ASQ CQA – 4. Audit Program Management and Business Applications Part 4

  1. 4A7 Best Practices

Coming to the next topic, which is best practices. How do we deal with best practices or lessons learned? If we look at ISO 19011:2018 and at its requirements related to best practices, there is one requirement which says that the individual managing the audit program, which is the audit program manager, should consider, where appropriate, communicating the audit results and best practices to other areas of the organization, and the implications for other processes. So what the standard is looking for is to think beyond a particular audit. Don’t just focus on a particular audit; think beyond that, about how the findings from a particular audit could be used in other processes as well.

And when I say findings, that includes best practices as well. So if during the audit you find some best practices being followed in a particular department, discipline or section, how do you use those best practices in other areas, in other parts of the organization? This is also something which needs to be considered by the audit program manager. Now, what are best practices? Best practices are those methods which produce superior results. This means going above and beyond the basic minimum requirement.

So if some part of the organization is doing something in a different way which is producing better results, producing fewer defectives, producing things faster, then consider those processes as best practices. And as an audit program manager, see how you could use these best practices in other parts of the organization. When talking about best practices, best practices are also called strengths. In some organizations these are considered as strengths.

So the auditor is not only required to find nonconformities; the auditor is also required to find the strengths. What are the best practices, what good things are happening, what are the strengths? Now, one common mistake which auditors make is considering a normal thing as a strength. If the organization requires you to file the papers properly, then filing papers properly is not a strength. In many audits I’ve seen such things being mentioned as a strength, that this particular discipline, this particular group, is filing their papers properly.

So when considering best practices, think of something which is above and beyond the normal practice. Another term which is associated with best practices is benchmarking. What we do in benchmarking is compare the performance of a process with the best-in-class process. Think of a common example, changing the tires on your car: how much time do you take to change the tire if your tire goes flat? If you want to compare with the best in class, the best in class would be the people who are running Formula One races. In Formula One races, you would have seen that in about 1 second all four tires of the car get changed.

So if your process is changing a tire, then the best-in-class process is the tire-changing process in Formula One racing. Benchmarking could be internal or external. External is when you are comparing your performance with some other company. Internal is when you are benchmarking internally, looking at the best practices within the organization and using those as a reference to improve other processes. So when we talk about best practices, the other associated term is benchmarking: you benchmark your processes against those best practices. This is how you can improve other processes in the organization too, not just the area which you audited.

  1. 4A8 Organizational Risk Management

In the topic of audit program management, the next topic is organizational risk management. Before we talk about organizational risk management, let’s understand the definition of risk. There are two definitions of risk on this slide. The first one is from ISO 31000:2018, and the second definition is from ISO 9000:2015. Let’s look at these two definitions. The first definition, as per ISO 31000, is that risk is the effect of uncertainty on objectives. So you have an objective to achieve, and what is the effect of uncertainties on that? The simplest example of risk: let’s say I want to go from my home to my office, and my objective is to reach the office in time. Every organization has objectives; in this particular example, my simple objective is to reach the office in time. So what are the uncertainties in regard to this objective? One uncertainty could be a lot of traffic when I go from home to office. Another uncertainty could be my car not starting.

An uncertainty could be the weather going bad. These are basically risks. Risk is something which will prevent or hamper me achieving my objective. So this is basically the definition of risk. The second definition, as per ISO 9000, is that risk is the effect of uncertainty. Basically, both of these definitions mean the same thing: risk is associated with uncertainty. If something is certain, then it is not a risk. Going from home to office, if I know that there is heavy traffic, because looking at Google Maps I’ve seen that there’s heavy traffic, I know that this thing has already happened. So if something has already happened, then it is not called a risk. Risk is always related to uncertainty. Another important thing which we need to understand in regard to risk is that risk could be positive or negative. Most of the time we associate risk with a negative feeling, that risk is something negative. So in the example of going from my home to the office, the risk we consider will be a delay in reaching the office. But the risk could be the other way around as well; risk could be positive. There could be some uncertainties which will make me reach the office faster than I expected.

This is also called a risk. So when you think of risk, think of both positive and negative. In many places the positive risk is called an opportunity; in ISO 9001 also the positive risk is called an opportunity. Another important thing in regard to risk is that risk is often expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence. In plain language, risk is associated with two things. What are the consequences, or what are the impacts, of that risk? This is one part. The second part is the probability or the likelihood: how likely is it that this risk will happen? So whenever you look at a risk, look at it in terms of the likelihood and the impact, what is the probability of it happening and what is the impact of that. In terms of likelihood and impact, if I take the example of me getting delayed in reaching my office, if that is the risk, then the impact is low, because the impact might not be very significant, but the likelihood is high; there is more chance that I might get delayed.

On the other hand, let’s say you have a plant, a building or a factory and you are looking at the risk of an earthquake and, because of that, the factory collapsing. If that is the risk you are considering, the impact is very high, but the probability is very low. So whenever you look at a risk, look at it in these two terms, the likelihood and the impact. So this was the definition of risk. Now, if you look at ISO 19011, there are seven principles of auditing. We have talked about those seven principles in section one of this course. Out of those seven principles, the last principle is related to the risk-based approach. So when you audit, you audit based on risk. ISO 19011 focuses on a risk-based approach to auditing. And if you search ISO 19011 for the term risk, you will see that the term risk has been mentioned 82 times. That means there is a very high importance of risk management when it comes to auditing. Auditing is related to risk management. We will talk about that as we go further into this lecture.

So when we talk about the risk-based approach in auditing, what this means is that the audit should consider risks and opportunities. Whenever you have an audit program or an individual audit, the risks and opportunities need to be considered in the audit process. And in whatever we do in auditing, in planning, in conducting and in reporting, our focus should be on the risks in the process: what we are auditing, what the risks are, and which areas of focus are more significant to the client. So this was the risk-based approach to auditing. In the CQA body of knowledge, risk management has been covered in two places. One is in this section, where we are talking about organizational risk management, and then also in section 5H. In 5H we will be talking about risk management in much more detail.

We will be looking at the risk management process, and we will go into the details of that and how to mitigate those risks. So the risk management part will be covered in section 5H of the body of knowledge. What we are focusing on here in this section is three aspects. And once again, this whole section is about audit program management, how you manage the audit program. So here in this lecture I’m focusing on three aspects of risk. The first is how the audit program affects the organization’s risk level: whether the auditing helps in reducing risk or not. The second part is the opposite of that: how the risk level affects the audit program, so depending on the risk, how the audit program changes.

So this is the second part, and the third part will be the risks associated with the audit program itself. When you are doing an audit, what are the risks associated with that? These three aspects, or three focus areas, I will be covering on the next three slides. Let’s look at the first one here, which is how the audit program affects or reduces the organization’s risk level. When you audit, basically you reduce the risk level. And how do you reduce the risk level? Because you are monitoring the critical processes and checking whether these are being performed as planned or not. You check the processes and make sure that they are performed as planned, and that basically reduces the risk for the organization. In the audit you identify gaps: gaps from the statutory and regulatory requirements, gaps from the customer requirements, gaps from the contract requirements. By identifying these gaps and taking the necessary action, what you do in auditing is reduce the risk to the organization. So now the organization is able to meet statutory and regulatory requirements.

The organization is able to meet the contractual requirements, the customer requirements. That means fewer returns, fewer penalties, fewer shutdowns because of not meeting some legal requirement. This is how audits affect the risk of the organization. Audits also create a culture of conformance. They create a culture where people understand that they need to follow processes, and if they don’t follow processes, the system is audited and these things are reported to management. So it creates a culture where people follow the specified rules, the set rules. This is how the audit program reduces the organization’s risk level. Now coming to the second part, which is how the risk level affects the audit program. There are some processes which are riskier and some processes which do not have much risk. If you have a process where the risk level is high, you will have more frequent audits there, and you will have more detailed audits there. So depending on the risk level, your audit program will change; the extent of the audit program will change based on the risk. Coming to the third part, which is the risk associated with the audit program: once you are running an audit program, there are risks associated with that program itself.

When you do an audit, there are a number of stages: a planning stage, the actual audit stage, a reporting stage, a follow-up stage. In all these stages there are some risks. Let’s look at some of these here. During the planning part, there is the failure to set the audit objective. Why are you doing this audit? If you are not clear about the audit objective, there is a risk that you will not perform the audit to the level it was supposed to be performed at. If you don’t have an objective set, then definitely you will not be able to meet the objective. Another risk is resources. The audit team might not have sufficient time to do the audit, or the audit team might not be sufficiently trained to audit that particular area. If that is the case, there is a risk because of which the audit will not be successful. There are risks associated with ineffective communication channels, and risks associated with security and confidentiality failures. If the audit team fails to keep things secure and confidential, there could be legal implications. That’s another risk related to actually doing the audit. Then there is ineffective program monitoring. If you are not monitoring the program, then the audits might not be performed well or in time, and actions might not have been taken. So this is another risk.

Another risk is lack of cooperation from the auditee. If management is not interested, you might not get support from the auditee. And another risk is not controlling audit costs. If you are doing a second-party audit, where you are visiting suppliers and doing audits, there are costs related to that. Even for an internal audit, there are costs related to the time the auditor and the auditee spend. If you’re not controlling these costs, that is another risk associated with the audit program: your audit program might exceed your budget limit. So here you might have to think, if you are doing outside audits and visiting two suppliers, how you can combine those so that the cost is reduced, how you could do some of the audit remotely, and how you could look at some documents well before you actually go for the audit. These are some of the things which you need to consider when looking at the associated risks.
