All based in the cloud. Reduce your audit and admin timings today
Maximising Assurance Through Audit Methodology and Technology
A case study on how Komatsu Oceania’s Risk and Assurance Department combined their audit methodology and iSystain’s technology to significantly decrease audit preparation and administrative time.
Case Study Introduction
At Komatsu’s recent Global Internal Auditor meeting, held in Milwaukee, Shane Hubble, Komatsu Oceania’s Risk and Assurance Manager, amazed his peers with the scope, coverage and integrity of the assurance activities delivered over the past few years by Komatsu Oceania’s small team of three.
Naturally there was a great deal of interest in how this was achieved. This case study discusses how, under Shane’s leadership, the combination of experience, progression, methodology and technology delivered a result in efficiency and effectiveness beyond expectation.
CORRECTIVE ACTIONS PER YEAR
BRANCH AUDITS PER YEAR
BRANCH AUDIT DAYS PER AUDIT
Lead by Shane Hubble, Komatsu’s Risk and Assurance team of Shane, Balaji Jallipalli and Rose Kizana manage the assurance objectives for 5 Komatsu entities, across 60 significant sites in Australia, New Zealand, and New Caledonia.
One aspect of the assurance coverage is to assess sites’ compliance to key policies, better practices, regulatory requirements, and assess high-rated risk areas at each site. This is performed in the Branch Audit process. Branch Audits cover compliance, policy awareness, culture, HSE, financial results, sales and procurement processes and asset verification.
One of the objectives of Shane’s team is to provide assurance to the executives, Board of Directors and stakeholders that controls are in place to ensure each site meets their objectives.
These objectives include:
1. People and Safety, 2. Compliance with laws, regulations, policies and Komatsu rules, 3. Quality, 4. Customer, stakeholder and staff satisfaction; and 5. A return to shareholders.
Each year, every significant site in Australia, New Zealand and New Caledonia (60 sites), completes a Branch Audit self-assessment using the Control Self-Assessment audit instrument and the Risk and Assurance team selects 25 of these sites to visit for onsite verification audits.
This means the Risk and Assurance team have a total of 85 audits to schedule, support, advise and report on. They also need to review non-conformances, assign and monitor corrective actions and monitor action close out.
Aside from the administration burden, the team struggled with the usual errors and version control issues associated with working with and maintaining multiple spreadsheets. The spreadsheet-based audit template versions were also difficult to manage across the broad scope, resulting in some lack of consistency and a large amount of time being spent to ensure accuracy. Additionally, all non-conformances had to be actioned, and those actions tracked to completion. Tracking and managing the completion and effectiveness of up to 600 actions at any time was a challenge.
Prior to combing their audit methodology with iSystain’s technology the time spent on activities by Shane’s team looked like this: 4 days for the 25 audits completed by the Risk and Assurance Team + 2 days for the 60 site Controlled Self-Assessment Audits totalling 220 days. Now the team spend 1.5 days on the 25 they complete + 0.5 for the 60 CSAs, totalling 68 days. This has delivered a time saving of 152 days, a significant amount for a team of 3.
Overall Audit Management
Since implementing iSystain’s Audit module, Shane and his team have cut the time spent on audit preparation and delivery time by 150 days per year. What used to take the team two to four days now takes less than one.
Audit Preparation Activities
The preparation time spent on each audit has reduced by 2.5 days per audit. The most useful preparation functions are the scheduling tools, site audit notifications which include a link to their online audit instrument, as well as access to previous audit details and the status of their actions.
Corrective Action Management
Even more impressive has been the time saved managing audit non-conformance actions and scoring each audit. Where creating, assigning, tracking and closing out actions and scoring the audit used to take two days, these tasks are now automated and take less than one hour per audit. This allows the auditor to complete, discuss and email the final audit report to the manager, while on site, this has increased buy-in dramatically. The audit question level action configuration option, Audit Action Plan Review and editing tools and automated action assignment function and scoring models are key to this improvement.
How it was achieved
In 2015, Shane joined forces with the Komatsu National HSE Team to review software platforms for their integrated objectives. The iSystain platform was selected and Shane and his team consulted with iSystain to identify the best configuration approach.
They started by converting their spreadsheets into a centralised Audit Instrument Library for reusable audit instruments linked to audit scheduling and reporting functions. Due to the flexibility of the instrument development options, they were able to build both English and French instructions into the same instrument.
The next step was converting their complicated previously manually maintained formulas and drop lists into individual Scoring Models. iSystain was able to handle the many types of scoring models Komatsu needed to reflect the weighting and selection options required to apply the materiality and risk profile of each of the assessment items in the audit instrument. These Scoring Models were linked to the individual requirements in the Audit Instrument.
Then, they defined the workflow process and roles required to automate the audit scheduling, instrument deployment, completion tracking and communications across the organisation.
The entire process was road tested with the sites and feedback integrated as quickly as possible. At every step, Shane, Balaji and Rose remained conscious of the need to engage and support the sites as they changed from the familiarity of spreadsheets to a new software technology.
Once the system was live, improvements to the audit preparation, communication, audit status and results monitoring were quickly realised. The automatic creation of the audit instrument with all the information and scoring options during the deployment step immediately saved significant time and reduced errors. The centralisation of the corrective actions improved visibility and tracking of close out status.
However, they were still creating actions in iSystain manually, and Shane and his team were keen to explore a way of automating this action creation step. Working with the iSystain design team, led by Jenni Mulligan (an experienced assurance auditor herself), they focused on a design that would deliver the automation and valuable action guidance, but not clog up the system with actions that had not been reviewed and vetted in the broader context of Komatsu’s activities.
They designed an action review and editing ‘staging view’ that was created once the audit was completed. When the site or audit team completes an Audit, the Assurance team are notified and taken to this staging view, where they can delete any repetitive actions, select or modify actions, or adjust completion dates before the Actions are created and Actioners notified.
This controlled creation of actions provides Komatsu with the ability to review and adjust actions on site with the team as part of the close out meeting. When Shane’s team completes an onsite audit, they are now able to show management their site score and allocate the remedial action plans on the day of the audit, before leaving the site.
From there, each action is tracked to completion with the option to send reminders to action owners to complete or update the status automatically from the system. The ability to report on the status of actions directly via iSystain is also very helpful for reviewing and managing large volumes of actions.
A Winning Combination of Methodology and Technology
Since Shane’s presentation to his international peers earlier this year, Komatsu has shown interest in extending the use of iSystain and Shane’s methodology in other regions, such as South America and Africa.
Meanwhile, Shane and his team are embarking on the implementation of iSystain’s Enterprise Risk and Governance modules. Following the same approach of combining modern and practical methodologies and frameworks with effective technology, they seek to continue to contribute to Komatsu’s competitive advantage by providing stakeholders with even more assurance.
About Komatsu Oceania
Komatsu is an industry leader in the supply and service of earth moving equipment and other associated significant production value products. Through advanced innovative technology solutions and highly capable people Komatsu is at the forefront of building a sustainable future for its customers, its people and the communities in which it operates. Komatsu is focused on its People Powered Technology and is driven by the success of its Customers and its People. Komatsu employ over 3,400 people across their Oceania operations (covering Australia, New Zealand, New Caledonia and Indonesia).
iSystain is a cloud-based software suite designed to measure and manage your corporate responsibility and sustainability reporting activities. iSystain's flexible framework centralises all safety, environment, community and social impact data collection and reporting needs. Underpinned by a configurable workflow engine iSystain's business process modules such as Risk, Audit, Events, Sustainability, Community Investment, Compliance, Supplier and Governance work together to drive our Clients beyond data collection and reporting to action and improvement.
Shane has over 15 years internal audit, compliance and enterprise risk management experience and is currently the Head of Internal Audit & Risk at Komatsu Oceania. Shane’s passion is in assisting companies to manage and understand the various enterprise risks that may hinder their objectives. Shane is a Professional Fellow of the Institute of Internal Auditors (IIA) and a volunteer IIA NSW Council Chapter Member. Shane holds a Bachelor of Management, is a Chartered Accountant and a Certified Internal Auditor.
Jenni Mulligan, iSystain Co-founder and Principal Consultant
Jenni has worked with over a 100 companies across the globe helping them drive sustainable development, demonstrate corporate responsibility, and manage risk to health, safety, environment and the community. Throughout her career, she has been a passionate and well-respected management systems auditor and coordinated several global and national assurance programmes. Jenni’s experience, learnings and expertise has been incorporated into the Audit solution to ensure it is user friendly for auditors and delivers value and insight for businesses.