
Taking Auditing to New Level with International Standard Under Revision


ISO’s popular standard for auditing management systems is under revision and has just reached the first voting stage, a crucial step in its development.

Organizations are increasingly turning to management systems in a quest to be more effective and save time and money. Many companies have several different management systems, each focusing on different areas, such as IT, information security, quality, and environmental management. ISO 19011, Guidelines for auditing management systems, will help with the effective audit of those management systems to ensure continuous improvement, allowing harmonization across systems and a uniform approach to the auditing process where there are multiple systems in place.

The standard is currently being revised to reflect the growing number of management system standards (MSS) and the recent revisions of some of the most widely used, such as ISO 9001 for quality and ISO 14001 for the environment. It has just reached Committee Draft (CD) stage, meaning those countries involved in its revision have an opportunity to make comments on the draft.

Denise Robitaille, chair of ISO/PC 302, the ISO project committee responsible for the revision, said that when the standard was last published in 2011, there were 11 management system standards, but that number has since grown significantly to 39, with 12 others in development.

“As organizations see the benefit and need for management systems, there has been an increase in the number of sector-specific standards to respond to the mandate.

“There are now MSSs that cover areas such as health and medical, environment, services, information technology and more. In addition, the two most popular MSSs – ISO 9001 and ISO 14001 – have recently been updated, so the auditing of these systems needs to reflect the variety and number of standards being developed.”

ISO 19011 is applicable to all organizations that need to conduct internal or external audits of management systems or manage an audit programme. It is intended to apply to a broad range of potential users, including auditors, organizations implementing management systems and organizations needing to conduct audits of management systems for contractual or regulatory reasons.

ISO 19011 also provides guidance on external audits, including certification and supplier audits, which support the implementation of the MSS.

The revised version of ISO 19011 is due to be published mid-2018.

This article has been republished in full with permission from ISO.

The post Taking Auditing to New Level with International Standard Under Revision appeared first on The Auditor.

A Little Data’ll Do Ya


An introduction to basic statistics and data analysis for auditors

So what is a process approach anyway? Wait a minute. Hold up! This article is about data analysis for auditors isn’t it? Well yes, but before we can talk about how auditors can analyze data we need to understand the processes from which this data comes.

A process can be thought of as an activity that transforms inputs into outputs. In manufacturing, the 6Ms—man, machine, material, measure, method, and mother nature—are often identified as process inputs, with the understanding that problems with process outputs typically come from problems with process inputs. This is shown in figure 1.

In other words, the root causes of nonconforming outputs tie directly back to the process inputs. You don’t always need to use the 6Ms though. It’s only important to identify inputs that make sense for your organizational processes. Data from most process outputs align themselves in a normal distribution, or bell-shaped curve. The bell-shaped curve is a graphical representation of process variation, of which there are two kinds. Common cause variation is that which is normal to any process. Special cause variation is that which is outside of the +/- three sigma control limits, caused by an external factor. Special cause variation should be investigated to determine root cause and apply corrective action.

Having a normal distribution is important because bell curves allow for a more profound understanding of process behavior through the use of statistical tools and methods, for example, understanding whether a given process is producing normal variation or whether some special cause is adversely affecting it. It can also show if there’s a statistically significant difference between two events. Additionally, we can make certain predictions about a population based on the bell curve, such as how likely something is to be true or whether it will fall within a certain range.

These benefits are so important that when process data doesn’t fall into a normal distribution pattern, the data is often transformed. Transformation is a kind of “statistical hocus-pocus” that seeks to answer the question: What would this data look like if it was normally distributed and which statistical tools can we apply based on this theoretical model? Data transformation is thankfully outside of the scope of this article.

The process width of six standard deviations (+/- 3 standard deviations from the process center) is considered the voice of the process. This is the portion underneath the bell-shaped curve where 99.7 percent of the data falls, as shown in figure 2.


Someone way smarter than me years ago decided that 99.7 percent was a high enough percentage of the population to draw conclusions about the entire population. It’s this plus or minus three standard deviations from the process center where control chart control limits are set. Note that uncontrolled doesn’t necessarily mean out of specification. You want control limits to be within specification limits so that if a control limit is passed, you have time to either troubleshoot the process or make adjustments before parts begin to consistently go out of specification. The two most important things to understand about a process are: Is it stable and in control? Is it capable?


Process capability is simply the ability of a process to consistently make parts to specification. Process capability indices compare the process width to the difference between the upper specification limit and lower specification limit. The most commonly used capability indices are Cp, Cpk, Pp, and Ppk. When voice of the process equals voice of the customer then the capability index is one. Less than one and the process is not capable. An industry rule of thumb when a capability requirement is called out in a specification is Cp/Cpk of greater than or equal to 1.33 and Pp/Ppk greater than or equal to 1.67.

Cp/Cpk shows short-term variation. Pp/Ppk shows long-term variation, which captures more special cause variation. It is for this reason that Pp/Ppk will always be lower than Cp/Cpk. Cpk and Ppk are the preferred methods for evaluating process capability, as they both account for process location and width.

Though statistical software often shows capability indices as a part of the control chart graphic, it’s important to understand that capability indices are not an element of control charts. Control charts (graphical) and capability indices (analytical), although complementary to one another, are two separate and distinct tools.
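The following is an added worked example, not part of the original article: it computes the plus or minus three sigma control limits and the Cp/Cpk indices as two separate steps, and flags possible special cause variation in constructed measurements. The sample data, the specification limits of 9.0 and 11.0, the moving-range estimate of short-term sigma, and the run-of-eight check are assumptions chosen for illustration.

```python
from statistics import mean

D2_N2 = 1.128          # standard d2 constant for moving ranges of two points
RULE_OF_THUMB = 1.33   # minimum Cp/Cpk quoted in the article

def sigma_within(data):
    """Short-term sigma estimated from the average moving range."""
    moving_ranges = [abs(b - a) for a, b in zip(data, data[1:])]
    return mean(moving_ranges) / D2_N2

def control_limits(data):
    """Return (LCL, center, UCL) at +/- 3 sigma: the voice of the process."""
    center = mean(data)
    spread = 3 * sigma_within(data)
    return center - spread, center, center + spread

def capability(data, lsl, usl):
    """Return (Cp, Cpk). Cp compares widths only; Cpk also uses location."""
    mu, sigma = mean(data), sigma_within(data)
    cp = (usl - lsl) / (6 * sigma)
    cpk = min(usl - mu, mu - lsl) / (3 * sigma)
    return cp, cpk

def special_cause_signals(data, run_length=8):
    """Flag points beyond the control limits and long one-sided runs.

    The run-of-eight check is an assumed example of a run rule, used here
    to catch the subtle shifts that the 3-sigma limits alone do not show.
    """
    lcl, center, ucl = control_limits(data)
    signals, run_side, run_len = [], 0, 0
    for i, x in enumerate(data):
        if x > ucl or x < lcl:
            signals.append((i, "beyond control limit"))
        side = (x > center) - (x < center)   # +1 above, -1 below, 0 on center
        if side != 0 and side == run_side:
            run_len += 1
        else:
            run_side, run_len = side, (1 if side else 0)
        if run_len == run_length:
            signals.append((i, f"run of {run_length} on one side of center"))
    return signals

# Constructed sample measurements (not real process data).
STABLE = [10.0, 10.2, 9.9, 10.1, 9.8, 10.0, 10.3, 9.9, 10.1, 9.7,
          10.0, 10.2, 9.8, 10.1, 9.9, 10.0, 10.2, 9.9, 10.1, 9.8]
# Same spread, but the process center has moved toward the upper spec limit.
OFF_CENTER = [round(x + 0.4, 1) for x in STABLE]
# One point (index 12) disturbed by an external factor.
OUTLIER = STABLE[:12] + [11.2] + STABLE[13:]
# Last eight points shifted upward; every point is still inside the limits.
SHIFT = STABLE[:12] + [10.4, 10.7, 10.5, 10.6, 10.8, 10.5, 10.7, 10.4]

if __name__ == "__main__":
    for name, series in [("stable", STABLE), ("off-center", OFF_CENTER),
                         ("outlier", OUTLIER), ("shift", SHIFT)]:
        lcl, center, ucl = control_limits(series)
        cp, cpk = capability(series, lsl=9.0, usl=11.0)
        verdict = "meets" if min(cp, cpk) >= RULE_OF_THUMB else "below"
        print(f"{name:10s} limits=({lcl:.2f}, {ucl:.2f}) "
              f"Cp={cp:.2f} Cpk={cpk:.2f} ({verdict} {RULE_OF_THUMB})")
        for index, reason in special_cause_signals(series):
            print(f"    investigate point {index}: {reason}")
```

The off-center series has the same Cp as the stable one but a Cpk below one, and the shifted series stays inside its control limits yet is still flagged by the run check.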


Now that we have covered the basics, let’s talk about data review. When reviewing an organization’s data analysis program, you want to ask what information is reviewed, by whom, and what the data is used for. When looking at data, you want to look not just at whether it’s within specification or even in control; you also want to understand trends in the data. Understanding how to respond to uncontrolled conditions or negative trends is an often-overlooked part of a less mature QMS.

“Decisions based on the analysis and evaluation of data and information are more likely to produce desired results” –ISO 9000:2015 2.3.6.1

What does this mean to us as auditors? As auditors we should be looking to confirm the maxim below.

  • Don’t collect data if you aren’t going to plot it.
  • Don’t plot data if you aren’t going to analyze it.
  • Don’t analyze data if you aren’t going to do anything with the results.

Ideally you would want to see process data evenly distributed around the process average, as shown in figure 5.


Some examples of commonly seen trends that would warrant further investigation are shown in the following figures. You will note that some of these changes can be subtle, so you will need to be on the lookout for them.


There’s a set of rules developed by Westinghouse in the 1980s called the “Westinghouse Rules” that gives additional examples of plotted data that might require investigation. However, you don’t need to be a statistical expert and remember every guideline for when to launch an investigation based on data. You should, however, be able to recognize when there is the possibility of special cause variation indicated by plotted data and know what questions to ask.

Some of the questions that an auditor might ask when reviewing the process monitoring program are:

  • What do you do when an adverse trend is encountered?
  • What do you do when an out of control condition is encountered?
  • How do you know what to do when an out of control condition or adverse trend is encountered?
  • If Cp/Cpk or Pp/Ppk data is captured, is there a minimum requirement?
  • How do yields or other process data compare across shifts or between similar lines?
  • Is there a structured program in place for review of and response to adverse trends/conditions in data?
  • How do you identify positive trends that may point to an opportunity to transfer a best practice from one process or work center to another?
  • What training is provided in SPC and data analysis?
  • Are the daily metrics captured aligned with organizational goals and objectives?
  • How were the control or specification limits selected? Don’t assume that a statistical or even logical method was used.

In our data-driven society, more data is available than ever before. It’s important to not just understand the data that we are looking at but to also know which data to review.

When looking at data analysis in an organization, it’s important to understand how flow down of strategic goals and objectives, as called out in ISO 9001:2015, is accomplished. It should be clear how operational targets support tactical objectives, which in turn support strategic goals. Each goal and objective should have an associated metric that will indicate when the goal or objective has been met. When there is not a clear link between goals, objectives, and metrics, it may sometimes be the case that unnecessary metrics are being tracked. Let’s look at the following example of proper flow down of corporate vision.

Vision: Become marketplace leader within the next five years.

Strategic goal: Increased market share

  • Metric: Industry ranking

 

Tactical objective: Improved quality

  • Metrics: Reduced customer return rate and increased customer satisfaction survey scores

 

Operational targets: Reduce process variation.

  • Metric: Lower scrap rate

 

We seek to derive insights from the review of data. Through those insights, data is transformed into information upon which decisions can be based.

Reviewing data doesn’t just occur by reviewing charts on the manufacturing floor. Often as part of an audit we are called upon to review validation reports. This may appear to be a daunting task. However, you don’t have to have a degree in statistics to provide a thorough review. Here are some basic tips:

  • Is the data that was specified in the protocol in the report?
  • Have all of the required signatories signed off?
  • Have all the success criteria been met?
  • If all of the success criteria have not been met, were appropriate procedures followed?
  • Any red lines crossed on the graphs?

 

Auditors play an important role in their assessment of an organization’s data analysis program.  Understanding basic statistical tools and techniques will allow an experienced auditor to provide a thorough review, regardless of their background. I will close with this quote by W. Edwards Deming: “In God we trust. All others please bring data.”

 

About the author

Lance B. Coleman has more than 20 years of leadership experience in the areas of quality engineering, Lean implementation, quality, and risk management in the medical device, aerospace, and other regulated industries. He has a degree in electrical engineering technology from the Southern Polytechnical University in Marietta, Georgia and is an American Society for Quality Senior Member, Certified Quality Engineer, Six Sigma Green Belt, Certified Quality Auditor, and Biomedical Auditor. He is also an Exemplar Global Principal QMS Auditor. Coleman is chair of U.S. TAG 302 and a voting member of U.S. TAG 176.

He is the author of Advanced Quality Auditing: An Auditor’s Review of Risk Management, Lean Improvement and Data Analysis (Quality Press, 2015) which has been nominated for an ASQ Crosby Award. Additionally, Coleman is an instructor for the ASQ Certified Quality Auditor Exam Preparatory and FMEA courses. As principal consultant of Full Moon Consulting, he has presented, trained, and consulted throughout the United States and abroad.

The post A Little Data’ll Do Ya appeared first on The Auditor.

Prepare for a Decentralized Management Audit Using Modular Kaizen Tools


Today’s audit environment is truly global. Gone are the days of small, local teams working on focused audits within a single department. Seldom are all audit members in the same time zone or even the same continent.

Preparing for an audit in a decentralized function takes complex planning and attention to detail. Effective decentralized management audits require the right skills focused on the right data within manageable time frames. Modular Kaizen is an integrated systems approach to organizational performance that supports the complex planning required for decentralized audits.

What is Modular Kaizen?

Modular Kaizen is a modification of the traditional kaizen improvement process that provides the same rapid results without removing critical personnel from daily operations. It’s conducted over a series of short activities designed to fit into a highly driven work environment.

Modular Kaizen was developed as a method for implementing a culture of quality improvement within an agency of the U.S. federal government during the H1N1 flu virus response in 2009. The agency was deeply involved in both the global preparation for and response to the effects of the H1N1 virus. Key personnel involved in the development of the cultural quality framework were leading scientists in the efforts surrounding the H1N1 epidemic. I was challenged with leading globally dispersed teams with subject matter experts busy working on life-saving activities.

Improvement relies on a system of processes

A management audit is an effective tool for process improvement. Faster process cycles and associated agility often suggest a decentralized auditing event. Auditors must be prepared to support this decentralized structure through remote communication.

One purpose of a management audit is to assure that the correct information is fed back to the appropriate parts of the organization to facilitate sustainability. The example described in this article shows how planning for a decentralized audit identified underlying process problems.

The emerging requirement to conduct decentralized audits fits well into the concept of Modular Kaizen. Modular Kaizen places heavy focus on planning, considering the availability of team members and subject matter experts. Critical to any successful audit is the availability of supporting documentation, often stored remotely under differing levels of security and access. Tools can be employed to structure complex activities to minimize disruption and maximize audit success.

What the audit tells us about a process

Figure 1 illustrates the concept of “accept, adjust, or abandon” in auditing processes. The least disruptive condition is to have the current process flow smoothly from one task to another, as illustrated in flow 1. Occasionally, processes will veer off expected target performance and exhibit a slight variation as shown in flow 2. This variation is still within the expected range of performance for the current process, so the process simply adapts to the minor variation identified in an audit and returns to the expected flow.

Occasionally a special cause strongly disrupts the flow, as exhibited in flow 3. Here process performance is outside the expected variation of the process. At this point, the process must adjust operations to return to the current process flow.

Finally, in flow 4, external pressure may be so strong on the current process that it’s no longer capable of meeting customer requirements. In this situation, the current state is abandoned and a new process is designed.

Auditing process performance relative to the four flows in figure 1 is a challenge when all the players are in the same room. Achieving an accurate image of how processes are followed during a remote audit can be downright frustrating. Unless the auditor and auditees think clearly through the audit steps well ahead of time, the event can fail miserably.

An example from real life

I recently served as a senior quality consultant to the electric utility industry. During this time, I designed quality assurance systems for protection and control departments. I was asked to complete a project closeout audit as follow-up for corrective action. One issue was the failure to follow documented procedures for engineering checklists and peer reviews before releasing an electrical design package to the client.

When planning for a decentralized audit, the following items are critical to a favorable outcome:

  • The right skills
  • The right standard
  • In the right place
  • At the right time
  • With the right documentation

Although the right skills were assigned to the process being audited at the electric utility, several other requirements were not as simply addressed.

The office being audited and the subject matter expert were in Birmingham, Alabama, along with the project coordinator and director responsible for the client. The auditor and project manager work out of headquarters near Orlando. We used online virtual meeting software for audit meetings. Keep in mind that this example is influenced by only one time zone. Imagine what happens when the audit is with locations on the other side of the globe!

Obstacles in this decentralized audit appeared quickly. Because the subject matter expert continued to have daily responsibilities for technical upgrades at client substations, I needed to schedule audit virtual sessions in between his work activities in Alabama. The Birmingham office was small with no backup for specialized engineering work.

Road blocks also appeared during documentation planning. Accessing standards and documentation across different servers became an issue. I use Microsoft Windows 10; the auditee location uses Windows 7. Windows 10 defaults to Microsoft Edge; Windows 7 uses Internet Explorer. IT access rules prevented the subject matter expert from having field access to corporate files, so we needed to download copies to a tablet we carried with us. Even with this workaround, we couldn’t always access the files we needed.

The reference standard for auditing the process was contained in a series of control manuals, but they weren’t all located in the same office or in the same format. Companywide standards were housed in electronic format at the headquarters location outside Orlando. Client-specific standards were maintained at the Birmingham office in electronic or hard copy files. Project-specific information was maintained in Birmingham across several software applications and files. MS Project files were kept by the project coordinator in Birmingham.

The standard for design packages follows generic electrical engineering protocols. A series of checklists and peer reviews are required before delivering the final package to the client. A common flowchart was maintained at headquarters for all company protection and control design packages. The Birmingham office had modified the flow for minor changes in client communication during design and acceptance.

Checklists for preliminary design, engineering package assembly, and final package delivery were available as standard templates with slight modifications for client preferences.

I developed a tracking sheet to record scheduled and completed dates of checklists and peer reviews for each of the three phases of project design. Event completions by the required date were used as project key performance indicators. When I compared the dates on the checklist and peer review documents with the project schedule based on the standard flowchart, I discovered serious discrepancies. When I asked about this, I was told, “Well, we don’t use the standard checklists. We wait to review until issue for acceptance.” This was a big clue for the audit.

Because I didn’t have access to company MS Project files, the project coordinator offered to create a PDF version of the project schedule to use during the virtual audit. Figure 2 is the PDF file. Problems with this approach were apparent quickly. When I maximized the font size by 400 percent to see the text, I couldn’t see sequencing throughout the project. The schedule includes individual dates for all three checklist and peer review phases that weren’t met, but instead left for the end of the project.

 


Apply data access and Modular Kaizen project scheduling tools

The project team and I quickly came to the root cause analysis of the corrective action situation. The local office had accepted more client work than time allowed and was cutting corners to meet deadlines. Resolving obstacles to performing the decentralized audit highlighted the discrepancies between the standard and the utility’s compliance.

As a result of this experience, I worked with the project coordinator and director to establish firm expectations for meeting key performance indicators. I used the Modular Kaizen model to suggest planning tools for an effective decentralized audit.

Figure 3 illustrates the major tools recommended by Modular Kaizen. The tools identified for this audit activity were:

  • Quality at the source
  • Teams
  • Modular flow
  • Pull technology
  • Project management


As we become less preventive and more reactive, the cost of correction increases in dollars and reputation. Planning to have all materials and personnel available for a remote audit is critical. We learned from our mistakes during this example.

The checklists and peer review templates provide a description standard for deliverables. The Birmingham team established the project schedule, modified standard checklists to meet the nuances of its client contract, and performed tasks as identified in the process flowchart. The local team was augmented with corporate project management and quality assurance for key performance tracking and the closing audit.

Modular flow: Schedule separately using pull technology

Modular flow assumes there is no need to have team members in the same room at the same time to perform a closing audit. Advanced planning ensures data are available in the correct format, in the right place, and with access authority for each scheduled activity.

Figure 4 illustrates the modular activities possible through effective planning.


Note that the project coordinator schedules the project kickoff meeting and builds the project schedule based on information from the project lead. The design engineer performs engineering activities, including three phases of checklists to meet content and due dates. Once the checklists are performed, the director is queued to perform the associated peer review. When the package is accepted by the customer, the director performs final signoffs for project close.

All members of the team don’t need to be present for the closing audit. If the project coordinator can present all materials to meet audit requirements, it’s done.

A Modular Kaizen approach to the decentralized audit

The decentralized audit requires significant advanced planning. Modular Kaizen focuses on the preventive nature of planning rather than the reactive nature of correction. Anticipating the skills, data, standards, and timing required for a decentralized audit allows both auditee and auditor to use their time effectively. In this fast-paced and highly disruptive world, using tools to assure that an audit is done right the first time is worth the work.

About the author

Grace L. Duffy has more than 40 years of experience in successful business and process management in corporate, government, education, and health care. She uses her experience as a former president, CEO, and senior manager to help organizations improve. She has authored 13 texts and many articles on quality, leadership, and organizational performance. She is a frequent speaker and trainer.

Grace holds an MBA from Georgia State University. She is an ASQ CMQ/OE, CQIA, SSGB, and CQA. Grace is a Lean Six Sigma Master Black Belt, ASQ Fellow, and Distinguished Service Medalist. Grace is the 2014 Quality Magazine Quality Person of the year and the 2016 recipient of the Asia-Pacific Quality Organization Milflora M. Gatchalian International Woman in Quality Medal.

The post Prepare for a Decentralized Management Audit Using Modular Kaizen Tools appeared first on The Auditor.

ASQ Salary Survey Reveals Modest Increase for U.S. Quality Professionals


The average salary for quality professionals in 2016 remained relatively flat, according to ASQ Quality Progress magazine’s 30th annual salary survey.

The Quality Progress Salary Survey helps to outline the health of the quality profession and breaks down salary information—submitted by ASQ members—in 26 sections and sorts the results by variables including job title, education, years of experience and geographic location. This year’s survey was completed by more than 7,200 quality professionals from a range of industries and market sectors.

According to the 2016 results, average salaries increased 0.86 percent to $91,659 for full-time professionals in the United States. However, average salaries for quality professionals in Canada decreased 2.6 percent to $86,923*. The decrease can be attributed to the smaller number of respondents.

In 2016, the titles of the highest-paid quality professionals in the United States include vice president/executive (earning an average of $169,350), statisticians ($132,468), and directors ($130,902). In Canada, the top salary belongs to Master Black Belts and educators/instructors, who earn an average of $177,230.

While salaries in the United States remained flat, the percentage of respondents dissatisfied with their salaries decreased from 35 percent in 2015 to 27 percent this year—the lowest level since Quality Progress began monitoring employee satisfaction in 2014. Respondents are most satisfied with their pay when their employers pay for quality-related training and ASQ certifications, according to the survey.

“While salaries for quality professionals remain mostly unchanged from last year, support from senior leaders and their willingness to pay for quality training and ASQ certifications play a major role in the satisfaction of their employees,” says Pat La Londe, ASQ chairman. “It’s that training and those certifications that can help employees add value to the organization and increase its quality.”

While the average salary for full-time quality professionals increased slightly, there are steps workers can take to boost their pay, such as earning ASQ certifications.

Consistent with past results, those who hold ASQ certifications earn more than their non-credentialed colleagues. According to the survey, U.S. respondents with one ASQ certification earn over $3,800 more than those without any certifications. Those with two certifications earn nearly $6,200 more than those with only one certification.

Specifically, quality engineers who hold ASQ manager of quality/organizational excellence certification earn nearly 21 percent more than non-certified quality engineers. Specialists with ASQ quality auditor certification earn 17 percent more than non-certified specialists.

Another way to boost pay is completing Six Sigma training. The average salary increased from $83,004 to $100,361 for U.S. quality professionals who completed one or more Six Sigma training programs. In Canada, the average salary increased from $81,759 to $94,234 for those with Six Sigma training.

While any level of training offers a boost in pay, completing higher levels of Six Sigma training offers an opportunity for larger salary increases, according to the survey.

In the U.S., the greatest disparity is between Master Black Belts, who earn an average of $130,878, and Black Belts, who earn an average of $104,974. In Canada, the greatest premium comes with Black Belts, who earn nearly $18,000 more than Green Belts.

Results from the Quality Progress Salary Survey can be found in the December issue of Quality Progress magazine.

*All Canadian figures are noted in Canadian dollars.

The post ASQ Salary Survey Reveals Modest Increase for U.S. Quality Professionals appeared first on The Auditor.

Security Expert Expects Rise in Security Certifications


Jeff Slotnick has been thinking about, analyzing, and predicting the future of the security industry for more than 30 years. In that time, he’s seen the industry shift into a significantly more important role, a change he saw coming while working as a senior enlisted person in the United States Army Engineer Corp.

“I’ve always been an evangelist for this community,” Slotnick observes. “The more people know about how risk assessment can help them, can help us run companies better and do things more safely, the more they become believers themselves.”

Slotnick, certified protection professional (CPP) and physical security professional (PSP), is the president of Setracon Inc. and chief security officer at OR3M, based in Washington state. He’s traveled the world consulting with organizations about their risk security profiles, and the predictions he made decades ago about the evolution of standardization in the risk assessment profession are fast becoming a reality. Compliance with ISO 31000 and ISO/PAS 28000 has become much more sought after in recent years. According to Slotnick, this is a change he saw coming years ago.

“It’s the influence of technology,” he says. “ISO 31000 and similar standards help organizations grasp an understanding of their culture, not just their data. It enables them to use all the data they collect and all the devices they have—which produce an immense amount of data—to protect themselves, their employees, customers, and businesses. It’s a very exciting time.”

The ISO 31000 family of standards includes ISO 31000:2009—Principles and Guidelines on Implementation, ISO/IEC 31010:2009—Risk Management—Risk Assessment Techniques, and ISO Guide 73:2009—Risk Management—Vocabulary. Although the standards weren’t developed with the intention for certification, Slotnick expects their popularity will increase significantly in coming years as more organizations recognize the potential of the standards to make them more secure.

“I find 60 percent of this job is education,” he says. “People don’t know what they don’t know. Simply capturing data in an audit, you’re creating a very clear value statement. I can show a company how identifying and managing risk helps them avoid problems in the future. Knowing what those dangers are and being able to create a plan to prevent or eliminate them is a very valuable skill and one that more people should learn.”

Teaching that skill is something that Slotnick is very familiar with. He serves as a faculty advisor with the University of Phoenix, where he also takes classes to continue his learning. In his roles as consultant, teacher, and student, he sees the risk assessment profession moving toward full enterprise security risk management (ESRM) and ultimately enterprise risk management (ERM). This is a shift that could have dramatic consequences to the way organizations staff their executive boards.

“This is an industry in transition,” he observes. “Traditionally, we’ve seen risk as a physical thing, something to address with physical means. Now, we’re seeing organizations meld their risk profile with their OHSAS, environmental, financial, customer and employee health, cyber, and physical risk efforts. All risk is shared. When there is risk to one part of an organization, there is going to be risk exposure to many other parts. That’s an exciting thing, and it’s been a long time coming.”

The post Security Expert Expects Rise in Security Certifications appeared first on The Auditor.

The Extraordinary Invisible World of Risk Type

by Geoff Trickey 

Think for a moment about the characteristics that set you apart and give you your unique identity. Is it your cautiousness, your careful planning, your ability to generate solutions, your openness to new experiences, your flexibility, your friendliness, your professionalism, your vigilance in following things through? Or, is it your independence or that you’re highly alert to signs that things may be going wrong?

All of the above are personality characteristics, or features that create a particular reputation for you among your friends, colleagues, and clients. They also define your risk disposition. Psychological Consultancy Ltd.’s research has found 23 different personality themes that affect risk taking and contribute to our taxonomy of eight distinctive risk types. It seems that these risk-related personality characteristics have a lot of influence on the way you come across to others, your public persona, and your reputation. They also affect the way people see eye to eye when making decisions and in the ease and comfort of relationships between colleagues. Individuals with opposite risk types are very different. When both people are extreme examples of their risk type, they may seem like aliens to each other, almost beyond belief, so it’s not likely that they will always see eye to eye or easily get along.

The interesting thing is that these distinct and defining features are invisible. In a crowded train, you would have no idea who would fit each of the eight risk types. Some will be highly anxious in these crowded conditions, some will be relaxed, unstressed, and oblivious to the circumstances. Some will be excited by being “one of the crowd” and find interest and fascination in the diversity of those around them. Others will be fretting about timetables, next appointments, or if they will miss their connection in this slow-moving crowd, but all that is inside their heads. You wouldn’t know it. You might not want to know it, but it’s real and it’s there. If you had a grasp of the key features of each risk type, you would be able to make a reasonable guess about the people you know well; certainly, you would recognize how they fit the description in their risk type report. Yet, these unseen individual differences play a huge part in influencing behavior across all areas of life: recreational preferences, the way you manage money, plan your career, or arrange your holidays. Their interpersonal consequences also create group dynamics in teams and affect group decision making. Organizational culture, board decisions, managerial relationships, and recruitment decisions are all influenced through the crucial overall balance achieved between opportunity and risk. Organizational survival depends on it. Yet risk dispositions are invisible and are likely to go unrecognized.

The Risk Type Compass is a psychometric personality questionnaire that focuses on these critical risk features. Like other personality characteristics, they have a persistent influence on our behavior and decisions.

A recent research study by eminent economists tracked senior bankers over a 15-year period as they moved from job to job. They found that the risk-taking policies of a bank were determined more by the personality of the bankers in charge than any other measurable factor, including bonuses (Financial Times, 2016). This has implications for auditors too. Auditing is more about probability than about certainty. It involves investigation, observation, and interpretation. The information gathered has to be pulled together and formulated to achieve coherent conclusions and recommendations. In all of this, personal judgments play a very significant part. The recommendations of one auditor may not be quite the same as another. Risk dispositions influence the perception of risk and the way we think about it and handle it, so there is always a degree of subjectivity and bias in the judgments we make.

The big picture is that auditors tend to be relatively risk averse by nature, although within this trend there is considerable variability. This is illustrated in figure 1, which shows how a large international sample of auditors were rated using the Risk Type Compass. This positions any individual within a 360-degree spectrum calibrated continuously through the eight risk types, which merge and blend into one another. Sixty-seven percent of auditors fall within a range defined by three neighboring risk types. Clearly, like any other professional, the approach and manner of an individual auditor will be influenced by their own risk disposition, and so will their judgments and decisions. You will probably know of auditor colleagues who are either somewhat more or somewhat less cautious than you are. Everyone falls somewhere on the Risk Type Compass, and this positioning will have implications. There are no good or bad risk types; each has its advantages and disadvantages. It’s important to be sufficiently self-aware of the bias that these differences in risk disposition imply. This allows the benefits to be exploited and the disadvantages to be managed in a professional way.

Self-awareness is just one side of the coin. There is a second way in which auditors encounter risk type. Auditors work in many different sectors and professions. Just as there is a characteristic distribution of risk types amongst auditors, this is also the case with other professions. Police officers do not, in general, have the same risk dispositions as recruiters or air traffic controllers. Not all professions are so distinctive in this respect. Some have a very even distribution of the eight risk types but in others—air traffic controllers are an extreme example—the influence on the culture within that industry or profession will be palpable. Walk into the tax department of an accountancy firm and the likely reaction is no more than a peek over the top of a pair of spectacles. However, walk into a PR firm and they will probably be climbing over the desks to grab your hand and introduce themselves.

In moving between organizations, or departments in a large organization, these differences in organizational culture will create two challenges for the auditor. First, to engage with those that need to be engaged with, auditors may need to adapt their approach and mindset. Second, to establish working relationships, carry out their enquiries, communicate, define their requirements, and see the project through, they must negotiate the potential pitfalls of dealing with people whose risk disposition may be very different from their own. Organizations are characterized by different risk dispositions (see figures 2 to 6), and within any organization the finance function will be very different in this respect to the sales department, and HR will be different to research and development. When the risk culture of an organization is distinctive and different to the risk disposition of the auditor, basic assumptions about acceptable levels of risk and uncertainty, about vigilance in dealing with a task, or maintaining records or completing formalities may threaten the successful completion of the audit or its effectiveness. An awareness of the possible implications of risk type in the individuals you are working with, as well as self-awareness about the inevitable bias inherent in your own risk disposition, will improve your ability to navigate successfully within a world where these individual differences can be quite extreme.

From our database of more than 7,000 administrations of the Risk Type Compass assessment, we have generated the following illustrations of the varied patterns of risk type in different work settings:

[Figures: risk type distribution illustrations; images not reproduced]

Looking at the total sample graphic, it’s clear that risk types are evenly distributed. Your next encounter is no more likely to be any one than any other. Surely, this even distribution must reflect the importance of all the risk types in contributing to survival for our own species? We clearly need those who are “on edge” about risk who will draw attention to pending disasters and help to protect us. Species survival also needs those who will challenge everything in search of better solutions or who are prepared to face the danger and act to overcome it. I refer to this even distribution of risk types as “Team Homo Sapiens.” No football game is won with a team made up solely of defenders or solely of attackers; you need a balance between the two. There are no “good” or “bad” risk types; all have an important contribution to make. Once you can measure it, you can begin to manage it effectively. Team building of all kinds and at all levels can make use of it. The challenge is to find the right combinations of risk types to ensure success.

Individuals will improve their effectiveness, decision making, and performance by taking their own risk type dispositions into account.

These findings are already influencing policy decisions and working practices in a wide range of occupations in different countries. The research is robust, and the possibilities and opportunities are becoming ever more apparent. In auditing, too, these human factors are an unavoidable feature of the terrain.

What risk type are you?

Contact Edward Balfour at ebalfour@exemplarglobal.org to take the Risk Type Compass assessment.

About the author

Geoff Trickey is a passionate advocate of applied psychology. Through roles such as honorary research fellow at UCL, European manager for The Psychological Corporation, and a long association with Hogan Assessment Systems, he has been privileged to work with an influential pool of talent, which laid the basis for an informed global perspective on psychological practices.

Founding PCL in 1992, Trickey has overseen its continuous growth to establish a global presence. He developed the Risk Type Compass which is now distributed in the United States and Canada by Multi-Health Systems.

Trickey is a chartered psychologist, a fellow of the Royal Society of Arts, and an associate fellow of the British Psychological Society.

The post The Extraordinary Invisible World of Risk Type appeared first on The Auditor.

Establishing Audit Program Objectives

by J.P. Russell

To most, establishing program or department objectives seems like the normal thing to do. However, that isn’t always the case. Sometimes managers of programs or departments only focus on the purpose of their program or department. For example, the purpose of the audit program is to conduct audits. Therefore, all resources go into conducting as many audits as possible. Another example might be the shipping department where incoming material must be shipped ASAP. Establishing objectives or desirable outcomes goes beyond the purpose of a function. The aim is more about how the purpose is carried out and improved upon.

ISO 19011, Guidelines for auditing management systems, states that it is top management’s responsibility to ensure that audit program objectives are established. That doesn’t mean audit program managers should wait to hear from their boss before they establish objectives. On the contrary, audit program managers need to be proactive.

The audit program manager can start by determining the organization’s objectives and policies. An organization should have objectives to achieve their performance goals and obligations. Not all, but many policies may affect the audit department. Examples include safety, stewardship, ethics, and confidential information. A good starting point is to ensure audit program objectives are consistent with, and support, management system policies and objectives.

Next, audit program objectives can be established. There may be objectives for the entire function or specific audit program activities such as program management, plans, and performing audit services. Audit program objectives should relate to organizational objectives.

The program and individual audit objectives should also align with the needs and expectations of interested parties. For example, interested parties may include regulatory agencies, customers, suppliers, purchasing, and operations.

Audit program objectives direct program planning (department policy, procedures, guidelines, etc.). Plan what you do and do what you plan. Plans should align with objectives as well as the purpose of the function. One might ask, “Is this plan consistent with our objectives?” and “Is there anything we should change that would enhance our effectiveness to achieve our objectives?”

There should also be objectives for conducting audits. Providing an audit service is the purpose of the audit program. These objectives may relate to efficiency, safety, professionalism, and the code of conduct, and they should be consistent with audit program objectives. Perhaps an example objective would be to incorporate the seven lean wastes thinking when conducting the audit process to improve efficiency.

Audit program objectives can consider the following:

  • Management priorities
  • Commercial and other business intentions
  • Characteristics of processes, products, and projects and any changes to them
  • Management system requirements
  • Legal and contractual requirements and other requirements to which the organization is committed
  • Need for supplier evaluation
  • Needs and expectations of interested parties, including customers
  • Auditee’s level of performance, as reflected in the occurrence of failures, incidents or customer complaints
  • Risks to the auditee
  • Results of previous audits
  • Level of maturity of the management system being audited
  • Auditing organization risks

Examples of audit program objectives include:

  • To contribute to the improvement of a management system and its performance
  • To fulfill external requirements, e.g., certification to a management system standard
  • To verify conformity with contractual requirements
  • To obtain and maintain confidence in the capability of a supplier
  • To determine the effectiveness of the management system
  • To contribute to the identification of risks to the organization and verification of risk treatment actions
  • To implement an eAudit program to reduce costs
  • To evaluate the compatibility and alignment of the management system objectives with the management system policy, strategic direction, and overall organizational objectives

The objectives should be measurable. The idea here is to avoid vague generalizations such as “We will only use top-notch auditors or achieve performance excellence.” Plans for monitoring the achievement of program objectives will need to include determining the appropriate metrics. Some metrics will be obvious such as continued certification of the management system. Determining the metrics for other objectives such as the effectiveness of the management system may be more challenging. There may be some thought about appropriate metrics now or later as part of the monitoring performance process.

Plans should include how objectives are communicated. Objectives should be shared (note that there could be security exceptions). Informing people that need to know will only help the achievement of objectives. Communication of objectives could be done using several media options, for example, posters, intranet, emails, and virtual or face-to-face meetings.

Plans should take into account the need to update, delete, or replace certain objectives. Objectives need to be monitored and periodically evaluated and updated. For example, they may need to be updated due to changing organizational objectives or strategic direction or the results of monitoring the achievement of objectives. Typically, objectives are reviewed annually, but circumstances may require the objectives to be assessed more frequently.

When appropriate, objectives should consider the type of audit, for example, on-site versus remote and internal versus external. The audit function of an organization may provide many different audit services beyond management system audits. Process audits are becoming increasingly popular due to the value they add to the organization. An ever-expanding supply chain has stressed the need for greater supplier accountability.

About the author

J.P. Russell is the founder and managing director of eLearning provider QualityWBT Center for Education (www.qualitywbt.com). He is also an ASQ fellow, ASQ-certified quality auditor, member of the U.S. Technical Advisory Group (TAG) 302 for management system auditing, and member of the U.S. TAG for ISO technical committee 176. Russell is a recipient of the Paul Gauthier Award from the ASQ Audit Division and author of several ASQ Quality Press books about auditing, standards, and quality improvement.

The post Establishing Audit Program Objectives appeared first on The Auditor.

Risky Business: Why Auditors Need Liability Insurance

As an auditor you make a living by providing your professional opinion. No matter what industry you audit, it is your responsibility to evaluate businesses and determine if they follow the applicable standards. Regardless of what you decide, there may be long-term consequences for the business.

Let’s outline a couple of scenarios to illustrate how some of these consequences could affect your legal liability.

Example 1: They Pass the Audit

In the first scenario, your findings indicate that the business you are auditing is compliant with the laws and industry standards you are reviewing. Great! Except, down the line, it’s discovered that the business isn’t compliant, and they get hit with fines and fees.

In this situation, the business may feel that you missed something during the audit. They may claim you were negligent in your duties, and if you had performed your duties fully, they would have had time to fix the situation before being fined.

Whether you were or were not negligent is irrelevant in this situation. If the client feels you were, they may bring a lawsuit against you. As an independent auditor, paying your legal expenses alone can cost tens of thousands of dollars.

Example 2: They Don’t Pass Your Audit

In this scenario, the business you have audited will need to fix the issues you identified—a process that will take time, money, and manpower to implement.

If the business disputes your findings, or if they spend the money to fix the issues, only to find out later that your recommendations were unnecessary or done in error, they may sue you as a way to recover costs.

Again, the lawsuit itself is expensive, even if you aren’t found liable. However, if you are found liable, then you will also have to pay damages and other settlement costs, which may include the court costs of the business. As an independent auditor, you likely don’t have this kind of money on hand. Even if you do, can your business afford that kind of loss?

Beyond Professional Liability: The Insurance Coverages You Need

The above scenarios illustrate your need for a specific type of coverage—professional liability coverage. As an auditor, this type of coverage needs to be the backbone of any insurance policy you choose. It protects you against the cost of damages and claims that occur because of errors or omissions made while providing your professional services, as well as any negligent acts in this same capacity.

Although professional liability needs to be the foundation of your policy, there are additional coverages you should have. These are outlined below.

General Liability Coverage

Next to professional liability coverage, general liability is one of the foundational coverages you need for your insurance policy. This coverage protects you in the event of bodily injury or property damage claims.

For example, while performing an audit, you spill a chemical or other liquid. If someone were to slip and become injured on that spill, you could be held liable. Or you may accidentally damage an expensive piece of equipment, and the company wants you to pay for its repair or replacement.

One accident could even result in both types of claims. If you bumped into a piece of equipment and it knocked into or fell on an employee, injuring them and damaging the item, this single mistake could lead to both medical costs and property damage.

On their own, medical care (which may last for months) and property repairs are expensive, especially if a lawsuit becomes part of the equation. Together, they could be enough to lead you to bankruptcy.

However, having an insurance policy with enough general liability coverage could save you from paying these expenses out of your own pocket.

Personal and Advertising Injury Coverage

This type of coverage is usually a subset under general liability coverage, but for many policies, the “per offense” limits are separate from general liability “per occurrence” limits. The reason for this separation is the difference in how “injury” is defined for each coverage.

Injury, under personal and advertising coverage, requires intentional acts rather than simple negligence. Personal and advertising injury coverage protects you against seven specifically defined acts, including slander, libel, defamation, right to privacy violations, false arrest, copyright infringement, etc.

Because each of the covered acts has a specific legal meaning, it’s difficult to illustrate how this coverage may be applied in a claim. However, if you would like more information, including examples, this article about personal and advertising injury coverage from online insurance resource IMRI is highly informative.

Damage to Rented Premises Coverage

This coverage is a necessity if you rent office space. It protects you from the cost of property damages sustained if you accidentally cause a fire.

Although you may not think you are likely to start a fire, legal liability can apply in more situations than you might first assume.

For example, you probably own a smartphone. You’ve probably seen recent news reports about a certain model exploding and causing fires. Even if you don’t own this specific smartphone, it’s only the most recent incident to capture the media’s attention. The truth is, any smartphone could overheat and explode. If yours does so while in your rented space, as the phone’s owner, you could be held liable.

Or, maybe you smoke, and while on a break, you don’t realize your cigarette isn’t fully extinguished. Or your laptop short circuits. Or you forget to extinguish a candle you were burning.

There are a lot of ways you may unknowingly cause a fire. Because the cost of repairing a building from fire damage is expensive, you’ll want this protection.

Computer Network Security Coverage

Since much of your work is done on location for the business you are auditing, you most likely use a computer or other technology to perform your duties. While computers are useful, they are also vulnerable to cyber threats.

If your computer becomes a weak point through which the business’s network or security is compromised or infected by malicious software, this coverage is a necessity. Depending on the specific circumstances of the event, it can protect you against claims where electronic data is destroyed, deleted, corrupted, or stolen.

Don’t Spend a Fortune for the Coverage You Need

Assuming liability risk is an inherent part of your work as an auditor. However, you don’t have to risk your business to do your job. Getting the right insurance coverage, like those outlined in this article, is the first step. Getting them for an affordable price is the next.

If you’re interested in an insurance policy that offers competitive limits for all of these coverages at a price well below market value, check out the policy provided by Exemplar Global’s insurance partners:
Australia: Envirosure at www.envirosure.com.au
United States: Veracity Insurance Solutions at www.paceinsure.com

The post Risky Business: Why Auditors Need Liability Insurance appeared first on The Auditor.

Let’s Get Back to Basics: The Challenges of Being an Auditor

With more than 25 years of audit experience, director of successful auditing and training business Global Quality Assurance, David Purslow has seen it all. In a no-holds-barred interview with The Auditor, Purslow gives insight into some key issues facing auditors and offers a simple solution for improvement.

Purslow enjoys the diversity of auditing and the process of helping businesses improve. However, not everyone shares the same experience of auditing. In this fast-paced environment, auditors can face pressures from many sources, including auditees who want the job complete within tight deadlines or certification bodies pushing auditors to take on more than they can handle. According to Purslow, challenges such as these can easily pile up, leaving the auditor with a backlog of work or pushed to the point of burnout—particularly for contract auditors.

“In Australia, we work with a lot of contract-based auditors,” Purslow says. “This can breed the type of auditor who has a money focus, so they will take on every job that is available to them. That is where the issue of burnout can arise. They are trying to grow their business, but at what cost?

“All of a sudden we see people getting burnt out because they are doing too much.

“There are also a lot of young auditors who think they are invincible. They try to get as many audit scopes as they can and try to do as much as they can. You may have auditors who are quite happy working at a certain level within a certain scope. There is nothing wrong with that. There is always going to be a variance of auditor skills and knowledge across the industry.

“As an auditor you sometimes need to step back and have a good look at yourself and say there is only so much you can do, and be comfortable with what you do well.

“You need to manage yourself as an auditor, and as a business you need to manage your auditors to prevent those things from happening.”

Purslow postulates the current financial climate and varying audit standards to be an underlying cause of this pressure. When organizations tighten their budgets, the hunt is on to find the lowest-priced audit. As we all know, the cheapest price doesn’t always guarantee the best product or service, which raises the concern of ineffective auditing.

“If you start looking at the quality of the jobs being done, there is a big divide between the quality of the job and the actual meaningfulness of the reports that are generated,” Purslow says. “We don’t want an industry full of ‘tick and flick’ audits; we want people who write meaningful outcomes in their reports. We don’t want auditors to be subjective and negative in their approach to auditing where they forget to look at the process or become document focused. These aren’t good attributes of an auditor.

“For an auditor to do the job properly, he or she needs the time to actually do the job to the scope that has been issued. Sometimes that doesn’t happen because you have organizations that are so keen to keep clients, they cut the cost. Therefore, the expectation on the auditor to complete this body of work is increased.”

The notion of auditor competence is intertwined with these issues, which Purslow believes isn’t always the fault of the auditor.

“We talk a lot about auditor competence; the industry has been commenting on it,” he explains. “It always seems to be the auditors who are targeted for the inconsistency of auditing. But when we drill down to the root causes, you have to look at organizational cultures—the people who are running the scheme, the business, or the certification body and the auditors themselves.

“In particular, [you need to look at] issues like audit duration, number of standards being audited, expectations, audit cost, auditee, audit tools, audit team (if available), and location. All elements should be addressed by good audit planning.

“It’s about having the time and resources to put in to developing staff.”

Purslow offers the following tips to improve the standard of auditing:

  • Allow enough time. The extent to which a service will be provided when promised and how long it takes to consistently perform the service each and every time. You need to be able to complete the project or audit assignment in the time you have been given. If you don’t feel the timeframe is adequate, you need to be upfront and say it’s not going to meet the scope and objective of the audit. If you have a very heavy audit schedule, you need to make time to produce your reports and deliver your outcomes on time, in full.
  • Consistency. The extent to which audits are delivered in the same fashion for every client, every standard, every time, relevant to the scope. You can’t have a bad day.
  • Honesty and integrity. The belief that things that are worth doing are worth doing well is a strong value that we should all aim to project. Integrity of the process and trust underpin the core philosophy of auditing. We choose this career path!
  • Accuracy. The extent to which the audit is performed right the first time and fully compliant to the standard we audit. Good audit planning should ensure that competency is held prior to audit delivery and enough time to complete the audit fully.
  • Competence. The relevant skills, knowledge, and expertise of auditors to complete the audits to the correct standard required. Auditing is a profession; it requires dedication, commitment, and the ability to keep learning and improving your skills and knowledge. Make time to do this!

So what is the solution to all of these challenges? Purslow suggests going back to the fundamentals.

“We need more consistency so we can get some traction and growth in the industry,” he says. “We need to go back to the fundamentals about why auditing is important and why process-based auditing is effective.

“We don’t want auditors to be checklist auditors. Ending up with 60 percent of an audit based on documentation doesn’t add value. We want auditors to be in processes, watching processes, understanding processes, and determining if they are meeting requirements.

“We choose to work in this sector, we choose to be auditors—we should all look at improving our industry, including standard owners, regulators, influencers, CABs, auditors, and clients alike. We should not accept substandard practices and planning, but agree on meaningful, achievable outcomes. To this end we all have a part to play, so let’s begin.

“Please do not perceive my passion for our industry with arrogance, as this was never the intent!”

The post Let’s Get Back to Basics: The Challenges of Being an Auditor appeared first on The Auditor.

A Look at the Evolution of Auditing in North America

Robert T. Ware has been in the auditing profession since 1974—before the term “audit” existed and when MIL-Q-9858 military standard audits were the norm. Speaking to The Auditor, Ware shares his opinions on the changes and challenges of completing manufacturing audits in North America, and the value of internal audit teams.

“Back when I started they called it an assessment, they didn’t like the punishing word of audit,” Ware reflects. “The word ‘audit’ came out in 1987 when ISO 9000 came into effect, and they called it internal audits.

“I remember a lot of people were upset about that word because it means pass/fail, where assessment means continual improvement.”

Ware spent the first 13 years of his career working in reliability, before making the transition to quality assurance. In his current role, Ware works for Zoll Medical looking after quality assurance and regulatory affairs/reliability for the resuscitation division.

“I lead a team of engineers that investigates all failures, return goods authorizations, and returned material,” Ware explains. “I am responsible for design and development, through to manufacturing, distribution, and post market surveillance.”

Having worked in the manufacturing industry for most of his auditing career, Ware is saddened to see a lot of businesses move their manufacturing offshore.

“In the 1960s, manufacturing was booming,” he says. “Forty-three years later, I have to look hard to find a company that manufactures here. Even Zoll, we do assembly and testing, and China makes all of our boards. Big manufacturing firms like Intel, Texas Instruments, Digital Equipment Corporation, and J&J, they all do the same thing.”

These changes present challenges for auditors who have to work on an international scale to get the information they need.

“We just have to keep coping,” Ware says. “We do audits over the phone. I have spreadsheets and word files that I send out. The auditee will send me back the information and then we look at the information and evaluate it, analyze it, and get results.

“We do a lot of virtual audits. We can do an audit over the telephone or by Skype. It has evolved because everything is global.”

Throughout his career, Ware has worked with standards such as TL 9000, ISO/TS 16949, and ISO 14000. Ware also served on the U.S. TAG to ISO/TC 176 from 1987 to 2006, and he worked to revise ISO 9001 in 1987, 1994, and 2000. Through his experiences, Ware has learned how industries and standards work, and has noticed some key similarities.

“Once you audit [different industries], the basic processes and products are the same in terms of how you would manufacture them,” Ware explains. “You just have to understand the process and audits to help you break it down.”

Having worked in internal audit teams for most of his career, Ware sees great benefit in the internal audit function. However, he fears young executives today don’t see the same value.

“Back in the 1970s and 1980s we had big audit teams,” Ware says. “Now I see a lot of companies outsource their audit teams. In reality, if I didn’t know anything about an operation and went in and did an audit versus working there—working there you are more of a Tasmanian devil. You can do some really good digging. It’s not like it used to be, but you have to make the best of it.”

However, Ware uses management review as an opportunity to reinforce the value of an internal audit team.

“When I do a management review and they start discussing issues and problems, I love to bring them back to people and products,” Ware says. “These are the main parts of the business.

“I think the people who work in a company would find more value and would feel empowered. Why not take someone from the manufacturing line and make them an auditor? Especially women; they do a great job because of their intuitive nature. I think it’s a lost art.”


Ware’s Tips for Auditors to Improve Their Craft:

  • Do your preparation. Never do anything blind. The more information you know, the better you can question.
  • Keep your eyes open. Just like Yogi Bear said: You can always find something if you look. Just by observing, you could not even audit and see: Is that how they do it? Are they sure they want to do that?
  • Just listen. The only time I talk during an audit is to ask a question. You have to let the person you are auditing do all the talking.

The post A Look at the Evolution of Auditing in North America appeared first on The Auditor.