Chapter 4 Objectives, Types & Phases of Operational Auditing

Objectives of an Operational Audit

The objectives of any company are: Productivity, profitability, market expansion, innovation, efficient managerial
performance, upgrading the employees attitude & work performance and discharging social responsibilities. Operational
audits can help the business in the attainment of all these objectives.
The objectives of operational audits can vary depending on the type of organization and its key performance Indicators
(KPIs), or whether the audit is being conducted to answer a specific concern from challenges arising in areas like human
resources, customer relations, or manufacturing slowdowns. There may also be government compliance issues to consider,
such as consumer safety. Part of the objective should also be to maintain quality in the auditing process.
Nevertheless, it can be stated that the overall objective of operational auditing is to assist all levels of management in the
effective discharge of their responsibilities by furnishing them with objective analyses, appraisals, recommendations and
pertinent comments concerning the activities reviewed. The objectives of operational auditing may, therefore, be broken
down into the following activities as follows:
a) Appraisal of company’s objectives
b) Evaluation of company’s policies
c) Evaluation of company’s plans
d) Evaluation of the structure of organization
e) Evaluation of controls
f) Appraisal of performance, which involves examination of work flow, determination of work force, performance of
work load, measurement of productivity, measurement of profitability, performance of job, and appraisal of costs,
g) Evaluation of company’s social responsibilities, e. g. extent of benefits passed on to the consumers, creation of
employment opportunities, etc..

The Process or Phases of the Operational Audit

The process of operational auditing is not much different from other audits performed by the internal auditor. Those include
planning, execution, reporting, and follow-up. Just like the ordinary internal auditing process, the typical operational audit
process involves the following steps:
 Selection or determine the auditor - Typically, a company conducts an operational audit internally. They may have
an internal auditor or audit team whose job is to manage internal or operational audits. However, some companies
may not have an internal audit team or an internal auditor with the necessary knowledge or experience needed, so
they may hire an external specialist to conduct the audit.

 Plan the audit process - The first phase is the planning where the auditor prepares the financial plan. The auditor
needs to obtain an understanding of the business as well as its operation. Then, they need to make an assessment
and target which key operation they should perform. The auditor meets with relevant managers to discuss and plan
their audit method. During this discussion, the auditor gains an understanding of the business and any potential
concerns. They can then identify areas that may require process improvements, providing challenges for them to
focus on during the audit. Through this conversation, the auditor also establishes the scope and timeline of the
audit. Next, they can begin establishing the audit's goals and strategies. These objectives vary but should aim to
support the organization's needs and overall objectives. They may focus on a specific area of the company and its
related processes. For example, a company may perform an operational audit on its hiring practices. The auditor
and managers must establish objectives for those processes to meet, such as increasing the number of employees
 hired over a set period. Then the auditor uses those objectives to assess the company's current procedures and
find improvements

 Conduct the audit - The second phase is the execution where the auditor executes the work as per the financial
plan. Validating key controls and operations involve obtaining the key documents, observing how certain key
controls are performing and inspecting certain documents like sales invoices, goods & delivery notes. The auditor
examines the business areas within the scope of their audit program. The auditor needs to assess the existing
processes and procedures to determine whether they meet the goals set earlier in the audit process. They have
conversations with managers and employees to discuss whether the processes meet expectations. The auditor also
may observe employees as they conduct those procedures and examine every step. Once the auditor understands
and reviews the processes or procedures, they can develop tests to evaluate them. Through those tests, the auditor
may find specific factors that need improvement and generate and experiment with solutions that help fulfill their
objectives. An ideal process works without issues and enables the company to conduct the task in a cost- and time-
efficient manner.

 Report audit findings - The third phase is the reporting where the auditor reports his findings in the report. Once the
key operations and controls have been validated, the report will then be prepared and submitted to the audit
committee. The auditor prepares a report on their findings & includes recommendations for improvements.
Depending on those recommendations, the auditor may also draft an implementation plan to help the company
make the necessary changes. They discuss these recommendations with relevant managers, ensuring that the
management team understands the findings and solutions. The management may agree to follow all the
suggestions or discuss why some changes may not be feasible.

 Perform a follow-up - The fourth phase is the follow up where the auditor takes the follow up that the findings by the
auditor are mitigated by the relevant department. After completing an audit, the auditor sets up a follow-up meeting
with the relevant management team and staff. Just as with any other internal audits, key findings, and
recommendations need to be followed up to determine if such findings and recommendations were acted upon by
management or the department. Commonly, the follow-up is held about six months after the audit. During the
follow-up, the changes made to the processes are discussed and the results assessed. These results are compared
to the objectives set forth by the audit and determine whether they meet those goals or are making some progress
towards them.

Types of Operational Audits

As noted, an operational audit examines the business processes and procedures within a company. Operational audits
focus on the review and assessment of a single or multiple business processes. Operational audits examine the use of unit
resources to evaluate whether those resources are being used in the most effective, efficient & economical manner to fulfill
the firm’s mission and objectives. An operational audit may include elements of the other audit types listed below. This type
of audit may overlap with other types of audits, such as:

 Information Technology (IT) System Audits - Information systems audits investigate overall infrastructure and
networks, technical operations, data center operation, project management, and review security status and
procedures. Information Systems (IS) Audits examine the internal control environment of automated information
processing systems and how people use those systems. Information Systems audits typically evaluate system
input, output, and processing controls; backup and recovery plan; system security; and computer facility reviews. IS
auditing projects can focus on existing systems, as well as systems in the development stage. IT audits are a probe
into the technical operations of a business. They investigate the current network and infrastructure, review the
procedures and status of security, and analyze project management and data center operations.

 Financial Audits or Reviews - Financial audits focus on financial controls as they relate to reporting to internal and
external governing bodies. Financial statement auditing is the bailiwick of external auditors. Internal audits
 complement the work of operational audits, which includes some form of budget, or a financial review. Financial
Audits - Focus on accounting and reporting of financial transactions, including commitments, authorizations, and
receipt and disbursement of funds. The purpose of this type of audit is to verify that there are sufficient controls over
cash and cash-like assets, and that there are adequate process controls over the acquisition and use of resources.
Unlike external financial audits, internal financial audits do not prepare or express professional opinions on the
fairness of the presentation of financial statements. Financial audits center around a business’s financial controls
and procedures concerning reporting externally to governing bodies and internally to upper management. Internal
auditors complete budget and financial reviews, while external auditors handle financial statement audits.

 Marketing Audits - Marketing Audits: A marketing audit is a broad, precise, and autonomous probe into the
marketing of a company or a business. An audit holds both an external situation analysis and a thorough review of
internal marketing goals, strategies, capabilities, processes, and systems. The result is actionable
recommendations to improve progress toward stated goals. Marketing audits are a broad but accurate investigation
into a business’s advertising. The audit examines external results while thoroughly challenging internal strategies,
processes, systems, capabilities, and marketing goals.

 Department Audits: Department Reviews: Different departments or divisions may run a periodic analysis to assess
the adequacy of controls, how well assets are safeguarded, how resources are used, and if there is compliance with
applicable laws. Different departments within a company use different processes and procedures related to their
goals or responsibilities. An audit can assess those processes and find ways to improve them. It can also examine
the department's available resources and how efficiently they use them when conducting processes. For example,
an operational audit could look into specific departments such as human resources, marketing or IT. Different
departments within a company use different processes and procedures related to their goals or responsibilities. An
audit can assess those processes and find ways to improve them. It can also examine the department's available
resources and how efficiently they use them when conducting processes. For example, an operational audit could
look into specific departments such as human resources, marketing or IT.

 Investigative audits: Investigative Audits: When a company suspects a risk of security breach, or when one has
occurred on the part of an individual or department, there is often an investigative audit to understand causes and
additional background information and research. If a company discovers or suspects an error or security breach has
occurred, they may conduct an investigative audit to determine its cause. As part of this audit, they may assess the
processes performed by an employee or department. The auditor may make suggestions to improve those
processes or related procedures to ensure the issue does not occur in the future. Investigations - Seek to establish
evidence of impropriety; imply a systematic track-down of information the auditor hopes to discover or needs to
know. Investigations include alleged instances of fraud, waste and abuse, and improper governmental activities.
If a company discovers or suspects an error or security breach has occurred, they may conduct an investigative
audit to determine its cause. As part of this audit, they may assess the processes performed by an employee or
department. The auditor may make suggestions to improve those processes or related procedures to ensure the
issue does not occur in the future.

 Compliance audits: Compliance Audits: Compliance audits review the level of compliance with external regulatory
requirements or internal policies. This type of audit evaluates whether a company follows relevant external laws,
along with internal policies. The auditor will assess current processes and procedures to ensure they meet any
necessary standards or regulations related to the organization's industry. A company may also have rules for
conduct that all employees much follow, so the audit may inspect compliance with processes for hiring and firing
employees, for example. Compliance Audits - Review adherence to laws, regulations, policies, and procedures.
Examples include federal and state law, Trustee policies, and chancellor’s office directives. Recommendations
typically call for improvements in processes and controls intended to ensure compliance with regulations.
 This type of audit evaluates whether a company follows relevant external laws, along with internal policies. The
auditor will assess current processes and procedures to ensure they meet any necessary standards or regulations
related to the organization's industry. A company may also have rules for conduct that all employees much follow,
so the audit may inspect compliance with processes for hiring and firing employees, for example.

 Follow-up audits: After an operational audit, the company will implement any necessary changes. They may then
set a determined time to conduct a follow-up audit to evaluate the changes' effectiveness. After an operational audit
report has been issued, it is standard practice to follow up to evaluate corrective actions, usually within a six-month
period. After an operational audit, the company will implement any necessary changes. They may then set a
determined time to conduct a follow-up audit to evaluate the changes' effectiveness.

 Internal Control Reviews: - Focus on the components of the organizations major business activities. Areas such as
payroll and benefits, cash handling, inventory and equipment and their physical security, grants and contracts, and
financial reporting are usually subject to review.

 Advisory Services - More consultative in nature than traditional audits and performed in response to requests from
management. Advisory services enhance awareness of risk, control and compliance issues and provide a proactive
independent review and appraisal of specifically identified concerns. Advisory services may include internal control
and risk management reviews, transition reviews, business process assessments, and other activities.