IT Strategy Audit – Welcome!

Very few people like to be tested. This is true for the new fiancé, for the student in the chemistry test and, of course, for the CIO. But those whose hair stands on end at the mere thought of it forget one thing: you learn a lot about yourself in such an exam, regardless of the outcome.

Above a certain size, company leaders can no longer deal with every little issue themselves. Accordingly, they can’t ensure that every case is handled in their best interest. So rules are drawn up to which employees must adhere. Of course, compliance with these rules also needs to be monitored, and internal and external auditors can be used for this purpose. External audits have the great advantage of being able to demonstrate effectively to the outside world that we are Basel-, IFRS- or GDPR-compliant. Internal audits, on the other hand, have the advantage that the results can initially be processed internally. Normally, both will be combined, if only because external audits are mandatory exercises in many environments.

The object of the audit is usually a business unit, a department, a process environment or a project. The responsible colleagues are normally not very enthusiastic about so much attention. There is a feeling of surveillance, as if they are not trusted with their job and are wasting a lot of time on top of it. However, this assessment misses the point of the audit: monitoring compliance with the rules. Good for those who have prepared themselves internally and organizationally for the audit.

Step 1) Auditors are not aliens

If you want to understand the audit, take a look at the auditor. What are his goals, what task has he been given, by whom and why? An auditor normally audits many different specialist functions and can therefore seldom have the same technical depth as the people he audits. As a result, he will rarely be able to judge whether you are doing your job well. Fortunately, that is not his job.

He comes to you because he wants to know whether you are doing your job according to the rules. This is not an assessment of the quality of your performance (in terms of efficiency, innovation or employee friendliness) or of you as a person, but only of whether the applicable rules are adequately implemented in your organization and processes. To ensure that no findings arise here, first get to know the rules, then ensure compliance with them.

Three levels of regulation can be distinguished:

  • legal (national and, if applicable, EU law; in this context, also consider the foreign subsidiaries in which your employees may be working)
  • from contracts (these can be customer and supplier contracts, but also more general written agreements such as ISO conformity)
  • internal regulations (usually there are procedures and guidelines you can follow).

This is admittedly a lot, but it is essential that you deal with these topics. Of course, this does not only apply to the audit but also in general, in order not to violate external and internal agreements. Even if it sometimes doesn’t look like it, these agreements usually have a purpose that goes beyond the regulation itself.

Step 2) Get dressed up

In order to keep an eye on this admittedly sometimes excessive number of regulations, and to measure your own area against them, a professional audit (organization and processes) and asset management (technology) solution is recommended. You are not the only one facing this problem, and there are vendors out there who specialize in this requirement, and provide appropriate tools. As always, you can work with the Big Four, but you will have to pay for the scope and professionalism of the solution. Alternatively, there are smaller providers on the market that offer similar services for less money, but often not all from a single source.

So let the vendors out there help you. Initial consultations, whitepapers and product introductions usually cost you nothing but time. Then, conduct an evaluation with procurement and, after selecting a solution, schedule an implementation project. Once the project is complete, you will know which of your areas require special attention in terms of audits, and why.

Don’t forget your employees, either. Depending on the requirements in your area, appoint one or more colleagues to be responsible for compliance, and make sure that they take their job seriously. It is then their job to keep track of the requirements (from the overall body of regulations) that are relevant to your area, and to monitor and, if necessary, ensure that they are reflected in your organization.

Once the audit is over, you should also establish internal planning and tracking processes that take care of the findings. This is where the newly appointed internal compliance officers come in handy. The auditor will show little understanding if the same findings come up again in repeated audits. Since the findings are not always highly critical from an operational point of view, you as a manager must ensure that they are given the appropriate priority and equip those responsible with the necessary clout.

Step 3) Relationship cement

If you manage to view the audit as helpful support and prepare yourself and your organization adequately for it, internal and external audits will quickly lose their terror. At the same time, an audit report has more to offer than just its usefulness to you and your department. Audits and their results can have an enormous impact on companies.

Use them to your advantage. If your department is chronically understaffed and covers only the minimum in terms of resources or know-how, necessary due diligence obligations may fall by the wayside. If these obligations are nevertheless demanded of you, a corresponding audit report can serve as an argumentation aid for growing your department in line with the requirements. Here, too, you should of course be well prepared for the discussion with top management, especially if budgets and headcount are involved. A corresponding report on the table can usefully support your already conclusive arguments either way.

It can also be worthwhile to work together with the auditors during the implementation of projects. For large projects, for example, you can involve the internal auditors already during the setup phase in order to create the best possible basis for later audits. Timeline and project budget should then be dimensioned accordingly. For very large projects, it may even be worthwhile to work with external auditors during implementation. Depending on the industry, this may be advisable in order to avoid expensive adjustments after go-live.

Last but not least, such an audit is also the perfect time to put the rules themselves in the spotlight once again. Are they up to date, or do they represent an outdated requirements environment? Do they serve their purpose, or only themselves? Are the scope and complexity of the existing rules still manageable, or should they urgently be streamlined? Feedback like this can only be meaningfully generated in the audit, where the rules meet practice. By questioning the existing rules and regulations with a correspondingly resilient argumentation, you will certainly not save the world, but you may be able to make life a little easier for you and your colleagues.

As always, good luck with this,