The world changes, and it does so more and more rapidly. Massive and radical changes have been and are taking place, altering both economic and social activity and the functions, objectives and responsibilities of internal auditing.
Development
1. The internal audit. Its evolution over time.
We can clearly differentiate two stages in the evolution of internal audit. In a first phase it was limited to the administrative vision of Taylor and Fayol's thinking. Thus, it had the clear objective of verifying compliance with internal rules, processes and policies. Given the existence of various regulations, the internal auditor had as a fundamental field of action to verify compliance with them. But while the external auditor aimed to verify the accuracy of a company's financial information to various external users, be they investors, creditors, banks or the state, the internal audit was and will be clearly focused on serving the interests of the owners. and directors of the same.
To make such objectives effective, it focused its interest in verifying compliance not only with external regulations, but also with all those internal norms and procedures in order to avoid problems in the interests of outside the company, on the one hand, and to make the implementation of organizational objectives and goals, as well as protecting the organization's assets against various types of risks, among which fraud was and must be a crucial objective.
The arrival in the first instance of TQM and after reengineering and continuous improvement, led organizations to face new functions in the area of internal audit.
2. Evolution of the environment and companies.
In the first phase of business, companies were faced with a higher demand for products and services than those offered by companies, thus the main concern of companies and their internal audits was to protect the effectiveness and efficiency of operations, the reliability of financial information, compliance with laws and regulations, and above all, protect the physical and financial assets of the company.
In the second phase, when faced with an offer that exceeds consumer demand, taking care of assets such as customers, quality, levels of satisfaction, and now facing environmental problems, caring for ecology is crucial.
A way of auditing that was typical of an era of little change was first shaken by the arrival of computer processes in the company, and then, in the face of global competition, due to the need to reduce costs, strengthen quality, improve service delivery, increase customer satisfaction levels, reduce response times and continually improve performance on each of the aforementioned indicators.
The jump from the Second Wave to what Alvin Tofler has called the Third Wave meant the appearance of new assets. Intangible assets and knowledge management are becoming increasingly important and transcendent, thereby leading internal auditing to new and more sophisticated lines of action.
It is no longer enough just to protect the classic assets of a company, today it is essential to care for and protect assets as important as customers, databases, patents, and even a fundamental asset such as its personnel, with all its experience, knowledge and productivity levels.
Caring for and protecting the company in its proper functioning, in the quality of its products and services, in the satisfaction of customers and consumers, and in the verification and promotion of continuous improvement, implies ensuring the survival and competitive capacity of the company. same.
It is no longer enough to verify the correlation between physical inventories and accounting, today it is critical to be competitive, and the audit is given to ensure these objectives.
3. New requirements of the Internal Audit.
Although the new requirements and obligations in terms of quality, environment and safety, among others, require specialists in the field, the function of internal audit in companies is not to advise on such aspects, but rather to ensure the compliance with them.
Not only is there a need for a third party to validate information from sectors such as production, purchasing, warehouses, customer services, sales and finances, among others, regarding their efficiency and effectiveness, but also the urgent need to protect the assets preventing and detecting waste such as: high turnover of customers and staff, high financial and opportunity costs materialized in excess inventories, low levels of customer and consumer satisfaction, and pollution levels higher than those legally permitted, among others.
Internal audit must not only actively participate in the survey and evaluation of internal control, but must also act proactively in the implementation of anti-fraud systems, and application of contingency plans.
Standards on quality and environment, regulations on foreign trade of the different commercial blocks, new technologies in continuous appearance, new forms of electronic interaction between the company with its subsidiaries, suppliers, customers, and the community, lead to new risks, and with this to new obligations on the part of the audit.
In a world in constant and rapid change, internal auditing cannot be far from it, having to evolve in the face of new and greater demands, offering new obligations, accompanied by new methods and tools.
The Kaizen or continuous improvement system, as well as Total Quality Management, require the commitment and discipline of each and every one of the areas of the organizations. This implies the need for internal audit to continually improve its own performance, but also to verify and advise on the continuous improvement of the other areas of the organization, which of course includes continuous improvement in internal control processes.
4. New responsibilities
Thus, given the continuous appearance of new management tools, internal auditing is compelled to ensure, among other things, their application and good use. This certainly implies a very strong commitment. We said before that the audit should ensure not only the assets of the company but also its competitive capacity. Taking care of the latter means spreading, supporting and monitoring new and good practices. Thus, by using benchmarking you can verify and promote best practices for maintaining the highest competitiveness. To be competitive is to continue in the fight for the subsistence or continuity of the company.
As Fernando Gaziano (Deloitte Chile) brilliantly expresses it, “auditors and astronomers fully share one idea: the universe expands. Just as after the "big bang" a universe of planets and stars began and continues to expand, in the same way the world of the Internal Auditor is ever wider. As never before, today you are probably facing one of the most important changes in your profession, having to tackle aspects related to Corporate Governance and the new risks that organizations face.
5. Internal audit as an activity and strategic cost.
Within this new context and under a strong paradigm shift, the activity that until recently could and was considered with contempt by the other areas of the organization, became a strategic activity. What does it mean to be an activity considered strategic? It means not being merely a consumer sector of resources, with the sole objective of verifying and verifying compliance, but moving to protect key aspects and assets of a company or organization, and thereby lead not only to significant savings but also to generate and be a source support for checking and monitoring continuous improvement in each process, area, product and indicator of the organization.
Thus, internal audit is conceived as an independent and objective assurance and consultation activity, designed to add value and improve the operations of an organization, helping it to meet its objectives by providing a systematic and disciplined approach to assess and improve the effectiveness of management, control and governance processes.
This business aspect reviews the reliability and integrity of the information; compliance with policies and regulations; safeguarding of assets; economic and efficient use of resources and compliance with established operational goals and objectives.
Smartly defined, internal auditing can and should help manage risks, eliminate complexities and redundancies around controls, and reduce costs, thereby improving competitiveness and protecting the company's value to its shareholders.
In relation to what has been said, it should be said that during the Latin American Internal Audit Congress held in Argentina during 2006, Dr. Marisol Pantoja, a member of the PriceWaterhouseCoopers firm in the United States, stated that “before cases such as Enron and WorldCom, among others, the budget assigned by companies to internal audit tasks, in general, was quite limited, applying cyclical control programs, while now aiming to know both financial and non-financial risks to which the company is exposed to. Being clear this evolution in the United States, spreading it to other countries of the world ”. Then adding that the Audit Committee became an icon, gaining more and more ground in its close relationship with Internal Audit,to the point that even the external auditors reinforced their links with the companies' internal auditors.
6. Continuous improvement applied to internal audit
To be part of the internal audit, it is no longer enough just to handle accounting, financial, legal, economic, administrative and computer concepts, now it is also essential to have knowledge in operations management, logistics, financial engineering, organizational behavior, applied statistics, quality, productivity and sales among others.
Internal auditors report to management and communicate with the Audit Committee and senior management. Due to their qualification and extensive knowledge of operations, these technicians frequently act as advisers to management.
For all these reasons, lifelong learning is, in this context, not only a necessity but also a labor obligation for the specialist, who must be alert to any type of risk that may jeopardize the achievement of the organization's strategic objectives for That works.
The business world has been experiencing in the last fifty years an avalanche of management methodologies, productivity tools and managerial terminology. The breakneck pace with which changes occur has been further accelerated by innovation and technology. In this age of knowledge and information it is vital to have a good understanding of what tools are available and how they should be used. Organizations need to understand how to measure and execute strategies and how to make good use of both financial and non-financial measurement tools. In this context, internal auditing cannot be foreign, and must be fully introduced to evaluate the good use of the different tools, verifying, among other things, the correct use of data,as the correct calculation and use of the different information generated.
The teleinformatics boom revealed both in business and customer services via the Internet, and banking services through the use of ATMs, has led to the existence of new risks and needs, and with it the need for new services. and requirements by the internal auditors.
Today, well into the 21st century, the Sarbanes-Oxley Act has been enacted in the United States, designed to control managers and avoid scandals like those already cited around corporations like Enron, WorldCom, Tyco and many others. For this reason, executives are forced to certify the accuracy of their financial data and the existence of internal systems and controls that support the accuracy and veracity of the data. However, even considering the significant investment in technology, most companies do not know which products and which customers generate their benefits and to what extent.
Companies on the Fortune 1000 list are actively pursuing lean production with the purpose of speeding up their processes and the implementation of Six Sigma to carry out control. Many Scorecard initiatives are also taking place. Knowledge management and other intangible factors that drive companies to find non-financial measurement and evaluation systems help overcome the shortcomings of traditional cost management and evaluations guided by generally accepted accounting principles.
Currently, the core measure appears to be CRM, customer relationship management, and business intelligence systems. These tools, in addition to ERP systems, strategic planning systems, and e-commerce technology solutions, are implemented at a very rapid rate. Just look at the phenomenon of Internet auctions that companies like eBay and Yahoo have created. Big and serious problems took place. The problem then was that companies rushed to implement the technology without ensuring that they had the core structure and internal controls in place to support the reliability of such systems.
Given all this avalanche of new circumstances, needs and obligations, the internal audit is forced to continuously improve its way of controlling and verifying, making use of the new quality techniques and continuous improvement, apart from being forced by its members to expand and perfect their knowledge and skills day by day.
In this way and in conjunction with informatics, sophisticated software is being developed to carry out an evaluation of internal control according to the COSO® report, assess risks and carry out evaluation audits.
As a fundamental tool of the continuous improvement process, the Deming Improvement Circle must always be used, which foresees an interrelation of successive steps; The first of these is Planning, which is followed by Execution (Carry out), thirdly, the results obtained are evaluated, and then Action (Acting) is taken to correct and standardize the applied processes. The process starts again in an endless process of improvement aimed at achieving higher levels of quality, considerable increase in productivity, cost reduction, shorter or shorter process times and cycles, better and shorter response times, higher levels of satisfaction among others.
A real improvement is not conceived but the root cause of the problems is fully attacked, for which the application of "The five why?" Is recommended. In this way we do not limit ourselves to merely finding and solving symptoms, but rather the true root cause.
7. Audit as generator and controller of continuous improvement
As a product of the new context in the business world, new ways of measuring results have been generated, and with it new needs and objectives to be audited.
There are three main reasons why these new ways of measuring results have taken place:
- First, traditional management accounting is no longer useful and relevant to a company striving to achieve or stay at a world-class level. Second, customers increasingly demand higher standards of quality, performance, and flexibility. And finally, there have been and are changing in a substantial way the management techniques and methods used in organizations that produce both goods and services.
8. The importance of the SPC and its application in internal audit
If something has changed the way of thinking about quality, it has been the use and understanding of Statistical Process Control. This tool is that as a result of the activities and teachings of Deming, Juran and Ishikawa began to be used as a method and instrument of control and continuous improvement in the various management indicators of the company, be it financial ratios, costs, productivity and levels of satisfaction among others.
The idea starts from the fact that a process, be it of production, control, transport, etc., always involves a multitude of factors or variables. Since the factors do not always act in exactly the same way, fluctuations appear in the characteristics of the product, service, process, or in the levels of the different economic-financial ratios.
Given that these variations are unavoidable, those responsible for the process must establish what are the tolerable limits for them, so that all those products, services or ratios that go outside these limits are considered non-compliant.
The Statistical Process Control (SPC) is a tool that allows predicting these variations, reducing them and keeping them within limits that are reasonable for the organization's set of processes.
Since not all variations can be controllable, we must classify them into two groups:
- Controllable variations (assignable causes) These are variations that can be identified and that should be discovered and eliminated. Uncontrollable variations (non-assignable causes) These are random variations, which are very difficult to control. These types of variations are specific to the process and cannot be reduced or eliminated unless the process is modified.
When a process is affected only by a series of random variations produced by non-assignable causes, it is when the operation of the process is said to be under statistical control.
When, in addition to non-assignable causes, variations due to assignable causes appear in the process, the process is said to be out of statistical control.
The mission of the SPC is to measure the variations that occur in the processes, study the probable reasons for these variations and act to correct them, so that the processes are always under control.
The Statistical Process Control (SPC) can be used to control the behavior of different indicators ranging from costs, liquidity and solvency ratios, through levels of user satisfaction, total cycle times, hours of arrival of transport, inventory levels, product turnover ratios, quality levels, the number of errors and shortcomings, the ratio of bad debt among many others.
9. Classic tools
Pareto chart. It serves to separate the vital few from the trivial many. This tool has countless applications, from helping to concentrate efforts in the areas of greatest risk or danger, to the allocation of resources in those activities or tasks that generate the greatest results in terms of control and analysis.
Ishikawa's diagram. Used in auditing both for problem solving, as well as to analyze prevention measures.
Dispersion diagram. It serves the purpose of analyzing correlations between different factors in order to assess their degree of correspondence.
Histogram. It allows knowing the frequency with which certain phenomena or events occur, so as to be able to solve research problems, and to evaluate degrees of controls by frequency levels.
Graph of evolution over time. It allows monitoring of certain behaviors or phenomena in order to assess the levels of problems, risks, improvement and dangers.
Stratification. It makes it possible to detect both problems and incidence factors, being very useful when advising action measures.
Fluxograms. Fundamental when it comes to understanding and / or understanding organizational processes. It allows evaluating both internal controls and risk points.
10. The new tools
During the last years of the 20th century, many of the leading European companies have observed strategic plans oriented towards the implementation of Total Quality techniques in the ways of working with the aim of improving the total performance of companies through the contribution that it has all the departments, both those directly linked to production and those not linked.
The Seven New Management and Planning Tools support the Total Quality strategy in the functional areas of organizations and companies, both manufacturing and service provision, in order to be used by managers and executives in a similar way how classic tools support various departments and organizational processes. These tools are capable of helping managers commit to Total Quality programs, identify improvement opportunities in their organizations, and implement improvement programs.
These Seven New Management and Planning Tools emerged from a selection made during the 1970s in Japan by a committee of the Japanese Union of Scientists and Engineers (JUSE).
The selected set is made up of the following tools:
- Affinity Diagram Relations Diagram Tree Diagram Prioritization Matrices Matrix Diagrams Decision Process Diagram Arrow Diagram
These tools promote creativity and are capable of adapting to the different problems that may arise.
Affinity Diagram
The affinity diagram starts from data of the type “ideas or opinions” and uses cards to rearrange this data into groups with a common idea. It is a very useful tool when you have a large amount of information from different sources. For example, customer needs, expectations or demands taken from claims, warranty problems, internal control problems, reliability problems, etc. The analysis of this data is not usually easy, both due to the type of the data and the disparity of the sources, and this tool is very useful when analyzing and extracting information from this data.
Relationship Diagram
Together with the Affinity Diagram, it is a tool used in general planning. Unlike the Affinity Diagram, this diagram makes use of the logical side of the brain. Determine which idea has influence over another, representing this relationship with an arrow in the direction of influence.
Ideas joined by arrows of this type form a graph that can be interpreted by identifying those ideas that have the most arrows coming out of them or those ideas that have the most arrows going into them. Like the Affinity Diagram, its objective is to identify the different categories in which the ideas represented can be grouped.
Tree diagram
It has an organization chart-like appearance, with the goal of identifying ideas in increasing detail. The question that triggers the process is: What is the main component of this idea ?, then going on to answer the question: How should this idea be put into practice?
The Tree Diagram is a tool that goes beyond affinity and relationship diagrams, being essential in identifying those elements that may have been forgotten during the brainstorming process prior to the affinity or relationship diagram.
Prioritization Matrices
This tool is used to prioritize tasks, activities, or topics, based on known weighting criteria. To do this, it uses a combination of two of the exposed techniques, the tree diagram and the matrix diagram, reducing the possible options to those that are most effective and desirable.
Matrix Diagram
The Matrix Diagram is perhaps the most widely used and best known of the seven tools. This tool confronts two sets of ideas and compares them with the objective of deciding if there is a correlation between them.
Decision Process Diagram
This diagram is a tool used to detect what can go wrong in a process. This diagram of the decision process explicitly lists countermeasures for everything that can go wrong. This tool is often used in planning activities not previously undertaken. The activity is to identify and record everything that can go wrong, thereby substantially improving the likelihood of success in the project.
Arrow Diagram
Similar tool to PERT or CPM, its fundamental difference with them is that being a very simplified method it can be used by most of the people in the organization. The arrow diagram shows the existing paths when developing an activity. The purpose of this tool is to determine what is the minimum possible time in the realization of a project, graphically representing all those activities that can be carried out simultaneously.
The seven new tools can be used individually for the purposes outlined above, but when they show their greatest effectiveness is when they are used in combination in the identification and resolution of problems.
Most problem solving methodologies are based on answering the following five questions:
- What is the problem? What are the causes of the problem? How is the problem solved? What options to take? When and how to act?
11. The Internal Control Matrix System as a revolutionary tool.
The Internal Control Matrix System is the result of the computerized application of the Internal Control Matrix.
This matrix arose as a result of who this writes of his experience during eleven years like internal auditor of a banking entity. Given the need to avoid that some normative, technical or regulatory aspect of the many that involved each of the banking activities, products and services, was left without being properly analyzed, evaluated and consequently adopted prevention, detection and correction measures, The first matrix was devised (in this way it served as the Poka-Yoke; that is, an error-proof system), which had as its headings of its numerous columns the different general rules that could involve each sector or product. -service of the organization. Thus we have the regulations of the Central Bank, those of the Civil and Commercial Codes, those of national taxes,provincial and municipal, laws and regulations in corporate, cooperative, labor, those related to stock market operations, technical standards in accounting, security, insurance, among many others.
Regarding the rows, they correspond to the various sectors (accounting, investments, stock-financial, human resources, tax, among many others) and products or services (checking accounts, savings banks, fixed terms, transfers, letter import credit, credits, leasing, among others).
The first objective was to check for each intersection of the matrix if there were any regulations that affected a sector or product, and if it did, verify compliance with said regulations.
Thus, in the first instance, the matrix served as a method and tool for prevention and planning.
In a second stage, each score was assigned a score in order to examine how well the different rules, regulations or technical aspects were being complied with, with the clear intention of evaluating the responsible sectors, detecting patterns of behavior and trends that should be corrected.
This matrix continued to be applied subsequently in different companies and activities as a result of my acting as an internal auditor or as a result of my outsourced activities of said activity. Thus, its application in agri-food companies, clinics and sanitariums, construction and transport companies, among many others, not only allowed evaluating its effectiveness, but also allowed its improvement. Over time, aspects related to total quality management, detection-prevention and elimination of waste (dumb), ISO standards, among many others, were added.
As a result of its application, significant improvements were achieved both in the detection and prevention and elimination of deficiencies, with its consequent cost savings. As basketball specialists say "there is no better attack than a good defense."
In a second phase and as a result of the urgent need to achieve continuous controls at an allowable cost, especially for those organizations with numerous branches, and given the technical possibilities provided by the emergence of the Internet and Intranet, we opted for the development of the System Internal Control Matrix.
In this way, through the parameterization of disaggregated and successive matrices, certain control responsibilities are assigned based on items and periodicities to personnel from the different sectors and branches of a company, who with their key record the control and the results obtained.
On the other hand, each control point is assigned a weight based on the specific weight it has within the risk and performance levels. Then, as a result of the controls, reports appear with degrees of risks and problems by sector, branch, regulations and product or service.
Thus, a general problem in the field of labor safety standards can be detected, or general problems can be observed in a certain branch, or problems can be detected in the application of different regulations regarding a product or service. In other words, the system then in its final report allows a stratified analysis, which makes it possible to apply certain analyzes and action plans, both to detect and to prevent and solve problems.
12. Conclusions
The world changes, and it does so more and more rapidly. Massive and radical changes have been and are taking place, altering both economic and social activity, as well as the functions, objectives and responsibilities of internal auditing. Internal audit cannot be sidelined from these changes. Its members must accept the change and manage it to keep pace with advances in both business and technology.
Regarding business management, we are facing an unfinished revolution started by Deming, which Japanese companies made theirs, but not Western ones. The need to apply the fourteen Deming points to different business and administrative activities would improve the analysis, understanding and correction of the different defects and difficulties observed in different organizations.
Continuous improvement is not only applicable to industrial processes, but also to administrative, service, and internal audit and control activities. Much more, in this new business scheme, the Internal Audit bears the great responsibility of ensuring continuous improvement in each and every one of the areas, processes, products and services of the organization, in order to make competitiveness feasible. of it in the market.
Internal Audit must make use of all the tools used by the most competitive companies in the world.
With the New Economy, new businesses have emerged, new risks and dangers, new strategic assets, and with all this new obligations and responsibilities for the members of the Internal Audit, who are therefore forced to remain alert and trained to face the new challenges.
The brand, the knowledge, the patents, the clients, the distribution channels, are some of the new fundamental and critical assets for any company.
Within this trend, internal auditing has become a strategic and key activity in the area of prevention.
In this regard, KH Spencer Pickett states that “in all countries, to a greater or lesser degree, they agree to recognize the great value of an internal audit service, making it difficult to find another particular corporate service that is so encompassed in laws and regulations and that both bear the burden of society's expectations. ”
Recommended bibliography:
Basic Manual of Internal Audit - KH Spencer Pickett - Management 2000 - 2007
Understanding International Accounting Standards - Amat, Perramon, Carenys and others - Management 2000 - 2005
World Class Industry Data Systems - Brian Maskell - Productivity - 1995
New Trends in Management Control and Accounting - Bagur, Ripio and others - Deusto - 2006
* Content of the exhibition prepared for the International Congress of Costa Rica-2007.
