implementing value-added auditing, levels 1 & 2
In this article, we will discuss each of the four steps (Managing, Planning, Conducting and Reporting), of Value-Added Auditing (VAA) and the corresponding activities that fulfill these steps. We have broken these activities down into levels to help ensure that VAA is sustainable and it is producing tangible results. This article will address the first two levels of all four steps.
Step 1: Managing the VAA
Senior leadership and board level commitment are essential for successful VAA. Implementing VAA in an environment with anything less then this commitment will fail. The benefits of a true VAA program are measureable. Benefits can include increased efficiencies, financial benefits, enhanced patient safety, increased competitive position in your market, cultural benefits and assurance of compliance with applicable rules and laws.
Activity 1- Senior Management Commitment (Board Level & C-Suite)
This is paramount for success. ISO 9001:2015 requires a deeper leadership engagement.
Level 1: Tone at the Top- No commitment, no VAA. It’s that simple
Level 1: Focus on regulatory, competition, customers, risk, projects and operational effectiveness & efficiency
Level 2: Includes level 1 and it adds the linkage of operational to financial processes during the VAA
Activity 2- An audit “lead” is identified and will have ultimate responsibility for the VAA. This is an executive level position with this responsibility. VAA is a new level of auditing and requires leadership from the executive level.
Level 1-2: Strategic & tactical responsibilities should be established.
Activity 3- Audit Staff is identified. Your current auditors should be included and consider adding auditors with business office knowledge, revenue cycle and risk. This may include staff to assist in the VAA through activities other than auditing (such as analysts).
Level 1: Basic competency gained from a previous internal audit training course
Level 2: Adds basic business and operational process knowledge
Level 2: Deeper knowledge of technical standards such as NIAHO, NFPA, OSHA & ISO
Activity 4- Value-Added Auditor requirements are specific for those who will be conducting the VAA.
Level 1: Demonstrate principles of auditing from ISO 19011
Level 2: Ability to discover relevant and accurate information. These are proven auditors with a history of meaningful findings
Level 2: These auditors understand risk and can speak with a strong degree of authority regarding risk management topics
Level 2: VAA auditors need to have experience and understanding of systems thinking.
Activity 5- Organizing the VAA function is the first operational step for success.
Level 1- 3: VAA has more horsepower and higher visibility; therefore effective planning the VAA process is foundational for success.
Level 1- 3: Determine the lead auditor responsibilities
Level 1- 3: Establish reporting system with the organization
Step 2: Planning the VAA
Planning properly enhances assurance and reduces the likelihood of asking uninformed questions, chasing false leads, missing risk, not understanding controls, too much time in less significant areas, missing operational deficiencies, overemphasizing minor deficiencies, staying in comfort zone and auditing in circles. Effective planning is essential.due to the enhanced nature of a VAA.
Activity 1- VAA Preparation
Level 1-4: Determine the scope of the audit and dates/times
Level 1-4: Assemble the audit team, based on competence and availability
Activity 2- Understand the audit and business objectives, specifically for the process or area audited.
Level 1: Determine the audit objectives (begins with finding conformance to requirements and should grow to include efficiencies, cost of quality, etc.)
Level 2: Adds alignment of audit objectives to business objectives (are we auditing what’s important?)
Activity 3- Notify auditee of date, time and what processes will be audited
Level 1-2: Notification and share the expectations of the audit
Activity 4- Understand auditees’ processes and documentation
Level 1-2: Document review, previous audit results, CA/PA
Level 1-2: Applicable standards review
Level 1-2: Vertical process analysis (understand how the process to be audited interacts with higher level and lower level processes and objectives
Level 1-2: Additional preparation needed to complete when there is no documentation (procedures, SOP’s, etc.) to audit against.
Activity 5- Develop Audit Plan
Level 1: Describe the deliverable(s)…begin with an end in mind.
Level 1: Create work breakdown structure (who will audit where, when, etc.) This will help prevent scope creep
Level 1: Identify resources and timeline
Level 2: Identify audit risks and constraints. A powerful, necessary step to help ensure audit objectives are achieved.
Level 2: Align with strategic objectives. This is likely a significant change, and this is foundational in VAA. How does the audited process align vertically with organizational objectives?
Activity 6- Develop Audit Survey, a tool to assist the auditor in preparation for the VAA. This activity is most important in complex organization, systems and processes.
Level 1-2: Create a simple list of questions from planning to establish a foundation of basic system/process understanding.
Step 3: Conducting the VAA
Conducting a Value-Added Audit (VAA) is more complex and thorough than a typical QMS audit. Value-Added audits are completed by a much more competent auditor who will plan and conduct a comprehensive audit that covers a such items as: organizational maturity, process capability, risk-based thinking, effectiveness of controls, vertical objectives and cost of quality as well as the traditional QMS audit items. The sampling process must also create the confidence level necessary to achieve audit objectives.
Activity 1- Assess the organizational maturity in the system and process audited.
Level 1-2: Use the Capability Maturity Model (CMM) with traditional levels of maturity (Ad hoc, repeatable, defined, managed and optimizing).
Activity 2- Assess process capabilities
Level 1-2: Breakdown the process into traditional components: inputs, activities (who, what, how and metrics) and outputs. Review available data to best assess how capable the process is performing as intended.
Activity 3- Assess system/process risk
Level 1: Evaluate the appropriate risks (enterprise/business, process, product/service and people)
Level 1: Assess risk management maturity in the system/process
Activity 4- Evaluate control effectiveness to achieve intended results
Level 1: Determine the degree of process conformance to requirements; is there data demonstrating that we are meeting requirements?
Level 1: Determine the degree of process non-conformance; is there data demonstrating that we are not meeting requirements?
Level 2: Determine the degree of meeting process objectives
Level 2: Determine the degree of meeting organizational objectives (from vertical process analysis).
Activity 5- Assess evidence gathered to ensure that findings created would be received with confidence.
Level 1-2: Gather sufficient evidence (based on risk) by interview, observation or documented information of primary process(es) audited
Level 1-2: Make a reasonable determination of evidence authenticity through verification (risk-based sampling methods)
Activity 6- Create findings based on the evidence gathered.
Level 1-4: Compare evidence to criteria to create findings (conformance, non-conformance, opportunity for improvement or innovation)
Level 1-4: Classify findings based on levels of importance (risk, repeat finding, etc.)
Activity 7- Conduct exit meeting
Level 1-4: Conduct a formal exit meeting with agenda and invite leadership and auditees if appropriate
Level 1-4: Share the findings based on evidence gathered and gain agreement from organization
Level 1-4: Determine the date for completion and delivery of the final report.
Step 4: Reporting VAA results
The audit report will be the documented information that summarizes the audit findings and can be used to close out the audit and possibly to begin activities for corrective action, improvements or innovations. VAA incorporates the Senior Leadership and the Board of Directors; therefore they should be apprised of the VAA results. Due care is exercised when creating and sharing this report as some information may be considered confidential.
Activity 1- Communicate Audit results to appropriate parties
Level 1-4: Take due care to capture all findings in report in clear, concise, objective, constructive and timely fashion
Level 1-4: Board and Senior Leadership should receive the report first
Level 1-4: Communicate in a language appropriate to the reader(s)
Activity 2- Determine report format (this may have been determined with the organization in the planning step.
Level 1-4: VAA report must add value to customer
Level 1-4: Report format may be agreed upon before the actual audit
Level 1-4: Report should include audit findings, Cost of Quality data, benchmarking opportunities, resources used, status of audit objectives achieved during the audit and potential improvements or innovations. Items requiring urgent response should be easily identified.
Activity 3- Correct, prevent, predict and preempt
Level 1-4: Corrective and Preventive actions identified in the report must be initiated.
Level 1-4: VAA should identify trends by means of sampling and help the customer predict certain risks.
Level 1-4: Organizations will take preemptive actions to mitigate risks
Activity 4- Maintain audit records
Level 1-4: The final audit report will become documented information and maintained per customer requirements.
Level 1-4: Auditor notes should also be maintained with the report
Level 1-4: Confidentiality must always be maintained.
Thank you for your interest and time to read all the way to here. The next article on VAA will discuss Levels 3 and 4. Here we dive into a deeper perspective of adding value through auditing. I am passionate about what I do and I would welcome the opportunity to learn more about you and the journey your hospital is taking to enhance your internal audit program. I can be reached by email at tschmidt@bluesynergyassociates.com or you can call me at 1-844-424-7825. Your comments are always welcome.
Stay safe,
Ted
Step 1: Managing the VAA
Senior leadership and board level commitment are essential for successful VAA. Implementing VAA in an environment with anything less then this commitment will fail. The benefits of a true VAA program are measureable. Benefits can include increased efficiencies, financial benefits, enhanced patient safety, increased competitive position in your market, cultural benefits and assurance of compliance with applicable rules and laws.
Activity 1- Senior Management Commitment (Board Level & C-Suite)
This is paramount for success. ISO 9001:2015 requires a deeper leadership engagement.
Level 1: Tone at the Top- No commitment, no VAA. It’s that simple
Level 1: Focus on regulatory, competition, customers, risk, projects and operational effectiveness & efficiency
Level 2: Includes level 1 and it adds the linkage of operational to financial processes during the VAA
Activity 2- An audit “lead” is identified and will have ultimate responsibility for the VAA. This is an executive level position with this responsibility. VAA is a new level of auditing and requires leadership from the executive level.
Level 1-2: Strategic & tactical responsibilities should be established.
Activity 3- Audit Staff is identified. Your current auditors should be included and consider adding auditors with business office knowledge, revenue cycle and risk. This may include staff to assist in the VAA through activities other than auditing (such as analysts).
Level 1: Basic competency gained from a previous internal audit training course
Level 2: Adds basic business and operational process knowledge
Level 2: Deeper knowledge of technical standards such as NIAHO, NFPA, OSHA & ISO
Activity 4- Value-Added Auditor requirements are specific for those who will be conducting the VAA.
Level 1: Demonstrate principles of auditing from ISO 19011
Level 2: Ability to discover relevant and accurate information. These are proven auditors with a history of meaningful findings
Level 2: These auditors understand risk and can speak with a strong degree of authority regarding risk management topics
Level 2: VAA auditors need to have experience and understanding of systems thinking.
Activity 5- Organizing the VAA function is the first operational step for success.
Level 1- 3: VAA has more horsepower and higher visibility; therefore effective planning the VAA process is foundational for success.
Level 1- 3: Determine the lead auditor responsibilities
Level 1- 3: Establish reporting system with the organization
Step 2: Planning the VAA
Planning properly enhances assurance and reduces the likelihood of asking uninformed questions, chasing false leads, missing risk, not understanding controls, too much time in less significant areas, missing operational deficiencies, overemphasizing minor deficiencies, staying in comfort zone and auditing in circles. Effective planning is essential.due to the enhanced nature of a VAA.
Activity 1- VAA Preparation
Level 1-4: Determine the scope of the audit and dates/times
Level 1-4: Assemble the audit team, based on competence and availability
Activity 2- Understand the audit and business objectives, specifically for the process or area audited.
Level 1: Determine the audit objectives (begins with finding conformance to requirements and should grow to include efficiencies, cost of quality, etc.)
Level 2: Adds alignment of audit objectives to business objectives (are we auditing what’s important?)
Activity 3- Notify auditee of date, time and what processes will be audited
Level 1-2: Notification and share the expectations of the audit
Activity 4- Understand auditees’ processes and documentation
Level 1-2: Document review, previous audit results, CA/PA
Level 1-2: Applicable standards review
Level 1-2: Vertical process analysis (understand how the process to be audited interacts with higher level and lower level processes and objectives
Level 1-2: Additional preparation needed to complete when there is no documentation (procedures, SOP’s, etc.) to audit against.
Activity 5- Develop Audit Plan
Level 1: Describe the deliverable(s)…begin with an end in mind.
Level 1: Create work breakdown structure (who will audit where, when, etc.) This will help prevent scope creep
Level 1: Identify resources and timeline
Level 2: Identify audit risks and constraints. A powerful, necessary step to help ensure audit objectives are achieved.
Level 2: Align with strategic objectives. This is likely a significant change, and this is foundational in VAA. How does the audited process align vertically with organizational objectives?
Activity 6- Develop Audit Survey, a tool to assist the auditor in preparation for the VAA. This activity is most important in complex organization, systems and processes.
Level 1-2: Create a simple list of questions from planning to establish a foundation of basic system/process understanding.
Step 3: Conducting the VAA
Conducting a Value-Added Audit (VAA) is more complex and thorough than a typical QMS audit. Value-Added audits are completed by a much more competent auditor who will plan and conduct a comprehensive audit that covers a such items as: organizational maturity, process capability, risk-based thinking, effectiveness of controls, vertical objectives and cost of quality as well as the traditional QMS audit items. The sampling process must also create the confidence level necessary to achieve audit objectives.
Activity 1- Assess the organizational maturity in the system and process audited.
Level 1-2: Use the Capability Maturity Model (CMM) with traditional levels of maturity (Ad hoc, repeatable, defined, managed and optimizing).
Activity 2- Assess process capabilities
Level 1-2: Breakdown the process into traditional components: inputs, activities (who, what, how and metrics) and outputs. Review available data to best assess how capable the process is performing as intended.
Activity 3- Assess system/process risk
Level 1: Evaluate the appropriate risks (enterprise/business, process, product/service and people)
Level 1: Assess risk management maturity in the system/process
Activity 4- Evaluate control effectiveness to achieve intended results
Level 1: Determine the degree of process conformance to requirements; is there data demonstrating that we are meeting requirements?
Level 1: Determine the degree of process non-conformance; is there data demonstrating that we are not meeting requirements?
Level 2: Determine the degree of meeting process objectives
Level 2: Determine the degree of meeting organizational objectives (from vertical process analysis).
Activity 5- Assess evidence gathered to ensure that findings created would be received with confidence.
Level 1-2: Gather sufficient evidence (based on risk) by interview, observation or documented information of primary process(es) audited
Level 1-2: Make a reasonable determination of evidence authenticity through verification (risk-based sampling methods)
Activity 6- Create findings based on the evidence gathered.
Level 1-4: Compare evidence to criteria to create findings (conformance, non-conformance, opportunity for improvement or innovation)
Level 1-4: Classify findings based on levels of importance (risk, repeat finding, etc.)
Activity 7- Conduct exit meeting
Level 1-4: Conduct a formal exit meeting with agenda and invite leadership and auditees if appropriate
Level 1-4: Share the findings based on evidence gathered and gain agreement from organization
Level 1-4: Determine the date for completion and delivery of the final report.
Step 4: Reporting VAA results
The audit report will be the documented information that summarizes the audit findings and can be used to close out the audit and possibly to begin activities for corrective action, improvements or innovations. VAA incorporates the Senior Leadership and the Board of Directors; therefore they should be apprised of the VAA results. Due care is exercised when creating and sharing this report as some information may be considered confidential.
Activity 1- Communicate Audit results to appropriate parties
Level 1-4: Take due care to capture all findings in report in clear, concise, objective, constructive and timely fashion
Level 1-4: Board and Senior Leadership should receive the report first
Level 1-4: Communicate in a language appropriate to the reader(s)
Activity 2- Determine report format (this may have been determined with the organization in the planning step.
Level 1-4: VAA report must add value to customer
Level 1-4: Report format may be agreed upon before the actual audit
Level 1-4: Report should include audit findings, Cost of Quality data, benchmarking opportunities, resources used, status of audit objectives achieved during the audit and potential improvements or innovations. Items requiring urgent response should be easily identified.
Activity 3- Correct, prevent, predict and preempt
Level 1-4: Corrective and Preventive actions identified in the report must be initiated.
Level 1-4: VAA should identify trends by means of sampling and help the customer predict certain risks.
Level 1-4: Organizations will take preemptive actions to mitigate risks
Activity 4- Maintain audit records
Level 1-4: The final audit report will become documented information and maintained per customer requirements.
Level 1-4: Auditor notes should also be maintained with the report
Level 1-4: Confidentiality must always be maintained.
Thank you for your interest and time to read all the way to here. The next article on VAA will discuss Levels 3 and 4. Here we dive into a deeper perspective of adding value through auditing. I am passionate about what I do and I would welcome the opportunity to learn more about you and the journey your hospital is taking to enhance your internal audit program. I can be reached by email at tschmidt@bluesynergyassociates.com or you can call me at 1-844-424-7825. Your comments are always welcome.
Stay safe,
Ted