Operational and Internal Auditing

Questions and Answers

Which of the following best describes operational auditing?

• An examination intended to detect fraud.
• An evaluation centered on past financial performance.
• An independent assessment of organizational activities focused on future improvements. (correct)
• A systematic review of historical accounting practices.

In what way does internal auditing contribute to an organization's goal achievement?

• By ensuring compliance with financial regulations exclusively.
• By focusing on past financial performance.
• By making management decisions regarding resource allocation.
• By providing independent assurance and consulting activities to enhance operations. (correct)

Why is the independence of the internal audit function critical within an organization?

• To ensure objective assessments without influence from those being audited. (correct)
• To allow auditors to freely change operational procedures.
• To minimize the need for external audits.
• To give the audit team complete control over financial reporting.

What does 'objectivity' refer to in the context of internal auditing?

The auditor's ability to examine information without bias and communicate findings accurately. (A)

In what way does the 'assurance' aspect of internal auditing benefit an organization?

It provides confidence and makes statements regarding compliance. (B)

What is the primary focus of a compliance audit within the assurance function?

To verify conformity with policies, laws, and regulations. (A)

How does the 'consulting' function of internal auditing support an organization?

By providing advice to management and the board to resolve business issues. (D)

What is the ultimate goal of internal audit recommendations for improving an organization's operations?

To enhance efficiency, effectiveness, and reduce errors. (D)

In what way does controls-based auditing support an organization's objectives?

By checking if controls are present and operating as expected to mitigate risks. (B)

What does 'risk management' refer to in the context of internal auditing's role in evaluating organizational effectiveness?

The identification, measurement, assessment, and response to risks. (B)

How do 'governance processes' impact the effectiveness of an organization, as evaluated by internal auditing?

By influencing organizational structure, reporting lines, and accountability measures. (D)

What factors contribute to business failures related to operations management?

Waste, inefficiencies, late supplies, and poor customer satisfaction. (D)

In what way do poorly supervised, untrained and unmotivated employees impact a business under human resources management?

By becoming unproductive and harming the company's goals. (A)

What is a common IT-related factor that contributes to business failures?

Inaccurate understanding of business needs in computer systems and poor data capture. (C)

What is often the result of wasteful marketing campaigns?

Ineffective reach and misuse of resources. (A)

What issues are encompassed by Corporate Social Responsibility (CSR)?

Child labor, sweatshop conditions, and inappropriate waste disposal. (A)

What practices and conditions are related to Environmental Health and Safety (EHS)?

Poor ventilation, excessive heat, extreme noise levels, and workplace hazards. (A)

Which stakeholders are considered primary (economic) stakeholders?

Employees, suppliers, customers, creditors, and investors. (B)

Which stakeholders are considered secondary (noneconomic) stakeholders?

Governments, media, communities, and activist groups. (A)

What potential issues are identified within operational threats and vulnerabilities?

Operational capacity, protection of intellectual property, customer loyalty, and environmental impact. (B)

What strategic concerns should an internal auditor consider when assessing operational threats and vulnerabilities?

Strong customer and vendor relations and outsourcing arrangements. (B)

How does a risk-based approach influence the skills needed by internal auditors?

It requires auditors to acquire and apply skills to examine a broader range of risks. (D)

What are considered top general competencies for internal auditors according to the IIA Research Foundation Core Competencies Report?

Communication, problem identification, and knowledge of regulatory changes. (D)

What behavioral skills are important for internal auditors?

Confidentiality, objectivity, communication, and judgment. (C)

What is the highest level in the Internal Audit Capability Model (IA-CM)?

Optimizing (B)

Which level of the IA-CM model focuses on compliance audits?

Level 2: Infrastructure (C)

In the IA-CM model, what does the 'Integrated' level entail for internal audit?

Providing guidance and advice to management and integrating internal audit into the management team. (C)

What is a key objective of a financial audit?

To ascertain whether the financial statements accurately reflect the activities during the fiscal year. (C)

What is the focus of Standard 1210-Proficiency for internal auditors?

Internal auditors must possess the knowledge, skills, and competencies needed to perform their responsibilities. (A)

What aspect of technology is addressed by Standard 1210.A3 for internal auditors?

Internal auditors must have sufficient knowledge of key IT risks, controls, and available technology-based audit techniques. (A)

What does Standard 2010-Planning require of the Chief Audit Executive?

To establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals. (C)

According to Standard 2120, what must the internal audit activity evaluate?

The effectiveness and contribute to the improvement of risk management processes. (A)

According to Standard 2201, what must internal auditors consider in planning the engagement?

The objectives of the activity being reviewed and the significant risks to the activity. (A)

What elements are key in identifying sufficient information?

Relevance, reliability, and usefulness for accomplishing set objectives. (A)

According to engagement communication, what is the aim of constructive reports?

Serve the purpose of the organization and promote advancement. (D)

Flashcards

Operational Auditing

A future-oriented, systematic, and independent evaluation of organizational activities.

Internal Auditing

An independent, objective assurance and consulting activity designed to add value and improve an organization's operations.

Independence (Internal Auditing)

The positioning of internal audit within the organization's hierarchy, reporting to the audit committee.

Objectivity (Internal Auditing)

An auditor's ability to examine documents, processes, and programs without bias, agenda, or ulterior motives.

Assurance (Internal Auditing)

An auditor's ability to provide confidence and statements regarding the condition of matters within the organization.

Consulting (Internal Auditing)

Giving advice to management and the board, and engaging in activities that help the organization resolve nagging business issues.

Improve an organization's operations

It enhances efficiency, effectiveness, speed and reduces errors.

Risk Management

The identification, measurement, assessment and response to risks.

Control

Activities that mitigate relevant risks and help the organization avoid surprises.

Operations management

Related issues include waste, inefficiencies, late supplies, poor customer satisfaction, and limited capacity to grow.

Human Resources (Auditing)

Poor supervision, training, and evaluation of employees.

IT (Auditing)

Inaccurate systems, poor data capture, and inadequate reporting.

Marketing (Auditing)

Campaigns that target the wrong audience

Corporate Social Responsibility (CSR)

Issues range from child labor, sweatshop conditions, abusive management and inappropriate waste disposal

Environmental Health and Safety (EHS)

Practices and conditions related to poor ventilation, excessive heat, extreme noise levels, and workplace hazards.

Power of employees (stakeholders)

Have bargaining power, can strike, and file lawsuits.

Power of suppliers (stakeholders)

Can refuse orders and supply competitors

Power of investors (stakeholders)

Can exercise voting rights and inspect records.

Operational Threats

Maintenance of operational capacity, speed of execution, staffing levels, employee motivation, knowledge transfer, etc.

Technological Threats

Protection of intellectual property, denial of service attacks, business continuity due to staff turnover, and system development

Strategic Threats

Concerns related to strong customer and vendor relations, customer loyalty, building effective business partnerships, outsourcing arrangements, and mergers and acquisitions.

Environmental Threats

Reliable supply of water and electricity, achieving a lower carbon footprint, and reducing the amount of natural resources used during business activities.

Skills for Operational Audits

Paradigm shift from controls-based to risk-based auditing.

Communication skills

Oral, written, report writing, and presentation skills.

Problem identification

Conceptual and analytical thinking

Behavioral Skills

Confidentiality, Objectivity, Communication, Judgement.

Managed (IA-CM)

Internal audit provides overall assurance on governance, risk management and control

Compliance Auditing

evaluate conformity and adherence with internal policies, laws, regulations, contracts

Financial Audit Objectives

Ascertain that income statements and cash flows accurately and reliably reflect fiscal year activities

Risk-Based Audit Planning

Establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals.

Audit Risk Management

Evaluate risk exposures relating to the organization's governance, operations, and information systems.

Reliability (Information Quality)

Information must be trustworthy and free from distortion.

Concise Communication

Brief by using only many words as necessary.

Constructive Communication

Serves the purpose of helping the organization improve its activities and promote advancement through excellence.

Study Notes

Operational Auditing Definition

• A future-oriented, systematic, and independent evaluation of organizational activities
• Financial data can be used
• The primary sources of evidence are the operational policies and achievements related to organizational objectives
• Internal controls and efficiencies can be evaluated during this type of review
• A review of how an organization's management and its operating procedures function with respect to their effectiveness and efficiency in meeting stated objectives.
• A business might perform an operational audit

Internal Auditing Overview

• An independent, objective assurance and consulting activity designed to add value and improve an organization's operations
• Helps an organization accomplish its objectives by bringing a systematic, disciplined approach
• Evaluates and improves the effectiveness of risk management, control, and governance processes

Elements of Internal Auditing

• Independence is tied to the position of internal audit within the organization's hierarchy
• Internal audit should report to the audit committee (or its equivalent) on the board of directors for advice and support
• Should not be under the control of those they audit; requires a direct reporting line to the highest authority within the organization
• Requires support by top management
• Objectivity is related to the auditor's ability to examine documents, processes, and programs without bias or an agenda
• Objectivity means finding the truth and communicating it accurately and promptly
• Maintaining healthy professional and social relationships without becoming too cozy with others in the organization
• Assurance relates to the auditor's ability to give confidence and make statements regarding matters within the organization (Compliance)
• Compliance audits focus on verifying conformity and adherence of an area, process or system
• Compliance adherence to policies, plans, procedures, laws, regulations, contract, or other requirements
• Consulting means giving advice to management and the board
• Consulting involves engaging in activities that helps the organization resolve nagging business issues
• Designed to add value to the organization
• Improving an organization's operations includes their evaluation, their recommendation gives improvement on organization's operations
• Improvement of operations enhances efficiency, effectiveness, speed, and reduces errors when implemented
• Help an organization accomplish its objectives through controls-based auditing
• Auditors look at controls within the process then check if the controls are present and operating as expected
• Auditors should properly respond to risks that threaten the organization's objectives
• Bringing a systematic, disciplined approach refers to the work approach

Further Internal Audit Functions

• Internal audit can evaluate and improve effectiveness and improve the organization's ability to achieve the goals and objectives related to risk management
• Risk management includes the identification, measurement, assessment, and response to risks
• Control refers to those activities that mitigate relevant risks and help the organization avoid surprises
• Governance processes refers to organizational structure, reporting lines, span of control, resource allocation, accountability measures, discipline and reward mechanisms
• Corporate governance relates to ethical behavior by directors and others charged with the creation

Negative Impacts Caused By Poor Management Decisions

• Business leaders and managers witnessed business failures from poor management decisions and practices
• Operations management causes waste, inefficiencies, supplies that arrive late, poor customer satisfaction and limited capacity to grow as opportunities arise or customers' demand change
• Human resources causes poorly supervised, trained and evaluated employees who sometimes become unmotivated and unproductive
• IT systems create an inaccurate understanding of the business needs and uses of these systems
• IT systems utilize poor data capture and inadequate reporting mechanism
• Marketing causes wasteful campaigns because the company target the wrong audience
• Corporate Social Responsibility (CSR) issues range from child labor, sweatshop conditions, abusive management, and inappropriate waste disposal
• Environmental Health and Safety (EHS) results in poor ventilation, excessive heat, extreme noise levels, and workplace hazards caused by chemicals, machinery and workplace configurations, among others.

Primary Stakeholders

• Primary stakeholders include employees, suppliers, customers, creditors and investors
• Their interest is for maintaining fair work environments and practices and receiving value for services and goods
• Their power stems from bargaining power and the use of legal avenues

Secondary Stakeholders

• Secondary stakeholders include governments, media, activist groups, business support groups, communities and the general public
• Their interest in the organization relates to economic development, ethical behavior, competitiveness and general safety
• Their power stems from the ability to influence the public and use lobbying for regulations

Identifying Operational Threats and Vulnerabilities

• Instead of focusing on past issues, internal audits should focus on future threats and vulnerabilities
• Operational capacity, speed of execution, staffing levels, employee motivation, knowledge transfer, system development and implementation
• Technological including protection of intellectual property and personally identifiable information, denial of service attacks, business continuity due to staff turnover, and system development
• Strategic concerns related to strong customer and vendor relations, customer loyalty, building effective business partnerships, outsourcing arrangements, and mergers and acquisitions
• Environmental concerns may include reliable supply of water and electricity, achieving a lower carbon footprint, and reducing the amount of natural resources used during business activities.

Skills Required for Operational Audits

• Internal auditors must acquire and apply different skills for controls and risk based auditing
• Auditors must examine risk exposures and the measures in place to address more than accounting and financial risks
• Core competencies: communication skills, problem identification and solution skills, ability to promote the value of internal audit, knowledge of industry, regulatory, and standards changes
• Core competencies include: organization skills, conflict resolution/negotiation skills, staff training and development, accounting frameworks/tools/techniques, change management skills
• Core competencies include IT/CT framework/tools/techniques, cultural fluency and foreign language skills
• Behavioral skills include: confidentiality, objectivity, communication, judgment, work well with all management levels, possess governance and ethics sensitivity
• Behavioral skills include: being team players, relationship building, working independently, team building, leadership, influence, facilitation, staff management and change catalyst skills

Internal Audit Capability Model (IA-CM)

• Level 1: Initial - audits are ad hoc/isolated
• Level 2: Infrastructure - compliance auditing
• Level 3: Integrated - advisory services
• Level 4: Managed - overall assurance on governance, risk management, and control
• Level 5: Optimizing - Internal auditing recognized as a change agent

Intergrated Auditing

Key Objectives of Financial Audit

• Ascertain whether in all materials respects, the income statement and cash flows accurately and reliably reflects activities during a fiscal year
• Ascertain whether in all material respects, the balance sheet shows the condition of the organization as of the last day of the fiscal year

The Standards For International Internal Auditors

• 1210-Proficiency includes knowledge skills, and other competencies needed to perform their individual responsibilities
• 1210.A3: Internal auditors must have sufficient knowledge of key IT risks, controls, and technology-based audit techniques
• 1220.A2: When exercising due professional care internal auditors must consider the use of technology-based audit and other data analysis techniques
• 1220.A3: Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources
• 2010-Planning: The Chief Audit Executive must establish a risk-based plan to determine the priorities of the internal audit activity and the consistency of the organization's goals
• 2120-Risk management: The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes
• 2120.A1: The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding objectives, financials, ethics and assets
• 2130-Control: The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement
• 2201-Planning considerations: Objectives, risk, and resources
• 2220.A1: Scope of engagement must include consideration of relevant systems, records, personnel, and physical properties
• 2310-Identifying information: Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives
• 2410.A2-Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications, including in the report or notes on those who did well.
• 2420-Quality of communications: communications must be accurate, objective, clear, concise, constructive, complete, and timely