
Operational Auditing Essentials

The document provides an introduction to operations auditing. It discusses how the role of internal auditors is changing due to globalization and technological advances, and how a modern approach is needed. The learning outcomes cover applying modern operational audit practices, enhancing auditing skills, and evaluating organizational operations and stakeholders. The unit aims to provide an overview of operational auditing focused on internal auditing and improving organizations.

Uploaded by

Nichole Koo
Copyright
© All Rights Reserved

UNIT 1 – Introduction to Operations Auditing

The businesses being served by the internal auditors are changing due to globalization,
technological advancements, relentless competition, and a new social, demographic, and
financial landscape. The use of checklists, prepared questionnaires, and reviewing the same
documents year after year is no longer efficient and effective in assessing the company’s
operations.

Learning Outcomes

At the end of this unit, you should be able to:

• Apply the modern way of performing an operational audit.
• Enhance your skills as an auditor.
• Evaluate the problems of an organization’s operations.
• Evaluate the primary and secondary stakeholders of an organization.
• Use the standards as your guide in operational auditing.

This unit aims to give you a preview of the world of operational auditing. This subject is
focused on internal auditing, particularly on the operations of an organization. There will be
no computations throughout the semester, but you will be challenged to think outside the box in
order to help improve an entity.

Before we formally start our lesson, please answer the short essay on the next page by
inputting your answers on this link:
https://docs.google.com/forms/d/e/1FAIpQLSeRKaxd8sPAvClwRXJCeXDqH2VRppZT36JA6mrBtgAOfbZCmA/viewform?usp=sf_link

Pre-test

Essays

Define the following terms in your own understanding.


1. Auditing
2. Internal Auditing
3. Operations Auditing

The next section is the content of this unit. It contains vital information on the topics,
based on the learning outcomes. Please read and understand the contents carefully.

Content

As your instructor, I would like to advise you to avoid reading it through the eyes of a
student wanting to pass the subject. Instead, read the contents with the intention of helping
organizations locally or internationally in the future.

You will soon be part of the working professionals. Always think about what you can contribute
to our society.

What is Operational Auditing?

Operational Auditing is defined as:

“A future oriented, systematic, and independent evaluation of organizational activities.
Financial data may be used, but the primary sources of evidence are the operational policies and
achievements related to organizational objectives. Internal controls and efficiencies may be
evaluated during this type of review.”

According to the Business Dictionary, it can also be defined as:

“A review of how an organization’s management and its operating procedures are functioning
with respect to their effectiveness and efficiency in meeting stated objectives.”

For example, a business might perform an operational audit if its senior management has become
convinced that operational improvements can be made and need to be identified.

Let us take a deeper look into what operations auditing is all about:

• The purpose of operational auditing is to improve organizational profitability and the
  attainment of organizational objectives. These go beyond a review of internal control issues
  since management does not achieve its objectives simply by adhering to satisfactory
  systems of internal control. Instead, management must define its goals, set appropriate
  strategies, staff the organization with enough and competent workers, and execute
  effectively.

• Operational auditing also involves evaluating management’s performance, since they have
  a fiduciary responsibility toward the organization’s owners and other relevant
  stakeholders. Over the past few decades, the expectations of stakeholders have increased
  monumentally, creating a more challenging environment for managers and auditors alike.
  These expectations range from CSR to acting ethically, safeguarding key information, and
  maintaining a positive reputation.

• Another important aspect of operational auditing is that rather than merely verifying that
  employees are performing their duties according to established policies and procedures,
  internal auditors also verify a variety of qualitative aspects of the organization and its
  activities. Regarding procedures documentation, internal auditors are expected to verify
  that these documents are up to date, that they are relevant, that they reflect the best way to
  perform the work with regard to efficiency and effectiveness, that they are safe from
  unauthorized change, that they are understood by employees, and that their location is
  known by employees so they can refer to them for guidance when there are questions.

• Operational audits may also be concerned with the structure of the organization, since a
  poorly structured organization, or one where information does not flow accurately and
  promptly, jeopardizes efforts to achieve objectives. Poorly structured organizations
  tend to be disorganized, inefficient, have high employee, customer, and vendor turnover,
  and become wasteful. All of these manifestations of dysfunction erode the ingredients for
  success, and an auditor who brings a fresh and objective perspective to the review can
  identify these weaknesses.

As of now, some of you might be wondering how it is different from internal auditing. In order
to address the confusion, read the next page for what internal auditing is all about.

What is Internal Auditing?

According to the Institute of Internal Auditors (IIA), Internal Auditing is defined as follows:

“Internal auditing is an independent, objective assurance and consulting activity designed to
add value and improve an organization’s operations. It helps an organization accomplish its objectives
by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.”

Although this definition has been in place for years, it is still misunderstood by many
non-auditors and, unfortunately, even by some internal auditors. The misunderstanding stems from a
variety of reasons and is heavily influenced by the legacy of auditors performing financial reviews
and internal auditors having accounting backgrounds.

The definition reflects a modern view of the profession and positions auditors in such a way
that they can provide much more valuable assistance to their organizations. The definition creates a
variety of challenges and opportunities for internal auditors, who are no longer engaged in a static,
routine, repetitive, and accounting/finance-focused activity, but are instead admonished to review
business programs, processes, and initiatives in innovative ways that can add tangible value to the
organization.

Traditionally, when people hear the words “internal auditors,” they tend to picture the same
work that external auditors do. Even some of you might believe that it will be a tedious list of
work papers and checklists in order to find faults in companies. Below are some of the scenarios
that led to the evolution of the work of internal auditors.

Common problems in the traditional internal auditing:

• The audit function focused on assessing an organization’s control or operational
  effectiveness with standardization and could do so quickly by using checklists,
  prepared questionnaires, and reviewing the same documents year after year to
  verify consistency.
• The focus on standardization limited the auditor’s ability to be creative. This led
  the internal auditors to isolate themselves from the businesses they examined
  and were supposed to support.
• Generally, management did not believe that the internal audit function
  was making an effective contribution to the company. Some of them wondered
  why some audits were being performed in the first place.
• Reviewing and reperforming accounting procedures seemed wasteful if the
  organization was already paying its external auditors to audit the accounting
  practices that led to the publishing of the company’s financial reports.

Changing roles of Internal Auditors

Today internal audit is achieving a healthier balance among:

• Operational
• Reporting
• Compliance
• Information technology (IT)
• Fraud
• Strategic topics

It is now looking beyond the immediate fiscal year and taking a closer look at longer term trends
and the future implications of current dynamics. It is now identifying a wider set of essential skills,
and finding that to succeed as a trusted advisor to the board and management, it must bring into its
ranks people with a wider skillset, including broad business skills, strong communication skills, and
familiarity with technology.

What is the difference between Operations Auditing and Internal Auditing?

An operational audit acts similarly to an internal audit because an internal auditor conducts
the process. Though they both look at internal processes, there are still some differences between
the two. Typically, a business may conduct an internal audit when something goes wrong within its
processes and procedures. The internal audit will examine the mistake and what allowed it to
occur. Then the company can focus on improving its processes to ensure the error does not happen
again. An internal audit assesses success by seeing whether the process gets completed with no
mistakes.

An operational audit differs because it looks for the potential for improvement within the
company's business operations. It also tends to focus on factors related to processes, such as their
effectiveness and efficiency. Rather than performing an audit due to an issue occurring, the
operational audit examines business areas that may benefit from process improvements. The
operational audit will evaluate a process by assessing whether it completed a task without mistakes
and met company standards for efficiency related to cost, time and resources used.

Operations Auditing Process

I. Determine the auditor

Typically, a company conducts an operational audit internally. They may have an
internal auditor or audit team whose job is to manage internal or operational audits.
However, some companies may not have an internal audit team or an internal
auditor with the necessary knowledge or experience needed, so they may hire an
external specialist to conduct the audit.

II. Plan the audit process

The auditor meets with relevant managers to discuss and plan their audit method.
During this discussion, the auditor gains an understanding of the business and any
potential concerns. They can then identify areas that may require process
improvements, providing challenges for them to focus on during the audit. Through
this conversation, the auditor also establishes the scope and timeline of the audit.

Next, they can begin establishing the audit's goals and strategies. These objectives
vary but should aim to support the organization's needs and overall objectives. They
may focus on a specific area of the company and its related processes. For example,
a company may perform an operational audit on its hiring practices. The auditor and
managers must establish objectives for those processes to meet, such as increasing
the number of employees hired over a set period. Then the auditor uses those
objectives to assess the company's current procedures and find improvements.

III. Conduct the audit

Now the auditor examines the business areas within the scope of their audit
program. The auditor needs to assess the existing processes and procedures to
determine whether they meet the goals set earlier in the audit process. They have
conversations with managers and employees to discuss whether the processes meet
expectations. The auditor also may observe employees as they conduct those
procedures and examine every step.

Once the auditor understands and reviews the processes or procedures, they can
develop tests to evaluate them. Through those tests, the auditor may find specific
factors that need improvement and generate and experiment with solutions that
help fulfill their objectives. An ideal process works without issues and enables the
company to conduct the task in a cost- and time-efficient manner.

IV. Report audit findings

The auditor develops a report on their findings and includes any recommendations
for improvements. Depending on those recommendations, the auditor may also
draft an implementation plan to help the company make the necessary changes.
They discuss these recommendations with relevant managers, ensuring that the
management team understands the findings and solutions. The management may
agree to follow all the suggestions or discuss why some changes may not be feasible.

V. Perform a follow-up

After completing an audit, the auditor sets up a follow-up meeting with the relevant
management team and staff. Commonly, they hold the follow-up about six months
after the audit. During the follow-up, they discuss the changes made to the processes
and assess their results. They measure these results against the objectives set forth by
the audit and determine whether they meet those goals or are making some
progress towards them.

Auditing beyond Accounting, Financial, and Regulatory Requirements

In the past, internal auditors predominantly had accounting degrees, graduated from
university accounting programs, generally were recruited from external public accounting audit
firms, and held CPA certifications. As such, their focus and experience were acquired in the
accounting field, and they saw most audit matters through the prism of accounting requirements.

They then would apply a very effective methodology: Are they doing what the rulebook says? If
“Yes,” the test results were satisfactory. If “No,” the results were documented and communicated as
findings. In essence, this was a very predictable pass/fail approach to auditing.

Over time, business leaders and managers witnessed business failures caused by poor
management decisions and practices such as:

• Operations management
  Some of the related issues are waste, inefficiencies, supplies that arrive late,
  poor customer satisfaction, and limited capacity to grow as opportunities arise or
  customers’ demands change.

• Human resources
  As evidenced by poorly supervised, trained, and evaluated employees who
  sometimes become unmotivated and unproductive.

• IT
  Computer systems designed with an inaccurate understanding of the
  business needs and uses of these systems, poor data capture, and inadequate
  reporting mechanisms.

• Marketing
  Mass marketing of products and services at a time when customers prefer to
  feel unique, or wasteful campaigns because they target the wrong audience.

• Corporate Social Responsibility
  Issues range from child labor, sweatshop conditions, and abusive management
  to inappropriate waste disposal.

• Environmental Health and Safety (EHS)
  Practices and conditions related to poor ventilation, excessive heat, extreme
  noise levels, and workplace hazards caused by chemicals, machinery, and workplace
  configurations, among others.

There is a long list of changes in the business industry that paved the way to the enhancement
of the role of the internal auditors. In light of these dynamics, internal auditors have risen to the
challenge by embracing a methodology that goes beyond accounting and more closely aligns itself
with the recurring business risks and practices.

The Value Auditors Provide

Internal auditors are unfortunately not always regarded as highly as they should be. Seeing
them as an obstacle, too many managers and employees fail to recognize that internal auditors
provide a very valuable service to their clients—whether they are employees of the firm, or hired
externally to provide internal audit services.

Internal auditors promote the efficient and effective use of resources. Since organizations
operate with the funding received or authorized by their owners or contributors, it is imperative
that the organization operates with this principle of financial fiduciary responsibility.

Fiduciary duty is a legal duty to act solely in another party’s interests. Parties owing this
duty are called fiduciaries. The individuals to whom they owe a duty are called principals. Fiduciaries
may not profit from their relationship with their principals unless they have the principals’ express
informed consent. They also have a duty to avoid any conflicts of interest between themselves and their
principals or between their principals and the fiduciaries’ other clients.

Recognition of the duties that all employees have to the principals is central to the proper
discharge of their responsibilities as employees, who should always act in the interests of the main
stakeholders of the organization. Internal auditors contribute to this process by
making sure that these duties are defined, that structures are set to ensure behaviors are aligned
with these objectives, and by making recommendations to the board and senior management when
there are discrepancies jeopardizing the success of these arrangements.

In the aggregate, internal auditors serve the public and common interests by making sure
that owners receive the return on their investments that they are entitled to, and that the means of
generating those profits are within the confines of the law. Beyond shareholders, however, internal
auditors help the process of making sure that the interests of all relevant stakeholders are met.
Stakeholders can be categorized as economic/primary and noneconomic/secondary.

Figure 1.1 Primary (economic) stakeholders
(diagram labels: Organization, Employees, Investors, Suppliers, Creditors, Customers)

An important aspect of the modern manager and auditor’s job is to identify relevant
stakeholders and to understand their interests. It is also important to understand the power
they have to assert these interests. This process is called stakeholder analysis, which asks
three fundamental questions:

1. Who are the relevant stakeholders?
2. What are the interests of each stakeholder?
3. What is the power of each stakeholder?

Table 1.1 Primary Stakeholders, Nature of Interest, and Power

| Stakeholder | Interest | Power |
|---|---|---|
| Employees | Maintain stable employment; Receive fair pay; Work in a safe, comfortable environment | Bargaining power; Work actions, strikes, and lawsuits; Publicity |
| Suppliers | Receive regular orders for goods/services; Be paid promptly | Refusing to meet orders; Supplying to competitor |
| Customers | Receive value and quality for money; Receive safe, reliable products | Purchasing from competitors; Boycotting; Refusing to pay |
| Creditors | Receive repayment of loans; Collect debts and interest | Calling loans; Use legal authorities to repossess assets |
| Investors | Receive a satisfactory return on investments; Realize an appreciation in value | Exercise voting rights; Ability to inspect company records and reports |

Figure 1.2 Secondary (noneconomic) stakeholders
(diagram labels: Organization, Governments, General Public, Media, Communities, Activists groups,
Business support groups)

A business’s relationships go beyond those primary involvements to others. Secondary
interactions occur when other individuals and groups show an interest in or concern about the
activities of the organization. Noneconomic, nonmarket, or secondary stakeholders are people,
groups, or organizations that, though not engaging in direct economic exchange with the firm,
are affected by or can affect its primary activities and decisions.

Table 1.2 Secondary Stakeholders, Nature of Interest, and Power

| Stakeholder | Interest | Power |
|---|---|---|
| Governments | Promote economic development; Raise revenues through taxes | Adopting regulations and laws; Issuing licenses and permits |
| Media | Keep the public informed; Monitor company actions | Publicizing events that affect the public |
| Activists groups | Monitor company actions for ethical and legal behavior | Lobbying government for regulations; Gaining public support |
| Business support groups | Provide research and information to improve competitiveness | Using staff/resources to help companies; Providing legal political support |
| Communities | Employ local residents; Ensure local development | Issuing/restricting operating licenses; Lobbying government for regulations |
| General public | Minimize risks; Achieve prosperity for society | Supporting activists; Pressing government to act; Praising or condemning companies |

Identifying Operational Threats and Vulnerabilities

Internal auditors need to go beyond inspecting transactions long after they were
performed because the focus now leans toward an examination of future threats and vulnerabilities
that can derail the organization’s goals and objectives in the short, medium, and even the long term.
In fact, focusing on future events and the future implications of present events would
add more value to their organizations than reporting primarily on past events. When auditors
report primarily on past events, as has been common practice in the past, the organization
dedicates itself to correcting past issues, which creates rework.

These future-oriented threats and vulnerabilities can be:

• Operational: such as maintaining operational capacity, speed of execution (i.e., cycle time),
  staffing levels, employee motivation, knowledge transfer, system development,
  and implementation.

• Technological: including protection of intellectual property and personally identifiable
  information, denial of service attacks, business continuity due to staff turnover,
  and system development.

• Strategic: referring to concerns related to strong customer and vendor relations, customer
  loyalty, building effective business partnerships, outsourcing arrangements, and
  mergers and acquisitions.

• Environmental: which may include reliable supply of water and electricity, achieving a lower
  carbon footprint, and reducing the amount of natural resources used during
  business activities.

Internal auditors can no longer be content with reviewing the accuracy, completeness, and
authorization of compliance and financial transactions. It is no longer enough to audit from the
perspective of stated controls, “ticking and tying” transactions from one source to a recorded entry;
they must apply a far more dynamic and insightful methodology—one that is risk based.

Skills Required for Effective Operational Audits

The paradigm shift in the work of internal auditing from being controls-based to risk-based
means that internal auditors must acquire and apply different skills to their trade from what they
did in the past. Auditors must examine risk exposures and the measures in place to address more
than accounting and financial risks.

According to the IIA Research Foundation Core Competencies Report, the following are the top
general competencies of internal auditors:

1. Communication skills, such as oral, written, report writing, and presentation skills
2. Problem identification and solution skills, such as conceptual and analytical thinking
3. Ability to promote the value of internal audit
4. Knowledge of industry, regulatory, and standards changes
5. Organization skills
6. Conflict resolution/negotiation skills
7. Staff training and development
8. Accounting frameworks, tools, and techniques
9. Change management skills
10. IT/CT* framework, tools, and techniques
11. Cultural fluency and foreign language skills

In terms of behavioural skills, internal auditors should possess the following skills:

• Confidentiality
• Objectivity
• Communication
• Judgment
• Work well with all management levels
• Possess governance and ethics sensitivity
• Be team players
• Relationship building
• Work independently
• Team building
• Leadership
• Influence
• Facilitation
• Staff management
• Change catalyst skills

The Standards relevant to Operational Auditing

The Institute of Internal Auditors (IIA) is a leader in certification, education, and research
for professionals engaged in evaluating an organization's operations and controls.
Established in 1941, the Institute of Internal Auditors awards the Certified Internal
Auditor (CIA) designation, a globally accepted certification for internal auditors.

The IIA has its global headquarters in Altamonte Springs, Florida, and has more than
200,000 members worldwide through 103 institutes and 159 chapters in the United States, Canada,
and the Caribbean.

The Institute of Internal Auditors Philippines Inc. (IIAP) was registered with SEC in
1982 and was formerly known as The Institute of Internal Auditors, Inc. – Manila Chapter. It was
founded on August 14, 1948 by Mr. Santiago F. Dela Cruz Sr. along with a small group of accountants
actively engaged in the profession.

The Institute of Internal Auditors' primary professional designation is the certified
internal auditor (CIA) designation. By earning the CIA designation, individuals demonstrate deep
professional knowledge of the internal audit profession. Globally, this mark is recognized as an
expert level standard for competency and professionalism throughout the internal audit field.

The Institute of Internal Auditors also offers the certification in risk management
assurance (CRMA), and the qualification in internal audit leadership (QIAL) certification.

As a historically significant discipline, internal auditing is often overlooked. The IIA
honors this storied function by educating experts and the general public on how historians have
traced the roots of internal auditing to centuries B.C., as merchants verified receipts for grain
brought to market. The expansion of corporate business and commercial enterprise drove the
profession's growth in the 19th and 20th centuries. Demand grew for systems of control in
companies conducting operations in various locations while employing thousands of people. Today,
many people associate the genesis of modern internal auditing with the establishment of the
Institute of Internal Auditors.

The following standards are relevant to operational auditing:

1210—Proficiency. Internal auditors must possess the knowledge, skills, and other competencies
needed to perform their individual responsibilities. The internal audit activity collectively must possess
or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

1210.A3—Internal auditors must have sufficient knowledge of key IT risks and controls and available
technology-based audit techniques to perform their assigned work. However, not all internal auditors
are expected to have the expertise of an internal auditor whose primary responsibility is IT auditing.

1220.A2—In exercising due professional care internal auditors must consider the use of
technology-based audit and other data analysis techniques.

1220.A3—Internal auditors must be alert to the significant risks that might affect objectives,
operations, or resources. However, assurance procedures alone, even when performed with due
professional care, do not guarantee that all significant risks will be identified.

2010—Planning. The Chief Audit Executive (CAE) must establish a risk-based plan to determine the
priorities of the internal audit activity, consistent with the organization’s goals.

2120—Risk management. The internal audit activity must evaluate the effectiveness and contribute to
the improvement of risk management processes.

2120.A1—The internal audit activity must evaluate risk exposures relating to the organization’s
governance, operations, and information systems regarding the:

• Achievement of the organization’s strategic objectives
• Reliability and integrity of financial and operational information
• Effectiveness and efficiency of operations and programs
• Safeguarding of assets
• Compliance with laws, regulations, policies, procedures, and contracts

2130.A1—The internal audit activity must evaluate the adequacy and effectiveness of controls in
responding to risks within the organization’s governance, operations, and information systems
regarding the:

• Achievement of the organization’s strategic objectives
• Reliability and integrity of financial and operational information
• Effectiveness and efficiency of operations and programs
• Safeguarding of assets
• Compliance with laws, regulations, policies, procedures, and contracts

2130—Control. The internal audit activity must assist the organization in maintaining effective
controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

2201—Planning considerations. In planning the engagement, internal auditors must consider:

• The objectives of the activity being reviewed and the means by which the activity controls its
  performance
• The significant risks to the activity, its objectives, resources, and operations and the means by
  which the potential impact of risk is kept to an acceptable level

2220.A1—The scope of the engagement must include consideration of relevant systems, records,
personnel, and physical properties, including those under the control of third parties.

2310—Identifying information. Internal auditors must identify sufficient, reliable, relevant, and useful
information to achieve the engagement’s objectives.

2330—Documenting information. Internal auditors must document relevant information to support
the conclusions and engagement results.

2410.A2—Internal auditors are encouraged to acknowledge satisfactory performance in engagement
communications.

2420—Quality of communications. Communications must be accurate, objective, clear, concise,
constructive, complete, and timely.
