
Notes in Ele Oa

The document discusses the evolution and current state of internal auditing, highlighting its transformation to better meet organizational needs and stakeholder expectations. It emphasizes the shift from traditional accounting-focused audits to a broader risk-based approach that includes operational, technological, and strategic evaluations. Additionally, it outlines the necessary skills for auditors and the importance of adapting to changing business environments and stakeholder demands.

Uploaded by

A. rshe

NOTES IN ELE OA: OPERATIONS AUDITING

CHAPTER 1: Definition, Characteristics, and Guidance

Internal audit is undergoing a massive transformation
• Its provision of independent and objective assurance and consulting services to organizations remained constant for decades.
• The means to accomplish the provision of assurance and consulting services changed over time.
• Internal auditors adapted to the theories that created systems whereby centralization, a defined hierarchy, distinct authority levels and reporting lines, clear rules, and division of labor were the norm.
• Standardization was the norm as internal audit adapted to this approach.
• This search for consistency resulted in the proliferation of the following:
  o checklists;
  o standard audit programs; and
  o procedures.
• The audit function focused on assessing an organization’s control or operational effectiveness with this standardization.

The risks of standardization
• The focus on standardization limited the auditor’s ability to think creatively, which was considered a concealed risk (from the 1960s to the 1980s).
  o Creative thinkers were not sought for nor gravitated toward the profession.
  o Internal auditors isolated themselves from the businesses they examined and were supposed to support.
  o Some auditors abstained from creating recommendations to improve the weaknesses they identified.
• Businesses were changing due to globalization, technological advancements, relentless competition, and a new social, demographic, and financial landscape.
  o Standardization was no longer the norm (e.g. manufacturing companies moved to different countries).
• Internal auditors missed these changes and were slow to adapt to the changing landscape.
  o Most of them recommended changes to the business based on traditional business models.

External audit and internal audit
• Internal audit became an offshoot of external audit which excessively focused on accounting transactions and the process of preparing financial statements.

Changes in the internal audit function
• During the 1990s, internal audit changed, which brought it more in line with the true needs of the organizations it serves and the related stakeholders.
• The stakeholder theory, topics on corporate governance, quality, and cycle time emerged. Moreover, advocacy works of the Institute of Internal Auditors (IIA) also brought changes.
• The dot-com meltdown in 2000/2001 and the enactment of the Sarbanes-Oxley Act of 2002 were wake-up calls for the profession.

Current issues in the internal audit function
• The State of Internal Audit 2013 report from Thomson Reuters Accelus states that most internal audit departments continue to focus primarily on process assurance and monitoring activities.
• The report also indicated that there is a lack of skilled resources due to the changing role of internal auditors away from traditional quantitative assessments and toward becoming a qualitative assessor of the organization’s goals and strengths.

Definition and characteristics of internal auditing
• It is a future-oriented, systematic, and independent evaluation of organizational activities. Financial data may be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives. Internal controls and efficiencies may be evaluated during this type of review.
• It is also defined as a review of how an organization’s management and its operating procedures are functioning with respect to their effectiveness and efficiency in meeting stated objectives (Business Dictionary).
• Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance process (Institute of Internal Auditors).
  o This definition creates a variety of challenges and opportunities for internal auditors, who are no longer engaged in a static, routine, repetitive, and accounting/finance-focused activity.
  o Internal auditors are assigned to review business programs, processes, and initiatives in innovative ways that can add tangible value to the organization.

Key language in the definitions
1. Independence
2. Objectivity
3. Assurance
4. Consulting
5. Designed to add value
6. Improve an organization’s operations
7. Help an organization accomplish its objectives
8. By bringing a systematic, disciplined approach
9. To evaluate and improve the effectiveness

The Risk-Based Audit
• Engaging in risk-based auditing means that internal auditors must exercise and apply a broader view of organizational risks.
• This requires more brainstorming and interactions with process owners, a more in-depth understanding of the organization’s business, and a mechanism to address past, present, and future vulnerabilities and scenarios that threaten the achievement of business objectives.

Risk defined
• A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.
• Examples of risks: accounting and financial risks, risk of delays, waste, inefficiency, poor customer service, excessive customer and employee turnover, poor quality data, and system failures.

Auditing beyond accounting, financial, and regulatory requirements
• The focus and experience of internal auditors were required in the accounting field, and audit matters were taken through the lens of accounting standards. Moreover, compliance with regulatory requirements was also given focus by internal auditors.
• There is a need to focus on the following:
  o Operations management
  o Human resources
  o Information technology
  o Marketing
  o Corporate social responsibility
  o Environmental Health and Safety
• There is an increase in stakeholder demands for advisory and consulting activities.
• Internal auditors have risen to the challenge by embracing a methodology that goes beyond accounting and more closely aligns itself with the recurring business risks and practices.

The value auditors provide
• It is imperative that organizations operate with the principle of financial fiduciary responsibility.
• Internal auditors provide:
  o assurance that the duties of the employees are aligned with the interests of the main stakeholders;
  o the structures set to ensure behaviors are aligned with these objectives; and
  o recommendations to the board and senior management when there are discrepancies.
• Internal auditors serve the public and common interests by making sure that owners receive the return on their investments that they are entitled to and that the means of generating profit are within the confines of the law.

Economic or market stakeholders
• Characterized by having a monetary exchange between the company.

Stakeholder | Interest | Power
Employees | Employment stability, fair pay, safe workplace environment | Bargaining power, strike, lawsuits, and publicity
Suppliers | Regular orders for goods & services, payment | Refuse to take orders, supply to competitors
Customers | Value and quality for money, safe & reliable products | Order from competitor, boycott, payment refusal
Creditors | Payment for loans, collect debts with interests | Lawsuits to demand payment, repossession of assets
Investors | Satisfactory return on investment, value appreciation | Voting rights, inspect company records and reports

Non-economic, non-market, secondary stakeholders
• These are people, groups, or organizations that, though not engaging in direct economic exchange with the firm, are affected by or can affect its primary activities and decisions.

Stakeholder | Interest | Power
Governments | Economic development, taxes | Laws, regulations, licenses, permits
Media | Public information, monitoring of company actions | Publicizing events that affect the public, create public opinion
Activists | Monitor company actions for ethical & legal behaviour | Lobbying government for regulations, gaining public support
Business Support Groups | Research & information to improve competitiveness | Use staff to help companies, provide legal & political support
Communities | Ensure local development, employ local residents | Lobbying for government regulations & issuing operating licenses
General Public | Minimize risks, achieve the prosperity for society | Supporting activists, pressing the gov’t. to act, praising or condemning companies

Identifying Operational Threats and Vulnerabilities
• Focusing on future events and future implications of present events adds more value.
• These future-oriented threats and vulnerabilities can be the following:
  o Operational
  o Technological
  o Strategic
  o Environmental
• These threats can be evaluated in the medium and long terms but also beyond national borders of the company’s country of operations.
• The mandate to address emerging and evolving risks is clear. Risks are emerging at an unprecedented pace, and stakeholders’ impatience with surprises is evident (IIA 2015 Global Pulse of Internal Audit, Embracing Opportunities in a Dynamic Environment).

The skills required for effective operational audits
• According to the IIA Research Foundation Core Competencies Report, the following are the top general competencies of internal auditors.
  o Communication skills, such as oral, written, report writing, and presentation skills
  o Problem identification and solution skills, such as conceptual and analytical thinking
  o Ability to promote the value of internal audit
  o Knowledge of industry, regulatory, and standards changes
  o Organization skills
  o Conflict resolution/negotiation skills
  o Staff training and development
  o Accounting frameworks, tools, and techniques
  o Change management skills
  o IT/CT* framework, tools, and techniques
  o Cultural fluency and foreign language skills
• The three common core competencies an internal auditor must possess are:
  o Communication skills
  o Problem identification
  o Solution skills
• To acquire these skills, internal auditors must do the following at the individual level:
  o Reflect on their present competencies, identify their job needs, and perform a gap analysis to meet their current skill requirements.
  o Define their career ambitions and chart a roadmap to acquire the skills and competencies needed in the future.
• Communication skills are also essential not only as it relates to fellow auditors, but also process owners and operators.
• At the internal audit unit level, the department should perform a skills analysis to identify their present skill repertoire, and those needed to perform audit and other reviews competently in the next 3–7 years.
• The IIA Research Foundation Internal Audit Capability Model (IA-CM) can be used to assess the internal audit department’s current condition and also as a visioning tool, helping to draft the course and expectations for the internal auditing function.

Integrated auditing
• Business changes, resources change, and risks change, so both operations and IT must adapt and continually improve to support the business and mitigate risks to acceptable levels.
• These are characterized by the simultaneous inclusion of business and IT subjects in review.
• Public accountants will perform a review of accounting and/or financial controls which include the following assertions: occurrence, completeness, accuracy, classification, existence, and valuation of accounting and financial information.
• Moreover, it is important to remember the key objectives of financial audits:
  o Ascertain whether in all material respects, the income statement and the statement of cash flows accurately and reliably reflect the activities during the fiscal year.
  o Ascertain whether in all material respects, the balance sheet shows the condition of the organization as of the last day of the fiscal year.
• IT auditors will perform highly technical IT reviews, involving matters like database configuration and security, user authentication, operating system reliability, and network perimeter security.

CHAPTER 2: Objectives and Phases of Operational Audits

Drivers of review objectives
1. New rules – can be established internally, externally, or a combination of both.
2. Poor performance – inefficiencies, waste, rework, or complaints from customers and vendors.
3. Compliance issues – may result from internal quality control initiatives that identify anomalies. This can help monitor the situation and verify that follow-through on corrective actions takes place in anticipation of future additional compliance reviews.
4. Anomalous revenues or expenses – internal audit may review and verify if the related transactions are legitimate.

Phases of the Operational Audit
Planning the Audit
• Scoping, budgeting, defining the population of interest, how testing will be performed, and announcing the audit.
• This is the most important part of the audit.
• Planning begins with the performance of a risk assessment that allows the Chief Audit Executives (CAEs) to prepare an audit plan based on the results of an analysis of the organization’s audit universe.
  o Audit universe – consists of accounts, processes, programs, and functions within an organization as well as the risks associated with their ability to achieve their objectives.
• The risk assessment is done at the enterprise level.
• This must be done with the senior management and the board of directors.
• This will generate a strategic plan and an audit plan.
  o Audit plan – identifies what the internal audit function will review based on available resources.
• Tasks in audit planning include:
  o Communicating with the corresponding process owner about the timing of the review;
  o Requesting needed financial and operational reports and documents;
  o Coordinating staff availability, identifying the systems in use; and
  o Defining the scope, objectives, work schedule, and budget for the engagement.
• The risk assessment should identify auditable activities, relevant risk factors, and relative significance or consequence and likelihood or the probability of those risks.
• The auditor should consider other risks such as operational, legal liability, corporate image, industry specific, compliance, and IT-related risks.
• Internal auditors should focus on the review of activities and other exposures with the highest significance and likelihood of harming the organization. They also add value to the organization through the adoption of a risk-based approach and their broad skillset and knowledge of the organization.
• Proactive auditors will look beyond isolated negative events and also look for interdependencies that management’s strategic objectives and resources have.
• Risk factors are conditions and other variables that in their presence or absence either exacerbate or diminish the underlying risk. These play an important role during planning and risk assessments.
  o Example 1: As the competence of employees increases, the risk of operational problems decreases.
  o Example 2: As the extent of judgment increases, the underlying risk of error, abuse, and malfeasance increases.
  o Example 3: As the number of transactions of interest increases, the risk of errors and omissions increases.
• During planning meetings, internal auditors should:
  o Engage in participative practices involving process owners as much as possible to identify relevant activities, systems, people, and performance standards.
  o Review prior audit workpapers as they provide insights into the operation. It is important to familiarize oneself with what was done previously and the results of that review.
• Spending less than 25% of the total time on planning will lead to execution problems during fieldwork.
• The planning phase also involves estimating the amount of time it takes for completing the tasks through examining time logs from previous audits.

Fieldwork
• This phase includes interviewing, documenting, applying testing methodologies, managing fieldwork, and providing status updates.
• It consists primarily of two things:
  o Determining if the process or program under review is designed effectively so that the related goals and objectives are likely to be achieved.
  o Verifying that the controls in place are performing as designed by management.

Types of Audit Evidence
Testimonial evidence
• It consists of verbal or written statements or assertions given by someone as proof regarding the matter being discussed.
  o Examples: steps performed while processing a loan application, how the employee pays incoming invoices, procedures to record the purchase of inventory in the accounting system.
• Testimony is what the individual states about his or her own personal knowledge about something while hearsay is testimony based on what was heard about that topic (auditors should corroborate verbal statements).
• Testimonials do not have to be sworn during internal audits but it is assumed that auditees are making truthful statements about their assertions.
• These are usually obtained during interviews so they are typically verbal. They can also be written if provided in a questionnaire or as a result of an email.
• Interviews are a very common form of evidence gathering and involve an auditor speaking with one or more individuals about matters related to the engagement.

Observation
• Auditors visually evaluate physical facilities, conditions, and practices to verify they exist, their condition, valuation, and protection.
• This can be done in one of two ways:
  o The auditee knows the auditor is observing; or
  o The auditee does not know that the auditor is observing.
• Social desirability bias may be present using the first method of observation.

Document Inspection
• This is one of the most common procedures performed by auditors who examine documents to verify the date and amount of transactions, agreements made between various parties, evidence of authorizations, and record of decisions made.
• Documents can be internal or external, financial or non-financial, and an auditor may be searching for specific items on the document.
• Internal auditors are not expected to be experts on altered or forged documents but should pay attention to each document in search of anomalous elements constituting red flags.

Recalculation/Reperformance
• It is a form of audit evidence that consists of checking the accuracy of documents or records.
• Auditors reperform the work of others to verify the accuracy and completeness of the work done, and to confirm that the amount is correct.
• An essential aspect of internal auditing is the gathering and analysis of evidence.
• The walkthrough is a useful mechanism to improve the quality of audit and gain a better understanding of the completeness and accuracy of the data used when performing reviews.
  o This consists of the process of observing the flow of transactions from beginning to end and, where applicable, disclosure in an organization’s financial statements.
  o This is done to identify areas where errors and misstatements could occur and to test the overall design of the controls.

Professional Skepticism
• Internal auditors should display healthy professional skepticism and verify the quality of information gathered and used.
• Internal auditors should be sufficiently suspicious of data received and reasonably verify that the information is free from manipulation or modification in ways that can compromise its quality.
• Corroboration may involve obtaining supporting documentation to substantiate claims made or finding others to verify the accuracy of statements received.
• A subject matter expert (SME) can help auditors in ensuring that they are working with reliable data.
• Internal auditors should obtain as much reliable evidence as possible and base any opinions on the careful analysis of the related facts.

Workpapers
• These are documents created by the auditors to record the work done.
• They are a collection of evidentiary material showing the planning done, the fieldwork activities performed, and the support for all information mentioned in the audit report or other communication of results.
• IIA’s Practice Advisory 2330 – Documenting information: Internal auditors must document relevant information to support the conclusions and engagement results
  o Document the planning, performance, and review of audit work
  o Provide the principal support for audit communication such as observations, conclusions, and the final report
  o Facilitate third-party reviews and reperformance requirements
  o Provide a basis for evaluating the internal audit activity’s quality control program
• These may include process narratives, flowcharts, copies of policies and procedures, checklists, organizational charts, management and financial reports, analysis of testing, correspondence, questionnaires, and pictures.

Narratives
• These are one of the most common workpapers prepared by auditors.
• These consist of a description of a process or business activity and are usually prepared to explain how work is being done in an area being audited (including the controls, risks, weaknesses, and critical elements in the process).

Flowchart
• It is a diagram of the sequence of movements or actions of people or things involved in a process or activity.
• They illustrate a business process and virtually any process can be drawn in the form of a flowchart.
• Process mapping is done to understand how the steps in a business process work together. This can be very helpful to understand where inefficiencies occur and how a process can be improved by reducing excessive hand offs, delays, and redundancies.
• Some of the key steps to follow when drawing a flowchart are:
  o Identify the steps through consensus;
  o Walk the process and arrange chronologically;
  o Draw using appropriate symbols;
  o Test for completeness (e.g., symbols, loops, dead ends, arrows, and direction);
  o Look for problem areas as a team; and
  o Get sign-off that the flowchart reflects the process.

Internal Control Questionnaire (ICQ)
• This helps to evaluate internal controls in specific areas by asking key questions.
• This is used by auditors as a starting point and then supplement them with other information gathering and control evaluation techniques (e.g. flowcharts and document reviews).
• They are used by process owners to help them assess their operations.
• Open-ended questions require the respondent to elaborate on the information provided.
  o Please describe the process of processing customer payments.
  o Tell me about the systems that you use to make purchases and who has access to it?
  o What happens when a customer comes to the service window?
  o Why did you choose to change vendors?
• Closed-ended questions are designed to elicit a discrete answer (e.g. Yes or No, amount, name, date, or similar specific item).
  o Does the receiving department enter the amount of items received immediately into the inventory system upon receipt?
  o How many shipments of incoming materials do you receive per day?
  o How many workers are on each crew?
  o When was that sales office opened?
  o Are all department personnel familiar with the company’s requirements concerning the handling of private and confidential information?
  o Do your computers/applications contain private or confidential information about patients?
  o Does your area collect any individually identifiable private or confidential information on paper forms or records?
  o If cash is accepted, are prenumbered receipts used to track payment?

Conditions of Workpapers
• Workpapers should be neat, easy to read, easy to review, and their appearance should be uniform.
• Workpapers should include:
  o Objective of the procedure performed
  o Source of the information evaluated
  o Name of the auditor who performed the work
  o Date when the work was done
  o Name and date of supervisory review
  o Details showing the work done
  o Reference to other supporting documents, such as relevant objectives, risks, and controls
  o Results of the testing procedure performed
  o Conclusion
• All workpapers should be clear enough so another person can reproduce or repeat the work done.
• The auditor will examine each of them to verify these four attributes:
  o The amount of the transaction was accurate.
  o The transaction shows evidence that it was for a business-related activity.
  o The transaction was approved before execution.
  o The amount processed was recorded in the corresponding period.
