Auditing behaviours need

to change

Ian Rosam argues that auditors must stop evaluating the past and start assessing the future to make sure audits stay relevant



The financial meltdown has affected everyone. It could be argued that it was caused in part by a breakdown in confidence that management systems and processes would perform as they should. These systems were audited internally and by third parties, with reports reviewed by senior management, so what went wrong with the auditing? And more importantly how can we stop the same thing happening to us?

Looking to the past

Managers need to know what is likely to happen so they can have a level of confidence in the future performance of their systems and processes. Instead they are generally provided with pictures of what has already happened. Is the auditing industry is too focused on analysing the past and failures? The problem with looking at the past is that we can’t change it – no one can do anything about that has already happened.

But we must look at activities that have already happened or there would be no objective evidence to audit – right? But objective evidence can come from other sources as well. The problem with traditional audit results, key performance indicators, business results and surveys is that they are all lag indicators of risk. In other words they are derived from events that have already taken place. We do not need to throw these away, but we need to consider introducing lead indicators – measures that give confidence in what is likely to happen.

Auditing behaviours

So how can we do this? Traditionally auditors, both internal and third party, look at the outputs or results of activities, processes or systems. However, not all outputs are tangible, such as culture and leadership. So to get a better picture of what is really happening, we could audit these actions.

Auditors cannot be there every time something happens, so we need to enlist the support of more eyes on the ground. I am not suggesting we need more auditors, in fact rather the opposite. We need a different method of auditing to collect evidence about people’s behaviour. Seeing what they actually do not what they say they do or write down.

Behaviours are the lead indicators we need, because they happen before an outcome occurs. Understanding and reporting the likely impact of behaviours will alert management to the need for change in order to influence future outcomes. The key is to get evidence from everyone involved in or affected by the subject, ie all the stakeholders, and identify the impact of the behaviours of others. This is 360-degree auditing. For example:

  • when auditing purchasing, involve people outside of the purchasing department
  • if you are examining sales, talk to operations and customers
  • when performing an ISO 9001 audit, talk to customers, suppliers and other stakeholders

This approach is essential in order to understand real risks but it is resource hungry, so use other IT methods to collect and analyse this data. Your auditing methods also need to be different, as auditing behaviours are poles apart from what we have traditionally used.

In your report

Managers then need to understand the potential impact of this tactical data on their objectives, so when reporting, do not just report what this indicates in terms of nonconformances, report what counts. For instance, if you are auditing a sales process, what is more interesting to management? The risk of their sales targets and profitability objectives not being met or that some forms haven’t been completed?

Both need to be reported, but what directly effects the manager is more likely to be listened to. Alternatively, in an ISO 9001 audit, which is more use to management: knowing the compliance position (a picture of the past) or risks to drivers of business performance and maturity (a picture of future risk)? Is it of more interest for him or her to know that a particular clause didn't conform six months ago or that resources are not being used effectively or focused on their business objectives?

Finally, here are my top tips for working towards a new kind of auditing. Focus on behaviours that drive outcomes (what it means to the organization) not just outputs (what is produced). This allows you to assess what actually happens in the real world, not just what people write down.

You can’t change the past but you can change the future by using behaviours as lead indicators of risk rather than audit results and key performance indicators which are lag indicators. Let’s learn from our auditing past. We should not throw it away, but grow our auditing skills and approaches to meet the needs of the future.


About the author

Ian Rosam is a director of the High Performance Organization Group (www.the-hpo.com). He has published a number of books on auditing. He can be contacted on E: ian.rosam@the-hpo.com

 
Online Forums logo
Have an issue to raise? A question to ask? Give us your opinions now in the Online Forums.