Professional Documents
Culture Documents
Developing Operational Review Programmes For Managerial and Audit Use
Developing Operational Review Programmes For Managerial and Audit Use
Operational audits are a forward looking process, and are part of many organizations’
ongoing business improvement process toolkit. The findings of operational audits are
intended to diagnose which areas need attention and to safeguard assets by averting
potential future risks. The Operational Auditing Handbook borrows The Institute of
Internal Auditors’ (IIA) definition of an operational audit: “A systematic process of
evaluating an organization's effectiveness, efficiency and economy of operations under
management's control and reporting to appropriate persons the results of the evaluation
along with recommendations for improvement.”
While an audit is usually associated with financial matters, operational audits are more
comprehensive and go beyond financial data (although that type of reporting is often
included). The primary information sources are policies and achievements related to the
objectives of the organization.
Operational audits are a ‘deep dive’ into every facet of management. As a result, start-
to-finish time frames can vary from a few weeks to many months, depending on scope,
complexity, and size of the organization, and whether the audit is for the entire entity or
a particular business unit. Unlike financial audits, which are conducted by external
entities, operational audits are often carried out by an internal auditor.
Understanding the true status of operations is the basis for a healthier, more competitive,
and more profitable organization.
The internal audit isn’t immune to the pressures organizations can experience, so
auditors need to find innovative means to help their company succeed. Many
companies or specific departments (such as IT) focus on incremental improvement to
improves processes, products, and services, or all three.
Operational Audit Challenges
When asked about the biggest challenges to conducting operational audits, Kandarpa
says, “Top management support for the auditing program can sometimes be difficult to
obtain, since, by its nature, the process highlights management issues.” He adds,
“There needs to be effective management processes in place to handle conflict
management which may arise due to the audit, and a systems approach to linking
organizational goals and objectives.”
Change Management
Change management needs to be well-handled. The results of the audit will likely lead to
multiple changes, and team members and managers may have difficulty adjusting to
different expectations, processes, personnel, or budgets. Change can also affect teamwork,
but those issues can be mitigated. To learn about how to manage and build strong teams
who can deal with change, review Everything You Need to Know About Team
Assessments.
A helpful tool to help manage change is to use RACI (Responsible, Accountable, Consulted,
Informed) principles to achieve change that may result from an operations audit. Get more
details on how to implement RACI effectively by reading A Comprehensive Project
Management Guide for Everything RACI, which also includes free templates to help teams
cope and flourish during times of change. Operational Auditing Expenses
There are costs involved during and after an audit. If the auditor is a consultant, of
course, there will be fees for their engagement. There is also the cost of having projects
or production slow temporarily when managers and employees are working with the
auditor. If the auditor usually holds another position within the company, there may be a
slowdown in his or her regular job responsibilities. As mentioned, there may be costs
associated with necessary changes.
Auditor Evaluation
Considering the major responsibility of the auditing position (whether the auditor or
auditors are operating internally or externally), Kandarpa believes that “The competence
of the auditor or auditors should be determined based on explicit evaluation criteria.”
He provides this evaluation checklist to help assist in the selection of the best
candidate:
Initiating the Audit: Establish initial contact with the auditee and any designated
leaders. Determine the feasibility of the audit and review the assignment to
ensure the objectives are achievable.
Preparing Audit Activities: Review pertinent documents. Prepare the audit
plan, assign work as needed, and organize necessary action plans and
documents.
Conducting Audit Activities: Conduct a meeting to confirm that all parties
agree to the proposed plan. Introduce team members to management and each
other. Double check that you can perform the audit actions defined in the plan as
intended. Review documents as needed throughout the process. The team
should regularly meet to review and exchange information, assess progress, and
reassign work if necessary.
When asked about using checklists, Kandarpa explains, “Checklists vary based on the
purpose, audit type, and audit criteria. However, the audit process and auditing
principles remain constant.”
Here’s a checklist that you can use as a framework. Each part of the checklist will likely
need to be broken down into separate activities - plan, do, check, and act - based on
the size and scope of your particular operational audit. To help organize more granular
activities, you’ll find downloadable templates later in this article.
Operational Audit and Audit Plan Examples
To see what operational audit processes and documentation looks like in practice,
we’ve included some examples.
Government Audits: For entities of any size - from cities to the United States federal
government - the documentation is made available to the public in the interest of
transparency.
Non-Government Audits: By definition, audits are proprietary, internal processes that
an organization’s management uses for its own improvement. They are released for
public viewing based on the organization’s discretion.
Financial audits: This type of audit provide an opinion about whether or not financial
statements are true based on accounting standards for the benefits of tax authorities,
customers, investors, and regulators.
-------------------
An operational review program is an internal process designed to help teams, across all
departments and geographies, work together toward common organizational goals.
Audit Programme
An audit program is a set of directions that the auditor and its team
members need to follow for the proper execution of the audit. After
preparing an audit plan, the auditor allocates the work and prepares a
program which contains steps that the audit team needs to follow
while conducting an audit. Thus, an auditor prepares a program that
contains detailed information about various steps and audit procedures
to be followed by the audit.
Audit Programme
An audit program provides a basic plan for the audit team regarding the
entity’s business, its size, how to conduct the audit, allocation of work
among team members and the estimation of time within which it should
complete the work.
It contains details regarding the relevancy of evidence, materiality level,
risk tolerance, measure of the sufficiency of the evidence. Thus,
programs enhance the accountability of the audit team and its members
for the work performed by them.
PROCESS GOVERNANCE
Process governance is a major issue, and yet often forgotten and overlooked by
organizations.
In short, we can say that process governance is the way in which a company can
consolidate the process management initiatives within standards, rules, and guidelines
that all go together towards a common goal.
The term governance alone can be understood as the ability to target and orchestrate joint
efforts with the authority and acceptance of all.
In the context of process governance, its purpose is to prevent isolated and disconnected
management initiatives from processes contributing only small, localized results. It is
necessary for process improvements to add value to the supply chain in a consistent,
systematic and integrated manner, given the strategic plan set by the top management of
the company.
In short, process governance should be able to promote the guidance and direction of process
management to create synergy between initiatives and continuous improvement. For this
purpose, it can make use of some initiatives.
Through these initiatives and to achieve the objectives indicated above, there are three
levels of responsibility:
As can be seen, the degree of responsibility increases from the first level, more
operational, through to the second, management, and to a more strategic third level,
where alignment with the top management of the company is essential.
As you have seen, the concept of process governance is a kind of guardian of your
company’s integrity and should maintain its consistency with the organization’s goals. To
implement it correctly, the use of appropriate and current BPM tools is essential.
Everybody knows that BPM is a powerful method that can solve your company’s
problems while making it grow. However, what are some real life and proven BPM
benefits? That is what we will approach next.
5 BPM benefits that will make you want to
implement it now
1 – Wastage reduction
When we talk about wastage, we mean all kinds of wastage. Resources, money, time,
efforts, all these are essential for a company and must be wisely allocated. If this does not
happen, the product/service may be delivered, but not on the most effective way. This
causes client’s dissatisfaction, loss of money and disorganization.
With BPM, the processes are scanned and understood, thus making it easier to spot
bottlenecks and improvement points. We cannot fix what we cannot understand, and
BPM brings the best tool to understand the company: process mapping. To map a process
is to organize all the steps, participants and information that the process holds. This will
result in a better allocation of resources and removal of redundant tasks and therefore in a
wastage cut. This is a priceless benefit of Business Process Management.
Once the processes are automatized, they become available to all the staff. Everybody can
visualize and understand the process and their role in it. The manager has access to all the
information, can see in which step the process is and what everybody is doing. This BPM
benefit will clearly result in more organized processes, more transparent actions and more
effective results.
5 – Better communication
Common employees’ complaint is about the lack of information, unsafety about
what exactly is expect of them and absence of communication between sectors. With
BPM, this will radically change, as all the information is easily accessed and updated by
all. The roles, as well, are determined and clear, making the job much more organized
and the expectations controlled.
The benefits of Business Process Management can take some time to appear. However,
they are lasting and dependable. The whole culture of the company must change to
receive the BPM methodology and really embrace it. With the control that the method
offers, it is easy to measure just how much the company improved and grew! Now
that you know the benefits Business Process Management can bring, see how to
successfully implement it here!
Risk management does require some investment of time and money but it does not need to
be substantial to be effective. In fact, it will be more likely to be employed and maintained
if it is implemented gradually over time.
The key is to have a basic understanding of the process and to move towards its
implementation.
The four main risk categories of risk are hazard risks, such as fires or injuries; operational
risks, including turnover and supplier failure; financial risks, such as economic recession;
and strategic risks, which include new competitors and brand reputation. Being able to
identify what types of risk you have is vital to the risk management process.
An organization can identify their risks through experience and internal history, consulting
with industry professionals, and external research. They may also try interviews or group
brainstorming, as discussed in this Project Manager article 8 New Ways to Identify Risks .
It’s important to remember that the risk environment is always changing, so this step
should be revisited regularly.
2. Measure frequency and severity
What is the likelihood of a risk occurring and if it did, what would be the impact?
Many organizations use a heat map to measure their risks on this scale. A risk map is a
visual tool that details which risks are frequent and which are severe (and thus require the
most resources). This will help you identify which are very unlikely or would have low
impact, and which are very likely and would have a significant impact.
Knowing the frequency and severity of your risks will show you where to spend your time
and money, and allow your team to prioritize their resources.
More details on risk maps can be found in our blog posts on the topic: The Importance of
Risk Mapping and How to Build a Risk Map.
3. Examine alternative solutions
What are the potential ways to treat the risk and of these, which strikes the best balance
between being affordable and effective? Organizations usually have the options to accept,
avoid, control, or transfer a risk.
Accepting the risk means deciding that some risks are inherent in doing business and that
the benefits of an activity outweigh the potential risks.
To avoid a risk, the organization simply has to not participate in that activity.
Risk control involves prevention (reducing the likelihood that the risk will occur) or
mitigation, which is reducing the impact it will have if it does occur.
Risk transfer involves giving responsibility for any negative outcomes to another party, as
is the case when an organization purchases insurance.
4. Decide which solution to use and implement it
Once all reasonable potential solutions are listed, pick the one that is most likely to achieve
desired outcomes.
Find the needed resources, such as personnel and funding, and get the necessary buy-in.
Senior management will likely have to approve the plan, and team members will have to be
informed and trained if necessary.
Set up a formal process to implement the solution logically and consistently across the
organization, and encourage employees every step of the way.
5. Monitor results
Risk management is a process, not a project that can be “finished” and then forgotten
about. The organization, its environment, and its risks are constantly changing, so the
process should be consistently revisited.
Determine whether the initiatives are effective and whether changes or updates are
required. Sometimes, the team may have to start over with a new process if the
implemented strategy is not effective.
If an organization gradually formalizes its risk management process and develops a risk
culture, it will become more resilient and adaptable in the face of change. This will also
mean making more informed decisions based on a complete picture of the organization’s
operating environment and creating a stronger bottom line over the long-term.
Separation of Duties
Separation of duties involves splitting responsibility for bookkeeping, deposits,
reporting and auditing. The further duties are separated, the less chance any single
employee has of committing fraudulent acts. For small businesses with only a few
accounting employees, sharing responsibilities between two or more people or
requiring critical tasks to be reviewed by co-workers can serve the same purpose.
Internal control structure
The internal control structure is derived from the way management runs an operation or
function and is integrated with the management process. Although the components
apply to the entire University, small and mid-size departments may implement them
differently than large ones do. Together, they are designed to provide reasonable
assurance that overall established objectives and goals are met.
OVERVIEW
There are two basic categories of internal controls – preventive and detective.
An effective internal control system will have both types, as each serves a
different purpose. As you perform routine processes, or when you are
thinking of implementing a new procedure or process, it is important to ask
the following questions to help determine the appropriate control:
Separation of duties
Pre-approval of actions and transactions (such as a Travel
Authorization)
Access controls (such as passwords and Gatorlink authentication)
Physical control over assets (i.e. locks on doors or a safe for
cash/checks)
Employee screening and training (such as the PRO3 Series to
increase employee knowledge)
DETECTIVE CONTROLS
Detective controls are designed to find errors or problems after the
transaction has occurred. Detective controls are essential because they
provide evidence that preventive controls are operating as intended, as well as
offer an after-the-fact chance to detect irregularities.
All businesses, whether they are corporates or SMEs, need some level of
internal control over their finances to ensure they stay on the right side of the
law. As well as ensuring the efficiency and accuracy of accounting and
financial reporting, internal controls, procedures and systems are key to
ensuring businesses and their employees deal with their money in a legal and
responsible way.
Within accounting, there are seven internal control procedures that need to be
followed to ensure a business’s finances are fully legal and compliant. This
article will explain more about internal control systems and how you can
ensure your accounts meet their requirements, starting with the definition of
internal control.