Updated: Nov 15, 2019
Audits were first adopted by financial institutions to identify and prevent fraud. Their focus was to test the integrity of accounting procedures and financial data. Since then, audit practice has developed alongside changes in accounting standards and has become a crucial part of governance, risk, and compliance activities.
The audit function has grown beyond the financial function to cover other compliance programs such as occupational health and safety, process safety management, environmental, quality, security, and so on. However, there are important differences between auditing financial statements and ensuring compliance outcomes, particularly when safety is involved.
Not understanding these differences has resulted in the misapplication of audits, as outlined in the following four misuses:
1. Audits are focused on activity within the compliance program
The role of audits is to validate program outcomes and verify that compliance reports are accurate. However, all too often, audits are used to prescribe "how" compliance should be met. This happens frequently with external auditors, and also with internal auditors who have their own view of how compliance should be done. This practice was rightly stopped in the financial sector, where audit firms cannot provide advice of this kind. Unfortunately, this correction has not yet taken hold across many regulatory, standards and certification organizations.
2. Audit findings are used to set compliance obligations
All too often, audit findings produce a list of corrective actions that compliance managers act on directly, without first revising the affected compliance obligations and obtaining approval for the changes. This poses several problems, particularly when the findings inappropriately prescribe remedies. Another common problem is that findings can be based on one auditor's interpretation of the standard or regulation. This leaves companies struggling to revise their approach, only to have it change again the following year when a different auditor conducts the audit.
Companies should not immediately accept an auditor's remedies or particular interpretation. Instead, companies should decide for themselves what level of commitment they will make to each obligation, and hold management accountable for the means by which those obligations are met. Compliance responsibility is a managerial role, not the role of an audit committee or auditor.
3. Audit findings are used as the only source for compliance improvement
Many companies use audit findings as the only driver of change to their compliance programs. This is not enough: audit findings are too slow to provide feedback, and they arrive too late because they are based on outcomes that have already happened. Everyone knows this makes no sense when it comes to safety, quality or the environment. It is like waiting until you hit the guard rail before realizing you were driving outside the lines. Companies need leading indicators and proactive actions instead of waiting for an audit to tell them they are offside.
Also, findings say nothing about aspirational or voluntary goals that companies may choose to pursue. Standards and regulations are at best minimum specifications, and companies may choose to go above and beyond them. Doing so helps promote trust, strengthens a company's social license and demonstrates that compliance is valued. The argument that doing the minimum the regulation demands is enough is a weak one, especially when it comes to safety.
4. The audit function inappropriately assumes managerial accountability for compliance
The lack of clear accountability for compliance obligations often results in the audit function taking on this role, determining how compliance should be met and what the obligations should be. This diminishes the responsibility of the managers who hold the compliance role and who should be the ones accountable.
In addition, the audit function consumes significant resources trying to fill an accountability gap it cannot fill. The result is that many companies are uncertain where the goal line is and where they stand in relation to it, so they invest tremendous effort in preparing for and conducting audits every year just to discover the status of their compliance.
Companies are now conducting pre-audits to get ready for internal audits to get ready for external audits, all in the hope of satisfying a benchmark specified by an external auditor or regulator, something companies should already know and be certain of. When it comes to safety, waiting for an audit every year (or every other year) is far too late to find this out, and it creates unnecessary risk for employees and stakeholders.
All of these misuses make the audit function too expensive and incapable of meeting the increasing demands of compliance. More importantly, they leave the audit function on the wrong side of compliance.
Companies should take ownership of their compliance obligations and take proactive steps to ensure they are met. They should not defer to, or wait for, an external auditor to tell them whether they have achieved their own compliance obligations. Meeting compliance obligations is a performance process like anything else a company does, and it is time to bring it back inside and out in front, where it belongs.