Relearning the value of
internal auditing
describes how Lloyd’s Register re-engineered its approach to internal audits and rediscovered their value
Two years ago, at Lloyd’s Register we realized that our internal audit system was becoming increasingly stale. Our business is changing radically, but we have been doing audits in much the same way ever since we gained ISO 9001 certification in the early 1990s. It was time for a re-think.
The way we were
Much of our business within the Lloyd’s Register Group is based on surveying, inspecting and auditing, but we ourselves exist in a regulated environment: we know the meaning of death by audit! Our internal audit system was helping us to maintain compliance with those external regulations, but it was not helping us to achieve the step-change in efficiency and effectiveness that we desired.
Compliance is important, but we wanted more than that. We wanted to:
- to give our management an insight on the performance of the organization
- to deliver ideas for business improvement
- to identify and reward best practice
First, we had to ask whether we were just being hard on ourselves. We needed to find out if other parts of the business shared our perception. We ran a global survey of those involved in internal audits over the previous year, both auditors and auditees. Fortunately, we have a very open and honest culture – we knew that we could rely on our colleagues to be candid.
The results of the survey were clear. While it was not all bad news there was tremendous support for change. The main area of dissatisfaction was that the audits were only scratching the surface. Our audit scope had grown over the years, and we were covering everything, but not to sufficient depth.
The question was how to convince management that we needed to change. Right on cue, an external assessor identified an important issue that our internal audit had missed, raising questions about the effectiveness of our process. We had the reason to change and change now.
The project
The first thing we did was to put our internal audit schedule on hold. Our project charter clarified the need for change and our vision for success. We then used a number of change management tools to anticipate, understand and overcome resistance – stakeholder mapping, building relationships, workshopping of solutions, process modelling and, above all, communication.
What we changed:
Before: |
After: |
Too many audits, not enough depth |
Focus on depth and effectiveness. Quality not quantity |
Audits not aligned to the business |
Planning audits based on evaluation of risk and performance |
Audit scope too wide |
Each audit has a themed approach |
Routine, calendar-based audit schedule |
No fixed intervals – frequency depends on strategic importance and performance |
Too many people trained to perform internal audits |
We selected the best auditors and reduced the overall resource by 80% |
Not enough expertise or experience amongst the auditor base |
Re-train the auditors with a focus on systems auditing and auditing for improvement |
Checklist overload – the perception of a tick-box approach |
Trained, experienced auditors less reliant on checklists |
Reports focus on compliance and local corrective action |
Reports focus on the positives. Root cause analysis identifies opportunities for improvement at the system level |
Where we are now
The reaction to our new process has been overwhelmingly positive. The lack of checklists makes the relationship between auditor and auditee much more open, with auditors spending a lot of time actually listening to people. Feedback has been good even when we have presented serious findings. Our ratio of improvement findings to non-compliance is running at an average of 2.5:1.
Our audits are now joined up with the business: the findings are subject to regular review by top management, we have established links between the findings and the group strategy, the dashboards, the risk register and our business improvement hopper.
This work is now paying off as we work on our integrated management system, which for us has two meanings: integration of the various management system elements (quality, health and safety and environment) in the PAS 99 sense, but also integration of the management system into the business.
We used to focus on getting the internal audits done and we didn’t understand why we failed to attract much interest in our findings. Our new process has a high profile, and the findings are being used as a management tool. Sometimes you need to change your own behaviour in order to get others to change theirs.
About the author
Robert Stables is management system manager in group business assurance at Lloyd’s Register. www.lr.org
 |
 Have an issue to raise? A question to ask? Give us your opinions now in the Online Forums. |
