Hardening by Auditing: A Handbook for Measurably and Immediately Improving the Security Management of Any Organization

Razzetti, Eugene A.

ISBN 10: 1496969995
ISBN 13: 9781496969996
Published by AuthorHouse, 2015
New, soft cover

From Lucky's Textbooks, Dallas, TX, U.S.A.

AbeBooks Seller since 22 July 2022


Synopsis:

Developing an internal auditing capability within an organization is as important to the continued success of that organization as any other initiative or process. An "audit" is a systematic, independent, and documented process for obtaining evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled. "Internal audits" are audits conducted by, or on behalf of, the organization itself for internal purposes, and can form the basis of the organization's self-declaration of conformity or compliance. A well-planned, effective internal auditing program should consider the relative importance of the processes and areas to be audited. Don't waste time on the unimportant. The success of an organization is the sum of the effectiveness of Management authority, responsibility, and accountability. They are, in turn, the sum of the manner in which Management deals with the findings of the internal audits. The premise of this book and my reason for creating it is simple:

1. Our organizations (large and small, public and private) and, in fact, our lives are in danger from both physical and cyber-attacks, because we remain incredibly uneducated, unstructured, and vulnerable when it comes to threats to our security.

2. Organizational security can be upgraded profoundly through a well-developed program of internal and outside audits.

3. Similar or co-located organizations can combine resources synergistically. That is, the whole of the effort will be greater than the sum of its parts.

I have kept this work as compact as possible, so as to minimize reading time and maximize productivity. I write for no-nonsense managers with big responsibilities and limited resources. I refer often to four excellent ISO International Standards. They offer guidance for structuring effective management programs rapidly, regardless of whether or not organizations desire certification by accreditation bodies.

I invite you to use my approach to Risk Management, as explained in the pages that follow. You will find it an effective and uncomplicated method for developing and monitoring your strategic plans. Developing a security "mindset", using the checklists provided, and taking action on your findings will improve your security posture, immediately and continuously. Good luck, and now let's get to work.

Excerpt (© reprinted by permission; all rights reserved):

Hardening by Auditing

A Handbook for Measurably and Immediately Improving the Security Management of Any Organization

By Eugene A. Razzetti

AuthorHouse

Copyright © 2015 Eugene A. Razzetti
All rights reserved.
ISBN: 978-1-4969-6999-6

Contents

Section One: Internal Auditing in General
Chapter One: Some Thoughts about Internal Auditing Before We Discuss Security
Chapter Two: Benchmarking, Dashboards, Metrics, and Measures of Effectiveness
Chapter Three: Risk Management
Chapter Four: Hardening by Auditing
Chapter Five: Synergy vs. Innovation
Section Two: Organizational Security Management
Chapter Six: Contingency Planning
Chapter Seven: Business Impact Analysis
Chapter Eight: Business Continuity Management
Chapter Nine: Recovery and Restoration
Appendix
About the Author


CHAPTER 1

Some Thoughts about Internal Auditing Before We Discuss Security


Management consultants (like me) routinely help to set up or reorganize companies in order to help them to reach their full potential. With a little more effort, some of us give them the ongoing capability to effectively audit themselves, and to improve themselves on a continuing basis.


Points to Remember

[check] An "audit" is a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled. "Internal audits" are audits conducted by, or on behalf of, the organization itself for internal purposes, and can form the basis of the organization's self-declaration of conformity (compliance).

[check] Developing an internal (self) auditing capability within an organization is vital to the continued success of that organization.

[check] A well-planned, effective, internal auditing program should consider the relative importance of the processes and areas to be audited.

[check] The success of an organization is the sum of the effectiveness of management authority, responsibility, and accountability. They are, in turn, the sum of the manner in which management deals with the findings of the internal audits.


Management consultants who can audit processes and train organizations to audit themselves can be heroes to their clients, as well as permanent "value-adds". Audits provide practical, impartial feedback, and can save large amounts of time and money. Structured, proven management programs such as ISO 9000, 14000, 27000, and 28000 accentuate the value of effective internal auditing of organizational processes, toward a goal of continuous improvement. An organization must be able to identify and correct its own shortcomings, without relying on outsiders. Developing an internal auditing capability within a client organization can be as important to the continued success of that organization as the consulting engagement itself. More than ever, organizations must satisfy themselves and their stakeholders that they are as secure as possible from threat and attack. Moreover, they must realize that security can be more important than profitability.

Years ago, one of my many and often-frustrated mentors had a sign in his office that read: "Expect What You Inspect". That meant, as he "patiently" explained: "If you check on something routinely, before long you will be happy with what you see. If you hardly ever check it, you'll likely be unhappy when finally forced not only to look at it, but also to fix it, and if you inspect frequently, the area or function eventually operates well and continues to improve". Outside auditors audit against known standards; internal auditors should do the same.

Looking critically at internal operations and processes and comparing them with approved standards is the basis of internal auditing. An organization can develop its own internal auditing capability, or (you guessed it) can hire a management consultant. Either way, an effective program of internal auditing provides a comprehensive, self-sustaining evaluation and improvement capability for an organization. Its structure and administration can be inexpensive, but its contribution can be priceless to the client, as well as satisfying (and lucrative) to the consultant.

Organizations don't always do all the work required to establish effective internal auditing programs or adequately qualify internal auditors. As a result, audits tend to be perfunctory, biased, or sporadic. More important, critical audit findings may not be declared (and corrective actions not instituted). Instead of executing a meaningful measure of organizational effectiveness, unqualified and unmotivated auditors only waste time, annoy busy people, and turn everyone off to the potential benefits of internal auditing.


Auditing to "Approved Standards"

"Quality," in its most simplistic definition, is conformance with standards. Approved process standards are vital to the continuous improvement and competitiveness of an organization. They form the criteria with which meaningful self-assessment can be made. The ever-changing global marketplace has placed great emphasis on the importance of quality in all goods and services.


Internal Auditing

The best way to describe internal auditing is with two definitions from the ISO 9000 Standard.

* An "audit" is a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.

* "Internal audits" are audits conducted by, or on behalf of, the organization (client) itself for internal purposes, and can form the basis of the organization's self-declaration of conformity (compliance).


Properly planned and well-implemented internal audits provide management with an ongoing, credible, and structured measure of how well the organization is achieving its goals and objectives.


What does an Internal Audit look like?

Here are some characteristics of an effective internal audit program. I'll start with the obligatory acronym - that way we'll get it over with:

"SMART": Scheduled – Measurable – Accurate – Repeatable – Timely.


There, that wasn't so bad.

The first step is to define and schedule every "audit-able" process for an audit at least once per year. "Surprise" audits are marginally effective, upset auditees, and reinforce a "pass-fail" mindset. Processes compared against approved standards (pounds of waste produced, finished products per hour, etc.) are measurable. Checklists are important for audit structure and repeatability. Audit findings are therefore accurate. Findings generated during the audit must be repeatable. That is, a different auditor, auditing to the same standard, should come up with the same findings.

Last, the audit should be timely. Discovering a problem that occurred six months ago, or has been occurring regularly for the last six months is not as good as finding it early. As a manager, you already knew that. Sorry!

Internal auditors should be independent of the processes being audited, and should never audit their own work. Some of an auditor's (or a consultant's) most challenging moments can be trying to assure middle managers that their jobs will not be jeopardized or forfeit as a result of audit findings. To do this with genuine credibility requires real, continuing, and committed support from Top Management. A commitment to continual improvement cannot exist in an atmosphere of retribution or retaliation. It just drives the troops deeper into the foxholes.

The internal auditing program (especially as it involves organizational security) must be organization-specific, to ensure compatibility with the other management systems in the organization. A "cookie-cutter" or plagiarized system will achieve only limited success at best. For this reason, international quality standards, like the ISO Standards, provide only "guidelines," and leave the client organization to fill in specifics. Additionally, a well-planned, effective, internal auditing program should consider the relative importance of the processes and areas to be audited. That is, do first things first.

The first thing an experienced auditor does is review the results of the last audit. Specifically:

• When was the last audit?

• What were the findings?

• Were preventive or corrective actions developed and implemented?

• Were the preventive or corrective actions effective?


This says a great deal about how seriously the organization takes its auditing function.


What benefits can Internal Auditing bring to the organization?

Summarized below are key areas of management that can be improved by an effective internal auditing program. Look through these, and as you do, please think of how they apply to your organization.


Auditing Continuous Improvement

The ISO International Management Standards require Management to use the findings from internal audits to develop and implement improvements to the existing processes on a continuous basis. The premise is that every process can be improved, and that no process is ever "finished" or "completed." Auditing of processes (depending on the capability of the auditor) will nearly always result in the identification of deficiencies and recommendations for improvement. Management can constantly improve its operations, or it can hear about shortcomings from the customers.


Auditing Process Measurement and Confirmation

Management can use findings from internal audits for measurement, analyses, and improvement of existing processes; and to ensure conformance to established standards, contract requirements, regulatory requirements, as well as achievement of top management goals and objectives (e.g., reducing hazardous waste). Modern quality management system auditing goes beyond the earlier quality control or quality assurance expectations, which focused on adherence to customer contract specifications through individual disciplines (e.g. purchasing, inventory control, statistical techniques, etc.) rather than overall processes. Well-constructed internal audits can measure conformance to customer requirements, but they can also check customer communication and feedback (see below).


Auditing Strategic Planning

Executing strategic plans requires taking broad plans and policies and translating them into discrete, measurable components. Internal auditing of the Strategic Plan evaluates the organization's progress in meeting those components. Policies with vague goals and objectives, or unquantifiable performance measurements, become "paper" policies, and lead to personnel discouragement, customer dissatisfaction, and organizational failure.


Auditing the Raising of Problems to Management Attention

Modern internal auditing assesses the day-to-day effectiveness of organizations in measurable terms (delivery dates, rejects, recycled material, unit costs, etc.). It spotlights specific practices or procedures which may require increased management attention. Human resources management audits evaluate personnel structure in terms of qualifications, training, numbers, and functions versus needs. Internal auditing helps to evaluate facilities (e.g. floor space, computer systems/LAN, heavy machinery, etc.) in terms of adequacy and conformance. All this is meaningless, however, if audit findings do not receive management attention and actionable corrections are not generated. There must be (as the ISO Standards require) structured management review, corrective action, feedback, follow-up, and accountability processes.


Summary

The success of an organization is the sum of the effectiveness of management authority, responsibility, and accountability. They are, in turn, the sum of the manner in which management deals with the findings of the internal audits.

A management consultant whose strengths lie not only in the application of structured skills, but in objectivity, can effectively audit an organization, and also develop a team of auditors to conduct scheduled internal audits routinely, after he/she has gone on to other challenges.

I believe that providing an organization with an effective self-auditing program is my best contribution

CHAPTER 2

Benchmarking, Dashboards, Metrics, and Measures of Effectiveness


Benchmarking

We can't discuss performance measurement in general or dashboards in particular without first discussing benchmarking. That is, determining and quantifying the expected performance from an operation or a process, in order to compare it to actual performance. Benchmarking identifies the amount of improvement possible. Once completed, an accurate benchmarking process allows Management to assess those operations or processes on a continuing basis, in order to identify areas for improvement. Figure 2-1 shows the relationship between expected and actual performance. The "gap" may be strategic, tactical, or operational, depending on the subject of the benchmarking process.

Internal benchmarking examines an organization's own activities, those taking place inside its own walls. Areas always in need of internal benchmarking include (but are not limited to) facilities, manufacturing and material handling processes, administration, training, waste, work in progress, and reject rates.

External benchmarking can include customer satisfaction, competitors' products, recommendations from external consultants and auditors, public databases, and the annual reports of other companies.

1. Benchmarking and Gap Analysis – Asking good questions and acting on the answers

Benchmarking and gap analysis can be described as seeking out, identifying, and attempting to emulate and improve on established standards, contract requirements, or other best practices. Auditors use them to compare actual organizational performance with established standards.

Internal benchmarking examines activities taking place inside the organization's walls, such as manufacturing, training, waste, or work in progress. External benchmarking can include customer satisfaction (on-time delivery, reliability/defect reports, etc.), competitors' products, ISO 9000, ISO 14000, and other structured certification standards, as well as tradeshows, seminars, and workshops.

CEOs will not know the results of their decisions or changes without an effective benchmarking strategy. Internal audits can help determine how an organization is performing relative to how it should (i.e., the gap). Then, state the reasons for the gaps and the required corrective actions.

2. Metrics and Measures of Effectiveness

It has been said that what can't be measured can't be managed. CEOs must have the ability to subjectively and objectively quantify the success or failure of their operations, products, or services. They must be able to measure the components of those operations and compare their findings with established standards.

With the right mindset and the right metrics, CEOs and managers can perform the following:

• Optimally plan an entire throughput process, based on missions, load locations, and available resources

• Establish completion goals (pieces/day, number of days required, required deadlines)

• Evaluate operations in progress, and assess the ability of assigned resources to meet the established goals.


Once the optimal metrics and measures of effectiveness have been identified, CEOs and managers can employ them to assess all areas of operations, in order to meaningfully quantify:

• Decision making processes

• Intelligence collection

• Risk, vulnerability, and the allocation of limited resources

• Optimal reporting procedures

• Plotting and prediction procedures

• Alternative courses of action.


The CEO's Dashboard

As a military analyst, I spent some time developing training packages and spreadsheet models for potential port commanders in places like Kuwait, trying to establish metrics and measures of effectiveness that would resemble, as closely as possible, a "dashboard" for their operations. The goal was, obviously, to increase operational efficiency and minimize exposure to danger in terms of time spent and personnel required in dangerous places or situations. Dashboards provide drivers with vital information (e.g., fuel level, coolant temperature), immediate warning (e.g., red lights), and control (various dials and switches). Metrics and measures of effectiveness, often in the form of a spreadsheet model, provided those commanders with a dashboard equivalent.

As warfighters must have the ability to objectively measure the success or failure of their operations in a timely manner, so must CEOs and program managers be able to measure (or quantify) the potential profit or loss from intended operations or initiatives.

Metrics can be either subjective (i.e., conclusions based on observations, experience, and judgment) or objective (collected data). The tables that follow describe core subjective and objective metrics used to measure the potential effectiveness of business operations.


Subjective Metrics

Table 2-1 lists representative subjective metrics for quantifying the impact of operations or processes.


Objective Metrics

Table 2-2 lists some representative objective metrics for quantifying operations or processes. These metrics are capable of quantification and not as susceptible to interpretation, license, or challenge as the subjective metrics in table 2-1.

The development and promulgation of goals and objectives, as described earlier, are essential for an organization's ultimate success, and the ultimate success of the goals and objectives depends on the appropriateness and comprehensiveness of the metrics and measures of effectiveness with which they are measured.



(Continues...)
Excerpted from Hardening by Auditing by Eugene A. Razzetti. Copyright © 2015 Eugene A. Razzetti. Excerpted by permission of AuthorHouse.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
