Module 2
Objectives and Phases of Operational Audits
ACELEC 332
Key Objectives of Operational Audits
First, we must determine whose objectives the engagement is intended to address. Internal audit
should be careful not to define the objectives unilaterally. While this may be necessary on certain
occasions, it should not be the prevailing practice; rather, internal auditors should involve
management as much as possible to make sure that the review will meet their needs. The
objectives for the review could be driven by:
1. New rules. Rules can be established internally (e.g., policies and procedures) or externally (e.g., new or
updated laws and regulations), or a combination (e.g., a contract signed by the organization and one or
more external parties).
2. Poor performance. Inefficiencies, waste, rework, or complaints from customers and vendors may trigger
management involvement, resulting in their request to have the matter reviewed by internal audit.
3. Compliance Issues. These can be the result of internal quality control initiatives that identify anomalies.
4. Anomalous revenues or expenses. While an increase in sales is always welcome news, if these figures appear
dubious, internal audit may review the related transactions to verify that they are all legitimate, have been
recorded in the correct amount, and were posted during the correct period.
Phases of the Operational Audit
Like traditional audits, operational audits are also structured in the traditional planning, fieldwork, and
reporting phases. These provide a simple, effective, and time-tested approach to organizing,
performing, and communicating the results of the work done. Following is a description of each of
these phases, and some of the key activities that occur during their performance.
(1) PLANNING
The planning phase includes scoping, budgeting, defining the population of interest, how testing will
be performed, and announcing the audit. Planning is arguably the most important part of an audit.
These are more than mere words: experienced auditors know that poor planning leads to inefficient
auditing practices. Testing activities that could be combined or strategized are instead done one at a
time; selecting and reviewing transactions, which could be done together, is instead done as multiple
steps; and rework is common as procedures are poorly initiated, only to be rearranged and additional
information examined later. Lastly, it also results in poor scheduling of meetings with process owners
and other stakeholders.
The following questions can be very helpful when thinking about risk:
▪ What could go wrong?
▪ How could that unit fail?
▪ Are there any liquid assets that require special care and oversight?
▪ What physical assets are bought and used? How do they need to be protected and used for maximum
effectiveness?
▪ What intellectual or digital assets are used and constitute a key success factor? These might include personally
identifiable information, copyrights, and licenses.
▪ How could someone or something disrupt the operations?
▪ What are the objectives and how do we know if the unit is achieving them?
▪ Where are the people, processes, systems, or assets vulnerable?
▪ On what information do they rely the most?
▪ On what do they spend the most money?
▪ How do they bill and collect revenue?
▪ What activities are most complex?
▪ What activities are regulated?
▪ What is their greatest legal exposure?
▪ What decisions require the most judgment?
▪ How could someone steal from the unit?
▪ What systems are in use?
▪ Who has access to these systems and what activities can they perform using them?
Risk Factors
Risk factors play an important role during planning and during risk assessments. Risk factors are
conditions and other variables that, in their presence or absence, either exacerbate or diminish the
underlying risk. The presence of some factors increases the likelihood or impact of the underlying
risks. On the other hand, the presence of some factors decreases the likelihood or impact of the
underlying risks.
- As employees’ competence increases, the risk of errors, omissions, and other operational problems decreases
because they will be qualified to perform their duties, including control activities.
- Another risk factor is the extent of judgment that can be exercised when performing relevant operational and
control activities. As the extent of judgment increases, the underlying risk of error, abuse, and malfeasance
increases. So, these factors have an opposite effect on the underlying risks.
- An example of a risk factor that moves in the same direction as the underlying risk is the number of
transactions. As the number of transactions of interest increases, the risk of errors and omissions increases.
Typical audit steps for audit programs are shown below:
(2) FIELDWORK
The next phase in the engagement’s life cycle is fieldwork. This phase is when most of the testing is
performed, and it includes interviewing, documenting, applying testing methodologies, managing
fieldwork, and providing status updates. It consists primarily of two things:
1. Determining if the process or program under review is designed effectively so that the related goals and
objectives are likely to be achieved
2. Verifying that the controls in place are performing as designed by management
Types of Audit Evidence
Internal auditors are focused on verifying whether conditions are such that the operation or program
under review is likely to achieve its objectives, and the procedures in place are working as
designed. Deviations and concerns are then communicated through audit reports. During the
review, auditors must substantiate their work, conclusions, and opinions with facts or information
that support their beliefs and can be used to convince others that conditions and practices are as
stated. In other words, auditors gather evidence to support their work and persuade others that
conditions are satisfactory or not.
Testimonial
Testimonial evidence consists of verbal or written statements or assertions given by someone as proof
regarding the matter being discussed. In the case of internal audits, anyone being audited may be
asked to give testimonial evidence during interviews about a variety of topics.
Examples include the steps performed while processing a loan application, how the employee pays
incoming invoices, the procedures to record the purchase of inventory in the accounting system, or
the steps followed when notified that an employee has been hired and access needs to be granted to
the computer systems.
Observation
Auditors typically observe conditions and dynamics related to the subject of the review. The following are examples
of items internal auditors may want to observe and why:
▪ Observe the security measures to prevent unauthorized individuals from entering the facility
▪ Observe the customer service area layout to better understand the flow of customers
▪ Verify that machinery exists and is in working condition
▪ Walk the perimeter of a construction site to confirm there is a fence that restricts access to only authorized individuals
▪ Observe the way that trucks are loaded and unloaded in the warehouse to confirm adherence to safety procedures
▪ Verify that the data center meets temperature and humidity guidelines
The observation can be done in one of two ways:
▪ The auditee knows that the auditor is observing
▪ The auditee does not know that the auditor is observing
Document Inspection
Another common way of collecting evidence is by reviewing documents. In fact, this is one of the most common
procedures performed by auditors who examine documents to verify the date and amount of transactions,
agreements made between various parties, evidence of authorizations and record of decisions made, among
others. The documents can be internal or external.
Recalculation/Reperformance
Mathematical recalculation is a form of audit evidence, and it consists of checking the accuracy of documents or
records. Sometimes auditors reperform the work of others to verify the accuracy and completeness of the work
done, and to confirm that the amount is correct.
An essential aspect of internal auditing is the gathering and analysis of evidence. Evidence is collected to support
the results and conclusions derived from the engagement. The persuasiveness of evidence is defined as the
confidence it gives the auditor when reaching a conclusion.
Professional Skepticism
Although internal auditors are encouraged to use a conversational and participative approach when conducting
their reviews, they must also remember that they are tasked with verifying the integrity of the information gathered
and making sure their conclusions are sound.
When obtaining and using evidence, internal auditors should display healthy professional skepticism and verify the
quality of the information gathered and used. Internal auditors should be sufficiently suspicious of data received
and reasonably verify that the information is free from manipulation or modification in ways that can compromise its
quality.
When there are doubts, the auditor must determine if those conditions make the evidentiary matter too unreliable
for use. Similarly, internal auditors should approach interviews and meetings with sufficient skepticism, always
attempting to verify the information provided, corroborate the testimony received, and observe behavioral
changes that could indicate deceit.
Workpapers
Workpapers are documents created by auditors to record the work done. They are a collection of evidentiary
material showing the planning done, the fieldwork activities performed, and the support for all information
mentioned in the audit report or other communication of results. They are also very useful during training and
professional development, and as mentioned previously, also helpful while planning future engagements.
Since workpapers are so important to the entire audit, they require review by the team leader to show there was
proper supervision. The IIA has issued the following standard regarding audit workpapers.
◦ 2330—Documenting information: Internal auditors must document relevant information to support the conclusions and
engagement results (IIA).
The IIA’s Practice Advisory 2330 states that the goals of workpapers are to:
▪ Document the planning, performance, and review of audit work
▪ Provide the principal support for audit communication such as observations, conclusions, and the final
report
▪ Facilitate third-party reviews and reperformance requirements
▪ Provide a basis for evaluating the internal audit activity’s quality control program
Flowcharts
Another common type of workpaper is the process flowchart. A flowchart is a diagram of the sequence of
movements or actions of people or things involved in a process or activity. They illustrate a business process and
virtually any process can be drawn in the form of a flowchart. Since the shapes are simple and visual, they are
easy to understand.
Some of the key steps to follow when drawing a flowchart are
▪ Identify the steps through consensus
▪ Walk the process and arrange chronologically
▪ Draw using appropriate symbols
▪ Test for completeness (e.g., symbols, loops, dead ends, arrows, and direction)
▪ Look for problem areas as a team
▪ Get sign-off that the flowchart reflects the process
Internal Control Questionnaire (ICQ)
An internal control questionnaire (ICQ) helps to evaluate internal controls in specific areas by asking key questions.
Internal auditors often use ICQs as a starting point and then supplement them with other information gathering and
control evaluation techniques such as flowcharts and document reviews. They are used by process owners to help
them assess their operation.
Condition of Workpapers
Workpapers should be neat, easy to read, easy to review, and their appearance should be
uniform. Most internal audit departments develop templates to standardize their appearance
and key contents. In general, workpapers should include:
▪ Objective of the procedure performed
▪ Source of the information evaluated
▪ Name of the auditor who performed the work
▪ Date when the work was done
▪ Name and date of supervisory review
▪ Details showing the work done
▪ Reference to other supporting documents, such as relevant objectives, risks, and controls
▪ Results of the testing procedure performed
▪ Conclusion
There are many ways that internal auditors can indicate the results of their work for transaction-based testing.
Tickmarks show for each transaction whether the transaction met the criteria applied to the test. For example, if
the auditor selects a sample of transactions, he will examine each of them to verify these four attributes:
1. The amount of the transaction was accurate
2. The transaction shows evidence that it was for a business-related activity
3. The transaction was approved before execution
4. The amount processed was recorded in the corresponding period
Electronic Workpapers
We use the term workpapers to denote the collection of documents related to the planning, fieldwork testing, and reporting
worksheets that lead to the audit report. Many years ago, these items were paper documents, and consisted primarily of
memos and accounting ledgers. These were large lined papers used to document rows and columns of accounting
transactions and, with tickmarks, to note that testing procedures were performed to verify, among other things, the
accuracy, completeness, and timeliness of entries.
(3) REPORTING
The third phase of the audit is the communication of results, often referred to as reporting. It consists
of communicating findings, observations, and best practices noted during the review, and developing
recommendations for corrective action.
Findings are the documentation of deviations from what was expected and form the basis for the audit
report. The term “finding” is falling out of use among an increasing number of auditors, who have found that
their clients resent the label and prefer a term that is less controversial. As such, many auditors are calling
these items “observations.” Other auditors reserve the term “finding” for the more serious reportable
conditions and refer to lower risk items as “observations.” For purposes of our discussion here, we use
the term findings to refer to reportable conditions.
Metrics
People inherently want to do a good job and when properly led and rewarded, will deliver superior
results. Metrics are a great tool to monitor performance and the achievement of organizational
goals. As a result, what matters should be measured, and what is measured should matter.
Unfortunately, many organizations lack reliable data and only use metrics to a small degree. This
limits their ability to know how well or poorly they are doing, and to provide feedback to those
stakeholders affected.
People, Processes, and Technology
Organizations should establish goals that drive their direction, prioritize the allocation of resources,
give employees a sense of mission, and help the organization’s vision become a reality. Consequently,
there are processes designed to facilitate the achievement of these goals, there are people who work
within these processes, and technology and other tools that support both the people and the
processes. This relationship is unbreakable and unavoidable.
Unfortunately, all too often organizations fail to pay sufficient attention to the interdependency between
these elements. A broken process will compromise the achievement of organizational goals. Unskilled
or unmotivated employees will compromise the achievement of these goals. Inadequate or insufficient
technology and tools will also compromise the achievement of these goals. When implementing new
processes, or modifying existing ones, these three elements must be considered and addressed.