Where’s the Money? Adding Value Using the Universal Yardstick

by J.P. Russell

Proving system and process auditing is a value-added service has been a topic of considerable interest recently.

The truth is sometimes auditing will never be value added, other times it could be, and a few times it will always be.

In the quality world, we audit systems and processes by comparing what is actually done to what is required or promised. Auditors may audit against government regulations and management system standards such as ISO 9001 and derivative standards such as AS9100, TS 16949 and TL 9000.

Many management system standards require the system to be effective and continually improving. None of the standards require organizations to improve efficiency. In fact, none require organizations to be efficient.1

How can organizations continually improve without involving efficiency? Ever since the transformation of the quality field from inspection to W. Edwards Deming’s never-ending improvement, quality improvement has been about narrowing variation and reducing waste.

Few system standards require reduction of waste or optimal use of resources. Yet, most of the proponents of standards and system auditing want us to believe the implementation of management systems benefits organizations and promotes improvement. The dichotomy is that neither system standards nor audits require or provide adequate guidance to improve the efficiency of organizations and optimize use of resources.

For system and process auditors to find the money, they must first start looking for it. Since the regulations and standards don’t require it, the organization must have a strategy or objective to benefit from the audit process.

Finding the money is not limited to for-profit organizations. Nonprofit organizations should be interested in reducing resources needed to achieve a result (i.e., do more with less). My personal experience with some nonprofit organizations, however, is that they have yet to embrace this concept.

Nonfinancial Monitoring

Interestingly, the Institute of Internal Auditors (IIA) fits system and process auditing into what can be called nonfinancial monitoring. Even though system or process auditors may monitor quality, environmental, and safety management systems, the scope of their audits does not include evaluating financial results such as those found on an income statement.

A recent article in Internal Auditor magazine says although the majority of executives surveyed (249 executives and board members around the globe) cite nonfinancial factors as critical to corporate success. Only about one-third are proficient at monitoring them.2

The article continues, “Executives expressed a need for more nonfinancial information on their companies’ ability to satisfy customers, deliver quality products and services, operate efficiently, and develop new products and services.”

Almost 75% of the executives said they were under increasing pressure to monitor nonfinancial performance. Wow —what an opportunity for the nonfinancial auditors! What if the world army of system and process auditors could fill the gap and show how their findings contribute to the financial side as well?

System and process auditors (i.e., nonfinancial auditors) already monitor what executives say they need more of. However, there seems to be a disconnect between the inefficiencies or opportunities system and process auditors report and the bottom line on the income statement.

System and process auditors are in the perfect position to show top management the money by reporting inefficiencies as well as nonconformances (noncompliances). The money is found by identifying poor process performance indications (i.e., rework, rejects/waste, waiting time, travel of excessive distance, and deviations).3

The whole idea of connecting financial and nonfinancial information is at the root of the Sarbanes-Oxley requirements. Companies are going through exhaustive reviews of line items on financial statements when what they really need to do is compare what is reported to reality:

  • Salespeople know whether they have customers.
  • Business managers know where the money comes from and goes to.
  • Shipping people know whether product is being shipped.
  • Project people know what was built.

Once I audited a transportation company. While I was in the yard looking at rigs and talking to drivers, I went around a corner and saw a huge field filled with abandoned trucks and trailers. There must have been 100 of them. This was not a conformance or performance issue; it was a financial issue.

My immediate thought was, “What is the value of the trucks and rigs on the books and why are they still here?” One way to prop up the assets of the organization would be to revalue the trucks to $10 million dollars. But inflating the value of an asset would be a bad thing and represent risk to the organization. If the trucks and rigs were fully depreciated and written off, there would be a potential windfall from selling used trucks and parts.

William G. Parrett, CEO of Deloitte, who was quoted in the IIA article, said, “It takes more than tracking financial performance to properly mind the store.”4

Most system and process auditors don’t have the financial knowledge or experience to conduct an effective Sarbanes-Oxley type of audit. Neither do most internal financial auditors have the system and process knowledge and experience to conduct an effective process or system audit. Why not team up and perform joint audits? Why not learn from each other?

Reason-Pain Matrix

A tool called the reason-pain (RP) matrix links money with the system and process auditor findings.5 Some organizations have been using this tool for several years to find the money. With it, you should be able to link money to every audit finding. If a finding cannot be linked to organization cost-opportunity-risk (COR), then why address it? Every finding should be linked to management’s COR interests.

In Table 1, I have provided a modified example of an RP matrix for one of 12 facts supporting an audit finding. The other 11 facts and findings are not included in this article.

If audit evidence cannot be linked to COR interests, you should drop it or simply comply because it is the law. This should result in the law being modified to provide more flexibility or the rule being rescinded because it doesn’t make sense and is consuming valuable resources.

 Make Recommendations

Auditors can also point out where the money is by making recommendations—not on how to fix what was found but on opportunities for improvement.

Recently I gave a class in Baltimore, and when I suggested auditors should report process or system improvement opportunities, a student said, “Oh no, I was told to never make recommendations because this was a conflict of interest.”

I explained it would be a conflict of interest only on a subsequent audit when auditors recommend how to fix a finding, nonconformity, or noncompliance. It is OK to report inefficiencies as opportunities for improvement if it is agreed upon as part of the audit purpose.

Compliance Example

Many executives consider compliance to a standard or regulation as the cost of doing business. This conclusion is not entirely true because failure to comply could result in loss of customer goodwill and increases in insurance premiums and legal fees.

Even in a compliance audit, there is money to be found. For example, an eyewash station is found to be in disrepair and nonfunctional. A work order must be issued, and about $400 in labor and materials is needed to get the station working again.

Most of the money for this finding comes from risk avoidance. Let’s assume there was a spill or splash and an employee needs the eyewash station to avoid injury. Multiplying the average settlement cost for partial loss of vision or loss of vision in both eyes by the probability it will occur gives the loss of money that can be avoided. Increased insurance premiums could be avoided. And, last, what is the cost of a good preventive maintenance program compared to leaving the eyewash station in disrepair?

In this instance, system and process auditors can be proactive while financial auditors merely react to the cost of insurance and settlements as a result of personal injury.

ISO 9000’s Image

The ISO 9000 family of standards has a compliance image. This is partly because that is what most executives could relate to when it was implemented and partly because the quality and project managers who wanted an ISO 9001 system sold it to executives as being necessary to sell in the European Union Common Market. In reality, ISO 9001 compliance has never been required to market products, except for some safety related ones, anywhere in the world.

Perhaps partly because of this image problem, ISO 9000’s new definitions differentiate between conformance and compliance. Now, ISO 9001 certified or registered organizations conform to instead of comply with requirements.

Because many executives don’t associate compliance with performance, they don’t expect auditors to be able to find the money. Organizations should work to change the image of system and process monitoring and require auditors to tell them where the money is.

Where is the money? It is all around us. We just need to point it out.


  1. In After the Quality Audit (Quality Press, second edition, 2000, p. 113), co-author Terry Regel and I define efficiency as “the relationship between the result achieved and resources used” (ISO 9000) and efficient as “accomplishing objectives and goal with optimal use of resources.”
  2. Salierno, “Update: Nonfinancial Monitor Falls Short,” Internal Auditor, February 2005, p. 16.
  3. P. Russell, Continual Improvement Assessment, ASQ Quality Press, 2004, p. 56.
  4. Salierno, “Update: Nonfinancial Monitor Falls Short,” see reference 2.
  5. P. Russell and Terry Regel, After the Quality Audit, ASQ Quality Press, 2000.

About the author

J.P. Russell is an ASQ Fellow and a voting member of the American National Standards Institute/ASQ Z1 committee. He is a member of the U.S. Technical Advisory Group to Technical Committee 176, the body responsible for the ISO 9000 standard series. Russell is the managing director of the internationally accredited Quality Web-Based Training Center for Education, www.jprlearning.com, an online auditing, standards, metrics, and quality tools training provider. A former RAB and IRCA lead auditor and an ASQ Certified Quality Auditor, Russell is author of several ASQ Quality Press bestselling books, including Process Auditing Techniques; Internal Auditing Basics; ISO Lesson Guide 2015: Pocket Guide to ISO 9001:2015; and he is the editor of the ASQ Auditing Handbook.

This article first appeared in the ASQ June 2005 Quality Progress Standards Outlook column. Some concepts presented may be outdated. However, the message of the article is relevant today.