They can also be rather instructive
A friend and I once went to one of our firm’s locations only to find that it was “unavailable” due to an audit. The auditors, visibly annoyed and sharpening their fine-toothed combs, were awaiting the arrival of their boss – summoned by one of our colleagues. He had called the head auditor to complain, he told us, because his auditors were disrespectful and uncooperative. The man arrived moments later, followed shortly by our colleague’s boss, and our colleague soon became much wiser.
My former colleague’s view of audits, sadly, is not unique. Legal and regulatory requirements show no signs of abating in the future. Managing compliance requires a clear focus, but many view audits purely as a distraction. Like much else when it comes to governance, risk management and compliance (GRC), your point of view is central to how you manage. Is it something you actively manage – or a box you check?
Everyday challenges like staff turnover, organizational changes, new products, and market shifts make for plenty of distractions even without the current economic mess, but how you view compliance matters. Is compliance a distraction from the central task of keeping the company afloat? Is it an area expected to provide data that the firm can exploit for new opportunities? What can the current processes and technologies provide? Are they sufficient for the task set them?
The audit is not the problem
The automated tools available to help with GRC often focus on compliance, because it is the easiest of the three to automate, but they do not make the task effortless. The tools require implementing and they do not come for free. There is even a debate about whether or not auditing can be completely automated and therefore continuous, but automation is here to stay and it needs to be managed well – and how exactly do you do that? What do you want the tools to achieve? What do you want your audits to achieve?
For starters, you can avoid the mistake my colleague made. The fireworks that morning were pretty impressive, even at a respectful distance. One of the many lessons was that taking on the auditors was a high-risk proposition. It was a lesson we had already digested, but repetition often reinforces learning. The auditor is not the enemy.
Your audit is also a resource
Many managers, and indeed entire firms, forget to set goals for their audits beyond mere compliance. “Mere compliance” may sound a touch rich for firms struggling to achieve compliance, but there are some oft-overlooked opportunities in the process. The rules and regulations may be burdensome, but they are usually intended to prevent problems – and they cannot be ignored.
Auditors see a lot of different ways – both good and bad – of doing whatever it is that they audit. Many firms fail to gain the benefit of this experience by being overly defensive. A different approach is to welcome them. Ask questions, take notes and seek their advice. Rare is the expert who does not like an audience. Most of them take a pretty penny for coming to visit. You might as well get full value for money.
Many firms have realized that the data their compliance systems produce can be a resource as well. The ability to ensure that your data is safe, that your systems are secure, and that your staff is aware is key to certification, for example. That certification can often be turned into higher-value services and better margins. Compliance can be an advantage as well as a cost, and your audits are one of the many tools you can use to create and maintain advantage.
I never heard what became of my colleague, but while I imagine he was also rash in other ways, I like to think that he tackled his next audit differently.