CHAPTER 2

1. List three reasons management may ask for an operational audit to be performed and explain how
the audit program would be impacted by each of them.

An operational audit includes a review of the activities executed in an organization. Murdock

(2016 p. 34) enumerated four reasons why management may ask for an operational audit to be
performed which are (1) new rules, (2) poor performance, (3) compliance issues and (4) anomalous
revenues or expenses. Since the question only ask for three reason, let us define the last three.

First, if there are any complaints from the customers as well as the vendors, the first thing that
the company will think is that where do they go wrong. From that, the company should send a request
to an internal auditor to review this matter.

If there are compliances issues, it means that there are anomalies in the internal quality control.
The internal audit department should investigate if there are noncompliance issues at their organization
to help assess the issue and be able to make sound decision.

Anomalous revenues or expenses occurs when these figures look suspicious and untrustworthy,
the management may ask for an operational audit to review the related transactions to ascertained that
these figures are correct in all aspect. It would be easier to perform an operational audit if there is an
audit program that contains detailed information about audit procedures that the auditor will follow to
execute proper auditing.

2. Explain the importance of identifying risk factors and using them during the planning phase.

Risk factors plays an important role during the planning phase. Risk factors are conditions and
other variables that in their present, or absence either exacerbate or diminish the underlying risk
(Murdock, 2016, p. 38). Even though it is not possible to eliminate or anticipate all risk, identifying risk
factors can help to reduce the occurrence of those risks. Examination of the tasks, activities, and
processes in an organization when planning should be executed. During planning meetings, internal
auditors should engage in participative practices, involving process owners as much as possible to
identify relevant activities, systems, people, and performance standards. When auditors do this, they
are better equipped to define the scope more precisely. It plays an important role in identifying the
risks that should be examined during the audit (Murdock, 2016, p. 39). It will help the internal auditor to
identify possible risk and make reasonable steps to prevent it. Internal auditor should also look at
certain risk and try to generate a plan on how to control it effectively and efficiently. Put simply,
understanding, and identifying risk factors can help the internal auditor to identify possible risks of the
company which can serves as a guide in planning the procedures in performing the audit.

3. Explain how an auditor would perform each of the following procedures:

a. Trace - involves tracing the transaction from its source to its destination, which could be a financial,
operational, or regulatory report. Example of tracing a transaction from its source is looking at the cash
receipt or its file creation.

b. Vouch - involves the “reverse-trace” of a transaction from the destination to its source. Like for an
example, from financial operational, or regulatory report to sales order, purchase, and time sheet.

c. Reconcile - tie information from two separate sources to verify the accuracy or expected discrepancies

d. Foot - add the items in a column

e. Cross-foot - add the items in a row

(PLEASE PUT SOME REFERENCE HEHEHHEE)

4. What is testimonial evidence and how is it gathered?

Testimonial evidence consists of verbal or written statements or assertions given by someone as

proof regarding the matter being discussed (Murdock, 2016, p. 41). It is usually gathered during
interviews, but it can also be obtained through questionnaires. It can be requested in writing and the
response can be delivered verbally and vise versa. Interviews often consists of an auditor and one or
more person talking about matters regarding the engagement. One-on-one interviews is the most
common type of how testimonial evidence is gathered but it is also common to conduct in pairs. One of
the key benefits of this practice is having a second auditor present to improve the quality and detail of
the information gathered, and alternate roles as one auditor takes notes while the colleague asks
questions, and vice versa (Murdock, 2016, p. 42).

5. Give two examples where observation is a useful technique to examine operational risks and related
controls.

Murdock (2016 p. 42) enumerated six examples of items that internal auditors may want to
observe and why. Two of those six examples are (1) observe the security measures to prevent
unauthorized individuals from entering the facility and (2) walk the perimeter of a construction site to
confirm there is a fence that restricts access to only authorized individuals.

Physical access to a building or room with no permission is considered as an unauthorized access

which may be done by an outsider or even an employee. When this happens, it can result to theft (both
physical and identity) and worse, may be even endanger the lives of the people in that certain building
or room. Therefore, it is important that the organization should observe security measures and assess
possible threats to prevent it from happening. Construction sites should have visible signage stating, “no
unauthorized entry”, use fences, have guards, and video surveillance and any other security perimeter
to minimize operational risk and related controls. By observing and implementing measures to prevent
unauthorized access, an organization can protect their business, assets, information and even its
employees from internal and external threats that may possibly occur.
6. Give two examples where document inspection is a useful technique to examine operational risks and
related controls.

Murdock (2016 p. 43) enumerated different types of documents both internal and external. He
also states that document inspection is one of the most common procedures performed by auditors who examine
documents to verify the date and amount of transactions, agreements made between various parties, evidence of
authorizations and record of decisions made, among others.

Inspecting financial statements of a company provides more credibility to the reported financial
position and performance of a business. Auditors need to check if the financial statements to be
reported shows a legitimate view of the standing and performance of the company. Obtaining an
understanding in the business and how it operates, and assessing information collected can help to
examine whether there may be operational risks which will possibly occur that can impact financial
statements.

Examining customer orders and compare it to the invoices that sent out and there should be an
identical numerical figure on both documents. You should also compare invoices of checks and receipts
and the amounts should match exactly. Invoices both produced and received should always be reconcile
with its original establishments.

7. Explain professional skepticism and why it is important for all auditors.

Professional skepticism is an attitude that is used to verify the integrity of the data obtained and
conclusions formulated. Auditors should always have the doubt in certain circumstances when gathering
evidence or information and they should exercise healthy professional skepticism to evaluate the quality
of data collected and used. Internal auditors should be sufficiently suspicious of data received and
reasonably verify that the information is free from manipulation or modification in ways that can
compromise its quality (Murdock, 2016, p. 46). Since interview is the most common way to gather
testimonial evidence, internal auditors should do this kind of data gathering while observing changes in
the surrounding or in the behavior of the interviewee. Professional skepticism should always be
exercised by all the editors specially when performing auditing activities to find risk and potential errors
and make a sound decision out of it.

8. Provide three benefits of drawing process maps (flowcharts or value stream maps, as some would
rather call them).

A flowchart is a diagram of the sequence of movements or actions of people or things involved

in a process or activity. Drawing a flowchart, or process mapping, is done to understand how the steps in
a business process work together (Murdock, 2016, p. 48).

Drawing flowcharts or process mapping provides a visual representation of the workflow of an

organization which is most suited to some people. It shows how the process is done and illustrates
effective visual communication of ideas, information, and detailed processes. Employees can easily
understand complicated plans and processes.
 Another benefits that flowcharts may give is that errors may stand out and be obvious. When
doing process mapping, anything that does not add value to the whole workflow is considered as waste
or error. It can help identify errors which will help you to decide how to deal with it or improve it.

Another benefit of drawing flowcharts and process mapping is that is it easier to review. In this
case, the process mapping should be available to everyone at anytime which gives them a place to go to
review what and how things should be done.

9. What is an internal controls questionnaire and how can auditors use it during the planning and
fieldwork phases of audits?

An internal control questionnaire helps to evaluate internal controls in specific areas by asking
key questions (Murdock, 2016, p. 50). Internal auditors usually use internal control as their starting point
of collecting information then later gathers more information applicable to the assessment of the
operation. It is usually used when there is a large amount of information necessary to be collected. In
this case, preparing questionnaires like this can be very helpful in collecting data easily and quickly.

During planning and fieldwork phases, it is still required to gather as much data available for
auditing. Internal control questionnaires help internal auditors to save their time and efficiently use it
because they can obtain information easier than asking the employees one by one.

10. Explain the acronym CCCER.

CCCER stands for criteria, condition, cause, effect, and recommendation (Murdock, 2016, p. 55).

Criteria - it should consist of what was expected to exist or occur.

Condition – refers to what actually exist. It is what the auditor found out as a result of the execution of
audit procedures.

Cause – It is the reason why condition exists and what is its difference from the criteria. Auditors should
focus on the root cause of the problem and avoid focusing on symptoms.

Effect – also called as the consequence. It consists the impact of the condition.

Recommendation – is the action item needed to correct the condition so that the performance is
consistent with the criteria.
References:

Murdock, Hernan. (2016). Operational auditing: Principles and techniques for a changing world. Boca
Raton, FL: CRC Press.