Uploaded by Garu Taro

OpAudi 1-3

AUDI 26-OPERATIONS AUDITING
Compliance Audit
CHAPTER 1
A compliance audit is an audit engagement in
which the goal is to determine whether an organization
is adhering to the terms of a contract or certain rules and
regulations.
Introduction to Operations Auditing
AUDIT
It is a systematic process of objectively obtaining
and evaluating evidence regarding assertions about
economic actions and events to ascertain the degree of
correspondence between these assertions and
established criteria, and communicating the results
thereof. (American Accounting Association)
Comparison of Different Types of Audit
Characteristics of Audit
• Audit is a systematic process
• Objectively Obtain and Evaluate evidence about assertions
• It ascertains the degree of correspondence between assertions and established criteria
• Communicating results to interested users
Operational Auditing
- A future-oriented, systematic, and independent
evaluation of organizational activities.
Types of Audit
According to Data/assertion
1. Financial statement audit
2. Operations audit
3. Compliance audit
According to Auditor
1. External Audit
2. Internal Audit
3. Government Audit
Financial Statement Audit
Financial audit is an objective examination and
evaluation of the financial statements of an organization
to make sure that the financial records are a fair and
accurate representation of the transactions they claim to
represent.
- A review of how an organization’s management and
its operating procedures are functioning with respect
to their effectiveness and efficiency in meeting stated
objectives.
Internal Audit


undergoing a massive transformation
Its role is to provide independent, objective
assurance and consulting services to organizations
in ways that improve their operations.
Institute of Internal Auditors (IIA) in 1941
•
Operations Audit
A systematic process of evaluating an
organization's effectiveness, efficiency and economy of
operations under management's control and reporting
to appropriate persons the results of the evaluation
along with recommendations for improvement.
Evolved to adapt its personality, purpose and
approach to the changes taking place in the field
of management and organizational behavior
Operations Auditing
• Defined as a future-oriented, systematic, and independent evaluation of organizational activities.
Key Languages
1. Independence
• Has to do primarily with the position of internal
audit within the organization’s hierarchy.
• Should report to audit committee on the BOD
• Should not be under control of those they audit
2. Objectivity
• related to the auditors’ frame of mind and their
ability to examine documents, processes and
program without bias, without agenda and
without other motive.
• Conflicts of interest are one of the biggest
threats to objectivity
3. Assurance
• Ability to give confidence and make statements
Four Main Reasons Why Organizations Report:
a. provide shareholders more transparency
b. gain competitive advantage
c. improve risk management capabilities
d. respond to stakeholder pressure
4. Consulting
• Giving advice to management and board, and
engaging activities.
• Address performance on how to improve
organizational programs, process and activities.
8. By bringing a systematic, disciplined approach
• Approach followed when performing work.
• Encapsulated in the Standards, the Practice
Guides and Practice Advisories, which provide
a great deal of guidance on how to plan,
execute, and communicate results.
9. To evaluate and improve the effectiveness
• Evaluating business dynamics and writing
reports that merely list the problems identified.
The definition indicates that we evaluate, but also help
to improve the organization’s ability to achieve the goals
and objectives related to:
a. Risk Management
• Refers to the identification, measurement,
assessment, and response to risks.
b. Control
• those activities that mitigate relevant risks and
helps the organization avoid surprises.
c. Governance Process
• wide subject that includes matters related to
organizational structure, reporting lines, span
of control, resource allocation, accountability
measures, discipline, and reward mechanism.
The Other Parts of the Definition
Operational auditing is a future-oriented,
independent, systematic, and business-focused
evaluation of management.
Also involves evaluating management’s performance.
May also be concerned with the structure of the
organization
Purpose of operational auditing is to improve
organizational profitability and the attainment of
management of organizational objectives.
5. Designed to add Value
• If the add value in their organization, they
unanimously raise their hands in agreement.
6. Improve an Organization’s Operations
• Many auditors see their roles as that of
checking things and verifying the accuracy of
various items and activities.
7. Help an organization accomplish its objectives
• Controls-based auditing
• Look for controls within the process then check
them to see if they are present and operating.
• Often forget to link those controls to the
relevant risks.
The Risk-Based Audit


Engaging in risk-based auditing means that the internal
auditor must exercise and apply a broader view of
organizational risks.
Accounting and financial risks are only a limited number
of the risks faced by organizations (risks of delays, waste,
inefficiency, poor customer service, system failures,
etc.).
Performing risk-based audit requires more
brainstorming, more interaction with process
owners and more in-depth understanding of the
organization’s business.
Auditing Beyond Accounting, Financial, and Regulatory
Requirements
Over time, business leaders and managers witnessed
business failures caused by poor management decisions
and practices.
• Operations Management
- Some related issues are waste, inefficiencies,
supplies arriving late, etc.
• Human Resource
- Poorly supervised, trained, and evaluated
employees who become unmotivated and
unproductive.
• IT
- Computer systems designed with inaccurate
understanding of the business needs
• CSR
- Issues from child labor, sweatshop conditions,
abusive management….
• Environmental Health and Safety (EHS)
- Practice and conditions related to poor ventilation,
excessive heat….
The Value Auditors Provide
Internal auditors
• Not always regarded as highly as they should be.
• Promote the efficient and effective use of resources.
• Making sure that duties are defined, structures are
set to ensure behaviors are aligned with objectives
and making recommendations to the board and
senior management.
• Serve the public and common interests.
Stakeholders categorized as Economic/Primary and
Noneconomic/Secondary.
Economic or Market Stakeholders (Primary)
• Characterized by having monetary exchange.
• Engaged in transactions with the company as it
carries out its primary purpose of providing society
with goods and services.
• Employees, customers, creditors and suppliers are
economic stakeholders.
Noneconomic, Nonmarket Stakeholders (Secondary)
• People, groups, or organizations that, though not
engaging in direct economic exchange with the firm,
are affected by or can affect its primary activities
and decisions.
• General public, government, social activist groups,
the media, and business support groups belong to
secondary stakeholders.
Identifying Operational Threats and Vulnerability
Future-Oriented Threats and Vulnerability




Operational
- maintaining operational capacity, speed of
execution, staffing levels, employee motivation,
knowledge transfer, etc.
Technological
- protection of intellectual property and
personally identifiable information, denial of
service attacks, and business continuity due to
staff turnover, etc.
Strategic
- concerns related to strong customer and vendor
relations, customer loyalty, building effective
business partnerships, outsourcing arrangements,
etc.
Environmental
- include reliable supply of water and electricity,
achieving a lower carbon footprint and reducing
the amount of natural resources used during business
activities.
Cycle Time- amount of time it takes to complete
one task
The IIA Research Foundation Internal Audit Capability
Model (IA-CM) can be used to assess the internal audit
department’s current condition and also as a visioning tool,
helping to draft the course and expectations for the
internal auditing functions.
Internal Audit Capability Model (IA-CM)
LEVEL 1: INITIAL

Cycle time = net production time / number of units produced
Net production time = total production time – downtime
Skills Required for Effective Operational Audits
According to IIA Research Foundation Core
Competencies Report, the following are the top
general competencies of internal auditors.
1. Communication Skills
2. Problem Identification and Solution Skills
3. Ability to promote the value of internal audit
4. Knowledge of industry, regulatory and
standards changes
5. Organization skills
6. Conflict resolution/negotiation skills
7. Staff training
8. Accounting frameworks, tools, and techniques
9. Change management skills
10. IT/CT framework, tools, and techniques
11. Cultural fluency and foreign languages
Ad hoc/isolated audits
- Internal audit function is unstructured and
operates in an ad hoc manner (as needed or
necessary)
- Performs isolated audits for accuracy and
compliance
- Audit team is often part of a separate
organizational unit with no established
capabilities or infrastructure to support the
function.
LEVEL 2: INFRASTRUCTURE

Compliance Auditing
- IA function focuses on compliance audits
- Evaluate conformity and adherence with
internal policies, laws and regulations.
LEVEL 3: INTEGRATED

Advisory Services
- IA provides guidance and advice to management.
- Add value without the auditor assuming
management responsibility.
- Services are directed toward facilitation rather
than assurance.
- IA focuses on team building and competency,
developing a professionally qualified staff and
effective workforce coordination.
LEVEL 4: MANAGED

Overall Assurance
- IA provides overall assurance on governance,
risk management and control, contributes to
the development of the organization’s
management etc.
- Coordinates its activities to be sufficiently
comprehensive and provide reasonable
assurance at a corporate level.
LEVEL 5: OPTIMIZING

Change Agent
- IA is recognized as key change agent
- Continuously improving its professional
practices
- It plans its workforce needs strategically and
maintains effective ongoing relationships with
other units within the organization.
2420- Quality of Communications
Effective Communications’ Attributes
1. Accurate – no mistakes or errors in the info
presented.
2. Objective – focused on facts and informed
judgment, no bias involved, and results are
neither inflated nor understated.
3. Clear - easy to understand and interpret.
4. Concise - brief by using only as many words as
necessary.
5. Constructive – helping the organization
improve its activities and promote
advancement through excellence.
6. Complete- nothing relevant or important
missing.
7. Timely – issued promptly because the value of
the message decreases with time.
CHAPTER 2
4 Key Objectives of Operational Audit
1. New Rules
• Can be established internally/externally
• Can also be a result of voluntary adoption
2. Poor Performance
• Inefficiencies, waste, rework or complaints
from customers and vendors
3. Compliance Issues
• Identify anomalies
• Identify instances of noncompliance at org
• Internal audit may investigate conditions
• Help monitor the situation
4. Anomalous Revenues or Expenses
• Internal audit may review the related
transactions to verify if they’re all legitimate
• Unusually high or low, or questionable
expenses are likely to result in the request
for thorough review.
Phases of Operational Audit
(planning, fieldwork, reporting, follow-up)
• PLANNING
• Scoping
- Scope in/ scope out
- Include relevant material
- Exclude irrelevant immaterial
• Budgeting
• Defining the problem
• How the testing will be performed
- Audit procedures
• Announcing Audit
o Understanding the audit universe
- Separate working paper
1. Company background
2. Understanding business process
3. Gathering/Obtaining SOP
Audit Universe - consist of all auditable activities such
as accounts, processes, programs and functions.
KYC- Know Your Client (External Audit)
SOP- Standard Operating Procedures
o Audit Schedule/ Time Frame
o Risk Assessment
- To know how testing will be performed
Operational Audit Styles/ Approach
A. Value for Money Auditing (VFM)
- Makes extensive use of key performance
indicators to explore the cost of achieving
standards of efficiency economy and
effectiveness and whether these costs
represent good value.
B. Benchmarking
- Different department
- Different company with similar industry
- Comparison of one’s own performance in a
specific area.
Objectives:
a) Maintaining competitive advantage
b) Establishing current methods
c) Ensuring future survival
d) Maintaining awareness of customer
expectation
e) Ensuring that the organization has
appropriate approach to quality issues
Risk Factors
- Conditions and other variables that in their
presence, or absence.
- Presence of some factors decreases
likelihood or impact of the underlying
risks.
Employee is competent if:
• Market experienced
• Educational background
• Length of time
Audit Procedures and Their Meaning
1. Verify
- Confirm, prove or corroborate that a fact is
true
2. Trace (source to destination-completeness)
- Involves tracing a transaction from the
source to its destination
- Could be financial, operational, regulatory
report.
3. Vouch
- Involves the reverse-trace
- Transaction from destination to source
4. Reconcile
- Info from two separate sources to verify
accuracy
5. Foot (vertical)
- Add the items in column
6. Cross-foot (horizontal)
- Add the items in row
7. Observe/Tour
- Observe and note physical conditions
8. Inspection
- Viewing, examining
9. Confirmation
- Obtaining evidence
10. Analytical Procedures
- Study of plausible relationship among
financial and nonfinancial data
11. Inquiry
- Used extensively throughout the audit
• FIELDWORK
- Most of the testing is performed
- Includes interviewing, applying testing
methodologies, managing fieldwork, and
providing status updates
- Execution of audit procedures
Types of Audit Procedures
1. Testimonial
- Consist of verbal or written statements
Types:
• based on personal knowledge
- individual state of his own
• hearsay
- based on what was heard
2. Observation
- Observe conditions and dynamics
related to the subject of review.
Examples of items IA wants to observe:
• Security measures
• Customer service area layout
• Verify machinery exists
• Walk perimeter of construction site
• Verify data center meets temperature
Observation can be done in 2 ways:
1) Auditee knows that the auditor is observing
2) Auditee doesn’t know that the auditor is
observing.
3. Document Inspection
- One of the most common procedures
performed by auditors
- Verify the date and amount of
transactions, agreements, evidence…
Chapter 3
Risk Assessments
- Process of identifying, measuring and analyzing
risk relevant to program or process.
- Systematic, iterative, and subject to both
quantitative and qualitative inputs and factors
- Dependent on the timeframe of the review.
Types of Document
• Internal
- Invoices produced
- Memos
- Reports
- Policy statements
• External
- Invoices received
- Bank statements
- Confirmation statements
- Credit reports
• Combination
- Contracts
4. Recalculation/ Reperformance
- Mathematical recalculation is a form of
audit evidence
- Consist of checking the accuracy of
document’s records.
- Verify the accuracy and completeness
of work done.
Reasons to Perform Recalculation
• Depreciation expense
• Overtime hours
• Billing amount
• Relevance
• Objective vs subjective
• Documentation
• Externality
• Sample size
• Sampling method
• Corroboration
• Timeliness
• Authoritativeness
• Directness
• Adequacy of controls
Audit Evidence- gives confidence to auditors.
Identification of Risks
- Key aspect of any risk assessment
Operational Risk Types
Capacity
- Inability to produce as many units as required
- Process generating excessive amounts of waste
- Producing too many defective parts
- Delivering ordered goods or services
- Inability to provide high quality service
Strategic
- Failing to maintain beneficial relationships
w/customer
- Computer system’s inability to support the
operating unit’s needs
- Lack of funding
- Knowledge drain
- Failure to respond
Compliance
- Failure to meet external requirements
- Failure to meet internal standard operating
procedure (SOP) requirement
- Failure to meet combined requirements
Natural Environment
- Energy supply disruption
- Damage from fire, water, and natural disaster
- Inability to secure needed sources
Political
- Changes in legislation or regulation
- Social unrest triggered
Internal constraints typically include
Equipment
- Types of equipment available
People
- Lack of skilled and motivated workers
Policies
- Can prevent process from producing more of
higher quality goods and services.
- Less likely to cause any significant harm
Critical- moderate- significant damage or harm
- May cause some very short disruptions
- There is significant injury to staff
- Could result in moderate loss of assets
Severe-high-serious damage or harm
- May cause significant disruptions or
suspensions in operations
- May cause significant injury or death of workers
- Difficult to manage
Catastrophic-very high- critical- extreme damage
or harm
- Long term suspension of operations or possible
office or program disclosure
- Concern about imminent loss of life
- Very difficult or impossible to manage
Measurement of Risks
- After risks have been identified, they must be
measured.
- Can be either subjective or quantitative
- Subjective measures are driven by participants’
experience and intuition about the risks.
- Used a three-point scale of high-medium-low
Expanded Likelihood Ratings
Unlikely-very low
- Considered as not having a realistic probability
- Very little exposure to the threat
Remote-low- somewhat likely
- Have a reasonable probability of occurring and
affecting organization
- Has some but limited exposure to threat
Possible- moderate- likely
- Have a fairly high probability of occurring and
affecting organization
- Has a reasonable amount of exposure to threat
Impact- effect of the risks
Likelihood- probability of risks
Expanded Impact Ratings
Negligible- very low
- Very little damage or harm
- No disruption in operations
Marginal- low- minor damage or no harm
- No significant disruptions
Very likely- high
- Have very high probability of occurring and
affecting organization
- High amount of exposure to threat
- Very weak security measures
Certain or imminent- very high
- Imminent and expected to occur
- Extremely high exposure to threat
- Lack/absence of security measures
The Risk Matrix
- Widely used and highly effective tool to record
and analyze the objectives, risks, and controls