•

Topic 1.
Operational
Auditing:
Definition,
Characteristics
and Guidance
ASST. PROF. RYANT. LIBA, OBA

-
ISO 9001:2015 Lead Auditor/Trainer
Facilitator
 Unit Learning Outcomes
• LOl.l Explain the characteristics of operations
audit. [Cl]
• LOl.2 Differentiate risk-based audit from
control-based audit. [Cl]
• LOl.3 Explain the important role of auditors in
an organization. [Cl]
• LOl.4 Analyze the factors that influenced the
changing nature of operations audit. [C2]
• LOl.4. Identify the required skills in conducting
an effective operations auditing [C3]
 Topic Outline
1. Introduction
Course Outline 2. Definition and Characteristics of Operational
Auditing
3. The Risk-Based Audit
4. Auditing Beyond Accounting, Financial, and
Regulatory Requirements
5. The Organizational Value of Auditors.
6. Identifying Operational Threats and Vulnerabilities
7. The Skills Required for Effective Operational Audits.
8. Integrated Auditing
9. The Standards Relevant to Operational Auditing
 Word to Ponder

Be a Product of the Product!

-
----
....
What does it mean to be a product of the
product? It's quite simple. Be a living
example of what you sell, recommend or
/1/ advise others. Personify what you preach.
Show don't tell. Lead by example.
 Introduction
• Internal audit is undergoing a massive
transformation. While its role to provide
I •-
.
independent, objective assurance and
consulting services to organizations in ways
that improve their operations has remained
• constant for decades and remains true
today, how this has been accomplished has
changed over time.
Definition and Characteristics of Operational Auditing
• Operational auditing is defined as "A future­
oriented, systematic, and independent
evaluation of organizational activities."
• Financial data may be used, but the primary
sources of evidence are the operational
policies and achievements related to
organizational objectives. Internal controls and
efficiencies may be evaluated during this type
of review."
Definition and Characteristics of Operational Auditing

• The Business Dictionary defines operational

audit as "a review of how an organization's
management and its operating procedures are
functioning with respect to their effectiveness
and efficiency in meeting stated objectives.
Definition and Characteristics of Operational Auditing

• Internal auditing is an independent,

objective assurance and consulting activity
designed to add value and improve an
organization's operations.
• It helps an organization accomplish its
objectives by bringing a systematic,
disciplined approach to evaluate and
improve the effectiveness of risk
management, control, and governance
processes.
Definition and Characteristics of Operational Auditing
Notes to the Definition of Internal Auditing

• Independence has to do primarily with the position

of internal audit within the organization's hierarchy.
Internal audit should report to the audit committee
♦ (or its equivalent) on the board of directors, so it
receives advice and support to perform its duties.
Definition and Characteristics of Operational Auditing
Notes to the Definition of Internal Auditing

• Objectivity is related to the auditors' frame of

mind and their ability to examine documents,
processes, and programs without a bias,
without an agenda, with no other motive than
to find the truth and communicate it accurately
and promptly.
Definition and Characteristics of Operational Auditing
Notes to the Definition of Internal Auditing

• Assurance relates to the auditors' ability to give

confidence and make statements regarding the
condition of matters within the organization. It is often
considered a synonym to "compliance11 as has been the
traditional focus of internal auditors for millennia.
• Compliance audits focus on verifying conformity and
adherence of a particular area, process, or system with
policies, plans, procedures, laws, regulations, contracts,
or other requirements that govern the conduct and
actions of that area, process, or system.
Definition and Characteristics of Operational Auditing
Notes to the Definition of Internal Auditing

There are four main reasons why organizations

report:

a. Provide shareholders more transparency

b. Gain competitive advantage
c. Improve risk management capabilities
d. Respond to stakeholder pressure
Definition and Characteristics of Operational Auditing
Notes to the Definition of Internal Auditing

• Consulting means giving advice to

management and the board and
engaging in activities that helps the
organization resolve nagging business
issues.
Definition and Characteristics of Operational Auditing
Notes to the Definition of Internal Auditing

• Designed to add value. If you ask a

gathering of internal auditors if they add
value in their organizations, they
unanimously raise their hands in
agreement.
Definition and Characteristics of Operational Auditing
Notes to the Definition of Internal Auditing

• Improve an organization's operations is a

very interesting statement because many
auditors see their role as that of checking
things and verifying the accuracy of
various items and activities within the
organization.
Definition and Characteristics of Operational Auditing
Notes to the Definition of Internal Auditing

• Help an organization accomplish its

objectives. Many auditors practice what
has been commonly referred to as
controls-based auditing.
Definition and Characteristics of Operational Auditing
Notes to the Definition of Internal Auditing

• By bringing a systematic, disciplined

approach. This refers to the approach
r followed when performing the work.
• This is encapsulated in the Standards, the
Practice Guides and Practice Advisories,
which provide a great deal of guidance on
how to plan, execute, and communicate the
results of the work done.
Definition and Characteristics of Operational Auditing
Notes to the Definition of Internal Auditing

'
• To evaluate and improve the
effectiveness. Our role as auditors goes
beyond evaluating business dynamics and
writing reports that merely lists the
problems identified .
• •
----"'r:Cb -
Definition and Characteristics of Operational Auditing
Notes to the Definition of Internal Auditing
The definition indicates that we evaluate, but also help to improve the
organization's ability to achieve the goals and objectives related to:
a) Risk management. This refers to the identification, measurement,
assessment, and response to risks.
b) Control. This refers to those activities that mitigate relevant risks and
helps the organization avoid surprises.
c) Governance processes. Corporate governance is a wide subject that
includes matters related to organizational structure, reporting lines,
span of control, resource allocation, accountability measures, discipline,
and rewards mechanisms.
 What is operational auditing?
• Operational auditing is a future-oriented,
independent, systematic, and business­
focused evaluation of management, and
the organization's activities controlled by
management and third parties .
•
• This is done to benefit the organization's
stakeholders who trust internal auditors to
identify anomalies, verify that resources are
handled responsibly, and that the
organization is structured and operating in
ways that it is likely to succeed.
 What is operational auditing?
• The purpose of operational auditing is to
improve organizational profitability and the
attainment of organizational objectives.
• These go beyond a review of internal
•
control issues since management does not
achieve its objectives simply by adhering to
satisfactory systems of internal control.
 Risk-Based Audit

• Engaging in risk-based auditing means

that internal auditors must exercise and

RISK-BASED
apply a broader view of organizational
risks. Accounting and financial risks are
only a limited number of the many risks
organizations face.
• Other examples include the risk of delays,
waste, inefficiency, poor customer service,
excessive customer and employee
turnover, poor quality data, and system
failures.
 Auditing Beyond Accounting, Financial,
and Regulatory Requirements
Over time, business leaders and managers witnessed business failures caused by poor
management decisions and practices. By poor management, referring to inadequate:

• Operations management. Some of the related issues are waste, inefficiencies,

supplies that arrive late, poor customer satisfaction, and limited capacity to
grow as opportunities arise or customers' demands change.
• Human resources. As evidenced by poorly supervised, trained, and evaluated
employees who sometimes become unmotivated and unproductive.
• IT. Computer systems designed with an inaccurate understanding of the
business needs and uses of these systems, poor data capture, and inadequate
reporting mechanisms
 Auditing Beyond Accounting, Financial,
and Regulatory Requirements
Over time, business leaders and managers witnessed business failures caused by poor
management decisions and practices. By poor management, referring to inadequate:

• Marketing. Mass marketing of products and services at a time when customers

prefer to feel unique, or wasteful campaigns because they target the wrong
audience.
• CSR. Issues range from child labor, sweatshop conditions, abusive management,
and inappropriate waste disposal.
• Environmental Health and Safety (EHS) practices and conditions related to
poor ventilation, excessive heat, extreme noise levels, and workplace hazards
caused by chemicals, machinery, and workplace configurations, among others.
The Value Auditors Provide

• Internal auditors are unfortunately not always

regarded as highly as they should be.
• Seen as an obstacle, too many managers and
employees fail to recognize that internal auditors
provide a very valuable service to their clients­
whether they are employees of the firm, or hired
externally to provide internal audit services.
• Internal auditors promote the efficient and
effective use of resources.
 Stakeholders
• An important aspect of the modern manager
and auditor's job is to identify relevant
stakeholders and to understand their interests.
0 !
• It is also important to understand the power
they have to assert these interests.
. . .1Y
: :

--
I
I
... \.
�
, ......................
•
..-·· • This process is called stakeholder analysis,
which asks three fundamental questions:
0
1. Who are the relevant stakeholders?
··•, ... _,/ 2. What are the interests of each
stakeholder?
3. What is the power of each stakeholder?
 Governments
Employees

General
Media
public
Investors Suppliers
Organization
Organization

Activist
Communities groups

Creditors Customers Business

support
groups

Primary (noneconomic) stakeholders. Secondary (noneconomic) stakeholders

Table 1.1 Primary Stakeholders, Nature of Interest, and Power
Stakeholder Interest Power
Employees Maintain stable employment Bargaining power
Receive fair pay Work actions, strikes, and
Work in a safe, comfortable lawsuits
environment Publicity

Suppliers Receive regular orders for Refusing to meet orders

goods/services Supplying to competitors
Be paid promptly
Customers Receive value and quality for Purchasing from competitors
money Boycotting
Receive safe, reliable Refusing to pay
products

Creditors Receive repayment of loans Calling loans

Collect debts and interest Use legal authorities to
repossess assets
Investors Receive a satisfactory return Exercise voting rights
on investments Ability to inspect company
Realize an appreciation in records and reports
value
Source: Adapted from Lawrence, A. T., Weber, J., and Post, j. E. 2011. Business and Society:
Stakeholders, Ethics, Public Policy (11th eel.). Boston: McGraw-Hill Irwin.
 Table 1.2 Secondary Stakeholders, Nature oi Interest, and Power
Stakeholder Interest Power
Governments Promote economic Adopting regulations and
development laws
Raise revenues through Issuing licenses and permits
taxes

0 Media Keep the public informed

Monitor company actions
Activist groups Monitor company actions for
ethical and legal behavior
� :
Publicizing events that affect
the public
lobbying government for
regulations
Gaining public support

. .tcP..\
Business support Provide research and Using staff/resources to help
groups information to improve companies
I
I
�
.. :••••••••••••••••••••••

0 Communities
competitiveness

Employ local residents

Providing legal political
support
Issuing/restricting operating
Ensure local development licenses
·
• ......-,/ lobbying government for
regulations
General public Minimize risks Supporting activists
Achieve prosperity for Pressing government to act
society Praising or condemning
companies
Source: Adapted from Lawrence, A. T., Weber, J., and Post, J. E. 2011. Business and Society:
Stakeholders, Ethics, Public Policy (11th ed.). Boston: McGraw-Hill Irwin.
Identifying Operational Threats and Vulnerabilities
• The traditional approach to internal
auditing was to perform postmortem
reviews to verify that what was done
was done appropriately.
• This was a practice that followed in the
footsteps of public accounting firms,
which inspect transactions that
occurred during the preceding fiscal
year.
Identifying Operational Threats and Vulnerabilities

• I nterna I auditors need to go beyond

inspecting transactions long after they
were performed because the focus now
leans toward an examination of future
threats and vulnerabilities that can derail
the organization's goals and objectives in
the short, medium, and even the long
term.
Future-oriented Threats and Vulnerabilities
• Operational, such as maintaining
operational capacity, speed of execution
(i.e., cycle time), staffing levels,
employee motivation, knowledge
transfer, system development, and
implementation
• Technological, including protection of
intellectual property and personally
identifiable information, denial of
service attacks, business continuity due
to staff turnover, and system
development
Future-oriented Threats and Vulnerabilities
• Strategic, referring to concerns related to
strong customer and vendor relations,
customer loyalty, building effective business
partnerships, outsourcing arrangements,
and mergers and acquisitions
fZisk. • Environmental, which may include reliable
supply of water and electricity, achieving a
lower carbon footprint, and reducing the
amount of natural resources used during
business activities
The Skills Required for Effective Operational Audits
1. Communication skills, such as oral,
written, report writing, and presentation
skills
2. Problem identification and solution skills,
such as conceptual and analytical thinking
3. Ability to promote the value of internal
audit
4. Knowledge of industry, regulatory, and
standards changes
5. Organization skills
6. Conflict resolution/negotiation skills
The Skills Required for Effective Operational Audits

7. Staff training and development

8. Accounting frameworks, tools, and
techniques
9. Change management skills
10. IT/CT* framework, tools, and techniques
11. Cultural fluency and foreign language
skills
 Behavioral Skills of Internal Auditors
Work well with
all management
levels

Possess
Work
governance and
independently
ethics sensitivity

Staff Change catalyst

management skills*
Integrated Auditing

• Business changes, resources change,

and risks change, so both operations
and IT must adapt and continually
improve to support the business and
mitigate risks to acceptable levels.
Key Objectives of Financial Audits
• Ascertain whether in all material respects,
the income statement and the statement
of cash flows accurately and reliably reflect
the activities during the fiscal year
• Ascertain whether in all material respects,
the balance sheet shows the condition of
- the organization as of the last day of the
fiscal year
Internal Audit Capability Model {IA-CM)

Level 1: Initial Ad hoc/isolated audits

The internal audit function is unstructured and operates in an ad
hoc manner. It performs isolated audits primarily exarnining
documents and transactions for accuracy and compliance. The
audit team is often part of a separate organizational unit with no
established capabilities or infrastructure to support the
function.

Source: Adapted from the 2009 IIARF Internal Audit Capability Model (IA-CM) for the Public Sector.
Internal Audit Capability Model {IA-CM)

Level 2: Infrastructure Compliance auditing

The internal audit function focuses on compliance audits, which
evaluate conformity and adherence with internal policies, laws,
regulations, contracts, and other agreements or requirements
that preside over the activities and goals of the area, process, or
system being audited

Source: Adapted from the 2009 IIARF Internal Audit Capability Model (IA-CM) for the Public Sector.
Internal Audit Capability Model {IA-CM)
Level 3: Integrated Advisory services
Internal audit provides guidance and advice to management.
These advisory services add value without the auditor assuming
managen1ent responsibility. These services are directed toward
facilitation rather than assurance and include training, system
development reviews, performance and control self-assessment
(CSA), and counseling. Internal audit focuses on team building
and competency, developing a professionally qualified staff and
effective workforce coordination within the unit and with other
review groups. It uses output performance measures and tracks
cost information. Internal audit is an integral component of the
organization's management team

Source: Adapted from the 2009 IIARF Internal Audit Capability Model (IA-CM) for the Public Sector.
Internal Audit Capability Model {IA-CM)
Level 4: Managed Overall assurance on governance, risk management, and control
Internal audit provides overall assurance on governance, risk
managen1ent and control, contributes to the development of the
organization's management, supports professional bodies, has a
planning mechanism for its workforce, and uses quantitative
and qualitative metrics. It coordinates its activities to be
sufficiently cornprehensive and provide reasonable assurance at
a corporate level that GRC processes are adequate and
functioning as intended to rneet the organization's objectives

Source: Adapted from the 2009 IIARF Internal Audit Capability Model (IA-CM) for the Public Sector.
Internal Audit Capability Model {IA-CM)
Level Characteristics

Level 5: Optimizing Internal auditing recognized as a change agent

Internal audit is recognized as a key change agent, continuously
improving its professional practices, integrating performance
data, global leading practices, and feedback to continuously
strengthen the unit and the organization. It plans its workforce
needs strategically and rnaintains effective ongoing relationships
with other units within the organization to understand the
organization's strategic directions, emerging issues, and risks

Source: Adapted from the 2009 IIARF Internal Audit Capability Model (IA-CM) for the Public Sector.
 Integrated auditing
--------- Auditor focus

Financial/operational/general IT/technical IT

+-----------
Financial/operational auditors
➔
�-------....------------+
♦--------
IT auditors

Integrated auditing
II The Standards -
... -- -
....:
...............
• The Institute of Internal Auditors (IIA) is an ......111
organization which advocates, provides 11111111111
111111111111
1,111,:
educational conferences, and develops
standards, guidance, and certifications for the
internal audit profession.
• The governing body of internal auditors
worldwide, provides guidance for internal
auditors on what should be done, how it
-- ·-
·­

-- -----
should be done, and why.
---
• International Standards for the Professional
Practice of Internal Auditing (Standards) is
- - "I -

mandatory, while following the guidance

provided in the Practice Advisories and
Practice Guides is highly recommended and
encouraged.
Standards Relevant to Operational Auditing
International Standards for the Professional Practice of Internal Auditing

• 1210-Proficiency Internal auditors must

��
A...«,
possess the knowledge, skills, and other
�.,,,. 0 competencies needed to perform their
� ,;�'\.'-'-'fi;; individual responsibilities. The internal
EXPERT audit activity collectively must possess or
obtain the knowledge, skills, and other
competencies needed to perform its
"'◄.s,-�� responsibilities.
Standards Relevant to Operational Auditing
International Standards for the Professional Practice of Internal Auditing

• 1210.A3-lnternal auditors must have

��
A...«,
sufficient knowledge of key IT risks and
�.,,,. 0 controls and available technology-based
� ,;�'\.'-'-'fi;; audit techniques to perform their assigned
EXPERT work. However, not all internal auditors
are expected to have the expertise of an
internal auditor whose primary
"'◄.s,-�� responsibility is IT auditing.
Standards Relevant to Operational Auditing
International Standards for the Professional Practice of Internal Auditing

• 1220.A2-I n exercising due professional

care internal auditors must consider the
use of technology-based audit and other
data analysis techniques.
Standards Relevant to Operational Auditing
International Standards for the Professional Practice of Internal Auditing

• 1220.A3-lnternal auditors must be alert to

the significant risks that might affect
objectives, operations, or resources.
• However, assurance procedures alone, even
when performed with due professional care,
do not guarantee that aII significant risks
will be identified.
 Standards Relevant to Operational Auditing
International Standards for the Professional Practice of Internal Auditing

• 2010-Planning. The CAE {Chief Audit

Executives) must establish a risk-based
plan to determine the priorities of the
internal audit activity, consistent with the
organization's goals.

By auditing what matters most, the li1nired resources available will be spent rnore wisely and
the co1nmunicarions resulting from chose reviews will be far more valuable co the board and
management.
Standards Relevant to Operational Auditing
International Standards for the Professional Practice of Internal Auditing

• 2120-Risk management. The internal audit

Risk activity must evaluate the effectiveness and
contribute to the improvement of risk
management processes
Standards Relevant to Operational Auditing
International Standards for the Professional Practice of Internal Auditing
• 2120.Al-The internal audit activity must evaluate risk
exposures relating to the organization's governance,
operations, and information systems regarding the:
• Achievement of the organization's strategic
objectives
• Reliability and integrity of financial and operational
information
• Effectiveness and efficiency of operations and
programs
• Safeguarding of assets
• Compliance with laws, regulations, policies,
procedures, and contracts
Elements that must be Examined in Relation
to the Organizations

Financial and
Effectiveness
operational
and efficiency
information

Safeguarding
of assets
Standards Relevant to Operational Auditing
International Standards for the Professional Practice of Internal Auditing

• 2130-Control. The internal audit

activity must assist the organization in
maintaining effective controls by
evaluating their effectiveness and
efficiency and by promoting continuous
improvement.
Standards Relevant to Operational Auditing
International Standards for the Professional Practice of Internal Auditing

• 2201-Planning considerations In planning the

engagement, internal auditors must consider:
• The objectives of the activity being
reviewed and the means by which the
activity controls its performance
• The significant risks to the activity, its
objectives, resources, and operations and
the means by which the potential impact
of risk is kept to an acceptable level
 Standards Relevant to Operational Auditing
International Standards for the Professional Practice of Internal Auditing

.I -
..
C:1•- • 2220.Al-The scope of the
i
I
Q> u, ·-
g' >;
.is
1E
customer- - - u,
:::n2
m - •- rt• .,
..,
complex Cl! m .!I!
0. �
" ,....,._
re!ent;ion engagement must include
consideration of relevant systems,
records, personnel, and physical
properties, including those under the

I
t;reat;m
I -- st;rat;egy research �
Pan resour�� control of third parties.
 Standards Relevant to Operational Auditing
International Standards for the Professional Practice of Internal Auditing

When engaged in business reviews, internal

auditors are encouraged to:
,- Ill • Incorporate the elements of integrated
auditing so auditors apply a holistic view
during their work
• Evaluate the people, processes, and
technology relevant to the review being
performed, and, examine third parties'
systems, records, personnel, and
properties under their control
Standards Relevant to Operational Auditing
International Standards for the Professional Practice of Internal Auditing
• 2310-ldentifying information Internal auditors must
identify sufficient, reliable, relevant, and useful
information to achieve the engagement's objectives.
• Internal auditors collect, analyze, and interpret
data to prove/disprove hypotheses regarding the
design and function of processes and systems as
they relate to the achievement of objectives, and
the effectiveness of risk management procedures.
• Internal auditors must also communicate their
conclusions, and this requires that their
communications be persuasive.
Communication Requirements
• Sufficiency. This means that the auditor needs
enough information, including quantifiable facts
and figures.
• Reliability. Meaning that the information must be
trustworthy and free from distortion.
• Relevance. This relates to the information being
consistent with the objectives and scope of the
review.
• Usefulness. This relates to the information
helping the organization accomplish its
objectives.
Standards Relevant to Operational Auditing
International Standards for the Professional Practice of Internal Auditing

• 2330-Documenting information.
Internal auditors must document
relevant information to support the
conclusions and engagement results
Standards Relevant to Operational Auditing
International Standards for the Professional Practice of Internal Auditing

••• • 2420-Quality of communications .

Communications must be accurate,
••• objective, clear, concise, constructive,
complete, and timely.
Standards Relevant to Operational Auditing
International Standards for the Professional Practice of Internal Auditing
Effective Communications
1. Accurate. There are no mistakes or errors in the
information presented.
2. Objective. The auditor's work is focused on
facts and informed judgment, there is no bias
involved, and the results are neither inflated
nor understated.
3. Clear. Easy to understand and interpret.
4. Concise. Brief by using only as many words as
necessary-gone are the days of very lengthy
reports.
Standards Relevant to Operational Auditing
International Standards for the Professional Practice of Internal Auditing

Effective Communications
5. Constructive. Serves the purpose of helping
the organization improve its activities and
promote advancement through excellence.
6. Complete. Nothing relevant or important
m1ss1ng.
7. Timely. Issued promptly because the value of
the message decreases with time.
 References
• Murdock, H. (2017). Operational Auditing, Principles and
Techniques for the Changing World. New York: Taylor and
Francis Group, LLC, NY.
• Gray, L., Manson, S., Crawford, L. (2019). The Audit Process,
7th Edition. Cengage Learning Asia.
• Zehms, K.M., Gramling, A.A., Rittenberg, LR. (2019).
Auditing, 11th Edition. Cengage Learning Asia.
• Fountain, L.A. (2016). Leading the Internal Audit Function.
CRC Pres.