audits [ hse all around the world ]

7/18/2019 Audits [ HSE All Around the World ] http://slidepdf.com/reader/full/audits-hse-all-around-the-world- 1/249

Upload: yuszano-md-yussop

Post on 02-Mar-2016


Health and Safety, Environment and Quality Audits


Health and Safety, Environment and Quality Audits

Stephen Asbury MBA, FRSA, MIEMA, CEnv, CFIOSH

and

Peter Ashwell FCA, FCIPD, FInstLM

AMSTERDAM • BOSTON • HEIDELBERG • LONDON

NEW YORK • OXFORD • PARIS • SAN DIEGO

SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO

Butterworth-Heinemann is an imprint of Elsevier 


Butterworth-Heinemann is an imprint of Elsevier
Linacre House, Jordan Hill, Oxford OX2 8DP, UK
30 Corporate Drive, Suite 400, Burlington, MA 01803, USA

First edition 2007

Copyright © 2007, Stephen Asbury and Peter Ashwell. Published by Elsevier Ltd. All rights reserved

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means electronic, mechanical, photocopying, recording or otherwise without the prior written permission of the publisher

Permissions may be sought directly from Elsevier’s Science & Technology Rights Department in Oxford, UK: phone (+44) (0) 1865 843830; fax (+44) (0) 1865 853333; email: [email protected]. Alternatively you can submit your request online by visiting the Elsevier web site at http://elsevier.com/locate/permissions, and selecting Obtaining permission to use Elsevier material

Notice
No responsibility is assumed by the publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library

Library of Congress Cataloging in Publication Data
A catalog record for this book is available from the Library of Congress

ISBN-13: 978-0-750-68026-4
ISBN-10: 0-7506-8026-1

For information on all Butterworth-Heinemann publications visit our website at http://books.elsevier.com

Printed and bound in Great Britain
07 08 09 10 10 9 8 7 6 5 4 3 2 1

 Working together to grow libraries in developing countries

 www.elsevier.com | www.bookaid.org | www.sabre.org 


Contents

Foreword

Endorsements

Preface

About the Authors

Acknowledgements

Introduction

Chapter 1 Business Environment

Chapter 2 Business Control

Chapter 3 Planning for Audit and Assurance

Chapter 4 The Audit Process Roller Coaster ©

Chapter 5 Set-up

Chapter 6 Review and Verify

Chapter 7 Concluding the Audit

Chapter 8 Personal Relationships

Chapter 9 The Written Report

Chapter 10 Teamworking

Appendix 1 – Preparation, Preparation, Preparation

Appendix 2 – A-Factors

Appendix 3 – Suggested List of Pre-audit Documents

Glossary

References

Bibliography

Comments from Course Delegates

Index


Foreword

Mention auditing to the layman and the expected response is a glazed look. It is not a sexy subject. So why write a book about it, and who would want to read it? But start to talk about risk, governance, business improvement, adding value and many other aspects of business that have currency in the Boardroom and interest quickens.

Auditing is no longer characterised by talking to the shop floor and ticking the boxes on a checklist. And while compliance remains relevant, the primary requirement for those being audited is to add value. Today’s auditor belongs as much in realms of senior management as in the production line.

This book provides an interesting insight into the mechanics of auditing. Informative and a good read for those familiar with the industry, and for those not, an interesting insight into an interesting subject.

Simon Feary
Chief Executive
The International Register of Certificated Auditors (IRCA)
London, UK


Endorsements

Health and safety management is an integral part of business risk management, with auditing being an essential component for helping ensure efficacy and continual improvement. Audits should not be dreaded or adversarial, but regarded as opportunities for organisations to learn and for auditors to share good practice.

This book can assist employers and prospective and practising auditors to better understand their respective roles and also the potential value to the organisation of a well-designed and conducted audit undertaken by a competent auditor or audit team.

Rob Strange
Chief Executive
The Institution of Occupational Safety and Health (IOSH)
Leicester, UK

I am delighted to have been asked to offer my support to a book that clearly outlines how beneficial having a positive approach to auditing has become in this contemporary, but accountable world we live in.

All companies, no matter what size they are, have a duty to satisfy their customers, both internal and external, as well as interested stakeholders, that their business is run and governed correctly. How better to demonstrate this than by welcoming their activities to be audited by external individuals.

During my 20-odd years in the chemical industry we were audited many times and although we knew up front there was much to do, always had the attitude that an audit should be welcomed and not feared as it allowed “a fresh pair of eyes” to overview our activities and possibly spot something our “all too familiar eyes” had missed. Working with the auditors, and not against them being essential.

So I hope all who read this book will find it a useful companion on the often fascinating journey of auditing.

Russell Foster
Chief Executive
Institute of Environmental Management & Assessment (IEMA)
Lincoln, UK


Back then in the mid-1990s, as Health, Safety, Environmental and Quality (HSEQ) Manager of Shell Malaysia Trading, I was responsible for and involved in the implementation of the Health, Safety and Environmental Management System (HSEMS) in the company. I believed then, and still do, that the HSEMS is a fantastic tool to manage the health, safety and environmental hazards and risks in the oil and gas environment or similar business operations only if it is properly implemented and maintained for continuous improvement. Internal auditors not only provide assurance but can also help management coach the employees on how they can ensure the controls in the HSEMS are strong and relevant. In so doing, the organization can be a fortress against any untoward world incidents like the Piper Alpha explosion and fire or the Valdez oil spill.

HSEMS is not an easy system to understand. Higher expectations for increased accountability, more transparency, greater due diligence and enhanced oversight have all contributed to growing need for professionalism in auditing. Therefore, any help we can provide to auditors to conduct a proper review of the HSEMS system is welcome and appreciated. I think this book can provide some of that guidance to auditors. Syabas to Peter and Stephen for the courage and dedication in publishing this book.

Fatimah Abu Bakar
President of The Institute of Internal Auditors Malaysia (and formerly the General Manager, Internal Audit and Compliance at Pengurusan Danaharta Nasional Berhad)
Kuala Lumpur, Malaysia

“Audited to death” is a cry often heard from managers, followed by disdain looks of dissatisfaction about the value and business contribution made by auditing. It is imperative that audit does add value; and is valued by those touched by the process. Dovetailing what we do, in an auditor role, to the business needs and risks, focusing on the things that matter help to raise the profile and status. All this helps to demonstrate that the time and effort spent on auditing greatly facilitates performance improvement.

All so simple really, but often difficult to deliver and sustain.

That is why it is refreshing to have a book, written by two reputable people, that describes the principles and tools for auditing and provides stimulating debate and examples to enthuse and revitalise auditors and those touched by auditing. The principles, practice and tips within this book will aid in the promotion of adding value.

Neil Edmunds
Health and Safety Director (UK & Europe)
Bombardier Transportation
Crewe, UK


Audits have become an essential part of doing business and have not only been embraced by our management but built into the educational structure of McDonalds and our Hamburger University. Safety and the protection of our customers and employees are the highest priority. Audits and risk assessment play a major role in allowing us to provide that protection.

Jim Marshall
Director Insurance & Safety, McDonald’s Corporation
Oak Brook, Illinois, USA

The role of audit in the business world continues to be as important as ever. Stakeholders and shareholders alike rely on the expertise of external auditors to verify or discount what they think is working as it should in their business. This is true equally if you are involved in financial services, as it is in occupational health and safety. From corporate governance and S-OX, to OHSAS 18001, there is one ingredient that remains the same – protecting the health and safety of employees. The role of the auditee is in accepting audit as a basis for continual improvement and not a battering ram. The role of the auditor is in accepting that their expertise can help a business rather than placate it. This book will help auditees and auditors alike to understand the role and therefore the nature and practicalities of audit.

Margaret McLoughlin
Group OHS Manager
Coca Cola HBC
Vienna, Austria

Organisations of every type and size need to be able to demonstrate that they have sound internal control and strong governance. Directors and senior management recognise the critical role that an effective Internal Audit function can play in providing them with assurance that lets them sleep soundly at night – or tells them what needs to be fixed. An Internal Audit department will be judged by its effectiveness in not only assuring management that the expected controls are in place but also by highlighting where management need to pay more attention to high risk areas of their operations and put more resource – in terms of time, money, expertise – before the challenges of the future turn into issues of today! Internal Audit, more than most functions, relies upon the quality of its people and in their ability to proactively engage with their audience at all levels of the organisation. Auditors need passion, knowledge, respect and to be eloquent exponents of the benefits to all stakeholders of sound internal control and strong governance.

Whether you are a ‘seasoned’ auditor or relatively new to the role, I encourage you to use this book to help you develop as an individual whilst seeking yet further opportunities to add value to the organisation you work for.

Mick Michael
Sarbanes-Oxley Compliance Manager
National Grid plc
Warwick, UK


Preface

Why, you might ask, would anybody wish to write a book about auditing? The answer is very simple. Today, we live in a world where enterprises of all types, sizes and sectors must be able to prove to those both inside and outside their organizations that they are being managed in a way which is consistently acceptable to all of society. In the main, enterprises have lost people’s trust to carry out their activities relying purely on their owners’, directors’ or managers’ word that everything is being done properly. Even when directors explain in great detail what their policies, guidelines and standards are with regard to how they intend to carry out their activities, that may still not be good enough.

In the last ten to fifteen years, people outside – and often inside – all types of organizations have demanded demonstrable proof as to the extent to which enterprises are meeting their self-proclaimed standards. And over the same period, many groups claiming to represent interested people in society have persuaded enterprises to involve or engage them. There is no turning back (Figure P.1).

The level of management performance needed to ensure that entities stand a chance of meeting these continually increasing levels of expectation is competing head-on with the level of management performance needed to create commercial success. We believe that the conundrum of how to get the same individuals to achieve both goals simultaneously can be solved if entities create a function to carry out effective management system auditing.

Corporate governance and social responsibility are the expressions used today to describe the governmental, legal and societal reaction to this simultaneous phenomenon of lack of trust and huge expectation.

There is a major challenge to agreeing a global approach because historically the US attitude to regulation has adopted a ‘rule-book mentality’, which means that when anything contravenes the prescribed letter of the law, organizations and officers are sued and possibly prosecuted. Meanwhile the UK and many International standards of accounting, auditing, ethics and corporate governance essentially are ‘principles-based’, which means that you really have to think about the ‘spirit’ of the standard or rule – what is it expecting to achieve? – rather than just ‘ticking boxes’ as soon as you can show compliance with the ‘letter’ of the standard or rule.


[Figure P.1 Demands for transparency and engagement. Axes: Trust (low to high) against Need to demonstrate compliance and sincerity (low to high). Quadrant labels: Trust me, Tell me, Ask me, Show me. Regions plotted: Europe, S. America, Africa/Asia, N. America.]

The accountancy profession, particularly those elements authorized to carry out statutory audits, was affected for many years by what is often referred to as ‘the expectation gap’. This ‘gap’ was the difference in the layman’s perception of the type and extent of work that went into an audit and the actual work which was required by law. A statutory audit results in the auditor giving either an unqualified audit opinion so that the reader can impute that the entity’s financial statements reflect a ‘true and fair view’, or on the contrary an audit opinion that qualifies the extent to which the statements are not true or not fair. It was as recent as 1990 in the UK in Caparo Industries v. Dickman that external statutory auditors were reminded by the justice system that they needed to manage this expectation gap rather better than before, because they owed a duty of care to other parties who may suffer an economic loss by relying upon their statutory audit opinion.

The resultant debate about the extent of external auditors’ legal liability has been going on ever since, with a variety of ideas being put forward for mitigation in many jurisdictions across the world. A significant recent development has occurred in the United States of America with the creation of the Public Company Accounting Oversight Board (PCAOB) as the guardian angel of investors in US securities markets and charged with the responsibility to ensure that public company financial statements are audited according to the highest standards of quality, independence, and ethics.

The PCAOB was established by legislation known as the Sarbanes Oxley Act that came into effect on 30 July 2002 as a response to the massive lack of trust and loss of confidence in the US capital markets caused by a litany of major corporate failures – immortalized by Enron, Tyco, WorldCom-MCI, HealthSouth, Global Crossing and Adelphia.

Many non-US regulatory bodies were already in place with their objectives to protect investors, improve audit quality, and ensure effective and efficient regulation of audit firms. However, business control failings in entities of all types and sizes have occurred throughout the world – in West and East Europe, Japan, Australia, Asia, Africa, South America and Russia. Some examples are shown in Figure P.2. They will continue to happen because of the failure of some senior managers to either believe in the benefits of, or put sufficient priority on, implementing an effective business control framework or personally defer to them in their own behaviours and actions.

• Ahold (The Netherlands)

• Aural Mining (Romania)

• Barings Bank (UK/Singapore)

• British Credit and Commerce International (UK/India)

• Buncefield Oil Terminal (UK)

• Cable & Wireless (Hong Kong)

• Longford Gas Plant (Australia)

• Parmalat (Italy)

• Resona Bank (Japan)

• Shell-Brent Spar; Oil and Gas Reserves (UK)

Figure P.2 Major non-US business control failings

Corporate failure of varying kinds affects varying groups of stakeholders. Some of the most visible are major technical failures when people are killed and communities knocked sideways – accidents in the North Sea (Piper Alpha), at the Longford gas plant in Australia, at BP Texas City in USA and on the railways and at Buncefield in the UK.

This book sets out how HSEQ and other internal auditors, if they are given the chance, can help management to avoid failures like these. And along the way, we will have the opportunity to reflect on why so much activity called ‘internal auditing’ is being done today with so little benefit accruing either to the managers of the entities audited, or to those people who expect every entity to be run by super-heroes and paragons of virtue.

The authors have written and structured the book so as to be of interest to three broad sets of readers:

1. Those in senior management who are thinking about setting up an internal audit function in their business or possibly questioning the value of their existing internal audit function;

2. Those who want to be persuaded to become an internal auditor or perhaps are disillusioned with the style and outputs of the auditing they are being asked to do; and

3. Seasoned HSEQ and other internal auditors, who may already have risk-based or management system auditing experience.


Our hope is that the first two groups will read this book from cover to cover and the information will inspire them to create centres of excellence in their internal audit departments, get involved and deliver audit results that will help organizations and their clients. The third group will be able to dip into the book to contrast with and add to their practice. For them, we hope, it will become a well-thumbed source, with useful and challenging ideas to try out.


About the Authors

Stephen Asbury

Stephen Asbury is Managing Director of Corporate Risk Systems Limited, a leading international auditing and training organisation. He has worked in a variety of senior risk management roles in 34 countries in a career which spans over 20 years in the following sectors – construction, polymer, and mechanical engineering, insurance and technical consultancy. Stephen is a Director and a Chartered Fellow of the Institution of Occupational Safety & Health, Europe’s largest membership organisation for safety and health practitioners, and is registered by the Society for the Environment as a Chartered Environmentalist. In his spare time, he enjoys theatre, scuba diving and F1 motor sport.

Clay House, 5 Horninglow Street
Burton upon Trent, Staffordshire
DE14 1NG, United Kingdom
www.crsrisk.com

Peter Ashwell

Peter Ashwell is Managing Director of Kingdom Management Limited (KML), a leading international auditing and training organisation. He qualified as a Chartered Accountant in 1974 and worked in a variety of finance roles in the UK and overseas during a 15-year career with the Royal Dutch/Shell Group of Companies. In 1990, he founded KML and has been instrumental in building it into a quality-driven risk management and internal audit training business servicing multinational clients throughout the world. Peter is a Fellow of the Institute of Chartered Accountants of England and Wales, a Chartered Fellow of the Chartered Institute of Personnel and Development, and a Fellow of the Institute of Leadership and Management. He spends his leisure time with his wife and family, and enjoys sailing.

Eccles End, Main Road
Edenbridge, Kent
TN8 6HZ, United Kingdom
www.kmtcentre.co.uk


Acknowledgements

Stephen Asbury

I would like to take this opportunity to thank a group of individuals who have been so generous with their love, support and encouragement over the years – Kimberley Asbury, Kasia Koszykowska, Michael Farmer, Arthur Rothwell, John Element, John Fawkes, Jeff Coleman, Johann Meeke, Bill Luttman, Andrew Ure, Neil McClure, Hazel Harvey, Steve Kay, Kev Tizzard, Stephen Lawton, John Leivers, Alan Shaw and Peter Kilby. You have all changed me in big ways and in small ways. I value your challenge, knowledge and friendship immensely.

Peter Ashwell has been a friend and an inspiration for eight years. He has been a pleasure to work with (and more recently) to write with. A number of other people have helped considerably with contributions to the case studies and tips you will read within the book. My thanks are due in particular to Ian Waldram, Carey Evans, Andrew Burns-Warren, Richard Ball and John Watson.

Thank you to all of my colleagues at CRS, and to each of the KML faculty. Working with you is always more fun than I expected. Thank you too to each of our training course delegates from around the UK and the world for showing up, listening to our messages and making ‘work’ such a pleasure.

Thank you also to the management and staff at Elsevier, especially Doris Funke and Jonathan Simpson for believing that ‘there was a book in me’, and then encouraging me to write it.

The sunsets of Key West provided inspiration for writing the final text.

Finally, thank you to my late parents Alan and Betty. My family tells me that they would be proud of me.

Peter Ashwell

In writing this book, Peter wishes to acknowledge the encouragement of his co-author Steve Asbury whose idea it was to ‘tell the world what we know is a great way to get fantastic audit results’.

But Peter also recognizes the contributions to his own thinking about what needs to be done, and how best to train people to do it, from Richard Heron, Campbell Tervit and Keith Wade especially, and from all of the other trainers and consultants who have worked with and are still working with him in Kingdom Management Limited.

In addition, there have been many client focal points whose arguments have been listened to and of course the near continuous challenges by and discussions with the thousands of students with whom we have had the privilege to work over the last sixteen years.

Therefore, the ideas expressed in this book are really the product of all these peoples’ thinking and shaping, which must never cease if we are to win the battle against ineffective auditing. To this end, I look forward to building on our ideas and sharing new ideas and experiences in future revisions to this book and supporting users through the book’s website.

 © 2000 Joe Schwartz www.joyrides.com


Introduction

Too many internal audit results create a sigh of relief or a scream of frustration from the auditee who has been told he or she has ‘passed’ or ‘failed’.

Many readers may believe that is an outdated perception, but regrettably it is not. The problem is growing; every year management react to the need to be able to demonstrate compliance with ever-increasing external requirements, such as changes to legislation or the small print of a new swathe of regulatory bodies, by doing more compliance auditing.

But hang on a minute. Why do we need to do all this compliance auditing? Simply because most managers and supervisors are overburdened just keeping the boat afloat and heading in the right direction. Therefore auditors are used as a safety net, in the sure knowledge that something will be overlooked and wrong steps taken.

So, literally, millions of hours of internal auditing are being carried out just in case somebody or something does not do a job properly. They are seen as a necessary evil, because the forms need to be filled in to show the work has been checked, but this condescension has a knock-on effect in that effectiveness is seen more in terms of efficiency rather than asking difficult questions.

Our belief is that the reality should be that internal audit engages very bright people in reviewing key parts of an organization from a variety of aspects. Therefore internal audit is perfectly placed to challenge the way an organization is being managed. But whatever the type of audit, commercial or technical, the results need to demand the respect and attention of senior management.

This book works through the individual steps that will enable internal auditors to deliver this exceptional quality of audit that will make a difference to management.

The steps are encapsulated within a teaching model called The Audit Process Roller Coaster ©.

This simple model was created one evening in 1994 whilst reflecting upon a documentary on television about roller coasters. It was recognised that the physical and emotional journey that a rider went through after climbing aboard a roller coaster, such as the one pictured, matched very closely the reality and emotional journey of an auditor following and applying the internal audit approach and methodology which was then currently being taught by us. Since then the essential parameters of the model (see Figure I.1) have remained unchanged – the height above the ground being equated to working with summary or overview type of information and the closeness to the ground equated to working with transactional and detailed information. The left-to-right motion is the progress of the audit: the steepness of the initial drop creates a feeling of time flying by uncontrollably and the acceleration reminds the auditor that there is no going back; the hollow at the bottom causes a feeling of nausea as one’s stomach bottoms-out; and then, after the briefest respite at the bottom, relaxation as the momentum starts to carry the audit team up the slope as the momentum diminishes and as the speed reduces just before you deliver the audit report.

[Figure I.1 The Audit Process Roller Coaster ©. Horizontal axis: audit progress, ending at the audit report. Vertical axis: level of detail involved, from summary to very detailed.]

You will find seventy A-Factors throughout the book which refer to either Asbury, Ashwell or Auditing factors which the authors use to summarize particular points.

You will also find many case studies through which the authors use real life to illustrate points made in the text.

Finally, the authors have given the reader a generous serving of their own tips regarding what they see as the necessary awareness, knowledge and skills needed to become good auditors.

We look forward, in the following pages, to taking you on your first Audit Process Roller Coaster © ride.


1 Business Environment

Introduction

While one organization is restructuring its post room, another has invented a low-

cost, low-emission alternative to hydrocarbon fuel. While one organization indicates

a pending increase in local taxes, another patents a retroviral drug for an ‘incurable

condition’, and yet another quells a public order situation in a major capital city.

And while children starve in Africa, we launch probes to the planets in search for our homes and resources of the future .

However we see it, organizations of just about every type – no matter what their global

significance, or how they differ in detail – are concerned with transforming inputs to

outputs. They do this against a backdrop which readily affects – and in turn is affected

by – the conduct of their activities. This backdrop is the ‘business environment’, one

that is increasingly complex, dynamic and volatile. As an (anonymous) delegate on

one of our recent auditor training courses said:

change is the only constant these days

If we are able to understand this business environment and the possible or likely

effects it might have upon organizations, it will not only assist us in understanding

the practice of ‘business’ in its entirety but will help auditors in their functioning

as well.

As you will see, auditing is about providing a confirmation (or an assurance) that an organization has reasonably addressed foreseeable risks towards the achievement of its objectives within a suitable framework for internal control. Along with providing assurance for the present, it also involves assessing its suitability for the business environment in the future. Information about future prospects is much more valuable to managers than information about the present or past.

This chapter takes us on a short journey through the key elements of understanding business environments, before moving on to summarize the role of managers in positioning their organizations for success, and finally answers the question ‘What is risk?’

Beyond PEST 

As any management student or management textbook will affirm, there are numerous tools and techniques available for gathering and analysing the results of a review of external environments. A common tool is ‘PEST’ (and its derivatives) as noted below:

• PEST (Political, Economic, Social, Technical)

• PESTEL (same as in PEST + Environmental, Legal)

• PEST-CM (same as in PEST + Customers, Markets)

• STEEP (Social, Technical, Economic, Environmental, Political).

While all these recording tools can be helpful, in this chapter we will focus on some of the key features to be understood, and offer a simple format for recording both internal and external features.

The simple tool for recording the significant internal and external environmental features applicable to an organization is a SWOT analysis – strengths, weaknesses, opportunities and threats. Strengths (S) and weaknesses (W) are internally focused, while the opportunities (O) and threats (T) are external to the organization. A basic format for this is shown in Figure 1.1.

Figure 1.1 Basic SWOT tool (Internal: Strengths, Weaknesses; External: Opportunities, Threats)

The business environment

As stated earlier, in this chapter we will look at external and internal environments relevant to all organizations, and later examine four distinct areas of essential knowledge in the environmental context:

• political

• economic

• legal

• resources.

The four major areas mentioned are summarized here and readers are referred to the bibliography for further details.

The external environment – an overview 

Look around. Business activity surrounds us. It is everywhere, starting each morning with the delivery of the morning newspapers, and with generation and distribution of the electricity we use to heat water for breakfast tea. ‘Business’ per se is however quite difficult to exactly categorize – it probably concerns all activities of trade (buying and selling), profit (making one, or existing not-for-profit), provision of service (whether governmental, charitable, religious or other) and many others.

Definition of ‘Business’ – Occupation; concern; trade. Pertaining to traffic; trade. – Castle English Dictionary.

Business has only two basic functions – marketing and innovation. – Peter Drucker.

Here, we take the broadest possible view of the term, and encourage readers to think of ‘business activity’ as it concerns their own undertakings, or organizations known to them.

Organizations have inputs (from our given example, newspapers, coal or gas, public donations), some process or activity adding value (manufacturing, delivery, conversion), and finally an output (the goods or service, and its waste). The common feature of all organizations is the transformation of inputs to outputs. This is summarized in Figure 1.2.

Simply put, organizations of all types require land, labour and capital resources – classically known as the ‘factors of production’ by economists. Specifically, organizations require talented people with great ideas, a source of financial support for the enterprise, suitable buildings/accommodation for the process or activity, a supply of materials, committed workers, satisfied customers, and so on.

In accordance with the anticipated needs of their target consumers, these are combined to deliver the planned output (goods, services, information, etc.). In successful organizations, this is a cyclical activity as shown in Figure 1.2. The generation of an output which is consumed by the customers generates revenue or appetite for the acquisition of new inputs, and a reward, whether financial or other, for the financiers.

Figure 1.2 The basic system for transformation of inputs to outputs (Inputs: land, employees, materials, energy, skill; Organisations; Outputs: goods, services, information; Consumption)

Let us relate this to a couple of simple scenarios:

1. A corner shop

An entrepreneur, backed by a bank or parents, purchases premises and stock. The entrepreneur hires staff, and advertises the opening of the shop and its unique selling points (e.g. that it is convenient, local, etc.). Customers visit and make purchases. With the revenue, the entrepreneur purchases new stock to replace that sold, and makes the agreed loan payments to the bank, or reimburses the parents. If the entrepreneur has planned wisely, there may be a small profit as a reward, which will be re-invested elsewhere in the economy (e.g. purchases, savings, etc.).

2. A charity

A registered charity seeks to raise disaster-relief funds. It hires premises, engages staff for a call-receiving centre, and advertises a need for donations. Donations are made, and these are divided to pay for the premises, staff wages and advertising; the excess will be donated to relieve suffering in the disaster zone. If the charity has planned wisely, this remainder will be sufficiently large to allow further advertising, based on the success of the initial phase. Again, staff salaries will be inputs elsewhere in the economy.

A-Factor 1: Organizations are concerned with transforming inputs to outputs. Inputs create outputs, and outputs create inputs.

Business organizations in their environment

These simple models mentioned are, of course, much more complicated in the operational reality of business and commerce in action. Organizations are inseparably intertwined with their outside world – the external environment.

This business environment, where all organizations conduct their enterprises, comprises a wide range of influences. These include:

1. the prevailing political climate; the macroeconomic situation; the legal framework; technological, educational, entertainment and sport; religion and organized crime (sociocultural); and

2. the availability of resources (scarcity), willingness of potential customers to trade, and the activities of any competitors.

The factors in the former group tend to have a slowly developing and general influence upon the enterprise whereas the ones in the latter group represent the day-to-day/operational influences.

General influences

These factors are discussed later in this chapter, but a short overview is provided here by highlighting some of the key external influences on businesses:

Politics

Different types of governments have different political aspirations, and manipulate economies to these ends. This manipulation will tend to influence the business environment. For example, in the early years of the twenty-first century, in Europe, there seems to be a significant political aspiration to combine national trading into an international trading block called the European Union. Governments are generally large organizations, and employers of large numbers of people.

Macroeconomics

Governments create (and sometimes destroy) macroeconomic climates conducive to investment. Policies to create high or low levels of public sector borrowing, higher or lower levels of employment, higher or lower levels of inflation are examples of how governments intervene. Fiscal policies release (or withdraw) public sector spending, and other policies promote (or discourage) the creation of jobs.

Legal

In all countries there is a framework of laws and regulations – well-developed or not – that defines the relationships between the state, organizations and individual citizens. In some territories, for example in the United States of America (USA/US), there is an interrelationship between local (state) laws and national (federal) laws. Similarly in Europe, an implementation of many legal requirements is from federal level (EU directives) to country level (domestic legislation). Like the macroeconomic climate, this can be viewed as connected to the political perspective.

Sociocultural

Demand and thus supply is driven by social and cultural factors. The demand for electronic goods increases where homes have electricity. The supply of locally produced textiles reduces when markets move overseas to take advantage of lower labour rates.


Technology

It seems the speed of technological advance in the twenty-first century is near-exponential, as anyone who has purchased a new television or computer recently may have noted. The willingness of organizations to invest in new technologies depends upon their attitudes to the external market, but is generally seen as a key to the success of an enterprise (or a country) over its peers.

Day-to-day/operational influences

Resources

Organizations rely upon their suppliers for resources. Likewise, the success of a supplier organization is sometimes dependent upon its customer; the operation of the two organizations has become intertwined. Organizations must tend to contracts, pricing agreements, delivery lead times and contingencies as a part of the continuity from input to output. Charles Handy, in The Empty Raincoat (1994) introduces the concept of the ‘Chinese contract’. This concerns a finely balanced agreement between two parties, where neither is advantaged or disadvantaged to the cost of the other.

Customers

Of course, customers are vital to all organizations and employees – customers make paydays possible! An ability to meet/exceed current requirements (and to anticipate future requirements) for price, quality and delivery on time are the hallmarks of successful organizations. ‘The customer is king’ is proclaimed aloud by many organizations, whilst ‘customers get in the way of the real work’ may be whispered in the offices. Markets for products, services and information are becoming increasingly market-led, and organizing a business to satisfy the emerging needs of customers remains a vital requirement.

We particularly like the metaphor that is expressed in Who Moved My Cheese by Johnson (1999). It concerns a nimbleness and adaptation to a customer-base that we have tried to apply to our own organizations. An enlightening read!

Competitors

‘Winning’ and ‘losing’ in commercial environments often concerns one party’s performance relative to another’s. This ‘other’ is one or more competitors who may desire to provide customers with lower-cost, higher-quality, or differentiated goods and services. Competition from overseas, where overheads may be lower, may be seen as particularly ‘unfair’. Innovation by competitors can render competing products and services obsolete. How an organization responds to its competitors (e.g. deciding upon the time for aggressive product development or defensive pricing) may be a significant indicator of its future success in its field of operation.

A-Factor 2: Organizations are inseparably intertwined with their external environment. Their managers should take account of this to achieve their organizations’ objectives.


The internal environment

Organizations decide how to operate in order to meet their objectives. A common theme running through any analysis of internal environments is ‘management’ and the style of its conduct. Management concerns both the roles fulfilled by the individuals who manage an enterprise, and the process – the management system – by which the enterprise sets out to meet its objectives. At this stage, we should stress the interaction between internal and external environments. If an enterprise is to remain successful, attention needs to be paid by the senior managers to balance all of the competing environmental influences by adapting so as to cope with the new circumstances facing the organization, and then being ready to institute further changes as and when required.

Case study

A large, UK-based entertainment organization has approximately 250 clubs providing evening entertainment and dancing. A cursory review of its business environment highlights the following features to be managed if business objectives are to be met. Externally, an extension to licensing hours, a pending ban on smoking in pubs and clubs, a focus on noise exposure levels, increased use of illegal substances, media focus on late-night town-centre disorder, and a rise in underage drinking. Internally, the retention of key staff as they progress with age, marriage and family from ‘happy to work at night’ to finding working at night less acceptable. Some parts of the business are for sale, and maintaining staff morale could be challenging.

Organization and management

There are three main categories of organizational theory:

• classic

• HR approach

• systems-based.

Classic 

Writers such as F.W. Taylor (1856–1915) viewed organizations as formal structures established to achieve objectives under the direction of top management. Taylor believed that management was responsible for ‘scientific management’ – methods attached to the design of work, such as work study, that could be applied to heighten production.


HR approach

An alternative approach to the classic, formal organization is the HR approach which emphasizes the importance of people in workplaces. The famous Hawthorne Experiments (1924–1932), conducted in USA, showed that individuals at work were part of informal as well as formal structures, and that group influences were fundamental to understanding individual behaviours. Thus influencing human behaviour becomes critical to enhancing the effectiveness of organizations.

Systems-based 

The approach, described earlier, of converting inputs to outputs and outputs to inputs (along with all the associated subsystems) produces a systems-based organizational theory. Modern views of organizations focus on such ‘systems-based’ approaches, where management is a highly critical subsystem directing the enterprise towards its objectives. Some of these ‘management systems’ are externally certified, such as ‘Investors in People’ in the UK, or ISO 14001:2004 internationally.

Whichever the organizational theory preferred, an organizational structure to deliver it in practice is desirable.

Organization structures

In all organizations – even sole traders, where the spouse may assist with the financial books – there is a division of effort in pursuit of the objectives. This resultant pattern of relationships is commonly known as the organization structure. This structure provides the means by which the work is planned, communicated, carried out and supervised.

A main feature of all organization structures is that they embed a hierarchy within them, as Figure 1.3 shows:

Figure 1.3 Classic hierarchal organisation chart (Director, Manager, Supervisor, Worker)

Within organizational structures, there are five main approaches:

• by product/service

• by geographical location

• functional

• matrix organization/project team

• virtual.

By product/service

For example, a High Street store may have the following departments, each with specialist staff, to focus on the needs of customers – the structure follows the sales process.

• menswear 

• ladies wear 

• home and garden

• grocery.

By geographical location

For example, a double-glazing company may structure regionally (North, South, East, West of territory/country) to provide a local address to customers, and employ locally based management and staff.

Functional 

For example, a manufacturing organization may structure functionally – the structure follows the activity of the enterprise.

• procurement/goods in

• production

• warehouse


• sales and marketing

• personnel/HR.

 Matrix organization/project team

For instance, a Grand Prix motor race takes place each year at a national venue, e.g. the Circuit de Catalunya on the northern outskirts of Barcelona, Spain. A project team is brought together to combine in a matrix the skills of the full-time race management team with local suppliers of accommodation, ticketing, catering, parking, waste disposal and so on. It is disbanded after the event, until perhaps brought together again for next year’s event.

Virtual 

For example, an online auction relies upon a loosely connected web of member buyers, sellers and advertisers to achieve its business objectives – a formal organization chart is virtually invisible.

In reality, some of the characteristics of each of these organizational structures may be present in a single organization to meet its current needs.

A-Factor 3: The structure of an organization is a means to an end, not an end in itself.

The external environment in detail

The political environment

Business activity takes place locally, within countries, across borders and internationally. It is inevitable that governments will be involved in some way. Markets are globalizing for many products and services because governments around the world are taking action to remove barriers to trade. Understanding the basics of political systems, institutions and processes provides greater opportunities for organizations to align themselves, and thus provide greater opportunities for achieving business objectives.

Politics

A good question for audit practitioners reading this book is ‘What is politics?’ An attempt is made to answer that question from that perspective.

The style and nature of any country’s political system will tend to be underpinned by its historical and social values, national identity and political philosophies. Revolutions come and go but political evolution is the norm – incremental, rather than radical – particularly in democratic countries. This tends to bring some degree of stability to the business environment, particularly in developed countries.

The two extremes of political systems are:

• totalitarian

• democratic.

Totalitarian

Arising from the power of monarchy, from military conquest (sometimes called a ‘junta’), or a free election, a totalitarian government will tend to act in order to restrict or prohibit political participation by others. The style of government tends to be a rigid enforcement of rules and oppression of opposition.

Democratic

Exemplified by free and fair regular elections, and freedoms of speech and media, democratic systems provide more balanced governments where matters are discussed, and solutions accepted by all participants, even if they disagreed in the first place.

A model for democratic government is shown in Figure 1.4.

To be recognized as a democratic government, more is needed than a transparent election process. It should provide that the wishes of the electorate, in terms of the majority according to the votes cast, are reflected in the final result.

Figure 1.4 Model for democratic government (cycle: The People (Voters) → Choose members of → The Government → Make decisions on behalf of → The People)

This point can provide for interesting debate between political purists where, for example, a ‘first-past-the-post’ system is in place. In the UK, for instance, a simple majority of votes over other candidates is needed to be considered ‘elected’ in a regional constituency. At national level, a simple majority of candidates elected over other political groups (or parties) is needed if its leader is to be asked by the Queen to form a government in a representative assembly. As a result, it is often the case that the winner has less than 50 per cent of the total votes cast. Alternatives to this approach include ‘proportional representation’, where the electorate can indicate its second and sometimes further wishes for votes to be recast if there is no outright winner. Overall, a first-past-the-post system tends to produce majority government, and proportional representation tends to produce coalition government. Majority governments tend to implement their manifesto (the pre-election sales pitch to the electorate) and coalition governments tend to develop laws through negotiation and compromise with their government partners.

Functions of government 

The process of governing a country involves three main roles – making decisions, implementing those decisions, and enforcing compliance through a system of courts:

• law maker 

• law implementer 

• law enforcer.

Law maker

Governing involves taking major decisions that may affect the lives and environments of individuals and organizations. Elected governments in a democratic system hold the power to make the law, and there is usually a series of checks and balances including a bicameral legislature (i.e. an Upper House and a Lower House) and other established processes to ensure that this is fair.

Law implementer

The government holds responsibility for putting laws into effect. The day-to-day administration is carried out by non-elected officials called civil servants, whose major role is implementing public policy. While politicians may come and go, civil servants are permanent career positions. They are expected to act in a non-partisan way, and this allows for continuity of governance, for example, when one government loses power to the next.

Law enforcer

The third arm of a government is a judiciary and system of courts. It is a hallmark of democratic systems that there be separation between the law enforcement role of ‘the judiciary’ and the other two main functions. An independent judicial system, free and able to challenge the government and review its decisions, provides a further check and balance to a democratic government – and it protects citizens from a state that has become too powerful.

Auditors need an appreciation of how political factors can impact upon auditees – for example, how laws are initiated, developed, implemented and enforced. A review of legal compliance will be necessary in a number of auditing assignments.


Trans-frontier government 

As noted earlier, political influences are not restricted to national boundaries. International groupings such as the Group of Eight (G8) (formerly the Group of Six (G6) and the Group of Seven (G7)), the World Trade Organisation (WTO) and the European Union (EU) add far-reaching dynamics to an external environment with an increasingly profound influence.

G8

The USA, Japan, Germany, France, Italy, Canada, Russia and the United Kingdom (UK) (together representing 66.5 per cent of the world’s economy) meet regularly to discuss matters of mutual interest. Known as ‘economic summits’, these attract significant interest from protestors and media alike.

WTO

The World Trade Organisation was formed in 1995 to supersede the General Agreement on Tariffs and Trade (GATT), which had been formed in 1947 to assist with re-establishing trade at the end of the Second World War. With a large membership – and many other countries indicating that they wish to join – the WTO is credited with opening up global trading within a framework of agreed rules.

EU

The EU is (in 2006) a group of twenty-five European nations. It was founded in 1958 by the Treaty of Rome with six original members (West Germany, France, Italy, Holland, Belgium and Luxembourg). Progressive enlargement in 1972 (UK, Denmark, Eire), 1981 (Greece), 1986 (Spain and Portugal) and 1995 (Austria, Finland, Sweden) was further magnified on 1 May 2004 when ten new members were admitted (Cyprus, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Malta, Poland, Slovakia and Slovenia).

Bulgaria and Romania may become members of the European Union in January 2007. In December 2004, the European Council decided that in the light of a European Parliament resolution, Turkey had sufficiently fulfilled the Copenhagen criteria to open accession negotiations.

The aim of the founding Treaty of Rome was to create a common market to promote trade, and bring national economies closer together. This convergence led towards the creation of a single market, when the members signed the Single European Act, effective 31 December 1992, comprising the following features:

• reduction in legal and other obstacles to cross-border travel and trade

• harmonization of technical/safety standards

• convergence of excise duties

• mutual recognition of qualifications.


Other treaty provisions provide for:

• monetary union, which was achieved in eleven member countries on 1 January 1999

• a social chapter to protect workers (including their health and safety)

• common foreign and security policies.

Time will tell when and whether further countries will adopt/be permitted to adopt the Euro as their common currency.

To put in place such a significant series of changes, literally hundreds of new laws and regulations have been required in the member states. For completeness, a very brief summary of the architecture of the EU, in terms of its principal bodies, follows:

• The European Parliament

• The Council of Ministers

• The European Council

• The European Commission

• The European Court of Justice.

The European Parliament

A directly elected body of 732 members, with representation from each member state based on the size of its population. Much of the work is undertaken by specialist committees, which make recommendations to full meetings held in Strasbourg.

The Council of Ministers

The ultimate decision-making body of the EU comprises one minister from each member state. The presidency of the Council rotates between members on a six-monthly basis. It is responsible for major policy decisions, which are published as regulations, directives, recommendations or opinions.

The European Council

Comprising the Foreign Minister from each member state, its role is to discuss and propose policy to the Council of Ministers.

The European Commission

The European Commission is the ‘civil service’ of the EU and guardian of the treaties. It has offices in Brussels and Luxembourg, and comprises Commissioners from member states and a staff of c. 20 000 drawn from all member states.

The European Court of Justice

Judges sit in Luxembourg to pass judgement on the interpretation of EU laws. The Court can set aside measures which have been adopted by the Commission, the Council or governments of member states which are incompatible with the treaties. Decisions are binding upon the member states.


Auditors need an understanding of the political environment in which their audit work is to take place so that they can contextualize the possible risk areas upon which they will later base their audit opinion.

We found Budd and Jones (1994) particularly insightful on the finer details of the EU, and further information is in the Reference section.

The economic environment

During November 1985, the US dollar and the GB pound sterling were trading roughly at parity (1:1) in London. At the time of writing, the exchange rate between these two great currencies is pretty close to 2:1. In a world where trade is often international, depending on where you operate, this would have had the effect of doubling or halving the price of raw materials and/or sales invoices. And of course, there are innumerable territories where this inflation/deflation ratio is much more significant. As markets globalize, the successes of organizations in different trading economies become increasingly interconnected. The economics of business are important external factors to be considered if an organization is to achieve its objectives.

Scarcity 

Scarcity is based upon the relationship between consumers’ ‘wants’ and the resources available (referred to earlier as input–output–input) to satisfy these wants. Consumers’ ‘wants’ are said to be insatiable, whilst resources are inevitably finite. Thus choices have to be made concerning priorities.

For example, does a society want better healthcare, or better education?

In practice, scarcity is managed by a number of factors, including:

• price – e.g. diamonds are more expensive than rocks

• rationing – e.g. tickets to ‘the Cup final’ are sold out

• queueing – e.g. there is a waiting list to see the eye surgeon.

Price is deliberately at the top of this list, and often sorts out the other two; supply and demand are set in the marketplace. Much can be learned by an organization by considering the scarcity and demand for its output.

Case study

A publisher of an annual sports almanac undertook a strategic review with the aim of increasing profitability. The review revealed that it was the only publication of its type, and that this scarcity provided a near-certain inelasticity in demand from its customers. It increased the sales price, and thus its profitability.


Economic systems

An important distinction in economic theory is between those that are centrally planned, and those that operate under market conditions.

Centrally planned economies

This type of economy is generally associated with socialist economies, such as China, Eastern Europe and Cuba. The main production decisions are taken by a central authority. Characteristics of this type of economy are:

• state control of resources

• state control of priority for use of resources

• targets for production to balance supply and demand are set by the State• prices too are set by the State.

Free-market economy

More common in the early parts of the twenty-first century are free-market economies, where prices determine the allocation of resources. Characteristics of this type of economy are:

• privately owned resources, hence owners can choose how and when to consume them

• privately owned organizations operate free from state intervention

• customer is king – consumers choose how to spend their money.

A-Factor 4: Recognize that, ultimately, market forces tell organizations – if they are listening carefully – what to produce (quality), when to produce it (delivery on time) and the price to charge (price). Set out, these objectives should be represented in the business plan.

Macro-economy

Macro-economic theory concerns an economy as a whole, dealing with such matters as overall levels of employment, the rate of inflation (use of a retail price index measures how spending is affected by price changes), and the annual rate of growth of output from an economy.

A simple economy comprises cyclical flows of money (and other financial instruments) between organizations and consumers, as

• organizations provide income to households (salaries)

• households spend salaries on products by organizations and their services.

This cyclical flow shows that the fortunes of organizations are connected to the spending decisions of consumers; customers need to spend if organizations are to prosper. Thus levels of income, output, expenditure and employment in any economy are interrelated.

Recession occurs when these macro-economic indicators move negatively, and growth occurs when they move positively. Government uses tools such as interest rates to encourage or suppress consumer activity to promote growth aligned to its own objectives for the economy. Similarly, increasing company taxation to raise public expenditure injects additional income into this circular flow of money.

External economic factors also influence the spending decisions of consumers, such as the 2005–2006 increases in the price of petrol at service stations, caused by increases in the world price for crude oil following, amongst other reasons, political instability in Iran and Russia, and supply chain interruptions caused by Hurricanes Katrina and Rita in the Mexican Gulf regions of the USA.

Of course, the economy is much more complicated than this short section can possibly reflect. Everything affects everything else, and nothing can replace local analysis at the time any information is needed. Understanding how the macro-economy works helps organizations to set and achieve their business objectives.

The role of financial institutions

In a developed market economy, there will be a number of financial institutions, whose role it is to channel funds from those willing and able to lend to those wishing to borrow. These intermediaries include private banks, state banks and world banks.

Private banks generally lend to private customers on negotiated terms (usually based on the level of risk estimated in the transaction), gaining financial return from interest and other payments.

A state bank is a critical element in a country’s financial system (e.g. in Germany, Deutsche Bundesbank). Like most state banks, it exercises control over the domestic banking sector, and sets monetary policy to the needs of the economy.

World banks include:

• The International Monetary Fund (IMF)

• The Organisation for Economic Co-operation and Development (OECD)

• The World Bank.

IMF

Established in 1946, its role is to provide a pool of international funds to promote growth in world trade. It also involves itself with assisting developing economies with debt problems.

OECD

A forum established in 1961 in which powerful countries meet to discuss world economies. Its decisions are not binding, but its research is used by G8, IMF and other bodies.

The World Bank

An agency of the United Nations, established in 1945, to provide loans and technical assistance to developing countries.

The legal environment

Laws impact on many areas of activity conducted by all organizations. The areas that may be affected include, for example, minimum employment conditions (including health and safety), sales contracts for supply of goods and services, taxation, and environmental discharges to air, land and water. Penalty frameworks, known in the UK as sentencing guidelines, exist for those that are judged to have broken the law. These include fines and imprisonment for offenders.

This section provides an overview of the legal framework, written by non-legal practitioners for non-legal practitioners.

Classification and sources of law 

Laws have evolved over many years; in the UK, these are said to date as far back as the conquest of the land by William (the Conqueror) in the year 1066. The essence of laws from a general perspective is that in return for the protection provided to an individual or an organization by a law, the same individual is constrained by the same law that protects them. Laws exist to regulate behaviours of individuals and organizations, and collectively set out the minimum standards of conduct desired at any time by society at large in the territory.

Laws are derived from historic custom and practice (known in the UK as ‘common law’), and written laws have passed through the political law-making process and the cumulative judicial decisions of the courts, where lower courts are obliged to follow the decisions, ‘the ratio decidendi’, of the higher courts.

As governments come and go, laws are enacted, repealed and amended. Thus the law in many countries is dynamic, and an auditor will need an appreciation of the legal framework that applies to the auditee’s organization.

Law can be defined in a number of ways; the main features within a typical legal framework are summarized here.

Criminal law

Criminal laws relate to that which has been prohibited by legislation or statute in the interests of society at large, and are punished by the state upon conviction in a criminal court by a judge or a jury on behalf of the people. Fines and/or imprisonment are possible punishments. In the UK, the starting point for all criminal prosecutions is a Magistrate’s Court. More serious cases are referred to a Crown Court for judgement by a jury and sentencing by the judge.

Civil law and tort

The civil law concerns matters of law between individuals. A ‘tort’ is a civil wrong. Common torts include negligence, defamation and trespass. An award of damages or an Order of the court (perhaps requiring something to happen or something to stop) are typical outcomes. In the UK, civil judgements may be made in a County Court, and those where the remedy may be higher in value will be judged in the High Court.

Both the criminal and the civil law systems have superior courts, with a right of appeal in the UK to the Court of Appeal, and ultimately the House of Lords, which is the highest court for domestic purposes. Decisions of the European Court of Justice are supreme at European level.

Public law

Another useful distinction in law is between public and private law. Public law comprises those laws concerning the state, whether in national/international matters, or in the relationship between the state and an individual – for example tax laws.

Private law

Private law comprises those laws concerning the relationships between individuals, such as family, property, trust and contract laws.

International law 

The world is becoming a smaller place. There is an increasing tendency for nations to accede to international laws and treaties.

The Montreal Protocol, for example, is the agreed international framework that bans, except in particular circumstances, the manufacture of chlorofluorocarbons (CFCs), as they are generally thought to damage the protective ozone layer around Earth.

As discussed earlier, the European Union has provided an impetus in Europe for a harmonization of legal standards in many areas. Regulations made by the Council of Ministers are binding in all member states. Directives must be implemented into the domestic legal frameworks of each member state.

Case study

An example of how European law can impact upon national matters was the interesting case of Jean-Marc Bosman, a Belgian footballer. Out of contract with Belgian club RFC Liege, Bosman sought to play the game in France with Dunkerque. When Liege demanded a transfer fee and the French club declined to pay, Bosman referred the matter to the European Court of Justice. In the 1996 judgement, it was ruled that clubs could no longer request a transfer fee if a player out of contract wished to play elsewhere in Europe, as it violated the right established in the Treaty of Rome for European workers to work in any member country. Since then, players regularly move from one club to another in these circumstances, and are commonly said to have ‘gone on a Bosman’ (Blanpain and Inston, 1996).

Business organizations and the law 

As we have said, business is concerned with the conversion of input to outputs. The prevailing legal systems provide a controlling, constraining framework in which these activities should be conducted.

Business can be helped by laws (e.g. assistance to collect payment of invoices) as well as being constrained by them (e.g. prohibition of disposal of waste into drainage systems).

The following table provides some examples of interest to auditors of legal influences upon various business activities:

Business Activity     Possible Legal Influences
Start up              Company, tax laws
Operations            Employment, health & safety, product safety laws
Building extension    Planning, environmental, fire laws
Deliveries            Consumer, road safety, transport of dangerous goods laws
Being an auditor      As above, + defamation and contract laws

Tip – As an auditor (particularly if self-employed), it is a good idea to have a readily accessible source of legal advice. Some professional bodies offer such a service as a part of the membership fee. Alternatively, a relationship with a professional legal practice may be useful.

Areas where such legal advice may be valuable include:

• review of terms and conditions of business

• review of contracts (employment, work orders, etc.)

• review of wording of audit reports

• advice on legal matters.

The environment concerning resources

Businesses exist to produce goods, services, information and other outputs from their inputs. The critical inputs are human beings to ‘do the work’ and ‘buy the goods’, a supply of resources (renewable or non-renewable) and the necessary technologies for the process. In an earlier part of this chapter, we called these (as economists do) the factors of production – land, labour and capital.

Land and natural resources

Natural resources include land, land deposits, oceans and rivers, flora and fauna and the weather. An important distinction is between renewable resources and non-renewable resources. Either way, it is generally true that our resources are finite in supply (though small areas of land can be reclaimed from the sea at large cost).

Land use is renewable. We can build on it, demolish the structure, and build on it again. We can plant crops each year (though to do so on formerly industrial land would probably not be a good idea, unless an extensive ‘clean up’ has been done).

Fossil fuels are not renewable. When we extract oil, refine and introduce it to an internal combustion engine, that oil is gone forever. How many years of hydrocarbon fuels remain is subject to debate, and probably uncertain at this time.

In recent years, ‘the environment’ has become centre-stage, both politically and as a necessity. Predicted rates of increase in average temperatures have compelled attention, particularly to reduce CO2 emissions. At the same time, recycling and energy efficiency have become prominent in many developed areas of the world. Whether we have done enough remains to be seen.

Labour (people)

Human beings are important, both as producers and consumers of goods and services. Figure 1.2 and the associated text will serve as a reminder. Many production processes are people-intensive, and accordingly, having a suitable supply of educated, motivated and affordable staff is important to most businesses. Throughout their working careers, many organizations will tend to want to develop the education and motivation of their staff, and reward successes in these areas with promotions and salary increments.

Organizations seeking to develop their business in a territory will find the following factors helpful in identifying a workforce:

• the total population of a territory

• the age structure of the population

• the retirement age

• the working population

• the mobility of the working population

• the occupational structure of the working population

• the education level of the working population

• the length of the working week

• wage levels/minimum wage levels/trade union involvement.

Marketers conduct similar analyses for establishing customers and markets.

Tip – In the UK, annual statistics on some of these and many other demographic factors are published by the Office of National Statistics and available from The Stationery Office. Refer to this (or similar documents) when detailed information is required.

Case study

A small organization’s business was the buying and selling of concert souvenirs for ‘B’ list artistes and bands on tour. When it identified large foam ‘spongy hands’ printed with the artiste’s name as a potentially attractive product, it purchased 1000 at a cost of 20p (a fifth of £1 GBP), and sold out at £3 (GBP) each on the first night of a multi-night concert tour by a comeback act – a mark-up of 1500%. In the second year as his memorabilia agent, the organization trebled its order, and sold out on the second night of the tour. Expecting to ‘make it big’ in the third year, the purchase order was multiplied by ten, still at the year-one cost price. The organization was not able to sell even one of its orders. Why?

The year was 1997, and the artiste’s name was Paul Gadd, known to his fans as Gary Glitter. Many external factors are way beyond the control of organizations.

Capital and technical factors

Flows of capital to business are undiminished, and these are providing for unprecedented changes in the input → process → output cycle. There have been simply massive changes in technology in recent years, and (for some, perhaps worryingly) as Fareed Zakaria, Editor, Newsweek International observed in Newsweek magazine (2006):

The 21st century will be the century of change. More things will change in more places in the next ten years than in the previous 100.

Technological change leads to new products and services (including profound changes to the life expectancy of human beings as previously incurable conditions are treated), new markets, increased automation and displacement of people from processes, faster exchange and storage of data and information, and greater possibilities for intrusion and loss of privacy.

The internet is presently transforming the way in which people shop, communicate and access information. It is difficult to predict how the internet will change in the future, suffice to say it will.

Research into (for example) new processes, materials, crops, pharmaceuticals, vehicles, and sources of energy turns up new developments all the time.

Barriers to technical developments include lack of skill in the workforce, or redundant skill, where technology has moved at a pace where parts of a workforce have not been retrained quickly enough. Exhaustion of natural resources (as noted earlier), and particularly fossil fuels, could impede future technical developments.

All of these three inputs to businesses – land, labour and capital – are interconnected. For example, the productivity of human beings and the efficiency of plant and equipment will be impacted by the technology available to them at any point in time. These inputs are essential to organizations, because without them, conversion cannot take place.

As an auditor, it is likely that you will be exposed to new technology, ranging from the R&D department in the auditee’s organization, the new lean-burn aircraft you flew to site in, through to the new audit-reporting software on your palmtop computer. As part of your CPD (continuing professional development) programme, keeping abreast of appropriate developments is a good idea.

Management’s interpretation of their own business environment

Management’s role is to take account of the business environment considered by them to be reasonably relevant to their sphere of operation, and to reflect this output of their analysis in the decisions that they make, based on their most realistic interpretation of the opportunities and/or threats faced. The most usual place for this will be contained within their business plan, and the specific objectives contained within it.

Management will often express their analysis and the subsequent developments expected of their businesses in a series of corporate documents. The first of these is often a statement of ‘vision’ of how the organization will be in the future. A ‘mission’ statement provides the purpose of the organization, and a series of business objectives for the plan year and beyond will be established. These will be used as a means of cascading the essential activities (as seen by the top management) throughout their organization.

Figure 1.5 Business Environment → Vision → Mission → Business Objectives

Figure 1.5 shows how this ‘cascade’ looks.

A-Factor 5: Top management should balance the influences of the competing external and internal environments to face its target market(s) with aligned and well-communicated business objectives.

As auditors, you’ll learn in this book that your work concerns the likelihood and the severity of impacts on the achievement of these business objectives. You should be prepared also to challenge these set objectives in appropriate circumstances.

What is risk? 

Ask a manager from the twenty-first century ‘What is risk?’, and as likely as not, you’ll be told that it is an estimation of the likelihood and severity of some physical harm occurring. Health and safety managers have been busy in many organizations, and risk assessments are common in developed territories. In this understanding, some managers will use words such as frequency or probability, and some will use words such as impact or consequence. Either way, most will know that risk concerns a reasoned view of the future that can be calculated and planned. The greater the risk, the greater the need for control.

No director can ignore the risk to the reputation of his (sic) company and its brand that health and safety and environmental expectations present.

– Sir Nigel Rudd, one of The Times Power 100, and holder of four FTSE directorships (in Eves and Gummer, 2005).

However, ‘risk’ can, and should, be defined as any type or source of harm – either perceived as positive or believed to be negative (also referred to in this book as ‘value creation’ and ‘value protection’) – with potential for impact upon the achievement of the organization’s stated (or formally unstated, but still obvious) objectives:

the combination of the severity of harm with the likelihood of its occurrence

– From HSG65, Health and Safety Executive (1997).

combination of the likelihood and consequence(s) of a specified hazardous event occurring

– OHSAS 18001:1999.

a combination of the hazard and the loss and, in any given set of circumstances, risk takes into account the relevant aspects of both.

– Boyle (2002).

the chance of a particular situation or event, which will have an impact upon an individual’s, organisation’s or society’s objectives, occurring within a stated period of time.

– Fuller and Vassie (2004).

Risk can be expressed and measured in two main ways:

• gross

• residual.

Gross risk

Gross risk implies the risk exposure before the effect of the selected business control framework is accounted for. Some call this the ‘pure’ or ‘inherent’ risk.

Residual risk

The residual risk is the remaining risk exposure after the mitigating and compensating factors of the business control framework are accounted for. Some controls tend to reduce likelihood (e.g. preventative controls such as a well-trained workforce or fixed guards on machines) and some controls tend to reduce severity (i.e. detection, containment, mitigation and restoration controls). Other controls can reduce both likelihood and severity (elimination and substitution controls, such as low-toxicity chemicals). Some call this residual risk the ‘net risk’.

A true case study?

Asbury and Ashwell were exploring at the North Pole, when they came about a huge polar bear. The bear growled angrily, and it rubbed its stomach in a hungry manner, clearly relishing the hearty meal which had just walked in. As experienced visitors to polar climes, the intrepid explorers were both wearing the expected ‘tennis racket style’ snow-shoes as part of their risk control measures.

Asbury began removing his snow-shoes so as to be able to make a dash to safety. Ashwell said, ‘But Steve, you’ll never outrun a polar bear in its own terrain.’

As a risk manager, what would have been Asbury’s response?

His response – ‘I don’t have to; I have only to outrun you!’

A-Factor 6: Risk is anything which may hinder or assist achievement of business objectives. It is generally quantified in terms of its residual likelihood and severity. Value creation and value protection are the essence of an organization’s success.

A brief history of risk

‘Risk’ has a fascinating history, which is beautifully narrated by Peter Bernstein in his book Against the Gods (1996). You would not have to go back in time many years for modern clarity of approach and measurement to be lost. A well-educated individual a thousand years ago would not recognize the number ‘0’, and would probably not pass a basic mathematics test. Five hundred years later, few would do very much better. Without some form of measurement, some numbers, risk was a matter of gut feel.

The ‘power of numbers’ arrived in the West in the early thirteenth century, when a book entitled Liber Abaci appeared in Italy, fifteen wholly handwritten volumes written by Leonardo Pisano (but commonly known as Fibonacci). Fibonacci is best known for a series of numbers, which provided the answer to the problem of how many rabbits will be born during the course of one year from one pair, while assuming that every month, each pair produces another pair, and that rabbits start breeding aged two months – the answer is 233; and the twelve month-end totals for the year would be 1, 2, 3, 5, 8, 13, 21, 34, 55, 89, 144, 233. Each successive number is the sum of the two preceding numbers, and if one number is divided by the next, the answer is approximately 1.6. This ratio features in nature (e.g. in shell spirals, leaves and flowers) and in architecture (e.g. the General Assembly Building of the United Nations in New York). Playing cards are similarly proportioned. The Fibonacci series also features in the book and film The Da Vinci Code, where a dying Jacques Sauniere leaves a code for Robert Langdon to decipher. Fibonacci identified the ‘power of numbers’ in the West for the first time, but using them to assess risk still remained many years in the future.

Bernstein (1996) comments on the development of risk over the last millennia:

What is it that distinguishes the thousand years of history from what we think of as modern times? The answer goes way beyond the progress of science, technology, capitalism and democracy. The revolutionary idea that defines the boundary between modern times and the past is the mastery of risk: the notion that the future is more than a whim of the gods and that men and women are not passive before nature. Until human beings discovered a way across that boundary, the future was a mirror of the past or the murky domain of oracles and soothsayers.

He gives an interesting account of this history, suggesting that:

The ability to define what may happen in the future and to choose amongst alternatives lies at the heart of contemporary societies.

Hazard and risk 

A modern definition of hazard is ‘the potential for harm’. The word hazard is said to derive from the Arabic word for dice – al zahr.

We have seen a representative sample of definitions of risk on page 25, though there are many others. The word risk is said to derive from the early Italian risicare, which means ‘to dare’. To dare implies the freedom to choose, and possibly to fail.

Dice is a game of luck, of pure chance, of pure hazard. Whilst lots of things have potential for harm (al zahr), managers can choose to dare, and decide how and when to respond to hazards. This choice influences the likelihood of the harm occurring and the severity of this harm, should it occur.

This ‘daring’ to participate in the business environment includes choosing to stop doing something (or not starting in the first place) if the risk is too great. Other choices are to transfer the risk to someone else (to share or insure), or to take actions to mitigate the risk (treatment). After the choices have been taken, the residual risk is taken knowingly.

Case study

The scientist who developed the Saturn V rocket responsible for mankind’s forays to the Moon put risk this way:

You want a valve that doesn’t leak and you try everything possible to develop one. But the real world provides you with a leaky valve. You have to determine how much leaking you can tolerate.

– From obituary of Arthur Randolph in the New York Times, in Bernstein (1996).

Once in a coffee shop

As noted, there are several ways of dealing with ‘risk’. One of these is to insure against loss. Insurance works when the losses of the few are reimbursed by the premiums of the many. Following the great fire of London in 1666, there was an increasing demand for insurance. Business people would meet in coffee shops, and one of those rose to prominence.

Edward Lloyd opened a coffee shop on Tower Street, London which was firmly established by 1688. It was a popular place for London’s sailors; so popular that it moved to larger premises in Lombard Street in 1691. Responding to the needs for shipping information from his customers, he provided a schedule of arrivals and departures of ships from the port of London. Thus ‘Lloyd’s list’ was born, and later used by captains of ships to consider the risks in various shipping routes.

Shipowners seeking insurance would go to a broker who, in turn, would ‘sell’ (or transfer) portions of the total risk to individuals, who would confirm their agreement to cover a percentage of any loss by signing their names to the contract. Such ‘writing under’ each other, to cover the full value, became known as ‘underwriting’.

By 1771, seventy-nine of these underwriters had each subscribed £100 to form the Society of Lloyd’s – the original ‘Lloyd’s names’. The names committed all their assets to secure their insurance promise. That commitment was the principal reason for the rapid growth and excellent reputation held to this day of insurance underwritten at Lloyd’s. After several relocations, it moved to One Lime Street, its current location, opened by the Queen in November 1986.

Case study

When anyone asks me how I can best describe my experience of nearly forty years at sea, I merely say uneventful. Of course there have been winter gales and storms and fog and the like, but in all my experience, I have never been in an accident of any sort worth speaking about. I have seen but one vessel in distress in all my years at sea I never saw a wreck and have never been wrecked, nor was I ever in any predicament that threatened to end in disaster of any sort.

– From a paper presented by E.J. Smith in 1907.

On 14 April 1912, RMS Titanic sank with the loss of 1500 lives. The captain went down with the ship. His name – E.J. Smith (Toone, 2004).

The practicalities of understanding risk 

We have discussed earlier the basic system for transformation of inputs to outputs to inputs (see Figure 1.2 and associated text).

Figure 1.6 shows the reality of this for any business. On the left side is the aspiration of the entrepreneur, seeking funding for the enterprise, and investment in the necessary resources. On the right side is the ‘Vision’, of the achievement and success stated in whatever terms those entrepreneurs have decided. Connecting the two sides is ‘risk management’, which certainly is not a game of cards.

Figure 1.6 Risk – ‘Not a Game of Cards’ (figure labels: Start, Investors, Excellent business plan, Modern assets, Risk management, Bonuses and dividends, Bravo!, Vision)

Figure 1.7 Simple risk-ranking matrix (axes: Likelihood, Low to High; Severity, Low to High; regions: Low risk, Medium risk, High risk)

Not all organizations are equally successful, and how any business responds to the

risks in its environment will be a significant feature of its success (or failure).

Figure 1.7 shows a simple risk-ranking matrix, and Figure 1.8 shows how a

corporation has developed this to highlight a variety of risk areas in greater detail.

A-Factor 7: R = L × S (Risk = Likelihood × Severity).

The greater the risk, the greater the (implied) urgency for response to that risk.

 Just how low a residual risk should be depends upon the ‘appetite’ for risk in the

management of the organization. Some readers will be familiar with terms such as

‘ALARP’ (As Low As Reasonably Practicable) and ‘so far as reasonably practicable’,

but these are beyond the scope of this book. Suffice to say that there is an established

hierarchy for risk response (treatment), known as ‘ERIC’, as follows:

• Eliminate – terminate exposure to the hazard

• Reduce – reduce the exposure

• Isolate – contain the hazard by physical or other means

• Control – other means, including safe systems of work, training and so on.

Tip – Remember ‘famous Eric’, when a significant risk is identified. Many people

have a ‘famous Eric’ – whether a parent, a relative or a friend. In training courses,

to encourage delegates to remember ‘ERIC’, we have referred to Eric Cantona

(famous footballer), Eric Morecambe (famous comedian) or Eric Clapton (famous

musician).


Figure 1.8 A more-developed risk-ranking matrix

[Matrix of increasing severity (impact of an incident) against increasing likelihood.

Severity scales: H&S (slight injury, minor injury, major injury, 1 to 3 fatalities, multiple fatalities); Assets (slight, minor, localised, major, extensive damage); Environment (slight, minor, localised, major, massive effect); Reputation (slight, limited, considerable, national, international impact).

Likelihood scale: never heard of in industry; heard of an incident in the industry; incident has occurred in our company; happens several times per year in company; happens several times per year at location.

Response zones: manage for continuous improvement; incorporate risk controls; demonstrate ALARP; intolerable, investigate alternatives.]

A-Factor 8: Look for the application of ERIC whenever and wherever there

is a significant risk.

Auditors and risk 

An essential first step for an auditor is to consider risks in the context of the environment in which the auditee’s organization is operating – of course, not all environments are the same (politically, economically, legally or otherwise).

We have described the process for estimating risks (e.g. using a typical risk assessment matrix to qualitatively assess the significance of each identified risk area), and in effect, auditors will be following in the footsteps of the auditee’s management when they are selecting a sample of risks for review and verification in their audit work plan.

Three questions (Asbury, 2005) will invariably assist auditors (as no doubt they may have assisted management) to decide the significance of the identified risks:

• how often will this happen (the likelihood, frequency, probability)?

• how big could the impact be (the severity, impact, consequence)?

• who is likely to be impacted by an occurrence (which stakeholder groups)?

NB – By ‘stakeholders’, we mean five specific groups – shareholders, customers,

employees, suppliers and society at large.


The authors recommend that HSEQ auditors focus upon the relative incidence of 

risks within the auditee’s activities. A useful idea is to focus on the top 10–20 of such

risk areas, ultimately selecting a sample size depending on the time available.

There are many quantitative risk evaluation/estimation methodologies and software toolkits available. Too much focus on precise risk-scoring by auditors can easily

become counter-productive, and this is supported by our experience of over 1000

audits and the feedback from thousands of our course delegates. Therefore, it is

wise to avoid the ‘numbers game’ (Asbury, 2005). Qualitative methodologies are

generally better suited for use by HSEQ auditors, who will have less time available

than full-time site managers to select and investigate a sample of risks.

A-Factor 9: Know that ultimately an audit is an independent and balanced

assurance to stakeholders regarding an organization’s ability to meet its business

objectives, in increasingly volatile business environments.

In Chapter 2, we will consider the development and rise of business control as a

technique for making a successful transition from vision to reality more likely.

For example, organizations seeking excellence in worker health and safety are increasingly likely to use systematic techniques to meet (UK) legal requirements first established in 1802, and significantly amended in 1961, 1974 and 1992. From the first environmental law in 1307, when Queen Elizabeth published a proclamation prohibiting the burning of sea coal in London while Parliament was in session (Willis Corroon, 1996), up to the newest legal requirements for Integrated Pollution Prevention and Control (IPPC), business control frameworks have provided a systematic approach for the twenty-first century.

We will also summarize the relatively new and important theme of corporate social

responsibility (CSR), comprising the increasing expectation by all organizational

stakeholders for transparency. The business response to CSR has provided both

‘greenwash’ (such as pictures of meadows, trees and children); plus targets and statistics

galore.


2 Business Control

 A brief history of business control

The concept of using systemic business control frameworks to assist management in

carrying out business activities has been around for twenty-five centuries (Figure 2.1).

Some feel that a significant moment in the history of Business Control was the birth, on 14 October 1900 in Sioux City, Iowa, of W. Edwards Deming (Figure 2.2).

Deming trained to be an electrical engineer and received a Ph.D. in mathematical physics at Yale. He worked briefly as an engineer in Chicago before becoming a statistician, working in the US Bureau of Census. But fortunately for the world, his continuous quest for understanding deviation from the norm led him to become one of the founding fathers of the quality movement. After World War II he was sent to work in Japan and it was there in the 1950s that he developed, together with fellow American, Joseph Juran, production and management theories that later became known as the ‘right first time’ philosophy in Japanese industry. Leading industrialists credited them with giving birth to an industrial revolution through the way they developed statistical control of quality levels into a new way of managing business.

Plan–Do–Check–Act

At the heart of Deming’s legacy to the business world is his adoption in his teaching of the ‘Plan–Do–Check–Act’ (PDCA) cycle which was originally developed by his friend and mentor, Walter Shewhart. The shorthand PDCA mnemonic has borne the test of time despite the efforts of many consultants and academics who have substituted Deming’s simplicity with complexity. We know it today as the Deming Wheel (Figure 2.3). It can be as easily applied as a ‘wheel within a wheel’ to illustrate the relationship of core business processes to corporate and strategic processes.

Deming saw that the elimination of waste could be achieved by aligning processes coherently and then carrying them out in a manner that was as close to the laid-down standards as they could be. The armaments industry was the one to see the potential of a ‘quality’ approach to manufacture as every time an item of munitions failed to explode upon impact, or as designed, all the resources that were consumed before launching the munitions at its target had zero payback, since the enemy’s soldiers and equipment had not been destroyed as intended or the war won. For example, some observers feel that the outcome of the Falklands War (Guerra de las Malvinas) – an effective state of war between Argentina and the UK between 2 April and 14 June 1982 over the long-disputed territories of the Falkland Islands, South Georgia and the South Sandwich Islands – might have been quite different if more of the bombs launched by the Argentinean air force, that successfully hit their targets amongst the Royal Navy, had actually exploded. Would all the bombs have exploded as designed if they had been manufactured and assembled by Honda?

4th Century BC

• Sun Tzu

13th Century

• Leonardo Pisano

15th Century

• Luca Pacioli

18th Century

• Adam Smith

19th Century

• Henri Fayol

• Frederick W Taylor

• Henry Ford

• Toyoda family

• Alfred Sloan

• Tomas Bata

• Max Weber

20th Century

• Konosuke Matsushita

• William Deming

• Jehangir Tata

• Joseph Juran

• Peter Drucker

• Akio Morita

• Charles Handy

• Henry Mintzberg

• Tom Peters

• Rosabeth Moss Kanter

• Kenichi Ohmae

• Michael Porter and others

Figure 2.1 Timeline for development of management system thinking

Figure 2.2 W. E. Deming. Reproduced with permission from W. Edwards Deming Institute®


Figure 2.3 The Deming Wheel (Plan, Do, Check, Act)

© 1982, 1986 by W. Edwards Deming Printed with permission from Massachusetts Institute of Technology, publishers of Out of the Crisis

Management truths

In his book Out of the Crisis, Deming (1989) set out his System of Profound Knowledge (Figure 2.4) and his 14 Points of Management (Figure 2.5), some 40 years after his teaching had been listened to, accepted and benefited from by the Japanese.

Deming believed that to effect transformation of the style in which something is currently being managed there had to be an external perspective. He called this a System of Profound Knowledge; it was his approach to understanding organizations and had to be applied through the transformation of the individual, who, once transformed, would:

• Set a good example

• Be a good listener, but will not compromise

• Continually teach other people

• Help people to move into a new way of working

The system can be illustrated in four parts which are all interdependent upon and inter-related to each other:

1 Appreciation for a system

2 Knowledge about variation

3 Theory of knowledge

4 Psychology

Therefore leaders of organisations that required transformation, and the managers involved, needed to learn the psychology of individuals, the psychology of a group, the psychology of society, and the psychology of change. Some understanding of variation, including appreciation of a stable system, and some understanding of special causes and common causes of variation, are essential for management of a system, including management of people.

Figure 2.4 The Deming System of Profound Knowledge

© 1982, 1986 by W. Edwards Deming Printed with permission from Massachusetts Institute

of Technology, publishers of Out of the Crisis


Deming’s 14 Points of Management has been one of his abiding contributions to the transformation of organizations. He said that problem solving, big or small, was insufficient. If management really wanted to signal that they intended to win in business and aim to protect stakeholders’ interests they had to sincerely adopt and effectively implement his 14 points.

1. Create constancy of purpose toward improvement of product and service, with the aim to become competitive and to stay in business, and to provide jobs.

2. Adopt the new philosophy. We are in a new economic age. Western management must awaken to the challenge, must learn their responsibilities, and take on leadership for change.

3. Cease dependence on inspection to achieve quality. Eliminate the need for inspection on a mass basis by building quality into the product in the first place.

4. End the practice of awarding business on the basis of price tag. Instead, minimize total cost. Move toward a single supplier for any one item, on a long-term relationship of loyalty and trust.

5. Improve constantly and forever the system of production and service, to improve quality and productivity, and thus constantly decrease costs.

6. Institute training on the job.

7. Institute leadership. The aim of supervision should be to help people and machines and gadgets to do a better job. Supervision of management is in need of overhaul, as well as supervision of production workers.

8. Drive out fear, so that everyone may work effectively for the company.

9. Break down barriers between departments. People in research, design, sales, and production must work as a team, to foresee problems of production and in use that may be encountered with the product or service.

10. Eliminate slogans, exhortations, and targets for the work force asking for zero defects and new levels of productivity. Such exhortations only create adversarial relationships, as the bulk of the causes of low quality and low productivity belong to the system and thus lie beyond the power of the work force.

• Eliminate work standards (quotas) on the factory floor. Substitute leadership.

• Eliminate management by objective. Eliminate management by numbers, numerical goals. Substitute leadership.

11. Remove barriers that rob the hourly worker of his right to pride of workmanship. The responsibility of supervisors must be changed from sheer numbers to quality.

12. Remove barriers that rob people in management and in engineering of their right to pride of workmanship. This means, inter alia, abolishment of the annual or merit rating and of management by objective.

13. Institute a vigorous program of education and self-improvement.

14. Put everybody in the company to work to accomplish the transformation. The transformation is everybody’s job.

Figure 2.5 Deming’s 14 Points of Management

© 1982, 1986 by W. Edwards Deming Printed with permission from Massachusetts Institute

of Technology, publishers of Out of the Crisis


His ideas are still vibrant signposts for managers and auditors today. Deming saw immutable truths in the system of management. For example: a manager of people needs to understand that all people are different; a manager needs to understand the interaction of psychology and statistical variation, for example the number of defective items that an inspector finds depends on the size of the workload presented to him; an inspector, careful not to penalize anybody unjustly, may pass an item that is just outside the acceptable borderline; fear invites wrong figures; bearers of bad news fare badly and so, to keep their jobs, people present to their boss only good news; a committee appointed by the CEO of a company will report what the CEO wishes to hear. Would they dare report otherwise? Other observations by Deming are also relevant to today’s corporate practices; for example, accounting-based key performance indicators drive managers and employees to achieve targets of sales, revenue and costs, by manipulation of processes. In Deming’s opinion, the result of these types of outcomes is that statistical calculations and predictions based on distorted data may lead to confusion, frustration and wrong decisions.

It would be exceptionally unusual to find a management system, framework or model which is in use today which has elements or components that could not be mapped to one of the four interconnecting stages within Deming’s Wheel. For example, the words used in other models may be policy, planning, implementation and operation; checking and corrective action and review (Figures 2.6 and 2.7) but they are all aspects of Deming’s recognition that senior management must plan what needs to be achieved in both quantitative and qualitative terms and set about telling people what and how they should perform in order to be successful.

Figure 2.8 illustrates this correlation. Our business control model is shown on page 46.

Figure 2.6 OHSAS 18001:1999 - Elements of successful OH&S management (OH&S policy; Planning; Implementation and operation; Checking and corrective action; Management review; Continual improvement)


Figure 2.7 ILO–OSH 2001

[Table mapping the PDCA elements (Plan, Do, Check, Act) to three frameworks.

OHSAS 18001: OHS policy; Planning; Implementation & operation; Checking; Corrective action; Management review; Continuous improvement.

ILO OSH 2001: Policy; Organizing; Planning; Implementation; Evaluation; Audit; Action for improvement.

Our business control framework: Policy; Structure; Procedures; Supervision; Review & appraisal.]

Figure 2.8 Mapping control frameworks

A-Factor 10: Keep things simple – remember PDCA.

Information for management about control

In teaching people how to audit management systems, it soon became apparent that

a critical prerequisite for the auditor to carry out such audits was often missing.


There was extensive internal control guidance available for auditors that had been produced over many years by professional auditing bodies, but virtually nothing had been specifically written for auditees (management).

The auditee’s cupboard was overflowing with policies, governance guides, values and ethics, general business principles, vision and mission, laws and regulations, rules, mandates, main policy documents, organizational structures, reporting relationships, accountabilities, roles and responsibilities, competence standards, business process maps, training matrices, meeting minutes, action plans, insurance reports, plans, standards, strategic and tactical reviews, job descriptions, manuals of authority, audit reports, procedures, risk registers, etc. But there were very few high-level overview documents written from management’s perspective that described how these discrete internal controls should and could be implemented in a coordinated and complementary manner that would tie management’s activities in with delivering success for their organization.

In the USA, this lack of guidance for management and boards of directors was eventually recognized and action taken. The Foreign Corrupt Practices Act of 1977 stimulated a flood of proposals and guidelines from consultants and professional and regulatory bodies focusing on management’s responsibility for maintaining a system of internal accounting control.

Following on from their report on Fraudulent Financial Reporting in 1987, the Committee of Sponsoring Organisations of the Treadway Commission (COSO) conducted a review of the written material available on internal control. This work led to COSO’s well-known project to provide practical, broadly accepted criteria for establishing internal control and evaluating its effectiveness. Management could use it to support their recently emphasized responsibility for establishing, monitoring, evaluating and reporting on internal control. A seminal moment arrived with the publication in September 1992 of COSO’s Integrated Framework of Internal Control (Figure 2.9).

Throughout the 1990s, legislative and regulatory authorities across the world began to demand better standards of corporate governance generally. This was mainly a reaction to a litany of high-profile corporate failures which stimulated outrage from innocent parties who were affected not only directly, but also vicariously, by the actions of companies operating in their countries, cities, towns and countrysides. As all these outraged citizens were voters, the legislators took note that the majority wanted those responsible for running organizations to be held more accountable for their actions than in the past.

Many professional accountancy bodies across the world have long accepted the need for global standards. The International Federation of Accountants now ensure that all accountants and auditors worldwide subscribe to a global code of ethics. And there has been growing support for international standard-setters to develop and promote international standards of accounting and auditing.

Figure 2.9 COSO integrated framework of internal control

[Components: Control environment; Risk assessment; Control activities; Information; Communication; Monitoring. Elements shown: integrity & ethical values, commitment to competence, board of directors & audit committee, management philosophy & operating style; organizational structure, assignment of authority & responsibility, human resource policies & practices; organization-wide objectives, activity-level objectives, risk management, managing change; policies, procedures; management information systems, performance information, instructions & guidance; downwards, upwards, horizontal, departmental, external; ongoing monitoring, separate evaluations, reporting deficiencies.]

© 1992 by the Committee of Sponsoring Organizations of the Treadway Commission. Reproduced with permission from the AICPA acting as authorized copyright administrator for COSO

The interdependence of the economies of individual countries requires high and globally accepted, applied and enforced management standards that act as the most effective solution for balancing the needs of regulatory authorities with the needs of commercial and other organizations.

It is widely accepted that such standards are what give investors confidence in the

companies in which they invest, and other stakeholders the confidence to buy from,

work for, supply to and live next door to them.

They require that organizations and their senior management throughout the world, operating in both private and public sectors, must demonstrate:

• accountability (of managers to stakeholders)

• integrity (to attract financial and social support)

• transparency (of their operations and financial position as reflected in their statutory and voluntary reports to stakeholders).

COSO’s framework became an accepted reference on internal control in the USA and around the world, and its implications for corporate governance led other countries to follow with their own expectations: the Cadbury Committee reported in the UK in 1992; the Greenbury Committee reported in the UK; the Criteria of Control Board (CoCo) of The Canadian Institute of Chartered Accountants reported in Canada and Marc Vienot first reported in France in 1995; the Peters Commission reported in The Netherlands in June 1997; the Hampel Committee reported in the UK in January 1998; KonTraG was published in Germany in March 1998; and the Turnbull Committee reported in the UK in September 1999. In the last 10 years, most developed and developing countries have issued guidance regarding corporate governance of major companies registered in their jurisdictions (Figure 2.10). Furthermore they are reviewing and updating that guidance in the light of experiences in their own and other countries.

West: Brazil, Canada, Jamaica, Mexico, Peru, USA

Europe: Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Macedonia, Malta, Norway, Poland, Portugal, Romania, Russia, Slovakia, Slovenia, Spain, Sweden, Switzerland, The Netherlands, Turkey, Ukraine, United Kingdom

Africa/Asia: Bangladesh, India, Kenya, Pakistan, South Africa

East: Australia, China, Hong Kong, Indonesia, Japan, Malaysia, New Zealand, Singapore, South Korea, Taiwan, Thailand, The Philippines

Copies of each country’s code(s) can be read on www.ecgi.org/codes

Figure 2.10 Countries with corporate governance guidelines

Essentially they all have the same message: an organization’s senior management (particularly directors of a public limited liability company) must take responsibility for two things:

• really understanding what the risks and opportunities of the company are and what it does to enhance performance on the basis of this knowledge

• informing external parties about what the company has been doing in a transparent and trustworthy manner.

During three of the most turbulent years in USA’s corporate history, COSO developed and then published in September 2004 their Enterprise Risk Management – Integrated Framework which was intended to meet the needs of these corporate governance expectations, by setting out principles and concepts, which could become a common language, and giving clear direction and guidance on enterprise risk management.

Internal control reference frameworks

COSO’s Integrated Framework of Internal Control continues to stand the test of time and is still a broadly accepted standard for satisfying an organization’s reporting requirements.


Now, in addition, the Enterprise Risk Management – Integrated Framework provides management with a more robust and extensive focus on the broader subject of organizational risk management. It was not intended to and has not replaced the internal control framework, since it incorporates the internal control framework within it, but organizations can use it to move towards a fuller risk management process.

A-Factor 11: To carry out successful management system audits effectively, an

auditor needs a relevant internal control reference framework against which

the auditee’s performance can be assessed.

The question is, ‘What constitutes a suitable internal control reference framework?’

And clearly the best answer is, ‘The internal control reference framework currently

being used by the auditee.’ And this is fine as long as the auditor has sufficient time

to get an understanding of that reference framework before they start the audit.

One problem that does arise in trying to select an appropriate reference framework is

the multiplicity of control frameworks with which managements are being asked to

comply. Sometimes the type of audit will naturally lead the auditor towards a particular 

reference framework. For example in Quality Audits ISO 9001, shown in Figure 2.11,

or in Environmental Audits ISO 14001 may be the primary frameworks. But often you

will find that the auditee has no particular framework or group of frameworks which

they are using personally because their company does not have a corporate-wide internal

control or risk management framework, such as COSO’s approach, and therefore they

are not expecting a structured means of control to give them reasonable assurance that they will meet their business objectives and carry out their activities in such a way that

they meet their responsibilities to their particular group of stakeholders.

A-Factor 12: Only by using a ‘structured management approach’ can an

auditee turn their high-cost Controls into profit-enhancing Control.

Case study

The explosion and fire at Longford, Australia in 1998 impacted not only people

at the facility, but the whole state of Victoria, yet occurred in an organization with a highly developed and complex integrated occupational health and safety

management system. Findings of the subsequent Royal Commission included this

statement ‘… there was a tendency for the administration of OIMS [Operational

Integrity Management System] to take on a life of its own, divorced from operations

in the field. Indeed, it seemed that in some respects, concentration upon the development and maintenance of the system diverted attention from what

was actually happening in the practical functioning of the plants at Longford.’

This significant disconnection between documented standards and the operations

culture was apparently not highlighted by the regular OIMS audits and reviews

carried out prior to the explosion.


ISO 9001:2000

• Focus is on top management involvement

• Continually improving processes to deliver customer satisfaction

• Quality manual & 6 mandatory procedures

• 20 requirements, now 5 sections

ISO 9001:2000 Clauses

4 Quality management system

5 Management responsibility

6 Resource management

7 Product realization

8 Measurement, analysis & improvement

4 Quality management system

The organisation should implement:

• A quality policy defining commitment to quality together with quality objectives

• A documented quality system (quality manual and a minimum of six specified procedures and others required by the organisation to ensure effective operation) which meets the requirements of ISO 9001 and details justification for any exclusions. The organisation should seek to continually improve the effectiveness of its business system. The quality manual should include a description of the interrelation of the processes. The extent of the documentation is dependent on the size & complexity of the organisation and the competence of its people.

• The key processes for achieving quality must be identified and measured and there must be controls in place to ensure the effectiveness of business processes.

• A procedure for controlling documents to ensure the correct information is available to users and that obsolete information is not used.

• A procedure for maintaining and controlling quality records to provide evidence of conformance of products to specifications and to enable investigation, corrective action and facilitate improvements to processes and products

5 Management responsibility

The directors/top management of the organisation have to demonstrate their commitment to the development and continual improvement of the quality system. They do this by:

• Communicating the importance of meeting customer and legal requirements and ensuring customer requirements are met with the aim of enhancing customer satisfaction

• Producing a Quality policy and objectives which is the focus of the quality system in satisfying customers and is a framework for setting quality objectives which can be cascaded to all levels as appropriate and is understood by everyone in the organisation

• Holding management review meetings to review performance of both the quality system and product and drive improvements in processes to satisfy customer needs

• Ensuring the organisation has the necessary resources to satisfy customers

• Appointment of a management representative to establish and maintain a quality system and promote quality awareness

• Ensuring that responsibilities and authorities regarding quality related tasks are clear and communicated

Figure 2.11 Description of ISO 9001:2000


6 Resource management

The requirements include:

• Top management to provide sufficient resources to implement and maintain the business system, continually improve its effectiveness to enhance customer satisfaction

• Ensuring competences for each position are identified and that people are competent through education, training and experience

• Training is identified to provide and meet training and competency needs

• Effectiveness of training is evaluated

• Training & evaluation records are maintained

• Infrastructure and working environment will be suitable to ensure product conformity

7 Product realization

Customer requirements

• The business processes for the organisation should be identified usually by flow charting

• The quality requirements for each product should be identified, together with the resources and processes to deliver them

• The organisation should also identify and implement controls for the checking, inspection and monitoring of each product together with quality records to demonstrate compliance to the quality objectives

• Customer requirements must be determined together with the organisation’s ability and capability of delivering the products on time and to specification

• Requirements not known by the customer but necessary to achieve product quality and any regulatory requirements such as CE marks must be determined

Design

• Quality plans (procedure/form/flowchart) will be used to control the design, development and production of the product or service

• Design and development must be planned and specifications (design outputs) checked to verify that they meet the customer’s (and other) requirements (design inputs), testing stages and trial runs will be included to review within the design and development process together with appropriate risk control and control points and inspection and testing in the process prior to production

• The interfaces of the organisation between different people and departments, customers & suppliers involved in the design must be managed to ensure communication is effective and responsibilities are clearly assigned

• All changes to designs are controlled i.e. with issue status and description of change

Purchasing

• All bought out materials and services used in the product must be from approved sources of supply, the level of control exercised is dependent upon their effect on the product or service

• The organisation should define the criteria for selection and evaluation of suppliers and subsequent re-evaluation. Records should be maintained of evaluation & re-evaluation & include actions arising from the re-evaluation

Figure 2.11 Description of ISO 9001:2000 (Continued )


• Purchase orders should be checked and signed before issuing and should contain or make reference to all technical specifications and testing requirements, this may include international standards for product design and performance

• All purchased products should be verified prior to use, the level of verification is dependent upon the other supplier controls in place

Control of production and service provision 

This is controlled through:

• Process flow charts, procedures and work instructions drawings

• Quality records

• Maintained and calibrated equipment and machinery

• Qualified people

• Identification and traceability of products

Handling and storage of products and materials 

Care and control of customer property

Figure 2.11 (Continued )

A-Factor 13: Whatever the auditee’s reference framework is, an auditor needs to have their own standard ‘structured management approach’ which they can use to simplify the complexity of an auditee’s framework, or to have something to hand if there is a vacuum.

The remainder of this chapter describes a simply structured management approach that we can use when we are auditing. It provides a robust reference framework, aligned to PDCA, which is simple in its structure, and when necessary, will allow auditors to map out and thus understand any of an auditee’s internal controls.

Business control framework 

The strength of the reference framework featured in the schematic (Figure 2.12) lies in its simplicity and flexibility and its reflection of all the features of modern management systems.

This is a straightforward business control model which comprises four interdependent strata: environment, planning, organization and operations.

As discussed in Chapter 1, all enterprises exist within a business environment which is subject to constant and increasingly rapid change, and that is likely to affect management’s business vision of risk and opportunity. Business objectives are the start point for risk management and should guide all the business processes of the enterprise. Risk management is a vital activity that identifies and prioritizes risks and opportunities. Business process analysis includes the identification of critical success factors and risks and, therefore, which business controls are needed and how the enterprise can be organized more effectively in line with its business processes.


[Schematic labels. Environment: business vision. Planning: business objectives, risk assessment. Organisation: policy, procedures, structure, supervision. Operations: application. Review loops: operations review & appraisal; organizational review & appraisal; business review & appraisal.]

Figure 2.12 Our business control model

Business controls for all processes can be classified under five ‘control mechanisms’ – policy, structure, procedures, supervision, and review and appraisal.

Business controls should be applied to business operations in an effective and efficient manner. Performance measurement, i.e., review and appraisal should be made from operational, organizational and business perspectives. Operational review and appraisal should involve quantitative and qualitative measures of performance. Organizational review and appraisal should confirm the appropriateness of business controls whenever operational or organizational changes are planned or environmental changes occur. Business review and appraisal should confirm the progress of the enterprise against its specified objectives. Changes in the business environment may mean that the enterprise’s objectives need to be revised, with subsequent organizational and operational reviews of the control framework.

All business control frameworks comprise various categories of control, which themselves are rooted in good management practice. Therefore, these categories can be considered both as components of a business control system and as essential criteria for an effective management system.

Environment and planning

Figure 2.13 shows the flight deck of the US Space Shuttle with its mass of instrumentation for measuring all the significant environmental features affecting the mission. Superimposed on the picture are a few examples of some of the environmental factors applicable to an organization’s mission.


[Labels superimposed on the picture: Legislation; Industry reputation; Competitors; Government investment; Political stability; New markets; Organized crime; Infrastructure; New technology; Education; ‘Look at the horizon’.]

Figure 2.13 Environmental factors

Business vision

Every enterprise needs a vision of what and where it wants to be. From such a vision, management can create strategies and specify business objectives which take full account of the opportunities and constraints inherent in a range of possible business environments, the resources that should be deployed and the enterprise’s existing competitive position.

Figures 2.14a, b, c show a sample of published ‘vision’ statements from John Lewis, Toyota and Virgin.

Business objectives

Even though they are a means of realizing an enterprise’s vision, business objectives are not controls by themselves, but rather the necessary start and end points for an integrated business control framework.

Business objectives should:

• conform with any published code of conduct

• guide the business processes of the enterprise

• apply to each level of management

• give explicit time frames for achievement of measurable results

• have wide participation of employees in their development

• be communicated to and understood by all staff

• form a coherent whole and be internally consistent, as illustrated by Figure 2.15.

'The supreme purpose of the John Lewis Partnership is simply the happiness of its members.'

John Spedan Lewis, the founder, aimed to create:

A business that:

• was fair to all – to customers and suppliers as well as to those who work in it

• the Partners really felt was their own

• would challenge and beat the best of the competition and attract people at the top of their profession into its executive ranks.

From www.johnlewispartnership.co.uk (June 2006)

Figure 2.14a Example vision statements (John Lewis)

Guiding Principles at Toyota (1990 and revised 1997)

1. Honor the language and spirit of the law of every nation and undertake open and fair corporate activities to be a good corporate citizen of the world.

2. Respect the culture and customs of every nation and contribute to economic and social development through corporate activities in the communities.

3. Dedicate ourselves to providing clean and safe products and to enhancing the quality of life everywhere through all our activities.

4. Create and develop advanced technologies and provide outstanding products and services that fulfill the needs of customers worldwide.

5. Foster a corporate culture that enhances individual creativity and teamwork value, while honoring mutual trust and respect between labor and management.

6. Pursue growth in harmony with the global community through innovative management.

7. Work with business partners in research and creation to achieve stable, long-term growth and mutual benefits, while keeping ourselves open to new partnerships.

From www.toyota.co.jp (June 2006)

Figure 2.14b Example vision statements (Toyota)

Planning

Risk assessment 

Risk, defined in A-Factor 6 on page 26, is something which may hinder or assist achievement of business objectives.


The Virgin Brand values are…

Value for Money
Simple, honest & transparent pricing – not necessarily the cheapest on the market

Good Quality
High standards, attention to detail, being honest and delivering on promises.

Brilliant Customer Service
Friendly, human & relaxed; professional but uncorporate

Innovation
Challenging convention with big and little product/service ideas; innovative, modern and stylish design.

Competitively Challenging
Sticking two fingers up to the establishment and fighting the big boys – usually with a bit of humour.

Fun
Every company in the world takes itself seriously so we think it's important that we provide the public and our customers with a bit of entertainment – as well as making Virgin a nice place for our people to work.

From www.virgen.com (June 2006)

Figure 2.14c Example vision statements (Virgin)

Risk assessment is a vital management activity. This does not imply that all risks can, or indeed should, be avoided. The inability or failure to identify or seize business opportunities may itself be a significant risk. Senior management should ensure that a risk assessment process is embedded in their enterprise’s strategy and the implementation of that strategy.

[Diagram labels, in order: Individual targets; Department plans; Regional/sector plans; Corporate plan; Corporate vision.]

Figure 2.15 Achieving success by aligning objectives


An effective risk assessment process would require:

• senior management to have an intimate knowledge of the political, economic, legal, social, technological and market environment in which their enterprise operates

• creation of strategic and operational objectives which are well known and clearly understood throughout the enterprise

• addressing methodically the risks in all the major business activities

• a structured description of the factors critical to the enterprise’s success and the opportunities and threats that may help or hinder achievement of the set objectives

• estimation of the enterprise’s exposure to the factors, opportunities and threats in quantitative or qualitative terms of the likelihood of occurrence and its possible impact

• collating these exposures in the format of a risk profile or risk matrix which enables management to prioritize the areas for risk response.

The strategies for risk response are to:

• avoid or terminate the activity or situation

• transfer the risk to, or share it with, another party

• reduce the likelihood and/or potential impact of the risk by applying appropriate business controls.

An effective business control framework will enable timely reaction to changes in risks and opportunities in the business environment or operations.

Figure 2.16 shows some examples of risks in an organization’s ‘risk universe’.

People
• Death or Injury
• Absenteeism
• Discrimination
• Management

Assets
• Design/quality
• Cost
• Functionality
• Life cycle

Environment
• Pollution
• Regulation
• Species fauna/flora
• Climate

Reputation
• Local
• Regional
• National
• Global

Figure 2.16 Categories of risk


Business processes

Business processes are logically linked groups of activities needed to fulfil the business objectives of the enterprise. They comprise:

• core processes and

• service and control processes.

Core processes

Core processes are those which directly deliver the required product or service to the enterprise’s customers.

Service and control processes

Service and control processes are those which provide and facilitate the corporate infrastructure to deliver the core processes.

Effective overall business control will result if an enterprise is managed as a series of core business processes and service processes, each with its own quality process for continuous improvement and business control framework.

Business process activity charts generally describe the ‘what’ and not the ‘how’ or the ‘information’ used, but process analysis, as illustrated in Figure 2.17, provides a basis for control self assessment – the determination of where control accountabilities lie, identification of risks and control objectives, definition of necessary controls, authorization to accept the residual risks and setting appropriate performance indicators.

[Diagram labels: Business process; Inputs; Outputs for customers; Sub-processes A, B, C, D, E, F; Inputs; Outputs; Service process input (shown twice).]

Figure 2.17 Analyse your business processes


The human factor 

How people behave in an enterprise is critical to the success of any control framework.

Critical success factors are:

• the tone and example set by the highest management level regarding the ethical values, standards and actions of everyone associated with an enterprise

• the quality of all levels of staff and their understanding, support and compliance with the business controls in their area

• an adequacy of time and competent resources for proper operation, maintenance and review of business controls

• good communication between individuals and between groups of people

• reliable, timely and useful information to enable staff to discharge their responsibilities efficiently, and to measure their achievement of specified objectives.

Figure 2.18, in cartoon form, illustrates how ‘tone at the top’ can impact upon the success of an organization.

Figure 2.18 Human factors
Printed by permission of John Cole, The (Scranton) Times-Tribune

The impact of culture and human factors is illustrated powerfully in Carolyn W. Merritt’s (Chairman and CEO of the US Chemical Safety and Hazard Investigation Board) statement to the BP Independent Safety Review Panel in Houston, Texas on 10 November 2005:

One of my aspirations is that all industrial managers treat safety and major accident prevention with the same degree of seriousness and rigor that is brought to financial transactions. Few people would operate a major corporation today without a strict system of financial controls and auditing, where everyone within the corporation recognizes the severe consequences for non-compliance.

That same standard of diligence is not always applied to risk management and safety. If you get away with a flawed safety decision one day or repeatedly, far from facing a penalty you may actually end up rewarded, perhaps for boosting production. You may come to believe that what was thought to be unsafe is actually safe, based on your experience. It is a phenomenon that is sometimes called ‘normalization of abnormalities’.

Organization and operations

Policy 

Policies comprise general standards, principles and guidelines for action which influence and constrain decision-making. They define the boundaries within which the enterprise’s management and staff may choose to operate. Senior management is responsible for setting major policies in a structured way. At lower levels, actions and decisions are guided and empowered by intermediate policies and procedures which are consistent with major policies. General policies should always be made accessible to all staff.

For each business process, policies are developed by:

• considering the operating environment and the process objectives, and identifying categories of inherent risk

• formulating general directives in respect of such risks to enable consistent lower level policies and procedures to be developed as a basis for future operations.

Policies should be:

• clearly and concisely expressed as a practicable proposition

• documented and promoted in line with their relevance and importance

• distributed to and explained to relevant staff 

• kept up-to-date as necessary.

Structure

Structural or organizational controls concern the creation and maintenance of the necessary fabric and resources for an enterprise to achieve its business objectives. Fabric includes assets and communication. Resources include staff, finance and information systems.

The attitudes held by the senior management team will set the tone for an effective framework of business controls. If management underlines its commitment to the importance of control and ethical behaviour through programmes of control awareness, a sound control framework will surely follow.

All staff should know the code of conduct and principles of integrity expected of them by the enterprise over and above legal obligations. The responsibilities of individuals or teams should cover all activities of the enterprise without gaps or overlaps. Every position should have clearly established and documented responsibilities, authorities and accountabilities. Responsibility should lie at a level at which the time and expertise required exists. No individual should have exclusive knowledge, authority or control over important transactions. Financial and operational authorities should be documented as necessary for all activities, and should be appropriately assigned to match individuals’ responsibilities.

A chain of accountabilities should be clearly established throughout the enterprise in order to monitor achievement of business objectives in accordance with the enterprise’s business plan.

Realistic targets for quality and quantity should be clearly assigned and communicated to each accountable individual. Accountable individuals must report to their line manager on actions taken to discharge their responsibilities, and the results thereof, and confirm the continuing effectiveness of business controls in their areas. Accountable individuals are responsible for creating, operating, reviewing and improving business controls in their areas.

Effective exercise of accountability depends on:

• provision of adequate resources – people, finance and information – to be able to fulfil assigned targets

• recruitment and training of competent staff appropriate to their position

• development of worker competence, so that responsibilities and reporting relationships can be regrouped efficiently

• control over the transfer of accountability.

Handover arrangements should make clear to incoming managers or supervisors the targets and control systems for which they will be held accountable.

For absences, clearly defined assignment of authorities and accountability should be approved by the absentee’s supervisor.


Procedures

Procedures describe how management requires business operations to be carried out with the purpose of confirming how to address risks. Procedural controls may range from extensive documented procedures to less formal working instructions and localized procedures developed by staff themselves.

Managers should ascertain the extent to which activities require procedures and ensure that they are properly developed and approved. This selection process requires knowledge of the activity and its risks, appreciation of the purposes of all relevant policies, and evaluation of optional treatments. Detailed written procedures are not necessary, generally, for activities which are not critical and have a minimal cost of failure. Policies, combined with competent staff, are needed for directing or guiding activities which do not warrant a procedure.

Procedural controls should be applicable as effectively and flexibly as possible. It is sensible to adopt procedures which have already been prepared elsewhere and to use a delivery medium and context which optimize staff access to the procedures.

Procedures should be made available and accessible to all relevant staff. Effective procedures enable staff to understand how an activity fits into the overall business process, how to do an activity, what the required standard of performance is, and what the control objectives are. The complete range of procedures and standards should be reviewed periodically to identify redundant layers that should be removed.

Supervision

Supervisory control includes all forms of regular comparisons, reconciliations and monitoring carried out in the normal course of operations by both internal and external, manual and automated sources.

Effective supervision requires continuous confirmation that procedures and policies are followed properly and kept up-to-date. Managers at all levels who are responsible for supervising staff should ensure their adherence to procedures and policies, by:

• confirming that all staff are clear about their responsibilities and authorities, understand the procedures and policies pertinent to their work, and are competent to perform them

• inspecting, personally, that procedures are being followed in practice. Critical, high-risk activities will require more frequent checking

• identifying changes occurring in the enterprise whereby any controls may become, or have become, redundant, ineffective and/or inefficient; encouraging staff to be similarly aware (recognizing that they are often best placed to identify uncontrolled risks and can therefore suggest meaningful improvements to procedures and policies, and recognizing opportunities for, and making suggestions)


• providing regular reports on operations, with any financial data being integrated or reconciled with the corporate financial reporting system

• investigating potential or actual breakdowns in control and correcting the situation.

By implementing supervisory controls, managers are well placed to identify gaps, and so develop the competence of their staff (including subordinate managers). Successful supervision comprises just the right blend of direction, trust, delegation and necessary checking that is appropriate to the motivation and development of each level of staff. Some call this ‘the invisible hand’.

Case study

A local authority fitted gas-fired central heating into its housing stock. After a few days, it started to receive phone calls from its tenants, suggesting that homes were too cold or hot. A council officer visited, and showed residents how to adjust their thermostatic controller, advising that temperature change would not be immediate. The calls continued, and then increased. After more visits, which led to an investigation, it was found that the installing contractors had wall-mounted the thermostat panels, but had not connected them to the boiler due to a significant cost overrun.

It seems neither business control framework (either that of the contractor or of the local authority) worked as intended!

Review and appraisal 

Review and appraisal at periodic and regular intervals, and at various levels in the enterprise, is vital to monitor the extent to which the enterprise is on course to achieve its business objectives in order to take appropriate and timely remedial action if necessary. Meaningful performance indicators – sometimes called KPIs (key performance indicators) – should be established and compatible measurement and reporting systems set up and used. Such indicators are a more effective control when determined for a complete process rather than individual tasks. Prompt comparison of results against plans and budgets will often detect control weaknesses causing actual loss or unauthorized exposure to potential loss and enable early remedial action at this level and/or a higher level where the root cause may be situated.

Control self-assessments can be carried out by each level of accountable managers to confirm the continued adequacy of control. This is particularly useful in the light of possible or actual changes occurring inside or outside the enterprise, which may alter the extent or types of risk to which the enterprise is exposed. This confirmation should be personally and formally reported up-the-line on a regular basis and it could support a management statement to stakeholders about internal controls.

All independent evaluations or internal audits of processes within the enterprise should be carried out in accordance with an integrated plan (later called a corporate audit plan) in order to avoid gaps and overlaps, and to optimize the use of staff with relevant experience. This audit plan should be approved by senior management.

The existence of an audit function within an enterprise does not diminish the responsibility of accountable managers to ensure compliance with policies and procedures, or to review and appraise their unit’s performance. Internal auditors provide independent opinions and advice on the maintenance and improvement of the framework of business controls and work together with management to add value to the enterprise.

A review of personal performance against preset targets should be made between every level of management at least once a year.

A-Factor 14: Do not permit the terminology and detail used to describe any business control framework to deflect you from the structured simplicity of Plan–Do–Check–Act.

Throughout the rest of this book, when reference is made to our business control framework (BCF), we will be referring to the BCF described in this chapter.

Table 2.8 provides a guide for mapping types of control with each of the BCF elements.

Corporate social responsibility (CSR)

CSR is essentially about companies moving beyond a base of legal compliance to integrate socially responsible behaviour into their core values in recognition of the sound business benefits in doing so. Since organizations, and the challenges they face, differ widely, government interventions need to be carefully considered, well designed and targeted to achieve their objective. Some of the key themes include:

• workplace – human rights, health and safety, equal opportunities, employee engagement

• environment – emissions to air, land and water; pollution; biodiversity; end-of-life disposal

• markets – product safety and quality; responsible marketing; supply chain

• community – community relationships/development; sponsorship; emergency relief.

The UK government’s approach is to encourage and incentivize the adoption and reporting of CSR through best practice guidance, and, where appropriate, intelligent regulation and fiscal incentives.

Margaret Hodge, Minister of State for Industry and the Regions is responsible for CSR. Upon appointment (May 2006), she said:

I am delighted to be taking on responsibility for CSR. I look forward to working with UK business to ensure that environmental protection and community cohesion are seen as an integral part of delivering sustainable economic growth and business prosperity.


Table 2.1: Guide for mapping types of control with business control elements

Policy Controls | Organization/Structural Controls | Procedural Controls | Supervisory Con

Policy Controls: Owning and communicating general principles and guidance for corporate behaviour and personal standards and actions.

Organization/Structural Controls: Establishment of an organization’s capability to achieve set objectives. People deliver results through their skills, relationships and shared understanding.

Procedural Controls: How to perform processes which are in line with operational guidelines and functional standards.

Supervisory Con:
Comparison of h
processes are bein
to the standard e
to understand w
are variances, an
timely corrective

General business principles
Governance guidelines
Values & ethics
Vision & mission
Purpose
Management integrity/‘tone at the top’
Laws and regulations
Rules
Strategies, objectives, goals management
Organizational structure
Reporting relationships
Coordination & communication
Accountabilities
Roles & responsibilities
Manual of authorities
Management systems
Performance targets
Expectation thresholds
Budgets
Priorities
Critical success factors
Operating guidelines
Standards set by:
Functional management
Benchmarks
Contracts
Service level agreements
Terms of reference
Manufacturer’s instructions
Safety – design and engineering of systems, alarms and warning indicators
Continuous
supervisory o
Compliance verification
Observation an
checking
Challenge sessi
Diagnostics
Surveys/bench
Peer reviews
Testing and pi
Reconciliation
Error detection
Health checks
Performance
monitoring/
Main organizational policies (e.g. health and safety, environment, quality, contracting, project management)
Business process maps
Competence and training
Information sharing
Motivation
Incentives & rewards
Commitment
Teamworking & interaction
Partner selection
Learning networks
Security – physical barriers, information protection, access controls
Housekeeping – transaction limits, segregation of duties, procedures and work instructions.
Fallback or backup arrangements – job handover, absence coverage, business continuity plans
Corrective me

Use this record as a guide to the types of control that you would expect to find in the different elements of the business control framework


3 Planning for Audit and Assurance

Introduction

As we have seen, it is becoming increasingly important for all organizations to look at themselves with integrity and honesty, and with the responsibilities to all of their stakeholders in mind, through the reflection in the mirror that is presented to them by an audit of their management systems, and ask ‘Do we have reasonable control of our operations?’

Chapter 2 provides a history of business control, and how the simplicity of the Deming Wheel has been supplemented by the complexity of subsequent control frameworks. Legal and stakeholder expectations for statutory and corporate governance have led to a variety of codes and standards for providing greater levels of assurance. Typically, the approach within any organization is hierarchical – of course depending upon its size. At the highest level, this hierarchy begins with specific responsibilities for the corporate body and its executive directors, extends to the appointment of an audit committee which gains its independence by representation amongst its membership of external/non-executive directors, and the appointment of an internal audit manager. The internal audit manager is responsible for identifying and specifying a balanced mix of audit/assurance products in a rolling plan, and providing a flow of information to the audit committee for their consideration and action.

Reasonable control, in the context of this book, includes health, safety, environment and quality risks. Our methodology – set out herein – will show audit practitioners and those seeking to develop a career in auditing in step-by-step stages (just as a cookery recipe does) on how to conduct a risk-based management system audit that will provide (or not!) reasonable assurance that the organizations’ objectives will be achieved. If taken literally, we believe that ‘audit’ concerns organizational improvement. Accordingly, we will be addressing both the ‘down’ side of risk – protection of that which is important to us – but also the ‘up’ side of risk, identifying opportunities to create value from our existing and future activities. Said correctly, then, our audit process is designed to give (or not!) reasonable assurance that organizations’ objectives will be achieved.

But we are ahead of ourselves for now.

A-Factor 15: An audit should provide a reflection, as if in a mirror, of the auditee’s business control framework.


Audit committees

Organizations of all types are increasingly likely to have appointed an ‘audit committee’ (also known in different organizations as internal audit committees, business assurance committees, governance groups, and other similar titles depending upon the organization’s size, ownership and preferences). These ‘audit committees’ are responsible for overseeing all of the activities within the organization that are generically called ‘audits’.

There are several types and levels of audits, and these are discussed in the pages which follow.

A current definition of internal auditing is that it is:

An independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and internal auditing.

IIA-UK & Ireland (2004).

This book absolutely is all about independent, objective assurance; improving operations; and systematic approaches to achievement of business objectives for the benefit of all the stakeholders.

Our definition of internal auditing is ‘A structured, management process overseeing all of an organization’s own internal controls. It provides independent, objective assurance when the selected framework for control can be reasonably expected to support the achievement of objectives, and an alert to stakeholders to initiate improvement when it may not.’

Whatever the definition, it is the role of the audit committee to deliver it.

A-Factor 16: A prime reason for audit is organizational improvement, as well as providing assurance.

I think the thing to remember about auditing is that anyone can be a compliance auditor, can check a list and put a tick in the box. The real benefit of auditing comes from adding value, being constructive, and helping companies to improve over a period of time, however long that is.

– Andrew Burns-Warren, Managing Director, ISC (a certification body).

The principal corporate responsibility of audit committees is to review and endorse the effectiveness of all of the organization’s internal control frameworks. This responsibility is achieved by effective audit planning, and thereafter ensuring the timely delivery of a balanced programme of audits as established by the plan which identifies the ‘up’ and ‘down’ sides of risk, and how these, individually and overall, affect the organization and its stakeholders. The overall opinion is derived from a rolling audit (or assurance) plan, often endorsed and agreed on an annual cycle for typically a three-to-five year window.

Information is gathered throughout the life of the audit plan, which is reviewed during and at the end of each audit cycle, and that guides the overall opinion of the audit committee in the reports it provides to senior management.

Done effectively, this report to senior management provides confirmation that the audit committee and line management are listening to the auditors – their reports, recommendations and assessments – and is ensuring that the potential for improvement across the organization is being capitalized on. This lateral learning will be effective if the audit committee ensures that line management in similar parts of the organization where particular findings arise, check their control frameworks. Line management needs to understand the reasons for and the manner by which it can gain the potential and/or necessary protection and improvements – i.e. by taking appropriate, timely action upon the audit findings.

Corporate governance requires that significant risks are brought to the attention of shareholders and other investors/interested parties. Increasingly, organizations are providing assurance information to other stakeholders, such as the media and the public, as a part of public accountability initiatives, elsewhere referred to as corporate social responsibility (CSR).

The role of the audit committee

The role of the audit committee is to:

• approve the audit plan for the plan year, and to endorse it for subsequent years (as noted above, typically three to five years)

• endorse draft audit terms of reference (ToR) for audits in the plan year

• facilitate access to auditors (who will often be on a part-time secondment from line management for the duration of each audit)

• receive summaries of all audit reports from the internal audit manager to check and challenge as necessary

• review follow-up of actions and recommendations

• promote lateral learning throughout the organization

• assess overall performance of the audit function

• provide annual assurance to the main executive board.


Key roles related to audit

There are two other key roles related to internal audit in many organizations. These are:

1. Head of internal audit (aka the internal audit manager)

2. Line managers.

The main roles of these groups are the following.

Head of internal audit 

• Devise rolling audit plan – current year and outline for subsequent years – for approval by the audit committee

• Prepare draft ToR for each audit (which will be endorsed by the audit committee)

• Recruit and develop audit resources (e.g. lead auditors and administrative support)

• Maintain lists of lead auditors and auditors (usually in line management positions) available for undertaking audit assignments

• Ensure audit teams have the right mix of competences (knowledge of the audit process, knowledge of the audit subject, skilled in working with others, and experience of practical auditing) in their team leadership and membership

• Receive audit reports when issued

• Promote lateral learning throughout the organization

• Keep the audit plan under review.

Line managers

• Release staff as requested to participate as auditors in other locations/departments as per the audit plan

• Respond to audit recommendations relating to own site/department.

This second point is critical. In many jurisdictions, failing to respond to recommendations raised by an audit would be considered very serious, with punitive criminal and/or civil penalties a possible consequence, particularly upon discovery following a significant loss. In this context, ‘respond’ implies a formal and recorded decision followed by a corresponding and timely action on each recommendation, rather than implementation per se.

Types and levels of audit

There are many different types of ‘audits’, generally undertaken against a reference framework of one kind or another – even if sometimes this amounts to a reference to ‘best practice’ in the eyes of the lead auditor/the audit team. The origins of reference frameworks are discussed in Chapter 2 of this book.


The selected reference framework (or frameworks) included within the organization’s overall audit plan will provide the subject matter for each audit (e.g. environment, health and safety), and clearly set out the expected structure of business controls against which each audit will be assessed.

Some readers will remember a BBC television show, popular in the UK in the 1980s, called Blankety Blank. Whether you are familiar with this show or not, imagine now the number and variety of words that could precede the word ‘audit’:

• health and safety

• fire

• financial

• housekeeping

• quality

• IT

• procurement/supply chain

• pre-acquisition/due diligence

• pre-flight

• sexual/religious/political preference.

Some of these – and of course other – different types of audits exist in probably all organizations. Some are very conceptual in nature – perhaps with a consultancy-type approach to their conduct, e.g. ‘Could we increase the warranty period from one year to two?’, whilst some are more of a transactional/compliance check nature, e.g. ‘We have to be sure that this is right in every detail before we switch it on’, etc.

Figure 3.1 shows some of these audits, and where they typically fit against two independent continuums – consultancy vs compliance and conceptual vs transactional.

Case study

A UK-based manufacturer of carrier bags was the subject of an environmental audit that highlighted possible cost savings in electricity by replacing the power correction units. These were subsequently installed at a cost of £13 000 (GBP), and produced annual savings of £4000 (GBP).

[Figure 3.1 Varieties of audit – consultancy v. compliance; conceptual v. transactional. Axes: Consultancy to Compliance; Conceptual to Transactional. Audits shown: Strategic review, Due diligence audit, Monthly check, Joint venture audit, HSEQ MS audit.]

Levels of audit

From all of the different audit types and levels we have described, audits generally can be said to exist at three different levels:

• Level 1

• Level 2

• Level 3

Level 1

A Level 1 audit is a planned internal self-inspection made by appointed line staff who are responsible for identifying non-compliance with policies and procedures, reporting their findings to line management and following up corrective actions. Most HSEQ practitioners will be familiar with these hourly, daily, weekly, monthly checks undertaken by ‘safety reps’ and ‘quality inspectors’, often against a checklist, though use of such a list is not mandatory from our perspective.

Clearly, effective supervision can also be classified as Level 1 (though some refer to this as ‘Level 0’) since this activity involves confirming the quality of outputs is ‘right first time’ and correcting the situation if they are not. We would see this as a part of a supervisor’s normal work routine – it is line management’s direct responsibility entirely.

An example of Level 0/1 inspection is seen in many High Street retail organizations that operate a ‘clean as you go’ policy. Staff inspect regularly and clean up spillages (e.g. of loose soft fruit).

Level 2

A Level 2 audit is an independent appraisal of selected management systems, and thus the subject matter of this book. Level 2 audits are generally done by staff from the organization itself, but it would be usual for these to be from a different operation or department to that which devised and operates the system under scrutiny. This gives independence to the audit opinion (and we shall come back to the notion of ‘independence’ later in this chapter).

An example of a Level 2 audit could be an audit of how a contractor is performing against a set specification or contract. Another example could be an audit of health and safety performance against an organization’s own health and safety management system.

Case study

A UK-based oil and gas production affiliate of a global company developed a strong internal EHS-MS model, including an annual self-assessment audit plan covering the whole organization, in response to major hazards legislation. The US-based parent had a pre-existing global EHS audit process which mandated an external ‘compliance audit’ of the UK subsidiary every three years. Initially the two systems operated independently and the external audits were viewed by the UK organization as time-consuming and resulting in very few improvement ideas. It was suggested an experienced external auditor should join one internal audit, and this was agreed by all involved. This led to significant benefits, with the internal and external auditors complementing each other, providing value-added findings and identifying several opportunities for good-practice transfer.

Level 3

A Level 3 audit generally concerns an audit leading to an external certification or a level of approval by a customer. This validation or certification may comprise a client’s approval to ‘stay one of our suppliers’ for some specified period, or alternatively result in the award of a ‘certificate’ signifying compliance with a national and/or (and this is becoming much more common since the mid-1990s) an international certification.

A representation of these three levels of audit is shown in Figure 3.2.

[Figure 3.2 Three levels of audit. Levels: 1 Internal self-inspection; 2 Independent MS audit; 3 External certification. Examples shown: Departmental check; Facility audit; ISO certification audit.]


Case study

At a seminar in March 2004 in Scotland, attended by organizations involved with ISO 9001 in a range of business sectors, 160 attendees voted as follows:

• following ISO 9001 is a complete waste of time, our money and efforts would be better utilized in other ways – 24 per cent

• QMS based on ISO 9001 is good for business, but it can be adequately maintained by the business alone – 44 per cent

• as for 2, but to be effective it needs to be monitored by a competent third party – 17 per cent

• accredited certification to ISO 9001 provides clear benefits for any business – 15 per cent.

Case study

A UK gas terminal obtained ISO 9002 certification for supply of products. As the globally mandated corporate internal ‘flawless operations’ integrated MS became fully effective, the ISO 9002 systems were seen to have no added value and, after six years, the certificate was discontinued.

Some examples of internationally recognized approvals or certifications (sometimes called verifications) that can be awarded/granted after Level 3 audits are noted below. Not all of these are generally certifiable, and some (or all) of these standards will be familiar to readers. Accordingly, and for brevity, we have decided not to include précis or descriptions of each standard, and refer interested readers to our bibliography instead, where details are provided.

Suffice to say that, generally speaking, most follow the PDCA structure of the Deming Wheel discussed in Chapter 2.

Quality

• ISO 9001 (Quality Management Systems – Requirements; replaced BS 5750)

• QS-9000 (Quality Management System developed by General Motors, Chrysler and Ford)

• ISO/TS 16949 (Quality Management System developed by IATF – International Automotive Task Force, working closely with the International Organization for Standardization – ISO)

• EFQM Excellence Model.

Health and safety 

• OHSAS 18001 (Occupational Health and Safety Management Systems – Specification; developed by a consortium of certification bodies)

• ANSI/AIHA Z10-2005 (American National Standard for Occupational Health and Safety Management Systems)

• ILO-OSH 2001 (International Labour Organization Guidelines on Occupational Safety and Health Management Systems) – not certifiable

• HSG 65 (Successful Health and Safety Management)

• BS 8800 (Health and Safety Management Systems)

• HACCP (Food Hygiene – Hazard and Critical Control Point).

Environment 

• ISO 14001 (Environmental Management Systems)

• EMAS (Eco-Management and Audit Scheme).

Security 

• ISO 17799 (Code of Practice for Information Security Management)

• BS 7799 (Information Security).

For this book, we have focused upon our recommended audit methodology principally for Level 2 audits, and to a lesser extent, Level 3 audits.

Use of this auditing methodology for non-HSEQ audits

Whilst this book focuses upon Health and Safety, Environment and Quality Audits, the authors believe passionately that the auditing methodology described in this book can be successfully and powerfully applied to reference frameworks relevant to other topics and specialisms. Indeed, we have ourselves applied this methodology to contractor, security, food hygiene, motor fleet, and fire/asset protection audits during the period covering the preparation and writing phases for this book.


A balanced audit plan

An important role held by the head of internal audit is to seek to balance the mix of types and levels of audits covering all parts of their organization, whilst considering the most appropriate intervals, intensities or frequencies to conduct these.

A-Factor 17: A rolling, balanced audit plan is a foundational and essential component in preparation for providing internal and external assurance to stakeholders.

Tip – On our travels as auditors and audit trainers, we have come across many organizations that have adopted the levels of audit as described here. We have also come across other organizations that have reversed the order (3, 2, 1), named (rather than numbered) the levels, or have more (or fewer) levels than we have described herein. This does not matter; the principle remains the same.

The audit planning will typically include a risk assessment, including evaluation of such matters as:

• complexity of operation

• impact of loss

• level of control achieved (i.e. the audit opinion last time).

The audit intensity (i.e. the number of auditor days) will depend upon the judgement of the internal audit manager as a result of this assessment.

The balance of an audit plan can be represented – as a representation of coverage – as a jigsaw (Figure 3.3). Note how there are no overlaps, and no areas are missed. Also note how interfaces – where one section joins another in a ‘handshake’ – are considered. In totality, an audit/assurance plan will show how each part of the organization (location, process or combination of both) is covered, and at what frequency.

Consider also a three-dimensional jigsaw. It would show the different types and levels of audit. Under each jigsaw piece may be a number of layers, each a different subject at a different frequency (e.g. quality audit annually, safety audit biannually).

Doing all audits ‘annually’, or at some other predefined frequency, overlooks the reality of varying levels of risk. Unless there are specific reasons to do so (e.g. a legal requirement), arbitrary intervals generally do not make sense, and are difficult, and rightly so, to justify to line managers on the receiving end. We think that organizations can gain more useful and more cost-effective audit performance at any acceptable level of cost by considering their overall governance needs first. The internal audit manager and the audit committee prove their value to the organization by looking at the needs of the whole, and contrasting these with the needs (and applicable constraints) of the parts.

Figure 3.3 A representation of an organisation’s audit plan – everything covered; with clear interfaces

For example, it may be that ‘the central distribution depot’ in Birmingham is critical to the organization, whilst the ‘Exeter parts store’ holds mainly obsolete stock. Accordingly there will, very probably, be a greater need shown in the audit plan for broader, deeper audits in Birmingham than in Exeter.

A well-thought-through audit plan aligns audit frequency, and at each level (0/1, 2, 3), to the governance needs of the organization at that time. The most appropriate ‘audit mix’ is likely to give the highest level of assurance at a cost acceptable to the organization. Keeping the audit plan under regular review, as we have said, remains a role of the audit committee.

A-Factor 18: The audit committee is responsible for keeping the audit plan under regular review.

Audit terms of reference

Draft terms of reference for each audit will usually be prepared by the internal audit department in advance. When appointed, the lead auditor will generally liaise with the internal audit manager for any clarification on the details of the assignment. Each ToR document will relate to a discrete part of the overall audit plan (i.e. one jigsaw piece).

The ToR document should generally cover at least three main areas:

• objectives

• reference framework(s)

• scope.

Objectives

The objectives of an audit can vary. The audit committee may have adopted ‘house language’ such as Six Sigma, Kaizen, 5S’s and so on; each of these terms should remind us that ‘continuous improvement’ is a major aim of a management system.

Audit objectives tend to be to provide assurance to management that the reference framework is implemented and effective, and if not, to alert them to problems as found, and finally (if we can, in terms of time and competence) to provide advice or assistance about corrective action.

A-Factor 19: The audit objectives can be referred to as ‘the 3 As’ as an aide-memoire – Assure, Alert, Advise.

Reference framework(s)

Audits may include one or more reference frameworks. Each reference framework tells the auditors in the team which structure of controls is to be used for their audit work. For OHSAS 18001:1999, the auditors will consider the management controls in place aligned to the following framework:

4.1 General requirements

4.2 OH&S Policy

4.3 Planning

4.4 Implementation and operation

4.5 Checking and corrective action

4.6 Review

Scope

The audit scope is a statement highlighting what and where the audit work is to take place – the processes and/or location included. It advises what is ‘in’ and what is ‘out’ of the scope of the audit assignment. The answer to the question ‘Does our work include third-party deliveries?’ should be found within the scope of the ToR.


At the start of any audit, the ToR document will generally be in draft format. Later this will be discussed and formally agreed with the subject organization’s management representative(s) at the opening meeting. How to do this effectively is described later, where we also discuss how to ‘sell’ an audit.

A-Factor 20: The Terms of Reference are the contract for the audit – the agreement between the organization and its auditors of ‘what’ will be delivered by the end of the audit. No audit should commence without agreed ToR.

We have included a skeleton ToR document in Chapter 5, Figure 5.2. This can be freely used in future HSEQ audits as a starting point or for guidance.

Tip – When you are asked to join an audit team, or participate in an audit, an ideal first question to ask is ‘Please can I see a copy of the ToR?’ It should confirm why you have been asked to participate in this audit; parts of the Scope should align with your own competencies.

Selection of the audit team

The selection of an audit team usually commences with the appointment of the lead auditor. The lead auditor should be competent to complete the job. Typical characteristics are:

• an experienced auditor, able to keep a team moving, and bring it to consensus with a conclusion and an opinion of the status of control in the auditee’s organization

• formal training in auditing techniques provided by a recognized auditor training organization

• participation in numerous audits, firstly as a team member before progressing to lead audit teams

• possibly formally certified as a ‘lead’ or ‘principal’ auditor from one or more of the recognized auditor registration bodies (for more details, see later in this chapter).

From hereon in, things can vary from organization to organization; and from audit to audit. Audit teams ideally comprise a mix of internal and external human resources to balance internal detailed knowledge with external breadth. The three main ways that audit teams can come together are summarized as:

• selection by the internal audit manager 

• selection by the lead auditor 

• provision of auditors by the unit to be audited.


Selection by the internal audit manager 

The internal audit manager may specify the team by selecting suitable individuals from the organization’s list of internal auditors (both full-time and part-time), and give it to the lead auditor. This can bring an audit team together reasonably quickly, and can certainly prevent any suggestions that the team has any bias in its formation.

Each team member will need to understand auditing, and usually each member of the team will have been formally trained by a recognized auditor training organization, though sometimes this training is ‘on the job’ (and this audit may be a part of that training!).

A possible downside to this approach is that line management for the part-time auditors may resist releasing them because ‘we are busy that week’.

Selection by the lead auditor

The lead auditor may be given a certain freedom to select the audit team. With experience, the lead auditors will know how to select people with whom they have good working relationships, know them to be confident auditors and able team players.

Provision of auditors by the unit to be audited

Sometimes, the organization which is to be audited may wish to provide one or more team members, for example, as a part of an internal training and development plan. This can be helpful to the audit team, as these individuals are likely to be better placed to know who to talk to about any given theme, where to find documents on site, and so on.

However, great care should be taken by the lead auditor in balancing the professional skills and experience in the audit team – too many medical doctors without audit experience could be counter-productive!

Regardless of how the audit team is formed, it is useful if they have some knowledge of the activities of the site to be audited (e.g. including one or more medical doctors in the team is invariably useful if the audit is in a hospital).

Tip – Base the team selection (if you can) on the requirements in the ToR. An audit is a project, and team selection is critical to a meaningful outcome.


Case study

An organization with internal systems based on the EFQM model requested bids

for certification to ISO 9001. During bid evaluation, it met the proposed auditors,

and awarded the contract to an organization with limited experience in their business sector, but with an auditor clearly committed to continual improvement.

When they later required certification to ISO 14001, they rejected a bid from

their current certifier, as the proposed Environment auditor was judged to have

a ‘tick-box’ approach, in contrast to the Quality auditor. This organization won

a European Quality Award in the year 2003.

The role of the lead auditor

The role of the lead auditor is a critical one, and it is probable that their first involvement may start typically up to three months before the start of the audit work on site. Early activity for the lead auditor may be to liaise with the audit manager in the scheduling of the audit and/or with the production of the draft ToR for the particular audit.

As we have said elsewhere, a final ToR will usually be agreed with the auditee just

before or at the opening meeting.

As described, the lead auditor may be involved in the selection of some or all the

other members of the audit team. The size and complexity of the organization to be

audited will ultimately determine how many other auditors may be necessary and the

duration of the project (i.e. how long the audit will last). The usual convention is for 

the audit manager (who may also be advised by others) to schedule audit-days, and

then to divide this by the target audit duration to determine the number of auditors

needed on the audit team, or vice versa. In practice, we note that this is often a

compromise between the auditor-days the lead auditor would like allocated to the

audit team to do a thorough job, and the wishes of the site, especially if it is paying

fees and expenses for each of these days.

A-Factor 21: For Level 2 audits, the team should comprise a minimum of 

two members (i.e. a lead auditor, plus one other auditor), with access to

support for peer review.

Independence

Fairly experienced individuals in diverse businesses and other organizations believe that independence comes wholly and only from outside their own organization. Some readers may have observed with interest how ‘external’ advice is treated in some organizations, compared to advice given internally – i.e. it is sometimes more likely to be accepted, or treated with reverence.


In our experience, independence is not binary. It is not something that you either 

have, or do not have. Consider the following scenarios:

1. I am auditing an organization managed by an individual whom I would really

like to be my next boss.

2. I am auditing an organization managed by an individual I rely upon for our next

large consultancy order.

3. I am auditing an organization managed by an individual whose beautiful daughter/handsome son I would like to marry next year.

How many auditors can say that they would not be influenced at all by these factors,

irrespective of their (internal or external) employer?

We believe that independence comes in degrees. The level of independence

in any audit team will be a factor that should have been considered by the

audit manager, and in turn, the audit committee at the time the audit plan was

approved.

In practice, the independence of the audit as it progresses will be monitored (and

actioned as necessary) in real time by the lead auditor throughout the conduct of the

project. He remains ultimately responsible for the audit, and the audit opinion. This

responsibility is discussed in detail in Chapter 7.

Tip – Resist inappropriate membership of the team, for example someone who

may have a vested interest in the outcome, such as a line manager from the

section to be audited.

Case study

After an accident investigation, a food industry manufacturer with a strong Hazard Analysis and Critical Control Point (HACCP) process and generally good OSH record was cited by the UK regulator for inconsistent risk assessment. The company strongly disagreed with this finding and sought advice from an experienced OSHMS consultant, who after further investigation concurred with the regulator. The HACCP process identified some, but not all, OSH hazards and the company eventually recognized this. Steps were taken to remedy this defect, and to ensure the resulting additional controls were regularly monitored and reviewed, these minor additions were readily added to the existing HACCP process.

A-Factor 22: Recognize the importance to the overall audit opinion of an

objective view from an independent audit team.


 Auditor registration organizations

As auditing has become considerably more widespread since the mid-1990s, the number of auditor registration organizations has grown to such an extent that there are already some early signs of mergers between them as dominance in the marketplace is sought.

Likewise, individual registration with these auditor registration organizations has

grown at unprecedented levels (Figure 3.4).

Increasingly, these auditor registration organizations require their professional members to participate in programmes of Continuing Professional Development (CPD), which includes both learning elements and evidence of leading (or participating in) audit teams. This mandatory approach to CPD by the registration organizations is commended; all current and aspiring HSEQ auditors are encouraged to join such organizations as appropriate and applicable to the sphere(s) of activity at the appropriate grade, as they offer such benefits as:

• initial and top-up training

• professional recognition (often with an escalating scale of professional and/or career grades)

• peer and client approval

• networking opportunities

• CPD opportunities.

We have discussed some of the technical and experiential attributes of HSEQ auditors.

Apart from these, professional auditors need ‘soft’ skills too, an ability to interact with

other human beings in commercial and other environments.

Tip – ‘Once you have rapport, they tend to like you more’.

International auditor registration bodies

A sample of international auditor registration bodies are listed further on and summary

information on each follows.

We have included an internet URL for each to enable readers to assess each of these

organizations relative to their own particular needs. There are other certification

bodies, and this list is by no means exhaustive:

• International Register of Certificated Auditors (IRCA) – www.irca.org

• RABQSA International – www.rabqsa.com

• Institute of Internal Auditors (IIA) – www.theiia.org

• Institute of Environmental Management and Assessment (IEMA) – www.iema.net

• American Society for Quality – www.asq.org

• Board of Environmental, Health & Safety Auditor Certifications (BEAC) – www.beac.org

Figure 3.4 Graph showing growth of IRCA-certificated auditors 1984–2006 (vertical axis: Register (as at year end); registered figures for 1984–91 approximate)

IRCA

IRCA was formed in 1984 as part of the UK government’s enterprise initiative, designed to make industry and business more competitive, through the implementation of quality principles and practices. This structure included:

• IRCA

• an accreditation body (now known internationally as UKAS)

• a national standards making body (BSI Standards)

• a number of commercial certification bodies.

The original reference framework/quality management standard used was the British

standard BS 5750, which has since evolved to become ISO 9001.

The evaluation and certification methods developed and used by IRCA have been adopted as the industry standard model used by other auditor certification bodies.

IRCA says that ‘… we remain the auditor certification that supplier organisations, certification bodies and auditors value most.’

IRCA claims to be the world’s original and largest international certification body for 

auditors of management systems. It is based in London, UK. Over 26 000 auditors,

based in more than 105 countries, have been awarded certification since 1984.

Certification results in representation on the appropriate IRCA register (Figure 3.5).

IRCA provides auditors, business and industry with two main services:

• certification of auditors of management systems

• approval of training organizations and certification of auditor training courses. It

has approved over 90 training organizations.

IRCA’s mission is to:

• instil confidence in accredited certification worldwide by improving the performance of auditors

• associate the IRCA name with integrity, best practice and adding value

• promote auditing as a valued profession

• provide an excellent administration service to all stakeholders, which sets a benchmark for others to follow

• improve the standard of auditors and auditor training

• make IRCA certification available to all relevant organizations and individuals worldwide

• promote best practice in auditing.

Figure 3.5 An IRCA OH&S Lead Auditor certification card

RABQSA International 

It was established from two legacy auditor registration bodies - RAB of USA and QSA

of Australasia. It has two principal offices, in Penrith, Australia and Milwaukee, USA.

The Mission of RABQSA is ‘to improve the performance of industry by providing recognition to individuals who, having demonstrated competence to RABQSA International approved certification schemes, can improve and offer a positive contribution to the performance of organizations’.

RABQSA certifies management system auditors, business improvement specialists and management consultants across a range of disciplines, including quality, environmental and OH&S. Those certified are examined to ISO 17024:2003 and are recognized as competent having demonstrated the required knowledge, skills, personal attributes and additional qualification specific to their scheme and/or scope of certification.


IIA

Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association of more than 120 000 members based in around 160 countries. It has global headquarters in Altamonte Springs, Florida, USA and a regional network throughout the world.

IIA says that it ‘is recognised as the internal audit profession’s leader in certification, education, research, and technological guidance.’

Also see BEAC.

IEMA

The Institute of Environmental Management and Assessment (IEMA) is a not-for-profit organization established to promote best practice standards in environmental management, auditing and assessment. Its origins lie in the merger of the Institute of Environmental Management (IEM), the Institute of Environmental Assessment (IEA) and the Environmental Auditors Registration Association (EARA) in 1999. It is based in Lincoln, UK.

IEMA currently operates three specialist registers, one of which is especially applicable

to auditors. The IEMA Environmental Auditors Register has been in operation since

before 1999 and is recognized internationally. The register has over 2000 auditors

listed, based in approximately 60 countries worldwide.

IEMA is growing quickly; it welcomed its 10 000th member on 31 May 2006.

ASQ

The American Society for Quality (ASQ) is based in Milwaukee, USA, and is an authority on quality, with more than 100 000 individual and organizational members.

Its mission is to ‘advance learning, quality improvement, and knowledge exchange to improve business results, and to create better workplaces and communities worldwide.’

Since 1991, ASQ has administered the United States’ annual premier quality honour, the Malcolm Baldrige National Quality Award, which recognizes companies and organizations that have achieved excellence in performance.

ASQ maintains a number of auditor registers, including the ASQ-certified quality

auditor.


BEAC 

BEAC is an independent, non-profit corporation established in 1997 to issue professional certifications relating to environmental, health, and safety auditing and other scientific fields.

BEAC was originally created as a joint venture between The Institute of Internal

Auditors (The IIA) and the Auditing Roundtable, Inc.

It has headquarters in Altamonte Springs, Florida, USA.

A-Factor 23: First impressions count. Get the highest level of professional qualifications that you can, pursue CPD, and use your (applicable) designatory letters on business cards, reports and other stationery.

The International Personnel Certification Association (IPC) – www.iatca.com

IPC may also be of interest to auditors, as it is a membership association for certification bodies.

In 2005, the International Personnel Certification Association (IPC) replaced the organization known as IATCA (International Auditor and Training Certification Association), which had been founded in Singapore in 1995. It is now based in Athens, Greece.

IPC’s mission is ‘to provide recognition to individuals who, having demonstrated competence to IPC approved schemes, can improve the performance of organisations.’

IPC has described the reasons for this change:

The members of IATCA recognised that there are now many sectors within business and industry and government that require and benefit from personnel certification. IATCA was established 10 years ago expressly to address the management systems market. During those 10 years, the requirement for personnel certification has extended into many more contexts within business, industry and government and it is now recognised that management systems form only a small part of the personnel certification market. To accommodate those changes IATCA has expanded its remit to include and contribute within those other areas, and evolved into IPC.

IPC differs from IATCA in that its membership requirements have changed. Full

membership is offered only to personnel certification bodies which are accredited

to the new ISO standard for accreditation of personal certification bodies – ISO

17024:2003.


4 The Audit Process Roller Coaster  ©

Imagine a roller coaster ride

This vision, first described in our Introduction, provides a powerful image which an effective lead auditor should have in their mind of the job to be done, the challenges to be met and the best responses to those challenges, and how to execute each stage of the audit successfully.

The major steps in The Audit Process Roller Coaster ©  journey as shown in

Figure 4.1 are:

• familiarization with the auditee’s business environment

• meeting the auditee and agreeing on terms of reference (ToR)

• developing a risk-based work plan

• establishing the expected business control framework (BCF)

• reviewing and verifying selected controls

• identifying and assessing the strength and weakness of the controls

• assessing the strength of the overall BCF

• determining the audit opinion and key messages for management

• reporting.

Figure 4.1 The Audit Process Roller Coaster © activities (stages: Set-up, Review and verify, Report; vertical axis: level of detail involved, from summary to very detailed; labelled activities include: background data, terms of reference, initial meeting with auditee, work plan, expected control framework, interviews, tests, actual control framework, assess control framework, complete findings, cluster/group findings, clear findings, opinion & summary findings, present to auditee, audit report, audit file & working papers)

Overview of the vision

1. An audit starts at a leisurely pace whilst the audit team climbs up to a high vantage point, in a manner of speaking, so they can obtain sufficient up-to-date background information to become familiar with the auditee’s area of responsibility.

2. After completing this familiarization, the audit team is in the best position to create a risk-based work plan.

3. The audit team now knows that the time available for set-up is behind them and so nerves start to appear as they feel the pace begin to pick up and the pressure of being on the edge of a precipice looking down at a deep chasm begins to tell.

4. The audit team can easily feel out of control as they travel down the steep slope gathering ever more detailed amounts of data.

5. The lead auditor needs to ensure the audit team is well placed in documenting their detailed audit findings and their initial analysis of the BCF before the time available for fieldwork has elapsed. Only then will there be sufficient momentum to be able to extricate the audit team from the detail and move back up to a higher level.

6. The audit team must rely upon their momentum to push them up the final slope of The Audit Process Roller Coaster © and spend the last part of the time available finding the synergies and synchronicity within the detailed findings.

7. The final push is to present conclusions so that they will have sufficient resonance within the busy worlds of senior management that will result in them taking action to improve the business control framework.

In our experience, auditing a management system or a BCF is akin to a ride on a roller coaster. The Audit Process Roller Coaster © shown in Figure 4.2 comprises two simple dynamics, top down and bottom up.

Dynamics of The Audit Process Roller Coaster  ©

Moving top down enables the audit team to move its attention from top level, summary information encompassing whole processes, downward into detailed information encompassing subprocesses and individual activities. By fully understanding how the auditee management expects their BCF to operate, the audit team can establish its priorities before descending into the detailed and time-consuming work of auditing specific key activities.

Moving bottom up enables the audit team to build their conclusions and an overall assessment of the adequacy of the BCF on a sound foundation of logical argument, supported by factual evidence.


Figure 4.2 The Audit Process Roller Coaster © dynamics (labels: top down, bottom up)

The gradient of the top down journey and the depth of the curve at the bottom of The Audit Process Roller Coaster © will differ depending upon the results of the initial review of the expected BCF. In areas where expected controls are in place, the journey will continue downwards, but in areas where the auditee either confirms or reluctantly accepts that the necessary controls are not designed appropriately or do not exist at all, then The Audit Process Roller Coaster’s bottom curve will be much shallower, as shown in Figure 4.3.

Figure 4.3 The Audit Process Roller Coaster © level of detail of enquiry (stages: Set-up, Review and verify, Report; vertical axis: level of detail involved, from summary to very detailed)


In a normal scenario, the audit team needs to dig deep to confirm the controls are functioning as expected, whilst in the other three scenarios (shown by the dotted lines), auditors would only need to spend time going into more detail if the absence of specific controls was thought to have caused major losses or was creating an unacceptable level of exposure. In reality there will be many lines of enquiry being carried out simultaneously by an audit team, each with its unique level of detail of enquiry. The audit team may unearth a situation that requires them to visit areas which were not selected for the audit work plan as critical processes at a higher level of The Audit Process Roller Coaster ©, and they will find that climbing back up The Audit Process Roller Coaster © is time and resource-consuming.

A-Factor 24: The Audit Process Roller Coaster © comprises two simple dynamics – top down and bottom up.

 An audit is a project

An audit is a project, a series of related activities with a start, middle, and end. Like

every well-managed project, it should have a realistic timing plan, an agreed-upon

budget and a clearly specified objective. So effective auditing includes carrying out

an audit which covers the agreed scope on time and to budget. If you fail to do this,

 you fail as a lead auditor. Optimizing the utility of the deliverable is also an important

benchmark of an effective lead auditor.

Whilst an audit’s purpose is generally to improve the management of the activities

comprising the audit’s scope, the responsibility for exactly how that is achieved lies

with the relevant audit or assurance committee.

Case study

In our position as a training company that delivers internal audit training courses throughout the world, it is often the case that when we discuss how successfully audit reports are instrumental in effecting change within a business, too many of the line managers on the courses tell us that even if they have contributed a lot of their own and their staff’s time to assisting auditors, they do not see the report or recommendations.

A-Factor 25: The main deliverable of The Audit Process Roller Coaster© is

an audit report that triggers improvement.

It is very important that every audit team, as it prepares for an audit, thinks about what

their journey may look like over its timeframe; setting-up, reviewing and verifying

work and reporting. And close supervision of the audit team’s work by the lead

auditor is necessary throughout the audit.


Figure 4.4 The Audit Process Roller Coaster © time planning (Set-up 20%, Review and verify 60%, Report 20%; vertical axis: level of detail involved, from summary to very detailed)

To do all this effectively, the lead auditor must develop a time and resources plan that allocates an appropriate amount of time for each stage and identifies key check-points. Figure 4.4 shows our suggested time planning which has about 20 per cent of the total time available for set-up of the audit, 60 per cent of the total time for the review and verify stage (audit field work) and the residual 20 per cent of time for the reporting stage.

A-Factor 26: A lead auditor can decide, if it is a relatively inexperienced audit team working in an area of the business which they do not know well, that the set-up time can be increased above 20 per cent and the time available for the audit field work decreased by the extra time used for set-up. At least 20 per cent must be retained for the reporting stage.

The check-points should be at the end of the set-up stage, when the audit team are finalizing their audit findings, and before the first draft report is shown to the auditee.

Set-up

The lead auditor plans for success by carefully preparing both the auditee and the audit

team. By auditee, we mean the senior member of the organization’s management

who is responsible for the area which is the subject of the audit.

The main objectives of the set-up stage are to:

• meet the auditee (possibly for the first time) at an opening meeting to describe how the audit process will work – this includes ‘selling’ the benefits of audit, and agreeing on the ToR – and listen to any of their concerns

• ensure that the audit team is familiar with their roles, have read (and understood) the background documents selected by the lead auditor, and know what needs to be done to deliver against the ToR.

In Chapter 5 there are tips and techniques for conducting the opening meeting.

The main outcome of the set-up stage is a detailed plan of each auditor’s fieldwork. The overall document is called the work plan and is focused upon a sample of risk areas which are intentionally selected as being critical to the achievement of the organization’s objectives.

If, within the time and budget allowed, the lead auditor (and possibly some of the auditors) can visit the location where the main audit scope activities are actually performed, for an orientation visit – to see operations first-hand and be walked through the processes – it will be extremely helpful and will aid the set-up immensely.

As the planning progresses, a more detailed plan can be developed. The example in Figure 4.5 shows the division of the total audit time (two weeks in this example) amongst the three main stages of a management system audit.

A-Factor 27: Regular monitoring by the lead auditor of progress against the audit work plan and of findings which are arising, should ensure that the audit is completed on time, using those resources available to provide a level of assurance concerning the control framework within the auditee’s area of responsibility.

In Chapter 5 there is a detailed explanation of how to ‘set-up’ an audit effectively.

Figure 4.5 The Audit Process Roller Coaster © two-week plan (chart over Days 1–10 and weekends; rows: Set-up/initial meeting with auditee; Select key risks/dev. interview schedule; Interviews/fieldwork; Team progress review, Confirm review/tests; Interviews/fieldwork; Team report of findings, Agree opinion; No surprises meeting(s) with auditee; Complete report and present to auditee; Finalize/issue report; key: Set-up, Review and verify, Report, Contingency)


Review and verify

Effective audit interviewing will be the main technique used to gather information during the review stage, supported by examination of documentation. Verifying or testing relies upon interviews to corroborate what has been said or learned elsewhere but is mainly carried out by more time-consuming techniques. Efficient testing requires careful planning.

The main objectives of the review and verify stage are to:

• complete a review of the design of the management system being audited for every selected potential risk area in the work plan

• sample the application and efficacy of the main controls within key elements of the management system for every selected potential risk area in the work plan.

A-Factor 28: Whilst there is a logical sequence of activities within the review and verify stages, the main tasks will be performed more than once. This is especially true during interviewing, when there will be a number of iterations and the enquiries undertaken move inexorably down into finer granularity of detail, across various lines of enquiry, and possibly across a number of different control frameworks.

Chapter 6 describes our ‘review and verify’ methodology, and shows you how to do this effectively.

Reporting

Ensure there is sufficient time left for a full understanding of the results of the review and verify stage, and then for explaining the key findings to the auditee and line management. It is best if the findings and recommendations are agreed upon before the audit team leaves the site. Agreeing upon these and discussing appropriate reactions, and preparing and presenting the final report, will complete the audit assignment.

Reporting provides for the delivery of an audit opinion that compels the necessary actions, based on the level of assurance the audit team can provide, and the level of concern raised by the gravity and quantity of alerts.

There are a number of key goals for the lead auditor to achieve during this stage:

• complete and assess all of the audit team’s audit findings

• discuss and agree the main findings with the auditee

• obtain the auditee’s commitments to improve the management system

• determine the audit opinion

• present a draft report at exit meeting

• finalize report within agreed time period.

Chapter 7 describes the detailed steps required to conclude an audit effectively.


5 Set-up

Introduction

The next three chapters (Chapters 5–7) are set out to be read as if you, the reader, have been appointed the lead auditor for a new audit assignment.

The chapters follow The Audit Process Roller Coaster © stage by stage:

• set-up

• review and verify

• conclude (report).

In these chapters, we describe our selection of the most important matters to think through in anticipation of each defined stage and how to carry them out to produce an excellent result.

In exactly the same way that sports psychologists work with athletes to envisage each detail of how they are going to complete the course and how to do their best to win the race, a lead auditor too must have a clear view of the route ahead and know how to react at each critical moment along the route, before they set off on their journey. If they are not confident in the audit process, then both they and their audit team will underperform.

A-Factor 29: Lead auditors must have a clear view of their process, and know how to react at each stage.

How to set up an audit – ‘top down’ 

Efficient and effective use of the first 20 per cent of the total audit time will enable the lead auditor to significantly increase the success and usefulness of the audit’s outcome. The set-up stage covers the preparatory activities and the project planning that is necessary to ensure that the next 60 per cent of the audit time for review and verify is used as effectively as possible.

Auditing is a process of sampling. In risk-based auditing, the sample selected comprises a selection of the highest gross risk areas (i.e. those activities that would have the greatest impact on the organization’s success if they were not properly controlled).


The selection of risk areas for review and verification is made by the lead auditor and the team members.

The main preparatory activities are:

• agree upon the audit’s terms of reference (ToR)

• obtain background information

• get an overview of the area to be audited

• understand the reference framework

• meet the auditee

• make a site visit.

The main planning activities are:

• prepare audit time and resource plan

• audit logistics

• prepare risk-based work plan for the audit

• prepare an interview strategy

• prepare the right questions to ask based on the expected business control framework (BCF)

• start a structured audit file/filing system for the documentation relating to the audit.

Figure 5.1 illustrates each of these key activities in the early part of The Audit Process Roller Coaster ©.

Agree upon the audit’s terms of reference (ToR)

At this stage, the ToR is the most critical document. Both auditee and auditor must agree upon it because it sets down the key parameters for the audit, as described in Chapter 3. It is the essence of the contract for the service to be provided by the audit team. A draft ToR will usually have been prepared when the audit was included in the organization’s audit plan for the current year. Therefore it is important to check that the main contents remain current, and that, for example, there have been no acquisitions or divestments of significant assets. If the audit ToR needs to change as a result of significant changes, the internal audit manager should be notified.

A-Factor 30: If the audit is not carried out as scheduled, or if either the audit reference framework or the audit scope is significantly changed, the corporate audit plan should be amended.


Figure 5.1 The Audit Process Roller Coaster © set-up stage (diagram labels: terms of reference; background data; initial meeting with auditee; expected control framework; work plan; audit file & working papers; vertical axis: level of detail involved, from summary to very detailed)

Tip – The auditee would normally be the most senior manager at the location being audited. However, in certain business organization models, such as in a matrix organization (which was discussed in Chapter 1), functional or regional managers may be accountable for particular activities at the same location, bypassing the senior manager on site. In such situations, where an appropriate auditee cannot be clearly identified, the lead auditor should refer back to the internal audit manager or internal audit committee. Therefore an audit must not commence without absolute clarity concerning the auditee’s accountability for the activities in the audit scope.

By obtaining the ToR as soon as possible after their appointment, the lead auditor will see the who, why, what and where of the audit. ToRs may come in many styles, shapes and sizes but they must at least state the following:

• Who – the names of the auditee and their boss, or the audit’s sponsor if that is not one of these two people.

• Why – the objectives for an audit of a BCF need to provide management with:

1. an opinion on the effectiveness of the whole BCF (assurance).

2. identification of weak control resulting in or causing exposure to unacceptable levels of risk, inefficient consumption of resources or failure to benefit from business opportunities as they arise (alerts).

3. development of appropriate actions for addressing the identified weaknesses and improving the overall strength of the BCF (advice).


Title of audit and name of auditee

Objectives: Assure – control framework; Alert – findings; Advise – actions

Reference framework: Organization’s policy and guidelines, HSE MS, ISO 9001/14001, OHSAS 18001; Contractor management guidelines

Scope: Business processes at location X; Project activity; Site or installation etc.

Figure 5.2 Terms of reference – skeleton

• What – the reference framework to be used should be clearly identified.

• Where – the scope outlining the business processes/subprocesses at specific location(s), named facilities, etc. on which to concentrate the audit, including a description of the key interfaces with departments or sites either upstream (i.e. suppliers to the auditee) or downstream (i.e. customers of the auditee) of the scope area.

Figure 5.2 shows a skeleton ToR. Completed ToRs, though, generally include logistical information such as the team membership, start and finish dates, and planned dates for presentation of the agreed deliverables to management.

A-Factor 31: The audit’s ToR is generally not negotiable. It has been approved by the audit committee as one of their ‘jigsaw pieces’ and the scope areas need to be covered completely.

Case study

An extremely well-prepared distribution manager of a busy oil storage and distribution depot with a 400 metre frontage onto a tidal estuary suggested to the lead auditor, at the audit kick-off meeting, that there was little point in including the ‘river-jetty product receiving operations’ within the audit scope since an audit team of marine specialists were scheduled to audit a nearby ship-bunkering facility in a few months. The lead auditor declined by saying that it was within the audit scope, and that there would be sufficient time to include this potentially high-risk activity within his work plan. The audit fieldwork included the jetty operations, and identified that coastal tankers to be offloaded at the jetty often arrived before suitable spillage containment booms were available to be deployed. Whilst sometimes demurrage was paid until the equipment arrived and could be deployed, unloading of the most recent delivery had been started without this critical environmental protection control in place. It was discovered that this situation arose because the stock level of product in the depot storage tanks was below that needed to supply the next shift’s deliveries and undue pressure had been brought to bear on relatively junior operations personnel by the marketing department. Fortunately, by retaining ‘river-jetty product receiving operations’ within the scope of the audit, the audit team was focusing on this risk area during the period that the non-compliance occurred and therefore the lead auditor was able to alert senior management to this unacceptable level of risk.

Obtain background information

As soon as possible, the lead auditor should request authority to receive appropriate background information which, for example, may be on the auditee’s intranet, or it may require copying and sending to you. In most organizations, there will be offices, computers and archives filled with information, files and records. The lead auditor must be selective in their requests for background information.

Figure 5.3 illustrates literally that there are ‘mountains of data’ that are potentially available to the lead auditor as background reading.

The lead auditor is looking for information that will enable analysis of the business environment in which the organization is operating. This may be achieved by studying the business plans of the auditee’s department and of the parts of the business to which they contribute or for which they are the internal customer or the internal supplier.

Figure 5.3 Mountains of background reading (diagram labels: corp. strategy; business plans; organization charts; process models; last audit & review reports; hazard & risk assessments; incident statistics; Internet and country data; annotation: the lead auditor will sift through the layers of background data to get at the key information, and auditors will need to be familiar with this information)


The lead auditor will extract from the business plans the key corporate and main departmental objectives and strategies, and confirm their alignment to each other.

Tip – Create an extract of the main corporate and operational business objectives and give each one a unique reference number. For example, C1, C2, C3 may be the first, second and third corporate objectives, whilst D1, D2, D3 may be the first, second and third distribution department objectives, or M1, M2, M3 may be the first, second and third marketing department objectives. Using this referencing system for each level’s objectives, create a list of them all and give a copy to each member of the audit team. Get all team members to use these references in building the work plan, their working papers and in team discussions. Then everyone will be clear about which business objectives are at risk.

Possibly even before the membership of the audit team is finalized, the lead auditor should be liaising with a nominated (or identified) senior contact within the auditee’s department to make arrangements to carry out the audit at the worksite(s). The lead auditor should check that the auditee has a copy of the draft ToR. They should request the selected background information to be sent to them in advance so that the lead auditor can understand what has to be audited and how to address the logistical issues. It also provides background/preparation materials for the audit team.

Some examples of suggested items for this background information list are as follows:

• auditee organization’s business objectives

• descriptions (and diagrams) of the major processes

• organization charts at each level

• manual or table of contents from the subject reference framework manual (i.e. the Health and Safety Manual for a health and safety audit)

• list of major risks

• list of major control systems

• directions to the site(s), local area map(s) and site plan(s).

Other items a lead auditor may consider requesting, since they are very useful pre-reading, include:

• auditee’s business plan

• most recent management self-assessment of residual risks

• levels of authority manual

• most recent report of financial and operational performance

• recent stakeholder surveys and reports, e.g. reports from regulators, media coverage, etc.


An example letter/text advising of the audit and requesting background materials is shown as Appendix 3. From November 2006, this will also be available on this book’s companion website at http://books.elsevier.com/companions/0750680261

The lead auditor could try to arrange to obtain access to the auditee’s organization’s intranet, and of course there is a variety of internet search engines available to assist with background information prior to (and during) audits. The sites shown in Figure 5.4 generally turn up relevant data to assist preparation.

Case study

A lead auditor, one day before an audit started, reviewed the auditee’s website. A news release stated that the site was in preliminary negotiations for a management buy-out. This information was invaluable the next day at the kick-off meeting with the auditee, and the audit team was able to appear very well briefed.

Case study

A lead auditor, whilst preparing for an audit, noted that there had been a recent change in national legislation concerning radioactivity. During the audit, the audit team observed that a batch of radioactive isotopes for use as x-ray sources for non-destructive testing of oil field pipelines were at a reactivity level above that allowed by the new laws, and the preparation allowed them to respond accordingly.

Case study

A lead auditor read in an online trade journal that a major contractor used by the auditee had won a separate large contract that was likely to stretch its ability to deliver service in the short term. The audit team was able to reprioritize its audit sample to take account of this new information.

Altavista.com, Aol.com, Wikipedia.com, Yahoo.com, Google.com, Hotbot.com

Figure 5.4 Useful Internet sites for background research


In all of the above cases, the preparation by the lead auditor and the audit team affected the selection of risk areas for inclusion in the work plan.

A-Factor 32: As a lead auditor, it is important to encourage your team to be speculative. Think ahead about the business environment in the audit setting, and about how your auditee will be managing their part of the business in the light of future challenges.

Tip – Send the list of documents required from the auditee’s organization as early as you can. Depending upon the priority of the audit for the auditee, you may not get a response to your first request. You may need to send a second and even a third request for the information materials. Give yourself time to do so; remember you will need to read them and create a pack of selected information for your audit team.

A longer list of items for consideration as background information and pre-reading is in Appendix 1. From November 2006, these will be available on this book’s companion website at http://books.elsevier.com/companions/0750680261

Tip – While we have tried here and in Appendix 3 to provide the key types of information that you need to obtain about the auditee’s area of responsibility, excellent lead auditors will develop their own master checklists.

Distribute selected background information

When the pre-reading documentation is received by the lead auditor (and note that sometimes it does not all arrive together), it should be read, sifted and sorted. The lead auditor needs to extract relevant information from potentially large amounts of data, and usually, it means sifting through considerably more data than the information which is eventually given to the team members for their familiarization.

The aim is to identify the key information to circulate to the audit team members. Selected packs/extracts of the key documents should be prepared and sent to each member of the audit team with instructions to read and understand it. The intention is for each member of the audit team to gain a good overview of the auditee’s organization, site(s) and business processes to be audited.

Tip – In an ideal world, the best time to send such a pre-reading pack out to the audit team members is two to three weeks before they will start on the audit. If it is sent earlier than this, anything read may have been forgotten by day one of the audit. If sent later than this, the team member may not receive it (particularly if it has to travel through international or company postal systems).

A-Factor 33 – The key to a successful audit set-up is to have a well-prepared audit team.


Audit team members to overview the area to be audited

From the moment you are assigned to an audit, an auditor needs to become thoroughly familiarized with the key matters influencing the way in which the auditee is managing the area to be audited.

You will receive information from the lead auditor, and it is important that it is read thoroughly. An auditor should aim to assimilate quickly the information needed by concentrating on understanding the business challenges confronting the auditee, identifying the key personnel, and generally getting a feel for the business activity to be audited.

Study the company’s and department’s organizational structure, in terms of who does what job, who reports to whom, where do people work, how many positions are vacant, etc. Confirm the physical locations where work takes place, and what the work comprises.

The audit team will usually meet together for the first time with respect to this particular audit on the first day at the auditee’s site. In Chapter 10, we have described how this initial meeting should be conducted.

Briefly, the lead auditor should:

• finalize the team composition with regard to competencies

• one-to-one meetings with team members

• hand any last minute background materials to the team members

• lay down the ground rules, such as ‘working as a team’.

Make a preliminary site visit

A practical overview will help to develop a more realistic work plan. It will benefit the audit team if the lead auditor can visit the site(s) where the business activities actually take place as part of the familiarization. This allows you to meet and listen to personnel, ask questions about the technical aspects of the work being done (confirming en route the extent to which personnel are confident in their knowledge about both the business process as well as how best to manage it), and obtain a feel for the maturity of the overall control framework and the extent to which it is respected and utilized by line management.

Your eyes, ears and brain should be switched to receive mode whilst visiting worksites. Avoid too much detailed investigation by asking the ‘right’ questions. Do not react to what you hear or see and certainly never jump to conclusions or start analysing what is going on or suggesting different ways of doing the work at this early stage of the audit since the operational staff may interpret this as arrogance on your part or implied criticism of what they are doing. Figure 5.5 illustrates some of the benefits of making a pre-audit site visit.


Figure 5.5 Benefits of making an early site visit (diagram labels: meet key members of auditee staff; see the operations first-hand; obtain documentation and check coverage; ‘walk through’ processes)

At this point in the process, the audit team will gather together on site in preparation for the first day of the fieldwork.

Prepare the right questions to ask 

Make a list of those people whom you think will be able to contribute to the audit and obtain their contact details (e.g. telephone number and email address). As soon as you have agreed upon the dates for the audit fieldwork, introduce yourself and the audit team by an email to all the people on your list and suggest to them your preferred time for an interview and assistance with the audit. You must get as much of your schedule agreed to before you arrive on site.

Think about the logistical requirements in getting from A to B and in terms of developing realistic interview schedules.

The ToR should refer to which reference framework the audit is being carried out against. Therefore you should fully familiarize yourself with both the ‘official’ documentation supporting the reference framework as well as that being used by the auditee (if there is any difference).

For each high risk business process, you and the team need to ask yourselves ‘How should the auditee be using the reference framework to manage these risks?’ And by answering your own question, you will create a view of what we call the ‘expected reference framework’ which will be used later in the audit process.

Tip – The whole audit team must fully understand the composition of controls in each element of the reference framework and how the various elements interact with each other in terms of controlling the risks within the auditee’s business processes and activities. If necessary, confirm your understanding with the reference framework’s owner or relevant discipline head (e.g. corporate social responsibility or financial accounting).

Initial meeting with the auditee

At an early stage, it is essential to meet the auditee face to face to get the audit off on the right lines and to build the auditee’s confidence that your audit team can really help in achieving business objectives in the future.

Meeting the auditee’s immediate superior also would be a bonus since you would then obtain another perspective on the quality of control in the area being audited and possibly some hints as to where there might be pressures in the system.

Tip – Gaining an initial assessment, from the auditee or auditee’s line manager, of their perceived level of control in the subject area, will alert you to any likely difficulties in selling your major findings and final opinion.

Give the auditee reasonable notice of the meeting so you can be sure to agree to a firm date, time and place to meet. Contact beforehand to discuss your preferred agenda and confirm the ‘arrangements’ shortly before the appointment.

The main benefits of having a formal initial meeting with the auditee are:

• to try to ensure that everybody who needs to know knows that the audit is ‘on’

• agreeing to the final ToR

• explaining the risk-based methodology you will be using for the audit and how this process can deliver the audit objectives

• explaining the purpose of the close-out meeting to the auditee and agree to a firm date, time and place for the meeting

• confirm the auditee’s knowledge and acceptance of the reference framework

• confirm with the auditee the feasibility of your time and resource plan including the availability of their and their subordinates’ time for interviews and meetings to discuss progress and discuss and agree about the weaknesses and corrective actions

• obtain an explanation from the auditee of how he controls the risks in his area of operation

• start your review of the auditee’s management style and level of compliance with the reference framework.

It is essential that at least the matters shown in Figure 5.6 are covered at the initial meeting with the auditee:


Figure 5.6 Initial meeting with auditee – a solid foundation (diagram labels: confirm terms of reference; agree outline time table and staffing; schedule progress meetings; communicate audit objectives and approach; establish professionalism and credibility; check awareness of reference framework; confirm auditee availability and involvement)

Establish credibility 

Generally auditees can be apprehensive – even worried – about audits, and especially the audit opinion. For example, it is easy to understand why an auditee may be worried if they feel the audit opinion may threaten their career, the viability of the operation they are managing, or if this threatens their performance score card and hence their bonus! Your role at this time is to persuade them that you and your team members have the necessary knowledge, skills and experience to undertake a meaningful analysis of their operations and to help them to identify and address risks which may not be as well controlled as they thought. Your interest is in ensuring future success, not dwelling on past mistakes.

Tip – Before meeting the auditee, a thorough understanding of how the background information relates to both the business and the audit will enable the audit team members to demonstrate considerable credibility.

Communicate audit objectives and approach

Describe how the audit process will work, taking the auditee through the work you and the team have already done and then the next stages.

Tip – Figure 5.7 shows the generally held expectation gap between audit and management. You will need to explain that audits involve a process of sampling and, therefore, the audit result can never give management a 100 per cent assurance. Selection of a solid, risk-based and representative sample is critically important. Therefore it is important that the auditee and their boss understand this concept and how it influences the final audit opinion.

Figure 5.7 The expectation gap – what is actually examined during an audit (diagram: the selection of work plan items shown as a part of the 100% of scope in the terms of reference)

Use the ToR document – which the auditee should have seen already – as an agenda to confirm their use of the reference framework and to discuss the major challenges to their overall objectives and the key risks in each of their main business processes.

Tip – By explaining the purpose of the initial meeting to the auditee beforehand, this may encourage him, or his senior staff, to make a presentation of some of the issues currently affecting the area being audited.

Confirm ToR

Up to this point, the ToR will usually have only been a draft. Once the audit’s objectives and approach are clear, it is usual for the auditee and lead auditor to each sign the document to signify agreement.

Since the assurance committee is responsible for the overall assurance plan, as they see the ‘big picture’ – the metaphorical complete jigsaw, where each piece needs to be audited at the right level at the right frequency with no overlaps, and no gaps – you and the auditee cannot exclude (or include) scope areas willy nilly. If the auditee has a real problem, then you will have to refer the issue back up your line of authority before agreeing to a change.

Generally the ToR will be agreed to at this meeting and it is helpful if the auditee can be persuaded to circulate a copy of the approved document to the line staff.

Agree to a provisional timetable

Depending upon exactly when the opening meeting is held, the audit team may be able to present the auditee with quite a detailed overview of the timing plan.

Referring to our suggested 20/60/20 division of time helps to show the auditee that we have used the background materials, and that the audit team will conclude their work with an audit report, which includes where possible, appropriate and agreed recommendations.

Agree to progress meetings

Surprisingly, auditors do not know everything! It is wise for all auditors to remember this. Agreeing a programme of contact or short meetings with the auditee – perhaps every day or two – to discuss early findings and observations is invaluable. It goes without saying that if not needed, these can be cancelled. Agreeing with the auditee, if you can, upon what the audit team has found at an early stage will be helpful during the audit conclusion stage.

Confirm auditee involvement 

As has been said, the auditee may be apprehensive, so make it clear that the audit team will not only value any input at every stage of the process but is expecting an active interest and involvement throughout the audit. Give the auditee an open invitation to visit the audit team room at any time to see what is going on.

A-Factor 34: You get one chance to make a first impression – take it!

A sample agenda for an initial meeting will be available on this book’s companion website from November 2006 at http://books.elsevier.com/companions/0750680261

Time and resource planning

Detailed planning is critically important if an audit’s objectives are to be fully met.

Even in the shortest audits, the original timetable will be a best estimate and will need regular updating to make the most of the resources available to cover the necessary activities and use any planned contingency time to best effect.


Figure 5.8 Audit time and resource planning (diagram levels: overall – offsite, onsite, offsite; activity – set-up, review and testing, concluding; resources – team leader, auditor 1, auditor 2, auditor 3)

The timetable should include the necessary activities for both the audit team and, to the extent possible, the auditee’s staff and other staff in the organization being audited. The timetable showing the total resource requirement should be discussed at an early stage with the auditee to get their support for the proposed timings, logistics, the interview schedule and dates of key meetings.

Figure 5.8 shows the audit time plan at overall, activity and resource levels.

Once you have confirmed the allocation of approximately 60 per cent of resource available for the fieldwork stage, as a broad guideline, reckon on spending 25 per cent on reviewing the potential adequacy of the auditee’s control framework and 20 per cent on testing the application and effectiveness of the controls. This leaves a contingency of 15 per cent which can be allocated after the lead auditor has finished a formal supervisory review to confirm the quality of the team’s planned review and testing.

As shown in Figure 5.9, this supervisory review would normally be carried out no later than three-quarters of the way through the fieldwork stage. Its purpose is to challenge work done by audit team members, confirm the quality of the audit findings (and how well they have been documented), and confirm how the individual auditors will spend the remaining 15 per cent of time available in the fieldwork stage.

Audit logistics

The lead auditor should assume responsibility for communicating with and organizing the audit team as soon as they are appointed. Simple things can be overlooked when trying to get everybody together to start an audit:


Figure 5.9 Scheduling the lead auditor review (review and verify stage, 60% of overall time: Review 25%, Verify 20%, Contingency 15%, with the point of the lead auditor review marked)

• team members don’t know the start date (and have conflicting bookings which they cannot get out of)

• work or country entry visas not applied for in sufficient time or at all

• mandatory inoculations not obtained

• flights booked to Budapest, not Bucharest; Austria, not Australia

• local accommodation fully booked (perhaps due to a large trade fair)

• after late night arrival at airport, the taxi would not take sterling, euros or dollars.

A detailed list of items for the lead auditor to consider as part of the preparation and planning work is in Appendix 1. From November 2006, this will be available on this book’s companion website at http://books.elsevier.com/companions/0750680261

Tip – Apply to your local passport office for a second passport. In many territories, it is legal to have two passports, on the basis that you may need to send one to a foreign embassy for visas at the same time as you are travelling. Your employer will need to endorse this request in the UK.

Useful addresses for the UK Passport Agency are:

1. London Passport Office, Globe House, 89 Eccleston Square, London SW1V 1PN

2. Peterborough Passport Office, Aragon Court, Northminster Road, Peterborough, Cambridgeshire PE1 1QG

3. Liverpool Passport Office, 101 Old Hall Street, Liverpool L3 9BD

4. Durham Passport Office, Millburngate House, Durham DH1 5ZL

5. Glasgow Passport Office, 3 Northgate, 96 Milton Street, Cowcaddens, Glasgow G4 0BT

6. Belfast Passport Office, Hampton House, 47-53 High Street, Belfast BT1 2QS

7. Newport Passport Office, Olympia House, Upper Dock Street, Newport, Gwent NP20 1XA

Application forms for UK passports are available from main post offices or from www.passport.gov.uk

Develop a work plan

Each audit requires a work plan. The work plan is a separate, tangible deliverable which, although initially created during the set-up stage of the audit, will be actively used by the lead auditor to allocate and manage the resources in the audit team to the best effect. The work plan assigns particular work items (the selected risk areas for review and verification) to those members in the team who have appropriate knowledge and experience. Progress against the work plan should be monitored by the lead auditor in terms of the quantity and quality of the review and testing work done during the fieldwork stage. It also helps to keep the conduct of the audit on time.

The lead auditors will use their own, and the team’s, good understanding of the main corporate, departmental and operational opportunities and risks to start the process of creating a work plan that will be the focus of the audit team’s efforts throughout the fieldwork stage.

Creating an appropriate work plan is an analytical and speculative process in which the whole team participates. It is done by identifying initially those situations that may arise either in the business environment surrounding the organization or within the operational activities of the organization, and subsequently have an impact on the achievement of the organization’s business objectives. The team must then select those subprocesses and business activities in the area being audited, upon which the success of both the auditee’s area of accountability and of the overall organization, is most reliant.


Experience has shown us that particular business circumstances tend to increase the likelihood or impact of risky or opportunistic situations arising in an organization, for instance:

• when even a slight deviation from the control design would result in a disproportionately major loss (e.g. signals passed at danger on the rail network)

• wherever a supply chain or business process has a link or interface, there is potential for failure due to omission (e.g. to take responsibility for a critical action) or due to duplication of effort (e.g. doing the same work twice)

• in parts of a business undergoing organizational change, it will be more likely that appropriate maintenance or amendment to the control framework will not be happening

• the sheer complexity of business today and the speed of change (often led by external events and determined by senior management) creates stress on people and on systems at all levels within the business

• frustrations can creep into personnel’s attitudes and actions if ineffective or excessive controls are not identified (if not already known about) and either changed or eradicated

• management’s knowledge about and commitment to correct control failures is often well illustrated by how they reacted previously to the discovery of poor performance or operational losses. Failure to assist with the identification, measurement and mitigation of such poor performance or loss would be a cause for concern.

These possible risk areas are illustrated in Figure 5.10.

Figure 5.10 Known risk areas (areas shown: Actual losses; Potential for major loss; Links and interfaces; Organizational stress; Over/under controlled; Reorganization)


The business activities selected by the audit team for inclusion in the work plan must always be challenged by the lead auditor, in terms of asking ‘why will the results of reviewing these activities form a significant and relevant part of my audit team’s assurance to management?’ This type of challenge process will result in the identification of the most important business processes to be reviewed and tested.

Tip – Assess each ‘risky’ situation that might occur by validating it in terms of how many main business objectives will be directly impacted, should the exposure to risk become an incident. Use the reference codes created during the familiarization with the auditee’s organization for the corporate and operational business objectives (e.g. C1, D2 or M3).

The coverage of every audit is restricted in the number of discrete business activities which can be put in the work plan by the time available to review the reference framework and test the underlying controls fully. To be clear, there will always be more potential risk areas than there is time to fully review and verify them. With this restriction in mind, the content of the work plan must be finalized by the lead auditor before the in-depth analysis and review of the reference framework is started. This finalization includes a review of the sample selected to determine that the scope of the ToR has been adequately covered.

A-Factor 35: The work plan is, and should remain, a dynamic tool which is continuously referred to by the lead auditor. It should be adapted to take account of discoveries made by the audit team in the review process.

For example, the review work may unearth a major area of risk not previously considered which may have to replace an item already in the plan.

Developing an interview strategy

For each of the risk areas included as a work plan item, it is necessary to:

• identify the people who are involved with the relevant business activities (from Board level down to operations)

• decide what type of documentation is likely to be needed to reflect application of the relevant control framework

• be clear on how, when and where the activities are carried out.

A useful audit tool for all auditors is a reference or map of each of the potential interviewees to a list of the risk areas selected. Of course, we cannot be certain of their actual involvement until we meet them, but the likelihood of them being able to contribute to the audit team’s review of each risk area will usually be seen from their position in the organization chart, or their job title. This process not only helps the audit team to cover the most ground at each interview, but it also helps allocate responsibility for particular work plan items to individual auditors efficiently.


Work plan items: R1. Local contractors; R2. Work plan & estimate; R3. Bidding extra work; R4. Crew mobilization; R5. Flowlines / hook up; R6. Drilling services; R7. Emergency jobs; R8. Preventive mtce.; R9. Health at camp

Interviewees (site and head office): Site manager; HSE advisor; Wks coordinator; Senior QA eng; Materials coord; Planning engineer; Proj Eng design; Pr manager; Corp planner; Welding engineer (QA); Medical officer; Senior Q system; Corp QS (HSE); HSE manager; Contract manager; General manager

Figure 5.11 Mapping work plan items to interviewees

Figure 5.11 illustrates how this mapping may look, with work plan items along the top (indexed on the left), and interviewees down the side. Each ‘tick’ represents a probable requirement for an interview. By looking across each line, an auditor can see the areas to be covered with each individual at an interview.

Prepare the right questions to ask 

Once individual auditors know which work plan items they have been allocated by the lead auditor, they can start to create effective interviewing agendas and questions.

Since each work plan item must be reviewed and tested individually, the responsible auditor needs to decide the best approach to take to obtain the most information out of each interviewee.

A-Factor 36: Time constraints and the need for audit efficiency mean that the auditor should not set out planning to ask questions about every control element of the reference framework. They need to decide which of the control elements are critical as a basis for good risk management of the business activity being audited.

For example, as illustrated in Figure 5.12, project management activities are critically reliant upon good organizational controls such as designated project manager and project team members, authorized budget, management control systems, and management review controls such as project steering committee and committee minutes.


Work plan item: Key project to develop new market

Risk(s): Failure to increase sales / profits; Too late or expensive; Too difficult; Loss of reputation within industry

Expected business control framework: Policy; Organization; Procedures; Supervision; Review and appraisal

Questions shown: Has feasibility been approved? Is accountability clear? Have resources been provided? Has an achievable plan been prepared? Is there a steering / review body in place to authorize continuation at milestones?

Figure 5.12 Selection of key business control framework elements

By approaching each work plan item in this manner, an auditor will be able to prepare themselves in an organized way:

1. Create direct and appropriate closed questions (i.e. which can be answered ‘yes’ or ‘no’) to establish which controls in the selected elements of the reference framework are expected to be applied to manage the risks arising. Answers will often be provided by corporate policies, local legal obligations and senior levels of management’s statements.

2. Prepare a series of related open and closed questions for each of these expected controls to confirm the extent to which such controls are actually in place within the auditee’s organization.

3. Ask these questions in an appropriate way to individuals at various levels and with different responsibilities in the organization. Their answers will give the auditor information about whether these key controls are known about and how well they are understood, implemented, checked and reviewed from top to bottom or across departmental boundaries in the same organization.

4. Confirm whether these controls are being applied as designed and to what extent their application is effective by further interviewing, detailed examination of documents, observation of activities and verification of assets.

By preparing a set of questions and then inspecting documents and interviewing individuals at different levels in the organization and at different stages of the work cycle, the auditor will be able to quickly establish the extent to which the expected reference framework has been adopted within the auditee’s organization and if it is effectively supporting the achievement of its business objectives.


Pros…

• Saves time = quick start

• Expert’s questions

• Full coverage of subject area

• Lends appearance of credibility

• Detailed and complete

Cons…

• Blinkered approach

• Limits auditor’s thinking

• One size does not fit all

• May not understand what the question is trying to find out

• Questions done = audit done

Figure 5.13 Pros and cons of standard questionnaires

Standard audit programmes and/or control questionnaires may be useful tools to avoid reinventing the wheel. However, such generic audit aids have advantages and disadvantages that must be carefully weighed. Generally they must be adapted to reflect the actual environment encountered and hence become appropriate to the particular business activities being audited. That takes time!

Figure 5.13 summarizes some of the pros and cons of standard questionnaires.

Audit working papers and the audit file

The lead auditor and the audit team members need to be well organized to record the information obtained during the fieldwork. It is quite normal that the rules for the retention of audit working papers and the final audit reports are specified by the national legislation, or in audit codes adopted in the country or organization where the audit is being carried out.

Figure 5.14 shows an example document retention schedule which was developed by the UK National Archive. It sets out maximum periods for retention.

As soon as the audit work plan has been approved by the lead auditor, each auditor in the team should open audit finding working papers (AFWP) for each item in the work plan for which they have been assigned responsibility to carry out the fieldwork and report back to the team and lead auditor.

On pages 128–129, there is a sample AFWP. This particular document is representative of a form used by the authors, and is commended.

From November 2006, a copy of this will be available on this book’s companion website at http://books.elsevier.com/companions/0750680261

These AFWPs will be actively used by individual auditors to record:

• the title of the risk area for audit

• the initial justification for including the business activity as a work plan item

• which controls are expected in the reference framework


Model retention schedule from UK National Archives 2003 website

Record: Disposal after…

Reports
Audit reports with examination of long-term contracts: 6 years
Fraud investigation papers: 6 years after legal proceedings
Other audit reports: 3 years

Undertakings
Terms of reference: 3 years
Programmes/plans/strategies: 1 year after last date of plan
Correspondence: 3 years
Minutes of meetings and related papers (inc. Audit Ctee): 3 years
Working papers: 3 years

Other records
Internal audit guides: When superseded
Procedure manuals: When superseded

Figure 5.14 Audit working paper retention guidelines

• details of evidence of strength and weakness obtained from the reviewing and verification work

• logical support for any control weakness identified

• the specific impact of the identified control weakness on the organization’s objectives

• the root cause of the control weakness (if identified)

• evaluation of the significance of any control weakness

• recommendation for appropriate remedial action

• a space for response or reaction by the auditee.

Each audit will have a master audit file, containing all the audit records. This will be retained for a period agreed upon after the audit. The audit file should be structured to enable the auditors to find documentation easily at every stage of the audit. Individual auditors will have preferences about naming the various sections of the file; however, a simple document referencing system, with an index at the front of the file, should be used.

A-Factor 37: Each audit will have a master audit file, containing all the audit records. This will be retained after the audit for an agreed period.

A-Factor 38: Before the time available for the set-up stage runs out, each auditor should have a series of individual agendas for their first interviews ready, together with lists of appropriate questions which will enable them to start the next stage of the audit.


6 Review and Verify

Introduction

As described in Chapter 1, ‘risk’ can be defined as anything – opportunity, threat, activity or event – with potential for impact on the achievement of the organization’s business objectives. Risk may thus be perceived as being positive and helpful to the organization – ‘up-side risks’, or alternatively be believed to be a negative exposure to be avoided – ‘down-side risks’. We have additionally referred to the characteristics of these risks elsewhere as of ‘value creation’ and ‘value protection’ respectively.

An essential first step for any auditor is to identify and consider significant risks in the context of the host organization’s business environment. As we have seen, the business environment is turbulent – ‘more things will change in the next ten years than in the previous 100’. It is probably in a permanent state of flux as a result of dynamic changes in the political, economic, legal, social or technical perspectives or otherwise.

As described in Chapter 5, auditors use a process for identifying a sample of potentially significant risks for inclusion in an audit work plan. Auditors estimate the significance of identified individual risks (e.g. by using a risk assessment matrix to qualitatively assess the significance of each identified risk area), and their relationships to each other. We have suggested three questions that invariably assist auditors (they may assist management too) to decide the significance of the identified risks:

• How often will this happen (likelihood)?

• How big could the impact be (severity)?

• Who is likely to be impacted by an occurrence (which of the stakeholders)?

The authors have commended that HSEQ auditors focus upon the relative position of risks in the risk matrix – a useful discipline is to focus on the top 10–20 risk areas.

Whilst there are many quantitative risk measurement, evaluation and estimation methodologies and software toolkits available to assist with this, our experience gained over many audits suggests that unless absolutely necessary, it is wise to avoid the ‘numbers game’. Quantitative methods are usually better suited for use by risk managers within organizations, charged with dynamically recording the significant risks, aspects and impacts and prioritizing these for subsequent improvement.

Tip – For an example of risk-ranking software available, readers could refer to www.crsrisk.com for a useful downloadable toolkit.


However risks have been identified and prioritized, Chapter 2 explains why the greater the risk (i.e. the greater the value of the opportunity, or the greater the value to be protected from threat), the more resilient and reliable – and more emphatically set at the heart of the organization – any framework for risk control should be expected to be.

Chapter 3 describes how to plan a programme of organization-wide audits, which provides assurance through the appointed audit committee, and Chapter 4 provides an overview of The Audit Process Roller Coaster ©, the vision effective lead auditors should have in their mind.

Chapter 5 describes how to set up a particular audit, concluding with the development of a work plan for any particular audit.

A-Factor 39: Understand that we base our overall audit opinion on the efficient and structured control of the risks in our work plan, which was selected because of the potential risks to the achievement of the organization’s objectives.

This chapter will explain, with examples, how to reliably and effectively establish the actual system (review) for business control in the auditee’s operations, and then verify (test) how well it works.

In this chapter, we enter the steeper part of our planned descent from the top of The Audit Process Roller Coaster ©. As stated earlier, we call this the ‘top down’ approach to auditing.

Top down – the controlled descent

Our model for audit referred to throughout the book is The Audit Process Roller Coaster ©. Earlier (Chapter 5), we described how to try to ‘stay at the top’ of the first slope as long as possible throughout our audit set-up stage, even though we know that an auditor’s enthusiasm to get started on the audit (like an invisible but powerful force, akin to gravity) inexorably tries to pull us down from our high-level view of the organization into ever finer detail.

We will have plenty of time to look at detail later (if we continue to plan our audit well). Our controlled descent is very focused onto the risk areas we have selected in our work plan – it is as though we are ‘guided by the rails’ of the metaphorical rollercoaster.

A risk-based audit is not a low-level compliance check. For each selected risk area (i.e. high gross risk as explained in Chapter 1), the auditor is looking for reliable evidence of planning, implementation and monitoring procedures of the management and how continual improvement is sought (a structured means of control – ‘PDCA’).

Applying an OHSAS 18001:1999 approach, this would mean development and deployment of occupational health and safety policy specific to the particular organizational risk selected, clear and transparent planning for control of the specific risk, implementation and internally assured operation of the selected control framework, timely checking of how these controls work in practice (such as site supervision), with corrective action if and where gaps may be noted, with a scheduled management review to provide longer-term assurance and to promote and drive continual improvement, as expressed by the primary clauses in the standard:

• OH&S policy

• planning

• implementation and operation

• checking and corrective action

• management review.

Drilling down into the facts ‘top down’ in the selected risk areas focuses the auditor’s attention on the work plan sample, rather than those risks which may often present themselves as symptoms of a basic loss-of-control (basic causes) during the conduct of the audit, e.g. as sometimes spotted on the plant tour or a management walk-about.

In this latter case, it is all too easy for the inexperienced auditor to report the facts as found, set in a long list of low-level findings, tantamount to hazard-spotting. In our judgement, these are not audit findings, and they are characteristics of the past, not the future:

• worker not wearing hard hat, and/or high-visibility jacket

• paper cup in the metal recycling container 

• yard not swept

• box on form not signed

• a ladder ‘abandoned’ in the yard

• bund not pumped free of rainwater.

In our opinion, these are purely symptoms of a possibly greater issue for management’s attention – in these cases possibly ‘ineffective supervision’. But again, we are ahead of ourselves.

Case study

An audit at an organization highlighted a mutual aid arrangement with its competitors in the event of an emergency, for example fire or spillage. The auditors were advised that fire fighters would be brought with all their equipment to the affected site by helicopter, ready to respond. In verifying this system, it was discovered that the connectors for refilling the competitor’s self-contained breathing apparatus (SCBA) tanks were incompatible. After a 30–45 minute helicopter transfer, the only air available was that in the tanks brought to site – possibly 20 minutes – as refilling by the host organization was not possible.


Review and verify 

We plan for the review and verify stage of an audit to take 60 per cent of the total audit time. So in the conduct of a two-week (ten working days) audit, this will take six days and can be further broken down into:

• review – 25 per cent (2.5 days) and

• verify – 20 per cent (2 days)

plus an allowance for contingency of 15 per cent (1.5 days).

The contingency allowance is important. It gives the lead auditor, or an auditor, time to go back and check, or take a larger sample size (e.g. to speak to more people or review more documentation, in order to confirm matters about which they are not sure).

These elements are detailed below.

Review 

The review stage commences with our use of the audit work plan, which comprises a sample selected by the audit team of potentially high (gross) risk areas. It is upon this sample that the audit team will later base the overall audit opinion.

It is these risk areas that have been chosen for review and verification against the selected reference framework, and the work plan guides all the subsequent auditing activities.

An audit is similar to any other type of project, and it should be managed as one with a carefully thought-through time plan. The review stage as described above, usually takes around 25 per cent of the total audit time. This is shown in Figure 6.1.

A-Factor 40: Manage an audit as any other project, with careful time planning, including an allocation for contingency.

Audit finding working papers

The review stage commences with the preparation of an audit finding working paper (AFWP) for each risk area in the work plan. We have presented an example of an AFWP on pages 128 and 129, and this can be freely copied to assist with audits. The number of boxes, section titles and so on are not absolutely prescriptive, but we have found in our work as auditors that this format works very well, as it presents a logical (structured and repeatable) auditing process, with a complete and detailed record of the auditing work.


Figure 6.1 Time plan and activity summary - Review stage (review and testing stage, 60%: Review 25%, Test 20%, Contingency 15%, with a supervisory review; activities shown against auditor’s time and auditee’s time: advising colleagues, preparing documents, interviews, progress meetings, reading documents, conducting interviews, developing findings)

We have also included sample AFWPs – both blank and completed – on the book’s companion website. From November 2006, these will be available for download from http://books.elsevier.com/companions/0750680261

With the downloaded versions an auditor can, if they wish, make minor amendments to our forms to suit their own preferences. When you type into the boxes, the suggested boxes extend to contain the text wholly.

Figure 6.2 shows our audit thought process, highlighting the connection of the review stage to the business environment, the business objectives, and the risks.

 AFWP – step one

Give the AFWP a ‘working title’, as per your audit work plan.

 AFWP – step two

The next step – the second box of the AFWP (see p. 128) – is to confirm to the management why we have selected this particular risk area as significant and worthy of a portion of our and their time for review and verification. This second box is very important. For those readers who may have an insurance background, this is akin to a possible maximum loss (PML) scenario, where ‘worst case’ is considered. Some readers may have involvement in emergency exercises. Likewise this is similar to the disaster scenario which may have been selected as the trigger for response and recovery.


[Figure: flow diagram of the audit thought process. Labels: Organization’s environment; Business objectives; Risks; Expected control framework; Review; Compare; Actual control framework; Verify; Applied? Effective? Gaps?; Residual risk; so what?; Findings; Draft report & presentation; final report. The diagram embeds risk assessment matrices plotting consequence of an incident (People, Assets, Environment, Reputation; increasing severity) against increasing likelihood.]

Figure 6.2 Audit thought process, showing Review stage

For example, we may write in Box 2:

‘A small, contained explosion in the tank farm will disrupt operations, and lead to adverse media reaction. A large, uncontained explosion will terminate – perhaps permanently – operations on this site, and impact significantly on the neighbouring industrial and residential occupants and the company’s own deliveries to customers.’

Do keep it reasonably credible, and explain the scenario clearly. It is unlikely that any management team (or audit committee) will believe ‘Thousands may die as machine guard fails’.

If applicable, we can also refer to specific business objectives, e.g. ‘to avoid adverse media coverage’.

Also consider re-reading Chapter 5 to review the need for familiarising yourself with the auditee’s business objectives and their significance in determining ‘risk’. Re-read the Tip on page 94 to enable you to save time by using your own set of reference codes for the business objectives.

AFWP – step three

With the AFWP, our third step is to set out clearly (for ourselves and our auditee) our considered expectation of a structured means of control per risk area. Start by selecting a key set of controls, without which our opinion would be of inadequate control. Record this set of controls in the third box of the corresponding AFWP. It depends which framework we are using in our audit and how this may be expressed, but as we know, the general framework of PDCA will guide us.

For example, if we have selected ‘explosion at tank farm’ as a significant risk, we may have a basic expectation (based on PDCA) as follows.

Plan

A specification for the tank farm based on national/international design codes.

Fire alarms and fixed fire suppression systems.

Safe systems of work, based on detailed risk assessments.

Trained, competent staff and supervision.

Do

Safe systems of work implemented.

Incidents, accidents and near-misses reported.

Check

Active supervision on all shifts.

Non-compliances identified, investigated and rectified.

Act

Regular management reviews of performance.

Learning incorporated into future plans and targets.

We do not aim or claim to have identified every expectation, and while this is a very basic example, we trust the reader could extrapolate this approach into a future, interconnected series of expected controls for other risk areas, either against other specific risk control frameworks, or against PDCA.

We give one further example below, this time against OHSAS 18001:1999. Again, we do not claim to have identified every expectation. Note also how the formal headings from the standard could be aligned (in an auditor’s mind) to PDCA.

Example: Work plan item ‘Asbestos Exposure – Maintenance Team’

OH&S policy

A written statement of health and safety policy, signed by a member of the top management within the last two years, which has been communicated to all staff, expresses awareness of asbestos as a possible health risk to workers, and commits to minimizing this risk.

Planning

An asbestos management plan which is up to date, and identifies all possible asbestos exposures. This may include laboratory sampling to identify crocidolite, amosite, chrysotile and other asbestos fibres. In the absence of sampling, the plan should identify possible asbestos-containing materials (ACMs), and these should be treated as though they are asbestos until proved to the contrary.

Asbestos-containing materials scheduled for regular, planned inspections to observe any deterioration in their condition.

Selected ACMs (e.g. in locations near forklift truck entrances, where they could be easily damaged), and those which have already deteriorated should be scheduled for safe removal.

Affected staff scheduled for asbestos awareness training.

Plans for contractors to be briefed.

Implementation and operation

The OH&S policy is clearly communicated to workers – records available.

Asbestos management plan is up to date.

Affected staff have received asbestos awareness training – records retained.

Contractors briefed – records retained.

Selected ACMs taken from site by authorized contractors to approved disposal sites.

Waste disposal records retained.

Checking and corrective action

Regular ACM inspection records.

Periodic review of records for all potentially affected staff and contractors to ensure training/briefings have been provided.

Management review

Planned reviews at regular intervals by top management on how the organization is delivering upon its commitment to asbestos safety set out in its OH&S Policy.

A-Factor 41: This preparation of the expected control framework is done (probably) before the site work commences, but is essential for focusing the auditor’s questions during the review and the testing in the later verification stage.

Tip – On preparing questions for interviews: know what you want out of a meeting before you go in. You (the auditee and the auditor) are both busy, and keeping to the point is essential. An agenda that shows the risk-activities to be discussed – particularly when meeting with senior and middle managers – can really help.

As can be seen, each of an auditor’s ‘expectations’ can be checked in turn against the documentation and systems established at site level, and as described by the site management – i.e. ‘this is how we expect it to be done here’ – during our series of planned interviews.

The audit thought process (see Figure 6.2 on page 117) provides a useful pictorial revision of the first steps of any audit, but then – in its highlighted horizontal aspect – shows the nature of the comparison between the auditors’ expectation (based on the applicable reference framework) and that which management have established for their operations.

At this point, we need to highlight the possible differences in approach between:

1. audits of ISO-type, where the review may be between the expectation caused by and set out in the applicable clause of the standard, and the organization’s requirement in its own manual/documentation, and

2. our risk-based approach where we are focusing on structured control of selected significant risks using a reference framework.

ISO-type audits

The former can become a binary process – and the approach needed if there is no defined expectation (refer to Chapter 2).

Risk-based audits

In the latter case, the review process can become more intellectual (and for an auditor, much more rewarding). It requires judgement on behalf of the auditor to decide the right mix and the right elements for control that should be present, and then consulting with the auditee and agreeing they should be (and are) there.

NB – We have noted clause 4.4.6 in ISO 14001 and OHSAS 18001 which draws management’s attention to operational controls. Properly, these operational controls should be based upon the significance tests set out in clause 4.3.1, and are thus themselves risk-based operational controls.

Sources of information

As we have seen, the well-prepared auditor will already have much relevant information at his disposal, gathered and sorted at the set-up stage. The importance of developing and then using a good filing system for the paperwork cannot be overstated. Being able to find particular documents when they are needed is vitally important. Few things appear worse than an auditor who cannot find the source of the facts.

The auditors may have seen, for example:

• table of contents from applicable manuals

• training matrices

• job descriptions

• example work methods/risk assessments.

Collectively, these documents obtained from the auditee before the audit starts may show the site has thought about its own risks and addressed them with a collection of controls. Of course, much more information will (usually) be available to the auditors when the team is actually on site. It will probably have access to:

• organization’s archive records – reading

• organization’s library of standards and procedures – reading

• people actually doing the work – observing

• staff for interview questions – asking

and so on.

Each of these approaches for gaining information has pros and cons, and provides different information on management’s desired approach to control.

Reading 

Reading documents – if they are up to date, and not too long (!) – can be a very illuminating source of information at the review stage.

A key drawback is that in many organizations, the documentation can lag the current practices. By ‘lag’, we do not mean non-compliance, which is discussed later. What we mean is that the documentation does not reflect the possibly newer practices in the organization. This may be the situation because with ‘continuous improvement’ activities within organizations so prevalent (‘change is the only constant’), the written system has not kept up or cannot keep up with the work in the field. What’s also true, and a common drawback, is that in some organizations, the drafter of the system has decided ‘why use one page when a hundred-and-five will do’. Even at this early stage, we may have found a possible area for useful comment to management if this were to be so!

Tip – If you are given a 105 page document to read, look through the table of contents and the section headings. You’ll get a feel for the document, and probably, where the sections relevant to the work plan may lie.

Observing 

Observing can be a very powerful method of learning how work should be done.

A useful question for an auditor is ‘can you tell me/show me how you should do x?’ A trusted member of the organization’s staff will then usually demonstrate the designed system in its application.

A key drawback here is to slip into a testing mode and decide too early that ‘someone is doing something correctly/incorrectly’. At this stage, we are simply trying to compare (and write down for later testing) management’s chosen system with the expectation we have developed on our AFWP.

Tip – Don’t be frightened to ask someone to ‘do it again’ when learning by observing. It is important that auditors understand how work has been designed during the review stage.

Asking

Asking too can be a very powerful method of learning how a task should be completed.

‘Do you have a procedure for x?’ or ‘What method have you been trained to use for y?’ are good questions at this stage; again, we’ll be testing later whether it works (or not).

If one person from the management team gives a ‘wrong’ answer – i.e. different from our expectation – it does not per se give an auditor an audit finding. When we test the system in application later, we can decide then whether this ‘wrong/different’ system of control gives reasonable output of control (or not).

Tip – Remember that ‘auditors are from Missouri’. Let us explain.

In the US, states have nicknames – Florida is the ‘sunshine state’; Texas the ‘lone star’ state; New York the ‘big apple’ and so on. Missouri is unofficially known as the ‘Show Me’ state (Figure 6.3), though there are several different explanations as to the origins of this. Two of these are summarized below.

Figure 6.3 Missouri ‘Show Me’ state licence plate

Version 1: Missouri became known as the ‘Show Me’ state in 1899, when Congressman Willard D Vandiver said, ‘I come from a country that raises corn and cotton and cockleburs and Democrats, and frothy eloquence neither convinces nor satisfies me. I’m from Missouri. You’ve got to show me.’

Version 2: Another version of the ‘show me’ legend places the slogan’s origin in the mining town of Leadville, Colorado. There, the phrase was first employed as a term of ridicule and reproach. A miners’ strike had been in progress for some time in the mid-1890s, and a number of miners from the lead districts of southwest Missouri had been imported to take the places of the strikers. The Joplin miners were unfamiliar with Colorado mining methods and required frequent instructions. Pit bosses began saying, ‘That man is from Missouri. You’ll have to show him.’

Whichever version of this you may prefer, remember to ask – at the review AND the verification stages – to see the relevant procedures, methods and forms you are told are important to the effective control of the particular risk. This can sometimes feel repetitive, and has even been known to annoy auditees who, at times, feel they are not being believed.

Tip – A great way to put your auditee’s mind at rest is to briefly explain the Missouri story at the start of an audit interview. That explains why, as an auditor, you will want them to ‘show me’ the essential requirement (i.e. their expected control framework and related documentation) each time.

It may sound like motherhood, but unless you ask the right questions, you won’t always get the most useful or actionable information. For example, too many companies use satisfaction surveys that are constructed to answer questions based on their own hierarchy of needs, i.e. ‘What do we want to know?’, rather than ‘What does the client see as important?’. – Carey Evans, Relationship Audits & Management, London.

Case study

In 1998, we conducted a pre-audit on an Asian airline that wished to become certified to ISO 14001. We spent two weeks in-country looking at airport, airside and maintenance operations.

During our work, we had already decided to conduct a water balance because in a dry country (as it was), water (even then) was seen as a scarce resource. It was selected as an example of a sustainability opportunity.

In our review, we hypothesized that all the water purchased by the airline as a raw material would approximately balance with the water ultimately leaving the organization. Of course, aircraft cooling systems and toilets are filled with water and then fly away. But a corresponding number of aircraft are filled with water and fly back. A water balance is a recognized tool, and can be applied in most audit settings.

From paid water supply invoices, we soon knew the value paid and hence could calculate the volume. We set about seeking its path through the organization to its disposal point. We looked at aircraft washing, aircraft systems, catering, toilets, and cleaning. Within a day, we knew that a lot (90 per cent) of the purchased water was ‘missing’.

We considered various options:

1. Were employees stealing it and taking it home?

2. Were there leakages in the underground pipework systems?

3. Had there been a site subdivision, and was someone else receiving water without paying for it?

4. Were the water supply bills incorrectly totalled?

5. Were our calculations incorrect?

We asked a lot of questions to resolve this but will merely summarize the outcome of this part of the pre-audit project.

The answers to the above five questions were – 1, no; 2, probably but not significantly large losses; 3, no; 4, no; and 5, no.

What we discovered in our verification was that the incoming water was measured by a linear flow meter, approximately twenty years old. There was no evidence that it had been calibrated, and now when one cubic metre of water passed through the meter, it spun like the office fan! Approximately 500 per cent over-readings were the result, and approximately $20 000 USD equivalent the (annual) saving for our client. We were also able to provide the underlying information that resulted in a negotiated settlement for a one-off refund of $20 000 USD to cover all past errors.

When we checked in at the airport to come home, we were upgraded to First Class. Clearly our client had appreciated our audit on this occasion! And we are able to tell you about the experience here.

Three months later, the client achieved ISO 14001:1996.

Ultimately, there are two main possible outcomes that we can expect from the review process.

Possible review outcomes

There are probably two main outcomes of the review process for each risk area in the audit work plan:

1. the framework’s design may appear to provide reasonable assurance, or

2. the framework’s design may appear not to work as intended – there may be a gap between the actual framework in place and the management’s expectation.

Either of these outcomes (our opinions) is good information. Remember that audit is not about finding things wrong – remember I Will Audit:

• I – An independent assessment of the control frameworks.

• W – An opinion that the control framework is well balanced – between levels of risk and degrees of control.

• A – With the overall appropriateness for this organization.

Accordingly, either of these outcomes will be included in step 4 of completing the AFWP, which will be described later.

An example of an AFWP appears on the following pages, though in practice they are a two-sided sheet. These are blank pages, which can be photocopied for use in your own audits.

By this stage of the audit process, the first three boxes should have been filled in, at least in draft:

• title of work plan item

• risk and reason for selection

• expected framework of controls.

We have included a number of sample AFWPs – both blank ones, and examples of completed ones for reference purposes on the book’s companion website. From November 2006, these will be available for download from http://books.elsevier.com/companions/0750680261

As we progress through our work plan, completing our comparison between the expectation for control created by the appropriate parts of the reference framework and the organization’s own selected controls, we can start to populate Box 4 on the AFWP. As shown, auditors should do this reporting both positive (+ve) and negative (−ve) facts, based on the information gathered, and cross-refer to our other working papers as necessary.

Tip – Do not refer to individual interviewee’s names in audit working papers or reports. Do not divulge ‘who told you’ that something works or not. From following our methodology, anyone would be able to follow in our footsteps and may come to a very similar conclusion to the one that we did. We suggest that you refer to documents (title, reference number, etc.) and insofar as people are concerned, stick to ‘the audit team were told that …’. This of course also allows you to maintain the confidentiality you may have promised respondents. If ‘everyone’ told you something – good or bad – a useful term to use is ‘Everyone we spoke to told us that ….’

When we are sure we have established how the site’s management requires its employees to manage the risk areas we have selected, we can commence our verification (or testing) stage.

Verify 

Once management’s framework for control has been established by the review process, the next stage for the auditor is to verify it (or test it) in operation.

[Figure: flow diagram of the audit thought process. Labels: Organization’s environment; Business objectives; Risks; Expected control framework; Review; Compare; Actual control framework; Verify; Applied? Effective? Gaps?; Residual risk; so what?; Findings; Draft report & presentation; final report. The diagram embeds risk assessment matrices plotting consequence of an incident (People, Assets, Environment, Reputation; increasing severity) against increasing likelihood.]

Figure 6.4 Audit thought process, showing Verify stage

As shown in Figure 6.4, there should be a very clear linkage between the results of review and those controls or BCF elements that can be selected and now verified. As auditors, having established management’s preferred (or chosen) control framework, it is very important that we verify/test that it actually works as intended, and if not, to try to assess the significance of the residual exposures to the achievement of the business objectives. It is upon this verification that we can give our assurance (or not) both to the auditee in our ‘no surprises’ meetings and at the final exit meeting, and to the audit committee in our final report.

There are three possible outcomes to the verification step.

Possible verification outcomes

There are probably three main outcomes of the verification process for each risk area:

1. the activity/work is controlled as designed

2. controls are not implemented, leading to unauthorized exposures and/or inadequately controlled risks

3. control is implemented as designed, but is still not effective at controlling the specific risk adequately.

Again, any of these outcomes is good information to progress the audit. Remember, auditing is not about finding things wrong.

AUDIT FINDING WORKING PAPER (AFWP)

Box 1 – Work Plan Item (Descriptive Title/Reference No.)

Box 2 – Risk(s) (Refer Business or Process Objectives which may be affected)

Box 3 – Risk-based Business Control Framework Expected (Main expectations, according to ToR’s Reference Framework, or PDCA)

Box 4 – Identified and Proven Status of Control (Both +ve and −ve examples from Review and Verify stage – Refer to documents, interviews and examples)

+ve

−ve

Box 5 – Specific Impact – Significance of Control Weakness (in terms of the effect on relevant Business Objectives)

Box 6 – Failing Business Control Framework Element(s)

Box 7 – Root Cause

Box 8 – Weakness Level: Serious / High / Medium / Low

Box 9 – Recommendation/Corrective Action (SMART)

Box 10 – Auditee’s Response

Prepared by (auditor) and date: Reviewed by (lead auditor) and date:


A-Factor 42: I Will Audit (Independent, Well-balanced, Appropriate) given the needs of the auditee’s organization.

Control works as intended

Audit verification can often show that the intended system has been communicated to operators, and actually works, based on the sample we have taken.

Tip – As an auditor, remember to remind your auditee that you are not giving a 100 per cent guarantee that this system has and will always work with absolute reliability – you are not! But you can advise that it works as tested. We call this ‘reasonable assurance’; the more time we can give to testing, the more confidence we have in the assurance.

Tip – We can also leverage our testing sample by reference to and reliance on others’ audit work, in which case we need to verify their processes.

Control is not implemented, so does not or may not work as intended

In the alternative, the audit verification may show that whilst authorized procedures are in place, the control framework is applied differently. This may or may not give cause for concern since the actual control may be more cost-effective, or in the structured means of control there is a compensating control which is making up for the apparent control failure.

Tip – When such compensating controls are identified, the lead auditor should satisfy themselves that the auditee both knows about the situation and has an action plan to either reinstate the authorized control framework or revise it. Often, compensating controls are found in the supervisory control element because ‘loyal employees’ recognize the shortcomings of implementing the approved BCF and out of professionalism or the ‘goodness of their hearts’ do things to ensure a successful outcome, i.e. employees are not injured. Clearly, in these circumstances, the audit finding will be reported for urgent management attention.

Tip – Telling an auditee that the staff is working well and doing a good job (if this really is true!) is always well received in our experience. If they have thought about their work, and have improved it, all that may be necessary is to bring the documented system into line with what is actually happening, at a low or nil cost in most circumstances.


Control is implemented as designed, but not effective

Thirdly, management’s controls may be implemented as intended. However, to give a reasonable assurance, auditors should be able to report whether or not this expected implementation, done correctly, is proving to control the identified risk adequately.

For example, an annual check that hearing protection is worn is probably too infrequent to determine the effectiveness of the policy, whilst an annual check of the cables on a goods lift may give reassurance.

Tip – Tell it as you see it. Sparing someone’s feelings does not enhance your credibility, it can only undermine it. But of course there are techniques to deliver bad news without shutting down the audit!

A-Factor 43: To check for controls in place = verify implementation and effectiveness of management’s expected control. For expected controls not considered appropriate or necessary by management = verify acceptability of residual exposure.

AFWP – step four

Whatever auditors find at the review and verify stage, they should write it down onto the AFWP as evidence of control (either positive or negative) in Box 4. On a hard copy form, this can be limited by the space available, whilst on an ‘electronic’ form, the text box can grow to accommodate all of the evidence obtained.

We commend auditors to give a full account of what they have found, as this will supply the facts that provide an audit trail leading to their opinion.

Tip – Tell the truth. Don’t be afraid to describe precisely what was found but don’t over-embellish a minor shortfall. Honesty is always the best policy.

Case study

Benefits of health and safety audits in a medium-sized public sector organization.

Organization: A government-funded agency supporting young people across four local authority areas, with 160 employees receiving an annual grant of around £11 million (GBP).


As part of a new government initiative to support young people, this organization was set up to support teenagers through a transitional stage in their lives. With government funding, and a statutory requirement to deliver services, this new organization had to recruit staff from a range of youth work, voluntary and private sector backgrounds in order to meet its targets.

As part of the business plan, a health and safety procedures manual, training programme, and a health and safety audit programme were introduced into the organization. Many of the staff had never experienced audit interviews before and the range of backgrounds and lack of organic growth meant that the concept of auditing was met with concern.

The health and safety audit programme focused on an inspection of the site to ensure office hazards were being correctly managed, and interviews of a structured selection of staff representing front-line staff, administrators, team leaders and managers. Managers were given a copy of the audit report and were re-audited after three months to ensure that the recommendations had been implemented.

The number of non-compliances was used as a key performance indicator for effectiveness of the safety management system.

Once the first round of audits had been completed it was possible to identify a range of benefits for the organization as follows:

• non-compliances were actioned, where previous initiatives had failed

• the audit encouraged compliance because staff knew they would be checked

• the audit reinforced company policies and procedures

• compliance could be demonstrated to regulators

• local and organization-wide problems could be identified for action

• resources and re-training could be targeted to where they were required

• by signing the report, managers understood health and safety was their responsibility

• stratified auditing encouraged all staff to consider their responsibility for safety

• the audit interviews also provided an opportunity to refresh training provisions

• the audit process improved the safety culture at the organization

• staff reported that the process demonstrated the organization was really concerned about their and their clients’ health and safety, which improved morale

• key performance indicators provided a proactive quantifiable measure of the effectiveness of the safety system.


Confirming findings with the lead auditor 

It is important that an auditor discusses and confirms their preliminary and developing findings with the lead auditor and shares them with the rest of the audit team. This is discussed in Chapter 10.

Confirming findings with the auditee (AFWP Box 5)

As areas of strength and weakness emerge, the lead auditor will wish to hold periodic ‘no surprises’ meetings with the auditee to confirm issues that have arisen in the audit, and/or seek guidance if necessary.

‘No surprises’ is a powerful technique which we commend, because:

• auditor errors and misunderstandings are identified at an early stage, when they can be corrected, i.e. confirming the facts

• missing documents, awkward interviewees and other day-to-day issues can be resolved whilst the auditors are on site

• the audit team seeks the earliest ‘buy-in’ from the auditee to findings as they arise; this delivers on the pre-audit ‘sale’ of the process and shows that the audit is not a ‘secret process’

• auditees like it – they can tell their boss ‘the facts’ and ‘the progress’ and share (if given) the early good news or start to develop corrective actions if appropriate.

Tip – Use the power of ‘no surprises’, even on a short audit. Even if the audit takes one day, take lunch or coffee with the auditees and talk with them about what has been found, and how the work is progressing – you’ll be glad you did!

A-Factor 44: The best recommendations auditors ever make are those that have been agreed upon with the auditee. The best chance of gaining agreement arises from bringing the auditee on their side at the earliest possible opportunity.

In Chapter 7, we will gather and group together our detailed findings to present to the auditee. We call this the ‘bottom up’ stage of The Audit Process Roller Coaster ©.

Sampling techniques/sample sizing

In this section, we will explain the techniques available to assist auditors to consider whether or not the management system, as prescribed, is in place, and how to intrusively (but selectively) verify it in operation.

If we wish to know how many residents of New York State watched the last Superbowl on the television, would we have to ask all 18.98 million inhabitants of the state? The answer is assuredly ‘no’. To establish how many may have watched it, we would ask a sample of inhabitants whether they watched the game, and extrapolate this to the wider population. The same would be true for political opinion polls or public opinion on likely Oscar ® winners.

Likewise, if we wish to know if all the effluent discharged is within the limits set by a consent (or permission), we do not have to spend all day down the drains! We would take a sample of water analysis results (or indeed organize a series of samples) and possibly look at the organization’s or external inspectors’ test results, and base our opinion upon this information.

As auditors, we have a variety of sampling tools and techniques at our disposal, and the merits of each are presented further on. In reality, a mix of these techniques may be used in each audit. In addition to those described, there are a broad range of mathematical, statistical and analytical tools which tend to go beyond what is required in a risk-based HSEQ audit. Suggested reading on statistical techniques is available in the bibliography.

We use and commend the following techniques:

• observation

• corroboration

• examination of records

• brown paper exercise

• independent confirmation.

Observation

A straightforward verification: watch the activity taking place and compare with the standard as reviewed. Does it match?

Tip – Auditing is not a covert exercise and therefore auditors should tell the auditee which activities they would like to observe and at which stages of the process. You should ask the auditee to advise the appropriate site supervisors that you will be attending at a particular time on a particular day. As soon as possible after you arrive at the work site, appropriately clothed and with the requisite personal protective equipment (PPE), you should introduce yourself to the foreman or senior supervisor and confirm that they will be carrying out the activities which you would like to observe. There should be no reason why you cannot describe your test plan to the foreman and, if there is an appropriate opportunity, to the operators. Once this is done and you have checked the necessary paperwork (e.g. permits to work or operators’ licences), try to become as inconspicuous as possible so that both the supervisor and operators forget you are there observing them.


Corroboration

A very useful technique – ask several people the same question, and compare their responses.

For example – ‘In your opinion, how well was the recent fire evacuation practice conducted?’ If the practice was indeed conducted well, several people will verify this. Nine out of ten positive responses may also represent a verification (depending upon what No. 10 said!). However, if most people describe chaos, it probably was!

Tip – For note-taking – Work as a team if you can – one of you asks, and one of you writes down the response(s). It is difficult to ask, listen and write at the same time. Decide who is doing what. It is probably best if the ‘techie’ asks the ‘techie’ questions. If the reply is ‘techie’ or important, make sure the note-taker has an accurate record of what was said – ask the note-taker to read it back for agreement – yours and the interviewees’.

Tip – When you are auditing an activity which is carried out by a close-knit group of colleagues, do not be surprised if you get the same responses to the same question from each person in the work group. Generally speaking, the closer the group, the stronger the feeling of ‘them’ and ‘you’ will be. In these circumstances, you will need to corroborate (check) what they say against substantive evidence (e.g. transactional documents, procedures or reports). If you need to rely on another person’s word, then that person needs to be independent of any influence of the first group.

Case study

During an audit in Asia, an auditee told an auditor (at least) three times that the site did not have all the necessary building and planning consents for the site buildings.

The auditor was apparently too focused on his questions concerning construction materials and fire separations, and missed the main point that this ‘whistle blower’ was trying to make. The result was involvement between headquarters, senior management and site management, which led to an action plan to acquire the necessary consents before the local authorities stopped work on the site.

A-Factor 45: Learn by listening closely! There is more to hear than ‘yes’ or ‘no’!


Tip – LISTEN

• L – Look interested and it may rub off on your interviewee (enthusiasm can be infectious)!

• I – Inquire with questions which are relevant to your interviewee’s area of responsibility and/or competence.

• S – Stay focused on your interview agenda items so you cover the ground in the time available.

• T – Test your understanding of the facts by asking supplementary questions and summarizing.

• E – Evaluate whether you need to carry on reviewing/verifying a particular agenda item and, if so, where to probe.

• N – Neutralize your emotions. Do not get distracted by irritation or obfuscation.

Tip – Post-interview analysis of interview notes: use a good recording system/proforma to facilitate the post-interview analysis of the facts. Figure 6.5 illustrates a simple proforma that gives you all you need to extract from your interview notes.

Interview with:    Date:    Time:

Facts learned | Work plan item No. | +/- | BCF Element

Figure 6.5 Pro-forma for post-interview analysis

Examination of records

Organizations produce many records and documents such as:

• purchase orders

• invoices

• inspection reports

• accident records

• minutes of meetings

• contractual records

• performance appraisals

• advertising budgets

• training plans

• recruitment results

• competency evaluations

and many more.

Examining some of these records and documents – our audit sample – is almost always a good idea. An auditor should select the sample size before the sampling starts. The following table suggests example sample sizes for various population sizes.

Size of Population | Suggested Size of Sample (%)
2–10 | 100
11–25 | 50
26–100 | 25
101–500 | 10
501–1000 | 5
1000+ | 1–2

An alternative statistical approach, and easier to remember, is a ‘square root sample’ – if there have been (say) 144 accidents, a reasonable sample size is the square root of 144, i.e. 12. Take the individual records of the sample from different places in the sequence (i.e. not the most recent twelve, or the earliest twelve). Random number generators (on some mobile telephones today), or random number tables can be used to identify a random sample, but in most cases we do not think that this is necessary.

As you get more used to creating an appropriate sample, we commend that you add or subtract from your original sample size and thereby ‘correct’ it – for example:

1. If the job is done by lots of people, you may take a larger sample to ensure broader coverage.

2. If you have met the only operator of a process, and you are impressed by the knowledge and expediency, you may choose to take a smaller sample.


Tip – If examining training records, an example/suggested sample may be to look at a sample structured in the following way:

• the newest starter

• the longest server

• the first alphabetically

• the last alphabetically

• the most senior employee

• the most junior.

Use numbers 1, 4, 9, 16, 25, 36, 49, 64, 81, 100 and so on (square numbers) to make up your planned sample size.
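The sizing and selection rules above, worked through as an added Python example (not taken from the book). The function names and the accident records are constructed for illustration, and two assumptions are made: fractional sample sizes round up, and populations over 1000 use the upper figure of the ‘1–2’ per cent range.

```python
import math
import random

# Percentage table from this section: (smallest population, largest population, % to sample).
SAMPLE_TABLE = [(2, 10, 100), (11, 25, 50), (26, 100, 25), (101, 500, 10), (501, 1000, 5)]
OVER_1000_PERCENT = 2  # assumption: the section gives "1-2" per cent; the upper figure is used


def table_sample_size(population):
    """Sample size from the percentage table, rounded up to a whole record."""
    if population < 1:
        raise ValueError("population must be at least 1")
    if population == 1:
        return 1  # the table starts at 2; a single record is simply examined
    for low, high, percent in SAMPLE_TABLE:
        if low <= population <= high:
            return -(-population * percent // 100)  # integer ceiling
    return -(-population * OVER_1000_PERCENT // 100)


def square_root_sample_size(population):
    """'Square root sample': 144 records -> 12; non-square populations round up."""
    if population < 1:
        raise ValueError("population must be at least 1")
    root = math.isqrt(population)
    return root if root * root == population else root + 1


def spread_sample(records, size, seed=None):
    """Pick `size` records from different places in the sequence.

    The sequence is cut into `size` consecutive bands and one record is drawn
    at random from each band, so the sample can never be only the most recent
    or only the earliest records.
    """
    if not 1 <= size <= len(records):
        raise ValueError("sample size must be between 1 and the population")
    rng = random.Random(seed)
    total = len(records)
    picks = []
    for band in range(size):
        start = band * total // size
        end = (band + 1) * total // size
        picks.append(records[rng.randrange(start, end)])
    return picks


def box4_entry(records, check, method="square root", adjustment=0, seed=None):
    """Run the sample and return the details to record in Box 4 of the AFWP:
    the sample size, how it was derived and what the sample showed."""
    population = len(records)
    if method == "square root":
        base = square_root_sample_size(population)
    else:
        base = table_sample_size(population)
    # The auditor's 'correction' (more operators -> larger, and so on).
    size = max(1, min(population, base + adjustment))
    sample = spread_sample(records, size, seed)
    negative = [r["id"] for r in sample if not check(r)]
    return {
        "population": population,
        "sample_size": size,
        "derivation": f"{method} rule gave {base}, adjusted by {adjustment:+d}",
        "sampled_ids": [r["id"] for r in sample],
        "positive": size - len(negative),
        "negative_ids": negative,
    }


# Constructed sample data: 144 accident records, every tenth one not signed off.
ACCIDENT_RECORDS = [
    {"id": f"ACC-{n:03d}", "signed_off": n % 10 != 0} for n in range(1, 145)
]


def signed_off(record):
    """The control being verified in this constructed case: a sign-off exists."""
    return record["signed_off"]


if __name__ == "__main__":
    entry = box4_entry(ACCIDENT_RECORDS, signed_off, seed=2007)
    for key, value in entry.items():
        print(f"{key}: {value}")
```

Fixing the seed makes the selection repeatable, so a lead auditor reviewing the working paper can regenerate the same sample.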

Brown paper exercise

A brown paper exercise commences (if taken literally) by covering a large wall or a table top with brown paper. Onto this, take a work system, e.g. a document flow, and map out the route where each piece passes, and where it ends up.

Reworking a system in this way shows an auditor what to expect in the records of a department. When you have completed the brown paper exercise, follow the system for the sample set of transactions in reality, to see if the outcomes are the same.

Tip – Before you start such an exercise, ask the auditee whether a flow chart of the relevant business process/activities already exists. If there is, that is fine; save yourself time and use it. If it is only available in digital form to be viewed on a computer screen, there may still be value in carrying out the above exercise to increase the transparency (to you) of the controls.

Independent confirmation

Sometimes, we may need an independent confirmation that ‘something’ is right. For example:

• a composite wall panel is indeed non-combustible

• a passenger lift winding cable is indeed safe

• an electrical transformer does not contain PCB (polychlorinated biphenyl)

• a water sample contains particular levels of zinc


There are a broad range of laboratories and independent specialists who offer such and similar analytical services.

Similarly we may need independent confirmation of legal issues, in which case the lead auditor should arrange access to an appropriately qualified solicitor.

Tip – In any of the above cases, if this independent expertise can only be provided outside the auditee’s organization, it will have to be paid for. So make sure you have the necessary budget provision before committing the audit department to such expenditure.

Sampling summary

Whichever blend of sampling approaches is taken, there will tend to be a variety of outcomes to the verifications. These can be statistical, quantitative or qualitative.

Statistically significant

This involves expressing an audit opinion in statistical terms – e.g. ten out of ten = 100 per cent, a statistically valid sample. The degree of confidence in relying upon the results of a sample is stated in terms of standard deviations from the norm. If you are experienced enough (or have an appropriate software package) to calculate the right sample sizes and carry out the tests accordingly, you will be able to say you are 99 per cent, 95 per cent or 68 per cent confident in whether something is happening or not.

You will find reference to a user-friendly statistical sampling software package in the bibliography.

Case study

All employees (100 per cent) at an off-shore oil terminal in Asia were male Sikhs. The terminal served a sour field, and a known hazard was H2S. Emergency alarms and procedures were established, and all the employees had been provided with personal issue H2S respirators. Male Sikhs do not shave. The respirators provided would almost certainly not seal against a bearded face. Thus, 100 per cent of employees remained at risk of exposure in the event of a leak.

Quantitative

Expressing an audit opinion in quantitative terms, e.g. we checked 20, and 19 of these were OK.


Tip – Sample sizes will often be determined by the time available and the cost of carrying out the tests, given the audit scope and objectives. A key to controlling the audit effort at this stage is knowing how significant the results of the work already done in a particular area are and how much more information is necessary to attain through detailed testing.

Qualitative

Expressing an audit opinion in qualitative terms, e.g. everyone we spoke to told us that .

Tip – Whether the testing approach is quantitative or qualitative, the actual selection of items within the sample can be skewed towards factors which the lead auditor judges as being important, for example, transactions which are a representative cross-section, items of higher value and high risk exposure, activities carried out during high pressure times (e.g. shift handover or emergency response), and focus on current or recent periods. These will be different in other situations as, for example, when one is testing the robustness of the management system over a period of time (e.g. the effectiveness of a steering committee of a major project).

A-Factor 46: Whatever you decide as the sampling strategy, record the sample size, how it was derived and the results of the sample (i.e. what the sample told you) in Box 4 of the AFWP.


7 Concluding the Audit

Introduction

In Chapter 5, we looked at the ‘top down’ approach to audit, and in Chapter 6, we looked at the conduct of the review and verification. This third stage of the audit process is to conclude the audit ‘bottom up’ in such a way that you help management to understand the status of what they have in place and where, if necessary, it may need improvement.

You should still have at least 20 per cent of the total time scheduled for the audit available for this stage.

Staying with the vision of an audit being like a ride on a roller coaster, the concluding stage of the ride starts just after the roller coaster has bottomed out. Your heart has missed a beat and your stomach is coming back up to meet your mouth, and then there is a momentary release of tension until you see the steepness of the climb upwards directly in front of you. But the speed of descent down the roller coaster, with its resultant flood of information into the audit team’s group brain, normally provides sufficient momentum to enable you to reach the top of the slope, at which point the audit team should be ready to issue an audit report.

Figure 7.1 illustrates the concluding stage of The Audit Process Roller Coaster ©, and this chapter describes how to do it.

A-Factor 47: Acceleration ‘top down’ provides sufficient momentum for the journey ‘bottom up’ the roller coaster.

Concluding the audit – ‘bottom up’

However well the team leader and the audit team have performed in the previous two stages of the audit, it will all count for little or nothing if the audit work to be performed in this stage of the audit process is not fully understood and carried out with precision, imagination and creativity. The challenge for the audit team throughout their work is to create an appetite for the audit findings and the consequent opportunities for business improvement. The final proof of the audit pudding will of course be determined by how senior management relish the eating!

[Figure 7.1 The Audit Process Roller Coaster © – concluding stage. Axis: level of detail involved, from summary to very detailed. Labels on the figure: Review & verify; Reporting; Issue final report; Prepare Report: Part 1; Present findings and conclusions; Evaluate overall level of control; Prepare structured Report: Part 2; Re-evaluate remedial actions; Develop important issues; Clear findings and recommendations; Determine Audit opinion; Report.]

Figure 7.2 illustrates the main activities involved in concluding the audit. The figure breaks down the work to be performed in this stage of the audit process into a number of discrete activities. These activities are not necessarily carried out in the sequence in which they appear in the schematic or in this chapter, since the best results will come from using an iterative approach. That is to say, at the start of this stage, auditors will have available to them a lot of detail regarding the individual controls and control framework relevant to each of the work plan items they have had responsibility for auditing. Auditors not only need to assess this information in terms of its impact on the particular risk exposures associated with each work plan item, but they also need to review the results as a whole. It will then be possible to identify if there are any common traits or patterns that can be reported as a summary finding. Each auditor must also share the results of their audit work in a structured way so that members of the audit team can similarly compare the detail of their own audit findings to the results of their colleagues’ audit work to determine if there are any further common traits that could be reported as a summary finding.

• Complete record of findings

• Agree areas of strength and control weakness

• Map results onto business control framework

• Identify and focus on main issues

• Evaluate control framework

• Discuss findings and main issues with auditee

• Determine audit opinion

• Prepare and present findings and report

Figure 7.2 Main activities in concluding stage


Getting a clear picture from the mass of information

The starting point for the concluding stage of the audit should be: (1) a completed set of factually accurate audit finding working papers (AFWPs), i.e. one AFWP for each risk area in the work plan, and (2) an accurate picture of the auditee’s actual business control framework (BCF).

By this stage, lead auditors should have ensured that they have challenged robustly the details within the content, logical extension and conclusion of every AFWP prepared by each audit team member. The underlying fieldwork should demonstrate sufficient, relevant, reliable evidence which is comprehensively cross-referenced to the source of that evidence and to transactional documentation which is linked to the organization’s BCF. The audit papers should also be properly filed as described earlier in this book.

Lead auditors should also have ensured that the work carried out in preparing the AFWPs is clearly traceable directly to individual or groups of work plan items. Then the team leader can demonstrate that the team has fully audited the effectiveness of the BCF, as applied to the high-risk activities selected for the work plan.

In Figure 7.3, we have presented the key words in the AFWP associated with the results of a particular audit finding (in this case, work plan item 3.1) and the lead auditor checking this off for completeness against the work plan.

Identify control weaknesses

In her recipe for Jugged Hare, celebrated British writer on domestic science, Mrs. Isabella Beeton (1836–1865) reputedly said ‘First, catch your Hare.’ Likewise, this is important for auditors.

[Figure 7.3 Lead auditor checking coverage of work plan. The figure shows an AFWP (p.2, WP item 3.1) with the headings Control weakness, Failing BCF element, Root cause BCF element and Remedial action, beside a work plan with the columns Scope, Item and Done and the rows Ordering 1.1, 1.2; Receiving 2.1, 2.2; Storage 3.1; Processing 4.1, 4.2, etc.]


First, they must clearly identify a control weakness. Fortunately, the audit process we

have followed will do that at each stage:

• the review stage will identify whether there are any gaps in the design of the

business control framework• the verification (or testing) stage will identify if there is non-compliance  with the

expected controls

• substantive testing will identify those controls that produce ineffective  results.

Tip – This identification of control weaknesses needs to be followed by a processof analysis and synthesis as soon as possible, if the audit team are going to be

successful in meeting their objective of reducing the number of audit findings.

At this interim stage the classification will fall into three categories:

• OK – because the audit fieldwork has clear evidence of adequacy of control

design, appropriate levels of compliance and effective outcomes

• Failing – because there is clear evidence of inadequacy of design, varying degrees

of non-compliance and ineffective outcomes

• Uncertainty – because final testing to confirm strength or weakness has not been

completed.

But as soon as possible in the ‘concluding the audit’ stage, the lead auditor should

have classified all of the audit findings, the fieldwork for which has been satisfactorily

completed, as OK or Failing.

Tip – If the lead auditor is in any doubt as to the sufficiency or reliability of 

the evidence obtained by the responsible auditor, then that part of the fieldwork

must remain inconclusive. If appropriate, the work-in-progress can be passed tothe local internal auditor to complete.

As a general rule, in most major organizations it is likely that there will be a significantly greater number of controls which are likely to be classified as OK, than those classified as Failing. Sometimes this grates with auditors because they think their job is to find failing controls, and they may forget to fully record the evidence of control strength and complete the AFWP accordingly.

Tip – In reality, a talented and effective auditor is one who makes a judgement, based upon factually accurate findings, about the strength or weakness of the BCF they find to be in place. That final judgement is built up from incremental judgements based upon the results of the audit fieldwork for each work plan item.


Categorize control weaknesses

The audit process followed will gradually increase the audit team’s knowledge and understanding of how well discrete, and progressively larger, parts of the auditee’s BCF function.

The lead auditor must optimize the use of the group brain of the audit team through a structured process of analysis and synthesis to assimilate the underlying facts and extract the similarities between or common denominators within individual control weaknesses. This information can then be used as the basis for grouping or clustering detailed audit findings into higher-level audit issues.

For example, an auditor may note the following weaknesses:

• staff not wearing PPE

• housekeeping falls short of expectation

• site speed limit exceeded from time-to-time

• signatures missing from small sample of documents

• level 1 audit programme behind schedule

and so on.

In our example here, we believe these are not several individual control weaknesses, but one. That one weakness seems to be related to the efficiency and effectiveness of supervision.

There are no obvious categories an auditor would necessarily choose for this grouping or clustering process. However, possible categories are suggested in Figure 7.4.

[Figure 7.4 Grouping and clustering findings. Four possible groupings are shown: by priority of importance (Most (Red), Next (Amber), Least (Green)); by cost (Nil (Opex), Low (Opex), High (Capex)); by organization (Process 1, Process 2, Site A, Department B); by reference framework element (Policy, Planning, Implementation & corrective action, Review).]


We have provided four examples of possible groups, though of course there are many

other possibilities:

By priority 

Auditees like to know which weaknesses need to be addressed first, and which may wait. A typical manner of clustering weaknesses is into priority groups, such as:

• immediate

• up to three months

• three to six months

• one year

Another way to do this is simple colour-coding, with a traffic light approach – red

(highest priority), amber and green (lowest priority) to show which need the earliest

attention.

By cost 

Ultimately, some weaknesses will require expenditure, either from revenue or capital budgets. A useful alternative to clustering weaknesses ‘by priority’ is to cluster ‘by cost’, with nil and low cost items (revenue) separated from matters requiring application from capital budgets.

By organization

A third option is to group weaknesses under organizational headings – by process, department, building or site for example. This approach can be used in conjunction with one of the other groups, i.e. for each department, control weaknesses are clustered by priority.

By reference framework

Throughout our work, commencing with the ToR, we have referred to one or 

more reference frameworks. A useful clustering could be under the elements of the

framework – PDCA, or whatever. This is a useful approach, as it tends to cluster further the weaknesses into their root causes.

Tip – Discuss with the auditee how he or she may wish to see the weaknesses grouped. Should there be a preference, and you have flexibility to prepare the report in this way, it would be a good idea to satisfy these preferences.


A significant number of failings or root causes falling within any of these objectives, components or elements may become the signposts leading to a meaningful higher-level issue. However, literally any relevant category can be used to group detailed control weaknesses into a few main audit findings. Suitable categories will become obvious to the audit team as they begin to get into the process.

Identify root causes of control weaknesses

Of course a huge potential benefit of carrying out internal audits would be lost if each auditor, the audit team and the lead auditor did not ask the simple question,

‘Why, or how, was it possible for this aspect of the control framework to fail?’

Finding a significant control weakness and getting the auditee’s agreement that they will fix the problem, is certainly a good result from the audit. However, unless the auditor and auditee unearth the root cause of the control failure, it is quite possible that the benefit of the fix will be short-lived, as there may be a similar control (that was not reviewed in this audit work plan) which is already failing or will be allowed to fail soon.

By identifying the root cause of a particular weakness, the auditor is likely to expose similar controls that have not been audited but which, if they were failing, would have a negative impact on the auditee’s organization achieving their business objectives.

There are various, established techniques, proprietary software tools and well-documented techniques available for root cause analysis. Some applicable titles are provided in the bibliography. However, we believe that an effective way of finding the root cause of a control failure is to ask questions about how well other key controls in the same BCF were and are working.

For example, if the identified control failing is a procedure then ask the question ‘Was this failing identified by a supervisory control? If so, what was done about it?’ And if the supervisory control had failed, then one needs to ask the question ‘Does an adequately designed supervisory control exist and was it operating properly?’ And if there was no suitable supervisory control, then one needs to ask the question ‘Are there sufficient competent manpower or other automated resources available to carry out the necessary supervision?’ Then one could ask the question ‘Were the risks associated with the control failure properly assessed? If so, what was the agreed risk response to structure? If not, is there a fit-for-purpose hazard and effect management process in place?’

Case study

An employee of a large organization had cut his hand on a sheet of steel in a power press shop. The investigating health and safety officer applied a technique of asking questions about how well other controls within the same BCF for hand protection were working, applying the style of ‘domino theory’ (Boyle, 2002; Fuller and Vassie, 2004).

The injury was a serious cut to the left hand. Instead of blaming the worker, the investigation chose to consider the possible reasons why the worker was not wearing the strong gloves that had been approved for use on that type of work. It was discovered that those gloves were not available that day in the stores and that the worker had ‘done his best’ and got on with the work without wearing them. Instead of blaming the store-keeper, the investigation chose to consider the reasons the stores did not have gloves. It was discovered that the glove supplier, having been chased five times for a delivery, had made five delivery promises to the store-keeper. Instead of immediately blaming the supplier, the investigation chose to consider why the delivery promises had not been kept. It was discovered that the supplier had not been paid for three months by the large organization, but had been promised five times that ‘the cheque would be posted today’, and in each case, it had not been received, and accordingly the account not settled and normalized.

If the organization had blamed the worker, the probable outcome would have

been further cut hands, rather than resolution of the weakness in the accounts

department.

As long as the auditor keeps asking questions about the existence and effectiveness of controls in the BCF, this approach will track down the control failure at the highest level in the framework, for example, unearthing a failure to have clear objectives or direction. This approach is shown in Figure 7.5.

[Figure 7.5 Tracking down the root cause. Problems at Ops level: the effect of a control failing is generally felt first in operations, but there will be a reason for this failure at a higher level in the control framework. Starting from the failing operational control, the figure asks whether Monitoring, Plan, Organization, Review or appraisal, Objectives, Policy and Direction are also failing (root causes at a higher level?). Audit analysis must uncover root causes.]


Tip – In addition to fixing the failing control and addressing the issues surrounding

the root cause, another valid audit recommendation would be for the auditee to

review the effectiveness of each of the other controls potentially affected by the

same root cause.

Prioritize control weaknesses

Before a team member tries to persuade the lead auditor that they have identified a

control weakness, they should ask themselves ‘So what?’ In other words, at an early

stage they should be looking for control issues that are significant and not ‘quick

hits’ which will just add to the mass of lower-level audit findings in which senior 

management have little interest.

A-Factor 48: A significant finding is one to which the answer to the ‘So what?’ question is assessed in terms of a significant impact which the control weakness is very likely to have on the auditee’s ability to meet their immediate business objectives or more significantly the ability of the organization to meet its corporate objectives.

The particular business objectives that are most likely to be impacted, are probably

the same ones reviewed when the AFWP was opened and the high-risk nature of 

the selected work plan item was challenged and validated.

Along with the ‘So what?’ question, the auditor can also get answers to two other questions to help him prioritize the control weakness level. The first is ‘How easy is it going to be to fix the whole problem?’ The assessment of ‘easy’ would include ease of access to the required competence, sufficient availability of those resources’ time, and sufficient financial resources. The second is ‘Why has it been left to an internal audit to discover this control weakness?’ Here the auditor needs to realize that many audit findings are not necessarily ‘news’ to auditees. However, what may be ‘new’ is a different perspective leading to a clear understanding of exactly how exposed either the auditee or possibly the business will be if they continue to condone the status quo.

Control weaknesses can be prioritized using various gradations of terminology to

signify their importance. Generally, there is no need to go further than splitting the

control weaknesses between serious, high, medium and low.

The two higher categories are reserved for control weaknesses that to a greater or 

lesser degree of impact and/or timeframe will affect the achievement of corporate

objectives until senior management takes timely action to address the weaknesses.

The two lower categories are used to classify control weaknesses that impact the

achievement of the auditee’s process or departmental objectives, without significant

impact on the corporate objectives.


Low level weaknesses are generally those that affect the economy and efficiency of 

the auditee’s outputs.

There needs to be some means of flagging to the management those situations where control weaknesses have been identified and reported previously to higher-level management (whether through a previous independent audit or departmental monitoring activity) but have not been properly and effectively reacted to by them.

One way of handling such situations is to prioritize the underlying audit finding at

one level higher than the original rating. However, the delay in a timely reduction

of exposure may have resulted in the situation worsening, in which case the control

weakness may be prioritized at an even higher level in its own right.

Reduce the number of discrete findings

One of the reasons why the majority of internal audit reports don’t possess a ‘wow

factor’ is because they include too many often low-level findings. A mass of audit

findings, whilst quite correctly identifying things that have happened but should not

have happened, will not be attractive to most senior managers.

Tip – Senior managers do not expect to look at a plethora of findings and detail. They wish to be told how they can help the business. They expect lower-level managers to take care of the detail!

The challenge for the audit team during the concluding stage is to interpret what

the mass of information, acquired during the fieldwork, is saying about the state of 

risk management throughout the auditee’s area of responsibility. The result of their 

interpretation then needs to be expressed in high-level terms.

Tip – Whatever the number of discrete audit findings that the audit team have produced as a result of the detailed audit fieldwork, the lead auditor needs to set a stretch target for the team to develop a maximum of twenty main audit findings and a maximum of (say) five final messages for management. Figure 7.6 shows in simple style how this can be achieved by clustering them together.

To achieve this step change in squeezing out more value from the audit fieldwork and increasing the chance of senior management involvement in putting right what needs to be put right, the audit team must use a structured approach towards grouping and clustering the lower-level audit findings. This work will demonstrate the audit team’s understanding of how many of the basic audit observations and findings can be built up into meaningful, substantial findings of interest to management because they relate to their efforts to achieve or even exceed their corporate business objectives.


[Figure 7.6 Reduce the number of findings for senior management. Labels: Review & verify; Reporting; Report; level of detail involved, from very detailed to summary; 200 findings; 20 groupings; 5 key messages.]

Sharing the detailed findings

The success of the audit methodology described in this book depends upon the ability of each auditor to share relevant parts of the information they have obtained during their part of the fieldwork. To do this, we need a means of recording key statements of fact onto a simple simulation of the auditee’s BCF. To add comprehension of the information we need to allocate the facts to each element and to say whether the fact indicates strength or weakness.

The physical nature of such a BCF for use in this audit methodology can either be individual wall charts or a database in a computer. However, what is important is that the whole audit team can easily see, essentially at a glance, every item of discrete factual information allocated to each BCF element, and to see how the facts are populating the overall BCF. Figure 7.7 shows how facts can be transferred from interview download into the elements of the BCF summary sheets.

Tip – When the audit team has more than two or three members, it becomes more difficult to share A4-sized working papers. An approach commended by the authors is to use A1-sized, flipchart-sized sheets which can be wall-mounted. Everyone can see them, and discussions concerning ‘the facts’ are easier.

This fact-loaded ‘vision’ of the BCF will quite quickly become a veritable treasure trove of the knowledge which has been extracted during the fieldwork by every member of the audit team and contributed to by each of them, working individually or with others. New facts (positive or negative) should be populated onto the BCF as soon as auditors are sure of the accuracy of the information they have obtained, together with hard documentary evidence, where applicable, to prove it.

[Figure 7.7 Downloading information after an interview. An interview download analysis worksheet with columns BCF #, +/–, Fact learned and Work plan # lists the facts learned (e.g. 1. No project manager; 2. Risk assessment done; 3. Budget not approved; 4. Up to date guidelines). The facts are carried to the AFWPs for each work plan item (e.g. Work plan item # 2.1, Work plan item # 3.2, etc.) and to the BCF wallcharts for each element (e.g. Element # 2 Organization, Element # 3 Procedures, etc.), each wallchart divided into negative facts and positive facts. AFWP = Audit finding working papers; BCF = Business control framework.]

Facts can also be added to the BCF as the audit team extrapolate new facts from the

original facts, obtained during their fieldwork, and when they are confident which

individual control element of the BCF to record the information against. Some

photographs of BCF wall-sheets populated with facts from actual audits are shown in

Figure 7.8.

For the methodology to work, it is critically important to record all the results of 

the audit fieldwork based on full coverage of the work plan. An auditor’s natural

reaction is to skate over, mentally and practically, areas where the expected controls

are in place, their purpose is well understood by different levels of management and

they are applied correctly, their application and effectiveness is regularly confirmed

and there is evidence of incorrect application being identified and corrected. In other 

words, auditors tend not to notice risk areas where there is plenty of evidence of 

strength. But they must!

Tip – Unless all the areas of strength found in the BCF are recorded as fully as examples of weakness, then there will not be an accurate weighting of strong controls to influence the audit team’s deliberations when they come to determine the overall audit opinion.


Figure 7.8 Wallcharts aid sharing of information

Tip – It is important to be able to trace every positive and negative fact recorded on the BCF back to its original source and to the auditor who carried out the fieldwork and, if relevant, the work plan item to which the facts refer. Figures 7.7 and 7.9 show how to do this.

Tip – The aggregate information obtained during the fieldwork, recorded on AFWPs and allocated to an element of the BCF, will be the factual and logical basis upon which the audit opinion is founded.

A-Factor 49: All areas of strength found in the BCF must be recorded as

fully as examples of weakness, so there is accurate weighting of each.

Keep in contact with the auditee

Regular contact with the auditee at this stage of the audit can give many benefits; not least, discussing in a low-key manner apparent control weaknesses discovered during the fieldwork, and either having your misunderstandings clarified with the opportunity for re-auditing specific controls, or getting to agreement with the auditee about the facts, the extent of the weakness and the root cause.


Figure 7.9 Interview download sheets show how information has been processed

If auditees understand why an auditor is concerned, they generally will provide resources for further testing, checking and quantifying exposure to particular risk scenarios, particularly if the control weakness is likely to affect the successful performance of their department.

Such a consultative approach (particularly if practised by the lead auditor from the

start of the audit) will often result in the auditee giving assistance to the audit team

at a time when The Audit Process Roller Coaster © is running on pretty steep rails,

and time is critical.

Formulating effective remedial action is another task the auditee will be more eager 

to assist with once they have understood and participated in a joint analysis of a

particular control weakness. Although you will have ideas as to what needs to be

done to rectify the situation, it is better to encourage the auditee to suggest what can

be done and what improvement they expect to achieve.

Tip – The degree of interest and commitment to make changes to the way the control framework operates and the amount of cooperation to ensure that the ultimate change has the required effect, will normally be in direct proportion to the openness, constructiveness and professional manner in which the lead auditor handles the auditee during the concluding stage.


Stand back and analyse information obtained

This requires careful organization and recording of every fact, both positive as well as negative. Everything obtained should contribute something when the audit team have to make their final evaluations of each control weakness, every element of the auditee’s BCF, and the overall BCF.

Tip – The challenge for the audit team, during the latter part of the fieldwork

stage and the initial part of the concluding stage of the process is to effectively

use the mass of discrete facts obtained during the fieldwork.

As AFWPs are completed, their underlying weakness ratings (serious, high, medium, low) should be recorded both on the specific AFWPs in question, and onto the appropriate business control element of the BCF wall charts.

Even though all the analyses of the information gathered during the fieldwork may not have been fully completed and the conclusions drawn about the controls may not yet have been entered onto the BCF wall charts, the audit team should be encouraged to start paying more attention to the information as a whole. This is the moment when the methodology that uses wall charts, rather than a database hidden within a computer, comes into its own.

A-Factor 50: The audit team has to be able to see the balance of the emerging

facts if it is to apply its mind to what those facts mean. Large wall charts

are a fantastic idea, because they lend visibility.

From a relatively cursory analysis of all the information (sorted into positive and negative impacts upon each control element) each member of the team should be able to see the extent to which there is correlation between the results of their audit findings (which came out of focusing on individual work plan items) and the aggregate information on the wall charts. Looking for this correlation early on in the concluding stage will encourage the audit team that the dual approach to evaluating the overall BCF is working.

Tip – Taking this holistic view may also help individual auditors to understand

better the dynamics of the control framework within the areas they have been

looking at, especially when working on the analysis of root causes.

Business control assessment matrix

At a certain stage in this process, the lead auditor can open a summary evaluation tool called a business control assessment matrix (BCAM). Rather than having a lot of detailed information, as has been recorded on the wall charts, the BCAM will only record any resultant Failings, with their respective weakness level and root cause for each audit finding. Figure 7.10 shows an example of a BCAM.

As more AFWPs are completed, and control weaknesses identified and grouped into generic findings of control weakness, the resulting information can be recorded on the BCAM.

Tip – The lead auditor needs to be aware of the source of the information to avoid recording both the results of discrete control weaknesses (or strengths) as well as the aggregate results of a group of the same control weaknesses.

Develop main issues

The audit team, and especially the lead auditor, must now use the momentum created

by the roller coaster to confidently develop the main issues which their audit work

has brought to the surface.

The most significant criterion for selecting such main issues will be finding issues which directly and significantly affect the achievement of corporate objectives. The most important issues are those which clearly demonstrate activities within the auditee’s organization that are having or will have, with some high degree of certainty, a significant negative impact on the achievement of corporate objectives, in both quantitative (‘the what’) and qualitative (‘the how’) terms.

This stage of the audit process is a key opportunity for the lead auditor to demonstrate

sound judgement as well as technical ability.

Findings and recommendations

Prepare summary audit findings

As Mrs Beeton instructed in her recipe for Jugged Hare, now that you have your main ingredients, you can start to prepare them for serving. In this instance, the preparation is to write them up in a style which will be suitable for consumption by senior managers.

[Figure 7.10 Business control assessment matrix (BCAM). A matrix with one row per work plan item (Ref. #, Work plan item) and rating columns headed by BCF element (Policy, Organization, Procedure), with a row for overall management system ratings and an entry for the overall audit opinion. Work plan items listed: 1 DHO – project management; 2 Inland depot – project management; 3 Systems implement (ADM/RAM); 4 Strategic stock reserve legislation; 5 Stock outs; 6 Jetty operations – spill in river; 7 Rail operations – prod. crossover; 8 Stock losses; 9 Tank storage integrity; 10 Fire protection; 11 Inland depot – deliveries; 12 Own fleet deliveries (bulk); 13 Contractor fleet deliveries (bulk); 14 Delivery scheduling; 15 Cash/credit rating control.]

Tip – It is important to give each main issue a ‘catchy title’ to capture management’s imagination. These, we think, are NOT catchy:

• Housekeeping

• General health and safety

• Deficiencies in quality policy, page 47, paragraph 2, section 3c, iii, 2nd bullet

• PPE (personal protective equipment) – Lack of fully documented risk assessments in accordance with the Health and Safety (PPE) Regulations 1992 and the Management of Health and Safety at Work Regulations 1999; both as amended several times.

We think the examples that follow are ‘catchy’ since they grab the reader’s

attention. We commend writing in this style:

• Explosion at tank farm

• Asbestos exposure – maintenance team

• Product contamination – customers poisoned

• Risk of spill – river Thames.

Three to five carefully selected words can give a powerful message to senior management and compel them to read further. Keep the title in draft at this stage as required, and it can be revised (or confirmed) later. Without trying to be too funny or too incredible, we suggest you think how a tabloid or ‘red top’ newspaper may report on this potential risk area on its front page. ‘Housekeeping’ will not sell newspapers. ‘Explosion at tank farm’ would (and has!), as Figure 7.11 illustrates.

This is printed under the GNU Free Documentation License on Wikipedia

Figure 7.11 Buncefield oil terminal in the news


The narrative should lead the reader’s thought process as follows:

• What is the business activity?

• What are the key risks inherent in that activity, and how might they impact

business objectives?

• What are the key controls expected to be in an effective control framework?

• Which controls (in which control elements) are present and the extent of their 

effectiveness?

• Which controls (in which control elements) are failing and the impact of this

failure?

• What is the root cause of the failure?

• What needs to be done to improve the situation?

• How urgent is the matter?

Drafting these summary audit findings is likely to go through a number of iterations since on them hangs much of the potential success of the whole audit.

Initial preparation of recommendations

Historically, auditors have been castigated by auditees because they only ‘bring problems, not solutions’. That is not really surprising since it is the auditee who needs to decide exactly what, when and how they should react to audit findings. However, if the ‘no surprises’ contact between the lead auditor and the auditee has been successful and the auditee fully understands and accepts the control issues which the audit has surfaced, then they are more likely to take the initiative and propose what they see as the most appropriate remedial action.

The lead auditor needs to be prepared to assist the auditee to arrive at a workable solution that is likely to be effective. So, in exactly the same way as the audit finding must be completely defensible from challenge by the auditee, similarly the lead auditor should be able to assess the robustness of the auditee’s proposed solutions, on the basis of reliable facts and information. For example, what level of competence and seniority of personnel would be required, and are such individuals available; how much time will the necessary work take, and can the auditee afford to wait that long; how much will it cost? All these facts need to have been researched as well as possible in the final part of the fieldwork.

In the best scenario, the auditee will discuss the underlying issues and provision of the necessary resources with his line manager. However, with the more serious audit findings, generally the process will take quite some time for management to accept the significance of a control weakness and work out what to do. Often there are knock-on effects which need to be carefully examined and external parties need to be consulted.


Draft audit report Part 2

The audit report is split into two parts. Part 1 is the management summary and Part 2 is the full detailed report. Part 2 is prepared first, followed by Part 1 (as most managers know, it is usual to prepare the management summary last of all).

Clearly what is required from the whole report is a readable, logically thought out report that presents the audit team’s conclusions and the basis upon which they have arrived at them.

The report deals in turn with any serious, high or medium level weaknesses, recording the detailed findings in much the same way as the structured contents of the AFWPs, and the summary information about the main findings. Using previously prepared information, such as that on the AFWPs, eliminates the task of a major re-write to create Part 2 of the audit report.

The first section for each issue detailed comprises a full story of each issue (or group of issues) describing the expected controls, the actual controls found, the residual risk resulting from any difference between the two, the root cause of the problem and the impact of the risk on the process and/or company objectives. The second section is for remedial action. A typical layout for this is shown in Figure 7.12.

In its entirety, the content of audit report Part 2 must drive the reader towards the same understanding and conclusion that led the audit team to their final audit opinion regarding the adequacy or inadequacy of the auditee’s BCF as it is currently in place and functioning.

[Figure: ‘Part 2 – Findings and actions’, laid out under the column headings Issue, Exposure and Action. Entries shown for each issue: descriptive heading, expected control, actual control, residual risk, impact of risk, reducing risk, removing cause.]

Figure 7.12 Audit Report Part 2 structure

Evaluate each BCF element

A key part of the audit methodology explained in this book is that the effectiveness of the reference framework in controlling the risks within the auditee’s area of responsibility is primarily assessed by reviewing and verifying how well the relevant key controls within the reference framework are applied to all of the essential tasks occurring in the audit team’s sample of high gross risk activities in the auditee’s part of the business.

The results of auditing each of these activities are recorded on the AFWPs. Simultaneously the underlying control strengths and weaknesses are used to populate the control elements within the reference framework. Figure 7.13 illustrates how this is applied in practice.

Before we start to write Part 1, the management summary, of the audit report, we must write a summary of how each control element in the auditee’s BCF is contributing or detracting from its overall effectiveness. The summary for each element should make the reader absolutely clear as to why the audit team have assessed the element either to be positive or negative in its contribution. This summary should demonstrate the same inescapable conclusions which the audit team arrived at in selecting the main findings, and be based on the same irrefutable evidence and logical analysis.

The result of the positive or negative assessments of each control element can then be added to the top of the BCAM. The audit team should now compare these control element assessments against the failing controls and the root causes (and areas of strong control) for each of the work plan items and subsequently developed summary items. Figure 7.14 shows how this is done in practice.

[Figure: an audit finding working paper (work plan item # 2.1, showing risk(s), expected control framework and actual control status) whose facts are posted as positive facts or negative facts onto the BCF wallcharts for each element (Element # 1 Policy, Organization, Risk assessment, Procedures, etc.). Example facts on the working paper:
1. Procedures not up-to-date (–)
2. Hazard and effects management process complete (+)
3. Hazard register in use (+)
4. Training budget not approved (–)
5. Policy recently revised to reflect new legislation (+)]

Figure 7.13 Checking the facts on AFWP against the information on the BCF wallcharts

[Figure: Business control assessment matrix. The top row carries the assessment of each BCF element (+ / –) for the columns Policy, Organization, Procedures, Supervision, and Review & appraisal. The rows are the scope areas: General management, Ordering/supply, Movements inward, Storage/stock mgt, Road fleet planning, Road fleet ops, Deliveries, Facilities maintenance. Each cell lists work plan item references with their level of weakness (Low, Medium or High) and a marker, for example ‘8.5 High (RC)’. Legend: (F) = Failed element; (RC) = Root cause.]

Figure 7.14 BCAM – Cross-reference between each element and individual work plan item’s results

Only once this overall cross-referencing exercise has been completed can the audit team confidently say that they have arrived at their overall audit opinion using as objective a basis as was possible.

Overall audit opinion

How to determine the overall audit opinion

It is generally accepted practice today for audit opinions for internal control audits to have an even (two or four) number of gradations, such as good, fair, poor and unacceptable. This reduces the possibilities for auditors to ‘sit on the fence’ – ‘I’ve seen better, I’ve seen worse, I’ll put it in the middle’.

Many large organizations have devised their own gradation models, and some have dispensed with them completely.

Tip – Hours of erudite debate have surrounded the distinction between a ‘review’ and an ‘audit’. Our distinction is that an audit will result in a level of assurance being given to the auditee and the audit committee as a result of the audit work. A review is primarily focused at identification of individual areas of strength and weakness which will be reported individually, and is not required to aggregate the impact of these findings in the form of a single audit opinion.

| Opinion | Concern | Senior management involvement |
|---|---|---|
| Good | Very few and specific | No desire or need to take more or less risk. No follow-up required by auditee’s function head |
| Fair | Room for overall enhancement | Actions needed to enhance design and/or operation of control framework – to adjust risk exposure. Next level of management should be advised of and review actions required |
| Poor | Overall cause for concern | Key elements of design and/or operation need improvement. Significant gap between the current level of risk exposure and the ‘target’ level. Next level of management should monitor implementation of actions and improvements |
| Unacceptable | Wide-ranging, may affect or expose other parts of Co. | The next level of management should take urgent action to confront the situation and commit appropriate resources. Shareholder’s senior representative should monitor the improvement |

Figure 7.15 The implication of the audit opinion

A-Factor 51: Overall audit opinions should have an even number of gradations. The overall audit opinion should reflect the overall level of concern resulting from the audit work.

Each gradation should be clearly defined in terms of an objective assessment of the level of concern that should be felt by the audit’s sponsor and the consequential degree of follow-up required from senior management as shown in Figure 7.15.

Caution is required when using the absolute number of findings to determine the audit opinion directly. Such a quantitative approach can provide a supporting crosscheck, but as we have said, our approach is based upon grouping weaknesses, rather than counting them! It is the audit team’s judgement on the concern arising from the overall weaknesses that provides the audit opinion to senior management.

Arriving at an audit opinion is not an art, nor can it be called a science. As professional auditors using an effective methodology, we strive to arrive at an opinion as a team based on objective evidence (of both weakness and strength). However, in the final analysis it is the lead auditor’s responsibility to make the decision and he or she will use their judgement to weigh all the facts available to them.

A-Factor 52: The lead auditor is ultimately responsible for the conduct of the audit, and the overall audit opinion.

‘No surprises’ with auditee

Once the audit team have got to this stage of concluding the audit, it is important that there should be a final meeting with the auditee (and possibly the sponsor of the audit) so that a final opportunity is given to the auditee to raise questions about any aspect of the audit, the way it was conducted and its overall outcome.

The lead auditor should be prepared for a reaction if they must tell the auditee and the sponsor that the audit opinion is Poor or Unacceptable. As soon as the lead auditor realizes that there is a likelihood of this outcome, they can prepare by briefing the auditee at earlier meetings, stressing the depth and breadth of the control failures which the audit team are finding.

The lead auditor should also keep in mind what they heard at their initial meetings with the auditee, and possibly the sponsor, regarding their self-assessment of the current effectiveness of the BCF that was to be audited.

Of course, however much logic there is to the conclusion, it is human nature that ambitious managers will not take kindly to criticism and will wish to avoid being judged to have failed. This emotional element will be even more prevalent if the audit results are part of the auditee’s and/or sponsor’s personal performance appraisal upon which their annual bonus is based! And the wider the gap between the auditee’s self-assessment and the audit opinion, the tougher the final clearance meeting will be.

Even at this late stage, the lead auditor must listen carefully to the auditee’s (and possibly the sponsor’s) contributions to the discussion. Clearly the most important outcome from this meeting will be unequivocal support for everything that has happened during the audit and most particularly for the results. If the lead auditor does not take the opportunity at this stage to react positively to the auditee and the sponsor, he or she may be jeopardising the achievement of a 90 per cent win at the expense of losing 100 per cent of the audit.

A-Factor 53: The audit opinion is not negotiable once the audit team has arrived at its decision.

Prepare audit report Part 1

This report delivers the audit results to senior management. It spells out the audit opinion, the major audit findings, and an assessment of each element of the BCF. It might also describe remedial actions, if they have been discussed and agreed with the auditee.

Therefore it is critically important to develop an audit report which senior management will read with interest (because of the significance of the overall level of assurance in the audited area) and credulity. The painstaking work of getting hold of and documenting the detailed facts, in an organized way, has been done and now the auditor’s task is to explain to the auditee ‘what it all means’ and, if necessary, to discuss with the auditee management ‘what improvements they need to make’. An imaginative approach by the team leader in how to do this will increase the likelihood of the overall success of the audit.

Tip – Remember that Part 2 provides the platform for the conclusions in Part 1, thus nothing can be reported in Part 1 unless it is linked to a weakness reported in Part 2 and has been fully discussed with the auditee management.

In addition to declaring and formalizing the audit result, Part 1 allows the lead auditor to preface the report with an introduction to the audit. The first few paragraphs of this executive summary will describe a business environment which is very familiar to senior management. Therefore the lead auditor needs to achieve two things: firstly, make the point that he and his team understand the challenges to be faced by the organization and the contribution of the auditee’s department to successfully achieving the corporate objectives, and, secondly, set a scene which is going to be rudely disrupted when the main audit findings are read.

Appendices to either part of the report should enhance the reader’s understanding of the audit’s coverage, process and result, and nothing else. Figure 7.16 shows a typical format for this.

[Figure: ‘Audit report – part 1’, comprising an executive summary (introduction and business environment, audit opinion, major findings and actions, assessment of BCF) and appendices (TOR/work plan, interviewees, action plan), each marked ‘Supported by the detail in…’ and pointing to ‘Part 2 – findings and actions’ with its Issue, Exposure and Action columns as in Figure 7.12.]

Figure 7.16 Layout of executive summary of audit report

Presentation to management

Strictly speaking, detailed guidance on how to make management presentations falls beyond the scope of this book. Over the years, however, we have learned some techniques relating to ‘how to do it’ and ‘how not to do it’. These techniques are consolidated into the following four A-Factors:

A-Factor 54: Have clear objectives, strategies and tactics for you and your team during the presentation. Your objective is to help management arrive at the right decision regarding their reaction to your audit’s findings. Whether this opinion is a ‘good’ or ‘unacceptable’ (or anywhere in between), initiation of some response is likely to be necessary, whether this is consolidation of existing strengths, or a survival strategy and keeping the board out of jail respectively. The strategy should be to focus management’s attention onto a few key messages, and the tactics will be to support these messages with factual evidence to the extent demanded by any person in the room.

A-Factor 55: Know who will be attending the meeting, and so far as possible, ensure that the attendees are the appropriate audience with sufficient time available for the full duration. You (or the auditee) send to each attendee an agenda, and a short description of how the audit team wish to conduct the presentation. Requests from management for pre-meetings or discussions as a result of this should be met.

A-Factor 56: Remember the audit is not over. The best outcome of the presentation will be full support for the findings, and commitment to making the appropriate response. However, if, for whatever reason, management is not able either to accept the findings or to commit, then maintain a dialogue with the audited organization to give management the opportunity to express why agreement and commitment is not possible. Your aim is still to optimize the effect of all the hard work done by the audit team.

A-Factor 57: If despite following this guidance, and ideally having broad support from the auditee, you do not feel that further discussion will result in management’s agreement and commitment, your only course of action is to refer the matter to the internal audit manager (with a view to their reporting this outcome to the Chair of the internal audit committee).

8 Personal Relationships

Introduction

This chapter explains some important features with regard to personal relationships. It encourages auditors to think about the need to establish the best possible relationships with the wide variety of individuals who could have a significant effect on the outcome of the audit. The success of such relationship-building is to move the perception of the relationship from a feeling of win:lose or lose:win to an expectation of win:win.

The lead auditor and the members of the audit team should start thinking about this important aspect of their work at the outset of the audit – starting at the time of their initial planning. Only in this way will they increase the chances of achieving a win:win outcome in the relationships that they will have with the auditee and all of the personnel involved at every stage of the audit.

One prerequisite, and an expectation, for this chapter is that readers will already know the essential rules and techniques to establish good interpersonal relationships and be capable of practicing them. Another premise of this chapter is that the lead auditor and the audit team are competent auditors and therefore their findings and their audit conclusion have been arrived at in a defensible manner with full documentary evidence to support their findings, and that there is a rational logic leading up to their conclusions.

The nature of the critical personal relationship between the lead auditor and the team members is dealt with separately in Chapter 10.

Behaviour and communication

Experienced auditors will recognize that behaviour of human beings is probably the most important factor impacting on whether the business control framework being audited will be robustly effective or not.

It takes a special sort of individual to inspire, empower and lead people to work towards the achievement of specific goals. It takes other sorts of characteristics to tell them how to do their jobs, to follow up on matters of fine detail, and to confirm what is expected next. Both of these individuals can, should they so choose, learn from what happened and respond accordingly next time.

To do their job well, all auditors need a natural ability to communicate and create relationships quickly. They need an engaging personality that can develop rapport quickly, and make the most of the initial short period of time in which relationships form or storm.

A key aspect is to put people at ease, as well as to be at ease themselves at all times and in all company. Key skills for this include having a courteous, personable and professional manner at all times whilst being able to listen carefully, speak engagingly and explain what you want to do concisely and coherently. Smiling helps, especially when greeting individuals with a firm handshake.

Case study

The pre-audit preparation had been carried out in the UK for a major audit to be carried out on the foreign subsidiary of this large marketing company. There had been considerable contact with the managing director of the subsidiary, who was the auditee, and the local internal audit department. The dates for the audit team’s arrival and the period for fieldwork had been agreed on, together with a target date for the close-out meeting with the auditee and his senior management team.

The four-person-strong audit team flew out and established themselves in their hotel. The internal audit manager collected them from the hotel the next morning for the audit briefing meeting arranged with the managing director. However, it soon materialized that the managing director was not around and had only informed his finance director by telephone late the previous evening at his home, that he was taking his annual leave starting immediately, and therefore could he look after the audit team who would be starting an audit of the company the following morning.

However well you plan, sometimes you will find people who do not wish to cooperate!

Influence

As auditors, we need to develop influence. This is not the same as ‘power’, where people may do as we wish them to because of our status or title. Generally, auditors do not have power, but they can become very influential.

There are at least a dozen different influencing styles, and here we comment briefly on each of them. It is useful to think of your own preferred style, and then to consider the other eleven, and how they may permit you to become (even) more influential.

Coerce

This is when you insist, or even threaten. If used sparingly, you become respected for being able to stand up for yourself, even in the face of sharp resistance.

Educate

This concerns providing information and new ideas. People will learn from you, and you will be respected if your information or examples are seen as relevant.

Sell

This concerns emphasizing the benefits of your suggestions. Enthusiasm will help you to sell, but few like an ‘over sell’.

Logical

This means presenting an argument based on logic and reasoning. The other person has to have the time to relax, sit back and be objective for your reasoning to be accepted.

Emotive

Here, you seek to appeal to emotions, feelings and values. It can involve trying to make people feel guilty. A trusted manager can be very influential when appealing to people’s emotions to get them to put a big effort into a worthwhile cause.

Expert

This is where you apply your superior knowledge or expertise. You need to be very credible to use this style, and be aware of others who may know the facts too. The expert style at meetings is to be quiet at the start while others struggle with the facts. Then analyse the situation, and suggest a course of action.

Model

This means leading by example, and you will be around long enough for people to copy you. ‘Do as I do’ is much more influential than ‘Do as I say’.

Charisma

These individuals rely upon their charisma, and strength of ego. You have a large supply of charm and humour to carry this off – successful where a straight-faced boss may fail.

Negotiate

This characteristic concerns encouraging compromise all round to achieve a negotiated outcome, which satisfies a little of all parties’ wishes. Negotiators NEVER give up; there is a little ground to give and take.

Joint problem-solving

This is about mutual agreement of the best decision. ‘Let’s work together to fix this’ comprises the style, but a high level of trust is needed. If you successfully pull it off, a level of commitment to the outcome is the reward. People support what they create.

Non-directive

With this style, you encourage the other person to develop their own analysis of the problem, and come to their own solutions. Asking only questions is the style.

Tip – Lee Bryce’s book The Influential Manager (1991) is an excellent read for those auditors desiring a larger input in this important area.

Relationships

The concept of auditing is well established in many fields such as finance, health and safety, competencies, competitive performance/delivery and so on. A new area of activity for many business students is auditing business-to-business relationships.

In a commercial environment increasingly focused upon personal accountability, the need for relationships which actively contribute to the success of the overall business strategy has never been greater. The desire for client/customer satisfaction has been replaced by the need for commitment and endorsement. Therefore, measuring business relationships is as important as the other traditional commercial metrics – what gets measured gets done!

If you provide any type of services to a client, you need to be sure you are at least delivering to – if not exceeding – expectations. And if you’re buying services you need to be sure you’re getting the best possible performance. Relationship auditing helps service providers and service users measure, manage and maximize the potential of their stakeholder relationships.

Case study

How relationship auditing has benefited an organization

One of Europe’s largest law firms decided to initiate an independent audit of one of its high value relationships with a financial services provider. The audit uncovered that whilst the client was happy with the service delivered, it was unsure whether the firm had the resources to handle an upcoming new large-scale product launch and was thus considering a panel review. Senior clients hadn’t mentioned this concern but a junior client, pleased to be included in the review process, was eager to help.

Communicating such intelligence promptly to the right people meant the firm was able to take pre-emptive steps to reconfigure its resources, and communicate that fact to the client’s decision-makers. In possession of such facts, and suitably reassured, the client decided not to bother with a review and simply assign the extra business to the said law firm. The value of this one assignment paid for a three-year relationship auditing programme across the firm’s top 50 clients and still had a six figure sum ‘in the bank’.

In the same programme, a relationship audit uncovered that a client individual, at the time number 3 in the pecking order, was extremely unhappy with the service being provided. The firm had previously concentrated its attention on the Chief executive and the number 2, both of whom had the power of appointment. The number 3 was due to be promoted to replace the retiring number 2.

The firm was surprised but armed with this intelligence put in place a remedial strategy which, within 12 months, turned the ‘renegade’ into an ‘apostle’ and not only secured but grew the number and value of the firm’s assignments.

Individuals whose help you may need 

One of the first things you should do whenever commencing an audit assignment (or frankly, any management assignment), is to make two lists.

First list

On the first list, write the names of all those people or positions who you think you will need to make contact with during the audit.

The key thing is to be imaginative and not to constrain your thinking only to those people or positions relevant to the operational activities within the auditee’s area. Figure 8.1 shows just a small sample of individuals with whom relationships may need to be forged before or during various stages of the audit.

Second list

On the second, write the names of all those people with whom you have a current relationship and who could assist you during this audit.

Tip – Retaining the business cards of other auditors, subject practitioners, peers, etc. is a good way of building your contact base. To be truly effective, you need to find a good reason to make contact – to stay in touch – a minimum of two times per year.

Tip – Attending meetings of your practitioner group (e.g. health and safety group) is a good way to make contacts. And if you are ready, offer to present to the group on a subject of your choice.

Audit committee chairman
Audit committee members
Auditee’s line manager
Audit sponsor
Internal auditors – management
Internal auditors – previous audits
Fraud investigators
External auditors
Regulators
Technical advisers – internal and external
Legal department
Operational staff
Project teams
Support staff
Auditee’s customers – internal and external
Auditee’s suppliers – internal and external
Personal network of technical contacts

Figure 8.1 Groups of potentially useful contacts to be developed in an audit

Networking relationships

As noted in the sections above, all auditors have an opportunity to build a network of contacts, which will invariably be helpful in the future.

Case study

An HSE practitioner was teased by friends when he was in his 20s for spending too much time attending business meetings in the evenings. When he was in his 30s, he was the managing director of a medium-sized HSE consultancy group. Most of his employees, and most of his customers, were connected via his contacts over ten years earlier.

Senior auditors will tend to find that over time they will develop a good network of auditor contacts inside and outside the internal audit department with whom they can discuss issues on which they would like guidance or a second opinion.

In addition to building relationships with other auditors, an excellent and career-focused auditor will look to build relationships with senior managers in various functional and operational areas of the business in which they work. These may be on the basis of friendship, professional interest or personal respect for audit work done in their areas. Relationships and contacts with colleagues who, when requested, are able to give authoritative advice on legal and technical issues are particularly useful.

Generally the best relationships are built and rely upon the understanding by both parties that any information sought and information provided is handled, unless otherwise stated, in confidence and treated as personal and non-attributable.

You cannot start thinking about relationships too soon

The lead auditor should endeavour to find out as much as possible as to why this audit is being carried out. The majority of internal audits are carried out because they are the next in line in the corporate audit plan. Remember, their priority in this audit plan was decided by the internal audit manager following on from the results of a risk assessment of the organization’s business activities, and later approved by the audit committee.

However, some audits will have been triggered for particular reasons other than being ‘next in line’. Sometimes, they will be given priority because an incident has occurred either in the area to be audited or in a similar area elsewhere in the organization. Sometimes senior management needs a level of assurance given particular circumstances already existing or likely to occur in the short-term in the area to be audited or in the business environment affecting the area.

Whatever the reason for the audit, the lead auditor should, as part of his initial

preparation, always make contact with the internal audit manager, the audit sponsor 

(who may also be a member of the audit committee), and depending upon the reason

for the audit, possibly even the Chair of the audit committee. As necessary, try to

arrange a meeting to discuss the audit generally and to get their input on any matters your early research has shown to be interesting or unusual.

A-Factor 58: Time spent on reconnaissance is seldom wasted.

Case study

Most of the pre-audit preparation had been carried out in the UK for a series of 

audits to be carried out over an eight-month period outside the UK. This had required a lot of e-mail and telephone contact with a number of senior managers

in the auditees’ areas of operations, the local internal audit department, and the

local contracting and procurement department.

Upon arrival in the country, the lead auditor arranged to see the sponsor of 

the audits (two organization levels above most of the auditees), essentially as a

courtesy but also to run past him a few of his initial thoughts regarding the

development of an appropriate audit work plan. From their discussion, he found

out that the audits had been postponed for nearly two years and they were only happening now because of the personal insistence of the company’s managing

director (MD).

When he got out of that meeting, he called the MD’s secretary to make an

appointment to see him and he was not really surprised when she told him that

the MD had already asked her to arrange a meeting with him. The information

which the MD provided was invaluable to the success of the audits since it

guided the audit team’s detailed work planning and how they related to some

key individuals in the auditee’s department. The audit results had a profound

impact on how that company changed its view of a significant area of social

accountability.

Although a (draft) Terms of Reference should be issued already for the audit in

question, which should clearly state the expected deliverables from the audit (i.e. to

provide assurance to senior managers, to identify areas needing improvement, and to

assist management as to how to improve), the lead auditor should also try and find

out if there are any particular circumstances surrounding the area of the business to be audited of which he should be aware.

A lead auditor’s preparations would normally require them to review the reports

of the previous audits, including those by other internal audit or review bodies

(e.g. a review by the health and safety committee). Whilst these audit reports may

have been accepted by management at the time they were done, the lead auditor 

may still wish to contact the person who led the audit at the time to find out if 

there were any particular issues that had been the focus of the auditee’s or management’s

attention at the time of the closeout of the audit. Similar inquiries may be made with external auditors (e.g. on a statutory audit or a Level 3 certification/re-certification

audit) or with regulators (e.g. following a health and safety accident

investigation).

A key characteristic of these contacts will be informality. However, generally third

party contacts will necessarily be more formal unless the lead auditor in question

already knows the other person.

Also, the lead auditor needs to use his relationship with senior managers to find out

how they assess the control framework about to be audited and where they think the strengths and weaknesses lie. If they say that they don’t have a view, or don’t know,

that is useful information in its own right.

The lead auditor can also ask to see a copy of the most recent management self-

assessment (MSA) results, but this should only be used as a parameter to measure the

audit’s early findings. If there is a significant divergence between the audit’s results

and the MSA, then a more detailed comparison could be made later.

Bringing down barriers and changing perceptions

In many organizations the audit department, the auditing function and even auditors

themselves are still viewed with suspicion and even a degree of disdain by those

individuals who are likely to be audited or at least involved in audits.

As members of an auditor training organization, the authors regularly hear from course

delegates that this antipathy between the hunter and the hunted – the policeman and

the offender – remains alive and kicking.

Case study

Food and Drug Administration (FDA) auditors in the USA were mentioned as

usually being very confrontational, requiring excessive detail in paper evidence,

and having little concern for efficiency of their management system requirements.

Most FDA audits are reported as ‘competitive’, with the auditees seeking to

give no information other than what is specifically requested, and the auditors trying to identify ‘stones to turn over’ so as to find hidden faults – this type of

auditor/auditee relationship is not good practice.

The two great ‘lies of audit’ persist:

Auditor: ‘We have come to help you.’

Auditee: ‘You are most welcome.’

Many heads of internal audit, especially in larger organizations, would like to think that this is not the case because of the way in which their departments have been

modernized in recent years. Many organizations have formally adopted professional auditing standards, such as The Institute of Internal Auditors’ standards which state that internal auditors can indeed see themselves as consultants to the business. However, every time an audit is carried out is the moment of truth as far as those potentially

suspicious individuals are concerned.

Our challenge as twenty-first century auditors is to progressively reverse these

perceptions.

Whatever the past or current perception of audit may be within an organization, it is possible to generate a receptive and creative atmosphere by focusing on building good personal relationships between every auditor on the team and those whose assistance will be sought in preparing for and carrying out the audit.

The essential steps in building good personal relationships are:

• do not expect to be liked immediately

• accept that suspicion is entirely normal and do not equate it with people having something to hide; give them the benefit of your doubt

• ensure you have the tools and knowledge to persuade people of the benefits of audit and be ready to use them at every level in an organization

• bring as many people on board at the beginning of the audit by inviting them to meet you and the audit team, hear about the audit process and how you would

value their support

• be open about the audit process – there is nothing secretive about it – and confirm that an internal audit is being done to assure management that all is well or to alert them if their intervention is required

• describe how that intervention might take place

• give pertinent examples of how audits have helped organizations such as this one

• explain how the auditors will focus their attention and scrutiny on ‘the system’ and not on ‘individuals’

• demonstrate all the auditors’ competencies to do the audit in the particular part

of the business being audited without saying ‘We are brilliant and we know everything!’

• adapt your approach (i.e. how you are dressed, and how you speak) and interpersonal style (i.e. using first or family names) to the people with whom you are communicating

• start every formal interview by stating clearly why you have chosen that person to speak to and how they can help you to do the audit effectively

• discuss the agenda you have prepared and invite your interviewee to add other issues to the agenda and to decide the order in which they would like to discuss

them

• offer confidentiality if you think that will help to get to the truth, and do not breach that confidentiality later

• do not judge what you find out, until you are certain you have obtained the truth, and even then ask yourself ‘So what?’

• report back to individuals if you say you will

• return any documents you ‘borrow’

• practice humility

• tell them ‘I am from Missouri’, and explain why this is so (see Tip in Chapter 6,

pages 122–3 and Figure 6.3).

Show your interest in operations

The main sources of information to assist you during the audit – in addition to the auditee and his or her immediate subordinates who are working in the area being

audited – will be the operational and support services personnel.

Generally, these people will be helpful. They will usually either give you the information needed, or point you in the direction of relevant evidence to support the existence and effectiveness of parts of the business control framework.

However, we, as auditors, would not be doing our job properly if we did not check or corroborate such information by referring to an independent source, such as another person, or comparing the information obtained verbally against physical evidence or supporting documentation. This action of confirming what we have just been told

can elicit from the people who gave you the information emotions of frustration and even annoyance or anger. They think that you do not trust them! Handling this part of any relationship, especially at the operational level, is critically important. So explain the next step of the process at the end of every interview and meeting.

Testing outside the auditee’s operational area is required when auditors want to seek further confirmation of the effectiveness of particular controls from individuals or documentation in customer and supplier organizations. Auditors need to be aware that their relationships inside the auditee’s department will have to be particularly well grounded to withstand the strains that often arise when the auditee’s personnel

are told or find out that the auditors wish to make inquiries or seek confirmation from third parties outside the immediate boundaries of the auditor’s scope area.

In addition to confirming clearance with the auditee, out of courtesy and on the grounds of confidentiality, auditors must be prepared to handle such sensitivity which

arises irrespective of whether the customers and suppliers are internal or external to

the overall organization.

Take time to get your message across

Human nature alone would suggest that auditors are unlikely to be welcomed with

open arms as the bearer of bad news. This could be in the form of serious control

weaknesses, or a poor or unacceptable audit opinion. ‘If they don’t like the news, they

shoot the messenger’. However, the extent to which this reaction will be evoked will

be very much dependent upon how the lead auditor delivers the message. Clearly,

just dumping the bad news on the auditee’s desk on the final day, as he heads for the

car park or the airport, is not going to help anyone.

Tip – Provide the audit opinion at an early point, once it is known. Be prepared

to explain why and how the opinion was derived, particularly those opinions

which may be seen as ‘bad news’.

Case study

An auditor had spent approximately two hours presenting the detailed findings of an audit to the management team. When the final slide announced the

audit opinion as ‘poor’, the managing director said ‘Please put the first slide on

again’.

When applicable, contrast the audit team’s early indicators of poor control with

perhaps the more optimistic expectation of senior managers (which the lead auditor 

may have heard about). An experienced lead auditor would commence ‘drip-feeding’

the bad news to the auditee through a series of ‘no surprises’ meetings from an early stage in the audit.

In contrast, passing on a Good or Satisfactory audit opinion is usually an easy and

pleasant affair. This is because management will feel that they have ‘passed the audit

test’. They are not feeling threatened, since they will see the result in the same light as

having just been told ‘everything in your area of responsibility is being well-managed’.

They then get on with their usual job. However, such ready acceptance may not

be what the lead auditor really wants, or the outcome that the audit warrants. It is

probably inappropriate in most circumstances, so some auditees and their management

teams need to be encouraged to rigorously challenge even seemingly good news; they should examine the methods used by the auditor to arrive at the good news,

and the documentation that the audit team has prepared to support it. This process

should result in auditees and management above them understanding the strengths

and weaknesses of their management control framework more fully. Only then should

they feel confident of the extent to which they can bask in the reflected glow of the

audit team’s assessment.

Tip – This process of ‘educating’ the management team can be done best through

a series of ‘progress’ meetings.

Such progress meetings can be set up in a similar way to the ‘no surprises’ meetings

from as early a moment as the lead auditor has something he wishes to

draw to the auditee’s attention.

Don’t drop your guard until the report is delivered

The lead auditor may have prior warning that there is going to be difficulty in

closing out the audit at the presentation. Usually this would be because the auditee

has mentioned or stated that the management team cannot (or will not) accept

the audit opinion. This can still be the case, even if the lead auditor has initiated

and participated in copious ‘no surprises’ meetings, has responded appropriately to

questions and challenges from the auditee’s staff or even the auditee personally.

In this type of scenario, the auditee may be prepared to make accusations and

threats, and fight every finding in the hope of unearthing some factual inaccuracies upon which the auditors have relied in arriving at their conclusions. If they are

successful, they hope to cast aspersions on the reliability of the remaining part of the

auditors’ work.

It may be that some ‘big guns’ – intimidating, large or boisterous, or very senior 

managers – may be assembled at the final presentation. Auditees cannot sustain

this type of behaviour on their own. They need the support of their subordinates

which will be provided either willingly or as a result of coercion. Quite reasonably

you cannot and should not expect them to come to your aid in the final closeout meeting, whatever they have said to you privately. A key relationship that will need

to be relied upon in these circumstances will be that between the lead auditor and

the auditee’s line manager. In certain circumstances, others may necessarily become

involved, including the internal audit manager, the audit sponsor or even the Chair 

of the audit committee.

Case study

A highly competent technical professional had been working in internal audit of a major global business for a relatively short period, when she was appointed as

the lead auditor for an audit which was to cover the engineering department of 

a large subsidiary.

She and her team completed the audit and the results did not reflect well on the

subsidiary’s management. In fact, there were some serious issues which needed

urgent management attention. This meant that the audit opinion was going to

be no better than Poor, and possibly Unacceptable.

The auditee knew this but could not bring himself to accept it or some of the

main findings, even though the supporting evidence had been fully and clearly

documented and explained to him. He decided to wait until the final presentation

to try to cut the lead auditor down to size. He gathered his troops around him

in three locations – having organized a video conferencing facility – and by her 

own words, the lead auditor was so nervous she could not apply her lipstick in

the Ladies when she had gone there, immediately before the meeting, to seek a

refuge to compose herself for what she knew was going to be a very rough ride.

The tension in the three locations was growing as the seats in the three conference

rooms filled. The lead auditor, the audit team, and auditee finally took their 

places. The scene was set; this auditee was going to teach this particular auditor 

a lesson she would not forget!

Just as the lead auditor was drawing breath to start the audit results presentation,

there was a disturbance at one of the remote locations. Everybody’s eyes looked

at the distracting video screen. A late arrival had entered that conference room

and was offered a seat in the front row.

The scene had been set for a totally unnecessary demonstration of bully boy

tactics which probably would have resulted in accusations, denials and counter-

accusations, many probably of a personal nature. The audit result would have

stood but people would have been damaged. But the presentation went off 

without much more than a few clarifications. The auditee was very quiet and

the lead auditor got the acceptance of the findings and a commitment to take

urgent action to address the control weaknesses.

Why the swing around?

The late arrival was the auditee’s boss, who had been tipped off about the audit

results and the planned showdown by a telephone call from the internal audit

manager.

Tip – Invest the necessary time to get the essential facts relating to the audit result

to a level of management that does not see it as personal criticism, and who will

want to ensure the auditee listens and responds with actions.

Although it is advisable for the audit team leader to discuss with the auditee who will

attend the final presentation, particularly which members of senior management, at

times there are senior individuals who invite themselves at the very last moment – 

possibly because they haven’t got anything better to do and are looking for some

sport! Their motives for attending may or may not be known and therefore it will

be difficult to prepare to handle any interjections that may arise from them. Their

aim can be to disrupt the smooth flow of the audit team’s presentation, and if the opportunity arises, to call the auditors’ credibility into doubt. This can be a very

difficult situation to handle, but a good way to deal with it is to raise the possibility of 

something like this happening with the auditee and get them to agree that they will

field any questions coming from such a quarter.

A-Factor 59: Don’t drop your guard until the assignment is complete. It is

essential to rehearse the nature of objections, and to try to see things from

the other person’s perspective. Anticipate and have in mind answers to the

types of questions auditees and others are likely to pose.

9 The Written Report

Introduction

This chapter relates to the areas we described towards the end of Chapter 7 – 

concluding the audit. Chapter 8 – personal relationships focused on the critically

important aspects of the lead auditor’s and the auditors’ abilities to connect on an emotional and psychological level with the auditee and auditee staff. This chapter

focuses on the equally important ability, particularly of the lead auditor, to be able to

put the same information in an attractive written form.

As you’ll have read, good – no, excellent – interpersonal relationships between the

audit team throughout the entire audit process, in particular those with the lead

auditor and those with the auditee, are very important. This is especially true

at this point of the process, where we will seek to turn all of the time and effort

put into the audit (i.e. the set-up, review and verification, and concluding) into a

written report that is generally accepted and agreed for its content, easy to read, and

welcomed by the receiver as being a useful contribution to their business.

One of our main premises for writing this book was our passionate belief that auditing

is really all about facilitating business improvement. Such improvements, as we foresee

them, are only possible if our messages – carefully worded, factually correct, and (if 

possible) agreed upon with our auditee through our ‘no surprises’ process while we

are on site – are clearly replicated and enhanced through the written report.

A-Factor 60: The written report is an essential document which compels business improvement if you get it right.

In this chapter you’ll learn:

• how to write really great reports that are easy to read, and truly welcomed by the

receiver 

• the use of powerful words

• how to deal with abbreviations and references

• why it is so vitally important to read the report after writing it but before

submitting it

• how to formally submit audit reports and recommendations.

How to write great reports

Let us start with a question. In your experience, which parts of any book, prior to a

purchase, get read?

We guess that you answered ‘the summary on the back page’, ‘the profile of the

author’ and/or ‘the first page’. This would be our answer too. This is because we all

know that if these ‘headlines’ do not quickly engage our interest as readers, we will

put the book back on the shelf, and pick up another instead. We have choice.

If we now asked you, in your experience which parts of any management report

are likely to get read, likewise, we suspect you may well answer ‘the management

summary’, ‘the table of contents’, and ‘the recommendations’.

This would be our answer too, again. This is because we all know that if these

‘headlines’ do not quickly engage our interest as readers, we put the report back in

the envelope and find something else to do in the office.

Well, the same is true for the auditee, senior management of both the auditee function

and internal audit, and the audit committee members. All of these people have very

busy days, and lots of other things they could choose to be doing with their time. If 

our report is not ‘a good and easily digestible read’ from the start, it is unlikely to be

read with a degree of interest that you would like.

In this section, we offer some tips and hints on how to write reports that are easy to

read and more likely to be welcomed by the reader. Some early characteristics that

need to be correct are common sense (but lots of people still get these wrong!):

• names on the cover of the report must be spelled correctly

• audit title and dates of audit

• auditee’s and sponsor’s names and titles

• names and job titles of recipients

• company name fully and correctly expressed – plc, SA, Sdn Bhd, Ltd, etc.

• audit team membership.

Making sure these straightforward facts are correct gives a (perhaps unconscious)

feeling of comfort to the reader. Get these incorrect, and they may already be doubting

the audit team’s ability to have done a good audit, let alone present a coherent and

useful message.

Tip – Your report has one chance to make a first impression. Use it!

[Figure 9.1 Audit Report structure. Part 1 (management summary): introduction and business environment, audit opinion, major findings and actions, assessment of BCF. Part 2 (findings and actions): each finding has a descriptive heading with Issue (expected control, actual control), Exposure (residual risk, impact of risk) and Action (reducing risk, removing cause). Appendices: TOR/work plan, interviewees, action plan.]

Other important objectives must be:

• clear structure

• simple layout

• a concise extract of the audit’s conclusion(s).

A clear structure is:

• Part 1 – executive summary

• Part 2 – audit report (with appendices).

A simple layout and the relationship between the two parts of the report is shown in

Figure 9.1.

Title

So let’s start – give the document a clear title on the cover. We have previously

commended sharp titles of three to four words, and we do so again here.

Contrast:

HSE Audit Report – O’Hare Airport

with

A report into health, safety and environmental management systems, aligned to

OHSAS 18001:1999 and ISO 14001:2004 at O’Hare International Airport, Terminals 1, 2 and 3, Chicago, IL, United States of America

We choose the former every time.

Tip – Don’t try to be too clever. Don’t try to show that we know ‘everything’

on the cover. Compel the reader to turn on to find out which terminals (in our 

example) are covered by the report.

Cover page

Experienced auditors seem able to prepare a cover page using a format carried in their minds.

We commend you to try to establish your own format; it helps a lot when you are under time pressure to prepare the final report.

Our model is shown here. This has worked well in setting the scene in hundreds of audits around the World:

• [‘draft’ or ‘final’] audit report of a [add type of audit here] at [add name of organization and short-form address here] on [add date here, including the year]

• auditee [name and job title] and sponsor [name and job title]

• lead auditor and team members [add your and the team’s names and designatory letters, the name of your organization if a contractor].

Tip – Designatory letters (1): Use the ones relevant to the audit, with your 

highest qualification first (if you have more than one). Avoid a long list, unless

you really do have several (relevant) degrees!

Tip – Designatory letters (2): If you do not have any designatory letters, it may

be a good time to set about formalizing practical skills with formal qualifications

and/or membership of a RELEVANT technical body. Chapter 3 provides the

names of some major auditor registration bodies.

Table of contents

This is an important section of the report since it helps readers familiarize themselves with what we have included in our report and where they can find it. In our

experience, this is one of the first pages readers will look at.

We suggest that experienced auditors could/should build a library of ‘tables of 

contents’ templates – perhaps one for each reference framework they are auditing

against.

The table of contents should show the following appendices: terms of reference, audit work plan, description of the audited reference framework, audit scope, and list of

all contributors to the audit.

Tip – Take a template as an ideal starting point for the report; you then only

need to amend each main heading.

Tip – If you do not know Microsoft Word’s ‘Tables and Index’ tab, then find

out. Making sure that the page numbers align with the table of contents can be

done automatically. After proofreading, after peer review (details hereunder) and

just before the ‘final check’, press the Refresh key and the page numbers are

updated.

Tip – Similarly an essential skill is to know how to copy or cut text using

‘Control-C’, or ‘Control-X’ and paste it using ‘Control-V’ into the same or 

another document.

The foot of this page is a good place to put a note of thanks and acknowledge the

cooperation received. Unless it is absolutely necessary, do not list individuals by name

and/or job title.

Disclaimer statements

It seems to us that most auditors these days include a disclaimer statement within their 

reports. We are not lawyers and therefore we suggest that you discuss the pros and cons of doing this with people who can advise you about the benefits of such a statement.

What we do suggest is not to put the disclaimer either on the cover or on the bottom

of the table of contents. We have been advised that any warning given in the UK

should be no less prominent than the text surrounding it, but as a general point, we

advise auditors to start with positive messages.

Let us be clear:

• an auditor cannot know everything, verify every record, speak to each employee

in an audit lasting two weeks, let alone a few days

• any audit is an intentional sample, designed to give reasonable assurance to readers

to the extent that the work plan has been completed

• our report is not a guarantee of zero loss in those areas which are found to be

adequately controlled

• corrective action is the responsibility of the auditee.

However:

• we have followed a structured audit process

• our results are likely to be replicable by others following in our footsteps and

referring to our working papers

• we have reported our conclusions based on the facts obtained during our work

(of course, we rely upon the facts reported to us being true!).

Between these two positions lies (1) our credibility as auditors and (2) our desire to take account of and manage our own risks.

A statement used by the authors is shown below. We use it at the end of the

management summary, and again at the start of the recommendations. As we too

are risk managers, we cannot commend these particular words to you, but we show

them to give you a ‘feel’ for what your lawyers may suggest you use.

‘We have taken into account risk factors which we were aware of at the time of 

the auditor’s visit(s). It should be noted that there might be other not reasonably

identifiable factors that may be relevant or other matters, which in the opinion of 

the auditor do not constitute risks in the context of the report. In preparing reports,

we may suggest improvements, which in our opinion will reduce risks. It should

not be inferred that other risks could not be reduced or further controlled, nor that

identified risks could not be reduced further by other measures or in other ways.’

A-Factor 61: Discuss ‘disclaimer statements’ with competent legal advisers

in your jurisdiction.

Executive summary (Part 1 of the report)

We think that the management summary or executive summary is possibly the most

important section of the report. In our experience, it is the section that senior 

managers look at first, as it provides a full account of the audit’s outcome in a

‘nutshell’. Either they will love it, or loathe it. It is up to the lead auditor to promote

continued reading by the way in which the summary is written and presented.

Accordingly, it should not be rushed. We commend you to write it last, when the body of the report – with all the key findings, exposures and recommendations

finalized – and appendices have been prepared. The lead auditor must know what

the ‘big picture messages’ are going to be, and will have a fair inkling of how senior 

management will react.

The time to begin writing an article is when you have finished it to your 

satisfaction. By that time you begin to clearly and logically perceive what it is

that you really want to say.

 – American writer Mark Twain – born Samuel Langhorne Clemens

(1835–1910); from his Notebook, 1902–1903.

A good management summary could (literally) be taken from the report to stand

alone. If possible, restrict it to two pages. This distillation aims to bring transparency

and clarity to the issues which the audit team communicate to senior management.

The executive summary should comprise four sections:

1. introduction and business environment

2. audit opinion

3. major findings and actions needed

4. assessment of the business control framework (or ToR’s reference framework).

Once again (twice, actually), we quote from Mark Twain as a reminder that focus

takes time:

I am sorry for writing you a four-page letter. I did not have the time to write

 you a one-page letter 

 – Writing to his wife

To get the right word in the right place is a rare achievement. To condense the

diffused light of a page of thought into the luminous flash of a single sentence,

is worthy to rank as a prize composition just by itself  Anybody can have

ideas – the difficulty is to express them without squandering a quire of paper 

on an idea that ought to be reduced to one glittering paragraph.

 – Letter to Emeline Beach, 2 October 1868.

Introduction and business environment 

The introduction and business environment section should describe in concise terms:

• type of audit performed

• which part(s) of the business was audited

• extract (by relevance to the audit’s findings) of the corporate challenges, objectives

and major projects

• description of aspects of the organization’s business environment which are both critical to the business’ future success and relevant to the audit’s findings.

This is your opportunity to prepare the minds of senior management, most of whom will be reading the report for the first time, so that they easily recognize their company and subconsciously give you the credit for having neatly encapsulated the key (and not all) of internal and external environmental factors which are challenging and

supporting their business’ potential success.

A-Factor 62: Senior management should recognise that the executive summary describes their business as they see it. It must demonstrate that the audit team have approached the audit in terms of assuring management that they have a successfully managed business and not just assessing how their HSEQ management system measures up against the specified reference framework.

Much of the factual information which will be appropriate for use in the introductory paragraph would have been obtained at the start of the audit process, during the lead auditor’s and audit team’s familiarization with the auditee’s business environment.

Now that the audit has been completed and its conclusions arrived at, only those aspects of this familiarization work (e.g. political, economic, social, technological, infrastructural, legislative, etc. environmental factors; business strategies and objectives; corporate level risks and opportunities; and operational risks) which have a clear relationship with the major findings, need to be mentioned in the executive summary.

Tip – The reason for a highly selective approach to what is mentioned in the

introductory paragraph of the executive summary, is to keep the reader’s attention

focused on only those matters that you need them to think about.

Either you will be commending them on a strong and effective BCF regarding some of the critical issues affecting the company’s future or you will be setting them up, to relax in their comfort zone, before delivering a message which cannot be deflected.

Setting them up by allowing the reader to recognize vital issues within their own organization, and winning their interest and commitment because you will report (in the next paragraph) that the relevant part of the management framework requires improvement and may possibly be unacceptable.

 Audit opinion

This section is the ‘newspaper headline’ that really matters to senior managers.

A-Factor 63: Whether auditors like it or not, managers will be judged by the results of audits. The body of those standing in judgement includes the board of directors, remuneration committees, external regulators, the legal system, and other stakeholders.

In such an environment, it is only human nature that ‘good news’ will be well

received and ‘bad news’ will evoke a knee-jerk rejection.

Therefore, the audit opinion paragraph needs to pack a punch. It must succinctly

describe the auditors’ assessment of each of the elements of the reference framework – is it in place? could it work as designed? does it work? This description should be

structured so that the reader is given brief examples of strengths and weaknesses

within each element which are relevant to and supportive of the major findings, and

the totality of these facts must lead the reader along a path of irrefutable logic that

ends in the reported audit opinion.

A-Factor 64: A well written paragraph delivering a ‘poor’ or ‘unacceptable’

audit opinion, will have the effect that ‘the reader may not like it, but the

logic and the facts cannot be denied’.

 Major findings and actions

This section will be a summary of what has been reported in detail in Part 2 of the

report – bullet points can be a very useful way of condensing text.

The key challenge is to demonstrate clearly what management action needs to be

taken and over what time frame in order to avoid the identified potential business outcome. Don’t try to say everything again but tell a compelling short story which

forces the reader to make the link between the control failure in the reference

framework and the impact on their business’ future success (or failure, if they take

no action).

The basic logical thought process used throughout the audit can form an initial

template:

• a title that imparts feeling as well as description to the issue

• the risks to business success of any control failure

• the presence, absence, strength or weakness of relevant controls

• the action and urgency required to improve the control framework.

 Assessment of the BCF 

This information can either be retained in the body of the executive summary

or attached as an appendix with only a table of the results in the body of the

report.

For example:

#  BCF Element           Positive  Negative
1  Policy                +
2  Organization                    −
3  Procedures            +
4  Supervision           +
5  Review and appraisal            −

For each element of the BCF, there should be a clear and concise description of 

the most important examples of strength and weakness in control which were found

during the audit. If appropriate, make the link between specific examples and the

respective high-risk activity (i.e. work plan item).

Ensure that the paragraph for each BCF element can both be read as a stand-

alone commentary on the audit’s findings with regard to that element’s particular 

control failings, as well as presenting a balanced report (i.e. in terms of quantity and

significance of control failings described) of that element’s overall contribution to the

assessed effectiveness of the overall management system (i.e. as shown in the table of 

results of the BCF).

Audit findings and actions (Part 2 of the report)

Part 2 of the report presents the details behind the comments and conclusions pre-

sented in Part 1 of the report.

The layout of the detailed information will normally be determined by the

organization being audited. Figure 9.1 shows a format with three key elements

reported in separate columns:

1. status of the control framework – comparing expected controls with actual controls

2. exposure of the business – identifying the extent of unauthorized residual risk

3. actions – required to strengthen the failing controls and address the root cause

of the failure.

Therefore, the overriding objective for the auditor when detailing the status of 

the control framework (needed to effectively manage specific inherent risks within

activities which are critical to the business) is for the reader to agree with the auditor’s

statement of expectation of particular controls and to be able to clearly note where there are gaps between that expectation and the type and quality of controls found/not

found and working/not working. To the extent necessary, details of verification can

be included or cross-referenced to appended documentation (e.g. list of interviewees

and contributors to the audit).

The overriding objective for the auditor when detailing the exposure of the busi-

ness, resulting from the control failure, is for the reader to clearly appreciate the

impact of the existing situation upon the organization’s key business objectives, both

quantitative and qualitative.

A-Factor 65: Detailed reporting of each audit finding should examine the

extent to which the audited organization has delivered on the definition of 

business control.

Without action being implemented to correct the failings identified within the BCF,

no improvement will occur. However, irrespective of whether it is auditee or auditor 

who decides what the appropriate action needs to be, the description of the necessary

action needs to reflect a SMART approach:

• Specific – clearly defined action

• Measurable – defined performance level and timing

• Achievable – can be done by designated action party

• Right – it is appropriate in light of the problem

• Timely – urgency in line with seriousness.

From a technical standpoint, clarity of wording in recommendations (especially in

report Part 2) is critical. Actions that need to be taken will be understood in such a way that there can be a genuine commitment on the basis of a full understanding of 

what, how and when action needs to be taken.

Often clarity is a matter of balance. For example:

• being specific in what is required, balances conciseness with writing a paper;

• improving matters that are impacting business objectives simultaneously in the

corporate realm and at the process level, requires balance; and

• clearly identifying the person with responsibility for taking the required actions,

needs to be balanced against the person with accountability to ensure that the

result is effective.

When drafting recommendations and seeking conciseness, it is always difficult but

very necessary to avoid vague action words such as:

• consider – rather use: estimate, evaluate, measure, calculate, compute

• ensure – rather use: check, verify, certify, justify, investigate

• review – rather use: amend, adjust, correct, recreate, rewrite

• monitor – rather use: analyse, investigate, revise, overhaul, repair.

Format

Tip – Tables and figures in the text of the report should be shown as follows:

• Tables of figures = Table 1, 2, 3,

and

• Pictures, photographs, images, graphs = Figure 1, 2, 3,

Tip – For abbreviations and references, such as COSHH, RIDDOR, OSHA,

NOSA, etc. state the full term once with the abbreviation in brackets, and then

use the abbreviation alone thereafter.

Reading after writing, before submitting

This section highlights why it is important to read the report after writing it and

before submitting it. It shares some of our experiences (humorous, but still serious)

from 20+ years as auditors.

Think of the things that distract you when you are reading someone else’s work:

• spelling mistakes

• obvious errors of fact

• excessive use of ‘absolute’ terms (e.g. no training) – what, absolutely none, ever?

• poor punctuation.

Spell-check carefully; a starting point is to use proprietary spell checkers within word

processing software – so long as the limitations are recognized. Additional proofreading

is very important to be sure that ‘there’ is not incorrectly spelled ‘their’, and so on.

Case study

A Master’s degree student had appointed a personal tutor for his dissertation. The

student sent in several of the early chapters for review and comment. The tutor 

sent back a note which said:

I am unable to concentrate upon the (no doubt excellent) content of your work, as I am continually distracted by your poor punctuation and

grammar.

Learning = learn to punctuate if you need to!

It is very difficult to proofread your own work, so each audit team member’s work

should be read by a colleague and every part of the audit report should be read by at

least two people – specifically looking for spelling, formatting and typographical errors.

Other reasons to check documents after completing the writing, but before submitting them include:

• it is good practice

• internal review may be required by your organization’s quality system (e.g. ISO 9001:2000)

• auditees will pick up on errors to deflect from all-important issues and possibly as

an excuse not to do what was intended, if not accurately stated.

Tip – Peer review of reports is a very good idea. Read audit reports after you

have written them, but before submitting them. Often the brain can work faster 

than the hand, or the report may not say quite what you wished it to!

Case study

One of the authors was close to submitting the following report some years ago:

the site has much carnage in its workshops, but this is well documented

and clearly marked.

The report was supposed to say ‘the site has much cranage [i.e. many cranes] in its workshops’, but our pals at the software company had pre-programmed

their integral spell-checker to auto-correct. Some surnames can be hopelessly

auto-corrected too, and this can be very embarrassing. If you do not believe us,

try spell-checking ‘Pernis’, ‘Hyster’ or ‘McVities’.

If the reader is not to be distracted while reading, we need to make sure that correct

familiar technical language is used. Which health and safety practitioner would not

be distracted by incorrect referral to the main health and safety legislation in their 

country?

Submitting audit reports

There will come a point in time when the report is to be submitted to your 

client/auditee – either because submission is contractually due, or because you feel

that it is ready to be read.

There are two basic approaches to submitting audit reports:

• here it is (e.g. final report)

• here is a draft for comment prior to our final report.

Here it is

Some audit reports are very much of this type. Any auditor that has worked with, for 

example, a certification body would have prepared the audit report while progress-

ing through the audit, by recording the evidence of the work in a chronological

fashion.

The report is collated, and with a summary front page, and recommendations at the

back, is handed to the auditee on the last day.

This is a cost-effective way of audit reporting, but does not allow for major issues

such as ‘can the auditee read my writing’ and (relatively) minor issues such as spell-

checking.

Here is a draft 

This is our preference, and we commend this approach to you. If you can (and of 

course this depends upon what has been agreed to in terms of the time and budget

for the whole audit), we suggest that a draft report is presented to the client – ideally

in time for them to read it before the final presentation.

If you can do this, you can refer to it during the presentation, e.g. for facts and tables

of information.

Give (say) two weeks for comment after the presentation and prior to final issue of 

report.

Comment does not equal changes, it equals only an opportunity to comment.

Change inaccuracies, spellings.

Remove unnecessarily contentious statements – e.g. ‘incompetent’, or absolute neg-

atives/positives (‘no’, ‘not’, ‘always’, etc.)

Resolve questions raised in draft.

Take account of auditee’s concerns and preferences regarding actions.

‘Final check’

It is a really good idea to do a ‘final check’ as the last thing to do before you put the

whole report into the envelope with an appropriately worded covering letter.

Tip – Send the invoice separately to the report.

A-Factor 66: Regularly maintain an off-site back-up of all computer files to

prevent irretrievable loss.

10 Teamworking

Introduction

In Chapter 8 of this book, we discussed the importance of creating and maintaining

good working relationships with individuals outside the audit team. However, the

lead auditor must also ensure that all the individuals in their audit team work well

together.

Before we do this, we must recognize that many audits are undertaken by lone

auditors. This has its difficulties.

Difficulties of working on your own

Many audits are carried out by a singleton auditor, even in quite large organizations.

However, as we said in Chapter 3 of this book, this is not an approach that we would

support or recommend.

When there is a need for analysing and synthesizing the many and various strands of 

information coming in from a variety of sources to arrive at an opinion about the

effectiveness of a business control framework (BCF), there should be at least two

auditors on site, with access to a senior colleague off-site – please see A-Factor 21 on

page 74.

By the time an auditor has completed half to three-quarters of the review and

verify stage in the auditing methodology described in this book, they will have generated a vast amount of information about the way in which the auditee and their 

subordinates have created and are using each of the elements of the BCF (or multiple

control frameworks). The auditor may also have decided which controls he wishes

to verify/test for application and effectiveness, and possibly have got the results of 

verifications already carried out. After doing all this work, there is a need to stand

back and reflect on what it all means, especially in preparing for the ‘no surprises’

meeting with the auditee.

In this situation, it is extremely difficult for an auditor working on his or her own to

be able to arrive at a balanced assessment taking into account all the positive as well as the negative indicators. Having at least two auditors is preferable to allow reasoned

discussion and argument which is more likely to result in the balance that the audit

is required to produce, and provide management with relevant high-level messages

for improvement.

Initial meetings

It is generally unlikely that the lead auditor will personally know all the individuals

assigned to the audit team – and sometimes, may not know any of them.

The size and composition of the team will vary according to the complexity of the

audit to be performed, and the audit intensity required. The lead auditor’s first action

with regard to ensuring effective teamworking will be to have a brief discussion with

each team member and thereby confirm that he has been given a sufficient number 

of people with the right competencies to carry out the audit.

A-Factor 67: The lead auditor’s first action to promote effective teamwork-

ing is to have an early discussion with each team member.

Once the team composition has been finalized, the lead auditor should arrange to have an early one-on-one meeting (of perhaps an hour?) with each member of the

audit team. The aim is for the lead auditor and the team member to get to know a

little (more) about each other in an unpressurized situation.

The lead auditor should try to find out the level of personal and professional com-

mitment and operational readiness the team member has regarding their assignment

and the audit team, and whether they are likely to be distracted during the period of 

the audit by either personal or work issues. He should also confirm the level of their 

auditing experience and whether they have any particular specialization which will be useful in allocating them to do specific tasks.

The team member should be encouraged to ask as many personal and assignment-

related questions as they like at this meeting since they should understand that the

next meeting will be with the whole team and there will be an emphasis upon getting

on with the job and less time for personal questions.

If the team leader has compiled a package of relevant background reading already,

then he should give a copy to each team member, together with a copy of the

draft terms of reference, and ask that they thoroughly acquaint themselves with the information and be prepared to talk about the business environment, corporate

business objectives, corporate and auditee opportunities and risks, and operational

risks within each scope area (Figure 10.1) at a meeting with the whole team.

Figure 10.1 Set-up stage – familiarization with background data (two-page form with blank fields for: Business Environment – political, economic, social and technological; Corporate and key Departmental Objectives, Strategies and Plans; Main Company Risk and Opportunities; Initial Main Operational Risk Assessment for Scope Areas 1 to 6)

Laying down the ground rules

The lead auditor needs to make it clear to the team members from the outset, both in private and in plenary session, that the best results will be produced by any audit team, as long as:

• each auditor ensures that they are clear about their individual accountabilities for auditing particular items in the work plan; they execute the necessary fieldwork to a high standard; they record all of the information obtained in their own working papers and they share the same information (analysed across the elements of the BCF) with the other team members

• each auditor is committed to give and receive positive criticism of both the team’s

and their own work and behaviour 

• each auditor is committed to listen to their fellow team members explaining the

results of their fieldwork and the conclusions they have drawn from those results

before they challenge what their colleague has done

• each auditor welcomes that the product of their fieldwork and the logic of their 

thinking and argumentation will be challenged by the other audit team members

(as well as the lead auditor)

• each auditor is willing to seek assistance from other team members as well as the

lead auditor so as to optimize the quality of their own work.

Confirming findings with the lead auditor 

As each team member progresses through the audit, it is a very good idea for there

to be regular meetings with the lead auditor to report back on what has been found

so far in their fieldwork. The lead auditors can either do this one-on-one with their 

team members or involve other team members.

Periodic confirmation by the lead auditor with his audit team that they are on track

and covering the work plan items allocated to them is a critical supervisory aspect of 

the lead auditor’s role. This is beneficial and essential because:

• if a team member cannot convince the lead auditor there is a finding, they will

be unlikely to convince the auditee; and

• the lead auditor also needs to hear about the quality of risk management in the

auditee’s area and the degree of strengths and weaknesses in the management

system at an early stage. The lead auditor will want to know whether any major or serious control weaknesses have been identified so that they can advise the

auditee as necessary, during their ‘no surprises’ meetings.

Playing as a team

If the lead auditor is successful in engendering the above style of teamwork, it will

result in an individuality of committed performance together with an open and

vigorous discussion amongst team members, including reasoned challenge and debate

without irritation or rancour, and the result will be that every team member feels committed to every finding.

This team-playing attitude is especially important during the conclusion stage when

the lead auditor has to sign off each of the auditor’s Audit Finding Working Papers

and initiate the sharing of information amongst the audit team through the medium

of the BCF (simulated on the wall charts), so that the team together can start to

evaluate, group and summarize the findings. This can only be done from a base of 

common understanding of the factual information on the BCF. All auditors need

to be prepared to explain and support the facts that they have contributed to the wall charts. This process can generate some heat which the lead auditor will need to

ensure is productive rather than destructive.

At the end of this process the facts upon which the audit opinion is going to be

formed would have been agreed on by the whole team. Similarly, each team member 

assigned responsibility for preparing a balanced assessment of an individual element of 

the control framework, in a form suitable for inclusion in the management summary,

will work more effectively since they will have previously been involved in discussions

which referred to most of the positive and negative indicators which they will use in

preparing their summary.

Cabinet rules – ‘our opinion’

Each member of the audit team has to be clear that the lead auditor is ultimately

accountable for presenting the result of all their work and may therefore have to

make judgement calls based on his assessment of all the facts available to him.

If the team has operated in the effective and creative way described above then it is

less likely that there will be any serious disagreement between any member of the

audit team and the lead auditor. However, should there be such a disagreement, then

it will be incumbent upon the lead auditor to remind the team member in question

that audit reports do not include ‘minority opinions’.

A-Factor 68: The only place for the audit team to disagree is in the team

room. Outside the team room, they must be united. There must be no

minority opinions in audit reports.

Consulting with external team members

The lead auditor needs to remember that there will be experts outside the audit team

to whom he could turn for advice and guidance.

This is particularly relevant when the team are assessing the possible impacts and

consequences of the auditee’s actions as uncovered during the audit. The reality is

that the report is likely to be seen by third parties, such as contractors or regulatory

authorities. If there is an error either by commission or omission that impacts them,

they are free to challenge the audit results.

In sensitive situations such as those affecting occupational health and safety of cus-

tomers, employees or the local community, especially if there have been any recent

incidents in the area being audited, the lead auditor must be prepared to speak to

technical or legal experts. They should be treated as part of the audit team. For 

example, a lawyer could assist the team by providing appropriate language to describe

a control weakness that needs to be strengthened so as to prevent the reoccurrence

of incidents.

Auditors can be held liable for defamation if an audit report is inaccurate and sub-

sequently harms the subject of the report. Clearly, truth is the best defence against

such legal action and therefore working closely with legal experts is important even

as early as the recording of evidence and deliberations of findings. In sensitive areas,

contact with legal experts should not be left until drafting the audit report.

In certain jurisdictions, expressions in an audit report referring to poor management

practices and unacceptable levels of exposure to certain risks could lead to civil and

criminal action which could result in substantial punitive damages and imprisonment

for senior managers involved, and some indemnification may be avoided in contractual

documents such as insurance policies.

Peer review

Towards the end of the audit, if it is possible to arrange, the lead auditor should be

given access to another senior internal auditor, who will either have experience of 

auditing a similar area or would have been sufficiently briefed on the background

of the particular audit, so that they will be able to review the main audit findings

and the draft audit report in order to confirm their agreement with the draft audit

opinion.

Such a ‘peer review’ process is always likely to make a significant contribution to

the quality assurance surrounding an audit; however, it becomes an essential part of 

audits carried out by one or two auditors.

A-Factor 69: It is a real bonus if the lead auditor has access to a competent

colleague with the time to carry out a peer review to confirm their draft

audit opinion.

A-Factor 70: The auditee can become the most important team member!


Appendix 1 – Preparation, Preparation, Preparation

Introduction

This appendix, we think, is perhaps the most important section of this book. We encourage lead auditors to cut it out, photocopy it, or, if you wish, amend it to take account of your own experiences or specific requirements. Alternatively, we recommend that you download a copy of it from the book’s companion website at http://books.elsevier.com/companions/0750680261 after November 2006. We welcome especially constructive feedback from users of these checklists, as we very much intend to incorporate and credit the better suggestions received into future editions of this book.

This appendix provides a practitioner’s guide to audit preparation and conduct. Just as many people have a packing list for their holidays and other travel, where each year they add to their list something they forgot, this has been our preparation list for many years. We use this each time we go to do an audit, and we commend it to you, though of course, it does not claim to be absolutely definitive. You will find lots of tips and suggestions here to think about – whether you are to join (or lead) your first or 1001st audit.

Amongst our suggestions, tips and techniques, you’ll find our thoughts on:

• preparation of the audit team

• personal preparation – visas, jabs, local currency, credit cards

• preparation – documentation

• getting there – transport, accommodation, ticketing

• subject preparation – business background, organization objectives, interview schedule

• doing the audit.

These checklists are provided for the guidance of current and trainee auditors, particularly lead auditors. Whilst it is unlikely that any list of this type can be absolutely complete, it does aim to cover many of the main areas, and in turn to give a reasonable assurance that the main additional requirements for team-leading (over and above those of the audit team members) have been covered.


How the checklist is structured 

The checklist (and supporting commentary) is divided into three sections, hence this

appendix is called ‘preparation, preparation, preparation’:

• set-up stage

• conducting the audit

• after the audit.

Set-up stage

1. Confirm with internal audit manager the requirement for an audit.

As a lead auditor, it is essential that the requirement to participate in an audit is

confirmed (in writing if possible). You’ll need the audit duration and intensity

(i.e. number of auditors). If you are providing this service as a contractor, this

confirmation constitutes your work order. Another important request at this time

is for the draft of terms of reference (ToR).

2. Confirm the audit dates and duration.

Confirm the dates/duration for the audit with the nominated individual at

the location(s)/process(es) to be audited. If no specific individual is nominated,

the site manager (or similar) is likely to be the auditee. We recommend that

confirmation of this information is sent to the auditee in writing. Mention the

orientation visit if this is required (see 9 below).

3. Identify/select the other audit team members.

The lead auditor should write to each nominated member of the audit team, welcoming

them to the team, briefly describing their involvement, and confirming

the dates and duration of the audit.

4. Develop and send pre-audit requests (for information and documents needed in

advance of audit).

Approximately three months in advance of the audit (or as time allows), request

in advance the desired information from the location. This gives time for follow-up

at –2 months and –1 month if the required items are not received. We have

included an example text, showing what may be useful to request in advance in

Appendix 3.

5. Receipt of pre-audit documentation.

When pre-audit documentation arrives, be sure to read it. Check it against the

list of information requested, and as necessary, follow up on essential items not

received.

6. ‘One month out checks’

These constitute the ‘final arrangements’. Check (for self and audit team):

• passports and necessary entry/exit visas (a six-month validity beyond the

planned return date is a good standard)


• ticketing/travelling arrangements

• immunizations, etc. – some territories require evidence of inoculations at

border control (e.g. yellow fever)

• business travel insurance

• accommodation for the duration of stay – the auditee can often recommend

suitable, convenient locations and may also have preferential rates agreed

upon

• a supply of local currency and an ATM-enabled credit card

• availability of translators (where needed)

• immunizations/anti-malarial tablets

• initial meeting point logistics for auditors

• PPE (e.g. safety shoes, flameproof overalls, etc.).

7. Send draft ToR (3 ‘A’s, reference framework, scope).

Send the draft ToR to the auditee approximately one month before the audit

is due to commence. This is an ideal way of confirming the final details to the

location.

8. Sift and send pre-audit materials to audit team members.

There is no need to send everything. Choose wisely and send copies of the

information that is most likely to be helpful to the auditors as they start to prepare

for this assignment. One month beforehand is an ideal time.

9. Arrange pre-audit orientation visit to site.

Within the month before the audit (as discussed in Chapter 5), it is useful for 

the lead auditor to make a short orientation visit to the location.

Conducting the audit

Lead auditors have the principal responsibility for ‘delivering the overall audit service’

with a fact-based written audit report.

The lead auditor is also responsible:

• as the principal contact between the auditee and the auditors

• for convening and chairing all meetings of the audit team

• for being the principal presenter at entry and exit meetings/presentations

• for arranging and conducting ‘no surprises’ meetings with the auditee

• for scheduling meetings with auditee’s staff, and coordinating overall timekeeping

• for motivating the audit team – coaching/coordinating/maintaining team discipline


• to check/proofread all documentation (e.g. working papers) produced by the

team

• for security of data and materials

• to ‘decide’ where the team cannot (sometimes this can be as the ‘casting vote’ – the lead auditor is responsible for the overall audit opinion)

• to coordinate production of the draft report

• for QA (quality assurance).

After the audit

The lead auditor takes the following responsibilities following the conclusion of the

on-site work, and after the audit team has dispersed:

• finalize (having received and taken account of any auditee comments) and

submit the final audit report with recommendations to auditee, and others as

agreed/required

• gather, index and securely archive/securely destroy (depending upon contractual

arrangements and/or professional indemnity insurance requirements) audit

working papers and other documents

• send letters of thanks (as appropriate) to the auditee and each member of the audit team

• arrange for charging or invoicing (as required) for the fees and expenses incurred.

An excellent lead auditor should also:

• regularly back up all computer and mobile phone data at a secure, out-of-office

location

• undertake CPD (continuing professional development), and maintain a CPD

logbook of developmental training and experience of auditing

• provide one-to-one coaching/support/training to their staff 

• be aware of the need for the provision of professional indemnity insurance (we

recommend that this be discussed with a licensed insurance broker)

• be a member of a recognized auditing organization such as the International

Register of Certificated Auditors (IRCA) or on an auditor register, such as

that maintained by the Institute of Environmental Management and Assessment

(IEMA). This latter register was formerly known as the EARA register.


Appendix 2 – A-Factors

In this appendix, for ease of reference and revision, we have gathered together the

seventy (70) ‘A-Factors’ presented throughout the chapters in the text.

A-Factors (Asbury, Ashwell or Auditing Factors) represent the authors’ consolidation

of the essential knowledge and skills for undertaking risk-based audits.

Chapter 1

A-Factor 1: Organizations are concerned with transforming inputs to outputs. Inputs create 

outputs, and outputs create inputs.

A-Factor 2: Organizations are inseparably intertwined with their external environment. Their 

managers should take account of this to achieve their organizations’ objectives.

A-Factor 3: The structure of an organization is a means to an end, not an end in itself.

A-Factor 4: Recognize that ultimately market forces tell organizations – if they are listening 

carefully – what to produce (quality), when to produce it (delivery on time) and the price to

charge (price). Set out, these objectives should be represented in the business plan.

A-Factor 5: Top management should balance the influences of the competing external and 

internal environments to face its target market(s) with aligned and well-communicated business objectives.

A-Factor 6: Risk is anything which may hinder or assist achievement of business objectives. It 

is generally quantified in terms of its residual likelihood and severity. Value creation and value 

 protection are the essence of an organization’s success.

A-Factor 7: R = L × S: Risk = Likelihood × Severity.

A-Factor 8: Look for the application of ERIC whenever and wherever there is a significant 

risk.

A-Factor 9: Know that ultimately an audit is an independent and balanced assurance to

stakeholders regarding an organization’s ability to meet its business objectives, in increasingly 

volatile business environments.


Chapter 2

A-Factor 10: Keep things simple – remember PDCA.

A-Factor 11: To carry out successful management system audits effectively, an auditor needs

a relevant internal control reference framework against which the auditee’s performance can be

assessed.

A-Factor 12: Only by using a ‘structured management approach’ can an auditee turn their 

high-cost Controls into profit-enhancing Control.

A-Factor 13: Whatever the auditee’s reference framework is, an auditor needs to have their 

own standard ‘structured management approach’ which they can use to simplify the complexity 

of an auditee’s framework, or to have something to hand if there is a vacuum.

A-Factor 14: Do not permit the terminology and detail used to describe any business control 

  framework to deflect you from the structured simplicity of Plan–Do–Check–Act.

Chapter 3

A-Factor 15: An audit should provide a reflection, as if in a mirror, of the auditee’s business

control framework.

A-Factor 16: A prime reason for audit is organizational improvement, as well as providing 

assurance.

A-Factor 17: A rolling, balanced audit plan is a foundational and essential component in

 preparation for providing internal and external assurance to stakeholders.

A-Factor 18: The audit committee is responsible for keeping the audit plan under regular 

review.

A-Factor 19: The audit objectives can be referred to as ‘the 3 As’ as an aide-memoire –

 Assure, Alert, Advise.

A-Factor 20: The Terms of Reference are the contract for the audit – the agreement between

the organization and its auditors of ‘what’ will be delivered by the end of the audit. No audit

should commence without agreed ToR.

A-Factor 21: For Level 2 audits, the team should comprise a minimum of two members (i.e.

a lead auditor, plus one other auditor), with access to support for peer review.


A-Factor 22: Recognize the importance to the overall audit opinion of an objective view from

an independent audit team.

A-Factor 23: First impressions count. Get the highest level of professional qualifications that 

you can, pursue CPD, and use your (applicable) designatory letters on business cards, reports

and other stationery.

Chapter 4

A-Factor 24: The Audit Process Roller Coaster © comprises two simple dynamics –  top down

and bottom up.

A-Factor 25: The main deliverable of The Audit Process Roller Coaster © is an audit report 

that triggers improvement.

A-Factor 26: A lead auditor can decide, if it is a relatively inexperienced audit team working 

in an area of the business which they do not know well, that the set-up time can be increased 

above 20 per cent and the time available for the audit fieldwork decreased by the extra time 

used for set-up. At least 20 per cent must be retained for the reporting stage.

A-Factor 27: Regular monitoring by the lead auditor of progress against the audit work plan

and of findings which are arising, should ensure that the audit is completed on time, using those 

resources available to provide a level of assurance concerning the control framework within the auditee’s area of responsibility.

A-Factor 28: Whilst there is a logical sequence of activities within the review and verify stages,

the main tasks will be performed more than once. This is especially true during interviewing,

when there will be a number of iterations and the enquiries undertaken move inexorably down

into finer granularity of detail, across various lines of enquiry, and possibly across a number of   

different control frameworks.

Chapter 5

A-Factor 29: Lead auditors must have a clear view of their process, and know how to react at 

each stage.

A-Factor 30: If the audit is not carried out as scheduled, or if either the audit reference 

  framework/audit scope are significantly changed, the corporate audit plan should be amended.

A-Factor 31: The audit’s ToR is generally not negotiable. It has been approved by the audit 

committee as one of their ‘jigsaw pieces’ and the scope areas need to be covered completely.

A-Factor 32: As a lead auditor, it is important to encourage your team to be speculative.

Think ahead about the business environment in the audit setting, and about how your auditee 

will be managing their part of the business in the light of future challenges.


A-Factor 33: The key to a successful audit set-up is to have a well-prepared audit team.

A-Factor 34: You get one chance to make a first impression – take it! 

A-Factor 35: The work plan is, and should remain, a dynamic tool which is continuously referred to by the lead auditor. It should be adapted to take account of discoveries made by the 

audit team in the review process.

A-Factor 36: Time constraints and the need for audit efficiency means that the auditor should 

not set out planning to ask questions about every control element of the reference framework.

They need to decide which of the control elements are critical as a basis for good risk management 

of the business activity being audited.

A-Factor 37: Each audit will have a master audit file, containing all the audit records. This

will be retained after the audit for an agreed period.

A-Factor 38: Before the time available for the set-up stage runs out, each auditor should have 

a series of individual agendas for their first interviews ready, together with lists of appropriate 

questions which will enable them to start the next stage of the audit.

Chapter 6

A-Factor 39: Understand that we base our overall audit opinion on the efficient and structured 

control of the risks in our work plan, which was selected because of the potential risks to the 

achievement of the organization’s objectives.

A-Factor 40: Manage an audit as any other project, with careful time planning, including an

allocation for contingency.

A-Factor 41: This preparation of the expected control framework is done (probably) before the 

site work commences, but is essential for focusing the auditor’s questions during the review and the testing in the later verification stage.

A-Factor 42: I Will Audit (Independent, Well-balanced, Appropriate) given the needs of the 

auditee’s organization.

A-Factor 43: To check for controls in place = to verify implementation and effectiveness

of management’s expected control. For expected controls not considered appropriate or necessary 

by management = verify acceptability of residual exposure.

A-Factor 44: The best recommendations an auditor ever makes are those that have been agreed upon with the auditee. The best chance of gaining agreement arises from bringing the auditee 

on their side at the earliest possible opportunity.

A-Factor 45: Learn by listening closely! There is more to hear than ‘yes’ or ‘no’! 


A-Factor 46: Whatever you decide as the sampling strategy, record the sample size, how it was

derived and the results of the sample (i.e. what the sample told you) in box 4 of the AFWP.

Chapter 7

A-Factor 47: Acceleration ‘top down’ provides sufficient momentum for the journey ‘bottom

up’ the roller coaster.

A-Factor 48: A significant finding is one to which the answer to the “so what?” question is

assessed in terms of a significant impact which the control weakness is very likely to have on the 

auditee’s ability to meet their immediate business objectives or more significantly the ability of   

the organization to meet its corporate objectives.

A-Factor 49: All areas of strength found in the BCF must be recorded as fully as examples

of weakness, so there is accurate weighting of each.

A-Factor 50: The audit team has to be able to see the balance of the emerging facts if it is to

apply its mind to what those facts mean. Large wall charts are a fantastic idea, because they 

lend visibility.

A-Factor 51: Overall audit opinions should have an even number of gradations. The overall 

audit opinion should reflect the overall level of concern resulting from the audit work.

A-Factor 52: The lead auditor is ultimately responsible for the conduct of the audit, and the 

overall audit opinion.

A-Factor 53: The audit opinion is not negotiable once the audit team has arrived at its

decision.

A-Factor 54: Have clear objectives, strategies and tactics for you and your team during the 

 presentation. Your objective is to help management arrive at the right decision regarding their 

reaction to your audit’s findings. Whether this opinion is a ‘good’ or ‘unacceptable’ (or anywhere in between), initiation of some response is likely to be necessary, whether this is consolidation

of existing strengths, or a survival strategy and keeping the board out of jail respectively. The 

strategy should be to focus management’s attention onto a few key messages, and the tactics will 

be to support these messages with factual evidence to the extent demanded by any person in the 

room.

A-Factor 55: Know who will be attending the meeting, and so far as possible, ensure that the 

attendees are the appropriate audience with sufficient time available for the full duration. You

(or the auditee) send to each attendee an agenda, and a short description of how the audit team

wish to conduct the presentation. Requests from management for pre-meetings or discussions as

a result of this should be met.

A-Factor 56: Remember the audit is not over. The best outcome of the presentation will be 

  full support for the findings, and commitment to making the appropriate response. However,


if, for whatever reason, management is not able to accept either the findings or commit, then

maintain a dialogue with the audited organization to give management the opportunity

to express why agreement and commitment is not possible. Your aim is still to optimize the 

effect of all the hard work done by the audit team.

A-Factor 57: If despite following this guidance, and ideally having broad support from the 

auditee, you do not feel that further discussion will result in management’s agreement and 

commitment, your only course of action is to refer the matter to the internal audit manager (with

a view to their reporting this outcome to the Chair of the internal audit committee).

Chapter 8

A-Factor 58: Time spent on reconnaissance is seldom wasted.

A-Factor 59: Don’t drop your guard until the assignment is complete. It is essential to rehearse 

the nature of objections, and to try to see things from the other person’s perspective. Anticipate 

and have in mind answers to the types of questions auditees and others are likely to pose.

Chapter 9

A-Factor 60: The written report is an essential document, which compels business improvement if you get it right.

A-Factor 61: Discuss ‘disclaimer statements’ with competent legal advisers in your jurisdiction.

A-Factor 62: Senior management should recognise that the executive summary describes their 

business as they see it. It must demonstrate that the audit team have approached the audit 

in terms of assuring management that they have a successfully managed business and not just 

assessing how their HSEQ management system measures up against the specified reference 

  framework.

A-Factor 63: Whether auditors like it or not, managers will be judged by the results of   

audits. The body of those standing in judgement includes the board of directors, remuneration

committees, external regulators, the legal system, and other stakeholders.

A-Factor 64: A well written paragraph delivering a ‘poor’ or ‘unacceptable’ audit opinion,

will have the effect that ‘the reader may not like it, but the logic and the facts cannot be 

denied’.

A-Factor 65: Detailed reporting of each audit finding should examine the extent to which the audited organization has delivered on the definition of business control.

A-Factor 66: Regularly maintain an off-site back-up of all computer files to prevent irretrievable 

loss.


Chapter 10

A-Factor 67: The lead auditor’s first action to promote effective teamworking is to have an

early discussion with each team member.

A-Factor 68: The only place for the audit team to disagree is in the team room. Outside the 

team room, they must be united. There must be no minority opinions in audit reports.

A-Factor 69: It is a real bonus if the lead auditor has access to a competent colleague with the 

time to carry out a peer review to confirm their draft audit opinion.

A-Factor 70: The auditee can become the most important team member! 


Appendix 3 – Suggested List of Pre-audit Documents

Preamble

This useful text and checklist provides some basic ideas for the initial list of documents

and information to be requested from the auditee.

Some lead auditors have ‘fill in the blanks’-type questionnaires, which are sent to a location in advance of an audit for gathering information. Personally, we do not favour this approach, as the answers are often too closed to be of real assistance, but as we have said in Appendix 1, we would be pleased to hear from auditors who favour this alternative approach.

Suggested text

In advance of the xxx audit scheduled to commence on xx/xx/20xx, the audit team would like to receive hard/soft (state preference) copies of the following documents in English language (or state preference). To allow the necessary preparation, we request that they arrive no later than xx/xx/20xx. Please send these to ______________________________________ (address), marked for the attention of _____________ (name of lead auditor).

• Directions to site and an area map

• Site rules, pointing out any particular training, PPE or other mandatory access requirements

• Site plan showing perimeter, buildings and major processes

• Comprehensive organization chart

• Business plan and organization’s major objectives

• Operating licences and permits (e.g. fire, environmental, waste, fleet, etc.)

• List of applicable laws and regulations

• Table of contents – xxx manual (state subject – health & safety, quality, etc.)

• Minutes of most recent xxx management review meeting, or similar (state subject required)

• Training matrix (or similar)


Final words

In our experience, ‘less is often more’. Don’t ask for complete manuals, as a table of 

contents will usually suffice. We suggest keeping the list tight and short – that way,

you’ll be more likely to receive all the items requested. If the items do not show up

by the due date, send up to two reminders. Please don’t be disappointed if some or

all of your requested information does not show up – this is surprisingly common.

But do be ready to work a little harder in the set-up stage to fill in the gaps!


Glossary

ACM Asbestos-containing material

AFWP Audit finding working paper 

BCAM Business controls assessment matrix

BCF Business control framework

CFC Chlorofluorocarbon

CoCo Criteria of Control Board

COSO Committee of Sponsoring Organisations of the Treadway Commission

CSR Corporate social responsibility

ERIC Eliminate, Reduce, Isolate, Control

EU European Union

FDA Food and Drug Administration

G8 Group of 8

GATT General Agreement on Tariffs and Trade

GDP Gross domestic product

IMF International Monetary Fund

IPPC Integrated Pollution Prevention and Control

ISO International Standards Organisation

KPI Key performance indicator  

MSA Management self-assessment

OECD Organisation for Economic Co-operation and Development

PCAOB Public Company Accounting Oversight Board

PDCA Plan, Do, Check, Act

PEST Political, Economic, Social, Technical

PML Possible maximum loss

PPE Personal protective equipment

RPI Retail price index

SCBA Self-contained breathing apparatus

SMART Specific, Measurable, Achievable, Right, Timely

SWOT Strengths, Weaknesses, Opportunities, Threats

ToR Terms of reference

US/USA United States/United States of America

UK United Kingdom

WTO World Trade Organisation


Bibliography

The titles in this bibliography are informative references to assist readers to learn more about corporate environments, management and management systems, and tools and techniques relating to the subject matter of business and auditing.

Titles noted represent books and technical standards which we have found useful over the years of our work to help us to really understand the role and context of auditing. The list is not exclusive, and other titles not included may be equally useful to readers.

Books

Barton, T.L. et al. (2002). Making Enterprise Risk Management Pay Off. Financial Times/Prentice Hall.

Bendell, T., Boulter, L. and Kelly, J. (1993). Benchmarking for Competitive Advantage. Pitman Publishing.

Blanchard, K. and Johnson, S. (1983). The One Minute Manager. Fontana.

Borge, D. (2001). The Book of Risk. Wiley.

Brooks, I. and Weatherspoon, J. (1997). The Business Environment: Challenges and Changes. Prentice Hall.

Buchholz, R.A. (1998). Principles of Environmental Management – The Greening of Business. Prentice Hall.

Campbell, D.J. (1997). Organisations and the Business Environment. Butterworth-Heinemann.

Chisnall, P. (1989). Strategic Industrial Marketing. Prentice Hall.

Cormack, D. (1987). Team Spirit. MARC Europe.

Covey, S.R. (1989). The 7 Habits of Highly Effective People. Simon & Schuster.

Crainer, S. et al. (1996). Leaders on Leadership. The Institute of Management.

Curwin, J. and Slater, R. (1991). Quantitative Methods for Business Decisions. Chapman and Hall.

Dalton, A.J.P. (1998). Safety, Health and Environmental Hazards at the Workplace. Cassell.

Daniels, J.D. and Radebough, L.H. (1997). International Business: Environments and Operations. 8th edition, Addison-Wesley.

Davies, P. (1990). Your Total Image – How to Communicate Success. Piatkus.

Drucker, P. (1970). Drucker on Management. Management Publications Limited for British Institute of Management.

Eichenwald, K. (2005). Conspiracy of Fools: A True Story. Random House.


Finlay, P. (2000). Strategic Management – An Introduction to Business and Corporate Strategy. Prentice Hall.

Friedman, T.L. (2005). The World is Flat. Penguin Group.

Graham, A. (1990). Investigating Statistics. Hodder and Stoughton.

Goldratt, E.M. (1988). The Goal. Gower.

Goldratt, E.M. (1994). It’s Not Luck. Gower.

Greeno, J.L. et al. (1988). The Environmental, Health, and Safety Auditor’s Handbook. Arthur D. Little, Inc.

Handy, C. (1995). Waiting for the Mountain to Move. Arrow Books.

Handy, C. (1995). Beyond Certainty. Hutchinson.

Handy, C. (1997). The Hungry Spirit. Hutchinson.

Hart, M. (1993). Survey Design and Analysis Using Turbostats. Chapman and Hall.

Heller, R. (1998). In Search of European Excellence. HarperCollins.

Hendy, J. and Ford, M. (2004). Redgrave, Fife and Machin – Health and Safety. Butterworth.

Hill, T. (1991). Production/Operations Management. Prentice Hall.

Huczynski, A. and Buchanan, D. (1991). Organisational Behaviour. Prentice Hall.

Jay, A. (1967). Management and Machiavelli. Pelican.

Jenkins, M., Pasternak, K. and West, R. (2005). Performance at the Limit – Business Lessons from Formula 1 Motor Racing. Cambridge University Press.

Johnson, G. and Scholes, K. (1999). Exploring Corporate Strategy. Prentice Hall.

Kolk, A. (2000). Economics of Environmental Management. Prentice Hall.

Kolluru, R.V. (1994). Environmental Strategies Handbook – A Guide to Effective Policies and Practices. McGraw Hill.

Kolluru, R. et al. (1996). Risk Assessment and Management Handbook. McGraw Hill.

Lorriman, J. and Kenjo, T. (1994). Japan’s Winning Margins. Oxford University Press.

Magretta, J. (2002). What Management Is. HarperCollins.

Mintzberg, H., Ahlstrand, B. and Lampel, J. (1998). Strategy Safari. Prentice Hall.

Morgan, G. (1986). Images of Organisation. Sage.

Morris, H. and Willey, B. (1996). The Corporate Environment. Pitman.

Moser, C. and Kalton, G. (1971). Survey Methods in Social Investigation. Heinemann.

Moss-Kanter, R. (1989). When Giants Learn to Dance. Touchstone Simon and Schuster.

Neale, A. and Haslam, C. (1995). Economics in a Business Context. Chapman and Hall.

Pascale, R.T. and Athos, A.G. (1986). The Art of Japanese Management. Penguin.

Peters, T. (1988). Thriving on Chaos. Pan Books.

Peters, T. (1992). Liberation Management. Pan Books.

Peters, T. (1994). The Tom Peters Seminar. MacMillan.

Peters, T. (1994). The Pursuit of Wow! MacMillan.

Peters, T. (1997). The Circle of Innovation. Hodder and Stoughton.

Peters, T. and Waterman, R.H. (1982). In Search of Excellence. HarperCollins.

Porteous, A. (1996). Dictionary of Environmental Science and Technology. Wiley.

Pritchard, P. (2000). Environmental Risk Management. Earthscan.

Steiner, G.A. and Steiner, G.F. (1994). Business, Government and Society; A Managerial Perspective. 7th edition, McGraw Hill.

Welford, R. and Gouldson, A. (1993). Environmental Management & Business Strategy. Pitman Publishing.

Worthington, I. and Britton, C. (2000). The Business Environment. 3rd edition, Prentice Hall.


Technical standards

ANSI/AIHA Z10-2005 American National Standard for Occupational Health and Safety Management Systems. ISBN 1 931504 64 4.

BS 8800:1996 Guide to Health & Safety Management Systems. British Standards Institution.

EMAS – Eco-Management and Audit Scheme.

HACCP – Food Hygiene – Hazard and Critical Control Point.

ILO-OSH 2001 Guidelines on Occupational Safety and Health Management Systems. International Labour Organisation. ISBN 92 2 111634 4.

ISO 9001:2000 Quality Management Systems – Requirements. International Standards Organisation.

ISO 14001:2004 Environmental Management Systems – Requirements with Guidance for Use. International Standards Organisation.

ISO 17799 Code of Practice for Information Security Management. International Standards Organisation.

ISO/TS 16949 Quality Management System. International Automotive Task Force.

OHSAS 18001:1999 Occupational Health & Safety Management Systems – Specification. British Standards Institution.

PAS 99 Integrated Management System Standard. British Standards Institution.

QS-9000 Quality Management Systems for Suppliers to the Automotive Industry. General Motors, Chrysler and Ford.


Comments from course delegates

This was an outstanding course with clear objectives, good methodology, good time management and excellent facilitators. The good balance between tutorial and practice made the course highly effective. I am confident in my future role as an auditor.

Ismaila Mbaye

Health Adviser

Dakar, Senegal

An excellent course. Far more relevant with practical needs and requirements for auditing within my environment compared with [an] ISO Auditors course.

Captain Kevan McGregor

Team Leader Vessel Quality Assurance

Houston, TX, USA

The process used (viz. roller coaster) made us go deeper in checking at the test stage – that was great for understanding the methodology.

Alfredo Santos

HSE Adviser

Sao Paolo, Brazil

I have found the audit course extremely useful both in terms of content and presentation. In addition, my expectations of the course in terms of ‘audit team approach’ were fully met.

Daryoush Leicy

Head of Exploration & Production Onshore HSE

Kazakhstan

Excellent course. Covered my expectations and more. Very helpful and easy to understand even with a huge amount of information presented.

Daniel Rodriguez

Leader Engineer for Instrumentation & Electricity – Surface Operations Support

Venezuela


For the first time in my 30-year career in construction, I have understood the audit process and no longer regard it in the negative way that I once did.

Henryk Akielan

Offshore Construction Superintendent

Kazakhstan

More confident now to ‘balance’ audit reviews and testing, what to look for and when evidence is enough.

Arphee Caymo

HSE Adviser

Brunei

I rode the roller coaster! [Case study was] a masterpiece!! I am happy to recommend others to participate in this course for their work within [our] Technical & Operational Excellence Group.

David A. Harding

Technical Manager

Rijswijk, The Netherlands

Now I believe I can positively contribute to audit. Helped me to understand internal audit structure.

Emmanuel Monnif

HSSE Line Advisor

Cameroon

Although designed primarily for auditing, almost all aspects of management development are touched upon ... in a very exciting and comfortable/relaxed environment.

Okey Onuoha

Senior Operations Readiness Engineer

The Hague, The Netherlands

A very well structured and informative course. The approach and methodology to conduct a risk-based audit was very well put forward. The tedium of the sheer volume of documents and tutorials all came to good fruition.

Bijan Vakilzadeh

Senior Safety Engineer

Kazakhstan


From you I have learned a great deal of skills (interpersonal & from an auditing perspective) which will make my future auditing involvement so much more effective.

Andre Norton

Head of HSE Audit

Johannesburg, South Africa

I found what I wanted, a new approach. The training was very useful and good. I think I can be in an audit team in a real audit, and it will help me to apply the things that I learnt from this training. The roller coaster approach is very useful.

Ayhan Erden

Civil Superintendent

Offshore Civil Works

Kazakhstan

I came to the course with no auditing experience and a moderate understanding of the HSE MS. So I was looking to gaining that ‘high level’ knowledge. The theory, complemented by the syndicate exercise, really validated and drove home the principles I was hoping to get.

Cody Buyer

Wells HSE Supervisor Geophysical Operations

Houston, TX, USA

There is a lot of mystique around the auditing process. This course has lifted the veil and revealed it to be suitable for use in any management situation. It has given me a valuable reminder that I can use existing skills in a variety of ways and I have learned new skills to complement.

Mike Pincock

Production Technologist

Rijswijk, The Netherlands

This course is well known in the Well Engineering community. I will continue to send my staff on this course as I found the content very applicable for Well Engineers and the course itself is well designed and enjoyable.

Co Vleugel

Head of Well Engineering

Syria

I feel very confident now about participating in [an] HSE MS Audit.

Nico Meijboom

Chemicals Customer Service

Rotterdam, The Netherlands


Index

Accountability, 40, 54, 62, 105, 170, 174, 192
ACM see Asbestos containing material
Adelphia see Business, control failings
A-Factors, 168
AFWP see Audit finding working paper
Ahold see Business, control failings
ALARP see Risk
American Society for Quality, The (ASQ), 78, 80
ANSI/AIHA Z10–2005, 68
Areas of strength and weakness, 133
Asbestos containing material, 122
Assurance, 60
Assure, Alert, Advise (3 As) see Terms of Reference
  audit, 60, 61–2, 63, 64–7, 69–70
  business, 61
  reasonable, 42, 60, 125, 131, 186
Audit:
  appropriate, 70
  balance, 60, 62, 69–70
  compliance, 12, 52, 61, 64
  definition, 61
  file, 90, 110, 111
  findings, 117, 156–62, 191–3
    documenting, 83, 164
    grouping, 150, 156
    prioritizing, 112, 149, 150
    reducing the number of, 150
  HSEQ, 68, 112, 134
  independent, 150
  interview strategy, 90, 107
  interviewing, 88, 107, 108
    analysing facts, 155
    recording facts, 155, 160
  levels of, 63–8
    level 1, 65, 145
    level 2, 65–6, 68
    level 3, 65, 66, 67, 175
  management system, 38, 79
  opinion, 162–6, 189–190
    level of concern, 88, 163
  planning, 60–81
    frequency, 69, 70, 101
    intensity, 69
  process roller coaster see Audit Process Roller Coaster ©, The
  process stages:
    conclude, 102, 116, 141
    report, 88
    review, 116, 120, 123, 150
    set-up, 86, 89
    verify, 87, 118, 129
  report:
    actions, 191–2
    disclaimer see Disclaimer statements
    draft, 160, 195
    executive summary, 187–8
    finalizing, 86
    part 1, 164–5, 187
    part 2, 160, 191
    peer review, 203
    recommendations, 159, 183, 187
  results, 161, 164, 165
  site visit, 97–8
  sponsor, 164, 179
  team:
    cabinet rules, 202
    external team members, 202–3
    meetings with the team, 201
    membership of, 60, 94
    selection of, 72, 74
    working on your own, 197
  test plan:
    sampling, 119, 134
  testing see Verify
  thought process, 120, 159, 190
  time planning:
    contingency, 102–104
    logistics, 103


  work plan:
    work plan item, 107
Audit finding working paper:
  example of, 115
Audit Process Roller Coaster ©, The:
  bottom up, 83, 133
  top down, 84, 113
Auditee:
  challenge by, 159
  meetings with:
    close out, 99
    initial, 99
    no surprises, 164
    presentation to management, 165
    progress meetings, 102, 179
Auditor:
  continuing professional development, 23, 76
  independence, 74
  registration, 76
  role, 74
Aural Mining see Business, control failings
Barings Bank see Business, control failings
BEAC, 81
Beeton, Mrs. I., 143, 156
Bernstein, P. L., 26, 27
Bosman, Jean-Marc, 20
Bottom up see Audit Process Roller Coaster ©, The
BP Texas City see Business, control failings
British Credit and Commerce International (BCCI) see Business, control failings
BS 7799, 68
BS 8800, 68
Buncefield Oil Terminal see Business, control failings
Business:
  control failings, 147, 148, 191
    Adelphia, xix
    Ahold, xx
    Aural Mining, xx
    Barings Bank, xx
    BP Texas City, xx, 53
    British Credit and Commerce International (BCCI), xx
    Buncefield Oil Terminal, xx, 158
    Cable & Wireless, xx
    Enron, xix
    Global Crossing, xix
    HealthSouth, xix
    Longford Gas Plant, xx
    Parmalat, xx
    Piper Alpha, xvi, xx
    Resona Bank, xx
    Shell, x, 27
    Tyco, xix
    Worldcom-MCI, xix
  definition of, 3, 51
  ethics, 39, 54
  improvement, 79, 144, 182
Business control:
  model, 45
  organisation, 45
  policy, 53
  procedures, 55
  review and appraisal, 56–7
  structure, 53–4
  supervision, 55–6
Business control framework (BCF):
  actual, 146, 155
  expected, 84, 98
  weak element(s), 164
  weakness level, 149, 156
  well balanced, 125
Business controls assessment matrix (BCAM), 155–6
Business environment:
  economic, 15
  legal, 18
  political, 5, 10
  resources, 21
Business objectives:
  code of conduct, 47
  qualitative, 51
  quantitative, 46
Business process:
  analysis, 45
  control, 33, 45
  core, 33, 51
  service, 51
Cable & Wireless see Business, control failings
Cadbury Committee, 40
Chlorofluorocarbon (CFC), 19


Committee of Sponsoring Organisations of the Treadway Commission (COSO):
  Enterprise Risk Management – Integrated Framework, 41–2
  Integrated Framework of Internal Control, 39, 41
Competence:
  auditor, 39
Competitors, 6
Compliance, 12, 52, 57, 61, 64, 66, 99
Consequence, 24, 24, 31, 53, 63, 202
Continuing professional development see Auditor
Controls:
  business see Business control
  definition of, 3, 51
  containment, 26
  detection, 26
  framework see Business control framework (BCF)
  internal see Internal control
  mitigation, 26, 106
  preventative, 26
  restoration, 26
  reasonable assurance, 42, 60, 131
  self-assessment, 56
  structured means of, 42, 113, 117, 133
  weakness:
    remedial action, 56, 154, 159, 167
Corporate governance, 62
Corporate social responsibility, 57
Cost, 146
Criteria of Control Board (CoCo), 40
Critical success factors, 45, 52
CSR see Corporate social responsibility
Customers, 6
Deming, W.E.:
  14 points of management see Management
  system of profound knowledge see Management
  Wheel, 33, 37, 60, 67
Directors:
  executive, 60
  non-executive, 60
Disclaimer statements, 187–8
Eliminate, Reduce, Isolate, Control, 30
EMAS, 68
Employees, 6, 37, 48, 126
Enron see Business, control failings
Enterprise, 42
Environment:
  audits, 42, 80
  economic, 15–18
  external, the, 3–4, 10–15
  factors, 21
  internal, 7–10
  legal, 18
  political, 10–14
EQFM Excellence Model, 68
ERIC see Eliminate, Reduce, Isolate, Control
Ethics:
  accountability, 40
  honesty, 60
  integrity, 40
European Union (EU), 5, 13, 19
Expectation gap, 100
External audit see Statutory audit
ExxonMobil see Longford Gas Plant
Familiarisation:
  background information, 93–6
Fibonacci, 26–7
Findings see Audit
Food and Drug Administration (FDA), 175
Foreign Corrupt Practices Act, 39
Frequency, 24
General Agreement on Tariffs and Trade (GATT), 13
Global Crossing see Business, control failings
Government, 13–14
Greenbury Committee, 40
Group of 8 (G8), 13
HACCP, 68
Hampel Committee, 41
Hazard:
  al zahr, 27
Health see Health and safety


Health and safety:
  audits, 68
  Executive (HSE), 25
  policy, 113, 118
HealthSouth see Business, control failings
Hierarchy of risk control see Eliminate, Reduce, Isolate, Control
Honda, 34
HSE-MS, 92, 223
HSG65, 25
ILO-OSH 2001, 68
Impact, 18, 167
Improvement, 71, 182
Information:
  reading, 93, 96, 121
  sources, 177
Institute of Environmental Management and Assessment (IEMA), 78, 80
Institute of Internal Auditors (IIA), 76, 80, 81, 176
Insurance:
  Lloyd’s list, 28
Integrated Pollution Prevention and Control (IPPC), 32
Internal audit:
  committee, 61
  manager, 73
Internal control:
  action, 41–2
  aim, 42
  comparison, 56
  standard, 41
International Auditor and Training Certification Association, The (IATCA), 81
International Monetary Fund (IMF), 17
International Personnel Certification Association, The (IPC), 81
International Register of Certificated Auditors (IRCA), 76
International Standards Organisation (ISO), 81
Interview strategy see Audit
Interviewing see Audit
ISO 14001:2004, 8, 185
ISO 17799, 68
ISO 9001:2000, 194
ISO/TS 16949, 68
John Lewis Partnership, 48
Juran, J., 33
Kaizen, 71
Key Performance Indicator (KPI), 37, 56
KonTraG, 41
Law:
  civil, 19
  classification and sources, 18
  criminal, 19
  enforcer, 12
  implementer, 12
  international, 19
  maker, 12
  tort, 19
Lead auditor:
  role, 74
  supervisory review, 103
Legislation, 5, 19, 110, 194
Likelihood, 24–6
Lloyd’s list see Insurance
Longford Gas Plant see Business, control failings
Management:
  14 points of, 35
  good practice, 194
  lateral learning, 62
  system of profound knowledge, 35
  system thinking, 34
  tone at the top, 52
  truths, 35–8
Management self-assessment (MSA), 94
Meetings see Auditee
Merritt, C.W., 52
Mission, 24, 79, 81
Missouri, 122, 123
Objectives see Business objectives
OHSAS 18001:1999, 71, 113, 118
Opinion see Audit, opinion
Organisation:
  organisational theory, 7–8
  structure, 8–10
Organisation for Economic Co-operation and Development (OECD), 17, 18


Parmalat see  Business, control failings

Passport Office:

addresses of, . . . . . . . . . . . . . . . . . . . . . . . 104

PCAOB see  Public Company Accounting

Oversight Board (PCAOB)

PDCA see  Plan, Do, Check, Act

Performance measurement,.............46

Personal protective equipment

( P P E ) , . . . . . . . . . . . . . . . . . . . . . . . . . . 1 4 5

PEST see  Political, Economic, Social,

Technical

Peters Commission, . . . . . . . . . . . . . . . . . . . 40

Piper Alpha see  Business, control failings

Pisano, L. see  Fibonacci

Plan, Do, Check, Act,. . . . . . . . . . . . . . . 33–4Policy:

health and safety,..............113, 118

Political, Economic, Social, Technical, . 1–2

Possible maximum loss (PML), . . . . . . . . 116

Preparation see  Familiarisation

Probability, . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Public Company Accounting Oversight

Board (PCAOB), . . . . . . . . . . . . . . . 217

QS-9000, . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Quality:

a u d i t s , . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2 , 6 8

management system, . . . . . . . . . . . . . . 67–8

of staff, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Q u e s t i o n n a i r e s , . . . . . . . . . . . . . . . . . . . . . . 1 1 0

R A B Q S A , . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 9

Records:

f i l i n g , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 2 1

retention of records,. . . . . . . . . . . . . . . .110working papers, . . . . . . . . 110–11, 115–20

Reference framework, . . . . . . . . . . . 41–2, 71,

146–7

Relationships:

networking, . . . . . . . . . . . . . . . . . . . . . . . 173

Report see  Audit

Reputation, . . . . . . . . . . . . . . . . . . . . . . . 25, 28

Resona Bank see  Business, control failings

Resources:

capital, . . . . . . . . . . . . . . . . . . . . . . . . . . 3, 21

labour, . . . . . . . . . . . . . . . . . . . . . . . . . . 3, 21

land, . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3, 21

natural, . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Retail price index (RPI), . . . . . . . . . . . . . . 16

Review, . . . . . . . . . . 56–7, 88, 112, 115, 125

Risk:

ALARP, . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

appetite, . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

area, . . . . . . . . . . . . . . . . . . . . . . . . . 107, 110

assessment, . . . . . . . . . . . . . . . . . . . . . . 48–50

assessment matrix (RAM), . . . . . . . 31, 112

assessment software, . . . . . . . . . . . . . . . . . 32

awareness, . . . . . . . . . . . . . . . . . . . . . . . . . 121

balance, . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

dare, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

definition, . . . . . . . . . . . . . . . . . . . . . . . . . . 27

exposures, . . . . . . . . . . . . . . . . . . . . . . . . . . 25

gross, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

identification, . . . . . . . . . . . . . . . . . . . . . . . 91

management framework, . . . . . . . . . . . . . 42

matrix, . . . . . . . . . . . . . . . . . . . . . . . . 50, 112

net, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

opportunity, . . . . . . . . . . . . . . . . 45, 112–13

residual, . . . . . . . . . . . . . . . . . . . . . . . . . . 25–6

risicare , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

tolerance, . . . . . . . . . . . . . . . . . . . . . . . . . . 28

universe, . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Root cause, . . . . . . . . . . . . . . . . . . . . . . . 147–9

Rudd, Sir Nigel, . . . . . . . . . . . . . . . . . . . . . . 25

Safety see  Health and safety

Sample:

sampling, . . . . . . . . . . . . . . . . . . . . . . . . . . 133

size of, . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

techniques, . . . . . . . . . . . . . . . . . . . . . . 133–4

Sarbanes Oxley Act, . . . . . . . . . . . . . . . . . . . . xix

Self-contained breathing apparatus

(SCBA), . . . . . . . . . . . . . . . . . . . . . . . . 118

Set-up, . . . . . . . . . . . . . . . . . . . . . . . . . 86–7, 89

Severity, . . . . . . . . . . . . . . . . . . . . . . . 24, 25, 26

Shell see  Business, control failings

Show Me state see  Missouri

Site visit see  Audit

Six Sigma, . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

So what?, . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Social responsibility, . . . . . . . . . . . . . . . . . 57–9

Society, . . . . . . . . . . . . . 15, 19, 25, 28, 78, 80

Software see  Risk, assessment software

Specific, Measurable, Achievable, Right,

Timely (SMART), . . . . . . . . . . . . . . 193

Stakeholders, . . . . . . . . . . . . . . . . . . . . 32, 60–2

Standards:

global, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

guidelines, . . . . . . . . . . . . . . . . . . . . . . . . . . 53

international, . . . . . . . . . . . . . . . . . . . . . . . 39

legal, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

principles, . . . . . . . . . . . . . . . . . . . . . . 39, 53

Statutory audit:

expectation gap, . . . . . . . . . . . . . . . . . . . . 60

opinion, . . . . . . . . . . . . . . . . . . . . . . . . . . 164

true and fair view, . . . . . . . . . . . . . . . . . 124

Strengths Weaknesses Opportunities

Transparency, . . . . . . . . . . . . . . . . . 32, 40, 190

True and fair view see  Statutory audit

Trust, . . . . . . . . . . . . . . . . . . 19, 122, 170, 177

Turnbull Committee, . . . . . . . . . . . . . . . . . . 41

Tyco see  Business, control failings

United Kingdom (UK), . . . . . . . . . . . . . . . . 13

United States (US), . . . . . . . . . . . . . . . . . . . . 80
