The ‘Audit Imperatives’ Series
I am passionate about management systems audit. In an audit career spanning over 30 years I have seen a lot of good (and some extremely poor) audit practice. I have met excellent auditors as well as individuals who would clearly have been better suited to an alternative career. I have encountered audit clients who have fully embraced the audit process, seeing it as a means to move their organizations forward and others who regard management systems audit as little more than an operational overhead. In short, I have been fortunate enough to experience management systems audit at its very best and also at its worst.
This series of articles provides an opportunity for me to share my experiences as well as my thoughts as to the current state of the audit profession. More importantly, it also allows me to convey what I believe we must do to get to a place where the contribution auditors make generally, and internal auditors make in particular, to organisations, is properly recognised and appreciated.
Over the coming weeks we will examine the challenges and frustrations experienced by internal auditors, as well as suggesting how these may be overcome. The content of these articles will be shaped not just by our current understanding of best internal audit practice but will additionally include new insight drawn from the revised version of ISO 19011 which is currently under development.
When it is released towards the middle of next year, ISO 19011:2018 will ‘raise the bar’ for internal auditors significantly, with the inclusion of a new, seventh audit principle centred on risk based thinking, as well as a host of new expected internal auditor competencies designed to move the profession into 21st century.
So why are these articles called the ‘Audit Imperatives?’ The reason is simple. If something is imperative it cannot be ignored, it must be addressed. The six imperatives identified below are areas which I believe auditors must focus attention on if they are going to audit effectively. It is not a case of auditors needing to understand one or other of these imperatives, they must display competence in them all if they are to be properly equipped to carry out their audit roles.
The Six Audit Imperatives
The Cultural Imperative
Both the national and the local organisational culture that an auditor operates in can significant impact their audit approach, and there are times when the accepted cultural can place substantive barriers in the path of effective internal audit. In such instances, the internal auditor must continue to carry out their duty whilst at the same time still respecting cultural norms.
The Governance Imperative
The internal auditor is ideally positioned to evaluate organisational governance on behalf of the organisation’s stakeholders. They should seek answer to the key questions, ‘is management intent defined?’ and ‘is management intent fit for purpose?’ If the internal auditor determines that organisational governance is failing they need to be brave enough to take action.
The Assurance Imperative
Most organisations employ internal auditors to provide them with ‘assurance’; assurance that their legal requirements are being met, that their stakeholders needs and expectations are being fulfilled and that their management systems are operating efficiently and effectively. Internal auditors need to understand the types and sources of information that allow them to confirm both conformity and compliance, and should employ best practice audit techniques for obtaining such evidence.
The Improvement Imperative
Internal auditors, as a result of working in an organisation day in, day out, are ideally placed to both identify and drive through improvement. All too often however their remit is constrained to providing assurance alone. Here we will examine how the internal auditor can add value to an organisation if audit criteria are extended beyond assurance and into the realms of improvement.
The Context Imperative
It is essential for an organisation’s survival that it understands the business context in which it is operating. Internal auditors have a key role in this. Not only must they ensure that the organisation is clear as to the internal and external issues it faces and the needs and expectations of their various stakeholder groups, but they must also confirm this knowledge is being acted upon. If they do not and the business’s view of its environment is misinformed, the consequences can be disastrous.
The Leadership Imperative
Internal auditor must act as organisational leaders, individuals who have the ability to drive through change. Simply identifying risks, issues and opportunities for improvement is not sufficient if the organisation then fails to act upon this. Auditors must be able to challenge top management if they refuse to move the organization forwards. Those in authority at the most senior levels must be persuaded that things have to be done differently in the future.
Each of these articles will explore a different Imperative in turn. The first which we will consider is the Cultural Imperative, coming soon!
WHO IS RICHARD GREEN?
Richard Green, Managing Director
Kingsford Consultancy Services Limited
Richard Green is the Founder and Managing Director of Kingsford Consultancy Services (KCS) Limited, an organisation which specialises in the provision of management system consultancy, training and audit related services to businesses of all sizes, both within the UK and overseas.
Richard previously served as a member of the Chartered Quality Institute’s (CQI’s) Senior Management Team prior to leaving to form his own organisation. With a remit encompassing Corporate Partners, Member Services, Special Interest Groups and the global branch network, he also provided the technical lead for both the CQI and IRCA brands.
Richard continues to supply specialist services to the CQI. He retains the Chair of the CQI Standards Panel and represents the CQI on UK and international committees redrafting ISO Management System and Audit Standards. In 2017 Richard was one of the judges at the inaugural CQI International Quality Awards, a role he will return to in 2018 when he will act as the Head judge for the newly created ‘IRCA Certificated Auditor of the Year’ award.
Prior to joining the CQI, Richard held a variety of senior quality management, facilities management, contract management and IT service management positions, in both the UK public and private sectors.
He is a Chartered Quality Practitioner, a Chartered IT Practitioner, a Principal Quality Management System (QMS) Auditor and a PRINCE2 Project Management Practitioner.