Bursting The Bubble (Original Publication Date 21/03/2017)

Next time you are at work, take a look around. How well do the individual departments work together?

Would you say you have a good understanding of how each department works? Or how their roles fit with your own?

Everyone likes to think that their own role is the most important, that the business couldn’t function without their department.

Wrong!

One thing we often see in internal auditing is that each department is working within a silo, staying inside their own little working bubble oblivious to what else is happening around them in the business.

While focusing on the details of whatever it is you do is a good thing, it shouldn’t be at the expense of the big picture.

Regardless of the industry no business can operate with just one department. Even small single operator businesses require you to wear multiple hats as you take on different roles within your business.

Let’s take a look at a simple example of the steps in manufacturing an existing product and selling it to our customers –

Before you even consider making more you need to determine the amount of the product you currently have in stock, do they have an expiry date, is it a seasonal product that is only required at certain times of the year, is there a current need for extra to be made and does the business have the resources to make more at this moment?

The above questions are usually reviewed by someone within the planning department. They will also determine how much of the product is to be made and the amount of raw materials that will be needed to be purchased.

The information is then usually passed to management to approve the production, purchase of the raw materials and the amount of time and staff required to complete the manufacturing of the product. Discussions with the finance department are usually included at this time to make sure the business has the available funds to complete all the tasks.

Once the planning process is complete and has been approved, the details of the raw material are passed to the purchasing department. Here they will have a list of approved suppliers that they use to draft purchase orders to buy the raw materials needed. Again these will need to be approved before they are sent to the suppliers, this approval is also usually completed by management.

After the raw materials have been ordered the finance department need to release the payment to make sure the goods are delivered on time. The financial records need to be updated to reflect that the business has spent this money and what it was for. Later on they will also need to match up this payment with the invoices received as part of their reconciliation process.

So we have ordered our raw materials the rest should be easy right?

The suppliers have started to deliver our raw materials so now someone needs to check them to make sure the orders are correct and the goods are in a usable condition. The best way to do this is to compare the purchase orders and invoices with the goods received.

Depending on the size of the business and the type of materials received this could be anyone from the receptionist to warehouse staff or site foreman. In larger businesses, and again depending on the type of goods, you may have one person signing off to confirm the goods were received on site and another checking the quality of the raw materials.

Any paperwork relating to the raw material will need to be kept and copies may need to be sent to different departments to ensure their records are accurate. When there is paperwork involved this is where things can get messy if there is a lack of communication or if you don’t understand why the other departments need them and what time frames they need them in.

You can’t pay an invoice if you don’t know what you are paying. You also shouldn’t accept the goods on site if you don’t know the products and quantities that should be there.

Now that we have our materials we can make our products.

Once again, depending on the size and set up of the business, how raw materials are stored, recorded and distributed for use can be very different. One point that should remain the same is that it should be recorded when each material is used, by whom and how much. Without this information you won’t know what you need when you start the planning process next time you want to make the product.

We start making our product using the work instructions that were developed before we originally began making this product in the first place. The work instructions are used to make sure that every product is made the exact same way and has consistent quality.

Each time someone discovers a way to make the manufacturing process better the work instructions and other documents for the process need to be updated so they stay current. Your internal audit department can also review the process to make sure the work instructions are actually being followed.

If you are using any equipment to make your products you need to make sure that the equipment is in good working order. The maintenance department would need a schedule in place to test, repair and replace the equipment as necessary. Discussions with risk management and/or internal audit staff can help when making these schedules.

Also any incident that occurred during the manufacturing process, such as breakdown of equipment, the production process not being completed right or injury of staff, would need to be recorded, investigated and resolved.

Before the product can be sold it would need to be checked for quality, you don’t want to be selling an inferior or faulty product.

We now have a finished product sitting in our store room waiting to be sold, but who do we sell it to and for how much?

The how much would be previously worked out by management, again the finance department would be involved to confirm how much it cost you to make the product and how much profit you wanted to make.

Market research conducted by someone involved in research and development would have been needed in the beginning to look at what other similar products were selling for and what people would be willing to pay.

As for who to sell to, your market research would have already looked into that in the beginning so you already know who your customers are. The marketing department will have put together a campaign to target the right customers leaving it up to the sales department to get the product to the customer.

That is a pretty involved process already, but we aren’t finished quite yet.

Similar to ordering and buying the raw materials we now have to reverse that process to get the products out of our storage area and to the customer.

Our Packing department would need to package up the right amount of each product for the customers. We would need to create invoices that the customer would need to pay. The warehouse would need to confirm that the right products went to the right customer. And our finance department would need to make sure the customer paid and that the payments were recorded and reconciled correctly.

Also, since we had staff making the products our payroll department would need to know who was working and what times they worked so they could be paid for their time.

While all the above is happening there are still some departments working in the background. There are two main ones to consider. One is our IT department, who are making sure staff have access to the systems and information they need.

The other is our cleaners. Regardless of if you choose to use internal staff or an external cleaning company someone has to keep the work space clean, tidy and free from potential hazards.

Looking at the above example our simple production and sales process has involved the following departments:

Management

Planning

Purchasing

Finance

Warehouse

Quality Control

Document Management

Production

Maintenance

Marketing

IT

Packaging

Sales

R&D

Risk Management

Internal Audit

Incident Investigation

Payroll

Cleaning

As you can see every department is involved. If you were to take just one of those departments out of the mix things would get messy very quickly! Control checks could be missed, you might not have the resources you need to finish the production or pay staff, you could be missing sales opportunities, or more importantly you could be selling a product that is not fit for use and could be dangerous.

Quite often during an Internal Audit if I see there is a breakdown of communication or if staff are unsure of the roles of different areas I will recommend that staff from one department go and shadow staff in other departments for a short time. I get them to go and sit in to see what it is the other staff members actually do. They get the opportunity to ask questions and get a better understanding of how the departments work together.

Essentially they begin to see the business as a jigsaw with all the pieces fitting together to make a whole rather than a collection of individual silos.

Please note: The above article is not intended for use as standalone audit advice. For an individual review of the audit and compliance requirements for your business please contact KLM Audit & Compliance (katrina@klm-audit.com)

 

So, What Is Your Job? (Original Publication Date 22/02/2017)

Over the years I have gotten very used to family and friends telling me they have no idea what I do for a living. What I did find interesting is that when I applied for audit roles at accounting firms some of the feedback I received included ‘We don’t know where you would fit with what we do’.

Now please don’t take this as me having a go at the accountants, I have a lot of respect for them and the work they do. Their role has purpose and value for the organisations they work with, just like my role. It is just that the purpose and value of our roles are very different.

I have mentioned before that I am not an accountant. When asked what I do I usually reply with ‘I specialise in compliance and operational audits’ or ‘I relieve the worry and stress business people often feel when dealing with compliance issues’.

But what exactly does that mean?

First a little clarification on compliance audits versus operational audits.

Compliance audits are any audits relating to an external document. This could include –

    • Legislation such as the Estate Agents Act;
    • Standards such as ISO 9001 or the Good Manufacturing Practice;
    • A contract or deed allowing you to provide goods or services, such as the government contracts to provide employment services

Basically they relate to any document that you haven’t written yourself and that you have to follow, meaning you are compliant to it, so that you can continue operating in your chosen field and be able to provide your goods or services.

Most industries have a number of different external documents they need to be compliant to so at times it can get complicated.

While your internal auditor can help you get ready for a compliance audit, the actual audit is carried out by an external auditor. The external auditors are employed by the governing body responsible for the document they are auditing against.

For example an auditor from Consumer Affairs will audit a real estate agency to determine if they are following the requirements of the act. An auditor from the Department of Employment will audit an employment services provider to make sure they are following the guidelines set out in the Deed and their individual contract.

When organisations talk about being ‘Audit Ready’ they are talking about compliance audits. They want to make sure they pass the external audit and can continue to trade.

In contrast operational audits are all about your own internal policies, procedures, work instructions and the countless other documents you have created for your business.

I like to think that these documents create the culture of your business.

When you start your business you put together your business plan which gives you the structure, or how you want your business to look, e.g. sole trader versus a company, manufacturing of products or providing a service.

Your internal documents create the feel of your business, essentially they are the heart of your business. They state how you want your staff to interact with each other and clients / customers, as well as the level of quality and consistency you want your products or services to have.

A good internal auditor will not only know how to read these documents, they will know how to get them to talk!

Every one of these documents makes up the story of your business. They can tell you where the business has been, where it is now, where you want to take it and what is stopping you from getting there.

A well planned internal audit schedule can also provide the majority of the information you need for strategic planning for years to come.

By taking into account your compliance audit requirements when you create your internal documents, such as referencing the relevant external documents and aligning your policies and procedures with their requirements, you can make sure that any operational audits are also helping to keep you audit ready.

So, getting back to the question of what it is I do.

Short answer – all of the above and more!

I can actually come in at any stage, such as –

    • Creating the internal documents,
    • Creating an internal audit program,
    • Training new auditors,
    • Creating an audit schedule and conducting the risk assessments that go with it,
    • Conducting and reporting on operational audits,
    • Preparation for compliance audits,
    • And yes, even conduct the compliance audits themselves

It is a complex occupation, you have to be able to understand and interpret a wide range of legal documents, often for industries that you have had no experience in. Plus there are always challenges being thrown at you.

My favourite challenge so far was being asked to completely revise an internal audit program –

    • Create all new policies, procedures, work instructions and forms,
    • Create risk assessment tools and perform the initial assessments,
    • Create and deliver a training package for both lead auditors and support auditors

And I had six weeks to do it all and have the program up and running – hey who needs sleep anyway!

But honestly, I wouldn’t have it any other way.

Please note: The above article is not intended for use as standalone audit advice. For an individual review of the audit and compliance requirements for your business please contact KLM Audit & Compliance (katrina@klm-audit.com)

 

I Quit Sugar! (Original Publication Date 24/01/2017)

January is almost over and we are starting to look at all those New Year’s resolutions we made for ourselves, all the things that we were going to stick to that would make our lives better than previous years.

How are we all going with them? No judgement, hey sometimes we do put a little too much pressure on ourselves.

Now please don’t take offence but the resolution I get a little chuckle out of is the “I am quitting sugar” one.

Looking at it logically, when people tell me they no longer eat sugar, the questions that run through my mind are – Do you still eat fruit? Vegetables? Meat? Any type of grain, nut or seed? Dairy products?

Answering yes to any of those food groups means that you do still in fact eat sugar in some form, including things that your body converts to sugar such as carbohydrates. Unless your diet consists of nothing but purified water then a better statement for you is “I don’t eat any added sugar”.

People can also have this same misconception when it comes to risk management. I have a similar chuckle when I get told the goal for the year is to eliminate all risk. Just like getting rid of all sugar, getting rid of all risk isn’t as easy or practical as you might think.

There are three common types of risk:

  • Inherent risk – This is the risk before risk management strategies and controls are put in place. You can look at this as known risk
  • Residual risk – This is the risk that remains after risk management strategies and controls are put in place. This in contrast could be considered unknown risk
  • Key Risk – Any extreme or high inherent risk. This would be anything that instantly sets off alarm bells in your mind

Without going into a full risk management training session I just want to show an example of what can happen if you get fixated on removing all risk.

For this example let’s say our business operator, we’ll call her Lisa, has decided to take the food industry by storm with a selection of gourmet cheeses. Lisa has been making cheese in her local area for a while, has become very well-known, and has decided to expand.

As her product is perishable she has invested in having a new cool room installed, it has all the bells and whistles, including an alarm to let her know if the temperature is outside the pre-set desired range.

Now Lisa is one of those people who wants to remove every possible risk, with this in mind she decides that her biggest risk is loss of power to the cool room so starts her risk management plan there.

The simplest way to manage the risk of power loss is to have an alternate supply – a back-up generator. Great! Nice and easy! Mmm, but is there a chance that the generator might fail as well? Possibly, this would fall under the residual risk category. And we must remember Lisa wants no risk left!

So Lisa now adds a second generator just in case. But has that actually removed that residual risk? Not really, while the odds might be getting smaller there is still the possibility that both generators could fail at the same time.

Lisa is so focused on getting rid of ALL risk that she kind of goes overboard and before you know it there are 20 generators lined up beside the cool room. Has this removed all the risk? No, it has lowered the odds considerably but the chance of all generators failing at once is still there. Is it practical? I would say no, having to find space for and maintain all that equipment is a strain on Lisa’s resources that really isn’t necessary!

How about we forget about getting rid of all risk and look at a more practical risk management strategy.

So we have a cool room where our identified risk is loss of power, I am going to add breakdowns in there as well.

Starting with the breakdown possibility, creating a regular testing and maintenance schedule, conducted by a qualified professional, will reduce the chance of the equipment failing and help it to operate better.

Now the power loss, yes a back-up generator is a good idea but you probably would be ok with just one. Doing a little research, such as how often your area has lost power in the last few years and how long each outage lasted, can help with this decision. If you have only had one outage in the past three years that lasted for about 10 minutes you can be fairly confident that can be considered a lower risk.

With your generator, again a testing and maintenance schedule is beneficial to make sure it will work when you need it.

So we have breakdowns covered and are a little more informed about the power supply issues in the area, does that mean we have removed all risk?

Nope – Murphy’s Law, if it can go wrong it will! We can never predict everything, and for those things we can’t there is insurance! Should the worst happen and Lisa was to lose all her stock, or even the equipment, she has thought of that and managed the risk by having everything insured.

There you have it, we covered it all without having to buy 20 back-up generators. The thing to remember when conducting risk assessments and determining how you manage those risks is to understand that you will never remove all residual risk and ask yourself the following questions –

Do you feel you have covered all the current inherent risk?

Do you feel comfortable with the techniques you have used to manage the risks?

Do you feel comfortable with the remaining amount of residual risk?

Would your risk management plan stand up to external review?

(For example, just because you are comfortable storing flammable chemicals in a cardboard box rather than a fire resistant cabinet doesn’t mean that an auditor would agree with you!)

If you can answer yes to all of these then you have the beginnings of a basic risk management policy. However this policy should never be a write and forget exercise, circumstances constantly change, and as a result risk management should be reviewed on a regular basis.

Please note: The above article is not intended for use as standalone risk management advice. For an individual review of the audit and compliance requirements for your business please contact KLM Audit & Compliance (katrina@klm-audit.com)

 

Take Care Of The Corners (Original Publication Date 10/01/2017)

I find spending time with family over the Christmas and New Year period helps to remind you how precious your time together is and the things you can learn from each other.

Growing up I had the privilege of being able to get to know my great grandmother. Nanna Etchell was the ultimate stereotypical great grandmother from her generation. She was always sewing, knitting, cooking, gardening and she always wore a cardigan and an apron over her dress.

The other thing I remember about her was she had little sayings for everything she did, there were so many I have lost count of them all. There is one that always stayed with me though. As a kid it never really made a lot of sense, it was her saying for when she was cleaning the floor – ‘if you take care of the corners, the middle takes care of itself’. But you still have to clean the whole floor anyway don’t you?

Looking back on it now and rewording it based on my experience with auditing it has actually become something that I use in practice every day – ‘if you take care of the details, the big picture will take care of itself’

Too many of us are so concerned about the big picture, the standards, deeds or contracts we have to be compliant to, that the details can begin to get lost. What we forget is if those details are lost then the big picture starts to get a bit fuzzy.

Countless times I have seen organisations in a panic over a pending external audit, poring over every little detail of the standard, wanting to make sure they are ‘audit ready’ and feel confident they are compliant so there will be no surprises at the end. I have seen them spend a lot of time and money having someone conduct a ‘pre-audit’ to those exact standards and look at me like I have completely lost the plot when I suggest it is pointless!

I think I may have heard a majority of my current audience also gasp in shock at that statement! Let me explain it a little.

Say for example you are an ISO certified organisation who is about to undergo a re-certification audit. You have an external auditor coming in who is being paid to audit to that particular ISO standard. This auditor has most likely conducted the same audit many times, they know what they are looking for and what evidence they are expecting to see. Is it the best use of your internal auditor’s time to recreate the exact same audit that someone else is being paid to do?

‘But we need to pass the audit’ I hear you say. Yes, passing an audit is always a good thing, but this one particular external audit is part of your big picture. If you focus solely on that one standard then your internal audits are not going to provide you with the information you need to make strategic decisions on growth opportunities for your organisation or give you a true indication on what is happening day to day.

‘So what should we do?’ This is where the details are the key!

Yes your internal auditor should have an understanding of the standards you operate under and the compliance requirements of these, but that shouldn’t be the sole focus of their role. Providing it has been confirmed that your internal documents are written with these compliance requirements as a base and reference the specific standards, and the internal documents are being used correctly, then this should take care of the big picture issue and ensure that you are audit ready at all times.

Once it has been determined that your internal documents are compliant to the standards this allows your internal auditor to get on with the role they are actually there for, making sure you have the valuable information you need to ensure your organisation is performing at its best. Are your employees following the documented work instructions correctly? Are internal controls in place and being followed? Are you looking for opportunities to improve procedures or are you still doing things the same way because that is how you have always done it?

By getting your internal audit program to work for you rather than be a carbon copy of the external auditors you can be confident that your business will be in a stronger position to pass an external audit as the potential threats can be identified long before the external auditors arrive. This way, rather than be in a panic and have all hands on deck trying to get ready for your external audit, and possibly putting staff from multiple areas behind in their own workloads, you can continue on with business as usual!

Please note: The above article is not intended for use as standalone audit advice. For an individual review of the audit and compliance requirements for your business please contact KLM Audit & Compliance (katrina@klm-audit.com)

 

You’re Fired! (Original Publication Date 13/12/2016)

Not a subject we like to think about, especially at this time of year, but I wanted to share how using the correct approach to investigations can help you to make better decisions for your business.

This example was shared by a former colleague, who unfortunately can’t remember where he first heard it so if you recognise your own work I apologise. I feel the scenario very clearly demonstrates the importance of knowing how to ask the right questions.

Scenario –

A manager is walking through the workshop and notices a dripping pipe, he calls over the workshop supervisor.

(Manager) “Why is this pipe dripping? It needs to be fixed immediately!” The manager then walks off without waiting for a reply.

Two weeks later the manager is walking through the workshop again and sees the same pipe dripping, he is a little annoyed that his instructions weren’t carried out and speaks to the workshop supervisor again.

(Manager) “I thought I told you to fix that pipe, it is a simple 5 minute job! Consider this your last warning, if you can’t perform one simple task you’re fired!” Once again the manager walks off before an explanation can be given.

Three days later the manager checks and finds that the same pipe is still leaking. By now he has gone beyond annoyed and is furious. He finds the workshop supervisor.

(Manager) “That’s it, you can’t follow a simple instruction so you’re fired!”

So what are everyone’s thoughts? Was the manager right in firing the workshop supervisor? Yes I know I made the manager a little harsh in regards to not allowing the supervisor to offer an explanation, but I am wanting to make a point.

On face value it would appear the supervisor was not capable of getting the job done, and possibly didn’t care about the safety of the work environment, which would make him a liability to the business. If that is the case then would you really want him working there?

Now let’s just back up a little and give the manager some basic incident investigation skills.

(Manager) “Why is this pipe dripping? It needs to be fixed immediately!”

(Workshop Supervisor) “It has been happening ever since we changed suppliers for the washers we use in the pressurised pipes, the old ones lasted ages but with these new ones it feels like we are changing them almost daily!”

(Manager) “So why don’t you just order them from the old supplier if they work better?”

(Workshop Supervisor) “The old supplier isn’t on the approved supplier list anymore, this new supplier is the only one we can order from”

(Manager) “I’ll look into it and see what is going on”

The manager goes into the purchasing department.

(Manager) “Do you know why we changed suppliers for the washers in the pressurised pipes?”

(Purchasing Officer) “No idea! We just received a message from the accounting department saying we had to update the list of approved suppliers. Although I have noticed that even though we’ve only been using the new supplier for a short time we have placed way more orders than we would’ve with the old supplier in the same time period!”

The manager goes to the accounting department to try to get to the bottom of things.

(Manager) “Do you know why we changed suppliers for the washers in the pressurised pipes?”

(Finance Officer) “It was after you sent the email saying we were to try to cut costs for items that were considered non-essential, you asked us to find new suppliers that were more cost effective and remove any old suppliers from the list. I have noticed that although the new supplier is cheaper per item the spending on those items has almost tripled compared to the same time last year!”

Ah now it becomes clearer! It wasn’t that the workshop supervisor was being lazy, it was actually the manager who was trying to save a few dollars that was the cause of the problem.

The point I feel this scenario illustrates is that your business decisions shouldn’t be made on assumptions, the way you perceive something to be is not always the case – the washers may have appeared to be cheaper but not only were they actually costing more but they were also creating extra work putting a strain on resources.

Regardless of which type of investigation you are conducting – a risk assessment, incident investigation or an internal audit, the person conducting the investigation needs to go in with an open mind and the ability to ask the right questions to the right people.

This was a very simplified example, the manager got the relevant answers from the first person he spoke to in each department which is not always the case.

The thing I would like you to take away from this is that your business, and the decisions you make for that business, are too important to make without knowing the facts. Being able to understand exactly what is happening, how it affects other departments and staff goes a long way to being able to make informed decisions that will help your business be the best it can be.

For those trained in auditing and risk management asking the right questions and being able to see trends and patterns that others may overlook is not just part of our job, it is part of who we are. And unlike popular opinion we are not there to find fault, the reports we produce can actually be one of the most valuable tools you can have when it comes to strategic planning for your business.

Please note: The above article is not intended for use as standalone audit or incident investigation advice. For an individual review of the audit and compliance requirements for your business please contact KLM Audit & Compliance (katrina@klm-audit.com)

I am Not An Accountant (Original Publication Date 16/11/2016)

Traditionally, when people hear the word audit, most instantly think financial records.

This is understandable, because the first audits to be conducted were technically financial, although the currency used was the bartering of goods rather than coin.

Records still needed to be kept and checked to keep track of the number of baskets of corn you received for your llama fleece, and if you were paid in full or still had a partial payment owing.

With this in mind, when most people hear “auditor”, they instantly translate this to mean “accountant”, but this is not always the case, as the Institute of Internal Auditors – Australia website also discusses.

Since the beginning of the industrial revolution, the way we conduct business has evolved.

We decided we need our workplaces to be safe, for responsibilities and accountability to be defined and to create consistency in how things are done.

To do this, we started writing things down. We have legislation for every industry, standards for things like work health and safety and quality management, contracts for our customers and organisations we do business with.

Businesses created policies, procedures, work instructions, codes of conduct and ethical standards.

We now have mountains of documents telling us everything we need to effectively complete any task in any industry.

But how do we know if people are following any of it? With our desire to do the right thing came the birth of a new breed of auditors – the compliance and operational auditor, more commonly referred to as the internal auditor.

The simple description of an internal auditor is someone who reviews the documentation relevant to an organisation and observes the current work practices to confirm they are compliant.

For me, I don’t feel that definition does justice to the full extent of the role.

Being an internal auditor is complex and demanding.

Not only do you need to be able to understand and interpret a wide range of legislation and legal documents to determine the compliance requirements, you also need to develop an understanding of the day-to-day operations of all aspects of the organisation.

For example, on one day, you might be auditing the staff’s understanding of the code of conduct and how it relates to their role.

The next day, it might be a reconciliation of payroll deductions.

The day after that, you might sit in on a particular step of a manufacturing process.

The next day, you could be auditing the disaster recovery plan for the IT department.

And this is only a small selection of what may be required by an internal auditor.

Think of any task that may be performed by a staff member, from the cleaner to the CEO, and I can guarantee that an internal auditor has conducted an audit on it.

It is this diversity and challenge that I love about auditing.

You can learn so much about the industry, organisation and the individual roles and how they all fit together.

With this bigger picture overview, you can also see the areas and work practices that are working well and those that could benefit from improvement strategies.

By taking the time to speak with staff at all levels who are involved with the different stages of a procedure or process you can also give a voice to those who may not feel confident approaching senior management with their thoughts and ideas.

The information gathered during an audit engagement can be valuable to the decision makers as it provides a snapshot of exactly how each area is currently performing. Unfortunately there are times when things that look good on paper tell a very different story in practice.

So, while a basic understanding of financial reporting can be beneficial in certain areas of internal auditing, an open mind, the ability to understand legal documents and how they apply to the organisation, relationship building skills and a willingness to learn things that may not be specifically listed in your position description, are far more important.

I am definitely not an accountant, but should you feel the need to label me, I am more than happy to go with audit specialist!