This is Part IV – Quality and Compliance of a revised six-part series on the internal audit value chain (IAVC).
The emphasis on product and service quality is even more critical as organizations across the globe scrambled to respond to the unprecedented disruptions from COVID-19. “Quality is Everyone’s Responsibility.”
Initial publication – January 15, 2019. Updated – May 15, 2020.
Quality is such an essential aspect of achieving success in business that several companies include it in their company slogans. We all remember Ford’s motto, “Quality is job one,” or the window company that implores us to, “Come home to quality; come home to Andersen.” Some companies go a step further and emphasize quality by putting it right in the name of the company, such as Quality Inn, Quality Branded (the company that owns the steakhouse chain Smith and Wollensky), and Quality Technology Services. Here’s a fun fact: the “q” in the cotton swab brand Q-tip actually stands for quality.
The emphasis on product and service quality is even more critical as organizations across the globe scrambled to respond to the unprecedented disruptions from COVID-19. Can an organization successfully react to unplanned events if products and service quality are not baked into the company’s culture? The answer is No. To deliver on the quality expectations, all internal compliance requirements must be met. This is one area internal audit can help management to create value, capture, and sustain value.
However, you don’t need to be an MBA to understand that quality is a critical aspect of any organization that provides a product or service. Lack of consistency in delivering quality products and services will result in consumers moving to competitors. This quote from Ronald Reagan, who was writing on the virtues of free-market capitalism, captures the ideal concept of how internal audit should view quality: “Consumers, by seeking quality and value, set the standards of acceptability for products and services by voting with their marketplace dollars.”
Quality and compliance are critical for an organization to execute its mission and win over customers. Quality and compliance are even more critical as an organization adapts and responds to the changing business environment. Since internal audit strives to audit what matters, then quality should be vital to internal audit as well. Indeed, keeping a close eye on quality—and its near cousin compliance—is an essential component of the Internal Audit Value Chain (IAVC).
The Internal Audit Value Chain (IAVC)
It’s been well established that internal audit must seek to add value if it is to prove its worth in the organization. In the first article in this series, “Many Internal Audit Failures Stem from Misalignment with the Company Strategy,” I defined the IAVC and its key components. The IAVC includes “the enterprise-wide initiatives impacting business functions, involving a combination of people, processes, technology, and corporate culture to drive the achievement of strategic goals and sustain profitability.” Internal audit’s role in the value chain requires an understanding of the organization’s:
- Strategic direction and alignment
- Risk management and monitoring
- Operational efficiencies to include Continuous Process Improvement (CPI)
- Quality and compliance
- Financial management and governance
- Responsiveness to create, capture, and sustain value while adapting to the changing business environment.
This part four-installment addresses, as you have now guessed, quality and compliance as a critical means for internal audit to create value, capture, and sustain value by helping business units, management, and other stakeholders achieve improvements in these vital areas.
It does this by evaluating the effectiveness of quality programs and frameworks, identifying root causes of quality and compliance problems, ensuring monitoring systems and controls are functioning correctly, and other work outlined below.
“Quality is Everyone’s Responsibility”
As W. Edwards Deming once famously noted, “Quality is everyone’s responsibility.” That means it must be an essential focus from the rank and file up to the CEO, and certainly for internal audit. More specifically, responsibility for quality and compliance throughout an organization,
a) begins with front-line business managers (1st Line),
b) supported by risk and controls management and compliance managers (2nd Line), and
c) assured by functions with greater independence, such as internal audit reporting to the audit committee or other governing body (3rd Line).
Internal audit has some unique responsibilities when it comes to quality and compliance. Internal audit must communicate and enforce a consistent view of quality and compliance to all stakeholders while incorporating considerations unique to each business unit or function.
At many organizations, internal audit is viewed as the major enforcer of quality and compliance. If internal audit is a crucial enforcer, then we need to begin by answering the following questions:
- Does internal audit (or equivalent function) within your organization have a consistent view of quality and compliance as it interacts with others (1st and 2nd Line Managers)?
- Is this view on quality and compliance in-line with those of business managers, executive leadership, and other stakeholders?
- If not, why not, and what can be done to align the internal audit and stakeholders’ perspectives on quality and compliance?
For this section of the IAVC, quality is defined as: “The measures of how effective the underlying operations execute processes and governance to provide products or services in-line with customers’ expectations and in compliance with internal standards and regulatory requirements.”
The Compliance Connection
Quality and compliance are two sides of the same coin. An organization cannot provide quality products or services without consistently adhering to its own internal compliance requirements. Compliance is the set of standards used by each business function or the organization as a whole to provide a gauge on quality, such as acceptable failure rates, on-time delivery rates, or acceptable variation or defect levels.
An Institute of Internal Auditors (IIA) Australia chapter whitepaper by Bruce Turner, “Auditing your entity’s Compliance Framework,” defined compliance “as an entity’s framework designed to ensure that it achieves compliance with both externally and internally imposed requirements, and includes governance structures, programs, processes, systems, controls, and procedures.” The emphasis of this IAVC publication is on internal and not external or regulatory compliance, meaning the oversight of compliance with internally set standards, particularly as they relate to achieving established measures of quality. Both types of compliance are essential and can impact the quality of products and services differently.
Internal audit performs an important value-add role in helping management identify and manage aspects of quality and compliance across all line-of-business (LOB) functions regardless of their respective unique operations—without losing focus of the enterprise-wide quality and compliance objectives critical to the organization’s mission and customers. Internal audit must emphasize that quality is everyone’s responsibility and develop processes to review effectiveness among the LOB functions and how they align with enterprise goals.
In the article, “Optimizing Internal Audit” from the IIA’s Internal Auditor publication, I argued that internal auditors should include a review of policies and procedures to validate that critical enterprise quality and compliance objectives are addressed continuously, and adequately, and that existing internal controls are operating efficiently as part of the ongoing reviews and assessments. For specific industries—such as food processing, medical devices, and many others—the nature of products manufactured and distributed, or services provided may require extra scrutiny related to quality and compliance expectations.
How many times did you read about faulty ventilators or other ineffective Personal Protective Equipment (PPEs) as organizations and government institutions struggled globally to cope with COVID-19? We can anticipate an increased level of regulatory oversight post-COVID-19 for some products and services to prevent a similar reoccurrence.
Other industries, such as financial services, for example, may require added internal control and compliance requirements. Factors such as policies, procedures, product specifications, service level agreements, as well as external requirements, such as regulatory standards, impact the level of effort needed to address compliance.
Eight Steps to Boost Quality and Compliance (Q&C)
There are eight primary steps internal audit teams can apply throughout an organization in collaboration with stakeholders, to help management create value, capture, and sustain value by improving quality and compliance. They include:
1) FRAMEWORK TO EVALUATE Q&C EFFECTIVENESS: The emphasis here is on using an appropriate framework by an internal audit or equivalent function to validate that business units are meeting their respective quality and compliance expectations efficiently and effectively.
- What tools and methods are used by your internal audit team to evaluate the effectiveness of each LOB operations underlying quality and compliance processes to deliver products or provide services?
- What standards are used to determine how each LOB operation at your organization adheres to internal quality expectations?
It is important to ensure any framework adopted—whether it is Lean, Six Sigma, Total Quality Management (TQM), or others—must address issues unique to each LOB operations and how each function contributes to the enterprise-wide quality and compliance success. Addressing LOB quality and compliance efforts in silos without alignment to enterprise objectives is not an efficient approach.
2) IDENTIFY ROOT CAUSES OF Q&C PROBLEMS: What skills must internal audit develop to not only understand the operational aspects of each LOB function but also to understand and challenge the quality and internal compliance issues specific to that operation?
A generic internal audit approach to quality and compliance reviews without hands-on experience and expertise to apply topics unique to that operation will frustrate business unit managers. Such an approach will often result in an inability for internal audit to add-value by identifying and communicating the root-cause of issues from Step #1. Instead, internal audit could spend more time addressing symptoms.
3) PROVIDE COST-EFFICIENT RECOMMENDATIONS TIMELY: Internal audit must demonstrate a level of expertise needed to gain trust, challenge the status quo, and provide practical, cost-effective recommendations that can be implemented by each LOB function to address quality and compliance issues promptly. This is an essential step for internal audit to add value by boosting quality and compliance.
Obviously, quality doesn’t exist in a vacuum, and quality improvement decisions must be made about pre-determined price points, time-to-market targets, and other factors to achieve enterprise objectives. This is important for internal audit to gain trust from LOB managers and other stakeholders, and help management to create value, capture, and sustain value.
Technology, of course, also plays a significant role in the assessment and achievement of quality and compliance objectives. Internal audit must keep up on the systems and software that can influence quality. As organizations move towards improving efficiencies through technology and automation, the quality and compliance requirements become increasingly important. Configuration and programming errors, or the inability to adopt new technology, can present significant risks and potential financial loss. Internal audit can and should play a role in the assessment and implementation of new technology that can impact quality and compliance.
4) COLLABORATE WITH LOB TO REMEDIATE FINDINGS TIMELY: Once trust is earned, and stakeholders see value in work performed to improve enterprise quality and compliance initiatives, collaboration to remediate findings and implement sustainable recommendations is the logical next step. Internal audit must collaborate with LOB leaders without compromising independence.
- What guidance can internal audit provide to remediate findings and implement recommendations on quality and compliance violations and minimize the costs from regulatory fines and reputational damage?
- Is maintaining the status quo more important than pushing the limits of internal audit independence expectations and taking preventive steps to minimize the risk of exposing the organization to additional cost and reputational damage?
Efforts from internal audit to support remediation of findings from audits and reviews and Continuous Process Improvement (CPI) projects should also include education and training to LOB managers, stakeholders, and executives on standards, laws, and regulations. Training should be tracked, attested to, documented, and refreshed periodically.
5) DEVELOP Q&C KEY PERFORMANCE INDICATORS (KPIs): The next step in improving quality and compliance effectiveness is to measure and track performance.
While the quote, “If you can’t measure it, you can’t manage it,” is often wrongly attributed to quality guru Deming—many claim it was actually management sage Peter Drucker—Deming was a strong advocate for the use of quality metrics whenever possible.
Internal audit can collaborate with LOB stakeholders to identify quality and compliance issues unique to each operation and create KPI’s and metrics that align each function to the enterprise objectives to avoid performing tasks in silos.
6) PROVIDE CONTINUOUS Q&C MONITORING AND REVIEWS: Regulators became aware of the quality and compliance violations at Wells Fargo in 2016. We do not know if Wells Fargo had a framework used by its internal audit to validate that business functions met their respective quality and compliance expectations efficiently and effectively. If there was a framework in place, did the Wells Fargo internal audit department perform continuous quality and compliance monitoring and auditing before 2016?
The quality and compliance requirements for many organizations are not static. The dynamic nature of quality and compliance operations means a static once-a-year internal audit effectiveness review will not achieve intended effects. Performing continuous quality and compliance monitoring and auditing could identify issues missed during previous reviews and provide the organization enough time to implement corrective actions and, if needed, self-report to minimize the impact of any potential regulatory fines and reputational damage.
7) RE-EVALUATE THE Q&C ASSESSMENT FRAMEWORK: Given the dynamic nature of the quality and compliance requirements, any framework used from step #1, must be evaluated and adjustments made as needed. If the likelihood of significant quality and compliance violations remains low, and there are no substantial changes to the enterprise’s strategic objectives, quality expectations, and internal and external compliance requirements, then there is no need to make significant changes to the framework.
A good reason to make changes to the internal audit framework is if existing quality and compliance violations are not remediated quickly, or new significant issues are identified. We could anticipate Wells Fargo made substantial changes in how their internal audit function performed quality and compliance effectiveness reviews after the negative publicity that began in 2016. Such changes were significantly late as the bank suffered substantial losses from regulatory fines and reputational damage.
8) VALIDATE EXISTENCE OF AN APPROPRIATE Q&C TONE: What lessons can internal audit learn from the example of Wells Fargo’s quality and compliance violations resulting from bank employees opening unauthorized customer accounts and charging excessive fees to increase sales through cross-selling?
- When did management first realize such quality and compliance violations occurred?
- When did internal audit first identify quality and compliance violations?
- What did the LOB Managers and internal audit do to address the violations?
- When did senior executives and appropriate board and committees first become aware of such violations?
- Why was nothing done to resolve the issues immediately?
Internal audit must perform reviews to validate the existence of an appropriate quality and compliance tone and reporting structure to executives and board committees. Is quality and compliance baked into the culture of the organization? Without this, any organization remains vulnerable to quality and compliance lapses that could lead to excessive regulatory fines and reputational damage.
Developing a Quality Habit
As the whitepaper Auditing Your Entity’s Compliance Framework concluded, compliance remains a primary concern for the boards, executives, and senior management of most entities with reputation risk pushed to new levels because of the complexity and pace of legislative and regulatory change, coupled with an increase in regulatory scrutiny and enforcement. According to this whitepaper, a compliance framework is an important element in the governance of entities for:
- Preventing, identifying, and responding to breaches of laws, regulations, codes, or standards,
- demonstrating a robust compliance regime to regulators,
- promoting a culture of compliance, and
- assisting the entity to be a good corporate citizen.
While these eight steps are not the totality of internal audit’s role in helping the organization improve it’s quality and compliance initiatives efficiently and effectively, they provide a reliable roadmap for internal audit to collaborate with management—without compromising its independence—and create value for the organization along the way.
The reality of coping with the “new normal” of continuing to do more with less since the 2008 global recession means internal audit must do more to address the fundamental aspects critical to the long-term survival of the organization and to keep customers happy. Quality is chief among them.
To do this, the organization must provide consumers with the quality and value they seek, including the standards acceptable for products and services so that they can continue voting in the organization’s favor with their marketplace dollars. Executives and managers should empower business unit leaders and internal audit teams to continuously challenge the status quo, starting with mission-critical activities to drive and sustain quality and compliance expectations.
As the philosopher Aristotle once said (or something like it): “quality is not an act, it is a habit.”
Jonathan Ngah, CISA, CIA, CFE, CGFM, is a principal at Synergy Integration Advisors, a professional services firm providing internal audit outsourcing and internal audit co-sourcing services to government institutions, private-sector, and not-for-profit organizations in the US and the Asia Pacific (APAC) regions.