in which case the control weakness may be prioritized at an even higher level in its own right.
Reduce the number of discrete findings

One of the reasons why the majority of internal audit reports don’t possess a ‘wow factor’ is because they include too many, often low-level, findings. A mass of audit findings, whilst quite correctly identifying things that have happened but should not have happened, will not be attractive to most senior managers.

Tip – Senior managers do not expect to look at a plethora of findings and detail. They wish to be told how they can help the business. They expect lower-level managers to take care of the detail!
The challenge for the audit team during the concluding stage is to interpret what the mass of information, acquired during the fieldwork, is saying about the state of risk management throughout the auditee’s area of responsibility. The result of their interpretation then needs to be expressed in high-level terms.

Tip – Whatever the number of discrete audit findings that the audit team have produced as a result of the detailed audit fieldwork, the lead auditor needs to set a stretch target for the team to develop a maximum of twenty main audit findings and a maximum of (say) five final messages for management. Figure 7.6 shows in simple style how this can be achieved by clustering them together.
To achieve this step change in squeezing out more value from the audit fieldwork and increasing the chance of senior management involvement in putting right what needs to be put right, the audit team must use a structured approach towards grouping and clustering the lower-level audit findings. This work will demonstrate the audit team’s understanding of how many of the basic audit observations and findings can be built up into meaningful, substantial findings of interest to management because they relate to their efforts to achieve or even exceed their corporate business objectives.
Figure 7.6 Reduce the number of findings for senior management
(Diagram: some 200 very detailed findings are reviewed and verified, clustered into 20 groupings, and distilled into 5 key messages for the report summary; the level of detail involved falls at each step towards reporting.)
Sharing the detailed findings

The success of the audit methodology described in this book depends upon the ability of each auditor to share relevant parts of the information they have obtained during their part of the fieldwork. To do this, we need a means of recording key statements of fact onto a simple simulation of the auditee’s BCF. To make the information comprehensible, we need to allocate the facts to each element and to say whether each fact indicates strength or weakness. The physical nature of such a BCF for use in this audit methodology can be either individual wall charts or a database in a computer. However, what is important is that the whole audit team can easily see, essentially at a glance, every item of discrete factual information allocated to each BCF element, and how the facts are populating the overall BCF. Figure 7.7 shows how facts can be transferred from an interview download into the elements of the BCF summary sheets.

Tip – When the audit team has more than two or three members, it becomes more difficult to share A4-sized working papers. An approach commended by the authors is to use A1-sized, flipchart-sized sheets which can be wall-mounted. Everyone can see them, and discussions concerning ‘the facts’ are easier.
This fact-loaded ‘vision’ of the BCF will quite quickly become a veritable treasure trove of the knowledge which has been extracted during the fieldwork by every member of the audit team and contributed to by each of them, working individually or with others. New facts (positive or negative) should be populated onto the BCF as soon as auditors are sure of the accuracy of the information they have obtained, together with hard documentary evidence, where applicable, to prove it. Facts can also be added to the BCF as the audit team extrapolate new facts from the original facts, obtained during their fieldwork, and when they are confident which individual control element of the BCF to record the information against. Some photographs of BCF wall-sheets populated with facts from actual audits are shown in Figure 7.8.

Figure 7.7 Downloading information after an interview

Interview download analysis worksheet:

  Fact learned               +/–    Work plan #    BCF #
  1. No project manager       –        2.1           2
  2. Risk assessment done     +        3.2           3
  3. Budget not approved      –        2.1           2
  4. Up to date guidelines    +        2.1           3
  Etc.

AFWPs (AFWP = Audit finding working papers): one per work plan item, e.g. work plan item # 2.1 and work plan item # 3.2.

BCF wallcharts (BCF = Business control framework): one sheet per element, e.g. Element # 2 Organization and Element # 3 Procedures, each divided into positive facts and negative facts; etc.

For the methodology to work, it is critically important to record all the results of the audit fieldwork based on full coverage of the work plan. An auditor’s natural reaction is to skate over, mentally and practically, areas where the expected controls are in place, their purpose is well understood by different levels of management and they are applied correctly, their application and effectiveness is regularly confirmed and there is evidence of incorrect application being identified and corrected. In other words, auditors tend not to notice risk areas where there is plenty of evidence of strength. But they must!

Tip – Unless all the areas of strength found in the BCF are recorded as fully as examples of weakness, then there will not be an accurate weighting of strong controls to influence the audit team’s deliberations when they come to determine the overall audit opinion.
Figure 7.8 Wallcharts aid sharing of information
Tip – It is important to be able to trace every positive and negative fact recorded on the BCF back to its original source and to the auditor who carried out the fieldwork and, if relevant, the work plan item to which the facts refer. Figures 7.7 and 7.9 show how to do this.
Tip – The aggregate information obtained during the fieldwork, recorded on AFWPs and allocated to an element of the BCF, will be the factual and logical basis upon which the audit opinion is founded.
A-Factor 49: All areas of strength found in the BCF must be recorded as fully as examples of weakness, so there is accurate weighting of each.
Keep in contact with the auditee

Regular contact with the auditee at this stage of the audit can give many benefits; not least, discussing in a low-key manner apparent control weaknesses discovered during the fieldwork, and either having your misunderstandings clarified with the opportunity for re-auditing specific controls, or getting to agreement with the auditee about the facts, the extent of the weakness and the root cause.
Figure 7.9 Interview download sheets show how information has been processed
If auditees understand why an auditor is concerned, they generally will provide resources for further testing, checking and quantifying exposure to particular risk scenarios, particularly if the control weakness is likely to affect the successful performance of their department. Such a consultative approach (particularly if practised by the lead auditor from the start of the audit) will often result in the auditee giving assistance to the audit team at a time when The Audit Process Roller Coaster© is running on pretty steep rails, and time is critical. Formulating effective remedial action is another task the auditee will be more eager to assist with once they have understood and participated in a joint analysis of a particular control weakness. Although you will have ideas as to what needs to be done to rectify the situation, it is better to encourage the auditee to suggest what can be done and what improvement they expect to achieve.

Tip – The degree of interest and commitment to make changes to the way the control framework operates and the amount of cooperation to ensure that the ultimate change has the required effect, will normally be in direct proportion to the openness, constructiveness and professional manner in which the lead auditor handles the auditee during the concluding stage.
Stand back and analyse information obtained

This requires careful organization and recording of every fact, both positive as well as negative. Everything obtained should contribute something when the audit team have to make their final evaluations of each control weakness, every element of the auditee’s BCF, and the overall BCF.

Tip – The challenge for the audit team, during the latter part of the fieldwork stage and the initial part of the concluding stage of the process, is to effectively use the mass of discrete facts obtained during the fieldwork.
As AFWPs are completed, their underlying weakness ratings (serious, high, medium, low) should be recorded both on the specific AFWPs in question, and onto the appropriate business control element of the BCF wall charts. Even though all the analyses of the information gathered during the fieldwork may not have been fully completed and the conclusions drawn about the controls may not yet have been entered onto the BCF wall charts, the audit team should be encouraged to start paying more attention to the information as a whole. This is the moment when the methodology that uses wall charts, rather than a database hidden within a computer, comes into its own.

A-Factor 50: The audit team has to be able to see the balance of the emerging facts if it is to apply its mind to what those facts mean. Large wall charts are a fantastic idea, because they lend visibility.

From a relatively cursory analysis of all the information (sorted into positive and negative impacts upon each control element) each member of the team should be able to see the extent to which there is correlation between the results of their audit findings (which came out of focusing on individual work plan items) and the aggregate information on the wall charts. Looking for this correlation early on in the concluding stage will encourage the audit team that the dual approach to evaluating the overall BCF is working.

Tip – Taking this holistic view may also help individual auditors to understand better the dynamics of the control framework within the areas they have been looking at, especially when working on the analysis of root causes.
Business control assessment matrix

At a certain stage in this process, the lead auditor can open a summary evaluation tool called a business control assessment matrix (BCAM). Rather than having a lot of detailed information, as has been recorded on the wall charts, the BCAM will only record any resultant failings, with their respective weakness level, and the root cause for each audit finding. Figure 7.10 shows an example of a BCAM. As more AFWPs are completed, and control weaknesses identified and grouped into generic findings of control weakness, the resulting information can be recorded on the BCAM.

Tip – The lead auditor needs to be aware of the source of the information to avoid recording both the results of discrete control weaknesses (or strengths) and the aggregate results of a group of the same control weaknesses.
Develop main issues

The audit team, and especially the lead auditor, must now use the momentum created by the roller coaster to confidently develop the main issues which their audit work has brought to the surface. The most significant criterion for selecting such main issues will be finding issues which directly and significantly affect the achievement of corporate objectives. The most important issues are those which clearly demonstrate activities within the auditee’s organization that are having or will have, with some high degree of certainty, a significant negative impact on the achievement of corporate objectives, in both quantitative (‘the what’) and qualitative (‘the how’) terms. This stage of the audit process is a key opportunity for the lead auditor to demonstrate sound judgement as well as technical ability.
Findings and recommendations

Prepare summary audit findings

As Mrs Beeton instructed in her recipe for Jugged Hare, now that you have your main ingredients, you can start to prepare them for serving. In this instance, the preparation is to write them up in a style which will be suitable for consumption by senior managers.

Tip – It is important to give each main issue a ‘catchy title’ to capture management’s imagination. These, we think, are NOT catchy:
• Housekeeping
• General health and safety
• Deficiencies in quality policy, page 47, paragraph 2, section 3c, iii, 2nd bullet
• PPE (personal protective equipment) – Lack of fully documented risk assessments in accordance with the Health and Safety (PPE) Regulations 1992 and the Management of Health and Safety at Work Regulations 1999; both as amended several times.

We think the examples that follow are ‘catchy’ since they grab the reader’s attention. We commend writing in this style:
• Explosion at tank farm
• Asbestos exposure – maintenance team
• Product contamination – customers poisoned
• Risk of spill – river Thames.

Figure 7.10 Business control assessment matrix (BCAM)
(Matrix layout: columns for the BCF elements Policy, Organization, Procedures, Supervision and Rev. & App., with the overall management system ratings entered across the top; one row per work plan item by Ref.#: 1 DHO – project management; 2 Inland depot – project management; 3 Systems implement (ADM/RAM); 4 Strategic stock reserve legislation; 5 Stock outs; 6 Jetty operations – spill in river; 7 Rail operations – prod. crossover; 8 Stock losses; 9 Tank storage integrity; 10 Fire protection; 11 Inland depot – deliveries; 12 Own fleet deliveries (bulk); 13 Contractor fleet deliveries (bulk); 14 Delivery scheduling; 15 Cash/credit rating control; and a final line ‘Overall audit opinion =’.)
Three to five carefully selected words can give a powerful message to senior management and compel them to read further. Keep the title in draft at this stage as required, and it can be revised (or confirmed) later. Without trying to be too funny or too incredible, we suggest you think how a tabloid or ‘red top’ newspaper may report on this potential risk area on its front page. ‘Housekeeping’ will not sell newspapers. ‘Explosion at tank farm’ would (and has!), as Figure 7.11 illustrates.
This is printed under the GNU Free Documentation License on Wikipedia
Figure 7.11 Buncefield oil terminal in the news
The narrative should lead the reader’s thought process as follows:
• What is the business activity?
• What are the key risks inherent in that activity, and how might they impact business objectives?
• What are the key controls expected to be in an effective control framework?
• Which controls (in which control elements) are present and the extent of their effectiveness?
• Which controls (in which control elements) are failing and the impact of this failure?
• What is the root cause of the failure?
• What needs to be done to improve the situation?
• How urgent is the matter?

Drafting these summary audit findings is likely to go through a number of iterations since on them hangs much of the potential success of the whole audit.
Initial preparation of recommendations

Historically, auditors have been castigated by auditees because they only ‘bring problems, not solutions’. That is not really surprising since it is the auditee who needs to decide exactly what, when and how they should react to audit findings. However, if the ‘no surprises’ contact between the lead auditor and the auditee has been successful and the auditee fully understands and accepts the control issues which the audit has surfaced, then they are more likely to take the initiative and propose what they see as the most appropriate remedial action. The lead auditor needs to be prepared to assist the auditee to arrive at a workable solution that is likely to be effective. So, in exactly the same way as the audit finding must be completely defensible from challenge by the auditee, similarly the lead auditor should be able to assess the robustness of the auditee’s proposed solutions, on the basis of reliable facts and information. For example, what level of competence and seniority of personnel would be required, and are such individuals available; how much time will the necessary work take, and can the auditee afford to wait that long; how much will it cost? All these facts need to have been researched as well as possible in the final part of the fieldwork. In the best scenario, the auditee will discuss the underlying issues and provision of the necessary resources with his line manager. However, with the more serious audit findings, generally the process will take quite some time for management to accept the significance of a control weakness and work out what to do. Often there are knock-on effects which need to be carefully examined and external parties need to be consulted.
Draft audit report Part 2

The audit report is split into two parts. Part 1 is the management summary and Part 2 is the full detailed report. Part 2 is prepared first, followed by Part 1 (as most managers know, it is usual to prepare the management summary last of all). Clearly what is required from the whole report is a readable, logically thought-out report that presents the audit team’s conclusions and the basis upon which they have arrived at them. The report deals in turn with any serious, high or medium level weaknesses, recording the detailed findings in much the same way as the structured contents of the AFWPs, and the summary information about the main findings. Using previously prepared information, such as that on the AFWPs, eliminates the task of a major re-write to create Part 2 of the audit report. The first section for each issue detailed comprises a full story of each issue (or group of issues) describing the expected controls, the actual controls found, the residual risk resulting from any difference between the two, the root cause of the problem and the impact of the risk on the process and/or company objectives. The second section is for remedial action. A typical layout for this is shown in Figure 7.12. In its entirety, the content of audit report Part 2 must drive the reader towards the same understanding and conclusion that led the audit team to their final audit opinion regarding the adequacy or inadequacy of the auditee’s BCF as it is currently in place and functioning.
Figure 7.12 Audit Report Part 2 structure
(Part 2 – Findings and actions, laid out in three columns: Issue | Exposure | Action. For each issue: the Issue column carries a descriptive heading, the expected control and the actual control; the Exposure column carries the residual risk and the impact of risk; the Action column carries reducing risk and removing cause. The row layout repeats for each issue.)

Evaluate each BCF element

A key part of the audit methodology explained in this book is that the effectiveness of the reference framework in controlling the risks within the auditee’s area of responsibility is primarily assessed by reviewing and verifying how well the relevant key controls within the reference framework are applied to all of the essential tasks occurring in the audit team’s sample of high gross risk activities in the auditee’s part of the business. The results of auditing each of these activities are recorded on the AFWPs. Simultaneously the underlying control strengths and weaknesses are used to populate the control elements within the reference framework. Figure 7.13 illustrates how this is applied in practice. Before we start to write Part 1, the management summary, of the audit report, we must write a summary of how each control element in the auditee’s BCF is contributing to or detracting from its overall effectiveness. The summary for each element should make it absolutely clear to the reader why the audit team have assessed the element to be either positive or negative in its contribution. This summary should demonstrate the same inescapable conclusions which the audit team arrived at in selecting the main findings, and be based on the same irrefutable evidence and logical analysis. The result of the positive or negative assessments of each control element can then be added to the top of the BCAM. The audit team should now compare these control element assessments against the failing controls and the root causes (and areas of strong control) for each of the work plan items and subsequently developed summary items. Figure 7.14 shows how this is done in practice.
Figure 7.13 Checking the facts on AFWP against the information on the BCF wallcharts
(Left: an audit finding working paper for work plan item # 2.1, with sections for Risk(s), Expected control framework and Actual control status, the latter listing 1. Procedures not up-to-date (–); 2. Hazard and effects management process complete (+); 3. Hazard register in use (+); 4. Training budget not approved (–); 5. Policy recently revised to reflect new legislation (+). Right: BCF wallcharts for Element # 1 Policy, Element # 2 Organization, Element # 3 Risk assessment, Element # 4 Procedures, etc., each divided into positive facts and negative facts, to which the numbered facts are transferred.)
Figure 7.14 BCAM – Cross-reference between each element and individual work plan item’s results
(Business control assessment matrix: rows are the scope areas Ordering/supply, Movements inward, Storage/stock mgt, Road fleet planning, Road fleet ops, Deliveries and Facilities maintenance; columns are the BCF elements General management, Organization, Policy, Procedures, Supervision and Review & appraisal. Each cell lists the work plan item results that fall on that element, e.g. ‘1.2 High (RC)’, ‘1.2 High (F)’, ‘3.3 Low (F)’, ‘5.4 High (RC)’, ‘8.5 High (F)’, where (RC) = root cause and (F) = failed element. A final row gives the +/– assessment of each BCF element.)
Only once this overall cross-referencing exercise has been completed can the audit team confidently say that they have arrived at their overall audit opinion using as objective a basis as was possible.
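The prioritization rule described under ‘Prioritize control weaknesses’ (a weakness already reported to higher management but not acted on is rated one level higher, and higher again if the delay has let it worsen) and the BCAM cross-reference of Figure 7.14 (each work plan item’s failed element and root-cause element recorded against the BCF elements, with strengths weighed as fully as weaknesses) are easy to get wrong when done by hand across a large team. The following is an added example written for this edition, not the authors’ own tool or code; the element names, weakness levels, work plan item numbers and interview facts are constructed sample data, and the `Fact`, `Finding`, `rated_level`, `element_balance` and `build_bcam` names are this example’s own.

```python
"""Added example (not from the book): a small model of the AFWP -> BCF
wallchart -> BCAM flow, including the rule that a previously reported but
unaddressed weakness is rated one level higher.  All element names, levels,
work plan item numbers and facts below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass

# The book's four gradations, in increasing order of concern.  The order is
# what the escalation rule relies on.
LEVELS = ["low", "medium", "high", "serious"]

# BCF elements used by this example (constructed subset; the book's sample
# BCAM uses Policy, Organization, Procedures, Supervision, Review & appraisal).
ELEMENTS = ["policy", "organization", "procedures", "supervision", "review_appraisal"]


@dataclass
class Fact:
    """One line of an interview download sheet (as in Figure 7.7)."""
    text: str
    positive: bool
    work_plan_item: str   # e.g. "2.1"
    bcf_element: str      # element the fact is recorded against
    auditor: str          # traceability back to the fieldwork


@dataclass
class Finding:
    """An AFWP result: the failing element, its weakness level and root cause."""
    work_plan_item: str
    failed_element: str
    root_cause_element: str
    level: str
    previously_reported: bool = False   # reported before, not acted on
    worsened: bool = False              # exposure grew while unaddressed


def escalate(level: str, steps: int = 1) -> str:
    """Raise a weakness rating by `steps` gradations, capped at 'serious'."""
    i = LEVELS.index(level)
    return LEVELS[min(i + steps, len(LEVELS) - 1)]


def rated_level(f: Finding) -> str:
    """Apply the escalation rule: one level up if previously reported and not
    acted on; a further level up if the situation has worsened meanwhile."""
    level = f.level
    if f.previously_reported:
        level = escalate(level)
        if f.worsened:
            level = escalate(level)
    return level


def element_balance(facts):
    """Count positive and negative facts per BCF element, so strengths are
    weighed as fully as weaknesses when the element is assessed."""
    bal = {e: {"+": 0, "-": 0} for e in ELEMENTS}
    for f in facts:
        bal[f.bcf_element]["+" if f.positive else "-"] += 1
    return bal


def build_bcam(findings):
    """Cross-reference each work plan item's failed element (F) and root
    cause (RC), with its rated level, against the BCF elements."""
    bcam = {e: [] for e in ELEMENTS}
    for f in findings:
        tag = f"{f.work_plan_item} {rated_level(f).capitalize()}"
        bcam[f.failed_element].append(tag + " (F)")
        bcam[f.root_cause_element].append(tag + " (RC)")
    return bcam


def root_cause_hotspots(findings):
    """Elements that are the root cause of more than one finding: where the
    other controls affected by the same root cause should also be reviewed."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.root_cause_element] += 1
    return sorted(e for e, n in counts.items() if n > 1)


# Constructed interview download lines and AFWP results for the demo.
SAMPLE_FACTS = [
    Fact("No project manager", False, "2.1", "organization", "auditor A"),
    Fact("Risk assessment done", True, "3.2", "procedures", "auditor B"),
    Fact("Budget not approved", False, "2.1", "organization", "auditor A"),
    Fact("Up to date guidelines", True, "2.1", "procedures", "auditor A"),
]
SAMPLE_FINDINGS = [
    Finding("2.1", "procedures", "organization", "medium"),
    Finding("3.3", "supervision", "organization", "low", previously_reported=True),
    Finding("5.4", "procedures", "policy", "high", previously_reported=True, worsened=True),
]

if __name__ == "__main__":
    for element, cells in build_bcam(SAMPLE_FINDINGS).items():
        print(f"{element:18s} {', '.join(cells) or '-'}")
    print("root-cause hotspots:", root_cause_hotspots(SAMPLE_FINDINGS))
```

The block deliberately stops at the matrix and the per-element balance of facts: it does not derive the overall audit opinion, because, as the text says, counting findings can only be a supporting cross-check and the opinion rests on the lead auditor’s judgement of the grouped weaknesses.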
Overall audit opinion

How to determine the overall audit opinion

It is generally accepted practice today for audit opinions for internal control audits to have an even (two or four) number of gradations, such as good, fair, poor and unacceptable. This reduces the possibilities for auditors to ‘sit on the fence’ – ‘I’ve seen better, I’ve seen worse, I’ll put it in the middle’. Many large organizations have devised their own gradation models, and some have dispensed with them completely.

Tip – Hours of erudite debate have surrounded the distinction between a ‘review’ and an ‘audit’. Our distinction is that an audit will result in a level of assurance being given to the auditee and the audit committee as a result of the audit work. A review is primarily focused at identification of individual areas of strength and weakness which will be reported individually, and is not required to aggregate the impact of these findings in the form of a single audit opinion.
Figure 7.15 The implication of the audit opinion

Opinion: Good
  Concern: Very few and specific.
  Senior management involvement: No desire or need to take more or less risk. No follow-up required by auditee’s function head.

Opinion: Fair
  Concern: Room for overall enhancement.
  Senior management involvement: Actions needed to enhance design and/or operation of control framework, to adjust risk exposure. Next level of management should be advised of and review actions required.

Opinion: Poor
  Concern: Overall cause for concern.
  Senior management involvement: Key elements of design and/or operation need improvement. Significant gap between the current level of risk exposure and the ‘target’ level. Next level of management should monitor implementation of actions and improvements.

Opinion: Unacceptable
  Concern: Wide-ranging, may affect or expose other parts of Co.
  Senior management involvement: The next level of management should take urgent action to confront the situation and commit appropriate resources. Shareholder’s senior representative should monitor the improvement.
A-Factor 51: Overall audit opinions should have an even number of gradations. The overall audit opinion should reflect the overall level of concern resulting from the audit work. Each gradation should be clearly defined in terms of an objective assessment of the level of concern that should be felt by the audit’s sponsor and the consequential degree of follow-up required from senior management, as shown in Figure 7.15.

Caution is required when using the absolute number of findings to determine the audit opinion directly. Such a quantitative approach can provide a supporting cross-check, but as we have said, our approach is based upon grouping weaknesses, rather than counting them! It is the audit team’s judgement on the concern arising from the overall weaknesses that provides the audit opinion to senior management. Arriving at an audit opinion is not an art, nor can it be called a science. As professional auditors using an effective methodology, we strive to arrive at an opinion as a team based on objective evidence (of both weakness and strength). However, in the final analysis it is the lead auditor’s responsibility to make the decision and he or she will use their judgement to weigh all the facts available to them.

A-Factor 52: The lead auditor is ultimately responsible for the conduct of the audit, and the overall audit opinion.
‘No surprises’ with auditee

Once the audit team have got to this stage of concluding the audit, it is important that there should be a final meeting with the auditee (and possibly the sponsor of the audit) so that a final opportunity is given to the auditee to raise questions about any aspect of the audit, the way it was conducted and its overall outcome. The lead auditor should be prepared for a reaction if they must tell the auditee and the sponsor that the audit opinion is Poor or Unacceptable. As soon as the lead auditor realizes that there is a likelihood of this outcome, they can prepare by briefing the auditee at earlier meetings, stressing the depth and breadth of the control failures which the audit team are finding. The lead auditor should also keep in mind what they heard at their initial meetings with the auditee, and possibly the sponsor, regarding their self-assessment of the current effectiveness of the BCF that was to be audited. Of course, however much logic there is to the conclusion, it is human nature that ambitious managers will not take kindly to criticism and will wish to avoid being judged to have failed. This emotional element will be even more prevalent if the audit results are part of the auditee’s and/or sponsor’s personal performance appraisal upon which their annual bonus is based! And the wider the gap between the auditee’s self-assessment and the audit opinion, the tougher the final clearance meeting will be. Even at this late stage, the lead auditor must listen carefully to the auditee’s (and possibly the sponsor’s) contributions to the discussion. Clearly the most important outcome from this meeting will be unequivocal support for everything that has happened during the audit and most particularly for the results.
If the lead auditor does not take the opportunity at this stage to react positively to the auditee and the sponsor, he or she may be jeopardising the achievement of a 90 per cent win at the expense of losing 100 per cent of the audit.

A-Factor 53: The audit opinion is not negotiable once the audit team has arrived at its decision.
Prepare audit report Part 1

This report delivers the audit results to senior management. It spells out the audit opinion, the major audit findings, and an assessment of each element of the BCF. It might also describe remedial actions, if they have been discussed and agreed with the auditee. Therefore it is critically important to develop an audit report which senior management will read with interest (because of the significance of the overall level of assurance in the audited area) and credulity. The painstaking work of getting hold of and documenting the detailed facts, in an organized way, has been done and now the auditor’s task is to explain to the auditee ‘what it all means’ and, if necessary, to discuss with the auditee management ‘what improvements they need to make’.
An imaginative approach by the team leader in how to do this will increase the likelihood of the overall success of the audit.

Tip – Remember that Part 2 provides the platform for the conclusions in Part 1, thus nothing can be reported in Part 1 unless it is linked to a weakness reported in Part 2 and has been fully discussed with the auditee management.
In addition to declaring and formalizing the audit result, Part 1 allows the lead auditor to preface the report with an introduction to the audit. The first few paragraphs of this executive summary will describe a business environment which is very familiar to senior management. Therefore the lead auditor needs to achieve two things: firstly, make the point that he and his team understand the challenges to be faced by the organization and the contribution of the auditee’s department to successfully achieving the corporate objectives, and, secondly, set a scene which is going to be rudely disrupted when the main audit findings are read. Appendices to either part of the report should enhance the reader’s understanding of the audit’s coverage, process and result, and nothing else. Figure 7.16 shows a typical format for this.
Figure 7.16 (layout diagram) – Audit report, Part 1: Executive summary, comprising introduction and business environment; audit opinion; major findings and actions; assessment of BCF. Supported by the detail in Part 2 – findings and actions, where each issue is recorded under a descriptive heading as: Issue (expected control, actual control); Exposure (residual risk, impact of risk); Action (reducing risk, removing cause). Supported by the detail in the Appendices: TOR/work plan; interviewees; action plan.
Figure 7.16 Layout of executive summary of audit report
Presentation to management Strictly speaking, detailed guidance on how to make management presentations falls beyond the scope of this book. Over the years, however, we have learned some techniques relating to ‘how to do it’ and ‘how not to do it’. These techniques are consolidated into the following four A-Factors:
A-Factor 54: Have clear objectives, strategies and tactics for you and your team during the presentation. Your objective is to help management arrive at the right decision regarding their reaction to your audit’s findings. Whether the opinion is ‘good’ or ‘unacceptable’ (or anywhere in between), initiation of some response is likely to be necessary, whether this is consolidation of existing strengths or a survival strategy and keeping the board out of jail respectively. The strategy should be to focus management’s attention onto a few key messages, and the tactics will be to support these messages with factual evidence to the extent demanded by any person in the room.
A-Factor 55: Know who will be attending the meeting and, so far as possible, ensure that the attendees are the appropriate audience with sufficient time available for the full duration. You (or the auditee) should send each attendee an agenda and a short description of how the audit team wish to conduct the presentation. Requests from management for pre-meetings or discussions as a result of this should be met.
A-Factor 56: Remember the audit is not over. The best outcome of the presentation will be full support for the findings, and commitment to making the appropriate response. However, if, for whatever reason, management is not able to accept the findings or to commit, then keep a dialogue going with the audited organization to give management the opportunity to express why agreement and commitment are not possible. Your aim is still to optimize the effect of all the hard work done by the audit team.
A-Factor 57: If, despite following this guidance, and ideally having broad support from the auditee, you do not feel that further discussion will result in management’s agreement and commitment, your only course of action is to refer the matter to the internal audit manager (with a view to their reporting this outcome to the Chair of the internal audit committee).
8 Personal Relationships
Introduction This chapter explains some important features with regard to personal relationships. It encourages auditors to think about the need to establish the best possible relationships with the wide variety of individuals who could have a significant effect on the outcome of the audit. The purpose of such relationship-building is to move the perception of the relationship from a feeling of win:lose or lose:win to an expectation of win:win. The lead auditor and the members of the audit team should start thinking about this important aspect of their work at the outset of the audit – starting at the time of their initial planning. Only in this way will they increase the chances of achieving a win:win outcome in the relationships that they will have with the auditee and all of the personnel involved at every stage of the audit. One prerequisite for this chapter is the expectation that readers will already know the essential rules and techniques for establishing good interpersonal relationships and be capable of practicing them. Another premise of this chapter is that the lead auditor and the audit team are competent auditors and therefore their findings and their audit conclusion have been arrived at in a defensible manner with full documentary evidence to support their findings, and that there is a rational logic leading up to their conclusions. The nature of the critical personal relationship between the lead auditor and the team members is dealt with separately in Chapter 10.
Behaviour and communication Experienced auditors will recognize that the behaviour of human beings is probably the most important factor affecting whether the business control framework being audited will be robustly effective or not. It takes a special sort of individual to inspire, empower and lead people to work towards the achievement of specific goals. It takes other sorts of characteristics to tell them how to do their jobs, to follow up on matters of fine detail, and to confirm what is expected next. Both of these individuals can, should they so choose, learn from what happened and respond accordingly next time.
To do their job well, all auditors need a natural ability to communicate and create relationships quickly. They need an engaging personality that can develop rapport quickly and make the most of the initial short period of time in which relationships form or storm. A key aspect is to put people at ease, as well as to be at ease themselves at all times and in all company. Key skills for this include having a courteous, personable and professional manner at all times whilst being able to listen carefully, speak engagingly and explain what you want to do concisely and coherently. Smiling helps, especially when greeting individuals with a firm handshake.
Case study The pre-audit preparation had been carried out in the UK for a major audit to be carried out on the foreign subsidiary of a large marketing company. There had been considerable contact with the managing director of the subsidiary, who was the auditee, and the local internal audit department. The dates for the audit team’s arrival and the period for fieldwork had been agreed on, together with a target date for the close-out meeting with the auditee and his senior management team. The four-person-strong audit team flew out and established themselves in their hotel. The internal audit manager collected them from the hotel the next morning for the audit briefing meeting arranged with the managing director. However, it soon materialized that the managing director was not around: he had only informed his finance director, by telephone at his home late the previous evening, that he was taking his annual leave starting immediately, and could he therefore look after the audit team who would be starting an audit of the company the following morning. However well you plan, sometimes you will find people who do not wish to cooperate!
Influence As auditors, we need to develop influence. This is not the same as ‘power’, where people may do as we wish them to because of our status or title. Generally, auditors do not have power, but they can become very influential. There are at least a dozen different influencing styles, and here we comment briefly on each of them. It is useful to think of your own preferred style, and then to consider the other eleven, and how they may permit you to become (even) more influential.
Coerce This is when you insist, or even threaten. If used sparingly, you become respected for being able to stand up for yourself, even in the face of sharp resistance.
Educate This concerns providing information and new ideas. People will learn from you, and you will be respected if your information or examples are seen as relevant.
Sell This concerns emphasizing the benefits of your suggestions. Enthusiasm will help you to sell, but few like an ‘over sell’.
Logical This means presenting an argument based on logic and reasoning. The other person has to have the time to relax, sit back and be objective for your reasoning to be accepted.
Emotive Here, you seek to appeal to emotions, feelings and values. It can involve trying to make people feel guilty. A trusted manager can be very influential when appealing to people’s emotions to get them to put a big effort into a worthwhile cause.
Expert This is where you apply your superior knowledge or expertise. You need to be very credible to use this style, and be aware of others who may know the facts too. The expert style at meetings is to be quiet at the start while others struggle with the facts. Then analyse the situation, and suggest a course of action.
Model This means leading by example, and requires that you be around long enough for people to copy you. ‘Do as I do’ is much more influential than ‘Do as I say’.
Charisma These individuals rely upon their charisma and strength of ego. You need a large supply of charm and humour to carry this off – successful where a straight-faced boss may fail.
Negotiate This characteristic concerns encouraging compromise all round to achieve a negotiated outcome which satisfies a little of all parties’ wishes. Negotiators NEVER give up; there is always a little ground to give and take.
Joint problem-solving This is about mutual agreement of the best decision. ‘Let’s work together to fix this’ comprises the style, but a high level of trust is needed. If you successfully pull it off, a level of commitment to the outcome is the reward. People support what they create.
Non-directive With this style, you encourage the other person to develop their own analysis of the problem, and come to their own solutions. Asking only questions is the style. Tip – Lee Bryce’s book The Influential Manager (1991) is an excellent read for those auditors desiring a larger input in this important area.
Relationships The concept of auditing is well established in many fields such as finance, health and safety, competencies, competitive performance/delivery and so on. A new area of activity for many business students is auditing business-to-business relationships. In a commercial environment increasingly focused upon personal accountability, the need for relationships which actively contribute to the success of the overall business strategy has never been greater. The desire for client/customer satisfaction has been replaced by the need for commitment and endorsement. Therefore, measuring business relationships is as important as the other traditional commercial metrics – what gets measured gets done! If you provide any type of services to a client, you need to be sure you are at least delivering to – if not exceeding – expectations. And if you’re buying services you need to be sure you’re getting the best possible performance. Relationship auditing helps service providers and service users measure, manage and maximize the potential of their stakeholder relationships.
Case study How relationship auditing has benefited an organization One of Europe’s largest law firms decided to initiate an independent audit of one of its high-value relationships with a financial services provider. The audit uncovered that whilst the client was happy with the service delivered, it was unsure whether the firm had the resources to handle an upcoming new large-scale product launch and was thus considering a panel review. Senior clients hadn’t mentioned this concern, but a junior client, pleased to be included in the review process, was eager to help. Communicating such intelligence promptly to the right people meant the firm was able to take pre-emptive steps to reconfigure its resources, and communicate that fact to the client’s decision-makers. In possession of such facts, and suitably reassured, the client decided not to bother with a review and simply to assign the extra business to the said law firm. The value of this one assignment paid for a three-year relationship auditing programme across the firm’s top 50 clients and still left a six-figure sum ‘in the bank’. In the same programme, a relationship audit uncovered that a client individual, at the time number 3 in the pecking order, was extremely unhappy with the service being provided. The firm had previously concentrated its attention on the Chief Executive and the number 2, both of whom had the power of appointment. The number 3 was due to be promoted to replace the retiring number 2. The firm was surprised but, armed with this intelligence, put in place a remedial strategy which, within 12 months, turned the ‘renegade’ into an ‘apostle’ and not only secured but grew the number and value of the firm’s assignments.
Individuals whose help you may need One of the first things you should do whenever commencing an audit assignment (or frankly, any management assignment), is to make two lists.
First list On the first list, write the names of all those people or positions who you think you will need to make contact with during the audit.
The key thing is to be imaginative and not to constrain your thinking only to those people or positions relevant to the operational activities within the auditee’s area. Figure 8.1 shows just a small sample of individuals with whom relationships may need to be forged before or during various stages of the audit.
Second list On the second, write the names of all those people with whom you have a current relationship and who could assist you during this audit.
Tip – Retaining the business cards of other auditors, subject practitioners, peers, etc. is a good way of building your contact base. To be truly effective, you need to find a good reason to make contact – to stay in touch – a minimum of two times per year.
Tip – Attending meetings of your practitioner group (e.g. health and safety group) is a good way to make contacts. And if you are ready, offer to present to the group on a subject of your choice.
• Audit committee chairman
• Audit committee members
• Internal auditors – management
• Internal auditors – previous audits
• Fraud investigators
• External auditors
• Regulators
• Auditee’s line manager
• Audit sponsor
• Legal department
• Technical advisers – internal and external
• Operational staff
• Project teams
• Support staff
• Personal network of technical contacts
• Auditee’s customers – internal and external
• Auditee’s suppliers – internal and external
Figure 8.1 Groups of potentially useful contacts to be developed in an audit
Networking relationships As noted in the sections above, all auditors have an opportunity to build a network of contacts, which will invariably be helpful in the future.
Case study An HSE practitioner was teased by friends when he was in his 20s for spending too much time attending business meetings in the evenings. When he was in his 30s, he was the managing director of a medium-sized HSE consultancy group. Most of his employees, and most of his customers, were connected via his contacts over ten years earlier.
Senior auditors will tend to find that over time they will develop a good network of auditor contacts inside and outside the internal audit department with whom they can discuss issues on which they would like guidance or a second opinion. In addition to building relationships with other auditors, an excellent and career-focused auditor will look to build relationships with senior managers in various functional and operational areas of the business in which they work. These may be on the basis of friendship, professional interest or personal respect for audit work done in their areas. Relationships and contacts with colleagues who, when requested, are able to give authoritative advice on legal and technical issues are particularly useful. Generally the best relationships are built and rely upon the understanding by both parties that any information sought and information provided is handled, unless otherwise stated, in confidence and treated as personal and non-attributable.
You cannot start thinking about relationships too soon The lead auditor should endeavour to find out as much as possible as to why this audit is being carried out. The majority of internal audits are carried out because they are the next in line in the corporate audit plan. Remember, their priority in this audit plan was decided by the internal audit manager following on from the results of a risk assessment of the organization’s business activities, and later approved by the audit committee. However, some audits will have been triggered for particular reasons other than being ‘next in line’. Sometimes, they will be given priority because an incident has occurred either in the area to be audited or in a similar area elsewhere in the organization. Sometimes senior management needs a level of assurance given particular circumstances already existing or likely to occur in the short-term in the area to be audited or in the business environment affecting the area.
Whatever the reason for the audit, the lead auditor should, as part of his initial preparation, always make contact with the internal audit manager, the audit sponsor (who may also be a member of the audit committee), and depending upon the reason for the audit, possibly even the Chair of the audit committee. As necessary, try to arrange a meeting to discuss the audit generally and to get their input on any matters your early research has shown to be interesting or unusual. A-Factor 58: Time spent on reconnaissance is seldom wasted.
Case study Most of the pre-audit preparation had been carried out in the UK for a series of audits to be carried out over an eight-month period outside the UK. This had required a lot of e-mail and telephone contact with a number of senior managers in the auditees’ areas of operations, the local internal audit department, and the local contracting and procurement department. Upon arrival in the country, the lead auditor arranged to see the sponsor of the audits (two organization levels above most of the auditees), essentially as a courtesy but also to run past him a few of his initial thoughts regarding the development of an appropriate audit work plan. From their discussion, he found out that the audits had been postponed for nearly two years and they were only happening now because of the personal insistence of the company’s managing director (MD). When he got out of that meeting, he called the MD’s secretary to make an appointment to see him and he was not really surprised when she told him that the MD had already asked her to arrange a meeting with him. The information which the MD provided was invaluable to the success of the audits since it guided the audit team’s detailed work planning and how they related to some key individuals in the auditee’s department. The audit results had a profound impact on how that company changed its view of a significant area of social accountability.
Although a (draft) Terms of Reference should already have been issued for the audit in question, which should clearly state the expected deliverables from the audit (i.e. to provide assurance to senior managers, to identify areas needing improvement, and to assist management as to how to improve), the lead auditor should also try to find out if there are any particular circumstances surrounding the area of the business to be audited of which he should be aware. A lead auditor’s preparations would normally require them to review the reports of the previous audits, including those by other internal audit or review bodies (e.g. a review by the health and safety committee). Whilst these audit reports may have been accepted by management at the time they were done, the lead auditor may still wish to contact the person who led the audit at the time to find out if there were any particular issues that had been the focus of the auditee’s or management’s attention at the time of the closeout of the audit. Similar inquiries may be made with external auditors (e.g. on a statutory audit or a Level 3 certification/recertification audit) or with regulators (e.g. following a health and safety accident investigation). A key characteristic of these contacts will be informality. However, third-party contacts will generally need to be more formal unless the lead auditor in question already knows the other person. Also, the lead auditor needs to use his relationship with senior managers to find out how they assess the control framework about to be audited and where they think the strengths and weaknesses lie. If they say that they don’t have a view, or don’t know, that is useful information in its own right. The lead auditor can also ask to see a copy of the most recent management self-assessment (MSA) results, but this should only be used as a parameter against which to measure the audit’s early findings. If there is a significant divergence between the audit’s results and the MSA, then a more detailed comparison could be made later.
Bringing down barriers and changing perceptions In many organizations the audit department, the auditing function and even auditors themselves are still viewed with suspicion and even a degree of disdain by those individuals who are likely to be audited or at least involved in audits. As members of an auditor training organization, the authors regularly hear from course delegates that this antipathy between the hunter and the hunted – the policeman and the offender – remains alive and kicking.
Case study Food and Drug Administration (FDA) auditors in the USA were mentioned as usually being very confrontational, requiring excessive detail in paper evidence, and having little concern for efficiency of their management system requirements. Most FDA audits are reported as ‘competitive’, with the auditees seeking to give no information other than what is specifically requested, and the auditors trying to identify ‘stones to turn over’ so as to find hidden faults – this type of auditor/auditee relationship is not good practice.
The two great ‘lies of audit’ persist:
Auditor: ‘We have come to help you.’
Auditee: ‘You are most welcome.’
Many heads of internal audit, especially in larger organizations, would like to think that this is not the case because of the way in which their departments have been modernized in recent years. Many organizations have formally adopted professional auditing standards, such as The Institute of Internal Auditors’ standards, which state that internal auditors can indeed see themselves as consultants to the business. However, every time an audit is carried out is the moment of truth as far as those potentially suspicious individuals are concerned. Our challenge as twenty-first century auditors is to progressively reverse these perceptions. Whatever the past or current perception of audit may be within an organization, it is possible to generate a receptive and creative atmosphere by focusing on building good personal relationships between every auditor on the team and those whose assistance will be sought in preparing for and carrying out the audit.
The essential steps in building good personal relationships are:
• do not expect to be liked immediately
• accept that suspicion is entirely normal and do not equate it with people having something to hide; give them the benefit of your doubt
• ensure you have the tools and knowledge to persuade people of the benefits of audit and be ready to use them at every level in an organization
• bring as many people on board at the beginning of the audit by inviting them to meet you and the audit team, hear about the audit process and how you would value their support
• be open about the audit process – there is nothing secretive about it – and confirm that an internal audit is being done to assure management that all is well or to alert them if their intervention is required
• describe how that intervention might take place
• give pertinent examples of how audits have helped organizations such as this one
• explain how the auditors will focus their attention and scrutiny on ‘the system’ and not on ‘individuals’
• demonstrate all the auditors’ competencies to do the audit in the particular part of the business being audited without saying ‘We are brilliant and we know everything!’
• adapt your approach (i.e. how you are dressed, and how you speak) and interpersonal style (i.e. using first or family names) to the people with whom you are communicating
• start every formal interview by stating clearly why you have chosen that person to speak to and how they can help you to do the audit effectively
• discuss the agenda you have prepared and invite your interviewee to add other issues to the agenda and to decide the order in which they would like to discuss them
• offer confidentiality if you think that will help to get to the truth, and do not breach that confidentiality later
• do not judge what you find out, until you are certain you have obtained the truth, and even then ask yourself ‘So what?’
• report back to individuals if you say you will
• return any documents you ‘borrow’
• practice humility
• tell them ‘I am from Missouri’, and explain why this is so (see Tip in Chapter 6, pages 122–3 and Figure 6.3).
Show your interest in operations The main sources of information to assist you during the audit – in addition to the auditee and his or her immediate subordinates who are working in the area being audited – will be the operational and support services personnel. Generally, these people will be helpful. They will usually either give you the information needed, or point you in the direction of relevant evidence to support the existence and effectiveness of parts of the business control framework. However, we, as auditors, would not be doing our job properly if we did not check or corroborate such information by referring to an independent source, such as another person, or by comparing the information obtained verbally against physical evidence or supporting documentation. This act of confirming what we have just been told can provoke frustration, and even annoyance or anger, in the people who gave you the information. They think that you do not trust them! Handling this part of any relationship, especially at the operational level, is critically important. So explain the next step of the process at the end of every interview and meeting. Testing outside the auditee’s operational area is required when auditors want to seek further confirmation of the effectiveness of particular controls from individuals or documentation in customer and supplier organizations. Auditors need to be aware that their relationships inside the auditee’s department will have to be particularly well grounded to withstand the strains that often arise when the auditee’s personnel are told or find out that the auditors wish to make inquiries or seek confirmation from third parties outside the immediate boundaries of the auditor’s scope area. In addition to confirming clearance with the auditee, out of courtesy and on the grounds of confidentiality, auditors must be prepared to handle such sensitivity, which arises irrespective of whether the customers and suppliers are internal or external to the overall organization.
Take time to get your message across Human nature alone would suggest that auditors are unlikely to be welcomed with open arms as the bearer of bad news. This could be in the form of serious control weaknesses, or a poor or unacceptable audit opinion. ‘If they don’t like the news, they shoot the messenger’. However, the extent to which this reaction will be evoked will be very much dependent upon how the lead auditor delivers the message. Clearly, just dumping the bad news on the auditee’s desk on the final day, as he heads for the car park or the airport, is not going to help anyone. Tip – Provide the audit opinion at an early point, once it is known. Be prepared to explain why and how the opinion was derived, particularly those opinions which may be seen as ‘bad news’.
Case study An auditor had spent approximately two hours presenting the detailed findings of an audit to the management team. When the final slide announced the audit opinion as ‘poor’, the managing director said ‘Please put the first slide on again’.
When applicable, contrast the audit team’s early indicators of poor control with perhaps the more optimistic expectation of senior managers (which the lead auditor may have heard about). An experienced lead auditor would commence ‘drip-feeding’ the bad news to the auditee through a series of ‘no surprises’ meetings from an early stage in the audit. In contrast, passing on a Good or Satisfactory audit opinion is usually an easy and pleasant affair. This is because management will feel that they have ‘passed the audit test’. They are not feeling threatened, since they will see the result in the same light as having just been told ‘everything in your area of responsibility is being well-managed’. They then get on with their usual job. However, such ready acceptance may not be what the lead auditor really wants, or the outcome that the audit warrants. It is probably inappropriate in most circumstances, so some auditees and their management teams need to be encouraged to rigorously challenge even seemingly good news; they should examine the methods used by the auditor to arrive at the good news, and the documentation that the audit team has prepared to support it. This process should result in auditees and management above them understanding the strengths and weaknesses of their management control framework more fully. Only then should they feel confident of the extent to which they can bask in the reflected glow of the audit team’s assessment. Tip – This process of ‘educating’ the management team can be done best through a series of ‘progress’ meetings.
Such progress meetings can be set up in a similar way to the ‘no surprises’ meetings, from as early a moment as the lead auditor has something he wishes to draw to the auditee’s attention.
Don’t drop your guard until the report is delivered The lead auditor may have prior warning that there is going to be difficulty in closing out the audit at the presentation. Usually this would be because the auditee has mentioned or stated that the management team cannot (or will not) accept the audit opinion. This can still be the case even if the lead auditor has initiated and participated in copious ‘no surprises’ meetings, and has responded appropriately to questions and challenges from the auditee’s staff or even the auditee personally. In this type of scenario, the auditee may be prepared to make accusations and threats, and fight every finding in the hope of unearthing some factual inaccuracies upon which the auditors have relied in arriving at their conclusions. If they are successful, they hope to cast aspersions on the reliability of the remaining part of the auditors’ work. It may be that some ‘big guns’ – intimidating, large or boisterous, or very senior managers – may be assembled at the final presentation. Auditees cannot sustain this type of behaviour on their own. They need the support of their subordinates, which will be provided either willingly or as a result of coercion. Quite reasonably, you cannot and should not expect them to come to your aid in the final closeout meeting, whatever they have said to you privately. A key relationship that will need to be relied upon in these circumstances will be that between the lead auditor and the auditee’s line manager. In certain circumstances, others may necessarily become involved, including the internal audit manager, the audit sponsor or even the Chair of the audit committee.
Case study A highly competent technical professional had been working in internal audit of a major global business for a relatively short period, when she was appointed as the lead auditor for an audit which was to cover the engineering department of a large subsidiary.
Personal Relationships
She and her team completed the audit, and the results did not reflect well on the subsidiary’s management. In fact there were some serious issues which needed urgent management attention. This meant that the audit opinion was going to be no better than Poor, and possibly Unacceptable. The auditee knew this but could not bring himself to accept it, or some of the main findings, even though the supporting evidence had been fully and clearly documented and explained to him. He decided to wait until the final presentation to try to cut the lead auditor down to size. He gathered his troops around him in three locations – having organized a video-conferencing facility – and, in her own words, the lead auditor was so nervous that she could not apply her lipstick in the Ladies, where she had gone immediately before the meeting to compose herself for what she knew was going to be a very rough ride. The tension in the three locations grew as the seats in the three conference rooms filled. The lead auditor, the audit team and the auditee finally took their places. The scene was set: this auditee was going to teach this particular auditor a lesson she would not forget! Just as the lead auditor was drawing breath to start the audit results presentation, there was a disturbance at one of the remote locations. Everybody’s eyes turned to the video screen. A late arrival had entered that conference room and was offered a seat in the front row. The scene had been set for a totally unnecessary demonstration of bully-boy tactics which would probably have resulted in accusations, denials and counter-accusations, many of them personal. The audit result would have stood, but people would have been damaged. Instead, the presentation went off without much more than a few clarifications. The auditee was very quiet, and the lead auditor obtained acceptance of the findings and a commitment to take urgent action to address the control weaknesses.
Why the swing around? The late arrival was the auditee’s boss, who had been tipped off about the audit results and the planned showdown by a telephone call from the internal audit manager.
Tip – Invest the necessary time to get the essential facts relating to the audit result to a level of management that does not see it as personal criticism, and who will want to ensure the auditee listens and responds with actions.
Although it is advisable for the audit team leader to discuss with the auditee who will attend the final presentation, particularly which members of senior management, at times there are senior individuals who invite themselves at the very last moment – possibly because they haven’t got anything better to do and are looking for some sport! Their motives for attending may or may not be known, and therefore it will be difficult to prepare to handle any interjections that may arise from them. Their aim can be to disrupt the smooth flow of the audit team’s presentation and, if the opportunity arises, to call the auditors’ credibility into doubt. This can be a very difficult situation to handle, but a good way to deal with it is to raise the possibility of something like this happening with the auditee, and get them to agree that they will field any questions coming from such a quarter.
A-Factor 59: Don’t drop your guard until the assignment is complete. It is essential to rehearse the nature of objections, and to try to see things from the other person’s perspective. Anticipate, and have in mind answers to, the types of question auditees and others are likely to pose.
9 The Written Report
Introduction
This chapter relates to the areas we described towards the end of Chapter 7 – concluding the audit. Chapter 8 – personal relationships – focused on the critically important ability of the lead auditor and the auditors to connect on an emotional and psychological level with the auditee and the auditee’s staff. This chapter focuses on the equally important ability, particularly of the lead auditor, to put the same information into an attractive written form. As you’ll have read, good – no, excellent – interpersonal relationships within the audit team throughout the entire audit process, in particular those with the lead auditor and those with the auditee, are very important. This is especially true at this point of the process, where we seek to turn all of the time and effort put into the audit (i.e. the set-up, review and verification, and concluding) into a written report that is generally accepted and agreed for its content, easy to read, and welcomed by the receiver as a useful contribution to their business. One of our main premises for writing this book was our passionate belief that auditing is really all about facilitating business improvement. Such improvements, as we foresee them, are only possible if our messages – carefully worded, factually correct, and (if possible) agreed with our auditee through our ‘no surprises’ process while we are on site – are clearly replicated and enhanced in the written report.
A-Factor 60: The written report is an essential document which compels business improvement if you get it right.
In this chapter you’ll learn:
• how to write really great reports that are easy to read, and truly welcomed by the receiver
• the use of powerful words
• how to deal with abbreviations and references
• why it is so vitally important to read the report after writing it but before submitting it
• how to formally submit audit reports and recommendations.
How to write great reports
Let us start with a question. In your experience, which parts of any book get read prior to a purchase? We guess that you answered ‘the summary on the back cover’, ‘the profile of the author’ and/or ‘the first page’. This would be our answer too. This is because we all know that if these ‘headlines’ do not quickly engage our interest as readers, we will put the book back on the shelf and pick up another instead. We have choice. If we now asked you which parts of any management report are likely to get read, we suspect you would likewise answer ‘the management summary’, ‘the table of contents’ and ‘the recommendations’. This would again be our answer too, because we all know that if these ‘headlines’ do not quickly engage our interest, we put the report back in the envelope and find something else to do in the office. Well, the same is true for the auditee, the senior management of both the auditee function and internal audit, and the audit committee members. All of these people have very busy days and lots of other things they could choose to be doing with their time. If our report is not ‘a good and easily digestible read’ from the start, it is unlikely to be read with the degree of interest you would like. In this section we offer some tips and hints on how to write reports that are easy to read and more likely to be welcomed by the reader. Some early characteristics that need to be correct are common sense (but lots of people still get these wrong!):
• names on the cover of the report must be spelled correctly
• audit title and dates of audit
• auditee’s and sponsor’s names and titles
• names and job titles of recipients
• company name fully and correctly expressed – plc, SA, Sdn Bhd, Ltd, etc.
• audit team membership.
Making sure these straightforward facts are correct gives a (perhaps unconscious) feeling of comfort to the reader.
Get these incorrect, and they may already be doubting the audit team’s ability to have done a good audit, let alone present a coherent and useful message. Tip – Your report has one chance to make a first impression. Use it!
Figure 9.1 Audit Report structure. Part 1 – Management summary: introduction and business environment; audit opinion; major findings and actions; assessment of BCF. Part 2 – Findings and actions, one row per finding in three columns: Issue (descriptive heading, expected control, actual control), Exposure (residual risk, impact of risk) and Action (reducing risk, removing cause). Appendices: TOR/work plan; interviewees; action plan.
Other important objectives must be:
• clear structure
• simple layout
• a concise extract of the audit’s conclusion(s).
A clear structure is:
• Part 1 – executive summary
• Part 2 – audit report (with appendices).
A simple layout, and the relationship between the two parts of the report, is shown in Figure 9.1.
Title
So let’s start – give the document a clear title on the cover. We have previously commended sharp titles of three to four words, and we do so again here. Contrast:
HSE Audit Report – O’Hare Airport
with:
A report into health, safety and environmental management systems, aligned to OHSAS 18001:1999 and ISO 14001:2004, at O’Hare International Airport, Terminals 1, 2 and 3, Chicago, IL, United States of America
We choose the former every time. Tip – Don’t try to be too clever. Don’t try to show that you know ‘everything’ on the cover. Compel the reader to turn the page to find out which terminals (in our example) are covered by the report.
Cover page
Experienced auditors seem able to prepare a cover page using a format carried in their minds. We commend you to establish your own format; it helps a lot when you are under time pressure to prepare the final report. Our model is shown here. It has worked well in setting the scene in hundreds of audits around the world:
• [‘draft’ or ‘final’] audit report of a [add type of audit here] at [add name of organization and short-form address here] on [add date here, including the year]
• auditee [name and job title] and sponsor [name and job title]
• lead auditor and team members [add your and the team’s names and designatory letters, and the name of your organization if you are a contractor].
Tip – Designatory letters (1): Use the ones relevant to the audit, with your highest qualification first (if you have more than one). Avoid a long list, unless you really do have several (relevant) degrees!
Tip – Designatory letters (2): If you do not have any designatory letters, it may be a good time to set about formalizing practical skills with formal qualifications and/or membership of a RELEVANT technical body. Chapter 3 provides the names of some major auditor registration bodies.
Table of contents This is an important section of the report since it helps readers familiarize themselves with what we have included in our report and where they can find it. In our experience, this is one of the first pages readers will look at.
We suggest that experienced auditors could/should build a library of ‘tables of contents’ templates – perhaps one for each reference framework they are auditing against. The table of contents should show the following appendices: terms of reference, audit work plan, description of the audited reference framework, audit scope, and list of all contributors to the audit. Tip – Take a template as an ideal starting point for the report; you then only need to amend each main heading.
Tip – If you do not know Microsoft Word’s ‘Tables and Index’ feature, which generates the table of contents for you, then find out. Making sure that the page numbers align with the table of contents can be done automatically: after proofreading, after peer review (details hereunder) and just before the ‘final check’, select the table of contents and press F9 (Update Field), and the page numbers are refreshed.
Tip – Similarly, an essential skill is to know how to copy or cut text using ‘Control-C’ or ‘Control-X’ and paste it using ‘Control-V’ into the same or another document.
The foot of the table of contents page is a good place to put a note of thanks and acknowledge the cooperation received. Unless it is absolutely necessary, do not list individuals by name and/or job title.
Disclaimer statements
It seems to us that most auditors these days include a disclaimer statement within their reports. We are not lawyers, and therefore we suggest that you discuss the pros and cons of doing this with people who can advise you about the benefits of such a statement. What we do suggest is that you put the disclaimer neither on the cover nor at the bottom of the table of contents. We have been advised that any warning given in the UK should be no less prominent than the text surrounding it, but as a general point we advise auditors to start with positive messages. Let us be clear:
• an auditor cannot know everything, verify every record, or speak to each employee in an audit lasting two weeks, let alone a few days
• any audit is an intentional sample, designed to give reasonable assurance to readers to the extent that the work plan has been completed
• our report is not a guarantee of zero loss in those areas which are found to be adequately controlled
• corrective action is the responsibility of the auditee.
However:
• we have followed a structured audit process
• our results are likely to be replicable by others following in our footsteps and referring to our working papers
• we have reported our conclusions based on the facts obtained during our work (of course, we rely upon the facts reported to us being true!).
Between these two positions lie (1) our credibility as auditors and (2) our desire to take account of and manage our own risks. A statement used by the authors is shown below. We use it at the end of the management summary, and again at the start of the recommendations. As we too are risk managers, we cannot commend these particular words to you, but we show them to give you a ‘feel’ for what your lawyers may suggest you use.
‘We have taken into account risk factors which we were aware of at the time of the auditor’s visit(s). It should be noted that there might be other not reasonably identifiable factors that may be relevant, or other matters which in the opinion of the auditor do not constitute risks in the context of the report. In preparing reports, we may suggest improvements which in our opinion will reduce risks. It should not be inferred that other risks could not be reduced or further controlled, nor that identified risks could not be reduced further by other measures or in other ways.’
A-Factor 61: Discuss ‘disclaimer statements’ with competent legal advisers in your jurisdiction.
Executive summary (Part 1 of the report) We think that the management summary or executive summary is possibly the most important section of the report. In our experience, it is the section that senior managers look at first, as it provides a full account of the audit’s outcome in a ‘nutshell’. Either they will love it, or loathe it. It is up to the lead auditor to promote continued reading by the way in which the summary is written and presented. Accordingly, it should not be rushed. We commend you to write it last, when the body of the report – with all the key findings, exposures and recommendations finalized – and appendices have been prepared. The lead auditor must know what the ‘big picture messages’ are going to be, and will have a fair inkling of how senior management will react.
‘The time to begin writing an article is when you have finished it to your satisfaction. By that time you begin to clearly and logically perceive what it is that you really want to say.’ – American writer Mark Twain, born Samuel Langhorne Clemens (1835–1910); from his Notebook, 1902–1903.
A good management summary could (literally) be taken from the report to stand alone. If possible, restrict it to two pages. This distillation aims to bring transparency and clarity to the issues which the audit team communicate to senior management. The executive summary should comprise four sections:
1. introduction and business environment
2. audit opinion
3. major findings and actions needed
4. assessment of the business control framework (or the ToR’s reference framework).
Once again (twice, actually), we quote from Mark Twain as a reminder that focus takes time:
‘I am sorry for writing you a four-page letter. I did not have the time to write you a one-page letter.’ – Writing to his wife
‘To get the right word in the right place is a rare achievement. To condense the diffused light of a page of thought into the luminous flash of a single sentence is worthy to rank as a prize composition just by itself. Anybody can have ideas – the difficulty is to express them without squandering a quire of paper on an idea that ought to be reduced to one glittering paragraph.’ – Letter to Emeline Beach, 2 October 1868.
Introduction and business environment
The introduction and business environment section should describe in concise terms:
• the type of audit performed
• which part(s) of the business was audited
• an extract (selected for relevance to the audit’s findings) of the corporate challenges, objectives and major projects
• a description of those aspects of the organization’s business environment which are both critical to the business’s future success and relevant to the audit’s findings.
This is your opportunity to prepare the minds of senior management, most of whom will be reading the report for the first time, so that they easily recognize their company and subconsciously give you the credit for having neatly encapsulated the key (and not all) internal and external environmental factors which are challenging and supporting their business’s potential success.
A-Factor 62: Senior management should recognise that the executive summary describes their business as they see it.
It must demonstrate that the audit team have approached the audit in terms of assuring management that they have a successfully managed business, and not just assessing how their HSEQ management system measures up against the specified reference framework. Much of the factual information appropriate for the introductory paragraph will have been obtained at the start of the audit process, during the lead auditor’s and audit team’s familiarization with the auditee’s business environment. Now that the audit has been completed and its conclusions arrived at, only those aspects of this familiarization work (e.g. political, economic, social, technological, infrastructural, legislative and other environmental factors; business strategies and objectives; corporate-level risks and opportunities; and operational risks) which have a clear relationship with the major findings need to be mentioned in the executive summary.
Tip – The reason for a highly selective approach to what is mentioned in the introductory paragraph of the executive summary is to keep the reader’s attention focused on only those matters that you need them to think about. Either you will be commending them on a strong and effective BCF regarding some of the critical issues affecting the company’s future, or you will be setting them up – allowing them to recognize vital issues within their own organization, and so winning their interest and commitment – to relax in their comfort zone before delivering a message which cannot be deflected: that the relevant part of the management framework requires improvement and may possibly be unacceptable.
Audit opinion This section is the ‘newspaper headline’ that really matters to senior managers. A-Factor 63: Whether auditors like it or not, managers will be judged by the results of audits. The body of those standing in judgement includes the board of directors, remuneration committees, external regulators, the legal system, and other stakeholders.
In such an environment, it is only human nature that ‘good news’ will be well received and ‘bad news’ will evoke a knee-jerk rejection. Therefore, the audit opinion paragraph needs to pack a punch. It must succinctly describe the auditors’ assessment of each of the elements of the reference framework – is it in place? could it work as designed? does it work? This description should be structured so that the reader is given brief examples of strengths and weaknesses within each element which are relevant to and supportive of the major findings, and the totality of these facts must lead the reader along a path of irrefutable logic that ends in the reported audit opinion. A-Factor 64: A well written paragraph delivering a ‘poor’ or ‘unacceptable’ audit opinion, will have the effect that ‘the reader may not like it, but the logic and the facts cannot be denied’.
Major findings and actions
This section will be a summary of what has been reported in detail in Part 2 of the report – bullet points can be a very useful way of condensing text. The key challenge is to demonstrate clearly what management action needs to be taken, and over what time frame, in order to avoid the identified potential business outcome. Don’t try to say everything again, but tell a compelling short story which forces the reader to make the link between the control failure in the reference framework and the impact on their business’s future success (or failure, if they take no action). The basic logical thought process used throughout the audit can form an initial template:
• a title that imparts feeling as well as description to the issue
• the risks to business success of any control failure
• the presence, absence, strength or weakness of relevant controls
• the action and urgency required to improve the control framework.
Assessment of the BCF This information can either be retained in the body of the executive summary or attached as an appendix with only a table of the results in the body of the report.
For example, a table with one row per BCF element, marked ‘+’ in the Positive column or ‘−’ in the Negative column according to the audit team’s overall assessment of that element (in the worked example three elements carried a ‘+’ and two a ‘−’):

#   BCF element            Positive   Negative
1   Policy
2   Organization
3   Procedures
4   Supervision
5   Review and appraisal
For each element of the BCF, there should be a clear and concise description of the most important examples of strength and weakness in control which were found during the audit. If appropriate, make the link between specific examples and the respective high-risk activity (i.e. work plan item). Ensure that the paragraph for each BCF element can both be read as a standalone commentary on the audit’s findings with regard to that element’s particular control failings, as well as presenting a balanced report (i.e. in terms of quantity and significance of control failings described) of that element’s overall contribution to the assessed effectiveness of the overall management system (i.e. as shown in the table of results of the BCF).
Audit findings and actions (Part 2 of the report)
Part 2 of the report presents the details behind the comments and conclusions presented in Part 1. The layout of the detailed information will normally be determined by the organization being audited. Figure 9.1 shows a format with three key elements reported in separate columns:
1. status of the control framework – comparing expected controls with actual controls
2. exposure of the business – identifying the extent of unauthorized residual risk
3. actions – required to strengthen the failing controls and address the root cause of the failure.
Therefore, the overriding objective for the auditor when detailing the status of the control framework (needed to effectively manage specific inherent risks within activities which are critical to the business) is for the reader to agree with the auditor’s statement of expectation of particular controls, and to be able to note clearly where there are gaps between that expectation and the type and quality of controls found/not found and working/not working. To the extent necessary, details of verification can be included or cross-referenced to appended documentation (e.g. the list of interviewees and contributors to the audit).
The overriding objective for the auditor when detailing the exposure of the business resulting from the control failure is for the reader to appreciate clearly the impact of the existing situation upon the organization’s key business objectives, both quantitative and qualitative.
A-Factor 65: Detailed reporting of each audit finding should examine the extent to which the audited organization has delivered on the definition of business control.
Without action being implemented to correct the failings identified within the BCF, no improvement will occur. However, irrespective of whether it is the auditee or the auditor who decides what the appropriate action needs to be, the description of the necessary action needs to reflect a SMART approach:
• Specific – clearly defined action
• Measurable – defined performance level and timing
• Achievable – can be done by the designated action party
• Right – it is appropriate in light of the problem
• Timely – urgency in line with seriousness.
From a technical standpoint, clarity of wording in recommendations (especially in Part 2 of the report) is critical. Actions that need to be taken must be understood in such a way that there can be a genuine commitment on the basis of a full understanding of what, how and when action needs to be taken. Often clarity is a matter of balance. For example:
• being specific in what is required balances conciseness against writing a lengthy paper;
• improving matters that are impacting business objectives simultaneously in the corporate realm and at the process level requires balance; and
• clearly identifying the person with responsibility for taking the required actions needs to be balanced against identifying the person with accountability for ensuring that the result is effective.
When drafting recommendations and seeking conciseness, it is always difficult but very necessary to avoid vague action words such as:
• consider – rather use: estimate, evaluate, measure, calculate, compute
• ensure – rather use: check, verify, certify, justify, investigate
• review – rather use: amend, adjust, correct, recreate, rewrite
• monitor – rather use: analyse, investigate, revise, overhaul, repair.
Format
Tip – Tables and figures in the text of the report should be shown as follows:
• tables of figures = Table 1, 2, 3, … and
• pictures, photographs, images, graphs = Figure 1, 2, 3, …
Tip – For abbreviations and references, such as COSHH, RIDDOR, OSHA, NOSA, etc., state the full term once with the abbreviation in brackets – e.g. ‘the Control of Substances Hazardous to Health (COSHH) Regulations’ – and then use the abbreviation alone thereafter.
Reading after writing, before submitting
This section highlights why it is important to read the report after writing it and before submitting it. It shares some of our experiences (humorous, but still serious) from 20+ years as auditors. Think of the things that distract you when you are reading someone else’s work:
• spelling mistakes
• obvious errors of fact
• excessive use of ‘absolute’ terms (e.g. ‘no training’) – what, absolutely none, ever?
• poor punctuation.
Spell-check carefully. A starting point is to use the proprietary spell checker within your word-processing software – so long as its limitations are recognized. Additional proofreading is very important to be sure that ‘there’ is not incorrectly spelled ‘their’, and so on.
Case study
A Master’s degree student had appointed a personal tutor for his dissertation. The student sent in several of the early chapters for review and comment. The tutor sent back a note which said: ‘I am unable to concentrate upon the (no doubt excellent) content of your work, as I am continually distracted by your poor punctuation and grammar.’ Learning = learn to punctuate if you need to!
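The vague action words listed under Part 2 above, and the ‘absolute’ terms flagged in this section, are both mechanical enough to catch before a colleague proofreads. The following is an added example, not from the book: a small checker that scans a draft recommendation for the chapter’s four vague verbs (suggesting the sharper alternatives), for absolute terms, and – as a rough SMART check – for an action party and a deadline. The word lists are the chapter’s; the owner and deadline patterns (an ‘Action party:’ line, ‘by 30 June 2007’ or ‘within N weeks’) and the two sample drafts are assumptions constructed for illustration.

```python
"""Lint a draft recommendation for vague action verbs and absolute terms,
and check that it names an action party and a deadline.

Added example, not from the book. The word lists come from the chapter; the
owner/deadline patterns are illustrative heuristics, not a standard."""
import re
from dataclasses import dataclass
from typing import List

# Vague action words and the sharper alternatives the chapter recommends.
VAGUE_VERBS = {
    "consider": ["estimate", "evaluate", "measure", "calculate", "compute"],
    "ensure": ["check", "verify", "certify", "justify", "investigate"],
    "review": ["amend", "adjust", "correct", "recreate", "rewrite"],
    "monitor": ["analyse", "investigate", "revise", "overhaul", "repair"],
}

# Absolute terms that invite the "what, absolutely none, ever?" challenge.
ABSOLUTE_TERMS = ("no", "not", "none", "never", "always", "every", "all")

# Illustrative patterns (assumption): an owner line and an explicit deadline.
OWNER_RE = re.compile(r"\b(?:action party|owner)\s*:\s*\S", re.IGNORECASE)
DEADLINE_RE = re.compile(
    r"\b(?:by \d{1,2} [A-Za-z]+ \d{4}|within \d+ (?:days|weeks|months))\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    kind: str      # "vague_verb" or "absolute"
    word: str      # the word as it appears in the draft
    offset: int    # character offset, so an editor can jump to it
    advice: str


def _whole_word(word: str) -> "re.Pattern[str]":
    return re.compile(r"\b" + re.escape(word) + r"\b", re.IGNORECASE)


def lint_recommendation(text: str) -> List[Finding]:
    """Return every vague verb and absolute term in the draft, in text order."""
    findings: List[Finding] = []
    for verb, alternatives in VAGUE_VERBS.items():
        for m in _whole_word(verb).finditer(text):
            findings.append(Finding("vague_verb", m.group(0), m.start(),
                                    "rather use: " + ", ".join(alternatives)))
    for term in ABSOLUTE_TERMS:
        for m in _whole_word(term).finditer(text):
            findings.append(Finding("absolute", m.group(0), m.start(),
                                    "absolute claim: qualify it or cite the evidence"))
    return sorted(findings, key=lambda f: f.offset)


def smart_gaps(text: str) -> List[str]:
    """Heuristic SMART check: which of 'owner' and 'deadline' are missing."""
    gaps = []
    if not OWNER_RE.search(text):
        gaps.append("owner")
    if not DEADLINE_RE.search(text):
        gaps.append("deadline")
    return gaps


# Constructed sample drafts (not taken from any real audit report).
DRAFT = ("The site manager should consider the training records and ensure "
         "that there is no outstanding refresher training.")
REVISED = ("Action party: Site Manager. Verify the training records of the 42 "
           "forklift operators against the refresher schedule and correct any "
           "lapsed certificates by 30 June 2007.")

if __name__ == "__main__":
    for label, text in (("draft", DRAFT), ("revised", REVISED)):
        print(f"{label}: {len(lint_recommendation(text))} finding(s), "
              f"missing {smart_gaps(text) or 'nothing'}")
        for f in lint_recommendation(text):
            print(f"  @{f.offset} {f.kind} '{f.word}' -> {f.advice}")
```

Run against the first draft it reports ‘consider’, ‘ensure’ and ‘no’ and notes that no owner or deadline is stated; the revised wording passes clean. The checker is a net, not a judge: a flagged ‘all’ may be perfectly justified once the evidence is cited, which is exactly the question the proofreader should then ask.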
It is very difficult to proofread your own work, so each audit team member’s work should be read by a colleague, and every part of the audit report should be read by at least two people – specifically looking for spelling, formatting and typographical errors. Other reasons to check documents after completing the writing but before submitting them include:
• it is good practice
• your organization’s quality system (e.g. ISO 9001:2000) may require internal review
• auditees will pick up on errors to deflect from the all-important issues, and possibly as an excuse not to do what was intended, if it was not accurately stated.
Tip – Peer review of reports is a very good idea. Read audit reports after you have written them, but before submitting them. Often the brain can work faster than the hand, or the report may not say quite what you wished it to!
Case study
One of the authors was close to submitting the following report some years ago: ‘the site has much carnage in its workshops, but this is well documented and clearly marked’. The report was supposed to say ‘the site has much cranage [i.e. many cranes] in its workshops’, but our pals at the software company had pre-programmed their integral spell-checker to auto-correct. Some surnames can be hopelessly auto-corrected too, and this can be very embarrassing. If you do not believe us, try spell-checking ‘Pernis’, ‘Hyster’ or ‘McVities’.
If the reader is not to be distracted while reading, we need to make sure that correct familiar technical language is used. Which health and safety practitioner would not be distracted by incorrect referral to the main health and safety legislation in their country?
Submitting audit reports There will come a point in time when the report is to be submitted to your client/auditee – either because submission is contractually due, or because you feel that it is ready to be read.
There are two basic approaches to submitting audit reports:
• here it is (e.g. final report)
• here is a draft for comment prior to our final report.
Here it is
Some audit reports are very much of this type. Any auditor who has worked with, for example, a certification body will have prepared the audit report while progressing through the audit, by recording the evidence of the work in chronological fashion. The report is collated and, with a summary front page and recommendations at the back, is handed to the auditee on the last day. This is a cost-effective way of audit reporting, but it does not allow for major issues such as ‘can the auditee read my writing?’ or (relatively) minor issues such as spell-checking.
Here is a draft
This is our preference, and we commend this approach to you. If you can (and of course this depends upon what has been agreed in terms of the time and budget for the whole audit), we suggest that a draft report is presented to the client – ideally in time for them to read it before the final presentation. If you can do this, you can refer to it during the presentation, e.g. for facts and tables of information. Give (say) two weeks for comment after the presentation and prior to final issue of the report. Comment does not equal changes; it equals only an opportunity to comment. When finalizing:
• change inaccuracies and spellings
• remove unnecessarily contentious statements – e.g. ‘incompetent’, or absolute negatives/positives (‘no’, ‘not’, ‘always’, etc.)
• resolve questions raised in the draft
• take account of the auditee’s concerns and preferences regarding actions.
‘Final check’
It is a really good idea to do a ‘final check’ as the last thing before you put the whole report into the envelope with an appropriately worded covering letter. Tip – Send the invoice separately from the report.
A-Factor 66: Regularly maintain an off-site back-up of all computer files to prevent irretrievable loss.
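A backup that has never been restored is an assumption, not a control. As an added example (not the book’s, and not a recommendation of any particular product), the script below packages a set of audit working files into a dated archive, records a SHA-256 manifest of every file alongside it, and then proves the archive restores cleanly by unpacking it into a scratch directory and comparing every hash; it also shows the check failing when the manifest no longer matches. The directory layout, file names and sample working papers are constructed for illustration; the archive would still have to be copied off site and the restore check repeated on the off-site copy.

```python
"""Archive the audit working files, record a SHA-256 manifest, and prove the
archive restores before it leaves the building.

Added example, not from the book. Paths, file names and the sample working
papers are constructed for illustration."""
import hashlib
import json
import tarfile
import tempfile
from datetime import date
from pathlib import Path
from typing import Dict, Tuple


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(root: Path, dest_dir: Path, label: str) -> Tuple[Path, Path]:
    """Write <label>-<date>.tar.gz plus a JSON manifest of file hashes.
    The manifest is kept separately so a swapped or damaged archive is caught."""
    archive = dest_dir / f"{label}-{date.today():%Y%m%d}.tar.gz"
    manifest_path = dest_dir / (archive.name + ".manifest.json")
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(root / rel, arcname=rel)
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive, manifest_path


def verify_restore(archive: Path, manifest_path: Path) -> bool:
    """Restore into a scratch directory and compare every hash to the manifest.
    A backup that has never been restored is an untested assumption."""
    expected = json.loads(manifest_path.read_text())
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The 'data' filter refuses absolute paths and '..' entries
                # (Python 3.12+, backported to some earlier releases).
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)  # older interpreter without the filter
        return build_manifest(Path(scratch)) == expected


def run_demo() -> Tuple[int, bool, bool]:
    """Back up a constructed set of working papers, verify it, then alter the
    manifest to show the check failing. Returns (file count, ok, ok_after_tamper)."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp) / "audit-working-papers"
        (work / "interviews").mkdir(parents=True)
        (work / "report-draft.txt").write_text("Draft audit report (constructed sample)\n")
        (work / "interviews" / "site-manager.txt").write_text("Interview notes (constructed)\n")
        archive, manifest = create_backup(work, Path(tmp), "hse-audit")
        ok = verify_restore(archive, manifest)
        # Simulate a damaged or swapped archive by altering one recorded hash.
        records = json.loads(manifest.read_text())
        records["report-draft.txt"] = "0" * 64
        manifest.write_text(json.dumps(records))
        return len(records), ok, verify_restore(archive, manifest)


if __name__ == "__main__":
    print(run_demo())
```

Keeping the manifest apart from the archive is the point: if the off-site copy is truncated, substituted or silently corrupted, the restore check fails rather than the loss being discovered on the day the files are needed.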
10 Teamworking
Introduction In Chapter 8 of this book, we discussed the importance of creating and maintaining good working relationships with individuals outside the audit team. However, the lead auditor must also ensure that all the individuals in their audit team work well together. Before we do this, we must recognize that many audits are undertaken by lone auditors. This has its difficulties.
Difficulties of working on your own
Many audits are carried out by a singleton auditor, even in quite large organizations. However, as we said in Chapter 3 of this book, this is not an approach that we would support or recommend. When there is a need for analysing and synthesizing the many and various strands of information coming in from a variety of sources to arrive at an opinion about the effectiveness of a business control framework (BCF), there should be at least two auditors on site, with access to a senior colleague off-site – please see A-Factor 21 on page 74. By the time an auditor has completed half to three-quarters of the review and verify stage in the auditing methodology described in this book, they will have generated a vast amount of information about the way in which the auditee and their subordinates have created and are using each of the elements of the BCF (or multiple control frameworks). The auditor may also have decided which controls he wishes to verify/test for application and effectiveness, and possibly have got the results of verifications already carried out. After doing all this work, there is a need to stand back and reflect on what it all means, especially in preparing for the ‘no surprises’ meeting with the auditee. In this situation, it is extremely difficult for an auditor working on his or her own to be able to arrive at a balanced assessment taking into account all the positive as well as the negative indicators. Having at least two auditors is preferable to allow reasoned discussion and argument, which is more likely to result in the balance that the audit is required to produce, and provide management with relevant high-level messages for improvement.
Initial meetings
It is generally unlikely that the lead auditor will personally know all the individuals assigned to the audit team – and sometimes, may not know any of them. The size and composition of the team will vary according to the complexity of the audit to be performed, and the audit intensity required. The lead auditor’s first action with regard to ensuring effective teamworking will be to have a brief discussion with each team member and thereby confirm that he has been given a sufficient number of people with the right competencies to carry out the audit.
A-Factor 67: The lead auditor’s first action to promote effective teamworking is to have an early discussion with each team member.
Once the team composition has been finalized, the lead auditor should arrange to have an early one-on-one meeting (of perhaps an hour?) with each member of the audit team. The aim is for the lead auditor and the team member to get to know a little (more) about each other in an unpressurized situation. The lead auditor should try to find out the level of personal and professional commitment and operational readiness the team member has regarding their assignment and the audit team, and whether they are likely to be distracted during the period of the audit by either personal or work issues. He should also confirm the level of their auditing experience and whether they have any particular specialization which will be useful in allocating them to do specific tasks. The team member should be encouraged to ask as many personal and assignment-related questions as they like at this meeting, since they should understand that the next meeting will be with the whole team and there will be an emphasis upon getting on with the job and less time for personal questions.
If the team leader has compiled a package of relevant background reading already, then he should give a copy to each team member, together with a copy of the draft terms of reference, and ask that they thoroughly acquaint themselves with the information and be prepared to talk about the business environment, corporate business objectives, corporate and auditee opportunities and risks, and operational risks within each scope area (Figure 10.1) at a meeting with the whole team.
Figure 10.1 Set-up stage – familiarization with background data (a two-page form with headed spaces for: Business Environment – political; economic; social and technological; Corporate and key Departmental Objectives, Strategies and Plans; Main Company Risk and Opportunities; and, on page 2, Initial Main Operational Risk Assessment for Scope Areas 1 to 6)

Laying down the ground rules
The lead auditor needs to make it clear to the team members from the outset, both in private and in plenary session, that the best results will be produced by any audit team, as long as:
• each auditor ensures that they are clear about their individual accountabilities for auditing particular items in the work plan; they execute the necessary fieldwork to a high standard; they record all of the information obtained in their own working papers and they share the same information (analysed across the elements of the BCF) with the other team members
• each auditor is committed to give and receive positive criticism of both the team’s and their own work and behaviour
• each auditor is committed to listen to their fellow team members explaining the results of their fieldwork and the conclusions they have drawn from those results before they challenge what their colleague has done
• each auditor welcomes that the product of their fieldwork and the logic of their thinking and argumentation will be challenged by the other audit team members (as well as the lead auditor)
• each auditor is willing to seek assistance from other team members as well as the lead auditor so as to optimize the quality of their own work.
Confirming findings with the lead auditor
As each team member progresses through the audit, it is a very good idea for there to be regular meetings with the lead auditor to report back on what has been found so far in their fieldwork. The lead auditor can either do this one-on-one with their team members or involve other team members. Periodic confirmation by the lead auditor with his audit team that they are on track and covering the work plan items allocated to them is a critical supervisory aspect of the lead auditor’s role. This is beneficial and essential because:
• if a team member cannot convince the lead auditor there is a finding, they will be unlikely to convince the auditee; and
• the lead auditor also needs to hear about the quality of risk management in the auditee’s area and the degree of strengths and weaknesses in the management system at an early stage.
The lead auditor will want to know whether any major or serious control weaknesses have been identified so that they can advise the auditee as necessary, during their ‘no surprises’ meetings.
Playing as a team
If the lead auditor is successful in engendering the above style of teamwork, it will result in an individuality of committed performance together with an open and vigorous discussion amongst team members, including reasoned challenge and debate without irritation or rancour, and the result will be that every team member feels committed to every finding. This team-playing attitude is especially important during the conclusion stage when the lead auditor has to sign off each of the auditor’s Audit Finding Working Papers and initiate the sharing of information amongst the audit team through the medium of the BCF (simulated on the wall charts), so that the team together can start to evaluate, group and summarize the findings. This can only be done from a base of common understanding of the factual information on the BCF. All auditors need to be prepared to explain and support the facts that they have contributed to the wall charts. This process can generate some heat, which the lead auditor will need to ensure is productive rather than destructive. At the end of this process the facts upon which the audit opinion is going to be formed will have been agreed on by the whole team. Similarly, each team member assigned responsibility for preparing a balanced assessment of an individual element of the control framework, in a form suitable for inclusion in the management summary, will work more effectively since they will have previously been involved in discussions which referred to most of the positive and negative indicators which they will use in preparing their summary.
Cabinet rules – ‘our opinion’
Each member of the audit team has to be clear that the lead auditor is ultimately accountable for presenting the result of all their work and may therefore have to make judgement calls based on his assessment of all the facts available to him. If the team has operated in the effective and creative way described above then it is less likely that there will be any serious disagreement between any member of the audit team and the lead auditor. However, should there be such a disagreement, then it will be incumbent upon the lead auditor to remind the team member in question that audit reports do not include ‘minority opinions’.
A-Factor 68: The only place for the audit team to disagree is in the team room. Outside the team room, they must be united. There must be no minority opinions in audit reports.
Consulting with external team members
The lead auditor needs to remember that there will be experts outside the audit team to whom he could turn for advice and guidance. This is particularly relevant when the team are assessing the possible impacts and consequences of the auditee’s actions as uncovered during the audit. The reality is that the report is likely to be seen by third parties, such as contractors or regulatory authorities. If there is an error either by commission or omission that impacts them, they are free to challenge the audit results. In sensitive situations such as those affecting occupational health and safety of customers, employees or the local community, especially if there have been any recent incidents in the area being audited, the lead auditor must be prepared to speak to technical or legal experts. They should be treated as part of the audit team. For example, a lawyer could assist the team by providing appropriate language to describe a control weakness that needs to be strengthened so as to prevent the reoccurrence of incidents. Auditors can be held liable for defamation if an audit report is inaccurate and subsequently harms the subject of the report. Clearly, truth is the best defence against such legal action and therefore working closely with legal experts is important even as early as the recording of evidence and deliberations of findings. In sensitive areas, contact with legal experts should not be left until drafting the audit report. In certain jurisdictions, expressions in an audit report referring to poor management practices and unacceptable levels of exposure to certain risks could lead to civil and criminal action, which could result in substantial punitive damages and imprisonment for the senior managers involved, and some indemnification may be avoided in contractual documents such as insurance policies.
Peer review
Towards the end of the audit, if it is possible to arrange, the lead auditor should be given access to another senior internal auditor, who will either have experience of auditing a similar area or would have been sufficiently briefed on the background of the particular audit, so that they will be able to review the main audit findings and the draft audit report in order to confirm their agreement with the draft audit opinion. Such a ‘peer review’ process is always likely to make a significant contribution to the quality assurance surrounding an audit; however, it becomes an essential part of audits carried out by one or two auditors.
A-Factor 69: It is a real bonus if the lead auditor has access to a competent colleague with the time to carry out a peer review to confirm their draft audit opinion.
A-Factor 70: The auditee can become the most important team member!
Appendix 1 – Preparation, Preparation, Preparation
Introduction
This appendix, we think, is perhaps the most important section of this book. We encourage lead auditors to cut it out, photocopy it or, if you wish, amend it to take account of your own experiences or specific requirements; alternatively, we recommend that you download a copy of it from the book’s companion website at http://books.elsevier.com/companions/0750680261 after November 2006. We especially welcome constructive feedback from users of these checklists, as we very much intend to incorporate and credit the better suggestions received into future editions of this book. This appendix provides a practitioner’s guide to audit preparation and conduct. Just as many people have a packing list for their holidays and other travel, where each year they add to their list something they forgot, well, this has been our preparation list for many years. We use this each time we go to do an audit, and we commend it to you, though of course, it does not claim to be absolutely definitive. You will find lots of tips and suggestions here to think about – whether you are to join (or lead) your first or 1001st audit. Amongst our suggestions, tips and techniques, you’ll find our thoughts on:
• preparation of the audit team
• personal preparation – visas, jabs, local currency, credit cards
• preparation – documentation
• getting there – transport, accommodation, ticketing
• subject preparation – business background, organization objectives, interview schedule
• doing the audit.
These checklists are provided for the guidance of current and trainee auditors, particularly lead auditors. Whilst it is unlikely that any list of this type can be absolutely complete, it does aim to cover many of the main areas, and in turn to give a reasonable assurance that the main additional requirements for team-leading (over and above those of the audit team members) have been covered.
How the checklist is structured
The checklist (and supporting commentary) is divided into three sections, hence this appendix is called ‘preparation, preparation, preparation’:
• set-up stage
• conducting the audit
• after the audit.
Set-up stage
1. Confirm with internal audit manager the requirement for an audit. As a lead auditor, it is essential that the requirement to participate in an audit is confirmed (in writing if possible). You’ll need the audit duration and intensity (i.e. number of auditors). If you are providing this service as a contractor, this confirmation constitutes your work order. Another important request at this time is for the draft of terms of reference (ToR).
2. Confirm the audit dates and duration. Confirm the dates/duration for the audit with the nominated individual at the location(s)/process(es) to be audited. If no specific individual is nominated, the site manager (or similar) is likely to be the auditee. We recommend that confirmation of this information is sent to the auditee in writing. Mention the orientation visit if this is required (see 9 below).
3. Identify/select the other audit team members. The lead auditor should write to each nominated member of the audit team, welcoming them to the team, briefly describing their involvement, and confirming the dates and duration of the audit.
4. Develop and send pre-audit requests (for information and documents needed in advance of audit). Approximately three months in advance of the audit (or as time allows), request in advance the desired information from the location. This gives time for follow-up at –2 months and –1 month if the required items are not received. We have included an example text, showing what may be useful to request in advance, in Appendix 3.
5. Receipt of pre-audit documentation. When pre-audit documentation arrives, be sure to read it. Check it against the list of information requested, and as necessary, follow up on essential items not received.
6. ‘One month out checks’. These constitute the ‘final arrangements’. Check (for self and audit team):
• passports and necessary entry/exit visas (a six-month validity beyond the planned return date is a good standard)
• ticketing/travelling arrangements
• immunizations, etc. – some territories require evidence of inoculations at border control (e.g. yellow fever)
• business travel insurance
• accommodation for the duration of stay – the auditee can often recommend suitable, convenient locations and may also have preferential rates agreed upon
• a supply of local currency and an ATM-enabled credit card
• availability of translators (where needed)
• immunizations/anti-malarial tablets
• initial meeting point logistics for auditors
• PPE (e.g. safety shoes, flameproof overalls, etc.).
7. Send draft ToR (3 ‘A’s, reference framework, scope). Send the draft ToR to the auditee approximately one month before the audit is due to commence. This is an ideal way of confirming the final details to the location.
8. Sift and send pre-audit materials to audit team members. There is no need to send everything. Choose wisely and send copies of the information that is most likely to be helpful to the auditors as they start to prepare for this assignment. One month beforehand is an ideal time.
9. Arrange pre-audit orientation visit to site. Within the month before the audit (as discussed in Chapter 5), it is useful for the lead auditor to make a short orientation visit to the location.
Conducting the audit
Lead auditors have the principal responsibility for ‘delivering the overall audit service’ with a fact-based written audit report. The lead auditor is also responsible:
• as the principal contact between the auditee and the auditors
• for convening and chairing all meetings of the audit team
• for being the principal presenter at entry and exit meetings/presentations
• for arranging and conducting ‘no surprises’ meetings with the auditee
• for scheduling meetings with the auditee’s staff, and coordinating overall timekeeping
• for motivating the audit team – coaching/coordinating/maintaining team discipline
• for checking/proofreading all documentation (e.g. working papers) produced by the team
• for security of data and materials
• for ‘deciding’ where the team cannot (sometimes this can be as the ‘casting vote’ – the lead auditor is responsible for the overall audit opinion)
• for coordinating production of the draft report
• for QA (quality assurance).
After the audit
The lead auditor takes the following responsibilities following the conclusion of the on-site work, and after the audit team has dispersed:
• finalize (having received and taken account of any auditee comments) and submit the final audit report with recommendations to the auditee, and others as agreed/required
• gather, index and securely archive/securely destroy (depending upon contractual arrangements and/or professional indemnity insurance requirements) audit working papers and other documents
• send letters of thanks (as appropriate) to the auditee and each member of the audit team
• arrange for charging or invoicing (as required) for the fees and expenses incurred.
An excellent lead auditor should also:
• regularly back up all computer and mobile phone data at a secure, out-of-office location
• undertake CPD (continuing professional development), and maintain a CPD logbook of developmental training and experience of auditing
• provide one-to-one coaching/support/training to their staff
• be aware of the need for the provision of professional indemnity insurance (we recommend that this be discussed with a licensed insurance broker)
• be a member of a recognized auditing organization such as the International Register of Certificated Auditors (IRCA) or on an auditor register, such as that maintained by the Institute of Environmental Management and Assessment (IEMA). This latter register was formerly known as the EARA register.
Appendix 2 – A-Factors
In this appendix, for ease of reference and revision, we have gathered together the seventy (70) ‘A-Factors’ presented throughout the chapters in the text. A-Factors (Asbury, Ashwell or Auditing Factors) represent the authors’ consolidation of the essential knowledge and skills for undertaking risk-based audits.
Chapter 1
A-Factor 1: Organizations are concerned with transforming inputs to outputs. Inputs create outputs, and outputs create inputs.
A-Factor 2: Organizations are inseparably intertwined with their external environment. Their managers should take account of this to achieve their organizations’ objectives.
A-Factor 3: The structure of an organization is a means to an end, not an end in itself.
A-Factor 4: Recognize that ultimately market forces tell organizations – if they are listening carefully – what to produce (quality), when to produce it (delivery on time) and the price to charge (price). Set out, these objectives should be represented in the business plan.
A-Factor 5: Top management should balance the influences of the competing external and internal environments to face its target market(s) with aligned and well-communicated business objectives.
A-Factor 6: Risk is anything which may hinder or assist achievement of business objectives. It is generally quantified in terms of its residual likelihood and severity. Value creation and value protection are the essence of an organization’s success.
A-Factor 7: R = L × S (Risk = Likelihood × Severity).
A-Factor 8: Look for the application of ERIC whenever and wherever there is a significant risk.
A-Factor 9: Know that ultimately an audit is an independent and balanced assurance to stakeholders regarding an organization’s ability to meet its business objectives, in increasingly volatile business environments.
Chapter 2
A-Factor 10: Keep things simple – remember PDCA.
A-Factor 11: To carry out successful management system audits effectively, an auditor needs a relevant internal control reference framework against which the auditee’s performance can be assessed.
A-Factor 12: Only by using a ‘structured management approach’ can an auditee turn their high-cost Controls into profit-enhancing Control.
A-Factor 13: Whatever the auditee’s reference framework is, an auditor needs to have their own standard ‘structured management approach’ which they can use to simplify the complexity of an auditee’s framework, or to have something to hand if there is a vacuum.
A-Factor 14: Do not permit the terminology and detail used to describe any business control framework to deflect you from the structured simplicity of Plan–Do–Check–Act.
Chapter 3
A-Factor 15: An audit should provide a reflection, as if in a mirror, of the auditee’s business control framework.
A-Factor 16: A prime reason for audit is organizational improvement, as well as providing assurance.
A-Factor 17: A rolling, balanced audit plan is a foundational and essential component in preparation for providing internal and external assurance to stakeholders.
A-Factor 18: The audit committee is responsible for keeping the audit plan under regular review.
A-Factor 19: The audit objectives can be referred to as ‘the 3 As’ as an aide-mémoire – Assure, Alert, Advise.
A-Factor 20: The Terms of Reference are the contract for the audit – the agreement between the organization and its auditors of ‘what’ will be delivered by the end of the audit. No audit should commence without agreed ToR.
A-Factor 21: For Level 2 audits, the team should comprise a minimum of two members (i.e. a lead auditor, plus one other auditor), with access to support for peer review.
A-Factor 22: Recognize the importance to the overall audit opinion of an objective view from an independent audit team.
A-Factor 23: First impressions count. Get the highest level of professional qualifications that you can, pursue CPD, and use your (applicable) designatory letters on business cards, reports and other stationery.
Chapter 4
A-Factor 24: The Audit Process Roller Coaster© comprises two simple dynamics – top down and bottom up.
A-Factor 25: The main deliverable of The Audit Process Roller Coaster© is an audit report that triggers improvement.
A-Factor 26: A lead auditor can decide, if it is a relatively inexperienced audit team working in an area of the business which they do not know well, that the set-up time can be increased above 20 per cent and the time available for the audit fieldwork decreased by the extra time used for set-up. At least 20 per cent must be retained for the reporting stage.
A-Factor 27: Regular monitoring by the lead auditor of progress against the audit work plan and of findings which are arising, should ensure that the audit is completed on time, using those resources available to provide a level of assurance concerning the control framework within the auditee’s area of responsibility.
A-Factor 28: Whilst there is a logical sequence of activities within the review and verify stages, the main tasks will be performed more than once. This is especially true during interviewing, when there will be a number of iterations and the enquiries undertaken move inexorably down into finer granularity of detail, across various lines of enquiry, and possibly across a number of different control frameworks.
Chapter 5
A-Factor 29: Lead auditors must have a clear view of their process, and know how to react at each stage.
A-Factor 30: If the audit is not carried out as scheduled, or if either the audit reference framework/audit scope are significantly changed, the corporate audit plan should be amended.
A-Factor 31: The audit’s ToR is generally not negotiable. It has been approved by the audit committee as one of their ‘jigsaw pieces’ and the scope areas need to be covered completely.
A-Factor 32: As a lead auditor, it is important to encourage your team to be speculative. Think ahead about the business environment in the audit setting, and about how your auditee will be managing their part of the business in the light of future challenges.
A-Factor 33: The key to a successful audit set-up is to have a well-prepared audit team.
A-Factor 34: You get one chance to make a first impression – take it!
A-Factor 35: The work plan is, and should remain, a dynamic tool which is continuously referred to by the lead auditor. It should be adapted to take account of discoveries made by the audit team in the review process.
A-Factor 36: Time constraints and the need for audit efficiency mean that the auditor should not set out planning to ask questions about every control element of the reference framework. They need to decide which of the control elements are critical as a basis for good risk management of the business activity being audited.
A-Factor 37: Each audit will have a master audit file, containing all the audit records. This will be retained after the audit for an agreed period.
A-Factor 38: Before the time available for the set-up stage runs out, each auditor should have a series of individual agendas for their first interviews ready, together with lists of appropriate questions which will enable them to start the next stage of the audit.
Chapter 6
A-Factor 39: Understand that we base our overall audit opinion on the efficient and structured control of the risks in our work plan, which was selected because of the potential risks to the achievement of the organization’s objectives.
A-Factor 40: Manage an audit as any other project, with careful time planning, including an allocation for contingency.
A-Factor 41: This preparation of the expected control framework is done (probably) before the site work commences, but is essential for focusing the auditor’s questions during the review and the testing in the later verification stage.
A-Factor 42: I Will Audit (Independent, Well-balanced, Appropriate) given the needs of the auditee’s organization.
A-Factor 43: To check for controls in place = to verify implementation and effectiveness of management’s expected control. For expected controls not considered appropriate or necessary by management = verify acceptability of residual exposure.
A-Factor 44: The best recommendations an auditor ever makes are those that have been agreed upon with the auditee. The best chance of gaining agreement arises from bringing the auditee on their side at the earliest possible opportunity.
A-Factor 45: Learn by listening closely! There is more to hear than ‘yes’ or ‘no’!
A-Factor 46: Whatever you decide as the sampling strategy, record the sample size, how it was derived and the results of the sample (i.e. what the sample told you) in box 4 of the AFWP.
Chapter 7
A-Factor 47: Acceleration ‘top down’ provides sufficient momentum for the journey ‘bottom up’ the roller coaster.
A-Factor 48: A significant finding is one to which the answer to the “so what?” question is assessed in terms of a significant impact which the control weakness is very likely to have on the auditee’s ability to meet their immediate business objectives or, more significantly, the ability of the organization to meet its corporate objectives.
A-Factor 49: All areas of strength found in the BCF must be recorded as fully as examples of weakness, so there is accurate weighting of each.
A-Factor 50: The audit team has to be able to see the balance of the emerging facts if it is to apply its mind to what those facts mean. Large wall charts are a fantastic idea, because they lend visibility.
A-Factor 51: Overall audit opinions should have an even number of gradations. The overall audit opinion should reflect the overall level of concern resulting from the audit work.
A-Factor 52: The lead auditor is ultimately responsible for the conduct of the audit, and the overall audit opinion.
A-Factor 53: The audit opinion is not negotiable once the audit team has arrived at its decision.
A-Factor 54: Have clear objectives, strategies and tactics for you and your team during the presentation. Your objective is to help management arrive at the right decision regarding their reaction to your audit’s findings. Whether this opinion is ‘good’ or ‘unacceptable’ (or anywhere in between), initiation of some response is likely to be necessary, whether this is consolidation of existing strengths, or a survival strategy and keeping the board out of jail respectively. The strategy should be to focus management’s attention onto a few key messages, and the tactics will be to support these messages with factual evidence to the extent demanded by any person in the room.
A-Factor 55: Know who will be attending the meeting, and so far as possible, ensure that the attendees are the appropriate audience with sufficient time available for the full duration. You (or the auditee) send to each attendee an agenda, and a short description of how the audit team wish to conduct the presentation. Requests from management for pre-meetings or discussions as a result of this should be met.
A-Factor 56: Remember the audit is not over. The best outcome of the presentation will be full support for the findings, and commitment to making the appropriate response. However, if, for whatever reason, management is not able to accept either the findings or commit, then keep a dialogue going with the audited organization to give management the opportunity to express why agreement and commitment is not possible. Your aim is still to optimize the effect of all the hard work done by the audit team.
A-Factor 57: If despite following this guidance, and ideally having broad support from the auditee, you do not feel that further discussion will result in management’s agreement and commitment, your only course of action is to refer the matter to the internal audit manager (with a view to their reporting this outcome to the Chair of the internal audit committee).
Chapter 8
A-Factor 58: Time spent on reconnaissance is seldom wasted.
A-Factor 59: Don’t drop your guard until the assignment is complete. It is essential to rehearse the nature of objections, and to try to see things from the other person’s perspective. Anticipate, and have in mind answers to, the types of questions auditees and others are likely to pose.
Chapter 9
A-Factor 60: The written report is an essential document, which compels business improvement if you get it right.
A-Factor 61: Discuss ‘disclaimer statements’ with competent legal advisers in your jurisdiction.
A-Factor 62: Senior management should recognise that the executive summary describes their business as they see it. It must demonstrate that the audit team has approached the audit in terms of assuring management that they have a successfully managed business, and not just assessed how their HSEQ management system measures up against the specified reference framework.
A-Factor 63: Whether auditors like it or not, managers will be judged by the results of audits. The body of those standing in judgement includes the board of directors, remuneration committees, external regulators, the legal system, and other stakeholders.
A-Factor 64: A well-written paragraph delivering a ‘poor’ or ‘unacceptable’ audit opinion will have the effect that ‘the reader may not like it, but the logic and the facts cannot be denied’.
A-Factor 65: Detailed reporting of each audit finding should examine the extent to which the audited organization has delivered on the definition of business control.
A-Factor 66: Regularly maintain an off-site back-up of all computer files to prevent irretrievable loss.
Chapter 10
A-Factor 67: The lead auditor’s first action to promote effective teamworking is to have an early discussion with each team member.
A-Factor 68: The only place for the audit team to disagree is in the team room. Outside the team room, they must be united. There must be no minority opinions in audit reports.
A-Factor 69: It is a real bonus if the lead auditor has access to a competent colleague with the time to carry out a peer review to confirm their draft audit opinion.
A-Factor 70: The auditee can become the most important team member!
Appendix 3 – Suggested List of Pre-audit Documents
Preamble
This text and checklist provides some basic ideas for the initial list of documents and information to be requested from the auditee. Some lead auditors have ‘fill in the blanks’-type questionnaires, which are sent to a location in advance of an audit to gather information. Personally, we do not favour this approach, as the answers are often too closed to be of real assistance, but, as we said in Appendix 1, we would be pleased to hear from auditors who favour this alternative approach.
Suggested text
In advance of the xxx audit scheduled to commence on xx/xx/20xx, the audit team would like to receive hard/soft (state preference) copies of the following documents in English language (or state preference). To allow the necessary preparation, we request that they arrive no later than xx/xx/20xx. Please send these to ______________________________________ (address), marked for the attention of _____________ (name of lead auditor).
• Directions to site and an area map
• Site rules, pointing out any particular training, PPE or other mandatory access requirements
• Site plan showing perimeter, buildings and major processes
• Comprehensive organization chart
• Business plan and organization’s major objectives
• Operating licences and permits (e.g. fire, environmental, waste, fleet, etc.)
• List of applicable laws and regulations
• Table of contents – xxx manual (state subject – health & safety, quality, etc.)
• Minutes of most recent xxx management review meeting, or similar (state subject required)
• Training matrix (or similar)
Final words
In our experience, ‘less is often more’. Don’t ask for complete manuals, as a table of contents will usually suffice. We suggest keeping the list tight and short – that way, you’ll be more likely to receive all the items requested. If the items do not show up by the due date, send up to two reminders. Please don’t be disappointed if some or all of your requested information does not show up – this is surprisingly common. But do be ready to work a little harder in the set-up stage to fill in the gaps!
Glossary
ACM – Asbestos-containing material
AFWP – Audit finding working paper
BCAM – Business controls assessment matrix
BCF – Business control framework
CFC – Chlorofluorocarbon
CoCo – Criteria of Control Board
COSO – Committee of Sponsoring Organisations of the Treadway Commission
CSR – Corporate social responsibility
ERIC – Eliminate, Reduce, Isolate, Control
EU – European Union
FDA – Food and Drug Administration
G8 – Group of 8
GATT – General Agreement on Tariffs and Trade
GDP – Gross domestic product
IMF – International Monetary Fund
IPPC – Integrated Pollution Prevention and Control
ISO – International Standards Organisation
KPI – Key performance indicator
MSA – Management self-assessment
OECD – Organisation for Economic Co-operation and Development
PCAOB – Public Company Accounting Oversight Board
PDCA – Plan, Do, Check, Act
PEST – Political, Economic, Social, Technical
PML – Possible maximum loss
PPE – Personal protective equipment
RPI – Retail price index
SCBA – Self-contained breathing apparatus
SMART – Specific, Measurable, Achievable, Right, Timely
SWOT – Strengths, Weaknesses, Opportunities, Threats
ToR – Terms of reference
US/USA – United States/United States of America
UK – United Kingdom
WTO – World Trade Organisation
References
Asbury, S.W. (2005). A risk-based approach to auditing. The Environmentalist, Issue Number 29, June 2005. Institute of Environmental Management and Assessment.
Bernstein, P.L. (1996). Against the Gods – The Remarkable Story of Risk. Wiley.
Blanpain, R. and Inston, R. (1996). The Bosman Case. Sweet and Maxwell.
Boyle, T. (2002). Health and Safety: Risk Management. The Institution of Occupational Safety and Health.
Bryce, L. (1991). The Influential Manager. Piatkus.
Budd, S.A. and Jones, A. (1994). The European Community: A Guide to the Maze. Kogan Page.
Deming, W.E. (1989). Out of the Crisis. Massachusetts Institute of Technology.
Eves, D. and Gummer, J. (2005). Questioning Performance – The Director’s Essential Guide to Health, Safety and the Environment. The Institution of Occupational Safety and Health.
Fuller, C.W. and Vassie, L.H. (2004). Health and Safety Management – Principles and Best Practice. Prentice Hall.
Handy, C. (1994). The Empty Raincoat. Arrow Business Books.
Health and Safety Executive (1997). Successful Health & Safety Management. 2nd edition, HSG65. HSE Books.
IIA-UK & Ireland (2004). Institute of Internal Auditors – UK and Ireland. Code of Ethics and International Standards for the Professional Practice of Internal Auditing. IIA, p. 4.
Johnson, S. (1999). Who Moved My Cheese? Vermilion.
OHSAS 18001:1999. Occupational Health and Safety Management Systems – Specification. British Standards Institution.
Toone, B. (2004). Protect Your People – and Your Business. The Institution of Occupational Safety and Health.
Willis Corroon (1996). Environmental Management Manual. Willis Corroon Environmental Forum.
Zakaria, F. (2006). Voices. Newsweek, Volume CXLVII, No. 22, 29 May 2006, page 28. Newsweek International.
Bibliography
The titles in this bibliography are informative references to assist readers to learn more about corporate environments, management and management systems, and tools and techniques relating to the subject matter of business and auditing. Titles noted represent books and technical standards which we have found useful over the years of our work to help us to really understand the role and context of auditing. The list is not exclusive, and other titles not included may be equally useful to readers.
Books
Barton, T.L. et al. (2002). Making Enterprise Risk Management Pay Off. Financial Times/Prentice Hall.
Bendell, T., Boulter, L. and Kelly, J. (1993). Benchmarking for Competitive Advantage. Pitman Publishing.
Blanchard, K. and Johnson, S. (1983). The One Minute Manager. Fontana.
Borge, D. (2001). The Book of Risk. Wiley.
Brooks, I. and Weatherspoon, J. (1997). The Business Environment: Challenges and Changes. Prentice Hall.
Buchholz, R.A. (1998). Principles of Environmental Management – The Greening of Business. Prentice Hall.
Campbell, D.J. (1997). Organisations and the Business Environment. Butterworth-Heinemann.
Chisnall, P. (1989). Strategic Industrial Marketing. Prentice Hall.
Cormack, D. (1987). Team Spirit. MARC Europe.
Covey, S.R. (1989). The 7 Habits of Highly Effective People. Simon & Schuster.
Crainer, S. et al. (1996). Leaders on Leadership. The Institute of Management.
Curwin, J. and Slater, R. (1991). Quantitative Methods for Business Decisions. Chapman and Hall.
Dalton, A.J.P. (1998). Safety, Health and Environmental Hazards at the Workplace. Cassell.
Daniels, J.D. and Radebough, L.H. (1997). International Business: Environments and Operations. 8th edition, Addison-Wesley.
Davies, P. (1990). Your Total Image – How to Communicate Success. Piatkus.
Drucker, P. (1970). Drucker on Management. Management Publications Limited for British Institute of Management.
Eichenwald, K. (2005). Conspiracy of Fools: A True Story. Random House.
Finlay, P. (2000). Strategic Management – An Introduction to Business and Corporate Strategy. Prentice Hall.
Friedman, T.L. (2005). The World is Flat. Penguin Group.
Graham, A. (1990). Investigating Statistics. Hodder and Stoughton.
Goldratt, E.M. (1988). The Goal. Gower.
Goldratt, E.M. (1994). It’s Not Luck. Gower.
Greeno, J.L. et al. (1988). The Environmental, Health, and Safety Auditor’s Handbook. Arthur D. Little, Inc.
Handy, C. (1995). Waiting for the Mountain to Move. Arrow Books.
Handy, C. (1995). Beyond Certainty. Hutchinson.
Handy, C. (1997). The Hungry Spirit. Hutchinson.
Hart, M. (1993). Survey Design and Analysis Using Turbostats. Chapman and Hall.
Heller, R. (1998). In Search of European Excellence. HarperCollins.
Hendy, J. and Ford, M. (2004). Redgrave, Fife and Machin – Health and Safety. Butterworth.
Hill, T. (1991). Production/Operations Management. Prentice Hall.
Huczynski, A. and Buchanan, D. (1991). Organisational Behaviour. Prentice Hall.
Jay, A. (1967). Management and Machiavelli. Pelican.
Jenkins, M., Pasternak, K. and West, R. (2005). Performance at the Limit – Business Lessons from Formula 1 Motor Racing. Cambridge University Press.
Johnson, G. and Scholes, K. (1999). Exploring Corporate Strategy. Prentice Hall.
Kolk, A. (2000). Economics of Environmental Management. Prentice Hall.
Kolluru, R.V. (1994). Environmental Strategies Handbook – A Guide to Effective Policies and Practices. McGraw Hill.
Kolluru, R. et al. (1996). Risk Assessment and Management Handbook. McGraw Hill.
Lorriman, J. and Kenjo, T. (1994). Japan’s Winning Margins. Oxford University Press.
Magretta, J. (2002). What Management Is. HarperCollins.
Mintzberg, H., Ahlstrand, B. and Lampel, J. (1998). Strategy Safari. Prentice Hall.
Morgan, G. (1986). Images of Organisation. Sage.
Morris, H. and Willey, B. (1996). The Corporate Environment. Pitman.
Moser, C. and Kalton, G. (1971). Survey Methods in Social Investigation. Heinemann.
Moss-Kanter, R. (1989). When Giants Learn to Dance. Touchstone Simon and Schuster.
Neale, A. and Haslam, C. (1995). Economics in a Business Context. Chapman and Hall.
Pascale, R.T. and Athos, A.G. (1986). The Art of Japanese Management. Penguin.
Peters, T. (1988). Thriving on Chaos. Pan Books.
Peters, T. (1992). Liberation Management. Pan Books.
Peters, T. (1994). The Tom Peters Seminar. MacMillan.
Peters, T. (1994). The Pursuit of Wow! MacMillan.
Peters, T. (1997). The Circle of Innovation. Hodder and Stoughton.
Peters, T. and Waterman, R.H. (1982). In Search of Excellence. HarperCollins.
Porteous, A. (1996). Dictionary of Environmental Science and Technology. Wiley.
Pritchard, P. (2000). Environmental Risk Management. Earthscan.
Steiner, G.A. and Steiner, G.F. (1994). Business, Government and Society: A Managerial Perspective. 7th edition, McGraw Hill.
Welford, R. and Gouldson, A. (1993). Environmental Management & Business Strategy. Pitman Publishing.
Worthington, I. and Britton, C. (2000). The Business Environment. 3rd edition, Prentice Hall.
Technical standards
ANSI/AIHA Z10-2005 American National Standard for Occupational Health and Safety Management Systems. ISBN 1 931504 64 4.
BS 8800:1996 Guide to Health & Safety Management Systems. British Standards Institution.
EMAS – Eco-Management and Audit Scheme.
HACCP – Food Hygiene – Hazard and Critical Control Point.
ILO-OSH 2001 Guidelines on Occupational Safety and Health Management Systems. International Labour Organisation. ISBN 92 2 111634 4.
ISO 9001:2000 Quality Management Systems – Requirements. International Standards Organisation.
ISO 14001:2004 Environmental Management Systems – Requirements with Guidance for Use. International Standards Organisation.
ISO 17799 Code of Practice for Information Security Management. International Standards Organisation.
ISO/TS 16949 Quality Management System. International Automotive Task Force.
OHSAS 18001:1999 Occupational Health & Safety Management Systems – Specification. British Standards Institution.
PAS 99 Integrated Management System Standard. British Standards Institution.
QS-9000 Quality Management Systems for Suppliers to the Automotive Industry. General Motors, Chrysler and Ford.
Comments from course delegates
This was an outstanding course with clear objectives, good methodology, good time management and excellent facilitators. The good balance between tutorial and practice made the course highly effective. I am confident in my future role as an auditor.
Ismaila Mbaye, Health Adviser, Dakar, Senegal

An excellent course. Far more relevant with practical needs and requirements for auditing within my environment compared with [an] ISO Auditors course.
Captain Kevan McGregor, Team Leader Vessel Quality Assurance, Houston, TX, USA

The process used (viz. roller coaster) made us go deeper in checking at the test stage – that was great for understanding the methodology.
Alfredo Santos, HSE Adviser, Sao Paolo, Brazil

I have found the audit course extremely useful both in terms of content and presentation. In addition, my expectations of the course in terms of ‘audit team approach’ were fully met.
Daryoush Leicy, Head of Exploration & Production Onshore HSE, Kazakhstan

Excellent course. Covered my expectations and more. Very helpful and easy to understand even with a huge amount of information presented.
Daniel Rodriguez, Leader Engineer for Instrumentation & Electricity – Surface Operations Support, Venezuela
For the first time in my 30-year career in construction, I have understood the audit process and no longer regard it in the negative way that I once did.
Henryk Akielan, Offshore Construction Superintendent, Kazakhstan

More confident now to ‘balance’ audit reviews and testing, what to look for and when evidence is enough.
Arphee Caymo, HSE Adviser, Brunei

I rode the roller coaster! [Case study was] a masterpiece!! I am happy to recommend others to participate in this course for their work within [our] Technical & Operational Excellence Group.
David A. Harding, Technical Manager, Rijswijk, The Netherlands

Now I believe I can positively contribute to audit. Helped me to understand internal audit structure.
Emmanuel Monnif, HSSE Line Advisor, Cameroon

Although designed primarily for auditing, almost all aspects of management development are touched upon ... in a very exciting and comfortable/relaxed environment.
Okey Onuoha, Senior Operations Readiness Engineer, The Hague, The Netherlands

A very well structured and informative course. The approach and methodology to conduct a risk-based audit was very well put forward. The tedium of the sheer volume of documents and tutorials all came to good fruition.
Bijan Vakilzadeh, Senior Safety Engineer, Kazakhstan
From you I have learned a great deal of skills (interpersonal & from an auditing perspective) which will make my future auditing involvement so much more effective.
Andre Norton, Head of HSE Audit, Johannesburg, South Africa

I found what I wanted, a new approach. The training was very useful and good. I think I can be in an audit team in a real audit, and it will help me to apply the things that I learnt from this training. The roller coaster approach is very useful.
Ayhan Erden, Civil Superintendent Offshore Civil Works, Kazakhstan

I came to the course with no auditing experience and a moderate understanding of the HSE MS. So I was looking to gaining that ‘high level’ knowledge. The theory, complemented by the syndicate exercise, really validated and drove home the principles I was hoping to get.
Cody Buyer, Wells HSE Supervisor Geophysical Operations, Houston, TX, USA

There is a lot of mystique around the auditing process. This course has lifted the veil and revealed it to be suitable for use in any management situation. It has given me a valuable reminder that I can use existing skills in a variety of ways and I have learned new skills to complement.
Mike Pincock, Production Technologist, Rijswijk, The Netherlands

This course is well known in the Well Engineering community. I will continue to send my staff on this course as I found the content very applicable for Well Engineers and the course itself is well designed and enjoyable.
Co Vleugel, Head of Well Engineering, Syria

I feel very confident now about participating in [an] HSE MS Audit.
Nico Meijboom, Chemicals Customer Service, Rotterdam, The Netherlands
Index
Accountability, 40, 54, 62, 105, 170, 174, 192
ACM see Asbestos containing material
Adelphia see Business, control failings
A-Factors, 168
AFWP see Audit finding working paper
Ahold see Business, control failings
ALARP see Risk
American Society for Quality, The (ASQ), 78, 80
ANSI/AIHA Z10–2005, 68
Areas of strength and weakness, 133
Asbestos containing material, 122
Assurance, 60
  Assure, Alert, Advise (3 As) see Terms of Reference
  audit, 60, 61–2, 63, 64–7, 69–70
  business, 61
  reasonable, 42, 60, 125, 131, 186
Audit:
  appropriate, 70
  balance, 60, 62, 69–70
  compliance, 12, 52, 61, 64
  definition, 61
  file, 90, 110, 111
  findings, 117, 156–62, 191–3
    documenting, 83, 164
    grouping, 150, 156
    prioritizing, 112, 149, 150
    reducing the number of, 150
  HSEQ, 68, 112, 134
  independent, 150
  interview strategy, 90, 107
  interviewing, 88, 107, 108
    analysing facts, 155
    recording facts, 155, 160
  levels of, 63–8
    level 1, 65, 145
    level 2, 65–6, 68
    level 3, 65, 66, 67, 175
  management system, 38, 79
  opinion, 162–6, 189–190
    level of concern, 88, 163
  planning, 60–81
    frequency, 69, 70, 101
    intensity, 69
  process roller coaster see Audit Process Roller Coaster©, The
  process stages:
    conclude, 102, 116, 141
    report, 88
    review, 116, 120, 123, 150
    set-up, 86, 89
    verify, 87, 118, 129
  report:
    actions, 191–2
    disclaimer see Disclaimer statements
    draft, 160, 195
    executive summary, 187–8
    finalizing, 86
    part 1, 164–5, 187
    part 2, 160, 191
    peer review, 203
    recommendations, 159, 183, 187
  results, 161, 164, 165
  site visit, 97–8
  sponsor, 164, 179
  team:
    cabinet rules, 202
    external team members, 202–3
    meetings with the team, 201
    membership of, 60, 94
    selection of, 72, 74
    working on your own, 197
  test plan:
    sampling, 119, 134
  testing see Verify
  thought process, 120, 159, 190
  time planning:
    contingency, 102–104
    logistics, 103
  work plan:
    work plan item, 107
Audit finding working paper:
  example of, 115
Audit Process Roller Coaster©, The:
  bottom up, 83, 133
  top down, 84, 113
Auditee:
  challenge by, 159
  meetings with:
    close out, 99
    initial, 99
    no surprises, 164
    presentation to management, 165
    progress meetings, 102, 179
Auditor:
  continuing professional development, 23, 76
  independence, 74
  registration, 76
  role, 74
Aural Mining see Business, control failings
Barings Bank see Business, control failings
BEAC, 81
Beeton, Mrs. I., 143, 156
Bernstein, P. L., 26, 27
Bosman, Jean-Marc, 20
Bottom up see Audit Process Roller Coaster©, The
BP Texas City see Business, control failings
British Credit and Commerce International (BCCI) see Business, control failings
BS 7799, 68
BS 8800, 68
Buncefield Oil Terminal see Business, control failings
Business:
  control failings, 147, 148, 191
    Adelphia, xix
    Ahold, xx
    Aural Mining, xx
    Barings Bank, xx
    BP Texas City, xx, 53
    British Credit and Commerce International (BCCI), xx
    Buncefield Oil Terminal, xx, 158
    Cable & Wireless, xx
    Enron, xix
    Global Crossing, xix
    HealthSouth, xix
    Longford Gas Plant, xx
    Parmalat, xx
    Piper Alpha, xvi, xx
    Resona Bank, xx
    Shell, x, 27
    Tyco, xix
    Worldcom-MCI, xix
  definition of, 3, 51
  ethics, 39, 54
  improvement, 79, 144, 182
Business control:
  model, 45
  organisation, 45
  policy, 53
  procedures, 55
  review and appraisal, 56–7
  structure, 53–4
  supervision, 55–6
Business control framework (BCF):
  actual, 146, 155
  expected, 84, 98
  weak element(s), 164
  weakness level, 149, 156
  well balanced, 125
Business controls assessment matrix (BCAM), 155–6
Business environment:
  economic, 15
  legal, 18
  political, 5, 10
  resources, 21
Business objectives:
  code of conduct, 47
  qualitative, 51
  quantitative, 46
Business process:
  analysis, 45
  control, 33, 45
  core, 33, 51
  service, 51
Cable & Wireless see Business, control failings
Cadbury Committee, 40
Chlorofluorocarbon (CFC), 19
Committee of Sponsoring Organisations of the Treadway Commission (COSO):
  Enterprise Risk Management – Integrated Framework, 41–2
  Integrated Framework of Internal Control, 39, 41
Competence:
  auditor, 39
Competitors, 6
Compliance, 12, 52, 57, 61, 64, 66, 99
Consequence, 24, 24, 31, 53, 63, 202
Continuing professional development see Auditor
Controls:
  business see Business control
  definition of, 3, 51
  containment, 26
  detection, 26
  framework see Business control framework (BCF)
  internal see Internal control
  mitigation, 26, 106
  preventative, 26
  restoration, 26
  reasonable assurance, 42, 60, 131
  self-assessment, 56
  structured means of, 42, 113, 117, 133
  weakness:
    remedial action, 56, 154, 159, 167
Corporate governance, 62
Corporate social responsibility, 57
Cost, 146
Criteria of Control Board (CoCo), 40
Critical success factors, 45, 52
CSR see Corporate social responsibility
Customers, 6
Deming, W.E.:
  14 points of management see Management
  system of profound knowledge see Management
  Wheel, 33, 37, 60, 67
Directors:
  executive, 60
  non-executive, 60
Disclaimer statements, 187–8
Eliminate, Reduce, Isolate, Control, 30
EMAS, 68
Employees, 6, 37, 48, 126
Enron see Business, control failings
Enterprise, 42
Environment:
  audits, 42, 80
  economic, 15–18
  external, the, 3–4, 10–15
  factors, 21
  internal, 7–10
  legal, 18
  political, 10–14
EQFM Excellence Model, 68
ERIC see Eliminate, Reduce, Isolate, Control
Ethics:
  accountability, 40
  honesty, 60
  integrity, 40
European Union (EU), 5, 13, 19
Expectation gap, 100
External audit see Statutory audit
ExxonMobil see Longford Gas Plant
Familiarisation:
  background information, 93–6
Fibonacci, 26–7
Findings see Audit
Food and Drug Administration (FDA), 175
Foreign Corrupt Practices Act, 39
Frequency, 24
General Agreement on Tariffs and Trade (GATT), 13
Global Crossing see Business, control failings
Government, 13–14
Greenbury Committee, 40
Group of 8 (G8), 13
HACCP, 68
Hampel Committee, 41
Hazard:
  al zahr, 27
Health see Health and safety
Health and safety:
  audits, 68
  Executive (HSE), 25
  policy, 113, 118
HealthSouth see Business, control failings
Hierarchy of risk control see Eliminate, Reduce, Isolate, Control
Honda, 34
HSE-MS, 92, 223
HSG65, 25
ILO-OSH 2001, 68
Impact, 18, 167
Improvement, 71, 182
Information:
  reading, 93, 96, 121
  sources, 177
Institute of Environmental Management and Assessment (IEMA), 78, 80
Institute of Internal Auditors (IIA), 76, 80, 81, 176
Insurance:
  Lloyd’s list, 28
Integrated Pollution Prevention and Control (IPPC), 32
Internal audit:
  committee, 61
  manager, 73
Internal control:
  action, 41–2
  aim, 42
  comparison, 56
  standard, 41
International Auditor and Training Certification Association, The (IATCA), 81
International Monetary Fund (IMF), 17
International Personnel Certification Association, The (IPC), 81
International Register of Certificated Auditors (IRCA), 76
International Standards Organisation (ISO), 81
Interview strategy see Audit
Interviewing see Audit
ISO 14001:2004, 8, 185
ISO 17799, 68
ISO 9001:2000, 194
ISO/TS 16949, 68
228
John Lewis Partnership, 48
Juran, J., 33
Kaizen, 71
Key Performance Indicator (KPI), 37, 56
KonTraG, 41
Law:
  civil, 19
  classification and sources, 18
  criminal, 19
  enforcer, 12
  implementer, 12
  international, 19
  maker, 12
  tort, 19
Lead auditor:
  role, 74
  supervisory review, 103
Legislation, 5, 19, 110, 194
Likelihood, 24–6
Lloyd’s list see Insurance
Longford Gas Plant see Business, control failings
Management:
  14 points of, 35
  good practice, 194
  lateral learning, 62
  system of profound knowledge, 35
  system thinking, 34
  tone at the top, 52
  truths, 35–8
Management self-assessment (MSA), 94
Meetings see Auditee
Merritt, C.W., 52
Mission, 24, 79, 81
Missouri, 122, 123
Objectives see Business objectives
OHSAS 18001:1999, 71, 113, 118
Opinion see Audit, opinion
Organisation:
  organisational theory, 7–8
  structure, 8–10
Organisation for Economic Co-operation and Development (OECD), 17, 18
Parmalat see Business, control failings
Passport Office:
  addresses of, 104
PCAOB see Public Company Accounting Oversight Board (PCAOB)
PDCA see Plan, Do, Check, Act
Performance measurement, 46
Personal protective equipment (PPE), 145
PEST see Political, Economic, Social, Technical
Peters Commission, 40
Piper Alpha see Business, control failings
Pisano, L. see Fibonacci
Plan, Do, Check, Act, 33–4
Policy:
  health and safety, 113, 118
Political, Economic, Social, Technical, 1–2
Possible maximum loss (PML), 116
Preparation see Familiarisation
Probability, 24
Public Company Accounting Oversight Board (PCAOB), 217
QS-9000, 67
Quality:
  audits, 42, 68
  management system, 67–8
  of staff, 52
Questionnaires, 110
RABQSA, 79
Records:
  filing, 121
  retention of records, 110
  working papers, 110–11, 115–20
Reference framework, 41–2, 71, 146–7
Relationships:
  networking, 173
Report see Audit
Reputation, 25, 28
Resona Bank see Business, control failings
Resources:
  capital, 3, 21
  labour, 3, 21
  land, 3, 21
  natural, 21
Retail price index (RPI), 16
Review, 56–7, 88, 112, 115, 125
Risk:
  ALARP, 30
  appetite, 30
  area, 107, 110
  assessment, 48–50
  assessment matrix (RAM), 31, 112
  assessment software, 32
  awareness, 121
  balance, 69
  dare, 27
  definition, 27
  exposures, 25
  gross, 25
  identification, 91
  management framework, 42
  matrix, 50, 112
  net, 26
  opportunity, 45, 112–13
  residual, 25–6
  risicare, 27
  tolerance, 28
  universe, 50
Root cause, 147–9
Rudd, Sir Nigel, 25
Safety see Health and safety
Sample:
  sampling, 133
  size of, 137
  techniques, 133–4
Sarbanes Oxley Act, xix
Self-contained breathing apparatus (SCBA), 118
Set-up, 86–7, 89
Severity, 24, 25, 26
Shell see Business, control failings
Show Me state see Missouri
Site visit see Audit
Six Sigma, 71
So what?, 149
Social responsibility, 57–9
Society, 15, 19, 25, 28, 78, 80
Software see Risk, assessment software
Specific, Measurable, Achievable, Right, Timely (SMART), 193
Stakeholders, 32, 60–2
Standards:
  global, 39
  guidelines, 53
  international, 39
  legal, 19
  principles, 39, 53
Statutory audit:
  expectation gap, 60
  opinion, 164
  true and fair view, 124
Strengths, Weaknesses, Opportunities, Threats, 2
Structure, 8, 53–4
Structured means of control, 42, 113, 117, 130
Suppliers, 6, 66
SWOT see Strengths, Weaknesses, Opportunities, Threats
Targets, 16, 54, 57
Teaching model see Audit Process Roller Coaster©, The
Terms of Reference:
  Assure, Alert, Advise (3 As), 71
Testing see Verify
Texas City see BP Texas City
Threat, 112–113, 169
Top down see Audit Process Roller Coaster©, The
ToR see Terms of Reference
Toyota, 47
Transparency, 32, 40, 190
True and fair view see Statutory audit
Trust, 19, 122, 170, 177
Turnbull Committee, 41
Tyco see Business, control failings
United Kingdom (UK), 13
United States (US), 80
United States of America (USA), 5, 185
Value:
  adding, 3, 61, 78
Value creation, 25, 112
Value protection, 25, 112
Verify:
  corroboration, 135
  LISTEN, 136
Vienot, M., 40
Virgin, 47
Vision, 47, 83, 151
Weakness level see Business control framework (BCF)
Work plan see Audit, work plan
World Trade Organisation (WTO), 13
WorldCom-MCI see Business, control failings