Operational Audits

Mentioning the word audit can conjure up thoughts of financial audits that are often done
to assure stakeholders that financial statements are accurate and complete. However,
that’s not the only type of auditing that’s useful to a business. Organizations of every
type — government, universities, hospitals, manufacturers, banks, and others — need to
understand where they are doing well, and where they need to improve to achieve
sustainable growth. Many companies are looking to operational audits to create greater
value by improving operational performance including dimensions of quality, speed,
agility, efficiency, environment, customer value, and cost.

This guide will help you understand the basics of operational audit processes with expert
insights, checklists, examples to help you start gaining the internal business intelligence
needed to support informed decision making and continuous improvement.

What Are Operational Audits?

Operational audits are a forward looking process, and are part of many organizations’
ongoing business improvement process toolkit. The findings of operational audits are
intended to diagnose which areas need attention and to safeguard assets by averting
potential future risks.

The Operational Auditing Handbook borrows The Institute of Internal Auditors’ (IIA)
definition of an operational audit: “A systematic process of evaluating an organization's
effectiveness, efficiency and economy of operations under management's control and
reporting to appropriate persons the results of the evaluation along with
recommendations for improvement.”

While an audit is usually associated with financial matters, operational audits are more
comprehensive and go beyond financial data (although that type of reporting is often
included). The primary information sources are policies and achievements related to the
objectives of the organization.

Operational audits are a ‘deep dive’ into every facet of management. As a result, start-
to-finish time frames can vary from a few weeks to many months, depending on scope,
complexity, and size of the organization, and whether the audit is for the entire entity or
a particular business unit. Unlike financial audits, which are conducted by external
entities, operational audits are often carried out by an internal auditor.

What Is the Objective of an Operational Audit?

“The first step is to establish its objectives, can vary depending on the type of
organization and its KPIs, or whether the audit is being conducted to answer a specific
concern from challenges arising in areas like human resources, customer relations, or
manufacturing slowdowns. There may also be government compliance issues to consider
such as consumer safety.”

Part of the objective should also be to maintain quality in the auditing process. “The
standards that apply are defined by ISO 19011, and that is what I recommend as a best
practice. The graphic below covers the main standard areas that govern audits:

Source: How to Conduct a Quality Internal Audit

1. Integrity: Withstand pressures that may be exerted and take care to comply with
any legal requirements.
2. Fair Presentation: Present all results fairly and report significant concerns.
3. Due Professional Care: Use diligence, due care, and reasoned judgments in
every situation.
4. Confidentiality: Keep information secure, and protect confidential or sensitive
information.
5. Independence: Maintain impartiality and keep actions and reporting bias-free.
6. Evidence-Based: Depend on a fact-based approach to reach reliable conclusions.

Understanding the true status of operations is the basis for a healthier, more competitive,
and more profitable organization.
Benefits of Organizational Audits
Conducted by an internal or external auditor, audits are objective. They supply a fresh
perspective on the good and not-so-good aspects of organizational practices and
processes. The final report should make management aware of problems they might not
have otherwise understood, and gives them a knowledge-base for making improvements.
Executives can also use organizational audit results to motivate team members and
emphasize existing or new goals. Subsequent actions can then lead to greater
profitability, legal compliance, and employee satisfaction in the long term.

From an overarching perspective, operational audit programs are valuable to four

entities:

The Organization can achieve its aims by applying disciplined, systematic methods to
assess and advance the effectiveness of control, risk management, and governance
processes.

 The Individual can continuously improve their ability to apply knowledge and
skills to deliver the intended results.
 The End User or Consumer receives more cost efficient and high-quality
products or services.
 The World benefits from a better, more sustainable future.

Organizations can expect to achieve five primary goals or main advantages by

performing any operational audit:

 Influence Positive Change: Understand how future processes, policies,

procedures, and other types of management are producing maximum effectiveness
and efficiency.
 Review Internal Controls: Establish the potential impact of successes and
failures in the specialized functional areas of operation.
 Understand Risks: The type of risks associated with business and operational
risk range from business interruption, employee omissions or errors, IT system
failure, product failure, safety and health issues, loss of key employees, fraud, loss
of suppliers, and litigation.
 Identify Improvement Opportunities: As a result of understanding risks,
auditors can determine where to make improvements and how to mitigate risks
and improve opportunities. The broad categories of risk - and where
improvements should occur - are operational risk, financial risk, environmental
risk, and reputational risk.
  Inform Senior Management: The results of the audit should appear in a clear
report that provides objective analysis, appraisals, recommendations, and
pertinent comments concerning the activities reviewed.

Operational Audits Are Continuous Improvement Tools

To meet the challenges of a rapidly changing marketplace and regulatory environment,

companies must continually reinvent the way they do business. “The most widely used
tools are the plan-do-check-act or Deming Cycle, which the auditor uses in their own
auditing activities.” Organizations should conduct audits regularly to support continuous
improvement and to check the progress of quality measures recommended in previous
audits.

The internal audit isn’t immune to the pressures organizations can experience, so
auditors need to find innovative means to help their company succeed. Many companies
or specific departments (such as IT) focus on incremental improvement to improve
processes, products, and services, or all three.

Operational Audit Challenges

When asked about the biggest challenges to conducting operational audits, “Top
management support for the auditing program can sometimes be difficult to obtain,
since, by its nature, the process highlights management issues.” He adds, “There needs
to be effective management processes in place to handle conflict management which
may arise due to the audit, and a systems approach to linking organizational goals and
objectives.”

Change Management
Change management needs to be well-handled. The results of the audit will likely lead
to multiple changes, and team members and managers may have difficulty adjusting to
different expectations, processes, personnel, or budgets. Change can also affect
teamwork, but those issues can be mitigated. To learn about how to manage and build
strong teams who can deal with change, review Everything You Need to Know about
Team Assessments.

A helpful tool to help manage change is to use RACI (Responsible, Accountable,

Consulted, Informed) principles to achieve change that may result from an operations
audit. Get more details on how to implement RACI effectively by reading A
Comprehensive Project Management Guide for Everything RACI, which also includes
free templates to help teams cope and flourish during times of change.

Operational Auditing Expenses

There are costs involved during and after an audit. If the auditor is a consultant, of course,
there will be fees for their engagement. There is also the cost of having projects or
production slow temporarily when managers and employees are working with the
auditor. If the auditor usually holds another position within the company, there may be
a slowdown in his or her regular job responsibilities. As mentioned, there may be costs
associated with necessary changes.

Auditor Evaluation
Considering the major responsibility of the auditing position (whether the auditor or
auditors are operating internally or externally), “The competence of the auditor or
auditors should be determined based on explicit evaluation criteria.”

He provides this evaluation checklist to help assist in the selection of the best candidate:
Demand for Internal Auditing Experts Is increasing
As proof that the number of operational audits is increasing, the need for internal auditing
experts is on the rise. Robert Half International has found that the demand for internal
auditors in the United States is going strong and that the need for internal auditors is
growing faster than the average for all occupations through 2024. Demand for the
profession is also mounting in Europe and Asia.

Different Types of Operational Audits

In addition to overall operational audits, some subcategories cover specific business
functions and operations:

 Financial Audits or Review: Financial audits focus on financial controls as they

relate to reporting to internal and external governing bodies. Financial statement
auditing is the bailiwick of external auditors. Internal audits complement the work
of operational audits, which includes some form of budget, or a financial review.
 Operational Audits: As noted, operational audits focus on the review and
assessment of single or multiple business processes.
  Department Reviews: Different departments or divisions may run a periodic
analysis to assess the adequacy of controls, how well assets are safeguarded, how
resources are used, and if there is compliance with applicable laws.
 Information System (IT) Audits: Information systems audits investigate overall
infrastructure and networks, technical operations, data center operation, project
management, and review security status and procedures.
 Investigative Audits: When a company suspects a risk of security breach, or
when one has occurred on the part of an individual or department, there is often
an investigative audit to understand causes and additional background information
and research.
 Compliance Audits: Compliance audits review the level of compliance with
external regulatory requirements or internal policies.
 Marketing Audits: A marketing audit is a broad, precise, and autonomous probe
into the marketing of a company or a business. An audit holds both an external
situation analysis and a thorough review of internal marketing goals, strategies,
capabilities, processes, and systems. The result is actionable recommendations to
improve progress toward stated goals.
 Follow-Up Audits: After an operational audit report has been issued, it is
standard practice to follow up to evaluate corrective actions, usually within a six
month period.

Operational Audit Process and Checklist

The overall process flow for operational audits, has a set of steps, which includes the use
of PDCA for quality and continuous improvement:
 Source: How to Conduct a Quality Internal Audit,

 Establishing Objectives: Base objectives on management goals and priorities.

Consider the characteristics of products, projects, processes, and any changes to
them. Take into account management system requirements, contractual and legal
requirements, and other requirements. Evaluate suppliers and the needs and
expectations of interested parties, including customers. Take into account the
auditee’s level of performance, risks, previous audit results, and the maturity of
the management system being audited.
 Establishing the Audit Program: Identify the responsibilities of the audit
program manager and establish his or her competence of the person. Determine
the scope and potential risks, then set procedures and identify resources.
  Implementing the Audit Program: Define the objectives, scope, and criteria,
and select the audit team members and assign responsibility to the audit team
leader. Manage the outcome and records.
 Monitoring the Audit Program: Assess conformity with the program, schedule,
and objectives, and then assess the performance of the audit team members and
the ability of the audit teams to implement the plan. Evaluate feedback of all
stakeholders. Some factors can determine the need to modify the program,
including audit findings, the demonstrated level of management system
effectiveness, and changes to the auditee’s management system, standards, and
other requirements.
 Reviewing and Improving the Audit Program: Evaluate if objectives have been
achieved. Use lessons learned as inputs for continual improvement. The review
should consider results and trends, conformity with procedures, the evolving
needs and expectations of interested parties, records, alternative or new auditing
methods, the effectiveness of the measures to address associated risks, and
confidentiality and information security issues relating to the audit program.

Operational Audit Activities

What’s included in a typical audit implementation? Provides an overview and a brief
look into the details for each phase:

Source: How to Conduct a Quality Internal Audit,

 Initiating the Audit: Establish initial contact with the auditee and any designated
leaders. Determine the feasibility of the audit and review the assignment to ensure
the objectives are achievable.
 Preparing Audit Activities: Review pertinent documents. Prepare the audit plan,
assign work as needed, and organize necessary action plans and documents.
 Conducting Audit Activities: Conduct a meeting to confirm that all parties agree
to the proposed plan. Introduce team members to management and each other.
Double check that you can perform the audit actions defined in the plan as
intended. Review documents as needed throughout the process. The team should
regularly meet to review and exchange information, assess progress, and reassign
work if necessary.

Source: How to Conduct a Quality Internal Audit,

 Collecting and Verifying Information: After you receive the audit documents,
review the information sources. Audit the evidence and evaluate it against the
audit criteria. Review conclusions.
 Generating Audit Findings: The findings will conform or not conform with
audit criteria. For a non-conforming finding, record the supporting evidence.
Review the information with the auditee to ascertain if the evidence is correct. The
team should meet to review findings at designated and/or appropriate audit stages.
 Conducting the Audit Activities: Before the closing meeting to review findings,
the audit team should confer and collect information against objectives. The team
should agree on conclusions, prepare recommendations, and discuss follow-up.
Have a closing meeting facilitated by the team leader to present the findings and
conclusions.
 Preparing and Distributing the Audit Report: The team leader reports the
results with a complete, accurate, concise, and clear audit record, and delivers it
within the agreed period. In case of a delay, auditee and program manager should
 discuss why it happened. The report must be dated, reviewed, and approved based
on agreed upon procedures. Distribute the report as defined in the plan to the
appropriate recipients.
 Completing the Audit: Work is complete when all planned audit activities are
accomplished. Documents are kept or destroyed based on the procedures and
applicable requirements set at the beginning of the audit. If disclosure is necessary,
inform the audit client and auditee as soon as possible. Add lessons learned from
the audit to the continual improvement process.

Operational Auditing Checklists

When asked about using checklists, explains, “Checklists vary based on the purpose,
audit type, and audit criteria. However, the audit process and auditing principles remain
constant.”

Here’s a checklist that you can use as a framework. Each part of the checklist will likely
need to be broken down into separate activities - plan, do, check, and act - based on the
size and scope of your particular operational audit. To help organize more granular
activities, you’ll find downloadable templates later in this article.
Audit PBC Checklist Template
Whether you have an internal or external auditor, the entire process is much easier when
you’re prepared. Based on the goal of the audit, the checklist can be a valuable guide to
gathering needed documents, clarifying objectives to the team, and keeping key
stakeholders in the loop. This template helps manage and track the pre-audit, and you
can share it with your auditor in real time to generate comment threads, attach documents
and track status with RYG alerts.

Operational IT Audit Guide

If you’re preparing for an IT audit, this complete guide for IT managers, security officers,
systems engineers, developers, or help desk managers provides information to maximize
efficiency of your audit, ensure security, and create repeatable processes

Operational Audit and Audit Plan Examples

To see what operational audit processes and documentation looks like in practice, we’ve
included some examples.

Government Audits: For entities of any size - from cities to the United States federal
government - the documentation is made available to the public in the interest of
transparency.

Non-Government Audits: By definition, audits are proprietary, internal processes that an

organization’s management uses for its own improvement. They are released for public
viewing based on the organization’s discretion.

Financial audits: This type of audit provide an opinion about whether or not financial
statements are true based on accounting standards for the benefits of tax authorities,
customers, investors, and regulators. To learn more specific about financial audits, read
Financial Audit Manual: Processes, Requirements and Checklists.

 City Operational Audit Examples - El Paso, Texas: Like most cities, El Paso
Texas reports each fiscal year on multiple operations, functions and services, such
as community and human development management, capital improvements, and
other specific areas it governs. The internal audit for Fiscal Year 2017 is available
in multiple downloadable sections. The reports focus on different areas each year,
as well. Review El Paso Internal Audit for Fiscal Year 2017 and El Paso Internal
Audit for Fiscal Year 2016.
 State Operational Audit Plan Example - Indiana Office of Management &
Budget: Deloitte & Touch performed an audit for the for the Indiana Department
of Revenue for its oversight agencies in 2012. You can review the full results in
its Controls and Performance Audit.
 Hospital Operational Audit Plan Document Example - University of Texas
(UT): The Office of Internal Audit for UT Health North conducted a risk-based
audit which reviewed equipment leases, acquisitions, maintenance, and
warranties. You can examine the full 27-page document at Capital Equipment
Operational Audit.
 University Internal Audit Plan - University of Colorado: Operational audits
evaluate whether university processes are adequate and function in a manner that
helps ensure achievement of objectives. They review operations to see what can
be improved, conduct investigations into suspected or reported irregularities,
assess programs and initiatives, consult with stakeholders, and provide feedback
to ensure sound business practices. You can review the current University of
Colorado Department of Internal Audit 2018 Audit Plan.
 Public Facilities - The Port of Seattle: Airport public parking operation
management controls were reviewed to ensure that transactions were handled
correctly in the Seattle-Tacoma International Airport garage and to ensure
facilities were well-managed. Examine The Internal Audit Report:
Comprehensive Operational Audit Airport Public Parking Operation to see the
results.
 Credit Union - Sample Credit Union Report on Operations: This is a reporting
template credit unions follow to comply with National Credit Union
Administration (NCUA) standards for operations and management review.
Examine the 22-page format in Sample Credit Union Report on Operations.
 Non-Profit/International Relief - United Nations (UN) Audit: The United
Nations performed an audit to track how logistical support was hampered in its
African Union-United Nations Hybrid Operation in Darfur from January 2008
through 2010. Review the Audit of Logistic Operations in UNAMID full report.
 Intellectual Property - World Intellectual Property Organization: A 2015
operational report examined the effectiveness and efficiency of essential business
processes including organizational structure, risk management, and controls.
Review the Audit of the Management of WIPO Customer Services.
 Pharmaceutical Manufacturing - Univar: Univar is a leading global distributor
of chemistry and related innovative products and services. Labtopia, a consulting
firm, created a sample audit report for suppliers to use to report on operations.
Review the 18-page template Audit Report.
 Manufacturing - Factory Audit Report (Asia): Asian Inspection provides the
means for its customers to conduct operational audits. The format for a report
includes workflow charts, system management, labor, hygiene and social
responsibility sections. View the 33-page Factory Audit Report.