Updated: Aug 9
Audits were first adopted by financial institutions to identify and prevent fraud. Their focus was to test the integrity of accounting procedures and financial data. Since then, audit practices have developed alongside changes to standardized accountancy and now play a crucial role in governance, risk, and compliance activities.
At the same time, the audit function has grown beyond finance to cover other compliance programs such as occupational health and safety, process safety management, environmental, quality, security, and so on.
However, there are important differences between auditing financial statements and ensuring compliance outcomes, particularly when safety is involved. Not understanding these differences has resulted in the misapplication of audits, as outlined in the following four misuses:
1. Audits go beyond the "what" and provide remedies for the "how"
Auditing should verify the integrity of reports and the processes used to create them. However, all too often, audits are used to prescribe "how" compliance should be met. Providing remedies happens all too frequently not only with external auditors but also with internal auditors who have their own view of how compliance should be done.
This practice was rightly stopped in the financial sector as audit firms cannot provide advice of this kind. Unfortunately, this correction has not yet taken hold across many regulatory, standards and certification organizations supporting quality, safety, security, sustainability, and other compliance objectives.
2. Audit findings are used to set compliance obligations
Audit findings produce a list of corrective actions that are often used directly by compliance managers to establish what the obligations should be. This poses several problems particularly when the audit findings inappropriately prescribe remedies as discussed earlier.
Another problem is that findings can be based on an auditor's interpretation of a standard or regulation. This leaves companies struggling to revise their approaches, only to have them change again the following year when a different auditor conducts the audit.
Companies should not immediately accept remedies or an auditor's particular interpretation. Instead, companies should decide for themselves the level of commitment for each obligation and hold management accountable for the means by which they are met. Compliance accountability is a managerial role and not that of an audit committee or auditor.
3. Audit findings are used as the only source for compliance improvement
Many companies only use audit findings to drive change to their compliance programs. These findings can be helpful but are not enough: audit findings are too slow to provide feedback and too late to prevent risk from becoming a reality.
Relying only on audits doesn't make sense when it comes to safety, quality or dealing with the environment. This is like waiting until you hit the guard rail before you realize that you were driving outside the lines. Companies need to use leading indicators and actions instead of waiting for an audit to tell them when they are offside.
Also, findings never consider stakeholder or voluntary goals that companies may choose to pursue. Standards along with regulations are at best minimum specifications and companies may choose to go above and beyond them and often do.
It is observed that over 50% of obligations are driven by stakeholder expectations not regulatory requirements. This is expected to increase with further adoption of ESG objectives. Including the entire scope of obligations would help promote trust, strengthen a company's social license and demonstrate that compliance is valued.
Doing the minimum that regulation demands is a weak position especially when it comes to safety.
4. The audit function inappropriately assumes managerial accountability for compliance
The lack of clear accountability for compliance obligations often results in the audit function taking on this role and determining how compliance should be met and what the obligations should be. This diminishes the responsibility of managers who have the compliance role and should be the ones who are accountable.
In addition, the audit function would require significant resources to fill the accountability gap, which it is unable to do. This results in many companies being uncertain of where the goal line is and where they stand in relation to it. As a result, they spend tremendous effort preparing for and conducting audits every year to discover the status of their compliance.
Companies are now conducting pre-audits to get ready for internal audits, which in turn get them ready for external audits. All of this is done in the hope of satisfying a benchmark specified by an external auditor or regulator, something that companies should already know and be certain of. When it comes to safety or cybersecurity, waiting for an audit every year (or every other year) is far too late to find this out and creates unnecessary risk for employees and stakeholders.
All of these audit misuses result in significant waste and, more importantly, a lack of compliance assurance, the very thing that organizations (inappropriately) look to audits to provide.
Companies should take ownership of their compliance obligations and execute proactive steps to ensure they are met. They should not defer or wait for an external auditor to tell them if they have achieved their own compliance obligations. Meeting compliance obligations is a performance process just like anything else a company does and it is time to bring it back inside and in front where it belongs.