
“Out of clutter, find simplicity”

Albert Einstein
INTRODUCTION
➢ An Operational Audit involves a review of the activities performed in a program or process in the
pursuit of its objectives by individuals, who are often supported by a variety of tools.

This section covers:

➢ the objectives of operational audits,
➢ how they are defined and what they mean for the audit,
➢ the phases of operational audits,
➢ the dynamics associated with each phase,
➢ the role of data during operational audits, and
➢ the impact of management practices on people, the process, and technology.
Key Objectives of Operational Audits
Without clearly defined, communicated, and understood objectives, all
involved are likely to drift during the course of the review by asking for
irrelevant documentation, interviewing people unnecessarily, examining
transactions, and analyzing process characteristics that are alien to the
priorities embraced by the sponsors of the engagement.

The objectives of the review will depend on several factors. First of all, we
must determine whose objectives the engagement is intended to address. Internal
audit should be careful not to define the objectives unilaterally.
The objectives for the review could be driven by:

New Rules
➢ Rules can be established internally (e.g., policies and procedures) or externally
(e.g., new or updated laws and regulations), or a combination (e.g., a contract
signed by the organization and one or more external parties).

Poor Performance
➢ Inefficiencies, waste, rework, or complaints from customers and vendors may
trigger management involvement, resulting in their request to have the matter
reviewed by internal audit.

Compliance Issues
➢ These can be the result of internal quality control initiatives that identify
anomalies.

Anomalous Revenues or Expenses

➢ While an increase in sales is always welcome news, if these figures appear
dubious, internal audit may review the related transactions to verify that they
are all legitimate, recorded in the correct amount, and posted during the
correct period.

➢ Similarly, unusually high or low, or otherwise questionable, expenses are
likely to result in a request for a thorough review.
• The objectives of an operational audit could include examining the collection of resources
allocated to a program or process for it to accomplish its objectives.

• This may also include the Entity’s Planning, Budget, and Technological Systems.

When defining the objectives, effective internal auditors examine the
organization’s infrastructure:

• The infrastructure could also include management reports because the extent, accuracy,
proper distribution, and amount of detail contained in them weigh heavily on management’s
ability to perform its duties.

• Lastly, this infrastructure may also include the organizational structure and the
assignment of responsibilities and accountabilities.
• Concerns over business risks, changes in the internal and/or external
environment, and dynamics affecting the organization’s governance may also
influence the objectives of an operational review.

• In general, the focus is on assessing and reporting on the efficiency,
effectiveness, and economy of operations, activities, and programs; and
conducting engagements on governance, risk management, and control.

• Technology may also influence the definition of objectives.

➢ Generally speaking, an organization or a program is comprised of processes
designed to support the organization’s program, processes, and units.
Phases of the Operational Audit

Like traditional audits, operational audits are also structured in the
traditional planning, fieldwork, and reporting phases.
The Planning Phase Includes:
• Scoping
• Budgeting
• Defining The Population Of Interest
• How Testing Will Be Performed
• Announcing The Audit.

Planning is arguably the most important part of an audit.

The planning process begins long before the actual audit begins.


Key Steps For Effective Planning:

The starting point should be the performance of a risk assessment that allows the CAE to
prepare an audit plan based on the results of an analysis of the organization’s audit universe.

At this point, the risk assessment is done at the enterprise level.

➢ This enterprise risk assessment should be done collaboratively with senior
management and the board of directors. By involving them, the CAE will get their
input about plans, concerns, and priorities.
This risk assessment should then generate two key outputs:
➢ (1) a strategic plan impacting company operations for management use and;
➢ (2) an audit plan.
The audit plan identifies what the internal audit function will review based on available
resources and the needs and priorities of the organization.
When performing each of the audits in the audit plan, the auditor in charge must
perform a number of tasks. These include:

• Communicating With The Corresponding Process Owner About The Timing Of The Review,
• Requesting Needed Financial And Operational Reports And Documents,
• Coordinating Staff Availability,
• Identifying The Systems In Use, And
• Defining The Scope, Objectives, Work Schedule, And Budget For The Engagement.

In addition to the enterprise risk assessment discussed above, a more tactical
one should also be performed for each audit.

• At a more refined level, this risk assessment should identify auditable activities,
relevant risk factors, and the relative significance/consequence and
likelihood/probability of those risks.

Depending on the scope and objectives for the engagement, they should also consider
other risks, such as operational, legal liability, corporate image (e.g., reputation),
industry specific, compliance, and IT-related risks.
The Following Questions Can Be Very Helpful When Identifying Risk:
• What could go wrong?
• How could that unit fail?
• Are there any liquid assets that require special care and oversight?
• What physical assets are bought and used? How do they need to be protected and
used for maximum effectiveness?
• What intellectual or digital assets are used and constitute a key success factor?
These might include personally identifiable information, copyrights, and licenses.
• How could someone or something disrupt the operations?
• What are the objectives and how do we know if the unit is achieving them?
• Where are the people, processes, systems, or assets vulnerable?
• On what information do they rely the most?
What Must Go Right for Them to Succeed?

✓ Internal auditors can help management achieve its organizational goals by focusing
on the review of activities and other exposures with the highest significance and
likelihood of harming the organization.

✓ Organizations must also excel at delivering, consistently, what the customer needs
and wants.

✓ Internal auditors’ position within their organizations’ hierarchy, their adoption
and use of a risk-based approach, and their broad skillset and knowledge of their
organizations make them uniquely qualified to add value.

✓ Proactive auditors will look beyond isolated negative events and also look for
the interdependencies that management’s strategic objectives and resources
have.
Risk Factors

Consequently, risk assessments should not be limited to the identification of risks, but should
also:
• help to identify opportunities,
• determine the organization’s preparedness, and
• identify those responsible for appropriately responding to those events.

❑ Risk factors are conditions and other variables that, by their presence or absence, as the case
may be, either exacerbate or diminish the underlying risk.
❑ The presence of some factors increases the likelihood or impact of the underlying risks.

Another risk factor is the extent of judgment that can be exercised when performing relevant
operational and control activities.
➢ As the extent of judgment increases, the underlying risk of error, abuse, and malfeasance
increases. So these factors have an opposite effect on the underlying risks.

• During planning meetings, internal auditors should engage in participative practices,
involving process owners as much as possible to identify relevant activities, systems,
people, and performance standards.

• When auditors plan engagements in relative isolation, they often miss important aspects
of the operation and the systems in use that may play an important role in identifying the
risks that should be examined during the audit.

• Internal auditors also benefit from reviewing prior audit workpapers, as they provide
insights into the operation reviewed, areas of concern, location of relevant data and
documents, key individuals, amount of time various procedures took for completion, and
verbal observations brought to the attention of process owners.

• Good planning will prevent avoidable problems during fieldwork, and good planning
demands that a suitable amount of time be invested in these activities.
Typical Audit Steps For Audit Programs

With that in mind, internal auditors’ duty is to verify that management, with
the authority received from the board of directors, establishes the structure,
policies, procedures, and metrics to achieve the vision, mission, and objectives
of the enterprise, and this should be done within the parameters of ethical
behavior, legal requirements, and stakeholder expectations.

Other typical procedures include compare, prepare, obtain, verify, count, and
recalculate.

The Planning Phase also involves estimating the amount of time tasks will take for
completion. This can be done by examining the time logs from previous audits to provide
an estimate about the possible time for the current audit.

It is also important to remind auditors that because of the reliance placed on previous time
estimates, underreporting the amount of time it takes to perform tasks is usually not a good
idea.