Internal Auditor Involvement in ISO 9001 2000.

A recent study tracks the expansion of ISO 9001 200 and urges greater internal auditor involvement.

The number of ISO 9000 certificates issued by the end of 2004 totaled more than 250,000, according to the most recent survey of ISO 9001 2000 Certificates Worldwide." Hundreds more have been awarded since. Such widespread allegiance to ISO affects all aspects of the business environment, including the internal audit department.

Recent global research conducted for The Research Foundation documents the growing interest in ISO 9001 2000 and the resulting impact on the internal audit function. Almost half the internal auditors responding to the survey indicated that their companies have acquired or are planning to acquire ISO 9001 2000 registrations. Quality auditing, the control environment, and quality improvement in internal audit departments appear to be the three primary areas to be impacted by ISO 9001 2000 initiatives.

Quality Auditing

Across the globe, quality auditors are growing in number and professionalism due to the increasing availability of internal auditor training courses. Quality auditing is seen by many as an important part of business process re-engineering and total quality management. Many quality auditors no longer focus on compliance as their only objective, but go on to address continuous improvement and follow up their audit recommendations with management.

At present there is little evidence of coordination and liaison between quality and other types of auditing; but in many organizations the integration of quality auditing with other internal audit services at strategic, tactical, and operational levels will soon be a reality. Already, there are signs that audit work performed by quality auditors overlaps the work of other internal or external auditors. If for no other reason, the cost of auditing will drive management and audit committees to review how all auditors communicate and interact with each other.

When survey participants were asked how they see their interaction with quality auditors developing during the next five years, most predicted increased coordination and liaison. However, only a small percentage believe there will be more joint auditing or that internal and quality auditing will become one function.

Respondents whose organizations are ISO 9001 registered were asked to denote which of nine audit types could be improved by coordination and liaison with quality auditing. Most noted that compliance auditing would be improved, while half named operational auditing. Few saw any added value to their financial auditing. Surprisingly few saw reduced total audit costs as a benefit of increased coordination. In reality, however, links between quality and other types of auditing appear to be essential if an organization is to achieve maximum benefit from its monitoring and total auditing costs.

Control and ISO 9001

In organizations that are registered to the ISO 9001 standard, the impact on control systems is significant, although often overlooked. For example, survey respondents were asked to consider the objectives of internal control, as stated in The IIA's Standards, and to indicate which objectives could be influenced by TQM or ISO 9001. Most respondents stated that ISO and TQM could have an impact on "compliance with laws and regulations" and the "accomplishment of objectives;" however, few perceived any influence on "the safeguarding of assets".

The failure to recognize any influence of TQM or ISO 9001 on the safeguarding of assets indicates that most respondents do not see the connection between quality and physical security over buildings, material, and cash. Yet, TQM can reduce levels of control through its change environment, empowerment, a nd teamwork; and ISO 9001 focuses strongly on inspection and checking activities.

Such weak perceptions of the link between quality and the control environment can also be found in internal auditing literature. Few organizations or previous researchers have attempted to relate quality to governance and regulation or to link the objectives of each in common mission and policy statements. An appendage to the Canadian Institute of Chartered Accountants' Criteria of Control Board (CoCo) guide does relate its control criteria to the Malcolm Baldrige quality award criteria, demonstrating a clear link between each. However, the control guide makes no reference to quality standards or ISO 9001.

Yet, it is not difficult to see the quality requirements of ISO 9001 in the accepted control frameworks. Building a frame of reference between both can be an excellent learning exercise for every internal auditor.

Linking ISO 9000 and Control.

Each of ISO 9001's quality requirements can influence all the elements of control identified in Internal Control - Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Comparing the ISO 9001 quality requirements with the COSO control elements shows important links between the two.

For example, the quality principles of customer focus, leadership, teamwork, analysis, and continuous improvement can also be applied to each of the COSO elements. Quality, although not specifically mentioned in COSO, is an important requirement of the COSO control objectives: assuring the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws and regulations.

Quality requirements are also present in the control framework and criteria of control defined by CoCo. According to CoCo, control involves purpose, commitment, capability, monitoring, and learning. The following CoCo description of a properly controlled environment could apply equally to a quality system:

A person performs a task, guided by an understanding of its purpose (the objective to be achieved) and supported by capability (information, resources, supplies, and skills). The person will need a sense of commitment to perform the task well over time. The person will monitor his or her performance and the external environment to learn about how to do the task better and about changes to be made. The same is true of any team or work group. In any organization of people, the essence of control is purpose, commitment, capability, and monitoring and learning.

Still, little practical evidence exists that organizations see how forging a connection between quality and control is essential for success, and even for survival. Despite the fact that both COSO and CoCo link control requirements to quality, there is still a lag between theory and practice.

Quality as Control.

Any risk analysis focused on an organization's vision and mission must consider the risk of poor quality and dissatisfied external customers and stake holders. Any study of internal control frameworks in organizations will always show clear links between the control requirements of efficiency, effectiveness, and economy, and the quality requirements of ISO 9001. When visions for excellence and quality missions are married to control environments for governance, both are more successful; both can and do drive improvement in each other.

In the near future, many organizations are expected to make public statements on their environmental management and assessment systems. All internal auditors should be interested in seeing how managements relate their quality, governance, conduct, and environmental practices in future control frameworks and public statements to their stockholders. As evidenced by The IIA's recent involvement in this arena, internal auditors may find it advantageous to lead the debate and practice in these emerging relationships.

Immediate Impacts

Internal audit departments are not only affected by ISO through the emergence of quality auditing and new approaches to internal control; some internal audit functions have gone so far as to register their own services to the standard, training staff as quality auditors and providing quality management advice as part of their service. Almost 25 percent of the respondents said they have considered registering some or all of their internal auditing services to ISO 9001; of those, 60 percent actually pursued assessment and became ISO registered.

Why Register?

The research findings revealed some surprising attitudes regarding the benefits of registering the internal audit function. Survey respondents ranked nine organizational attributes that might be improved as a result of ISO 9001 registration. The highest ratings went to image, consistency, efficiency, teamwork, and communication.

This Article was Provided by a Driso Consultant.

Driso provide ISO 9001 2000 consultancy, auditing, software, and training Services.
They also supply Easy ISO 9001 2000® software for initially setting up an ISO 9001 2000 compliant Quality Management System or improving upon an existing one.
Click here to contact Driso Consultancy Services. See what they can do for you and your business.

If you have an interesting ISO 9001 2000 article that you would like to publish on this page to share with other like minded people please click on the [Submit Article].
Full recognition will be given to the author.    [Submit Article]

Copyright © Driso Ltd. (2005)