Principle 2 – Quality – for data governance within audit

This article focuses on principle #2 – Quality – for governing data within audit.

This is the 4th article in this series.  The previous articles:

  1. Outlined why the use of data within the IA team should be specifically governed.
  2. Provided a point of view about access to data that is collected or used by the audit team.
  3. Introduced the 3 key principles and detailed principle 1.

Principle 2: Quality

This includes:

  • Sub-principle 2a: Understand the audience and meet their needs.
  • Sub-principle 2b: Focus on the audit objective.
  • Sub-principle 2c: Ensure quality (a.k.a. quality assurance).

 

“Ensure quality” is self-explanatory.

But what do your audience and the audit objective have to do with quality?

To answer this question, let’s ask – what is “Quality”?

In an ideal world, there would be a simple answer to this, but the definitions vary.

 

5 definitions of quality

You may have seen these before, or you might recognize the organization/standard that they were sourced from.

| Organization / standard | What they say | Note |
| --- | --- | --- |
| American Society for Quality | A subjective term for which each person or sector has its own definition. In technical usage, quality can have two meanings: 1. The characteristics of a product or service that bear on its ability to satisfy stated or implied needs; 2. A product or service free of deficiencies. According to Joseph Juran, quality means “fitness for use”. According to Philip Crosby, it means “conformance to requirements.” | Definition as provided in the ASQ glossary, accessed on 28/02/2020. |
| Institute of Internal Auditors | Quality is not absolute. The quality of a product or service is the degree to which the product or service meets the customer’s expectations. | Not the official IIA definition. We couldn’t find one. |
| ISO 9000 | Degree to which a set of inherent characteristics fulfills requirements. With requirement defined as need or expectation. | Source: Wikipedia |
| Six Sigma | Six Sigma Quality: a level of quality that represents only 3.4 defects per million opportunities. A defect free product 99.99966% of the time. | Focused on six sigma |
| The Chartered Quality Institute | Delivering an acceptable level of quality in your organisation means knowing who your stakeholders are, understanding what their needs are and meeting those needs (or even better, exceeding expectations), both now and in the future. | Extract from the answer to “what is quality”. |

 

What does the definition of quality mean for Internal Audit?

There is some spread in terminology in the various sources, but there is a clear focus on customer/user requirements and expectations.

Quality, then, can only be achieved if you know who your customer is (audience), focus on what they need (objective) and ensure that you minimize defects (quality assurance).

2c – QA – is arguably the easiest. We generally nail it, because it is ingrained in our methodologies and we have focused on it from day one.

2b – Objective – sounds easier than it is, because we sometimes get distracted.

This happens often when using data/analytics – we stray from the audit objective and go down rabbit holes.  There is merit to exploring beyond the audit objective and hypothesis.  But not too far, and not for too long.

2a – Audience – is the one that we flounder with the most.

 

Why do we struggle with the “audience” aspect of quality?

We have a tendency, as IA professionals, to say what we want to say rather than what people need to hear.

No, not want to hear – this is not about copping out.  But what people need to hear. 

What is the message?

Not what is the weakness or where did the control fail. But what is the message. For example, what the impact on the business is, what needs to change.

To get the message across effectively, and achieve the desired outcome, we must find the best way to convey it.

So we need to refocus and fix that.  Importantly, we need to recognize that it is an ongoing improvement journey, trying to get better each time, and continuing to push the boundaries.

You probably do this with all your audit work.

 

4 key questions to ask for each sub-principle

 

2a. Understanding the audience

  • Who is our audience?
  • How long will they have to spend with our output?
  • What is the outcome that we / they want to achieve?
  • What will we need to say, explain and/or show?

 

2b. Focusing on the audit objective

  • Is this going to help us meet the overall audit objective?
  • Is this going to help us prove/disprove the hypotheses?
  • Is there value to the business in exploring this? (Does it conflict with my role as an auditor? Does it feel like I am going too far?)
  • Are we asking a question that should have already been answered? (Would it be better to ask that that question be answered? Should we answer the question once, to show the value in answering it?)

 

2c. Quality assurance

  • Have I checked my own work?
  • Do I have a peer to help check my technical work?
  • Who is going to check that my work makes functional sense?
  • Have we planned for business validation?

 

Are you satisfied with the quality of your data efforts?