Towards an augmented audit service
To be competitive, performing with good quality, improving customer satisfaction, and increasing operational efficiency have become key. Concepts and methods such as Total Quality Management, Six Sigma and Lean have been implemented to manage these demands. Also, ISO management system standards such as ISO 9001 have gained widespread attention and are now implemented by more than one million organisations worldwide. Following this diffusion of ISO management system standards, internal and external audits have become a universal activity in organisations that are certified towards any of these standards. However, audits are reported to have a negative association within many organisations as they are perceived as an inspection activity focusing on compliance and documentation. As a result, management have started to ask for return on investment for the non-negligible costs associated with certification and periodical external and internal audits. The purpose of this thesis is to explore and describe how an organisation can advance the process for internal and external auditing to add value beyond verifying compliance towards a standard. This thesis builds on a qualitative research design and departs from quality management, process management, exploitation and exploration, ambidexterity, and service logic. Data has mainly been collected through interviews and questionnaires.
The three appended papers contribute to the purpose of this thesis by bringing forward examples of how an organisation can operationalise practices for business-relevant audits, but they also point towards possible challenges in the audit process. By abandoning the cyclic audit programme and instead aligning the audit programme to an organisation’s strategies and risks, a more business-relevant audit programme can be established. Furthermore, introducing an audit sponsor for each individual audit establishes a closer connection with management. This practice also enhances customer (auditee) participation, which is a central component in a service logic. However, this closer participation from management may jeopardise auditor independence, which is one of the principles of auditing. Findings also indicate that ISO knowledge is more of a qualifying factor, which means that ISO compliance can be argued to be a primary responsibility for the audit provider, and a resource that the audit provider contributes in the audit process. Further, auditors apply requirements in the management system standard, such as requirements for process control, across various types of processes, even though these processes were characterised as explorative. This indicates that there might be a challenge for auditors in moving between exploitative and explorative processes, which could be a result of auditors lacking organisational knowledge and context-related skills. However, the findings show that this can be mitigated by spending more time in the preparation phase of the audit and by adding experts to the audit team. Finally, implementing new report designs and shortening the time from the closing meeting until delivery of the audit report increases the accessibility of the audit services.