
Objectives & Phases of Operational Audits
Key Objectives of Operational Audits
• objectives of the review will depend on several factors
• first of all, we must determine whose objectives the engagement is intending to address
• internal auditors should be careful not to define the objectives unilaterally; rather, they should get management involvement as much as possible to make sure that the review will meet their needs
Key Objectives of Operational Audits
• when defining objectives, effective internal auditors examine the organization’s infrastructure
• infrastructure - underlying foundation or basic framework of a system or organization & the resources, such as personnel, buildings or equipment, required for an activity
Key Objectives of Operational Audits
• objectives of the review could be driven by:
1. new rules
2. poor performance
3. compliance issues
4. anomalous revenues or expenses
Phases of the Operational Audit
1. Planning
  • What must go right for them to succeed?
  • Risk Factors
2. Fieldwork
  • Types of Audit Evidence
    • Testimonial
    • Observation
    • Document Inspection
    • Recalculation/Reperformance
  • Professional Skepticism
  • Workpapers
  • Flowcharts
  • Internal Control Questionnaire
  • Condition of Workpapers
  • Electronic Workpapers
3. Reporting
4. Follow-Up
  • Metrics
Planning
• includes scoping, budgeting, defining the population of interest, how testing will be performed, & announcing the audit
• the most important part of an audit
Planning
key steps for effective planning:
• performance of a risk assessment that allows the CAE to prepare an audit plan based on the results of an analysis of the organization’s audit universe
• the audit universe consists of all auditable activities: accounts, processes, programs & functions within an organization & the risks associated with their ability to achieve their objectives
• at this point, the risk assessment is done at the enterprise level
Planning
key steps for effective planning:
• the ERM should be done collaboratively with senior management & the board of directors
• the risk assessment should generate two key outputs:
1) a strategic plan impacting company operations for management use
2) an audit plan
Planning
what must go right for them to succeed?

• internal auditors can help management achieve its organizational goals by focusing on the review of activities with the highest significance & likelihood of harming the organization
• organizations must also excel at delivering, consistently, what the customer needs & wants
Planning
risk factors - conditions & other variables that, by their presence or absence, as the case may be, either exacerbate or diminish the underlying risk

the presence of some factors actually decreases the likelihood or impact of the underlying risks
Planning
risk factors
• competence of employees
• the extent of judgment that can be exercised when performing relevant operational & control activities
• number of transactions
• time since the last audit was performed
• the geographical dispersion of operations
• level of motivation of employees
• the ethical climate
• complexity of operations
• asset size
• volume
• pressure to produce or achieve organizational goals
Fieldwork
• this phase is when most of the testing is performed; it includes:
  • interviewing
  • documenting
  • applying testing methodologies
  • managing fieldwork
  • providing status updates
Fieldwork
• it consists primarily of two (2) things:
1. determining if the process or program under review is designed effectively so that the related goals & objectives are likely to be achieved
2. verifying that the controls in place are performing as designed by management
Fieldwork
• types of audit evidence
• testimonial
  • verbal or written statements or assertions given by someone as proof regarding the matter being discussed
  • two types:
    • personal knowledge
    • hearsay
  • auditors should be careful to corroborate verbal statements
Fieldwork
• types of audit evidence
• observation
  • auditors typically observe conditions & dynamics related to the subject of the review
  • auditors visually evaluate physical facilities, conditions & practices to verify they exist, their condition, valuation & protection
  • observation can be done in one of two ways:
    • the auditee knows the auditor is observing
    • the auditee does not know that the auditor is observing
Fieldwork
• types of audit evidence
• document inspection
  • another way of collecting evidence is by reviewing documents
  • one of the most common procedures
  • documents can be external or internal
  • although auditors are not expected to be experts on altered or forged documents, they should pay close attention to each document in search of anomalous elements constituting red flags
Fieldwork
• Persuasiveness is defined as the confidence it gives the auditor when reaching a conclusion.
Fieldwork
• Professional Skepticism
  • when obtaining & using evidence, internal auditors should display healthy professional skepticism & verify the quality of information gathered & used
  • internal auditors should be sufficiently suspicious of data received & reasonably verify that the information is free from manipulation or modification in ways that can compromise its quality
Fieldwork
• Professional Skepticism
  • internal auditors should approach interviews & meetings with sufficient skepticism, always attempting to:
    • verify the information provided
    • corroborate the testimony received
    • observe behavioral changes that could indicate deceit
  • corroboration may involve obtaining supporting documentation to substantiate claims made or finding others to verify the accuracy of statements received
Fieldwork
• Professional Skepticism
  • another important source of information, to ensure the auditor is working with reliable data, is the assistance of a subject matter expert (SME)
  • SMEs
    • can be internal or external
    • must be willing to work with the auditor
    • credentials are important
    • have superior & unquestionable academic & certification credentials
    • have strong practical & experiential knowledge
Fieldwork
• auditor self-generated evidence is the best
• there is a clear & critical difference between fact & opinion that internal auditors should understand
  • FACTS are statements & information that can be proven to be true through verification. If a statement or piece of information is true, it is always true.
  • OPINIONS are subjective statements based on personal beliefs, so they are not always true for everyone. They can be based on facts, but they are someone’s personal interpretation of facts & as such are open to debate.
Fieldwork
• Workpapers
  • are documents created by auditors to record the work done
  • collection of evidentiary material showing planning done, fieldwork activities performed, & support for all information mentioned in the audit report or other communication of results
  • require review by the team leader to show there was proper supervision
Fieldwork
• Workpapers may include:
  • process narratives
  • flowcharts
  • copies of policies & procedures
  • checklists
  • organizational charts
  • management & financial reports
  • analysis of testing
  • correspondence
  • questionnaires
  • pictures
Fieldwork
• Flowcharts
  • another common type of workpaper
  • a diagram of the sequence of movements & actions of people or things involved in a process or activity
  • they illustrate a business process & virtually any process involved in a process or activity
  • the shapes are simple & visual, so they are easy to understand
Fieldwork
• Flowcharts key steps
  • identify the steps through consensus
  • walk the process & arrange chronologically
  • draw using appropriate symbols
  • test for completeness
  • look for problem areas as a team
  • get sign-off that the flowchart reflects the process
Fieldwork
• Internal Control Questionnaire (ICQ)
  • helps to evaluate internal controls in specific areas by asking key questions
  • internal auditors often use ICQs as a starting point & then supplement them with other information gathering & control evaluation techniques such as flowcharts & document reviews
  • very helpful when the auditor needs to collect large amounts of information
  • when preparing an ICQ, auditors should remember that respondents are going to answer the question asked, so the questions should be worded clearly
Fieldwork
• Condition of Workpapers
  • Workpapers should be neat, easy to read, easy to review & their appearance should be uniform.
  • In general, workpapers should include:
    • objective of the procedure performed
    • source of the information evaluated
    • name of the auditor who performed the work
    • date when the work was done
    • name & date of supervisory review
    • details showing the work done
    • reference to other supporting documents
    • results of the testing procedure performed
    • conclusion
Fieldwork
there are many ways that internal auditors can indicate the results of their
work for transaction-based testing.

tickmarks show for each transaction whether the transaction met the
criteria applied to the test
Reporting
• third phase of the audit - communication of results
• consists of communicating findings, observations & best practices noted during the review & developing recommendations for corrective action
Reporting
• two types of deficiencies:
  • design
  • operating
• findings should be discussed with the process owners & other relevant stakeholders before being included in the report
Follow-Up
• the timeline for when the follow-up should occur depends on the risk associated with the finding
• a follow-up review means that the auditor is checking to make sure the corrective action was performed, so it consists of checking what management did to address the issue reported
End of Chapter 2
thank you. study well. God bless.
