Operational Auditing Principles and Techniques for a Changing World 2022 PDF

Summary

This book, "Operational Auditing, Principles and Techniques for a Changing World", second edition, published in 2022, covers operational auditing, its principles, and techniques. It explores various aspects including risk assessment, fieldwork, reporting, and follow-up. The book, by Hernan Murdock, is intended for professionals in the auditing sector.

Full Transcript


Operational Auditing

Internal Audit and IT Audit
Series Editor: Dan Swanson

PUBLISHED

Operational Auditing, Second Edition
Principles and Techniques for a Changing World
By Hernan Murdock
ISBN: 9780367562366

Managing IoT Systems for Institutions and Cities
By Chuck Benson
ISBN: 9781138590489

The Complete Guide for CISA Examination Preparation
By Richard E. Cascarino
ISBN: 9780367551742

Fraud Auditing Using CAATT
A Manual for Auditors and Forensic Accountants to Detect Organizational Fraud
By Shaun Aghili
ISBN: 9780367145613

Blockchain for Cybersecurity and Privacy
Architectures, Challenges, and Applications
By Yassine Maleh, Mohammad Shojafar, Mamoun Alazab, and Imed Romdhani
ISBN: 9780367343101

How to Build a Cyber-Resilient Organization
By Dan Shoemaker, Anne Kohnke, and Ken Sigler
ISBN: 9781138558199

The Cybersecurity Body of Knowledge
The ACM/IEEE/AIS/IFIP Recommendations for a Complete Curriculum in Cybersecurity
By Daniel Shoemaker, Anne Kohnke, and Ken Sigler
ISBN: 9780367900946

Auditor Essentials
100 Concepts, Tips, Tools, and Techniques for Success
By Hernan Murdock
ISBN: 9781138036918

Corporate Governance
A Pragmatic Guide for Auditors, Directors, Investors, and Accountants
By Vasant Raval
ISBN: 9780367862756

Project Management Capability Assessment
Performing ISO 33000-Based Capability Assessments of Project Management
By Peter T. Davis, Barry D. Lewis
ISBN: 9781138298521

Why CISOs Fail
The Missing Link in Security Management--and How to Fix It
By Barak Engel
ISBN: 9781138197893

A Guide to the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (2.0)
By Dan Shoemaker, Anne Kohnke, and Ken Sigler
ISBN: 9781498739962

The Audit Value Factor
By Daniel Samson
ISBN: 9781138198128

Operational Auditing
Principles and Techniques for a Changing World
Second Edition

Hernan Murdock

Second edition published 2022
by CRC Press
6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742

and by CRC Press
2 Park Square, Milton Park, Abingdon, Oxon, OX14 4RN

© 2022 Taylor & Francis Group, LLC

First edition published by CRC Press 2017

CRC Press is an imprint of Taylor & Francis Group, LLC

Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, access www.copyright.com or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. For works that are not available on CCC please contact [email protected]

Trademark notice: Product or corporate names may be trademarks or registered trademarks and are used only for identification and explanation without intent to infringe.

ISBN: 978-0-367-56236-6 (hbk)
ISBN: 978-0-367-77142-3 (pbk)
ISBN: 978-1-003-09693-1 (ebk)

Typeset in Garamond
by MPS Limited, Dehradun

Contents

Author

1 Definition, Characteristics, and Guidance
  Introduction
  Definition and Characteristics of Operational Auditing
    The Other Parts of the Definition
  The Risk-Based Audit
  Auditing Beyond Accounting, Financial, and Regulatory Requirements
    The Value Auditors Provide
  Identifying Operational Threats and Vulnerabilities
  The Skills Required for Effective Operational Audits
  Integrated Auditing
  The Standards
  Summary
  Questions

2 Objectives and Phases of Operational Audits
  Introduction
  Key Objectives of Operational Audits
  Phases of the Operational Audit
  Planning
    What Must Go Right for Them to Succeed?
    Risk Factors
  Fieldwork
  Types of Audit Evidence
    Testimonial
    Observation
    Document Inspection
    Recalculation/Reperformance
    Professional Skepticism
    Workpapers
    Flowcharts
    Internal Control Questionnaire
    Condition of Workpapers
    Electronic Workpapers
  Reporting
  Follow-Up
    Metrics
  People, Processes, and Technology
  Summary
  Questions

3 Risk Assessments
  Introduction
  Risk Assessments
    Identification of Risks
  Measurement of Risks
    The Risk Matrix
  Assessing Risk and Control Types
  The Importance of CSAs
  Business Activities and Their Risk Implications
  Future Challenges and Risk Implications
  Summary
  Questions

4 The 8 Es
  Introduction
  The 8 Es
    Effectiveness
    Efficiency
    Economy
    Excellence
    Ethics
    Equity
    Ecology
    Emotion
  Implications for Internal Auditors
  Summary
  Questions

5 Control Frameworks
  Introduction
  Control Frameworks
    The COSO Frameworks: ICF and ERM
  Control Environment
    Communication, Consistency, and Belief in the Message
    Form over Substance
    Entity Level Controls
    Tone in the Middle
  Risk Assessment
    Business and Process Risk
    Technological and Information Technology Risks
    Financial Risks
  Control Activities
  Information and Communication
  Monitoring Activities
  IT and Its Impact on Organizational Success
  Global Technology Audit Guides (GTAGs)
  COBIT
  ISO
  ITIL
  CMMI
  Summary
  Questions

6 Tools
  Introduction
  Histograms
  Control Chart
  Pareto Chart
  Cause and Effect (Fishbone, Ishikawa) Diagram
  Force Field Analysis
  Flowchart/Process Flow Map/Value Stream Map
  Common Process Improvement Areas
  Takt Time
  Eight Areas of Waste
  Affinity Diagram/KJ Analysis
  Check Sheet
  Scatter Diagram
  5S
    Seiton
    Seiri
    Seiso
    Seiketsu
    Shitsuke
  RACI Diagram
    Responsible
    Accountable (Also Approver)
    Consulted
    Informed
    How to Construct a RACI Chart
  Communications Plan
  Communications Matrix
  Suppliers, Inputs, Process, Outputs, and Customers Map
  Poka Yoke/Mistake Proofing
  Benchmarking
  Five Whys
  Work Breakdown Structure
  Summary
  Questions

7 Eight Areas of Waste
  Introduction
  Eight Areas of Waste
    Overproduction
    Waiting
    Transporting
    Unnecessary Paperwork or Processing
    Unnecessary Inventory
    Excess Motion
    Defects
    Underutilized Employees
  Identifying, Assessing, and Preventing the Occurrence of Muda
  Summary
  Questions

8 Quality Control
  Introduction
  Understanding Assertions and Using Quality Improvement Methodologies
  The Link between Process Weaknesses and Internal Control
  Six Sigma and Lean Six Sigma
  ISO 9000 and ISO 31000
  Summary
  Questions

9 Documenting Issues
  Introduction
  Using the CCCER/5C Model to Document Findings
    Criteria
    Condition
    Cause
    Effect
    Recommendation
  Making Findings and Recommendations Persuasive
  Using Quantitative Methods to Improve the Quality and Impact of Audit Findings
  Persuasion and Diversion
  Developing Useful, Pragmatic, and Effective Recommendations for Corrective Action
  Summary
  Questions

10 Continuous Monitoring
  Introduction
  Continuous Auditing of High-Risk Activities
  Data Analysis Software Applications
  Using CAATTs to Achieve Operational Excellence
  CCM and CCA
  Robotic Process Automation, Artificial Intelligence, and Machine Learning
  Summary
  Questions

11 Change Management
  Introduction
  Identifying and Introducing Adaptive and Innovative Changes
  Eight-Step Model
  Unfreeze, Change, and Refreeze
  Plan-Do-Check-Act
  Project Risk Assessment and the Risk of Failure
  Understanding and Managing Resistance to Change
  The Big Three: People, Process, and Technology
    Dysfunctions
  Summary
  Questions

12 Project Management
  Introduction
  Project Management
    Unique
    Temporary
  Project Phases
    Initiation
    Planning
    The Critical Path Method and the Program Evaluation and Review Technique (PERT)
    Executing
    Closing
    Monitoring and Controlling
  Keys to Success and Reasons IT Projects Fail
  Project Selection
  Project Metrics
  Project Software
  Summary
  Questions

13 Auditing Business Functions and Activities
  Introduction
  Project Management
    Overview
    Important Documents
    Key Objectives
    Key Risks
    Key Actions by Phase
  Contracts and Contracting
    Overview
    Key Objectives
    Key Risks
    Typical Controls
  Purchasing, Vendor Selection, and Management
    Overview
    Key Objectives
    Key Risks
    Typical Controls
  Bidding
    Overview
    Key Objectives
    Key Risks
    Typical Controls
  Pricing
    Key Objectives
    Key Risks
    Typical Controls
  Product Receipt (Quality)
    Overview
    Key Objectives
    Key Risks
    Typical Controls
  Human Resources
    Overview
    Key Objectives
    Key Risks
    Typical Controls
  Recruitment
    Key Objectives
    Key Risks
    Typical Controls
  Training and Development
    Key Objectives
    Key Risks
    Typical Controls
  Employee Benefits
    Key Objectives
    Key Risks
    Typical Controls
  Employee Termination
    Key Objectives
    Key Risks
    Typical Controls
  Employee Evaluations
    Key Objectives
    Key Risks
    Typical Controls
  Accounting, Finance, and Treasury Operations
    Overview
  Treasury
    Key Objectives
    Key Risks
315 Typical Controls....................................................................................................... 315 Payroll............................................................................................................................316 Key Objectives.......................................................................................................... 316 Key Risks.................................................................................................................. 316 Typical Controls....................................................................................................... 316 Accounts Payable...........................................................................................................317 Key Objectives.......................................................................................................... 317 Key Risks.................................................................................................................. 317 Typical Controls....................................................................................................... 317 Accounts Receivable.......................................................................................................317 Key Objectives.......................................................................................................... 317 Key Risks.................................................................................................................. 318 Typical Controls....................................................................................................... 318 Fixed Assets...................................................................................................................318 Key Objectives.......................................................................................................... 
318 Key Risks.................................................................................................................. 318 Typical Controls....................................................................................................... 319 Inventory.......................................................................................................................319 Key Objectives.......................................................................................................... 319 Key Risks.................................................................................................................. 319 Typical Controls....................................................................................................... 319 Information Technology................................................................................................320 Overview................................................................................................................... 320 IT Processing Operations..............................................................................................321 Key Objectives.......................................................................................................... 321 Key Risks.................................................................................................................. 321 Typical Controls....................................................................................................... 321 Backups and Storage......................................................................................................322 Key Objectives.......................................................................................................... 322 Key Risks.................................................................................................................. 
322 Typical Controls....................................................................................................... 323 IT Access.......................................................................................................................323 Key Objectives.......................................................................................................... 323 Key Risks.................................................................................................................. 323 Typical Controls....................................................................................................... 323 Personal Devices............................................................................................................324 Key Objectives.......................................................................................................... 324 xii ▪ Contents Key Risks.................................................................................................................. 324 Typical Controls....................................................................................................... 324 Systems Development....................................................................................................325 Key Objectives.......................................................................................................... 325 Key Risks.................................................................................................................. 325 Typical Controls....................................................................................................... 325 Foundations...................................................................................................................326 Overview................................................................................................................... 
326 Key Objectives.......................................................................................................... 326 Key Risks.................................................................................................................. 326 Typical Controls....................................................................................................... 326 Auditing Management...................................................................................................327 Overview................................................................................................................... 327 General Objectives.................................................................................................... 327 Key Risks.................................................................................................................. 328 Typical Controls....................................................................................................... 328 Ethics Hotlines..............................................................................................................328 Overview................................................................................................................... 328 General Objectives.................................................................................................... 329 Key Risks.................................................................................................................. 329 Typical Controls....................................................................................................... 329 Production.....................................................................................................................329 Key Objectives.......................................................................................................... 
329 Key Risks.................................................................................................................. 330 Typical Controls....................................................................................................... 330 14 The Toyota Production System.................................................................................. 333 Introduction...................................................................................................................333 The 14 Principles..........................................................................................................334 Conclusion.....................................................................................................................336 Questions.......................................................................................................................336 15 Organizational Structure............................................................................................. 339 Introduction...................................................................................................................339 Organizational Hierarchies and Structures....................................................................339 Tall or Vertical......................................................................................................... 340 Functional................................................................................................................. 340 Matrix....................................................................................................................... 
  Organizational Charts
  General Characteristics of Top Organizations
  Summary
  Questions
16 Conclusion
  Using Operational Audits to Help Reposition the Internal Audit Function
  Developing Operational Talent
  Transformation: Becoming Trusted Advisors
  Applying Consulting Skills Effectively during Operational Audits
  Operational Excellence and Cultural Transformation: Role of Internal Audit
Bibliography
Index

Author

Hernan Murdock, CIA, CRMA, is vice president, Content and Programming at ACI Learning. He has held positions as director of training for an international audit and consulting firm, and various audit positions while leading and performing audit and consulting projects for clients in the manufacturing, transportation, high tech, education, insurance, and power generation industries. Dr. Murdock is a senior lecturer at Northeastern University where he teaches management, leadership, and ethics.
He earned a DBA from Argosy University, Sarasota, Florida in 2007; a CSS from Harvard University, Cambridge, Massachusetts in 1996; and an MBA and BSBA from Suffolk University in 1992 and 1990, respectively. He also holds the following certifications: CRMA Certification in Risk Management Assurance (IIA), 2013; QAR Accreditation in Internal Quality Assessment/Validation (IIA), 2008; AchieveGlobal Leadership and Customer Service: Deliver and Develop Levels, 2007; IDC Certified Instructor (IIA), 2006; and CIA Certified Internal Auditor (IIA), 2001. He is the author of Auditor Essentials: 100 Concepts, Tools, and Techniques for Success (CRC Press, 2019), 10 Key Techniques to Improve Team Productivity (The IIA Research Foundation, 2011) and Using Surveys in Internal Audits (The IIA Research Foundation, 2009). He has also written articles and book chapters on whistleblowing programs, international auditing, mentoring programs, fraud, deception, corporate social responsibility, and behavioral profiling. Dr. Murdock has conducted audits and consulting projects, delivered seminars and invited talks, and made numerous presentations at internal audit, academic, and government functions in North America, Latin America, Europe, the Middle East, and Africa. Dr. Murdock can be reached at [email protected].

Chapter 1
Definition, Characteristics, and Guidance

Be a Product of the Product
What does it mean to be a product of the product? It’s quite simple. Be a living example of what you sell, recommend or advise others. Personify what you preach. Show don’t tell. Lead by example.1
John B. Petersen III

Introduction

Internal audit is undergoing a massive transformation. While its role to provide independent, objective assurance and consulting services to organizations in ways that improve their operations has remained constant for decades and remains true today, how this has been accomplished has changed over time.
Since the founding of the Institute of Internal Auditors (IIA) in 1941, the profession has evolved to adapt its personality, purpose, and approach to the changes taking place in the fields of management and organizational behavior. Universities and other academic institutions capitalized on the lessons of the industrial era and developed organization theories that created systems whereby centralization, a defined hierarchy, distinct authority levels and reporting lines, clear rules, and the division of labor were the norm. Internal audit adapted to this approach and adopted it, so its methodologies were consistent with these theories. Standardization was the norm and organizations implemented rigid guidelines for how they functioned. Consequently, internal auditors did the same and implemented standardized approaches to audit their clients in those organizations. This search for consistency resulted in the proliferation of checklists, standard audit programs, and procedures. In the end, internal auditing evolved in a way that validated the organization’s hierarchy and structure, its centralization, assignment of rigid authority, discipline, rules, and the division of labor procedures against the standard model. The audit function, then, focused on assessing an organization’s control or operational effectiveness with this standardization and could do so quickly by using checklists, prepared questionnaires, and reviewing the same documents year after year to verify consistency.

There was, and for those who continue to audit this way there still is, a concealed risk. The focus on standardization limited the auditor’s ability to be creative. Creative thinkers were not sought, nor did they gravitate toward the profession. Using the excuse of, and the legitimate need for, independence, internal auditors isolated themselves from the businesses they examined and were supposed to support.
Some even abstained from making recommendations to improve the weaknesses they identified. This risk became apparent in the 1960s and lasted through the 1980s. While internal auditors were protecting their independence, the businesses they served were changing due to globalization, technological advancements, relentless competition, and a new social, demographic, and financial landscape. Companies no longer operated using the standard model. Since manufacturing moved to different countries, it was impractical to have a single procurement function with a single manager overseeing all purchasing activities. Since customers were now located around the world, the approval of customer orders could no longer be handled expeditiously and competently by the sales manager. Purchasing and sales decisions were now being made by regional general managers in the countries where these activities took place. Approving and making adjustments to customer accounts was no longer handled manually and personally by the company’s controller. There was no need to. The local staff could handle that under the supervision of their local management team. The company’s enterprise resource planning (ERP) system provided the necessary separation of duties and limited transaction processing to those authorized.

Many internal auditors missed these changes and were slow to adapt to the changing landscape, instead believing that the world still operated by the standard business model. The result? Many became irrelevant. Some internal auditors still used their standard checklists, asked the same questions, searched for the same documents, and applied the rules of the standard business model. They continued to insist that outdated procedures be followed, like having the sales vice president approve all customer orders and the corporate controller print out the credit memos and sign them.

There was little disagreement about the need for effective internal auditing.
Broad consensus existed about the importance of having a strong and reliable internal control environment. Generally, management believed in the importance of having sound internal controls, but did not believe that the internal audit function was making an effective contribution to the company. Boards of directors and their management teams slowly lost confidence in an internal audit function that focused so disproportionately, and inflexibly, on traditional business models that it recommended changes to the business that were clearly out of step with how the company needed to function. The disproportionate focus on compliance led many auditors to focus on what they thought was important to the business and less on what was truly important to the business. Management became disenchanted with auditors who wanted to refrain from making changes, even when the internal and external environments demanded quick and judicious modifications to the business structure and its practices. Beyond the methodology, some managers even wondered why some audits were being performed in the first place.

As if that weren’t enough, there was another problem. Internal audit in many ways evolved as an offshoot of external audit (i.e., public accounting) and excessively replicated external auditing by focusing on accounting transactions and the process of preparing financial statements. While the focus was generally more detailed and the materiality thresholds used by internal auditors were much lower, reviewing and reperforming accounting procedures seemed wasteful if the organization was already paying its external auditors to audit the accounting practices that led to the publishing of the company’s financial reports.

Much has changed since then. Starting in the early 1990s, internal audit began a transformation process that is bringing it more in line with the true needs of the organizations it serves and the related stakeholders.
The emergence of the stakeholder theory and topics about corporate governance, quality, and cycle time, in addition to the constant advocacy work of the IIA have brought many changes to the profession. The dot com meltdown in 2000/2001 and the enactment of the Sarbanes–Oxley Act of 2002 were wake up calls for the profession.

Today internal audit is achieving a healthier balance among operational, reporting, compliance, information technology (IT), fraud, and strategic topics. It is now looking beyond the immediate fiscal year and taking a closer look at longer term trends and the future implications of current dynamics. It is now identifying a wider set of essential skills, and finding that to succeed as a trusted advisor to the board and management, it must bring into its ranks people with a wider skillset, including broad business skills, strong communication skills, and familiarity with technology.

But there is still work to be done. The State of Internal Audit 2013 report from Thomson Reuters Accelus states that although internal auditors are beginning to evaluate more strategic-level risk management and monitoring activities, most internal audit departments continue to focus primarily on process assurance and monitoring activities. Respondents to the survey indicated there is a lack of skilled resources due to the changing role of internal auditors away from traditional quantitative assessments and toward becoming a qualitative assessor of the organization’s goals and strengths. This condition remains true as this book goes to print.

In this book, we discuss these dynamics and lay the foundation for effective operational audits. We begin by defining and understanding the definition, role, and practices of modern internal auditing in general and the evolving world of operational auditing in particular.
We examine the concept and manifestation of organizational risks and how internal auditors must adopt a risk-based auditing approach, which will allow them to better support the objectives of the organization. Integrated auditing is a concept that has been in place for decades, yet many internal auditors still struggle to practice it effectively. We discuss key attributes of effective integrated audits and why integrated auditing is essential for effective operational audits. We end this chapter with a review of selected Standards for the Professional Practice of Internal Auditing (the Standards). But more than list them, we discuss their implications in the broader topic of operational auditing, and how these standards can be applied successfully.

Definition and Characteristics of Operational Auditing

Operational auditing is defined as “A future-oriented, systematic, and independent evaluation of organizational activities. Financial data may be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives. Internal controls and efficiencies may be evaluated during this type of review.”2 The Business Dictionary defines operational audit as “A review of how an organization’s management and its operating procedures are functioning with respect to their effectiveness and efficiency in meeting stated objectives. For example, a business might perform an operational audit if its senior management has become convinced that operational improvements can be made and need to be identified.”3

I worked in banking operations for 6 years after graduating from college. Over time, one of my roles involved working with the marketing and IT departments to bring new product concepts to market and ensure their smooth implementation and operation. The work involved managing account creation and servicing of loan programs from account setup to payoff.
There was a great deal of paper involved and the work was tedious, time consuming, and often stressful. Due to the growth of the organization, the large volume of paper files and the related logistical difficulties of finding files at various stages of processing and storing documents, and manually reviewing each file to ascertain its creditworthiness, the company embarked on a reengineering project.

I was invited to participate as a business partner during the reengineering and restructuring project and I gladly accepted the offer. The result was several months documenting existing processes while brainstorming how to make the processes faster, cheaper, and better for all involved. We hired an external consulting firm and as I split my time between my regular work and the sessions with the consultants, I got an education on brainstorming, documentation, meeting facilitation, collaboration, negotiation, flowcharting, and time management, among many others. In the end, we successfully introduced a credit scoring system that reduced the amount of time and the number of people needed to process loan applications, we replaced paper records with scanned images for document safekeeping and underwriter review, and were able to provide faster and more accurate status updates about the loan application process and related disbursements.

I leveraged this experience when I subsequently left the bank to work as a business analyst in the insurance industry. For 2 years, I documented business requirements for software engineers, tested systems before rollout, and helped train end users. This involved facilitating workshops to define business requirements and system specifications, performing process design, mapping and analysis, and creating training materials. My role also involved writing client acceptance test procedures to verify that all requirements were included in the design.
This experience taught me the intricacies of interviewing and working closely with computer programmers and operations personnel, facilitating meetings, documenting system layout and functionality, and training users. It also helped me to gain a more in-depth understanding of the nature of internal controls at various levels of system design, assessing the significance of system flaws, and postrelease reporting requirements.

My third career move was more directly related to my original career aspiration: work in international business. I wanted to take advantage of my professional experience, diverse personal background, and multiple language skills, so I contacted the internal audit department and asked for an informational interview. The internal audit manager who interviewed me asked many questions and appeared to be more interested in my experience documenting, analyzing, and improving business processes than my degree in finance. During our interview, we spoke about the importance of asking “who,” “what,” “when,” “where,” and “how” regarding the activities performed within a process, the people working within that process, and the systems supporting both the people and the process. One aspect of the conversation that still resonates with me was how animated she became when we discussed the importance of asking “why.” While “who,” “what,” “when,” “where,” and “how” provide very valuable information to describe the process and understand how the process behaves, “why” provides even more valuable information because it pertains to the purpose of the activities performed. As I knew then, and have come to observe repeatedly over the years, there are countless individuals in organizations working feverishly on activities with an unclear or undefined purpose.
In some extreme cases, they perform activities that lack any purpose whatsoever, but they continue performing those activities “because we have always done things that way.” The interview was very productive and successful and I was offered a job within a few days. I promptly accepted the offer and so began my career working on the international team of a company that was rapidly expanding in Latin America. I became an internal auditor.

My relatives, friends, and business acquaintances were very supportive of my career decision, and I was very happy for their support. What I was not expecting, however, was the general lack of awareness about internal auditing as a profession, and what internal auditors did in particular. Some of their first words often became a statement along the lines of “Oh, so you are going to work for an accounting firm?,” or “I didn’t know you wanted to work for the IRS!,” or the question “Did you major in accounting?” or something along those lines. Essentially, in the mid-1990s, internal auditing was generally unknown, and for those with some inkling about the profession, the tendency was to associate it with accounting, compliance, and tax-related work. There was a general lack of awareness and while I was learning about internal auditing too, I knew that internal auditors did more than accounting, compliance, and tax work. I took the opportunity to explain as best I could the expanding role of internal auditors and how they helped management at multiple levels. I was doing my own advocacy work explaining the work of auditors in general and the exciting opportunities that this presented for me.
Since those days, the IIA has done an impressive job raising awareness through advocacy about internal auditing.4 This effort was enhanced through the formidable work done by Cynthia Cooper, who with her staff unraveled the massive fraud at WorldCom; Sherron Watkins, who was instrumental in alerting others of the accounting irregularities in financial reporting at Enron; and Coleen Rowley, who documented the mishandling of information and failure to take appropriate action at the Federal Bureau of Investigation (FBI). In fact, their work was so instrumental in uncovering these problems that they jointly received the Time Person of the Year award in 2002 as The Whistleblowers.5

As we take a closer look at internal auditing, it is helpful to review the definition of internal auditing as promulgated by the IIA. According to the IIA, the definition of internal auditing “states the fundamental purpose, nature, and scope of internal auditing”6:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Although this definition has been in place for years, it is still misunderstood by many nonauditors, and unfortunately, even by some internal auditors. The misunderstanding stems from a variety of reasons and is heavily influenced by the legacy of auditors performing financial reviews and internal auditors having accounting backgrounds. The definition reflects a modern view of the profession and positions auditors in such a way that they can provide much more valuable assistance to their organizations.
The definition creates a variety of challenges and opportunities for internal auditors, who are no longer engaged in a static, routine, repetitive, and accounting/finance-focused activity; instead, it admonishes internal auditors to review business programs, processes, and initiatives in innovative ways that can add tangible value to the organization.

The definition contains some key language that is important to note:

1. Independence has to do primarily with the position of internal audit within the organization’s hierarchy. Internal audit should report to the audit committee (or its equivalent) on the board of directors so it receives advice and support to perform its duties. Furthermore, internal audit should not be under the control of those they audit. This direct reporting line to the highest authority within the organization will help internal audit reach its full potential, and also get the attention from those whose influence, recognition, and respect can compel corrective action of any anomalies identified by the auditors.

2. Objectivity is related to the auditors’ frame of mind and their ability to examine documents, processes, and programs without a bias, without an agenda, with no other motive than to find the truth and communicate it accurately and promptly. Conflicts of interest are one of the biggest threats to objectivity, so internal auditors must be careful to balance maintaining healthy professional and social relationships with others in the organization without becoming too cozy with them.

3. Assurance relates to the auditors’ ability to give confidence and make statements regarding the condition of matters within the organization. It is often considered a synonym to “compliance” as has been the traditional focus of internal auditors for millennia.
Compliance audits focus on verifying conformity and adherence of a particular area, process, or system with policies, plans, procedures, laws, regulations, contracts, or other requirements that govern the conduct and actions of that area, process, or system. Internal auditors provide reasonable assurance, not absolute assurance, because there are numerous variables to contend with constantly, but also because there are no certainties in life. However, this does not mean that internal auditors do substandard work knowing that they can’t guarantee results. Internal auditors are expected to display competence, knowledge, and act with due professional care in all they do to provide the best assurance possible.

Compliance can be driven by requirements that are internal or external, regulatory or not, explicit or implied. I mention implicit, because the subject of corporate social responsibility (CSR), humane working conditions, and lower ecological impact is not always formally codified, but stakeholders are increasingly demanding compliance with higher ethical and moral standards of conduct. In fact, the Value of Sustainability Reporting study from the Boston College Center for Corporate Citizenship and EY (Ernst & Young) states that 68% of the 579 global organizations surveyed make a sustainability disclosure annually. Sustainability reports are becoming a leading business practice for large organizations worldwide. There is increasing interest among organizations and investors in these types of reports as a way to make sure that environmental and social impacts are managed and as a way to assess the quality and commitment of management to economic, environmental, social, and governance topics. According to the report, there are four main reasons why organizations report:

a. Provide shareholders more transparency
b. Gain competitive advantage
c. Improve risk management capabilities
d. Respond to stakeholder pressure

The word “stakeholder” is a broad term used to denote any person or group that affects, or is affected by, an organization’s policies, decisions, and actions. Stakeholders may be voluntary or involuntary, and either bear risks or share benefits. Since there is a strong, and ever more intertwined relationship between organizations and the environment in which they operate, there are shared interests and an interdependence that develops between any organization and other groups. Making sure that there is fair treatment and consistent, universal adherence to established social regulations are key objectives of compliance reviews.

Sustainability reports can be issued in accordance with the Global Reporting Initiative Guidelines7 or another standard. Although it requires a great deal of work, the report indicates that the financial and social advantages outweigh the costs. In fact, half of the respondents indicated that sustainability reporting gave them a competitive advantage, so it implies that organizations should assess their sustainability practices and that these should inform corporate strategy.

CSR should function as a built-in, self-regulating mechanism enabling organizations to monitor and ensure compliance with laws, ethical standards, and international norms. The expectation is that CSR is deliberately included, and there is consideration of the public interest into corporate decision making. Organizations are expected to honor the triple bottom line: people (social), planet (environment/ecology), and profit (economic). Since there are assurance implications involved, survey respondents indicated there are challenges too. These include availability of data, accuracy and completeness of data, and internal buy-in.

4. Consulting means giving advice to management and the board, and engaging in activities that help the organization resolve nagging business issues.
These engagements address performance, how to improve organizational programs, processes, and activities, and how to become more flexible, nimble, and responsive to business challenges. It also relates to the special projects that internal auditors sometimes work on. Lastly, consulting also relates to the way auditors do their work, suggesting that the traditional mindset and role of the auditor as the corporate cop is being redefined and replaced by a more business-minded professional whose goal is to be respected more so than being feared.

5. Designed to add value. If you ask a gathering of internal auditors if they add value in their organizations, they unanimously raise their hands in agreement. If you pose the same question to nonauditors, the response is often far less enthusiastic. In fact, some may even argue that internal auditors are a necessary evil and an expense they can’t do without because regulations, the board of directors, or other stakeholders demand the existence of an internal audit function. One of the goals of this book is to show how this goal of adding value can be achieved, and do so convincingly.

6. Improve an organization’s operations is a very interesting statement because many auditors see their role as that of checking things and verifying the accuracy of various items and activities within the organization. But improve an organization’s operations? Some would argue that this is a rather broad subject, a tall order, a complex goal, a challenging aspiration, and an insurmountable target. I believe it is not only achievable, but also expected of modern internal auditors. Over the years, internal auditors have made many positive contributions to their organizations, but in some cases, they have become part of a problem: creating bureaucracy within organizations by recommending a never-ending list of controls to mitigate risks, some of which are minuscule in their theoretical assessment and smaller yet if they were to materialize.
Some audit teams operate under the mindset that they have to find something so they can produce a report, which inevitably will result in a series of recommendations for additional control procedures. In this book, we will examine ways in which internal auditors can help to improve operations to enhance efficiency, effectiveness, speed, and yes, reduce errors. By doing this, we will be better prepared to address business risks.

7. Help an organization accomplish its objectives. Many auditors practice what has been commonly referred to as controls-based auditing. In essence, they look for the controls within the process or program of their review, then check them to see if they are present and operating as expected. While this is important, they often forget to link those controls to the relevant risks, and link these risks to the business objectives that those risks threaten. All of this to say that the starting point for everything auditors do should be the identification of the relevant business objectives. With that in mind, then, internal auditors must do their work in ways that help the organization achieve its objectives by properly responding to the risks that threaten these objectives. By focusing on this, internal auditors can add value and the possibilities are almost endless. During my early years in internal audit, one of my audit managers told me: “Think of yourself as running this department. Now, how would you then run it so it is successful?” With this in mind, I was told to prepare the audit program that would guide me and my team’s work checking on the elements that should be there to improve their likelihood of success, and the roadblocks that could get in their way. Very wise words!

8. By bringing a systematic, disciplined approach. This refers to the approach followed when performing the work.
This is encapsulated in the Standards, the Practice Guides and Practice Advisories, which provide a great deal of guidance on how to plan, execute, and communicate the results of the work done. Our methodology is quite extensive, and it provides enough direction and flexibility as a framework to examine virtually any aspect of an organization’s operations.

9. To evaluate and improve the effectiveness. Our role as auditors goes beyond evaluating business dynamics and writing reports that merely list the problems identified. The definition indicates that we evaluate, but also help to improve the organization’s ability to achieve the goals and objectives related to:

a. Risk management. This refers to the identification, measurement, assessment, and response to risks.
b. Control. This refers to those activities that mitigate relevant risks and help the organization avoid surprises.
c. Governance processes. Corporate governance is a wide subject that includes matters related to organizational structure, reporting lines, span of control, resource allocation, accountability measures, discipline, and rewards mechanisms. Corporate governance relates to ethical behavior by directors and others charged with the creation and preservation of wealth for all stakeholders.

The IIA’s Position Paper on Organizational Governance states that since internal auditors are tasked with providing assurance on the risk management, control, and governance processes of their clients, they are one of the cornerstones of effective organizational governance. Auditors provide independent, objective assessments on the appropriateness of the organization’s governance structures and the operating effectiveness of specific governance activities.
They are catalysts for change, advising, or advocating improvements to enhance the organization’s governance structure and practices.8

In my experience as an auditor, trainer, and consultant, I still find that too many auditors practice the traditional form of auditing that can be described as tick and tie. Another way to describe it is adding rows and columns on spreadsheets and reports to verify their mathematical accuracy. While this is important to verify accuracy and completeness, modern internal auditing is far more complex and while it presents numerous challenges due to its very expansive nature, it also provides countless opportunities to add value in new and innovative ways, also for internal auditors to demonstrate their abilities.

Internal auditors often have college degrees and many also possess master’s degrees. They often have professional certifications ranging from Certified Public Accountant (CPA), Certified Internal Auditor, Certified Information Systems Auditor, and Certified Fraud Examiner (CFE), among many others. They typically have many years of experience and have a great deal of knowledge to tap into as they examine business activities. The new role of internal audit provides many opportunities to leverage this knowledge and experience for the betterment of their organizations.

By focusing on what I consider the “other parts of the definition,” internal auditors would find that they can expand and enhance their work in ways that would create a much more positive and rewarding experience with management. Furthermore, it makes for a more exciting experience as auditors would not be limited by old practices and would have the freedom and flexibility to evaluate business risks in innovative ways. After comparing the two definitions, operational auditing and internal auditing are indeed quite similar!
The Other Parts of the Definition

While many people focus on the accounting and compliance aspects of internal auditing, the definition mentions other aspects of the trade that are not as widely embraced and practiced by auditors. By this, I mean words like “consulting,” which speaks more literally to the special projects that internal auditors sometimes embark on. While the definition refers to “assurance,” which refers to traditional compliance work, I believe consulting refers to more than just special projects. It also includes the way auditors do their work. I have found that by not only thinking of consulting as special projects, but also thinking in terms of the auditors’ attitude, disposition, frame of mind, and working practices, it would go a long way toward living the intentions of “and consulting activity.”

For example, many internal auditors focus on one-on-one interviews and scantily practice facilitated sessions, where you bring together several employees for discussion, fact finding, problem identification, brainstorming solutions, and prioritizing alternatives. Another example is not being so afraid of scope creep that auditors fail to examine the root causes of business issues sufficiently. In this book, I present numerous tips, tools, and techniques to improve the interaction with audit clients and root cause analysis, among other critical activities.

Another aspect of the definition is “… improve an organization’s operations.” To me these words speak volumes about the importance of not only checking processes to make sure that control activities are performed according to procedures documentation, but also looking at the risk of bottlenecks, slowdowns, rework, and other operational dysfunctions that are the result of what I consider “the other types of risks.” Internal auditors have focused disproportionately on accounting and financial risks, the risk of poor recordkeeping and classification, financial abuse, and theft.
But many organizations thrive or fail based on their ability to manage the risk of inefficiency, ineffectiveness, rework, and delays better than the competition. The importance of managing these dynamics does not escape the nonprofit sector, as many NGOs, academic, and government institutions are increasingly operating with reduced budgets while struggling to achieve their mission and objectives.

So what is operational auditing?9

Operational auditing is a future-oriented, independent, systematic, and business-focused evaluation of management, and the organization’s activities controlled by management and third parties. This is done to benefit the organization’s stakeholders who trust internal auditors to identify anomalies, verify that resources are handled responsibly, and that the organization is structured and operating in ways that it is likely to succeed.

The purpose of operational auditing is to improve organizational profitability and the attainment of organizational objectives. These go beyond a review of internal control issues since management does not achieve its objectives simply by adhering to satisfactory systems of internal control. Instead, management must define its goals, set appropriate strategies, staff the organization with enough and competent workers, and execute effectively. Operational auditing also involves evaluating management’s performance, since they have a fiduciary responsibility toward the organization’s owners and other relevant stakeholders. Over the past few decades, the expectations of stakeholders have increased monumentally creating a more challenging environment for managers and auditors alike. These expectations range from CSR, to acting ethically, safeguarding key information, and maintaining a positive reputation.
Another important aspect of operational auditing is that rather than merely verifying that employees are performing their duties according to established policies and procedures, internal auditors also verify a variety of qualitative aspects of the organization and its activities. Regarding procedures documentation, internal auditors are expected to verify that these documents are up to date, that they are relevant, that they reflect the best way to perform the work with regards to efficiency and effectiveness, that these documents are safe from unauthorized change, they are understood by employees, and that their location is known by employees so they can refer to them for guidance when there are questions.

Operational audits may also be concerned with the structure of the organization, since a poorly structured organization, or one where information does not flow accurately and promptly jeopardizes efforts to achieve objectives. Instead, poorly structured organizations tend to be disorganized, inefficient, have high employee, customer, and vendor turnover, and become wasteful. All of these manifestations of dysfunction erode the ingredients for success and an auditor who brings a fresh and objective perspective to the review can identify these weaknesses.

In the end, operational auditing is designed to evaluate the effectiveness and efficiency of business activities, processes, programs, functions, and units. The scope may be different from traditional fiscal-year scope periods, since achieving these objectives may require an analysis of multiple time periods to identify, analyze, and understand trends, patterns, outliers, and other positive or negative dynamics of interest. These other risks are of importance to internal auditors, since our definition indicates that we are responsible for risk management, as stated in Standards 2010 (Planning), 2100 (Nature of Work), and especially 2120 (Risk Management).
The Risk-Based Audit

Engaging in risk-based auditing means that internal auditors must exercise and apply a broader view of organizational risks. Accounting and financial risks are only a limited number of the many risks organizations face. Other examples include the risk of delays, waste, inefficiency, poor customer service, excessive customer and employee turnover, poor quality data, and system failures. Although these risks actually characterize the working environments in many organizations, and affected employees readily describe the impact these risks have on profitability and the organization’s ability to succeed, many auditors fail to identify, measure, and assess sufficiently the mechanisms in place to mitigate those risks.

Some organizations have come a long way in their attempts to correct this deficiency, such as hiring auditors with more diverse backgrounds. Over the past decade, I have met many auditors with diverse academic and professional backgrounds, such as engineering, nursing, geology, and biology degrees and backgrounds, among others. While hiring auditors without auditing experience poses some training challenges, it helps to bring into the unit a diversity of skills and mindsets that enriches the department and provides valuable insights into other risks affecting the organization. Furthermore, the drive to achieve diversity provides a competitive edge for the profession as we broaden our recruitment efforts and strive to make sure that every auditor individually, and internal audit departments collectively, possess the knowledge and proficiency to perform their duties.

While traditionalists may find this expansion of auditor backgrounds puzzling, it is consistent with the guidance provided by the IIA. The IIA is the governing body of internal auditors worldwide.
Founded in 1941, it counts more than 180,000 members in 180 countries10 and has issued guidance for internal auditors in the form of the Standards for the Professional Practice of Internal Auditing (the Standards), Practice Advisories, Practice Guides, and Position Papers. These documents provide guidance on what internal auditors should do, and how.11

This concept of risk-based auditing is in contrast to what has been dubbed controls-based auditing. The latter is defined as audits that focus on identifying and evaluating internal controls without enough regard to their value to the process. This can happen because auditors take a preexisting work program without researching the nuances of the present audit scope sufficiently, or because, even when they perform planning activities, their interviews and other research focus only on identifying existing controls without fully understanding the key risks and objectives of the process under review. Even when auditors perform interviews and walkthroughs, they could allow their accounting bias to steer the questions they ask and the documents they request for examination.

When performing controls-based audits, the auditor then listens and searches for references to controls with the intention of verifying their existence and effectiveness. In effect, they are testing the controls in relative isolation, without fully understanding their connection to the underlying objectives and risks of the process or program under review.

Performing risk-based audits requires more brainstorming, more interactions with process owners, a more in-depth understanding of the organization’s business, and a mechanism to address past, present, and future vulnerabilities and scenarios that threaten the achievement of business objectives. Since internal auditors are being asked to do more with less, they can’t afford to review controls just because they are there.
Internal auditors need to assess whether those controls are key to the achievement of objectives and only focus on those that are.

The IIA’s publication on the 2015 Common Body of Knowledge (CBOK) global survey is entitled “Driving Success in a Changing World: 10 Imperatives for Internal Audit” and it confirms that the internal audit profession is making substantial progress in making itself relevant to business overall. There is still reference to the expectation gap between what stakeholders consider to be of value and what the internal audit function is delivering. But more than half of respondents now state that their activities are fully or mostly aligned with the strategic plan of their organization. Chief Audit Executives (CAEs) report they will focus almost as much on strategic business risks (70%) as operational risks (72%). This shows the continued and fundamental shift away from the traditional approach of focusing on accounting/financial controls and instead moving closer to the review of the organization’s primary objectives.

The report advises internal auditors to anticipate the needs of stakeholders, develop forward-looking risk management practices, and support the business objectives, identify, monitor, and deal with emerging technology risks and enhance audit findings through the greater use of data analytics. But the report also shows that many organizations are still struggling. In part this is because the environment in which they work is constantly changing; new regulations are constantly legislated and new risks evolve as the world itself evolves, particularly the world of data and technology.

Auditing Beyond Accounting, Financial, and Regulatory Requirements

With all of these matters in mind, it behooves internal auditors to look beyond traditional accounting, financial, and regulatory requirements.
In the past, internal auditors predominantly had accounting degrees, graduated from university accounting programs, generally were recruited from external public accounting audit firms, and held CPA certifications. As such, their focus and experience were acquired in the accounting field and they saw most audit matters through the prism of accounting requirements.

The other key focus area was compliance with regulatory requirements. In this case, auditors adopted a fairly binary approach to audits by attempting to understand the rules and regulations affecting a program or process. They then would apply a very effective methodology: Are they doing what the rulebook says? If “Yes,” the test results were satisfactory. If “No,” the results were documented and communicated as findings. In essence, a very predictable pass/fail approach to auditing. For many years, this became the standard operating practice of auditors and even today, some audits require a similar approach due to their regulatory and compliance focus, but we must be careful not to default to this approach when the expectation is broader.

Over time, business leaders and managers witnessed business failures caused by poor management decisions and practices. By poor management, I am referring to inadequate:

▪ Operations management. Some of the related issues are waste, inefficiencies, supplies that arrive late, poor customer satisfaction, and limited capacity to grow as opportunities arise or customers’ demands change.
▪ Human resources. As evidenced by poorly supervised, trained, and evaluated employees who sometimes become unmotivated and unproductive.
▪ IT. Computer systems designed with an inaccurate understanding of the business needs and uses of these systems, poor data capture, and inadequate reporting mechanisms.
▪ Marketing. Mass marketing of products and services at a time when customers prefer to feel unique, or wasteful campaigns because they target the wrong audience.
▪ CSR. Issues range from child labor, sweatshop conditions, abusive management, and inappropriate waste disposal.
▪ Environmental Health and Safety (EHS) practices and conditions related to poor ventilation, excessive heat, extreme noise levels, and workplace hazards caused by chemicals, machinery, and workplace configurations, among others.

Another catalyst enhancing the role of internal auditors and moving it beyond compliance is the increase in stakeholder demands for advisory and consulting activities. Discussions within the D
