By Bader Sugair and Saleh Karsou
Corporate firms are facing new challenges, as business conditions are subject to renewed industry standards and shrinking market share. What has been considered as a “safe” investment in the past is becoming more unstable with increased risk. Such risks can lead to losing profit as a result of market pressures that force organizations to adopt agile systems with higher investments just to survive. Additionally, the absence of an excellence model poses an unforeseen risk by itself that may exceed traditional risks that arise from the absence of mandatory regulation. The intent of this article is to challenge the common misconception that auditing functions should address only issues related to noncompliance instead of the organization’s overall commitment to excellence.
Internal auditing is designed, in part, to provide assurance to corporate management regarding the extent of risk and controls identification, implementation, and coverage, all in service to helping the organization achieve business objectives. The concept of auditing is often associated with the term “compliance,” where auditing is typically expected to gauge and evaluate how the business is complying with controls which include laws, regulation, policies, procedures, and other risk management controls. Controls are often described as the means to prevent or mitigate the effect of risks. Internal auditing has not been typically associated with concepts relevant to “commitment,” such as performance monitoring and improvement programs that are designed to add value to companies. Such benefits include cost saving, efficiency improvement, employee engagement experience, and technology deployment. In other words, the auditor’s role stops at essential controls, with the assumption that commitment concepts do not play a part within the auditor’s job scope.
To further explain, a traditional business mindset may prioritize compliance with essential controls, as long as business processes are performing without major incidents or business interruption. From this perspective, commitment to performance monitoring and improvement is an additional burden that may not provide value in the short run. It is worth mentioning that traditional business thinking is commonly found in companies that provide standard products and services, such as the manufacturing of raw materials or logistical services.
In this digital age, there is a compelling demand on all industries to expedite their pursuit of excellence, which is driven by a combination of compliance and commitment factors. Newly emerging businesses are growing quickly and becoming market leaders. Most of these new companies have adopted an excellence model that focuses on more innovative solutions based on leading performance measures and improvement projects that harvest Big Data. For example, companies like Shein, Spotify, and Zoom are dominating their respective markets due to their managements’ commitment to innovation and excellence, which are supported by sound strategies and well-defined risk portfolios focused on short- and long-term gains. In these types of scenarios, the emphasis is on these organizations valuing the commitment to excellence and allocating extensive resources to remain relevant, where strong reputation and brand recognition alone can no longer serve as protection against these risks.
A compliance-based approach would focus solely on traditional KPIs such as financial profit, supply chain interruption, number of customer complaints, number of fatalities and injuries, and fire incidents. Although these indicators are important and valuable, they do not present the full picture of the health of the organization, as hidden risks and opportunities can still be present. This demonstrates the need for more innovative performance metrics that include consumer behavior and demand fluctuation, digital maturity, inventory carrying costs, and product cycle time that can be effectively integrated with compliance-based KPIs for a more comprehensive operating model.
In conclusion, it is increasingly critical for organizations’ top management to consider adopting an operating excellence model that extends its benefits beyond compliance-based risks to more systematic and unsystematic risks. Such risks may be anticipated if in-depth performance measures are introduced to the business. The auditing function can greatly benefit from the excellence model by expanding the scope to include commitment-based matrices.
As demonstrated below, there is an increased need for the three lines of defense in every organization to strive for a commitment to excellence program, extending beyond pure compliance with existing controls. This will allow for greater innovation and the establishment and fulfillment of higher levels of governance, risk, and controls.
The following points outline the approach of having multiple layers of defense with certain alignment to operational excellence:
• As a first line of defense, organizations’ Boards of Directors or governing bodies must address the objectives of these programs to all levels of management and establish processes to drive the commitment to excellence. This will allow for continuous innovation and the leveraging of digital and transformational means to measure and improve performance on an ongoing basis.
• Second-line defense mechanisms within organizations may include quality, HSE, and other compliance bodies, which continually work with the first line to establish and continually improve these programs.
• When it comes to the third line, i.e., the internal auditing function, its role is to provide top management with information indicating the effectiveness of these programs. Internal auditors can also help gauge the implementation, maturity, and continuity of these programs for these businesses to effectively manage risks and thereby reach for higher market share.
About the authors
Bader Sugair is operational excellence coordinator for Saudi Aramco and a certified internal auditor via IIA. Saleh Karsou is operation excellence consultant for Saudi Aramco.