by Eugene A. Razzetti
Directly or indirectly, auditors assess an organization’s auditing goals and objectives whenever they conduct an audit because audit results often uncover problems with the way organizations operate in the present and prepare for the future. That is, in the way that they manage their goals and objectives. ISO 9000, 14000, and 28000 (to name the most popular) require the presence of viable auditing goals and objectives for organizations to become certified. In doing so, they require assessment of the organization’s ability to collect and analyze data, identify threats and assess risks, measure customer feedback and the commitment of top management, and the involvement of stakeholders. In other words, everything the organization needs to create and operate successfully under a collection of actionable auditing goals and objectives.
An organization’s stated goals and objectives may appear dazzling when framed and hanging in the waiting room or employee lounge. However, they often fall into several unfortunate groupings before they (just as often) fall into the waste basket. Realistically, many organizational auditing goals and objectives are:
- Out of date or no longer appropriate
- Unrealistic (i.e., too lofty, too general, or too easy)
- Not measurable or just not measured
- Threatening or vindictive
- Ignored and/or forgotten.
You cannot meaningfully audit meaningless goals and objectives. The following are nine ways in which managers and auditors can create, evaluate, and revise organizational auditing goals and objectives.
Benchmarking—Where are we?
Organizations can’t manage their auditing goals and objectives without first benchmarking their circumstances. That is, determining and quantifying the actual performance of an operation or a process and comparing them to expected performance. Benchmarking identifies the amount of improvement possible. Once completed, an accurate benchmarking allows management to assess operations or processes on a continuing basis to identify areas for improvement. Figure 1 shows the relationship between expected and actual performance. The gap between the two may be strategic, tactical, or operational, depending on the subject.
Figure 1: Expected vs. actual outcomes
Internal benchmarking examines activities that occur inside an organization’s own walls. Areas always in need of internal benchmarking include (but are not limited) to facilities, manufacturing and material handling processes, administration, training, waste, work in progress, and reject rates.
External benchmarking can include customer satisfaction, competitors’ products, recommendations from external consultants and auditors, public databases, and the annual reports of other companies.
Synergy—Don’t leave home without it
Synergy refers to the measurable behavior of whole systems not predicted by the behavior of their component parts taken separately. Synergy can play a vital role in planning and financing global business. Industry deals with how (and to what degree) to integrate capabilities and assets of diverse component organizations and how combining the capabilities can create something greater than their total.
Organizations would do better pursuing synergy rather than innovation because synergy can be quantified, whereas innovation (if not the result of pursuing synergy) often cannot. It follows, therefore, that if synergy can be quantified, it can be audited. What is required for the ongoing pursuit of synergies is a mindset from management that says, “One plus one must equal 2.5 or it’s not worth the doing.” In business, synergy can mean that when separate departments within an organization cooperate and interact, they become more productive and efficient than if they had operated separately. For example, it’s likely more efficient for each department in an organization to deal with one purchasing department rather than for each department to maintain its own purchasing function.
Implementing synergies begins with aligning them and their associated metrics with the gaps or shortcomings discussed earlier and developing objectives. Threat and risk assessments, if properly conducted, should provide the required specificity for identifying the requirements and the synergies, and for planning.
In the development of synergies, management must look for three progressively supporting behaviors:
- Redundancy: Several organizations perform similar activities to achieve the same objectives.
- Commonality: Several organizations perform the same activities to achieve the same objectives.
- Synergy: One organization, by performing one activity for several similar organizations, achieves more than could be accomplished by all the similar organizations each doing the same activity.
Too often, process improvements stop at commonality, confusing it with innovation and synergy. Commonality is a poor substitute for either synergy or innovation. Modern industry has the potential for a high degree of synergy. However, in terms of population, assets, and capabilities optimization of synergy remains elusive. Organizations must develop or combine their material and nonmaterial assets synergistically to achieve and maintain optimal performance of systems and maximum safety and effectiveness for their products.
Managers and auditors must know how to look for or create synergies, how to measure their effectiveness, and how they form the basis for change and (ultimately) continuous improvement.
Performing a strategy analysis
Strategy (not strategic) analysis means auditing an organization at a macro, qualitative level. This should be considered a prerequisite to other analyses, especially as they involve finance. Strategy analysis identifies profit drivers and risks, enabling auditors to assess the sustainability of current performance and to realistically forecast future performance. Strategy analysis examines:
- Significant challenges in product, labor, or financial markets in which the organization is operating.
- Resources such as brand names, proprietary expertise, access to scarce distribution channels, and special organizational processes that create competitive advantage.
- The “fit” of the organization’s resources with its operations (i.e., products or services).
- Organization structure for optimal decision making and/or economies of scale (e.g., centralization vs. decentralization).
- The existence of internal measurement, information, and incentive management systems and whether they optimize operations and coordination
- The degree of rivalry among competitors
- The ease with which new organizations can enter into the same market
- The availability of substitute products
- The power of buyers vs. suppliers
Management’s external communications
Like internal communication (e.g., with employees), external communication (e.g., with investors, regulatory bodies, and the general public) should be forthright, clear, understandable, and as frequent as necessary. It’s safe to assume that management will always have more timely and accurate information about the organization than will outside analysts. For that reason, there is always the possibility (accidental or deliberate) that an information gap will distort the organization’s posture or even its solvency in the eyes of current and potential investors. Management must, on a continuing basis, minimize information gaps as much as possible. Management’s external communications should address:
- Any differences between internal management forecasts of future earnings and cash flows and forecasts by outside analysts. Do any differences reflect future expectations about the future of the economy? Can managers credibly explain these differences?
- Are key business risks identified and effectively? Are they being managed effectively? Are they reflected in financial statements? Are yet “unquantifiable” risks (e.g., technological innovations) discussed?
How much of a financial statement is “voluntary” disclosure? Stated another way, how much information over minimum disclosure requirements does management provide to effectively articulate the organization’s true condition?
- Does the organization report sufficient free cash flow to handle (as applicable) unexpected expenses, to repurchase shares, or to increase dividends?
- Are internal or external audit reports reflected or included?
Additionally, management can communicate with investors through meetings with financial analysts, during which it can describe current performance, strategy, and plan for the future.
Risk management—disciplined subjectivity
Organizations that implement meaningful and effective risk management programs can control the present and the future. However, they must be able to identify the three basic components of risk: threat, criticality, and vulnerability as they apply to their organizations. Once these three components have been identified and assigned consistent numerical values, management can further refine the model by gaming potential courses of action. It is in modeling and gaming the courses of action that risk assessment becomes risk management. See figure 2.
Figure 2: Risk management total picture
Computing risk in any quantifiable, consistent, and auditable manner supports evaluating management goals and objectives because:
- Risks are identified, as well as their effects and interactions
- Contingency plans and courses of action can be developed, including preemptive responses which mitigate or reduce potential impacts
- Expected costs can be reduced, and an appropriate balance between costs and risk exposure achieved, with the goal of reduced risk exposure
- Feedback into the design phases and planning stages is developed as part of the evaluation of risk vs. expected cost
- Opportunities and responses are recognized and gamed in advance
- The integration of planning and cost control is improved
- Members of project teams develop an analytical understanding of the likely problems and responses in their own areas and problems in other areas which will affect them
Expenses are produced from organizational resources that have either:
- Been consumed
- Declined in value
- Been generated by marketing or advertising a product or service
Expenses also include salaries, depreciation, overhead, debt financing, taxes, and realized/unrealized declines in asset values. Many fixed assets are expensed or depreciated over a period of years. That has long been a sound practice, as long as the predicted useful life of the asset is consistent with actual usage. For example: a piece of equipment may depreciate over a ten-year period. However, the addition of a second or third shift during the second year of operation two may now have it running 24/7. Auditors need to look for situations like this and to ensure that expenses, as managed by the organization and as reported in financial statements accurately reflect the situation. Anything else misrepresents the situation and damages the credibility of decisions, including those of management and the auditor.
Auditors provide a valued (if not always welcomed) contribution when they ensure that management accurately and fully measures and analyzes its expenses, and then shares its findings with internal and external stakeholders.
Cash flow analysis—where’s it going?
Cash flow analysis examines the quality of the information shown on the organization’s income statement and/or balance sheet. Organizations normally classify their cash flows according to:
- Operations: sales of goods and services after costs
- Investments: capital expenditures, acquisitions, sales of long-term assets
- Financing activities: cash raised from (or paid to) stockholders and debt holders.
Auditing cash flow can reveal:
- The strength of the cash flow generation processes
- The ability to meet short-term obligations
- The amount of money has been invested in growth
- Whether dividends were paid and by what means
- What type (if any) of external financing the organization relies upon
- If there is excess cash flow after making capital investments
Cash flow should reflect the organization’s business operations, its growth strategy, and its financial policies. Cash flow trends over a number of reporting periods can provide valuable information on the stability of the organization and its management.
Credit analysis—another look from outside
This is another area in which auditors, who may normally focus on internal operations, need to adopt the perspective of potential and current suppliers, customers, competitors, and debt holders. Arguably, credit analysis by outsiders takes place constantly and includes such situations as:
- Potential suppliers determining whether to do business with an organization or extend credit to it.
- Bankers determining whether or not to approve a loan application.
- Fund managers, brokers, or individual investors assessing the soundness of an organization’s securities.
- A raider organization assessing the viability of a merger, acquisition, or hostile takeover and what constitutes fair value.
- Potential customers assessing the efficacy of product warrantees, replacement part availability, servicing, upgrades, and predicted obsolescence.
- Competitors who base their own decisions on the effectiveness of the organization in the market.
- Potential buyers or investors assessing whether a troubled organization can be turned around and how much time and funding this would require.
Performing credit analyses from the point of view of the outsider can provide excellent feedback for managing goals and objectives. Managers and auditors must realize that analysis by actual outsiders is continuous and that they need to stay ahead of it.
Reputation and credibility
Auditing, as we all know, produces subjective and objective evidence of how an organization operates. Each quantifiable finding (i.e., each fact) obvious or hidden, simple or complicated, favorable or unfavorable, also automatically generates a subjective finding (i.e., an opinion); cause for comfort or cause for concern.
For example, a financial statement containing questionable or misleading exhibits can do more damage in the long run than an accurate exhibit that shows bad news. A trend or pattern of misleading statements in any of the areas discussed in this article is a cancer in the organization.
If management has a credibility problem reports of any type or title will be viewed with skepticism, questioned, and likely disregarded. Deliberate falsifications can subject creators to legal and administrative consequences. At a minimum, investors and creditors will take their money elsewhere.
Auditing goals and objectives–Summary
Auditing goals and objectives must be established with demonstrable facts—starting with the initial benchmarking. Optimally auditing an organization’s goals and objectives requires continual scrutiny of the many areas in which the organization performs internally and how faithfully that performance is reported externally. Managers and auditors have an ethical imperative to ensure that their credibility remains unimpeachable. To shrink from that imperative is to travel a lonely road on a very dark night.
About the author
Eugene A. Razzetti, CMC, retired from the U.S. Navy as a captain in 1992, a Vietnam veteran, and having had two at-sea and two major shore commands. Since then, he has been an independent management consultant, project manager, and ISO auditor. He became an adjunct military analyst with the Center for Naval Analyses after September 11, 2001. He has authored two management books and co-authored MVO 8000, a corporate responsibility management standard, and is an adjunct lecturer on strategic management and ethics at Argosy University. He is a certified management consultant with the Institute of Management Consultants and has served on boards and committees dealing with ethics and professionalism in the practice of management consulting. He is a senior member of the American Society for Quality and recently assisted the government of Guatemala with the ISO 28000 certification of its two principal commercial port facilities. He can be reached at www.corprespmgmt.com or firstname.lastname@example.org.