
CO2 - AUOPE Handouts - Intro To Ope Audting

An operational audit examines an organization's business processes to identify improvements that increase efficiency and effectiveness. It differs from a financial audit in its purpose, report distribution, and scope. An operational audit focuses on improving future performance, has reports primarily for management, and covers non-financial areas like advertising or production. Auditors evaluate effectiveness by assessing if objectives are met, and efficiency by reducing costs without hurting effectiveness. Operational audits uncover inefficiencies like unnecessary costs, wasted effort, or unused capacity. They aim to improve an organization's achievement of its objectives through more efficient and effective operations.

AUDOPE – CO2 Handouts

CARLOS HILADO MEMORIAL STATE UNIVERSITY


OPERATIONS AUDITING
BSA 3

INTRODUCTION TO OPERATIONS AUDITING

DEFINITION AND CHARACTERISTICS OF OPERATIONS AUDITING

An operational audit is an examination of the manner in which an organization conducts business, with the
objective of pointing out improvements that will increase its efficiency and effectiveness.

Beyond financial auditing activities, internal auditors, government auditors, and CPAs also do operational
auditing, which deals with efficiency and effectiveness of an organization. Other auditors use the terms
management auditing or performance auditing instead of operational auditing to refer to these activities,
while others do not distinguish among the terms performance auditing, management auditing, and
operational auditing and use them interchangeably.

We prefer to use operational auditing broadly, as long as the purpose of the test is to determine the
effectiveness or efficiency of any part of an organization. Testing the effectiveness of internal controls
by an internal auditor may therefore be considered part of operational auditing—if the purpose is to help
an organization operate its business more effectively or efficiently. Similarly, determining whether a
company has adequately trained assembly line personnel may also be operational auditing, if the purpose
is to determine whether the company is effectively and efficiently producing products.

The three major differences between operational and financial auditing are:
1. the purpose of the audit;
2. distribution of the report, and
3. inclusion of nonfinancial areas in operational auditing.

Purpose of the Audit. This is the most important difference. Financial auditing emphasizes whether
historical information was correctly recorded, while operational auditing emphasizes effectiveness and
efficiency. Financial auditing is oriented to the past, while operational auditing focuses on improving future
performance. An operational auditor, for example, may evaluate whether a type of new material is being
purchased at the lowest cost to save money on future raw material purchases.

Distribution of the Reports. Financial auditing reports are typically distributed to external users of financial
statements, such as stockholders and bankers, while operational audit reports are intended primarily for
management. The widespread distribution of financial auditing reports requires a well-defined structure and
wording, as shown in Figure 3-1 on page 47. The limited distribution of operational reports and the diverse
nature of audits for efficiency and effectiveness allow operational audit reports to vary considerably from
audit to audit.

Inclusion of Nonfinancial Areas. Financial audits are limited to matters that directly affect the fairness of
financial statement presentation, while operational audits cover any aspect of efficiency and effectiveness
in an organization. For example, an operational audit might address the effectiveness of an advertising
program or efficiency of factory employees.

Effectiveness versus Efficiency

Effectiveness. In an operational audit for effectiveness, an auditor, for example, might need to assess
whether a governmental agency has met its assigned objective of achieving elevator safety in a city. To
determine the agency’s effectiveness, the auditor must establish specific criteria for elevator safety. For
example, is the agency’s objective to inspect all elevators in the city at least once a year? Is the objective
to ensure that no fatalities occurred as a result of elevator breakdowns, or that no breakdowns occurred?

Efficiency. Like effectiveness, there must be defined criteria for what is meant by doing things more
efficiently before operational auditing can be meaningful. It is often easier to set efficiency than effectiveness
criteria if efficiency is defined as reducing cost without reducing effectiveness. For example, if two different
production processes manufacture a product of identical quality, the process with the lower cost is
considered more efficient. Operational auditing commonly uncovers several types of typical inefficiencies,
including:

Types of inefficiency, each with an example:

• Acquisition of goods and services is excessively costly. Example: Bids for purchases of materials are not
required.
• Raw materials are not available for production when needed. Example: An entire assembly line must be
shut down because necessary materials were not ordered.
• There is duplication of effort by employees. Example: Identical production records are kept by both the
accounting and production departments because they are unaware of each other’s activities.
• Work is done that serves no purpose. Example: Copies of vendors’ invoices and receiving reports are sent
to the production department where they are filed without being used.
• There are too many employees. Example: The office work could be done effectively with one less
administrative assistant.

Relationship Between Operational Auditing and Internal Controls

Management establishes internal controls to help meet its goals. Three concerns are vital to establishing
good internal controls:
1. Reliability of financial reporting
2. Efficiency and effectiveness of operations
3. Compliance with applicable laws and regulations

The organization’s objectives are categorized as follows:


• Strategic objectives are those goals that management sets specifically related to stakeholder
interests. For discussion purposes, the term objectives will be used when discussing what an
organization wants to achieve and the term strategy when discussing the way management intends
to achieve those objectives.
• Operations objectives pertain to the effectiveness and efficiency of the entity’s operations,
including operational and financial performance goals, and safeguarding resources against loss.
• Reporting objectives pertain to internal and external financial and nonfinancial reporting and may
encompass reliability, timeliness, transparency, or other terms as set forth by regulators, standard
setters, or the entity’s policies.
• Compliance objectives pertain to adherence to laws and regulations to which the entity is subject.

Operational audits are distinguished from other types of internal audit by having an objective to review
efficiency, effectiveness, economy and ethics (known as the 4Es). They may also have other objectives
such as assessing compliance with regulation or testing the controls of an information system, but the direct
examination of one or more of the 4Es is what is important. (NOTE: To be discussed in detail in our next
hand-outs on Key Objectives of Operations Audit)

Another term commonly used is performance auditing which has fundamentally the same objective:


Operational Auditing: An audit of the use of resources to assess whether those resources are being used in
the most efficient and effective ways to fulfill an organization’s objectives.

Performance Audit: An audit of the management of an organization, program, or function to identify
whether it is being carried out in an efficient and effective manner and whether management practices
promote improvement.

The term ‘operational audit’ is most commonly used in the corporate sector whereas the term
‘performance audit’ is often used in the public sector. Corporate sector operational audits are conducted
within the organization, while public sector performance audits may be performed by internal audit or by
the external auditor.

Characteristics of Operational Audit

The operational audit is an examination of the way in which an organization conducts its business, in
order to point out improvements that increase its efficiency and effectiveness.

The process is analogous to other types of auditing, such as financial auditing, but with the operational
audit, a much more in-depth investigation of the business is conducted.

It does not focus on a single project or department, because each department plays a role in the overall
operational process and is interrelated with the others.

Operational audits are objective, performed by an internal or external auditor. They provide a new
perspective on the good and not so good aspects of organizational practices and processes.

THE VALUE AUDITORS PROVIDE THROUGH OPERATIONS AUDITING

Value is provided by improving opportunities to achieve organizational objectives, identifying operational
improvement, and/or reducing risk exposure through both assurance and consulting services.

The Value Proposition


The three (3) components of the value proposition are defined as follows:
1. Assurance = Governance, Risk, and Control. Internal audit provides assurance on the
organization’s governance, risk management, and control processes to help the organization
achieve its strategic, operational, financial, and compliance objectives.
2. Insight = Catalyst, Analyses, and Assessments. Internal audit is a catalyst for improving an
organization’s effectiveness and efficiency by providing insight and recommendations based on
analyses and assessments of data and business process.
3. Objectivity = Integrity, Accountability, and Independence. With commitment to integrity and
accountability, internal audit provides value to governing bodies and senior management as an
objective source of independent advice.


RISK-BASED AUDIT APPROACH

Risk is defined as the threat that an event, action or inaction will adversely affect the auditee’s ability to
achieve its mandate and objectives and to execute its strategies successfully.
Risk-based auditing (as discussed in the 2002 Position Statement from the IIA.UK & Ireland) is an approach
that focuses on the response of the organization to the risks it faces in achieving its goals and objectives.

Unlike other forms of audit, it starts with risks rather than the need for controls. It aims to give independent
assurance on the management of risks and ‘to facilitate improvements where necessary’. The scope of audit
assignments undertaken and the priority given to them should be determined by risk, taking full account of
the organization’s own view of risk.

A risk-based approach to audit planning should not mean that the internal audit activity only undertakes
audits of business processes that are considered (by the board, top management and the chief audit
executive) to be of high risk. A proportion of internal audit time should be allocated to undertake audits of
areas of the business not perceived to represent significant risk—in case there are concealed risks in those
parts of the organization.

The process of performing a risk-based audit starts with defining the risk areas. Typically, higher-risk areas
will take longer than lower-risk ones. This is because of the time required to conduct the initial review.
Then, auditors need to implement the plans and prepare reports to document their findings. They must
also be prepared to run threat scenarios with the client before the audit is performed. Once the audit has
been completed, the report will provide the results and recommendations. It is important to note that the
actual risk can be lower or higher than estimated depending on what was found during the audit.


Risk-Based Planning
Here we seek a facilitative, risk-based approach in which we promote risk assessment and review areas of
particular concern. This would involve:
• Corporate board level risk assessment – identify and classify key risks (top ten – risk policy).
• Risk management – assign these risks to responsible managers and ensure they establish a risk
management framework (avoid, accept, transfer, insure, contingency plans and/or controls).
• Operational level CRSA (Control Risk Self-Assessment) programs – where risks are identified
and associated controls reviewed by work groups (for action planning).
• Discussion – talk to management about their risk assessment and key controls that they are
dependent on.
• Risk database – prepare a risk database and isolate areas of high risk and controls that are crucial
to business success, based on the organization’s risk management process in operation.
• Discuss the results with the audit committee and allow corporate and operational risk assessment
to drive the annual audit plans for assurance and consulting work.

We focus on helping the board and management establish good risk management practices and then
review the areas of continuing concern (i.e. high residual risk) – or simply review key areas deemed
critical to business success. The internal audit plan reflects a combination of the supporting role in helping
establish risk management (consulting services) and audits of high risk areas (assurance-based) that have
been identified by the board and senior management through their risk register.

Benefits of Risk-Based Audit Approach


1. The risk-based audit plan is a flexible and effective means of focusing resources on specific areas
that require remediation. It can help ensure the ongoing efficiency of a company’s operations by
ensuring that it meets regulatory requirements.
2. The process is more efficient and effective if the head of an internal audit team is able to
understand the stakeholder’s risk appetite.
3. The risk-based audit approach helps an auditor to manage the risks in an audit and maintain its
quality. It aims to reduce the work of the auditors by focusing on high-risk areas and minimizing
the workload on low-risk ones.


4. The audit can meet the objective of reducing costs and increasing efficiency. It is important to
consider the risks associated with each area, as they affect the overall quality of the audit. So, a
risk-based audit will help you to avoid costly mistakes that will lead to a material misstatement.

IDENTIFYING OPERATIONAL THREATS AND VULNERABILITIES

A threat is any type of danger that can damage or steal data, create a disruption, or cause harm in
general. Common examples of threats include malware, phishing, data breaches and even rogue
employees. A threat is what we are trying to protect against.

A vulnerability is a weakness in hardware, software, personnel or procedures that may be exploited by
threat actors in order to achieve their goals. Vulnerabilities can be physical, such as a publicly exposed
networking device; software-based, like a buffer overflow vulnerability in a browser; or even human, such
as an employee susceptible to phishing attacks. A vulnerability is a weakness or gap in our protection
efforts.

Risk is a combination of the threat probability and the impact of a vulnerability. Risk is the intersection of
assets, threats, and vulnerabilities.

Examples of Operational Risks


• Information technology (e.g., IT management, security, availability)
• Physical assets (e.g., real estate; property, plant and equipment)
• Sales and marketing (e.g., advertising, pricing, customer support)
• People (e.g., recruiting, retention, development)
• Research and development (e.g., market research, product design and development, product
testing)
• Supply chain (e.g., planning, inventory, distribution)
• Hazards (e.g., natural events, terrorist acts)


THE SKILLS REQUIRED FOR EFFECTIVE OPERATIONAL AUDITS

Risk management skills


The ultimate aim of internal auditors is to reduce the overall business and operational risks to which the
company may be vulnerable. This requires a thorough understanding of risk management principles and
their application in the real world.

In addition to identifying risks, internal auditors are also expected to come up with plans and implementation
strategies in order to better control and monitor those risks in the future. This means that the role is not only
about identifying problems but also remedying them.

Problem-solving skills
Internal auditors can come across complex problems on a daily basis. For example, consider a situation
where you need to figure out how to process a massive database of transactions for any errors or intentional
manipulation. As another example, consider a situation where you detect an operational error and have to
devise a mechanism to prevent and control for it in the future.

Such problems require out-of-the-box thinking and the ability to tap into previous experience in order to
solve them. A multidisciplinary approach is usually called for which combines operational, technological,
risk management and business principles.

Accounting experience
Accounting experience is always preferred, as the internal audit function has a lot in common with the role
of accountants. For this reason, most internal auditors have an accounting background or
even professional accounting certifications.

This is not a mandatory requirement in all cases, but it is definitely something that can add value to your CV
as an internal auditor.

Project management skills


Some internal audit tasks can be big enough to qualify as independent projects in their own right. Auditors
must then put on their project management hats in order to effectively plan, execute and report on such
audit missions.

Planning for audit projects starts with understanding the goals of the project, the resources available, the
timelines, manpower needs, cross-department support, external consultants, etc. Once the requirements
are in place, a plan must be drawn up and goals, deliverables, and responsibilities stated.

Then the actual execution begins where the internal audit team must communicate with all other business
functions in order to get the relevant data and other information necessary for them to perform their audit
mission. This is followed by data analysis and other checks and ends with a final audit report prepared for
management.

Product knowledge
In order to successfully audit a business function or process, a deep and thorough understanding of the
underlying product or service is necessary. Some products can be quite complex and internal auditors need
to have the necessary product knowledge to effectively perform their duties.

For example, an internal auditor working at a financial institution may need to have experience with
derivatives, fixed income products, credit risk and so on, while an internal auditor working at a
manufacturing company might need to understand how the head office works, how the factories operate,
how the distribution centers operate, how the sales offices handle their data, how the service centers
perform their roles, what tasks are assigned to third-party vendors and so on.

Regulatory knowledge
Internal auditors look at regulatory reports and also need to audit financial statements and the data that
goes into them. This requires a thorough understanding of local laws related to their business as well as
international accounting and reporting standards.
In addition to all of this, companies also have their own internal guidelines, control mechanisms and
governance rules that need to be followed. All of this necessitates a considerable amount of ongoing
training.

Communication skills
Internal auditors spend a lot of time gathering data and information from other teams and communicating
the result of their audits with management and leadership. Both of these tasks require exceptional verbal,
written and interpersonal communication skills.

Effective communication is necessary in order to get the relevant data from the correct people and at the
right time. Similarly, corporate leadership expects concise and to the point results which internal auditors
must effectively communicate to them.

Data analytics
Internal audit is a rather data-driven function which necessitates the use of advanced computational and
data analytics techniques. This is why many companies now prefer candidates with data analytics and
computational programming experience of some sort. For example, experience in SQL or other database
management tools will be considered quite relevant.

Leadership skills
Internal auditors are expected to lead a team of professionals in order to achieve their goals. This requires
team management, budgeting, task allocation, coordination, conflict management and all the other skills
needed to effectively run a department.

Internal auditors have their own chain of command which can go all the way up to Chief Audit Officer or
Chief Internal Auditor. Going higher up the chain of command means more responsibility, while also offering
more opportunities for professional growth.

INTEGRATED AUDITING


An integrated audit differs from a non-integrated audit in terms of scope and overall complexity. A
traditional audit and an integrated audit differ in scope and depth and breadth of coverage.

For example, a traditional audit may focus on financial or operational aspects while an integrated audit will
take a more global approach that looks at several aspects including, but not limited to, financial, operational,
IT, regulatory, compliance, environmental, and fraud.

The complexity of an integrated audit is directly related to its broader nature, which may require:
• The use of multiple audit techniques to accomplish the desired outcome.
• Increased use of external resources or increased knowledge of staff and additional skill sets.
• Enhanced project management skills to ensure coordination and effective completion of the audit.
• A balanced approach to risk identification and rating, especially with unfamiliar areas that have not
been traditionally reviewed.
• Increased oversight and creativity to think outside the box by the auditor, and communication
among all parties involved in the engagement.
• Changes in the current staffing model.


Advantages of Integrated Audit Approach

• Adopting an integrated audit approach can increase the internal audit activity’s credibility, resulting
in increased relevance of its work and a greater opportunity to be seen as an essential participant
in major projects from the outset.

• Many find that auditors increase their confidence and become more proficient in other facets of the
organization’s operations, increasing their effectiveness.

• Other advantages include increased coverage, improved reporting and more effective risk
assessments and audit planning.

STANDARDS APPLICABLE TO OPERATIONS AUDITING

Standards are principle-focused and provide a framework for performing and promoting internal auditing.

Standards for the Professional Practice of Internal Auditing


The purpose of the Standards is to:
1. Delineate basic principles that represent the practice of internal auditing as it should be.
2. Provide a framework for performing and promoting a broad range of value-added internal audit
activities.
3. Establish the basis for the measurement of internal audit performance.
4. Foster improved organizational processes and operations.

The Standards consist of Attribute Standards (the 1000 Series), Performance Standards (the 2000
Series), and Implementation Standards (nnnn.Xn).


The Attribute Standards address the characteristics of organizations and individuals performing internal
audit activities.

The Performance Standards describe the nature of internal audit activities and provide quality criteria
against which the performance of these services can be measured.

The Attribute and Performance Standards apply to internal audit services in general.

The Implementation Standards apply the Attribute and Performance Standards to specific types of
engagements (for example, a compliance audit, a fraud investigation, or a control self-assessment project).
There is one set of Attribute and Performance Standards; however, there may be multiple sets of
Implementation Standards: a set for each of the major types of internal audit activity. Initially, the
Implementation Standards are being established for assurance activities (noted by an "A" following the
Standard number, e.g., 1130.A1) and consulting activities (noted by a "C" following the Standard number,
e.g., nnnn.C1).

Overview of the Attribute Standards:

1000 - Purpose, Authority, and Responsibility
1100 - Independence and Objectivity
• 1110 - Organizational Independence
• 1130 - Impairments to Independence or Objectivity
1200 - Proficiency and Due Professional Care
• 1210 - Proficiency
• 1220 - Due Professional Care
• 1230 - Continuing Professional Development
1300 - Quality Assurance and Improvement Program
• 1310 - Quality Program Assessments
• 1320 - Reporting on the Quality Program
• 1330 - Use of "Conducted in Accordance with the Standards"
• 1340 - Disclosure of Noncompliance

Overview of the Performance Standards:

2000 - Managing the Internal Audit Activity
• 2010 - Planning
• 2020 - Communication and Approval
• 2030 - Resource Management
• 2040 - Policies and Procedures
• 2050 - Coordination
• 2060 - Reporting to the Board and Senior Management
2100 - Nature of Work
• 2110 - Risk Management
• 2120 - Control
• 2130 - Governance
2200 - Engagement Planning
• 2201 - Planning Considerations
• 2210 - Engagement Objectives
• 2220 - Engagement Scope
• 2230 - Engagement Resource Allocation
• 2240 - Engagement Work Program
2300 - Performing the Engagement
• 2310 - Identifying Information
• 2320 - Analysis and Evaluation
• 2330 - Recording Information
• 2340 - Engagement Supervision
2400 - Communicating Results
• 2410 - Criteria for Communicating
• 2420 - Quality of Communications
• 2430 - Engagement Disclosure of Noncompliance with the Standards
• 2440 - Disseminating Results
2500 - Monitoring Progress
2600 - Management and Acceptance of Risk

ATTRIBUTE STANDARDS


1000 - Purpose, Authority, and Responsibility. The purpose, authority, and responsibility of the internal
audit activity should be formally defined in a charter, consistent with the Standards, and approved by the
board.

1100 - Independence and Objectivity. The internal audit activity should be independent, and internal
auditors should be objective in performing their work.
• 1110 - Organizational Independence. The chief audit executive should report to a level within the
organization that allows the internal audit activity to fulfill its responsibilities.
• 1120 - Individual Objectivity. Internal auditors should have an impartial, unbiased attitude and
avoid conflicts of interest.
• 1130 - Impairments to Independence or Objectivity. If independence or objectivity is impaired
in fact or appearance, the details of the impairment should be disclosed to appropriate parties. The
nature of the disclosure will depend upon the impairment.

1200 - Proficiency and Due Professional Care. Engagements should be performed with proficiency and
due professional care.
• 1210 – Proficiency. Internal auditors should possess the knowledge, skills, and other competencies
needed to perform their individual responsibilities. The internal audit activity collectively should
possess or obtain the knowledge, skills, and other competencies needed to perform its
responsibilities.
• 1220 - Due Professional Care. Internal auditors should apply the care and skill expected of a
reasonably prudent and competent internal auditor. Due professional care does not imply
infallibility.
• 1230 - Continuing Professional Development. Internal auditors should enhance their knowledge,
skills, and other competencies through continuing professional development.

1300 - Quality Assurance and Improvement Program. The chief audit executive should develop and
maintain a quality assurance and improvement program that covers all aspects of the internal audit activity
and continuously monitors its effectiveness. The program should be designed to help the internal auditing
activity add value and improve the organization's operations and to provide assurance that the internal
audit activity is in conformity with the Standards and the Code of Ethics.
• 1310 - Quality Program Assessments. The internal audit activity should adopt a process to
monitor and assess the overall effectiveness of the quality program. The process should include
both internal and external assessments.
• 1320 - Reporting on the Quality Program. The chief audit executive should communicate the
results of external assessments to the board.
• 1330 - Use of "Conducted in Accordance with the Standards." Internal auditors are encouraged
to report that their activities are "conducted in accordance with the Standards for the Professional
Practice of Internal Auditing." However, internal auditors may use the statement only if assessments
of the quality improvement program demonstrate that the internal audit activity is in compliance
with the Standards.
• 1340 - Disclosure of Noncompliance. Although the internal audit activity should achieve full
compliance with the Standards and internal auditors with the Code of Ethics, there may be instances
in which full compliance is not achieved. When noncompliance impacts the overall scope or
operation of the internal audit activity, disclosure should be made to senior management and the
board.

PERFORMANCE STANDARDS

2000 - Managing the Internal Audit Activity. The chief audit executive should effectively manage the
internal audit activity to ensure it adds value to the organization.
• 2010 – Planning. The chief audit executive should establish risk-based plans to determine the
priorities of the internal audit activity, consistent with the organization's goals.


• 2020 - Communication and Approval. The chief audit executive should communicate the internal
audit activity's plans and resource requirements, including significant interim changes, to senior
management and to the board for review and approval. The chief audit executive should also
communicate the impact of resource limitations.
• 2030 - Resource Management. The chief audit executive should ensure that internal audit
resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.
• 2040 - Policies and Procedures. The chief audit executive should establish policies and
procedures to guide the internal audit activity.
• 2050 – Coordination. The chief audit executive should share information and coordinate activities
with other internal and external providers of relevant assurance and consulting services to ensure
proper coverage and minimize duplication of efforts.
• 2060 - Reporting to the Board and Senior Management. The chief audit executive should report
periodically to the board and senior management on the internal audit activity's purpose,
authority, responsibility, and performance relative to its plan. Reporting should also include
significant risk exposures and control issues, corporate governance issues, and other matters
needed or requested by the board and senior management.

2100 - Nature of Work. The internal audit activity evaluates and contributes to the improvement of risk
management, control, and governance systems.
• 2110 - Risk Management. The internal audit activity should assist the organization by identifying
and evaluating significant exposures to risk and contributing to the improvement of risk
management and control systems.
• 2120 – Control. The internal audit activity should assist the organization in maintaining effective
controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
• 2130 – Governance. The internal audit activity should contribute to the organization's governance
process by evaluating and improving the process through which (1) values and goals are
established and communicated, (2) the accomplishment of goals is monitored, (3) accountability is
ensured, and (4) values are preserved.

2200 - Engagement Planning. Internal auditors should develop and record a plan for each engagement.
• 2201 - Planning Considerations. In planning the engagement, internal auditors should consider:
o The objectives of the activity being reviewed and the means by which the activity controls
its performance.
o The significant risks to the activity, its objectives, resources, and operations and the means
by which the potential impact of risk is kept to an acceptable level.
o The adequacy and effectiveness of the activity’s risk management and control systems
compared to a relevant control framework or model.
o The opportunities for making significant improvements to the activity’s risk management
and control systems.
• 2210 - Engagement Objectives. The engagement’s objectives should address the risks, controls,
and governance processes associated with the activities under review.
• 2220 - Engagement Scope. The established scope should be sufficient to satisfy the objectives of
the engagement.
• 2230 - Engagement Resource Allocation. Internal auditors should determine appropriate
resources to achieve engagement objectives. Staffing should be based on an evaluation of the
nature and complexity of each engagement, time constraints, and available resources.
• 2240 - Engagement Work Program. Internal auditors should develop work programs that achieve
the engagement objectives. These work programs should be recorded.

2300 - Performing the Engagement. Internal auditors should identify, analyze, evaluate, and record
sufficient information to achieve the engagement's objectives.
• 2310 - Identifying Information. Internal auditors should identify sufficient, reliable, relevant, and
useful information to achieve the engagement’s objectives.

• 2320 - Analysis and Evaluation. Internal auditors should base conclusions and engagement
results on appropriate analyses and evaluations.
• 2330 - Recording Information. Internal auditors should record relevant information to support the
conclusions and engagement results.
• 2340 - Engagement Supervision. Engagements should be properly supervised to ensure
objectives are achieved, quality is assured, and staff is developed.

2400 - Communicating Results. Internal auditors should communicate the engagement results promptly.
• 2410 - Criteria for Communicating. Communications should include the engagement’s objectives
and scope as well as applicable conclusions, recommendations, and action plan.
• 2420 - Quality of Communications. Communications should be accurate, objective, clear,
concise, constructive, complete, and timely.
• 2430 - Engagement Disclosure of Noncompliance with the Standards. When noncompliance
with the Standards impacts a specific engagement, communication of the results should disclose
the:
o Standard(s) with which full compliance was not achieved,
o Reason(s) for noncompliance, and
o Impact of noncompliance on the engagement.
• 2440 - Disseminating Results. The chief audit executive should disseminate results to the
appropriate individuals.

2500 - Monitoring Progress. The chief audit executive should establish and maintain a system to monitor
the disposition of results communicated to management.

2600 – Management’s Acceptance of Risk. When the chief audit executive believes that senior
management has accepted a level of residual risk that is unacceptable to the organization, the chief audit
executive should discuss the matter with senior management. If the decision regarding residual risk is not
resolved, the chief audit executive and senior management should report the matter to the board for
resolution.

The Institute of Internal Auditors; Standards for Professional Practice of Internal Auditing
Internal Auditing (Assurance & Advisory Services) 4th Edition; Anderson, Head, Ramamoorti, Riddle,
Salamasick, Sobel
Integrated Auditing – Practice Guide; IIA Global
Auditing and Assurance Services – An Integral Approach 14th Edition; Arens, Elder, Beasley
