Editor’s Note: This is part four of a six-part series on the Internal Audit Value Chain, which can act as a blueprint for building a successful internal audit function.
Quality is such an important aspect of achieving success in business that several companies include it in their company slogans. We all remember Ford’s motto, “Quality is job one,” or the window company that implores us to “Come home to quality; come home to Andersen.”
Some companies go a step further and emphasize quality by putting it right in the name of the company, such as Quality Inn, Quality Branded (the company that owns the steakhouse chain Smith and Wollensky), and Quality Technology Services. Here’s a fun fact: the “q” in the cotton swab brand Q-tip actually stands for quality.
But you don’t need to be an MBA to understand that quality is a critical aspect of any company that provides a product or service. Lack of consistency in providing quality products and services will result in consumers moving to competitors. This quote from Ronald Reagan, who was writing on the virtues of free-market capitalism, captures the ideal concept of how internal audit should view quality: “Consumers, by seeking quality and value, set the standards of acceptability for products and services by voting with their marketplace dollars.” Quality and compliance are critical for an organization to execute its mission and win over customers.
Since internal audit strives to audit what matters, then quality should be critical to internal audit as well. Indeed, keeping a close eye on quality—and its near cousin compliance—is an essential component of the Internal Audit Value Chain (IAVC).
The Internal Audit Value Chain
It’s been well established that internal audit must seek to add value if it is to prove its worth in the organization. In the first article in this series, “Many Internal Audit Failures Stem from Misalignment with the Company Strategy,” I defined the Internal Audit Value Chain (IAVC) and its key components. The IAVC includes “enterprise-wide initiatives impacting functional areas across every organization, involving a combination of people, processes, technology, and ‘tone at the top’ to drive the accomplishment of goals and improve profitability.” Internal audit’s role in the value chain requires understanding the organization’s: (1) strategic direction, (2) risk management and monitoring, (3) operational efficiencies, (4) quality and compliance, (5) financial reporting, and (6) responsiveness to customer and regulatory needs to create value.
This part four installment addresses, as you have now guessed, quality and compliance as a critical means for internal audit to create value by helping business units, management, and other stakeholders sustain or achieve improvements in these vital areas. It does this by evaluating the effectiveness of quality programs and frameworks, identifying root causes of quality and compliance problems, ensuring monitoring systems and controls are functioning correctly, and other work outlined below.
“Quality is Everyone’s Responsibility”
As W. Edwards Deming once famously noted, “Quality is everyone’s responsibility.” That means it must be an important focus from the rank and file up to the CEO, and certainly for internal audit. More specifically, responsibility for quality and compliance throughout an organization (a) begins with front-line business managers, (b) should be supported by risk and controls management and compliance managers, and (c) should be assured by functions with greater independence, such as internal audit reporting to the audit committee or other governing body. Internal audit has some unique responsibilities when it comes to quality and compliance. Internal audit must communicate and enforce a consistent view of quality and compliance to all stakeholders while incorporating considerations unique to each business unit.
At many organizations, internal audit is viewed as the major enforcer of quality and compliance. If internal audit is a key enforcer, then we need to begin with the following questions:
- Does the internal audit function have a consistent view of quality and compliance as it interacts with others in the organization?
- Is this view on quality and compliance in line with those of business managers, executive leadership, and other stakeholders?
- If not, why not, and what can be done to align the internal audit and stakeholders’ perspectives on quality and compliance?
For this article, quality is defined as: “The measures of how effectively the underlying operations execute processes and governance to provide products or services in line with customers’ expectations and in compliance with internal standards and regulatory requirements.”
The Compliance Connection
Quality and compliance are two sides of the same coin. An organization cannot provide quality products or services without consistently adhering to its own internal compliance requirements. Compliance is the set of standards used by each business line, function, or the organization as a whole to provide a gauge on quality such as acceptable failure rates, on-time delivery rates, or acceptable variation or defect levels.
An Institute of Internal Auditors (IIA) Australia chapter whitepaper by Bruce Turner, “Auditing your entity’s Compliance Framework,” defined compliance “as an entity’s framework designed to ensure that it achieves compliance with both externally and internally imposed requirements, and includes governance structures, programs, processes, systems, controls, and procedures.” The emphasis of this article is on internal and not external or regulatory compliance, meaning the oversight of compliance with internally set standards, particularly as they relate to achieving set measures of quality, but both types of compliance are important and can impact quality.
Internal audit performs an important role in helping management identify and manage aspects of quality and compliance across all line-of-business (LOB) functions regardless of their unique respective operations—without losing focus of the enterprise-wide quality and compliance initiatives critical to the organization’s mission and customers. Internal audit must emphasize that quality is everyone’s responsibility and develop processes to review effectiveness among the LOB functions and how they align with enterprise-wide goals.
In the article, “Optimizing Internal Audit” from the IIA’s Internal Auditor publication, I argued that internal auditors should include a review of policies and procedures to validate that important enterprise-wide quality and compliance issues are addressed continuously and adequately and that existing internal controls are operating efficiently in ongoing internal audits and assessments. For certain industries—such as food processing, medical devices, and many others—the nature of products manufactured and distributed or services provided may require extra scrutiny related to quality and compliance procedures. Other industries, financial services for example, may require added internal control and compliance requirements. Internal factors such as policies, procedures, product specifications, service level agreements, as well as external factors, such as regulatory standards, impact the level of effort needed to address compliance.
Eight Steps to Drive Quality and Compliance
There are eight primary steps internal audit teams can apply throughout an organization in collaboration with other stakeholders to create and sustain value by improving quality and compliance. They include:
1) Evaluate quality and compliance effectiveness efforts using a framework: The emphasis here is on the specific framework used by an internal audit function to validate that business lines are meeting their respective quality and compliance expectations efficiently and effectively.
What tools and methods are used by internal audit to evaluate the effectiveness of each LOB operation’s underlying quality and compliance processes, people, systems and tools, and governance structure to manufacture products or provide services? What standards are used to evaluate how each LOB operation adheres to internal quality expectations?
It is important to ensure that any framework adopted—whether it is Lean, Six Sigma, Total Quality Management (TQM), or others—addresses issues unique to each LOB operation and how each function contributes to the enterprise-wide quality and compliance success. Addressing LOB quality and compliance efforts in silos without alignment to enterprise-wide objectives is not an efficient approach.
2) Identify root causes of quality and compliance problems: What skills does internal audit develop to not only understand the operational aspects of each LOB function but also to understand and challenge quality and internal compliance issues specific to that operation?
A generic internal audit approach to quality and compliance reviews without hands-on experience and expertise to apply issues unique to that operation will frustrate business unit managers. Such an approach will often leave internal audit unable to identify and communicate the root causes of issues from Step #1. Instead, internal audit will spend more time addressing symptoms.
3) Provide cost-efficient recommendations to address quality and compliance problems quickly: Internal audit must demonstrate a level of expertise needed to gain trust, challenge the status quo, and provide practical, cost-effective recommendations that can be implemented by each LOB function to address quality and compliance issues in a timely manner. Obviously, quality doesn’t exist in a vacuum and quality improvement decisions must be made with regard to pre-determined price points, time-to-market targets, and other factors that achieve enterprise-wide objectives. This is important for internal audit to gain trust from LOB managers and other stakeholders.
Technology, of course, also plays a big role in the assessment and achievement of quality and compliance, and internal audit must keep up on the systems and software that can influence quality. As organizations move towards improving efficiencies through technology and automation, the quality and compliance requirements become increasingly important. Configuration and programming errors, or the lack of adopting a new technology, can present significant risks and potential financial loss. Internal audit can and should play a role in the assessment and implementation of new technology that can impact quality and compliance.
4) Collaborate with LOB to remediate findings and implement recommendations: Once trust is earned, and stakeholders see value in the work performed to improve enterprise-wide quality and compliance initiatives, collaboration to remediate findings and implement sustainable recommendations is the logical next step.
Internal audit must collaborate with LOB leaders without compromising independence. The significant cost incurred by the Wells Fargo fiasco serves as a good example to challenge the status quo on internal audit independence expectations and increase the level of support to address potentially significant quality and compliance violations quickly. To increase sales by cross-selling products and services, Wells Fargo failed to identify quality and internal compliance issues as employees opened accounts without customer permission, resulting in negative publicity that began in 2016 and will require several years for the bank to resolve.
What guidance can internal audit provide to remediate findings and implement recommendations on potentially significant quality and compliance violations and minimize the significant costs from regulatory fines and reputational damage? Is maintaining the status quo more important than pushing the limits of internal audit independence expectations and taking preventive steps to minimize the risk of exposing the organization to significant cost and reputational damage?
Efforts from internal audit to support remediation of findings should also include education and training to LOB managers, stakeholders, and executives on standards, laws, and regulations. Training should be tracked, attested to, documented, and refreshed periodically.
5) Develop quality and compliance Key Performance Indicators (KPIs) and metrics: The next step in improving quality and compliance effectiveness is to measure and track performance. While the quote, “If you can’t measure it, you can’t manage it,” is often wrongly attributed to quality guru Deming—many claim it was actually management sage Peter Drucker—Deming was a strong advocate for the use of quality metrics whenever possible.
Internal audit can collaborate with each LOB’s points of contact (POCs) to identify quality and compliance issues unique to each operation and create KPIs and metrics that align each LOB function to the enterprise-wide objectives to avoid performing tasks in silos.
6) Provide continuous quality and compliance monitoring and auditing: Regulators became aware of the quality and compliance violations at Wells Fargo in 2016. We do not know if Wells Fargo had a framework used by their internal audit function to validate that business lines were meeting their respective quality and compliance expectations efficiently and effectively. If there was a framework in place, did the Wells Fargo internal audit department perform continuous quality and compliance monitoring and auditing?
The quality and compliance requirements for many organizations are not static. The dynamic nature of quality and compliance operations means a static once-a-year internal audit review of key LOB effectiveness will not achieve intended effects. Performing continuous quality and compliance monitoring and auditing could identify issues missed during previous reviews and provide the organization enough time to implement corrective actions, and, if needed, self-report to minimize impact of any potential regulatory fines and reputational damage.
7) Re-evaluate the quality and compliance assessment framework: Given the dynamic nature of the quality and compliance operations, any framework used from step #1 must be evaluated and adjusted as needed. If the likelihood of significant quality and compliance violations remains low, and there are no major changes to the enterprise-wide strategic objectives, quality expectations, and internal and external compliance requirements, then there is no need to make major changes to the framework.
A good reason to make changes to the internal audit framework is if existing quality and compliance violations are not remediated quickly, or new significant issues are not identified. We could anticipate Wells Fargo made significant changes on how their internal audit function performed quality and compliance effectiveness reviews after the negative publicity that began in 2016. Such changes were significantly late as the bank suffered substantial losses from regulatory fines and reputational damage.
8) Validate existence of an appropriate quality and compliance tone: What lessons can internal audit learn from the recent example of Wells Fargo’s quality and compliance violations resulting from bank employees opening unauthorized customer accounts and charging excessive fees to increase sales through cross-selling?
- When did management first realize such quality and compliance violations occurred?
- When did internal audit first identify quality and compliance violations?
- What did the LOB Managers and Wells Fargo internal audit do to address the violations?
- When did Wells Fargo senior executives and appropriate board committees first become aware of such violations?
- Why was nothing done to resolve the issues immediately?
Internal audit must perform reviews to validate existence of an appropriate quality and compliance tone and reporting structure to executives and board committees. Are quality and compliance baked into the culture of the organization? Without this, any organization remains vulnerable to quality lapses and even excessive regulatory fines and reputational damage.
Developing a Quality Habit
As the whitepaper Auditing Your Entity’s Compliance Framework concluded, compliance remains a primary concern for the boards, executives, and senior management of most entities with reputation risk pushed to new levels because of the complexity and pace of legislative and regulatory change, coupled with an increase in regulatory scrutiny and enforcement. According to this whitepaper, a compliance framework is an important element in the governance of entities for:
- Preventing, identifying, and responding to breaches of laws, regulations, codes, or standards;
- Demonstrating a solid compliance regime to regulators;
- Promoting a culture of compliance; and
- Assisting the entity to be a good corporate citizen.
While these eight steps are not the totality of internal audit’s role in helping the organization improve its quality and compliance initiatives efficiently and effectively, they provide a solid roadmap for internal audit to collaborate with management—without compromising its independence—and create value for the organization along the way. The reality of coping with the “new normal” of doing more with less means internal audit must do more to address the fundamental aspects critical to the long-term survival of the organization and to keep customers happy, and quality is chief among them.
To do this, the organization must provide consumers with the quality and value they seek, including the standards acceptable for products and services so that they can continue voting in the organization’s favor with their marketplace dollars. Executives and managers should empower business unit leaders and internal audit teams to continuously challenge the status quo starting with mission-critical activities to drive and sustain quality and compliance expectations.
As the philosopher Aristotle once said (or something like it): “quality is not an act, it is a habit.”
Jonathan Ngah, CISA, CIA, CFE, CGFM, is a principal at Synergy Integration Advisors, a consulting firm providing audit and governance, risk, and compliance (GRC) solutions to federal government agencies, private-sector businesses, and not-for-profit organizations.