By Craig D’Souza
The fundamental role of an auditor of ISO management systems and other compliance and certification schemes is to assess the organization’s compliance against a particular standard. However, depending on the type of audit and the skill and experience of the auditor, in many cases it is highly beneficial for the auditee to go above and beyond compliance, and focus on growth imperatives. Note that third-party auditors must not step over the line in terms of what is considered consulting; however, first- and second-party auditors certainly have flexibility in this regard.
Auditors play an integral role in identifying, verifying, and validating the risks of an organization through careful evaluation of evidence and determining the effectiveness of the controls developed and implemented within an organization to mitigate risks. In assessing this evidence, auditors can not only help auditees go above and beyond compliance; they can also be system enablers by using diverse and accessible skills and toolsets to help audited organizations grow and ultimately flourish.
Objective: How auditors add value and contribute to organizational growth
This article is intended to function as a resource, detailing how auditors can significantly improve the value provided to the organization being audited. The main purpose of the article is to consider the following broad questions:
- Where do pockets of innovation exist within organizations?
- How can auditors spot these pockets of innovation?
- What are some best practices that auditors can use to help develop collaborative ecosystems within these audited organizations?
In addressing these questions, we will share insights into how auditors can contribute towards thinking above and beyond compliance, achieving higher levels of innovative outputs and ultimately pushing the boundaries of organizational growth. A framework for this work is offered, and recommendations are made as to how incorporating a culture of engagement can influence the organizational growth imperative.
Preliminary questions that need to be addressed
For organizations that wish to go above and beyond compliance, here are several questions that need to be better understood by the auditor:
- What compliance data is collected (i.e., quality assurance, environmental metrics)?
- Where and how is this data collected (i.e., is it from disparate sources, location dependent, accurate, etc.)?
- How is the risk assessment process conducted?
- What are the costs of potential noncompliance/nonconformance/errors (i.e., what will be the effect if things go wrong)?
- How is organizational growth measured (i.e., innovation output, customer acquisition, sales revenue, profit margin)?
Although the role of an auditor can sometimes be limited to a mere tick-the-box exercise, in truth most auditors are, at times, the only independent eyes and ears on an organization, gathering useful data and evidence from a broad cross section of that organization. One example is interviewing staff and gathering information on organizational culture and employee engagement, both of which are critical components for successful organizational growth.
We recommend that auditors use the following framework to help drive organizational growth for audited organizations:
Demonstrating value by being prepared and asking the right questions from the outset; these questions form part of understanding the context of the organization (as per clause 4.1 of ISO 9001:2015):
- What is the founders’ purpose and vision?
- Why does the organization exist?
- What underpins the key organizational culture and innovation systems (i.e., the norms, practices, communication, informal and formal culture, team dynamics, incentive mechanisms, etc.)?
- What data does the organization use to measure growth and/or success (i.e., revenue, customer satisfaction, profit, recruitment, engagement, attrition, training, etc.)?
- What are the mindsets of the executive team?
- What is the product or service being offered?
- What is the business model and how does it solve customer needs and/or pain points?
- What are the results of any SWOT/PESTLE/Porter’s Five Forces analysis of the organization’s products and/or services?
Note: Running facilitated workshops and/or individual interviews with a cross section of staff from the various business units/teams would be a highly valuable exercise.
Knowledge and understanding of relevant ISO standards and how those standards support the United Nations’ 17 Sustainable Development Goals:
- ISO 10010:2022, “Quality management—Guidance to understand, evaluate and improve organizational quality culture”
- ISO 44001:2017, “Collaborative business relationship management systems—Requirements and framework”
- ISO 56000:2020, “Innovation management—Fundamentals and vocabulary”
Understand how organizational growth may influence any one or more of the following dynamics:
- Scale supply (i.e., a repeatable system/process, such as eWaste recycling)
- Scale demand (i.e., use of recycled materials and recycled content, as eWaste material may reduce the total cost of ownership, environmental certification/ethos, environmental publicity)
- Scale simplicity (i.e., technology and interface used to collect data and maximize productivity and recycling efficiency; for example, what type and location of product is most viable)
- Key customer metrics such as customer acquisition, sales cycle, conversion, customer satisfaction, and customer attrition rates
- People and culture, including training and capability gaps
Ultimately, all the stakeholders want to see the success of the organization being audited. The auditing process is designed to help bring about improvements and change, and we would expect this to allow the organization to maximize benefits for all (i.e., shareholders, the community, etc.).
In summary, although the auditor plays a critical role in encouraging the audited organization to go above and beyond compliance, it is the skill, the depth of experience, and the knowledge that the auditor has gained through the audit process which provide an invaluable opportunity to enhance the value of the auditing function. This helps the organization go above and beyond compliance and shifts the focus of the audit towards more of a growth-focused capability.
We hope this article provides a useful resource and a starting point for discussion. It is by no means an exhaustive list of attributes to consider; however, if you would like to contribute to the conversation, please get in touch with me directly. You can email me here.
You may wish to review the following resources describing the truth about the culture of innovation:
- 12 Key Characteristics of a Culture of Innovation (With Tips) from Indeed.com
- Auditing Risk Culture: A Practical Guide from the Institute of Internal Auditors (Australia)
- The Hard Truth About Innovative Cultures from the Harvard Business Review
About the author
Craig D’Souza is the managing director of E-Risk360 and a governance, risk management, and compliance professional with training across ISO management system assurance and certification. He is registered with Exemplar Global as a lead auditor in management systems including ISO 9001, ISO 14001, ISO 18001/AS 4801/ISO 45001, and ISO 27001. He has experience in providing integrated risk management consulting, auditing, and training solutions across these areas, focusing on quality, environmental, occupational health and safety, and information security risks. His main area of focus is to use a management systems approach to help organizations grow and ultimately flourish using a range of business scorecards, toolsets, and powerful visualizations.