The future of auditing: a blended approach

The business world is facing unprecedented change as the need to address commercial, environmental and stakeholder expectations intensifies. Businesses and the standards industry are having to adapt, align and perform to meet these challenges, and traditional auditing methods are struggling to achieve this.

The obstacles facing the auditing and third-party industry include:

• limited sample sizes;
• human error, including inconsistent analysis of evidence and reporting;
• traditional auditing using backward-looking data, with no predictive data analytics;
• no measurement of people's behaviours, or their impact on, or risk to, compliance and business performance; •
• poor insight as to how and where improvements, efficiency and effectiveness can be driven.

However, it is not only internal audit that must change to meet this challenge; so does third-party certification.

Management systems

There are numerous management systems; for example, closed and open. The essential difference is that a closed system does not adapt to its external environment, whereas an open system does, by understanding that environment and changes.

Closed management system:

• not adaptive to the environment;
• 'A' always leads to be 'B';
• pre-determined;
• SPC;
• focus on reducing/managing variation.

Open management system:

• adaptive to the environment;
• ever-changing, continuous improvement;
• focus on managing variety.

From an auditing viewpoint, it is important to note that Annex SL, and therefore all management system standards, are open systems by definition. The key clause is Clause 4, which requires all organisations to understand their scope and boundary, as well as the external environment. From this, organisations are required to manage their impact in terms of risk, which in turn influences objective setting and resource planning. We can reference Deming (closed system) and Acoff (open system) for this analysis.

"By embracing a new science base and a blended approach to auditing, the industry can meet the challenges of the business world and provide a valuable service to organisations of all sizes."

Ian Rosam CQP MCQI, Chief Product Officer at DeepFathom

To this, we can overlay other academic management system rigour, in this case The Management of Innovation, published by T Burns and G M Stalker in 1961. Through their work we can view a management system as mechanistic and organic. The characteristics are listed below:

Mechanistic management system:

• closed system/non-adaptive;
• focused on outputs;
• mental constructs;
• linear – A leads to B, leads to C;
• SPC, Six Sigma, KPIs;
• predetermined;
• management of variation.

Organic management system:

• open system/adaptive;
• focused on outcomes/results;
• mental constructs are not reality;
• reality is complex; alignment of people's behaviour;
• reality can't be measured on a spreadsheet;
• reality can't be predetermined;
• management of variety.

The essential differences are that an organic management system is free of mental constructs such as process maps, procedure documents, and so on, instead focusing on the ‘here and now’. The organic system is adaptive and therefore open to the external environment, just like Annex SL and management system standards.

The auditing oxymoron

To audit a mechanistic system, the audit methods assume a mental construct, a defined requirement. The auditor who audits that requirement is looking for tangible objective evidence of compliance at some point in the past – it is backward-looking.

But to audit the organic system requires an understanding of the patterns of people’s behaviour, arguably the most influential organisational asset, where the objective evidence is intangible and where no mental constructs exist – it just ‘is’. Consequently, the audit mechanistic techniques fail in understanding performance.

All systems are a combination of open and closed, mechanistic and organic system characteristics. By using only traditional mechanistic audit techniques to audit the whole management system on their own, which is currently the case, renders an objective evidence gap, simply because the intangible behavioural evidence isn't being collected.

The mechanistic/closed system audit techniques are not as effective at the organic/open system level. The consequence then is that the auditor does not have a complete view of performance or compliance to Annex SL and, therefore, the management system standards it underpins, increasing the risk that audit results are inherently unsafe.

A similar logic applies to internal auditing and reporting risk to the effectiveness of process and system performance to deliver results and compliance – essential given the global focus on environmental, social and governance (ESG).

Closing the objective evidence gap

The approach needed to close the evidence gap is a blend of the traditional onsite audit methods, together with remote auditing and new behavioural and experiential audit methods. This sees the strengths of all techniques maximised and their weaknesses minimised, thus meeting the challenges the business world now faces.

Using a range of techniques within the framework of ISO 17021-1:2015 Conformity assessment – Requirements for bodies providing audit and certification of management systems – Part 1: Requirements and the mandatory documents allows for different audit approaches, including behavioural auditing needed to audit an open, adaptive and organic management system.

The question is how do we audit patterns of behaviour and teams and collect the intangible objective evidence.

What is happening is that the certification and auditing processes are increasingly being digitised, making it easier to plan audits, collect tangible and intangible evidence, analyse that evidence, and create risk-based reports with visualisations and benchmarks that are more informative to users of certification activities and that enable auditors to add their own text within a framework.

Auditors can explain the consequences of a finding in business terms. This provides insights into not only what the nonconformance is, but also translates this into what the consequences of not correcting the nonconformity would be for the business. It is not about telling the organisation what to do or how to improve, but about making them aware of the consequences – something more valuable than just stating the nonconformance.

Summary

To conclude, auditing needs to enhance its methods to meet the changing needs of industry.

Auditors need to see and understand the complexity of how an organisation works (organic thinking) and how this then interplays with current, more traditional methods (mechanistic thinking) to create audit plans, audit solutions and risk-based reports ie, use a different, more complete, science base as a first principle.

The value proposition to the users of certification and internal audit services needs to be enhanced, giving more value to business managers.

The challenges facing the auditing industry are significant, but the opportunities are also great. By embracing a new science base and a blended approach, the industry can meet the challenges of the business world and provide a valuable service to organisations of all sizes.