Economic, political and societal pressures have always influenced the evolution of audit and inspection; albeit along different paths.
Today, these same pressures continue to shape auditing and inspection expectations; but something important has changed. For the first time, these expectations share a common theme – the effective monitoring and control of operational risk.
In this article, I outline how the continued convergence of audit and inspection is likely to play out, and more importantly, how it will impact on you and your organisation. Are you prepared?
Modern audit history
1800’s During this period audit’s main purpose was to check the compliance of financial accounts.
1900’s It was toward the end of the industrial revolution audit’s role expanded to include the detection of fraud, technical errors and errors of principle.
It was also during this period, that statistical sampling was introduced for the first time. Its purpose, to help organisations manage the increasing size and complexity of the audit task.
As the size and complexity of businesses continued to grow during the mid-1900’s audit’s role started to move away from checking process outcomes, and more towards the “verification of company systems and controls”. (Davies 1996)
The next phase in audit’s evolution occurred during the 1980’s; risk-based auditing (RBA). Its objective, to inject further rigor and efficiency into the auditing process by focusing an organisation’s limited resources on the areas of highest risk exposure. (Turley & Cooper, 1991).
2000’s The most recent phase in audit’s evolution can be directly attributed to the fallout from the Global Financial Crisis (GFC) of the early 2000’s; and a series of major financial scandals that took place around the same time i.e. Sunbeam, Waste Management, Xerox, Adelphia, Enron, WorldCom, HIH, One-Tel, etc.
Today, while the focus for audit is still on risk, the emphasis has turned to development of sophisticated software analytics that can measure and help control an organisation’s operational risk levels within its risk appetite.
Modern inspection history
1800’s Inspection’s modern history also starts during the late 1800’s. It was during this period of unprecedented growth and innovation that manufacturers began to use formal inspection processes to better control the quality of their products.
1900’s It was during the early 1900’s that statistical methods were used for the first time to improve inspection effectiveness and efficiency. Many of these methods were developed by the “father of quality control” Walter A. Shewhart. (Shewhart 1939)
In the mid 1940’s industry experts like Deming, Dodge, Juran and Roming started to move the focus of inspection away from end-products, and more towards the production process itself i.e. statistical process control (SPC).
2000’s Unlike audit, it wasn’t until the early 2000’s that risk-based inspection (RBI) came onto the scene in a big way. It was the American Petroleum Institute (API) that was the first to incorporate these methods into plant condition monitoring and maintenance guidelines. (API RP 580)
Since the early 2000’s, RBI has become recognized, and generally accepted, as good engineering practice by all companies operating in the oil and chemical industry. A view that is fast being shared by other industry sectors i.e. energy, water, construction, IT, etc.
Today, the uptake of risk-based inspection is being driven by the ongoing development of advanced software systems, and the inclusion of “risk-based thinking” into to the world’s most popular quality management standard ISO 9001:2015.
There is little doubt ongoing developments in advanced software analytics will soon deliver the next, and possibly final, stage in the evolution and convergence of audit and inspection. The creation of a truly integrated risk assurance system (IRA). Refer to Figure 1.
Figure 1: Convergence of Audit and Inspection
So what might this new IRA system of the future look like? And more importantly, how will it impact on existing organisational structures, roles and responsibilities?
Of course, no one knows the answers to these questions; but here’s my prediction.
Integrated planning and scheduling In the not too distant future, a common IRA system will be used to plan and schedule all organisation audits and inspections.
Centralised planning and scheduling will help eliminate the costly over and under auditing and inspection that takes place within many large organisations.
Real-time analysis and reporting The IRA system of the future will provide a common platform for the automatic analysis and reporting of audit and inspection data.
This will include an assessment of whether the system, process or third-party being assessed has exceeded the organisation’s risk appetite and if so, what actions are needed to mitigate and strengthen its risk controls.
This highly integrated to risk analysis will deliver substantial benefits compared to the traditional siloed approach, including;
1. Significant reductions in the amount of time and effort spent interpreting and reporting audit and inspection outcomes organisation-wide,
2. Improved capacity to identify and mitigate unacceptable operational risk levels before they adversely impact on organisation goals and objectives.
Objective performance evaluation The IRA system of the future will also assign each system, process and third-party an objective risk performance rating (Excellent, Good or Poor) based on its capacity to consistently achieve an organisation’s risk appetite over consecutive audits and inspections.
Performance ratings will be aggregated and transparently reported organisation-wide. Refer to Figure 2.
Figure 2: Example of Integrated Risk Assurance System Reporting
Key benefits of this highly objective approach to risk performance evaluation will include;
1. Consistent assessment and benchmarking of process, system and third-party risk performance (exposure) against an organisation’s risk appetite,
2. Continuous performance improvement by linking employee and third-party remuneration to their risk ratings, and directing limited improvement resources where they will generate most benefit i.e. areas of highest risk.
Audit and inspection optimisation The IRA system of the future will also automatically strike the optimum balance between an organisation’s operational risk exposure, and its auditing and inspection requirements.
In other words, systems, processes and third-parties with a Poor performance-rating will be audited or inspected at a higher level of rigor (sample-size and frequency) than those with a Good or Excellent performance-rating.
Key benefits of this dynamic, risk-based approach to auditing and inspection will include:
1. More effective and efficient identification, mitigation and control of operational risks,
2. Significant reduction in total audit and inspection costs,
3. Conformance to the world-best-practice “process and risk-based thinking” requirements outlined in ISO 9001:2015.
As outlined above, the IRA system of the future will significantly improve how organisations traditionally monitor, report and control their operational risks.
But how will the implementation of this system impact on traditional organisational structures, roles and responsibilities? And more importantly, how will it affect you?
Here is my take on how this might play out across each level of an organisation.
Board and executive level: The IRA system of the future is going to be a major success factor for many organisations. Accordingly, the responsibility for its effective and efficient operation should be assigned to someone at the executive level of an organisation. So, to whom should it fall?
In my opinion, there is only one choice – the Chief Risk Officer (CRO).
Just as a CFO is employed to monitor and report organisational revenues and expenditures against agreed targets to the Board and senior management group, the same should apply the CRO. But instead of finances, their role will include monitoring and reporting operational risk levels against an organisation’s risk appetite.
Other CFO responsibilities will include ensuring board-members, managers, employees and third-parties are trained and supported in the consistent application of the IRA system.
So what will the IRA system of the future mean for internal audit?
There is little doubt there will always be a need for targeted, independent internal audits; especially at Board and senior-management levels. Nonetheless, the introduction of an IRA system that uses existing audit and inspection data to objectively assess operational risk levels, is likely to see this need reduce.
It may even come to pass that internal audit will report directly to the CRO.
Systems level: The IRA system of the future is likely to have a similar impact at the systems level of an organisation.
A lot of the auditing and inspection that is managed from this level of an organisation, is carried out because of unavailable or unreliable audit and inspection data collected at process level e.g. quality, safety, security, environment, etc. The IRA system of the future will correct this situation.
Just how many of these auditing processes will become redundant, or reduced in scale, following the implementation of an IRA system, will largely depend on the level of duplication currently taking place.
At the very least, the introduction of the IRA system of the future will release valuable resources from this level of an organisation. Resources that can be more productively directed at working with other stakeholders to identify and correct the causes of unacceptable risk performance.
Process level: At process level the impact of the IRA system of the future will primarily be driven by the IRA’s capacity to objectively measure and benchmark process and third-party risk performance against the organisation’s risk appetite.
Without measurement, there cannot be understanding. And without understanding, there cannot be control. And without control, there cannot be improvement. (H. James Harrington 1990)
Continuous improvement will be further encouraged by linking employee and third-party remuneration with their respective risk performance ratings. A win-win for everyone.
Importantly, the ultimate success factor for the IRA system of the future won’t be its smart analytics and reporting capability. Instead, it will all come down to the Board’s and senior-management group’s ongoing commitment and support for the creation of a new integrated risk assurance paradigm.
Changing economic, political, societal and technological factors continue to influence the evolution and convergence of audit and inspection.
There is little doubt the next exciting phase in this convergence will see the development of software systems that can objectively assess and benchmark operational risk levels organisation wide.
Organisational benefits of the IRA system of the future will be profound i.e. increased organisation value, reduced operating costs, improved stakeholder assurance, improved employee morale, etc.
Just as profound will be impacts the system will have on traditional organisation structures, roles and responsibilities; driven by its capacity to hold internal and external stakeholders more accountable for their risk control performance.
No one knows exactly when and how this next exciting phase in the evolution and convergence in audit and inspection will take place. But one thing is for certain. Organisations that start preparing now, will be best placed to benefit the most.
If you’d like more information on how your organisation’s can transform its current audit and inspection processes into a powerful IRA system without the needs to make major changes, visit us at www.compliance-master.com.