Chapter 2 Objectives and Phases of Operational Audits PDF
Document Details
Uploaded by Deleted User
Tags
Summary
This document details the objectives and phases of operational audits. It covers topics like new rules, poor performance, compliance issues, and anomalous revenues/expenses, as well as the organization's infrastructure. It also describes the planning, fieldwork, and reporting phases of operational audits, and explains different types of audit evidence.
Full Transcript
# Chapter 2 Objectives and Phases of Operational Audits "Out of clutter, find simplicity" - Albert Einstein ## Introduction Operational audits involve a review of program or process activities. The goal is to determine whether the objectives of the program or process are being met. Many factors c...
# Chapter 2 Objectives and Phases of Operational Audits "Out of clutter, find simplicity" - Albert Einstein ## Introduction Operational audits involve a review of program or process activities. The goal is to determine whether the objectives of the program or process are being met. Many factors can impact the effectiveness of an operational audit. These factors include those related to the people involved, the areas of focus, and the communication and coordination of the audit. ## Key Objectives of Operational Audits Defining the objectives of an engagement is essential. Without clearly defined, communicated, and understood objectives, everyone involved is likely to drift during the course of the review. Objectives can arise from a variety of factors, including: * **New Rules:** Internal or external rules such as policies, procedures, laws, regulations, or contracts. CSR (Corporate Social Responsibility) initiatives are an increasingly important factor, and many argue CSR is now within the scope of internal audit. * **Poor Performance:** Inefficiencies, waste, rework, or complaints from customers and vendors can trigger management involvement. * **Compliance Issues:** Internal quality control initiatives or external regulatory reviews can lead to an audit. * **Anomalous Revenues or Expenses:** While increased sales are generally welcomed, internal auditors may review the related transactions if the figures appear dubious. Similarly, unusually high or low expenses may also result in a review. When defining the objectives, internal auditors should examine the organization's infrastructure. Infrastructure includes the underlying foundation or basic framework of a system or organization, and the resources needed for an activity, such as personnel, buildings, or equipment. Operational audits, in many ways, share similarities to traditional accounting/financial reviews, but there are some differences. Both require the identification of the corresponding business objectives, and both audit life cycles can be divided into three phases: planning, fieldwork, and reporting. ## Phases of the Operational Audit Operational audits follow the traditional planning, fieldwork, and reporting phases. ### Planning Planning is arguably the most important part of an audit. The planning phase includes: * **Scoping:** Determining the scope of the audit and identifying the population of interest. * **Budgeting:** Estimating how much resources are needed for the audit. * **Risk Assessment:** This is a critical part of planning. It entails evaluating the risks associated with the audit universe - consisting of all auditable activities such as accounts, processes, programs, and functions. * **Announcing the Audit:** Communicating the audit to stakeholders, including process owners. The planning process ideally involves senior management and the board of directors to ensure buy-in. This leads to two key outputs: * A Strategic Plan for company operations. * An Audit Plan that identifies what will be reviewed. The audit plan should identify the resources needed. The auditor should also consider industry specific, compliance, and IT-related risks. ### Fieldwork Fieldwork is the phase when most of the testing is performed. It includes: * **Determining if the process or program under review is designed effectively** to achieve the related goals and objectives. * **Verifying that the controls in place are performing as designed by management.** Fieldwork can sometimes involve planning and sometimes testing. Key tasks during fieldwork include: * Communicating with the process owner. * Requesting needed financial and operational reports and documents. * Coordinating staff availability. * Identifying the systems in use. * Defining the scope, objectives, work schedule, and budget for the engagement. ### Reporting The reporting phase of an audit involves communicating the results, or the findings, of the audit. It consists of documenting findings, observations, and best practices noted during the review. It also consists of developing recommendations for corrective action. #### Types of Audit Evidence The most common types of audit evidence are: * **Testimonial Evidence:** This type of evidence can be verbal or written statements or assertions. * **Observation:** Auditors visually evaluate physical facilities, conditions, and practices and verify they exist, condition, valuation, and protection. * **Document Inspection:** Auditors review documents to verify the date and amount of transactions, agreements made between various parties, evidence of authorizations, and records of decisions. #### Attributes of Persuasive Audit Evidence Evidence must be relevant, objective, documented, external, and derived from a large sample size using a statistical method. It should be corroborated, timely, and authoritative. Direct evidence is more persuasive than indirect. Evidence from well-controlled and reliable systems is more persuasive. #### Workpapers Workpapers are documents that provide the support for an audit. They include the planning done, the fieldwork activities, the support for all information mentioned in the audit report or other communication of results. They are useful for training and professional development. Workpapers should be neat, easy to read, and easy to review. #### Internal Control Questionnaire (ICQ) ICQs can be used to evaluate internal controls in specific areas of an organization by asking key questions. Internal auditors might use an ICQ as a starting point and then supplement it with other information-gathering techniques. #### Condition of Workpapers Workpapers should be: * Neat. * Easy to read. * Easy to review. * Uniform. * Contain the objective of the procedure performed. * Include the source of information evaluated. * Include the name of the auditor who performed the work. * Contain the date the work was done. * Contain the name and date of supervisory review. * Detailed showing the work done. * Include a reference to other supporting documents, such as relevant objectives, risks, and controls. * Contain the results of the testing procedure performed. * Include a conclusion. #### Tickmarks in Workpapers Tickmarks provide a visual way to show the results of a transaction-based test. #### Variance Amount in Workpapers The variance amount is a simple formula that subtracts the amount of the invoice from the amount paid. It's useful for quantifying the extent of discrepancies noted during the test. #### Approved Column in Workpapers The approved column helps determine if activities are reversed and performed retroactively. #### Recording Period in Workpapers This variance helps determine if the recording date aligns with the close and reporting date. #### Electronic Workpapers Electronic workpapers include documents that are prepared using templates in a document management application or using common tools such as Microsoft Word and PowerPoint. Key features of electronic workpaper systems include: * Access controls. * Budget management. * Data analytics. * Integration with popular productivity tools. * Document preparation and management. * Findings documentation and tracking. * Support for multiple users. * Report writing. * Review notes. * Risk and control assessment. * Risk matrix. * Task assignment. * Time tracking. * Version control. * Online/offline functionality. #### Findings Findings are deviations from what was expected and form the basis for an audit report. They are typically documented as a CCCER, which stands for Criteria, Condition, Cause, Effect, and Recommendation. #### Follow-Up Both management and auditors should verify that the corrective actions are in fact applied and the problems are fixed as expected. Failure to do so often results in findings being ignored. #### Metrics Metrics are important to monitor performance and provide a comparison between what should have been done and what was actually done. They help to: * Monitor performance and the achievement of organizational goals. * Inform management and stakeholders of how well programs and processes are performing and to identify the areas that require improvement. * Ensure employees understand the connection between measurable performance and reward. * Make sure data is used for decision making, not just for the sake of collecting it. * Communicate performance results to different stakeholders. * Promote a holistic, balanced-scorecard approach. #### People, Processes, and Technology The success of organizational goals depends heavily on the ability to effectively combine people, processes, and technology. #### Summary Operational audits provide a great deal of versatility as they can be implemented in any aspect of a business operation. Risk assessment plays an important role in operational audits. Auditors should carefully document all audit evidence, including testimonial evidence, observation, document inspections, and metrics. Risk assessments are central to the work of internal auditors and help to define the audit plan, the individual audit programs, and the amount of effort that should be exerted to verify the condition of workplace elements. ## Questions 1. List three reasons why management may ask for an operational audit to be performed, and explain how the audit program would be impacted by each of them. 2. Explain the importance of identifying risk factors and using them during the planning phase. 3. Explain how an auditor would perform each of the following procedures: * Trace * Vouch * Reconcile * Foot * Cross-foot 4. What is testimonial evidence, and how is it gathered? 5. Give two examples where observation is a useful technique to examine operational risks and related controls. 6. Give two examples where document inspection is a useful technique to examine operational risks and related controls. 7. Explain professional skepticism and why it is important for all auditors. 8. Provide three benefits of drawing process maps (flowcharts or value stream maps, as some would rather call them). 9. What is an internal controls questionnaire, and how can auditors use it during the planning and fieldwork phases of audits? 10. Explain the acronym CCCER.