Objectives and Phases of Operational Audits

Questions and Answers

What is the MOST critical factor in ensuring an operational audit adds value to the organization?

• The seniority of the auditors involved.
• The budget allocated for the audit engagement.
• The usage of sophisticated auditing tools and technologies.
• Clearly defined, communicated, and understood objectives. (correct)

When defining the objectives of an operational audit, what approach should internal auditors generally take?

• Seek management involvement to ensure the review meets their needs. (correct)
• Prioritize objectives based on auditor's expertise.
• Focus solely on objectives related to financial performance.
• Define objectives unilaterally to maintain independence.

Which of the following factors could MOST directly drive the objectives of an operational audit?

• The CEO's personal interests and hobbies.
• New rules or regulations. (correct)
• A decline in employee satisfaction survey scores.
• The implementation of a new Enterprise Resource Planning (ERP) system by the IT department.

What is the KEY reason why a reputation for ethical conduct attracts investors?

Investors believe ethical companies have lower long-term risks. (D)

Which of the following is the MOST direct way that operational audits relate to an organization's infrastructure?

Audits examine the resources allocated to achieve objectives. (A)

What is a PRIMARY concern regarding the assignment of responsibilities within an organization's infrastructure?

Placing responsibility without corresponding accountability. (A)

In the context of operational reviews, what aspect of CSR (Corporate Social Responsibility) is MOST relevant?

Aligning CSR expectations with stakeholder values. (D)

What is the MOST effective way that well-designed technology supports an organization?

By supporting the achievement of organizational objectives. (C)

Which proverb BEST encapsulates the importance of the planning phase in an operational audit?

Failing to plan is planning to fail. (A)

What is the PRIMARY purpose of the CAE (Chief Audit Executive) performing a risk assessment?

To create an audit plan based on the organization's audit universe. (B)

Why is it important for the CAE to collaborate with senior management and the board of directors during the enterprise risk assessment?

To get their buy-in into the audit process and understand their priorities. (B)

What are the TWO key outputs that should be generated from an effective enterprise risk assessment?

A strategic plan impacting company operations and an audit plan. (C)

What is the PRIMARY benefit of developing multiyear audit plans?

To facilitate future planning and resource needs identification. (B)

When performing individual audits within the audit plan, what is a key responsibility of the auditor in charge?

To define the scope, objectives, work schedule, and budget for the engagement. (D)

What should internal auditors consider in addition to accounting and financial risks?

Risks, such as operational, legal, corporate image, and IT-related risks. (B)

Why is it important to ask 'What must go right for them to succeed?' during a risk assessment?

To identify opportunities and critical success factors. (B)

How does an increase in employee competence typically affect the risk of errors and omissions?

It decreases the risk due to improved performance. (C)

How does an increased extent of judgment in operational activities affect the underlying risk of error, abuse, and malfeasance?

It increases the risk because it provides more opportunities for subjective interpretations. (D)

Why is it important for internal auditors to engage in participative practices and involve process owners in planning meetings?

To define the scope more precisely and avoid missing important aspects of the operation. (B)

When reviewing prior audit workpapers, what caution should auditors exercise?

Remember that each audit is unique to its time and context. (C)

What can result from spending too little time planning an audit (e.g., less than 25% of the total time)?

Execution problems during fieldwork. (C)

What word BEST summarizes the procedures and action words used in audit program steps?

Verify (C)

What is the PRIMARY purpose of tracing a transaction in an audit?

To follow a transaction from its origin to its final destination. (C)

Why is underreporting the amount of time it takes to perform audit tasks (i.e., 'eating time') not a good practice?

It compromises the calculations and estimates for the work to be completed. (B)

During fieldwork, what two things primarily consist the work?

Verification of the design effectiveness for achieving objectives and control performance as designed. (B)

How should the auditor approach the situation? The auditors obtain and review the documents received, analyze data, and hold meetings with process owners, and may find there are obvious issues even at this stage. Is that planning or testing?

It doesnt matter much. (C)

What action should be taken after the testing begins and the auditor discovers that conditions were different than those anticipated?

Those managing the engagement need to evaluate the situation and decide how to rearrange the remaining work given the resources available. (C)

What is the PRIMARY difference between testimony and hearsay?

Testimony is first-hand knowledge, while hearsay is based on what someone else said. (B)

Why is it important to do two or more auditees present? This is better described as a facilitated meeting than a typical interview and what is a key benefit?

All are true. (C)

What potential effect can auditor observations have when the auditee is AWARE the auditor is watching them?

Will typically change behavior so it is viewed favorably by the auditor. (B)

What is the MOST important consideration when auditors observe working conditions?

Being mindful of the possibility of altered behavior. (C)

What is the PRIMARY purpose of document inspection during an audit?

To verify the date and amount of transactions. (D)

In the context of reviewing accounts payable payments, what specific element might an auditor examine to make sure the approver is authorized to do so?

The name of the person who approved the payment. (A)

What should an auditor do if a client does not have the phone number, street address, website, contact information, the print is slanted or has mathematical errors (e.g., tax rate or amount)?

Auditor should examine the document further. (D)

Why is it useful to compare the amount of allowance to gross sales over a period of time?

To identify potential accounting irregularities. (C)

Accounting staff often review the balance in the allowance for doubtful accounts as part of the month-end closing process, to make sure the balance is reasonable when compared to what?

Latest bad debt forecast. (C)

Flashcards

Operational Audit

Review of activities in a program or process to achieve objectives.

Operational Audit Phases

Planning, fieldwork, reporting, and follow-up.

Clearly Defined Objectives

Essential for engagement success, prevent wasted resources, and protect audit function.

New Rules

Rules established internally or externally that drive audit objectives.

Poor Performance

Inefficiencies, waste, rework, or complaints that prompt audit requests.

Compliance Issues

Quality control issues, noncompliance, or regulatory concerns.

Anomalous Revenues/Expenses

Suspicious sales or expenses requiring audit verification.

Infrastructure

Underlying foundation and resources of an organization or system.

Audit Focus

Evaluate efficiency, effectiveness, and economy of operations.

Planning Phase

Determining the scope, budget, and testing methods for review.

Audit Universe

Analysis of all auditable activities and associated risks.

Audit Plan

Identifies review areas based on resources and organizational needs.

Tactical Risk Assessment

Identifies activities, risk factors, significance, and likelihood of risks.

Risk Factors

Conditions and variables that affect the underlying risk.

Important Risk Factors

Competence of employees or complexity of operations.

Participative Practices

Internal auditor's role in identifying relevant activities and standards.

Internal Auditor's Duty

Verifying management is achieving organizational goals.

Verify

Confirm, prove, or corroborate the truth of a fact.

Trace

Tracking a transaction from source to destination.

Vouch

Opposite of tracing; from destination back to source.

Fieldwork

Tasks in testing, interviewing, and providing updates.

Testimonial Evidence

Verbal or written statements as proof.

Observation

Directly observing conditions and dynamics.

Auditor's Evaluation

Physically evaluating facilities, conditions, and practices.

Document Inspection

Reviewing records to verify dates, amounts, and authorizations.

Recalculation/Reperformance

Checking document accuracy or redoing work.

Persuasive Audit Evidence

Consistency, relevance, and objectivity.

Walkthrough

Checking flow from start to end through organization.

Professional Skepticism

Sufficient skepticism is needed to verify data integrity.

Attributes of Findings

Used to show what was expected vs. what occurred.

Design Deficiencies

Deficiencies in program or process structure.

Operating Deficiencies

Controls not performing as designed.

Follow-Up

Verifying corrective actions after findings are reported.

Value Demonstration

Compares preaudit and postaudit statistics to show value.

Metrics

Assesses and compares expected vs. actual performance.

Study Notes

Objectives and Phases of Operational Audits

• An operational audit reviews activities in a program or process.
• The success of an operational audit depends on the people involved, areas of focus, and communication.
• Operational audits are similar to financial reviews, requiring business objective identification.
• The life cycle of an operational audit: planning, fieldwork, and reporting.
• Follow-up actions depends on issue severity.

Key Objectives of Operational Audits

• Clearly defined, communicated, and understood objectives are essential for success, and alignment with engagement sponsors is key.
• Internal audit should involve management to meet their needs.
• New rules, internally (policies/procedures) or externally (laws/regulations), drive objectives.

Rules Considerations as Objectives

• New rules can result from voluntary adoption, such as Corporate Social Responsibility (CSR).
• Ethical conduct attracts customers, employees, and investors.
• Funds employing social screens have increased, holding trillions in assets.
• Poor performance, such as inefficiencies and complaints, may trigger internal audit reviews.
• Compliance issues, whether internal quality control or external regulator findings, can prompt audits.
• Anomalous revenues or expenses may lead to a review to verify legitimacy and correct recording.

Infrastructure Examination for Objectives

• Effective internal auditors examine the organization's infrastructure.
• Infrastructure includes resources, planning, budget, and technological systems.
• Management reports must be accurate, detailed, and properly distributed.
• Organizational structure should assign responsibility and accountability effectively.
• Business risks, internal/external changes, and governance impacts also influence objectives.

Governance and Compliance

• Consideration for ethics, EHS, operational consistency, and CSR.
• Focus on efficiency, effectiveness, and economy of operations, activities, and programs.
• Engagements conducted on governance, risk management, and control.
• Technology affects objective definitions; effective systems support goal achievement.

Phases of the Operational Audit

• Operational audits follow traditional planning, fieldwork, and reporting phases.
• Planning includes scoping, budgeting, defining the population of interest, testing methods, and announcing the audit.
• Planning is crucial to avoid inefficient practices and scheduling issues.

Planning Process

• The planning process begins with a risk assessment to prepare an audit plan, which allows the CAE to prepare an audit plan based on the results of an analysis of the organization's audit universe.
• The audit universe spans auditable activities, assessing risks to objective achievement at the enterprise level.
• Enterprise risk assessment involves senior management and the board for input and buy-in.

Audit Plan

• Should generate a strategic plan for management and an audit plan.
• Audit plan identifies review areas based on resources, needs, and organizational priorities.
• CAEs using multiyear audit plans facilitate future planning and identify resource needs.

Auditor Tasks

• Communicating timing, requesting reports/documents, coordinating staff, and defining scope, objectives, work schedule, and budget.
• Tactical risk assessment identifies auditable activities, risk factors, and their significance.
• Risk considerations expand beyond accounting/financial risks to include operational, legal, and IT-related risks.

Risk Factors

• Understanding potential negative aspects such as legal liability and corporate image.
• Identifying potential risks and how the unit could fail can be identified by asking key questions.
• Identify any assets that require special care and oversight, intellectual or digital assets which help determine key success factors.

Considerations

• What are the objectives and how do we know if the unit is achieving them?
• Where are the people, processes, systems and assets vulnerable?
• On what information to they rely on most?
• Internal audit is able to assist management in achieving organizational goals by limiting the harm that could have been done to a company.
• Need to also identify opportunities and prepare responses for those events

Internal Auditor Skills and Limitations

• Should determine how the organization should be allocating it's resources.
• Risk assessments should not be limited, instead help to identify the opportunities that can help an organization's preparedness.
• Risk factors play an important role which could diminish underlying factor.
• Competence of employees increase, especially that of errors, omissions, and other operational problems decrease.
• Extent of judgement that can be exercised when performing relevant operational and control activities.

Participative Practices

• Internal auditors should engage with process owners.
• Auditors are better equipped to define the scope more precisely, including identifying the risks that should be examined during the audit.
• While reviewing prior workpapers caution is warranted, as auditors must remember that each audit is the reflection of the objectives, scope, conditions, and expectations at the time it was performed.

Audit Steps

• Are shown in Table 2.1.
• Board of directors, senior management, and middle management are accountable for the strategy, objectives, risks, and controls of the areas under their responsibility.
• Auditors work is to verify that management has put structure, policies, procedures, and metrics into place to achieve its objectives.
• Time Logs can provide previous estimates.
• Auditors reviewing the amount of time it takes to perform tasks is usually not a good idea.

Fieldwork Phase

• This phase consists of verifying if the process or program can is effectively designed so that the management goals and objectives are likely to be achieved.
• Even though identifying issues are a part of testing, that doesn't mean that it can't be identified in earlier stages, those outcomes should be documented.
• Planning may occur during fieldwork due to finding conditions that were different than anticipated or items that were not seen as low.

Audit Evidents

• Internal auditor's are concerned with whether the program is working as designed.
• Gather evidence to support/persuade others for satisfactory conditions.
• There are different types of audit evidence that auditors gather and evaluate during the reviews.
• Verbal or written statements given as a proof for the matter being discussed are known as testimonial evidence.
• There are two types of testimonial knowledge, those being whether that is someone's knowledge about somehting, while hearsay is based on what was heard.

More on Audit Evidents

• Auditors assume that auditees are making truthful statements.
• False statements made to the auditor are grounds for disciplinary action.
• Interviews are a common form of gathering evidence which may involve speaking to one or more individuals.
• Have a pair of auditors present to improve the quality and detail of the information gathered.

Auditors Observations

• Observing the security measures to prevent unauthorized individuals from entering the facility.
• Ensure that machinery exists and is working properly.
• Auditors visually evaluate physical facilities, conditions, and practices to verify they exist, their condition, valuation, and protection.
• There are two ways this can be done: auditee knows and when auditee does not.

More on Observation

• Auditees are unaware of observation, allowing for genuine behavior.
• Social desirability bias may alter behavior when auditees know they are observed.
• The change and behavior may influence to the way things are reported.

Collecting Evidence

• Collection through reviewing documents is the most common.
• Verify data and amounts of transactions, agreements made between various parties, and all record of decisions made.
• The documents can be internal/external
• Auditors are not experts on altered/forged documents, they should pay close attention to each document in search of anomalous elements constituting red flags.

Audit Evidence: Evaluation

• Mathematical recalculation checks accuracy of documents/records and confirms correctness.
• Example: Allowance for uncollectible balances based on percentage of sales.
• Companies can fraudulently modify financial results by manipulating allowance amounts.
• Consistent review process with month-end/quarterly updates being enough.
• Persuasiveness of audit evidence gives auditor confidence in conclusion.

Attributes of Persuasive Audit Evidence

• Relevance to audit objectives.
• Objective evidence (two auditors likely to agree).
• Documentation over unrecorded evidence.
• Externality third-party is better over internally.
• Sample sizes play a role in providing persuasion for larger samples.
• Statistical samples as well.
• Authoritative Evidence is more persuasive.
• A walkthrough adds additional level of evidence.

Auditor Scope: Best Practices

• Step by step in addition to asking questions may reduce the possibility of fraudulent behavior.
• Balance inquisitor with conversational dynamics to avoid causing stress and anxiety for the auditee.
• Professional judgement with the amount of evidence is needed.
• Professional skepticism: auditors verify data integrity.
• Verify reliable information and corroboration with documentation and statements.
• Subject matter experts (SMEs) provide knowledge and assistance. SMEs could be internal/external.

Audit Documentation

• Workpapers document audit work and support results.
• Collect and show all of the evidence to show planning and findings.
• IIA Standard 2330: Must document relevant information to conclusions.

Documentation Considerations

• Narrative are common types of workpapers, as they describe a business process.
• Auditors are able to understand the process, which can illustrate potential weakness and strengths.
• A flowchart is a diagram of the sequence of movements or actions of people or things involved in a process or activity.
• Process mapping leads to a better understanding of potential weaknesses and strengths.

Internal Control Questionnair

• Helps to evaluate internal controls in specific areas.
• ICQs are a starting point with other information gathering and control evaluation techniques.
• Preparing and sending a questionnaire can be helpful to collect large amounts of data quickly.
• Auditors should remember that respondents are only going to answer the question asked, so the questions should be worded clearly.

Workpapers Essential Features

• Neat, easy to read and in uniform.
• Includes the objectives, source, auditor's name, when the work was done and what the results were.
• References to all supporting documents.
• Key steps ensure high workpaper quality.

Types of Tickmarks

• Show for each transaction whether the transaction met the criteria applied to the test.
• Auditors select a samples of transactions and examine each of them to verify these for attributes.
• The auditor would indicate the name of the organization, audit, process, and the source of the information.
• Auditor would indicate the transactions are being examined, which has four attributes and would receive tickmarks in the corresponding location.

Formulas for testing

• To verify or test the amount of payment is accurate: a formula that would subtract the amount of the invoice from the amount paid is simple, should be $0.00.0
• An analysis can be done by approved.

The Reporting Phase

• Consists of communicating findings, observations, and best practices noted during the review, developing recommendations for corrective action.
• The term "finding" is in disuse by an increasing number of auditors who have found that their clients resent the label and prefer a term that is less controversial, but not always.
• Must document the criteria, condition, cause, and effect as well.
• There are two types of deficiencies: design and operating.

Follow up Phase

• To verify that the corrective actions are indeed applied.
• Timeline depends on the risk associated with the finding.
• The purpose for a follow up is to check on what management did to address the issue reported.
• If the severity of the observation was low a review of the item may suffice to close the observation in the finding database.

Metrics Considerations

• Show the value internal auditing has on an organization.
• Key tool for the monitor performance and the achievement of organizational goals.
• Organizations lack reliable data and use metrics to only a small degree.
• Can improve by including the application of the balanced scorecard.

Internal Environment

• It is better to improve through workers, processes and technology.
• But must have goals that drive the direction, prioritize the allocation of resources and give employees a sense of mission.
• This requires clear expectations about what is allowed and can be done regarding behavior, management is ultimately responsible.