An essential step early in the internal audit cycle is gaining familiarity with the process that will be reviewed. Two challenges faced with virtually every audit are the limited knowledge of the stakeholders involved and inadequate understanding of the process itself. Drawing flowcharts with swimming lanes often help ameliorate these issues because these diagrams show the activities performed and the identities of those performing the activities. However, even flowcharts often fail to incorporate other critical components, such as the essential contributors to the process and key supplies for effective product and service delivery.
As internal auditors apply risk-based auditing techniques to their reviews and increase their focus on the needs of customers to achieve organizational aims, it is essential to gain a panoramic understanding of the process. This must be done effectively during the Planning Phase, or the entire review could result in poor outcomes. A SIPOC Diagram can be very helpful in that regard because it identifies the participants, summarizes the process, and lists the inputs and outputs produced. A SIPOC diagram is a tool every internal audit team should consider using to identify the relevant elements of a process before fieldwork begins.
SIPOC is an acronym that stands for suppliers, inputs, process, outputs, and customers. These items form the columns of the matrix and preparing the diagram is very easy. It can be done using flipchart paper, standard notepad paper, directly on a computer using word processing or presentation software, or Post-it notes.
• Suppliers: List the organizations, departments or individuals that provide the inputs required by the process.
• Inputs: List the objects, materials or data that enter the process
• Process: Draw a high-level, four to nine-step, map of the process
• Outputs: List the outputs the process produces
• Customers: Identify the customers that will receive the process outputs
The SIPOC Diagram is particularly useful when defining the scope of the review because it can give internal auditors a high-level overview of the process. All of the elements captured in the SIPOC Diagram are important to understand what the internal auditors are going to review fully. Failing to do so can result in a poorly-defined scope during planning, or limit the team’s ability to understand the process during fieldwork effectively.
SIPOC Diagrams can also help perform a stakeholder analysis, so the key participants in the process are identified. It will help avoid the exasperating situation encountered when deep into the audit cycle someone asks: “Did you talk to so-and-so about this?” Or “Did you know that if X is unavailable, Y performs that task?”. The interactions among the stakeholders involved can help define risk exposures, the size of the operation and related audit coverage needed, and customer requirements. Some stakeholders share in the benefits a company creates, while others bear the risks that are generated as a result of the organization’s activities. Internal auditors should be aware of both.
The following are some key questions internal auditors should ask before every engagement, and the SIPOC Diagram can help answer them:
• Who supplies the inputs the process requires?
• What is supplied and what material or informational inputs enter the process?
• How critical are these inputs to the effective functioning of the program or process?
• What does a high-level breakdown (or flowchart) of the process look like?
• What does the program or process produce?
• Who are the customers of the process?
• What are the requirements of the customers?
In addition to these questions, further analysis of each of the components can provide valuable assessment information too. For example, the location of the suppliers can provide some insights into the length of the supply chain, the risk of foreign currency conversion, and political risk. Suppliers and customers may be internal or external to the organization that performs the process, so all of this is vital information that can inform the auditor about the size, spread, and complexity of the network. Inputs and outputs may be materials, services, data or information, so gaining an understanding about these, can help define the role IT plays during integrated audits.
The SIPOC Diagram is a very simple yet very useful and powerful tool. The time spent preparing it will greatly enhance the value obtained from every internal audit. Good outcomes are the result of effective planning, and SIPOC Diagrams are a great tool to help in that regard.
If you would like to know more about SIPOC Diagrams and other tools and techniques, please join Dr. Murdock when he teaches Lean Six Sigma Skills for Auditors, High-Impact Skills for Developing and Leading Your Audit Team, and Internal Audit School.