It's the process.

Is quality a dead issue?

Total Quality Management is no longer a new and revolutionary concept. Whether it's called TQM, LTQ (Leadership Through Quality), or something else, the topic of quality has now been widely discussed, dissected, and implemented as companies strive to improve the

In fact, the quality movement has now been around long enough so that some observers have begun to question its value. They suggest in conferences and magazine articles that the quality movement is dead or outdated, while others avow that TQM is being expanded and extended like never before.

As audit professionals, we need to know what is really going on and what we, as audit professionals, should be doing about quality in our organizations and in our audits. Are we missing the point about the quality process? I think we are!

Quality in Internal Auditing

Based on my own observations, many people within the audit profession still haven't internalized the relationship of quality to their jobs, and they still don't believe there is a place for quality in auditing. This is a serious misunderstanding. In my opinion, quality means doing your job right, whatever that job is, even jobs that focus on conducting audits. Understanding what your job is and your role in that job is essential to understanding the relationship of quality to the audit process.

Although some might say the auditor's job is managing people, that isn't correct. Yes, people are important to us because they enable us to do our job; but managing them is not what we are paid to do. Our job as audit professionals, and our job as managers in general, is managing business processes!

Once we understand and internalize this idea, we can learn what we must do to ensure that we are managing these processes in a quality way. Once we realize that our audit process is a business process, we can strengthen our own techniques. To do this, we need to understand Audit's relationship to an effective business process, how internal controls relate to that process, and how these two elements relate to operating these processes in a quality way.

The Business Process

A business process is a group of logically related tasks - decisions and activities - that, when performed, utilize the resources of the business to produce definitive results. Business processes can be big or small, simple or complex. They can require a short time to execute, such as processing customer orders; or they may require years, as in the design and development of new products.

One less obvious example of a business process is conducting an audit. To prove my point, let's apply my definition. Quite simply, an audit is a series of related steps using some level of resources, usually people and money, to accomplish some task. In most instances, that task is to review some business process or entity within the company and assess the reasonableness of its controls. The most visible product of this process is an audit report with recommendations for improvement.

It is important to understand that processes themselves are independent of organizations. While some may operate within a particular organization, in many large corporations most business processes cover multiple organizations.

Order fulfillment may provide a good example. Sales receives an order, administration processes the order, manufacturing makes the product, logistics moves the product from manufacturing to the customer, service installs it, and finance then bills the customer and collects the money. Even in this common example, you can see that at least six organizations are involved in executing this one process.

Likewise, audits cross organizational borders: the audit organization may conduct the actual review, but recommendations are often developed in cooperation with the audit clients and are always executed by recipients of the recommendations, not by audit. This means that at least two groups, audit and audit clients, are involved.

Regardless of their size, complexity, or the number of organizations involved, effective business processes - including audit processes - have four common characteristics: ownership, documentation, controls, and improvement.

Ownership

Someone must own the process and be accountable for it. If you review a process where responsibility has not been clearly assigned, or where roles and responsibilities have not been clearly defined and agreed to, you will find problems in that operation. Similarly, if ownership for your audit process hasn't been clearly defined, there will be problems in your audit process execution.

To test for sufficient accountability, ask: Do managers understand their responsibilities? Is it clear what roles the staff, project leaders, and managers play in successfully executing the audit process? Has the director defined the "right way" to execute an audit? If the answers are "no," are your audits being executed effectively, efficiently, and with quality results? How would you even know?

Documentation

You don't need 50 pounds of documentation for every single activity within a process, but there should be enough documentation so that someone external to the process can see how it works. Unless the process is defined and documented, we become reliant upon individuals and their varying degrees of experience to execute the tasks being performed. Undocumented processes are people dependent; and we can only hope and pray that these people do not get hit by a bus on their way to work.

Similarly, if we have not documented how we want our audit process to be executed within our organizations, and if we have not defined the specific roles of the managers, seniors, and staff on individual jobs, we too will have a people dependent process. Even worse, we will confuse our staff and create tremendous inefficiencies. As auditors move from one job to the next, they will be reacting to different expectations, styles, experiences, and requirements of the individuals leading the audits. If there is no basic documentation of the audit process, the only way I can know how to audit is the way each individual project leader or manager tells me.

Documenting our process also lets us see and understand it more acutely. It allows us to examine the various steps critically, so that we can ensure that they are necessary. Documentation thus can identify improvement opportunities and prompt increased productivity.

Controls

The presence of control points and measurement is another characteristic of an effective business process. These controls can be either financial or operational, but their goal is the same: to tell us whether or not the goal we set out to accomplish through the process was achieved. They measure both the quality and quantity of the products or services being produced. You can't have one without the other and still be confident that your process is working as intended. For example, if you measure the volume of orders received from Sales, but not the accuracy of those orders, you may incur unnecessary administrative costs or customer dissatisfaction without even knowing it until it's too late.

This characteristic is particularly challenging for us in the audit profession. These measurements are not easy to select, and they may not be consistent from one audit group to the other. However, if we do not define measurements for our audit processes, we will never know if we are achieving the objectives we are trying to accomplish through our audits. If we don't know how long our audits last, or know how long it takes to issue a report; if we don't know if we are assisting senior management or whether we're doing a sufficient number of audits in the right areas - do we really know anything about this audit process we're supposedly managing?

Improvement

Continuous process control and improvement are essential characteristics of the business process. We must have a repeatable activity with measures that identify for us whether or not we are achieving the goal of the process. If not, can we identify areas we need to improve? Are our audit processes resulting in high quality products that are valued by company management? Are they produced effectively and efficiently; and when deviations occur, do we know it? And do we have enough information to know what needs to be fixed? If the number of audits conducted each year increases or decreases, do we know why? Is this good or bad? Managers of our respective audit processes should be able to answer these questions if we're doing our jobs right.

A Check-up

A little test may help you to assess whether or not these four characteristics apply to your company and ultimately to your audit group. Take the last four or five audit reports you have issued and look at the recommendations. I would bet that almost all your recommendations relate to elements of these four characteristics: there was lack of clarity about process ownership or roles and responsibilities, a lack of documentation, a breakdown in controls, or the absence of measures to identify when process improvements or changes were required.

If you agree that these elements are essential for an effective business process, why shouldn't they apply to an effective audit process? How can we in good conscience make recommendations to others to improve their processes if we don't have these characteristics ourselves? If our audit processes don't contain these four characteristics, then shame on us.

Managing Process Through Controls

To incorporate these four characteristics in managing business processes, including our audit processes, we must effectively manage controls. Yes, I used the word controls. I know that in this "enlightened era" control is not a politically correct term to use; but it is an essential word, and the right word to use in relation to a business process. If we step back and look at the essential purpose of controls, we see that it is to ensure that we have accomplished the objectives of the processes for which we are responsible.

All controls have four essential elements:

* Controls must be informational and actionable. You don't need a five-hundred page data dump about your process every week. What you do need is key information that's received in a timely manner. Based on this information, you should be able to determine what changes should be made to correct any deficiencies or to improve the process.

This is particularly important within the audit process since we must know which elements of our individual audit processes are working effectively and which are not so we can take appropriate actions. Is audit prework being done effectively and in timely fashion? Are our scoping activities taking too long? Do we spend too little time on fieldwork? Are our reports relevant and timely? We must adjust such important pieces of information to unique audit circumstances and to enhance our core processes.

* Controls should measure both the quality and the quantity of the transactions that move through the process. For example, if you are measuring the number of orders processed each day but you are not measuring the quality of those orders being processed, you may not be running your billing process effectively. Should you decide to increase your throughput rate but are unaware that the error rate is likely to double, your process may be further compromised without your knowing it. Similarly, if you decide to double the number of reports per auditor per year, or increase the required savings identified per auditor per year, without measuring and understanding the quality of the products being produced, you will seriously jeopardize your relationship with customers.

* Controls should form cycles or loops within the process. The information generated through your process should allow you to determine what pieces of your process are working and provide you with guidelines on where you should concentrate efforts to change various aspects of your process. If, for example, you are not measuring how long it takes to produce a report once fieldwork is completed, you will not know that you have problems in this area. By tracking specific process components you will be able to determine if there are bottlenecks in the report writing and review process that need to be eliminated so that you can provide more timely feedback and responsiveness to your customers.

* Controls must be cost-effective. Controls that cost more to implement or manage than the risk of not having them are useless. As companies streamline their businesses, auditors must be particularly sensitive to the costs incurred by controls. Not only must we ensure that we are making recommendations for control improvements that are absolutely cost-effective for our customers, but we must also ensure that the controls within our audit processes are cost-effective.

If these four elements are present, they promote the smooth, effective operation of the process. Whether financial or operational, the control should inform you whether or not your process is working as intended.

Business Processes and Quality

Once we understand what a business process is, what must exist for it to work effectively, and how controls help us manage these processes, we can apply that knowledge to audit managers and audit organizations as well as to any other managers or groups within our companies. The next critical step is to grasp how all this relates to quality. The Xerox quality model shown on the previous page may help to show how an effective business process relates to quality.

During the Planning for Quality phase we identify the process outputs, the customer, and the customer requirements; we then translate these requirements into what we call "supplier specifications." Once specifications have been established, we start Organizing for Quality, a step that involves defining and creating the business process. As illustrated in the exhibit, we identify the steps in the work process from beginning to end, including not only the identification of the owner of the process but also the roles and responsibilities of the various participants in the process. This definition requires some level of process documentation. In the case of our audit process, we identify the key steps that occur from the moment an audit starts until the final report is issued and the workpapers are filed. We then select measurements. In auditor lingo that means controls, either accounting controls or operational controls. Essentially these are the measures that will ultimately be used to ensure that the process can work and that it produces the output we intended.

Once we've determined that the process can work, it is implemented. We then move into the third phase of Quality, which is Monitoring for Quality. Here we use the measures to monitor process effectiveness and determine where and when improvement is required.

Conclusion

So how does quality relate to effective business processes and controls? They are one and the same! Quality is doing our job right, and our job is managing processes! The process is the core of everything we do and everything we manage, no matter how big or small, simple or complex. Ensuring that these fundamental characteristics are a part of every process we audit and a part of our own audit process will enable us to support our company's efforts to operate in a quality manner.

RELATED ARTICLE: Five Ways to Avoid Quality in Auditing

Rule 1: Proclaim yourself the law.

"Might Makes Right" is the rule that allows us to walk in and proclaim, "I Am The Auditor. Laws protect me. I cannot be eliminated; and if you don't do as I say, I will tell Senior Management and the Audit Committee about you. You will give me the information I require when I want it. My word is immutable law. Controls are controls."

Rule 2: Be comfortable with the status quo.

By this rule you assume that since no one audits you, there's no need to worry about having a quality process. "You can't measure my audit group anyway because we are involved in such complex, esoteric, mind-boggling issues that it would be impossible to create a measure that would clearly quantify the wonderful and enlightening work that we're doing." This rule also allows you to stay complacent and not be motivated to change.

Rule 3: Forget, or deny, that auditing is a business process.

By following this rule you will ensure that the four essential elements of an effective business process are either never implemented in your organization or never even considered.

Rule 4: Ignore the concept of "customer" in auditing.

Under this rule everyone is a victim. Understanding and empathizing with victims' business issues is not your job. Your job is to prosecute the guilty and unmask the wrong-doers in the operation. Under this rule you don't have to remember that both you and the clients are being paid from the same payroll system, or that they are working just as hard as you are to do a good job for the company.

Rule 5: Believe that "TQM" is something you do over and above your job.

Under this rule you can assume that quality is an add-on to your existing work load and, therefore, not essential. It doesn't really relate to the job of auditing, plus it takes too much time and is simply another fad that will soon bite the dust.

RELATED ARTICLE: How Empowerment Relates to a Quality Process

Just as controls and quality can only be understood within the context of a business process, it is my opinion that empowerment also can only be understood and delegated within the context of a quality process. When managements adopt the empowerment concept without really understanding its tenets, the result can be bad business practices and, in some cases, a weakening of the overall control environment of the business.

In my organization we've developed the following definition: "Empowerment is the delegation of responsibility and authority to act within the boundaries of the business process in the best interest of our internal and external customers." We believe four essential characteristics must exist if empowerment is to work:

* The responsibility and authority to act must be defined; and wherever possible, we need to minimize duplicate responsibilities.

* The boundaries of the process must be defined, whether they are company policies, departmental procedures, or legal policies. The controls, both operational and financial, must be documented; and agreement between department processes and expectations must be reached.

* Required tools, skills, training, and other resources that allow an individual to act in an empowered way must be available. Empowerment granted should maximize the "value added" to the process. This improvement could come in the form of improved customer satisfaction, improved employee satisfaction, or increased productivity to the business.

* Accountability for the consequences must exist, and a process should exist for modifying the boundaries as experience dictates change.

Both the definition and the characteristics confirm that empowerment occurs only within the context of a specific business process. It is only within this context and with these characteristics that I believe we can delegate responsibility to our people so that empowerment can truly work as intended.

John J. Lynch, former Director of North American Audit and Operational Analysis at Xerox, is currently serving as Xerox's Director of Global Outsourcing Management Operations.