An organization can feel the pulse of its processes and activities through audits. Even organizations that are not-so-mature rely on audits to get a feel for where things stand.
I will write an elaborate article on audits sometime later this year, but for now, I want to discuss briefly the two kinds of audits that companies employ during the course of operation.
Compliance Audits
Compliance audits are quite common. In fact, many IT-ians are unaware of any kind of audit other than compliance audits – and they simply call them audits.
In simple terms, you have processes and procedures in organizations. The checks that are done to see if the activities are performed as per process are compliance audits. The objective is to verify if the process practitioners are conforming to what must be practiced.
Audits are meant to be reactive in nature, and compliance audits fall in line (as they should).
Let me consider an example. A particular process states that Person A moves the car to a particular spot in the parking lot, Person B cleans the windshields and windows, Person C cleans the tires and the body, and Person D dries the vehicle.
The person auditing the process checks if the designated people are doing the activities they are responsible for. If Person B goes a step ahead and cleans the tires as well, the auditor would consider it a process non-compliance. As I mentioned earlier, the objective of audits is to check whether the processes are being followed to the word.
There is a provision for the auditor to go the extra mile and provide his comments if he feels that a process step is not logical or that it can be enhanced. This is called an observation.
OK. I have started blabbering too much about compliance audits; I want to keep all the details for another time. Let me move onto the next kind, which is not as popular.
Adequacy Audits
I consider adequacy audits the pro-active partner in the auditing business, although many auditors would reject this, saying that audits are always reactive and there is no room for pro-activeness.
Adequacy audits look at the bigger picture. They keep an eye on the target, and audit the processes, guidelines, policies, supporting material and all other material that would aid in moving the outcomes towards the target.
The purpose is to check if these documents are adequate to achieve what needs to be achieved. While compliance audits take place on the forefront, adequacy audits are mostly done in the backend.
Let me consider the same car cleaning process example. During this audit, I would not be checking who is doing what, but I would look at the output. What do I need at the end of the process? A clean car! By moving the car to the parking lot, is it clean enough? Can this be done somewhere less dusty, like indoors? What are the policies that we have for car cleaning, like the kind of shampoo one has to use or the brand of duster? Is this equipment helping the cause? What clothes do the cleaners need to wear to ensure no dust rub-off takes place during transfers? You get the idea, right?
Why do I consider adequacy audits pro-active?
During adequacy audits, I am not observing the process activities, but what surrounds the process. Even before the process is set in motion, are the things that are in place adequate? I am not waiting for the process to move before commenting. I am pro-actively looking at the bigger picture, analyzing things that are set in place, and drawing conclusions.
It is true that this audit is done after the processes, guidelines, policies, etc. are drafted, but my point of view is to check if they are ample.
Where do you stand?