What's the next big, big thing? Six Sigma? Nope. ISO 9000? Not really. OK, then what's next? I've been talking to
lots of people from Fortune 500 companies about what's coming down the path. I think the new Institute of Internal Auditors standards are going to change quality and quality auditing. Never heard
of them? Read on. "Firestone Set to Pay $7.5 Million in Suit," shouts a New York Times page-one heading (Aug. 25, 2001). The article goes on: "Bridgestone/Firestone agreed
to pay $7.5 million to the family of a woman who was paralyzed and suffered brain damage during a rollover crash in a Ford Explorer sport-utility vehicle, settling the first of hundreds of
defective-tire lawsuits to go to trial since the recall of 6.5 million Firestone tires a year ago. "Firestone tires have been linked to about 200 deaths and more than 700 injuries.
Firestone has severed its ties with Ford, contending that the design of the Explorer makes the vehicle prone to rollovers. Ford has blamed Firestone for the crashes, saying that Explorers are
safe." The New York Times uses words like "defective," "recall" and similar quality terms we don't much like to hear. The negative human impacts from
this defect nightmare are inestimable. The financial impacts are huge. The known product recall costs for Ford topped $1 billion in 2000 and are reported to be at least $3 billion in 2001. And
these don't include Firestone's and Ford's subsequent litigation costs. Why didn't the companies' quality systems work? This is a multibillion-dollar question that cuts to the heart of
quality management's and ISO 9000's future. We know controls were in place that should have provided a heads-up that something was wrong. But all the trend lines from QS-9000 and ISO 9000
registrations, audits, corrective actions, preventive actions, design controls, rollover data, tire-shredding data, recall data, and inspections didn't point to eliminating the root cause of what
now appears to be cascading catastrophic events. The IIA might have the solution, which might have possibly prevented Ford's and Firestone's problems: risk-management assessments, a key
component of internal auditing. "Internal auditing is an internal, objective assurance and consulting activity designed to add value and improve an organization's operations,"
defines the IIA. "It helps an organization accomplish its objective by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and
governance processes." The IIA is developing new auditing standards around risk management, specifically: "The internal audit activity should assist the organization by
identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems" (IIA Performance Standard 2110).
"Hmm. But what does this have to do with me?" you ask. Read on. Traditionally, internal auditing evaluated financial information's integrity, safeguarded assets and
ensured compliance with financial laws. Now, just like quality, it's expanding its purview. ISO 9000:2000 expanded the standards family's scope to assess processes, develop metrics and
focus on customer satisfaction. The IIA standard also expanded to include "effectiveness and efficiency of operations, improvement of risk management, control…," and "reliability
and integrity of financial and operational information." So why will internal auditing prevail over quality auditing and ISO systems auditing? Internal auditing is important due to its
high corporate profile, mission and reporting level. In most organizations, the head of internal auditing is a senior vice president or vice president. This person usually reports
administratively to the chief financial officer and reports functionality to the board of director's audit committee. The CFO and the board of directors authorize and sponsor internal audits. So,
who reads and acts on your quality audits? Listen up, quality managers and auditors: The economy is soft. Boards of directors don't want surprises. They're looking to internal auditing
to provide assurance that there aren't any "bet the company" surprises looming. All risks are going to be managed much more carefully. I'm also seeing a new position called the
chief audit executive. This person is usually a vice president or above and handles all quality auditing, internal auditing, risk management and compliance activities. At the simplest
level, the term "quality audit" is fading from ISO 9000 vocabulary. Quality auditors are becoming "business assessors" or "process specialists," much like our
counterparts in internal auditing. So, this begs some questions: How are we going to add audit value? How are we going to differentiate ourselves from internal auditing? How are we going
to synergize with internal auditing? The answers to these will affect or infect the future of all quality managers and quality auditors.
For more information about the IIA standards, visit www.theiia.org. About the author Greg Hutchins
is a principal with Quality Plus Engineering in Portland, Oregon. Hutchins is the author of many quality-related books. He is working on the Standard Manual of Auditing, from which this editorial
is derived. E-mail him at ghutchins@qualitydigest.com . |
