
Republic of the Philippines

Mountain Province State Polytechnic College


Bontoc, Mountain Province

OPERATIONAL AUDIT OVERVIEW

Module 1 of 4 Modules

Operations Auditing

Jude F. Mango, CPA

Accountancy and Business Education Cluster

2nd Semester, School Year 2020-2021


INTRODUCTION
This module focuses on discussion of operations auditing in broad view. We
begin by defining and understanding the definition, role, and practices of modern
internal auditing in general and the evolving world of operational auditing in
particular. We examine the concept and manifestation of organizational risks and how
internal auditors must adopt a risk-based auditing approach, which will allow them to
better support the objectives of the organization. Integrated auditing is a concept that
has been in place for decades, yet many internal auditors still struggle to practice it
effectively. We will discuss key attributes of effective integrated audits and
why it is essential for effective operational audits. We end this chapter with a review of
selected Standards for the Professional Practice of Internal Auditing (the Standards).
But more than list them, we will discuss their implications in the broader
topic of operational auditing, and how these standards can be applied successfully.

Situational problems will be provided with suggested answers and explanations
when necessary. Questions that are provided will serve as your practice sets and
drills. It is highly encouraged that you work independently and honestly on the cases
first before trying to compare them with the answers given for you to assess your current
learning curve objectively. It is vital for you to keep in mind your long term goal for
now, which is to pass the licensure examination, while going through your module.
Practice quality study habits and we will assure you quality education as well.

This module is good for 9 hours and is expected to be finished at the end of the
3rd week of our class schedule. You can submit your outputs (only the ANSWER
SHEETS, which are provided at the end of this module) through the following:
• Via Online:
Scanned copy or picture of your output that is finalized in the ANSWER SHEET
converted to pdf file.
1. Email account: [email protected]
Indicate the course code of this subject on the subject of your email.
2. Facebook Messenger Account: Jude F. Mango
Rename your file with the course code of this subject.

• Manually:
1. Through the retrieval facilities as may be arranged by the College later.
2. Personally or, if below 21 years old, through family or friends at the BSA
Faculty Room 402 Old Academic Building.

• Note: Please do not submit any of your output through our class group chat. If
you have any issues, you are free to ask me through my Facebook account.

MODULE OUTLINE
To give you a picture of what lessons are expected from this module, here is a
summary of the lessons:
Lesson I: Operations Audit Overview
A. Characteristics of Operational Audit
B. Modern Developments in Operations Audit
C. The Standards and Code of Ethics

At the end of the module, you should be able to:
1. correctly prepare recommendations as operations auditor on a given situation;
and
2. develop the value of objectivity by understanding the role of an operations
auditor.

LESSON 1: Definition and Characteristics of Operational Auditing


At the end of the lesson, you should be able to:
1. explain clearly the definition, role, and practices of
modern internal auditing in general and the evolving world of
operational auditing in particular; and
2. develop the value of the conduct of operations audit
and internal auditing standards as a means of giving
answers to problems.

LET’S ENGAGE!
Continuous improvement is one of the most challenging goals of every
organization. As they say, it is easier said than done. From the audit perspective,
how can we contribute to the said goal? What are the technical
aspects that are vital for us to know in order to maximize our skills in achieving such a
goal?

Characteristics of Operational Auditing

The responsibilities and conduct of audits by internal
and external auditors differ in one important way.

Internal Auditor: They are responsible to the management and the board.

External Auditor: They are responsible to the users of financial statements who rely
on the auditor to add credibility to financial statements.

• Both require competence and objectivity in performing their work and reporting the
results.
• Both follow a similar methodology in performing their audits, including planning and
performing tests of controls and substantive tests.
• Both consider risk and materiality in deciding the extent of their tests and evaluating
results. However, their decisions about materiality and risks may differ because
external users may have different needs than management or the board.

External auditors rely on internal auditors when using the audit risk model to
assess control risk. If internal auditors are effective, the external auditors can
significantly reduce control risk and thereby reduce substantive testing. As a result,
external auditors may reduce their fees substantially when the client has a highly
regarded internal audit function. External auditors typically consider internal auditors
effective if they are:
a. independent of the operating units being evaluated;
b. competent and well trained; and
c. have performed relevant audit tests of the internal controls and financial
statements.

Auditing standards permit the external auditor to use the internal auditor for
direct assistance on the audit. By relying on the internal audit staff for performing
some of the audit testing, external auditors may be able to complete the audit in less
time and at a lower fee. When internal auditors provide direct assistance, the external
auditor should assess their competence and objectivity and supervise and evaluate
their work.

As we take a closer look at internal auditing, it is helpful to review the definition
of internal auditing as promulgated by the IIA.

Internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organization’s operations. It helps an
organization accomplish its objectives by bringing a systematic, disciplined approach
to evaluate and improve the effectiveness of risk management, control, and governance
processes.

The definition reflects a modern view of the profession, one in which internal auditors
can provide much more valuable assistance to their organizations. The definition
creates a variety of challenges and opportunities for internal auditors, who are no
longer engaged in a static, routine, repetitive, and accounting/finance-focused activity.
Instead, it admonishes internal auditors to review business programs, processes, and
initiatives in innovative ways that can add tangible value to the organization.

The definition contains some key language that is important to note:

1. Independence has to do primarily with the position of internal audit within the
organization’s hierarchy. Internal audit should report to the audit committee (or its
equivalent) on the board of directors so it receives advice and support to perform its
duties. Furthermore, internal audit should not be under the control of those they
audit. This direct reporting line to the highest authority within the organization will
help internal audit reach its full potential, and also get the attention from those whose
influence, recognition, and respect can compel corrective action of any anomalies
identified by the auditors.

2. Objectivity is related to the auditors’ frame of mind and their ability to examine
documents, processes, and programs without a bias, without an agenda, with no other
motive than to find the truth and communicate it accurately and promptly. Conflicts
of interest are one of the biggest threats to objectivity, so internal auditors must be
careful to balance maintaining healthy professional and social relationships with
others in the organization without becoming too cozy with them.

3. Assurance relates to the auditors’ ability to give confidence and make statements
regarding the condition of matters within the organization. It is often considered a
synonym to “compliance” as has been the traditional focus of internal auditors for
millennia. Compliance audits focus on verifying conformity and adherence of a
particular area, process, or system with policies, plans, procedures, laws, regulations,
contracts, or other requirements that govern the conduct and actions of that area,
process, or system.

Internal auditors provide reasonable assurance, not absolute assurance,
because there are numerous variables to contend with constantly, but also
because there are no certainties in life. However, this does not mean that
internal auditors do substandard work knowing that they can’t guarantee
results. Internal auditors are expected to display competence, knowledge, and
act with due professional care in all they do to provide the best assurance
possible. Compliance can be driven by requirements that are internal or
external, regulatory or not, explicit or implied.

4. Consulting means giving advice to management and the board, and engaging in
activities that help the organization resolve nagging business issues. These
engagements address performance, how to improve organizational programs,
processes, and activities, and how to become more flexible, nimble, and responsive to
business challenges. It also relates to the special projects that internal auditors
sometimes work on. Lastly, consulting also relates to the way auditors do their work,
suggesting that the traditional mind set and role of the auditor as the corporate cop is
being redefined and replaced by a more business-minded professional whose goal is to
be respected more so than being feared.

5. Help an organization accomplish its objectives. Many auditors practice what
has been commonly referred to as controls-based auditing. In essence, they look for
the controls within the process or program of their review, and then check them to see
if they are present and operating as expected. While this is important, they often forget
to link those controls to the relevant risks, and link these risks to the business
objectives that those risks threaten. All of this to say that the starting point for
everything auditors do should be the identification of the relevant business objectives.
With that in mind, then, internal auditors must do their work in ways that help the
organization achieve its objectives by properly responding to the
risks that threaten these objectives. By focusing on this, internal auditors can add
value and the possibilities are almost endless.

6. By bringing a systematic, disciplined approach. This refers to the approach
followed when performing the work. This is encapsulated in the Standards, the
Practice Guides and Practice Advisories, which provide a great deal of guidance on
how to plan, execute, and communicate the results of the work done. Our
methodology is quite extensive, and it provides enough direction and flexibility as a
framework to examine virtually any aspect of an organization’s operations.

7. To evaluate and improve the effectiveness. Our role as auditors goes beyond
evaluating business dynamics and writing reports that merely list the problems
identified. The definition indicates that we evaluate, but also help to improve the
organization’s ability to achieve the goals and objectives related to:

a. Risk management. This refers to the identification, measurement, assessment, and
response to risks.

b. Control. This refers to those activities that mitigate relevant risks and help the
organization avoid surprises.

c. Governance processes. Corporate governance relates to ethical behavior by directors
and others charged with the creation and preservation of wealth for all stakeholders.
The IIA’s Position Paper on Organizational Governance states that since internal
auditors are tasked with providing assurance on the risk management, control, and
governance processes of their clients, they are one of the cornerstones of effective
organizational governance. Auditors provide independent, objective assessments on
the appropriateness of the organization’s governance structures and the operating
effectiveness of specific governance activities. They are catalysts for change, advising,
or advocating improvements to enhance the organization’s governance structure and
practices.

8. Another aspect of the definition is “… improve an organization’s operations.” It
highlights the importance of not only checking processes to make sure that control
activities are performed according to procedures documentation, but also looking at
the risk of bottlenecks, rework, and other operational dysfunctions that are the result
of what I consider “the other types of risks.” Internal auditors have focused
disproportionately on accounting and financial risks, the risk of poor recordkeeping
and classification, financial abuse, and theft. But many organizations thrive or fail
based on their ability to manage the risk of inefficiency, ineffectiveness, rework, and
delays better than the competition.

So what is operational auditing?

Operational auditing is a future-oriented, independent, systematic, and
business-focused evaluation of management, and the organization’s activities
controlled by management and third parties. This is done to benefit the organization’s
stakeholders who trust internal auditors to identify anomalies, verify that resources
are handled responsibly, and that the organization is structured and operating in
ways that it is likely to succeed.

The purpose of operational auditing is to improve organizational profitability
and the attainment of organizational objectives. These go beyond a review of internal
control issues since management does not achieve its objectives simply by adhering to
satisfactory systems of internal control. Instead, management must define its goals,
set appropriate strategies, staff the organization with enough and competent workers,
and execute effectively.

Operational auditing also involves evaluating management’s performance, since
they have a fiduciary responsibility toward the organization’s owners and other
relevant stakeholders. Over the past few decades, the expectations of stakeholders
have increased monumentally creating a more challenging environment for managers
and auditors alike. These expectations range from CSR, to acting ethically,
safeguarding key information, and maintaining a positive reputation.

Another important aspect of operational auditing is that rather than merely
verifying that employees are performing their duties according to established policies
and procedures, internal auditors also verify a variety of qualitative aspects of the
organization and its activities. Regarding procedures documentation, internal auditors
are expected to verify that these documents are up to date, that they are relevant, that
they reflect the best way to perform the work with regards to efficiency and
effectiveness, that these documents are safe from unauthorized change, they are
understood by employees, and that their location is known by employees so they can
refer to them for guidance when there are questions.

Operational audits may also be concerned with the structure of the
organization, since a poorly structured organization, or one where information does
not flow accurately and promptly jeopardizes efforts to achieve objectives. Instead,
poorly structured organizations tend to be disorganized, inefficient, have high
employee, customer, and vendor turnover, and become wasteful. All of these
manifestations of dysfunction erode the ingredients for success and an auditor who
brings a fresh and objective perspective to the review can identify these weaknesses.

Internal auditors, government auditors, and CPAs also do operational
auditing, which deals with efficiency and effectiveness of an organization. Other
auditors use the terms management auditing or performance auditing instead of
operational auditing to refer to these activities, while others do not distinguish among
the terms performance auditing, management auditing, and operational auditing and
use them interchangeably. We prefer to use operational auditing broadly, as long as
the purpose of the test is to determine the effectiveness or efficiency of any part of an
organization. Testing the effectiveness of internal controls by an internal auditor may
therefore be considered part of operational auditing—if the purpose is to help an
organization operate its business more effectively or efficiently. Similarly, determining
whether a company has adequately trained assembly line personnel may also be
operational auditing, if the purpose is to determine whether the company is effectively
and efficiently producing products.

Operational versus Financial Auditing

1. Purpose of the Audit: This is the most important difference. Financial auditing
emphasizes whether historical information was correctly recorded, while
operational auditing emphasizes effectiveness and efficiency. Financial auditing
is oriented to the past, while operational auditing focuses on improving future
performance. An operational auditor, for example, may evaluate whether a type
of new material is being purchased at the lowest cost to save money on future
raw material purchases.
2. Distribution of the Reports: Financial auditing reports are typically
distributed to external users of financial statements, such as stockholders and
bankers, while operational audit reports are intended primarily for
management. The widespread distribution of financial auditing reports requires
a well-defined structure and wording. The limited distribution of operational
reports and the diverse nature of audits for efficiency and effectiveness allow
operational audit reports to vary considerably from audit to audit.
3. Inclusion of Nonfinancial Areas: Financial audits are limited to matters that
directly affect the fairness of financial statement presentation, while operational
audits cover any aspect of efficiency and effectiveness in an organization. For
example, an operational audit might address the effectiveness of an advertising
program or efficiency of factory employees.

Effectiveness versus Efficiency

Before an operational audit can be performed, auditors must define specific
criteria for measuring effectiveness and efficiency. In general, effectiveness refers to
meeting objectives, such as producing parts without defects. Efficiency refers to
determining the resources used to achieve those objectives, such as determining
whether parts are produced at minimum cost.

1. Effectiveness: In an operational audit for effectiveness, an auditor, for example,
might need to assess whether a governmental agency has met its assigned
objective of achieving elevator safety in a city. To determine the agency’s
effectiveness, the auditor must establish specific criteria for elevator safety. For
example, is the agency’s objective to inspect all elevators in the city at least
once a year? Is the objective to ensure that no fatalities occurred as a result of
elevator breakdowns, or that no breakdowns occurred?
2. Efficiency: Like effectiveness, there must be defined criteria for what is meant
by doing things more efficiently before operational auditing can be meaningful.
It is often easier to set efficiency than effectiveness criteria if efficiency is
defined as reducing cost without reducing effectiveness. For example, if two
different production processes manufacture a product of identical quality, the
process with the lower cost is considered more efficient.

Criteria for Evaluating Efficiency and Effectiveness

A major challenge of operational auditing is in selecting specific criteria for
evaluating whether efficiency and effectiveness have occurred. In auditing historical
financial statements, accounting standards provide the broad criteria for evaluating
fair presentation, and audit objectives facilitate more specific criteria in deciding
whether those standards have been followed. In operational auditing, there are no
well-defined criteria.
To establish criteria for operational auditing, auditors could define the
objectives as determining whether some aspect of the entity could be made more
effective or efficient, and recommending improvements. This approach may be
adequate for experienced and well-trained auditors, but it provides little guidance for
most auditors.

Specific Criteria: More specific criteria are usually desirable before starting an
operational audit. For example, suppose that you are doing an operational audit of the
equipment layout in plants for a company. Here are some specific criteria, stated as
questions, that might be used to evaluate plant layouts:

• Were all plant layouts approved by home office engineering at the time of original
design?
• Has home office engineering done a re-evaluation study of plant layout in the past 5
years?
• Is each piece of equipment operating at 60 per cent of capacity or more for at least 3
months each year?
• Does layout facilitate the movement of new materials to the production floor?
• Does layout facilitate the production of finished goods?
• Does layout facilitate the movement of finished goods to distribution centers?
• Does the plant layout effectively use existing equipment?
• Is the safety of employees endangered by the plant layout?

Sources of Criteria: To develop specific evaluation criteria, the operational auditor
can use several sources, including:

a. Historical performance. Criteria can be based on actual results from prior
periods. By using these criteria, auditors can determine whether things have
become “better” or “worse” in comparison. The advantage of this approach is
that the criteria are easy to derive. However, they may not provide much insight
into how good or poor the results are compared to what they could be.

b. Benchmarking. Entities within or outside the client’s organization may be
sufficiently similar to the client’s organization to use their operating results as
criteria. Auditors should use care in selecting organizations to use as
benchmarks. It makes little sense to benchmark with dissimilar organizations
or those that perform at a substandard level. For internal comparable entities,
the data are often readily available to use as criteria. Outside organizations are
often willing to make their operating information available. Also, benchmarking
data are often available through industry groups and governmental regulatory
agencies.

c. Engineered standards. It may be possible in some engagements to develop
criteria based on engineered standards. For example, auditors can use time and
motion studies to determine efficient production output rates. These criteria are
often time-consuming and costly to develop because they require considerable
expertise, but in some cases it may be worth the cost. Standards can be
developed by industry groups for use by all their members, thereby spreading
the cost.

d. Discussion and agreement. Sometimes objective criteria are difficult or costly
to obtain, and are best developed through discussion and agreement. The
parties involved should include management of the entity to be audited, the
operational auditor, and the entity or persons to whom the findings will be
reported.

Relationship between Operational Audit and Internal Controls

Management establishes internal controls to help meet its goals. Three
concerns are vital to establishing good internal controls:
1. Reliability of financial reporting
2. Efficiency and effectiveness of operations
3. Compliance with applicable laws and regulations

Obviously, the second of these three client concerns directly relates to
operational auditing, but the other two also affect efficiency and effectiveness. For
example, management needs reliable cost accounting information to decide which
products to continue producing and the billing price of products. Similarly, failure to
comply with a law can result in a large fine to the company.

Two things distinguish “internal control evaluation and testing” for financial and
operational auditing: purpose and scope.

a. Purpose: The purpose of operational auditing of internal control is to evaluate
efficiency and effectiveness and to make recommendations to management. In
contrast, internal control evaluation for financial auditing has two primary
purposes: to determine the extent of substantive audit testing required and,
when applicable, to report on the effectiveness of internal control over financial
reporting.

For both financial and operational auditing, the auditors may evaluate
the control procedures in the same way, but for different purposes. An
operational auditor might test whether internal verification procedures for
duplicate sales invoices are effective to ensure that the company does not offend
customers, but also to collect all receivables. A financial auditor often does the
same internal control tests, but the primary purpose is to reduce confirmation
of accounts receivable or other substantive tests. (A secondary purpose of many
financial audits is also to make operational recommendations to management.)

b. Scope: The scope of operational auditing concerns any control affecting
efficiency or effectiveness, while the scope of internal control evaluation for
financial audits is restricted to the effectiveness of internal control over
financial reporting and its effect on the fair presentation of financial statements.
For example, an operational audit can focus on policies and procedures
established in the marketing department to determine the effectiveness of
catalogues in marketing products.

Types of Operational Audit

Operational audits fall into three broad categories: functional, organizational,
and special assignments. In each case, part of the audit is likely to concern evaluating
internal controls for efficiency and effectiveness.

a. Functional Audits: Functions are a means of categorizing the activities of a
business, such as the billing function or production function. Functions may be
categorized and subdivided many different ways. For example, the accounting
function may be subdivided into cash disbursement, cash receipt, and payroll
disbursement functions. The payroll function may be subdivided into hiring,
timekeeping, and payroll disbursement functions. A functional audit deals
with one or more functions in an organization, concerning, for example, the
efficiency and effectiveness of the payroll function for a division or for the
company as a whole.

A functional audit has the advantage of permitting specialization by
auditors. Certain auditors within an internal audit staff can develop
considerable expertise in an area, such as production engineering. They can be
more efficient and effective by spending all their time auditing in that area. A
disadvantage of functional auditing is the failure to evaluate interrelated
functions. For example, the production engineering function interacts with
manufacturing and other functions in an organization.

b. Organizational Audits: An operational audit of an organization deals with an
entire organizational unit, such as a department, branch, or subsidiary. An
organizational audit emphasizes how efficiently and effectively functions
interact. The plan of organization and the methods to coordinate activities are
important in this type of audit.

c. Special Assignments: In operational auditing, special assignments arise at the
request of management for a wide variety of audits, such as determining the
cause of an ineffective IT system, investigating the possibility of fraud in a
division, and making recommendations for reducing the cost of a manufactured
product.

Who performs Operational Audit?

Operational audits are usually performed by one of three groups: internal
auditors, government auditors, or CPA firms.

a. Internal Auditors are in such a unique position to perform operational audits
that some people use the terms internal auditing and operational auditing
interchangeably. It is, however, inappropriate to conclude that all operational
auditing is done by internal auditors or that internal auditors do only
operational auditing. Many internal audit departments do both operational and
financial auditing, often simultaneously. Because they spend all their time
working for the company they are auditing, internal auditors have an advantage
in doing operational audits. They can develop considerable knowledge about the
company and its business, which is essential to effective operational auditing.

To maximize their effectiveness for both financial and operational
auditing, the internal audit department should report to the board of directors
or president. Internal auditors should also have access to and on-going
communications with the audit committee of the board of directors. This
organizational structure helps internal auditors remain independent. If internal
auditors report to the controller, it is difficult for them to do independent
evaluations and make recommendations to senior management about
inefficiencies in the controller’s operations.

b. Government Auditors perform operational auditing, often as a part of doing
financial audits. Performance audits include the following:

• Economy and efficiency audits. The purpose of an economy and efficiency
audit is to determine:
1. Whether the entity is acquiring, protecting, and using its
resources economically and efficiently
2. The causes of inefficiencies or uneconomical practices
3. Whether the entity has complied with laws and regulations
concerning matters of economy and efficiency

• Program audits. The purpose of a program audit is to determine:
1. The extent to which the desired results or benefits established by
the legislature or other authorizing body are being achieved
2. The effectiveness of organizations, programs, activities, or
functions
3. Whether the entity has complied with laws and regulations
applicable to the program

The first two objectives of each of these types of performance audits are clearly
operational in nature, while the final objective concerns compliance.

c. CPA Firms: When a CPA firm does an audit of historical financial statements, part
of the audit often consists of identifying operational problems and making
recommendations that may benefit the audit client. The recommendations can be made
orally, but they are typically included in a management letter. (For coverage of
management letters.

The background knowledge about a client’s business, which an external
auditor must obtain while doing an audit, often provides useful information for
giving operational recommendations. An auditor who has a broad business
background and experience with similar businesses is more likely to be effective
at providing clients with relevant operational recommendations than a person
who lacks those qualities.

Clients commonly engage a CPA firm to do operational auditing for one or
more specific parts of their business. For example, a company can ask the CPA
firm to evaluate the efficiency and effectiveness of its computer systems.
Usually, management engages the CPA firm for these audits only when the
company does not have an internal audit staff or if the internal audit staff lacks
expertise in a certain area. In some cases, management or the board of
directors outsources the entire internal audit function to a CPA firm or co-sources
select internal audit activities, such as IT operational auditing
activities, to be done jointly by a CPA firm and certain members of the
company’s internal audit staff. In most cases, the CPA firm’s management
consulting staff performs these services. Note that CPA firms cannot provide
these services to their public company audit clients.

Independence and Competence of Operational Auditors

The two most important qualities for an operational auditor are independence
and competence. The auditor should report to the appropriate level of management to
ensure that investigation and recommendations are made without bias. Independence
is seldom a problem for CPA firm auditors because they are not employed by the
company being audited. The independence of internal auditors is enhanced by having
the internal audit department report to the board of directors or president.

The responsibilities of operational auditors can also affect their independence.
The auditor should not be responsible for operating functions in a company or for
correcting deficiencies when ineffective or inefficient operations are found. For
example, it would negatively affect auditors’ independence when they audit an IT
system for acquisitions if they designed the system or are responsible for correcting
deficiencies they found during the audit.

While it is acceptable for auditors to recommend changes in operations,
operating personnel must have the authority to accept or reject those
recommendations. If auditors had the authority to require implementation of their
recommendations, their independence would be reduced.

Competence is, of course, necessary to determine the cause of operational
problems and to make appropriate recommendations. When operational auditing deals
with wide-ranging operating problems, however, competence can be a major obstacle.
For example, imagine the difficulties of finding qualified internal auditors who can
evaluate both the effectiveness of an advertising program and the efficiency of a
production assembly process. The internal audit staff doing that type of operational
auditing will presumably have to include some personnel with backgrounds in
marketing and others in production.

Phases in Operational Auditing

The three phases in an operational audit are planning, evidence accumulation
and evaluation, and reporting and follow-up.

1. Planning for operational audits is similar to planning for audits of historical
financial statements that we’ve discussed in earlier chapters. Like auditors of
financial statements, the operational auditor must determine the scope of the
engagement and communicate it to the organizational unit. It is also necessary
to:
• Staff the engagement properly
• Obtain background information about the organizational unit
• Understand internal control
• Decide on the appropriate evidence to accumulate

Auditors select objectives based on the criteria developed for the
engagement, depending on the specific circumstances at hand. For example,
the objectives for an operational audit of the effectiveness of internal controls
over payroll will be dramatically different from those of an operational audit of
the efficiency of a research and development department. Yet, these diverse
objectives might be part of a single operational audit.

The breadth of operational audits often makes staffing more complicated
than in a financial audit. Not only are the areas diverse, such as production
control and advertising, but the objectives within those areas often require
special technical skills. For example, the auditor may need an engineering
background to evaluate performance on a major construction project.

Finally, unlike financial audits, operational audits require auditors to
spend more time with the interested parties agreeing on the terms of the
engagement and the criteria for evaluation. Regardless of the source of the
criteria for evaluation, it is essential that representatives of the entity to be
audited, the operational auditor, and the entity or persons to whom the findings
will be reported are clear and in agreement on the objectives and criteria
involved.

2. Evidence Accumulation and Evaluation. Because internal controls and
operating procedures are a critical part of operational auditing, it is common to
use documentation, client inquiry, analytical procedures, and observation
extensively. Confirmation, reperformance, and recalculation are used less
extensively for most operational audits than for financial audits because the
existence and accuracy objectives are not relevant for most operational audits.

Just like financial auditors, operational auditors must accumulate
sufficient appropriate evidence to provide a basis for a conclusion about the
objectives being tested. For an audit of elevator safety, the auditor must
accumulate sufficient evidence about elevator safety inspections. After the
evidence is accumulated, the auditor must decide whether it is reasonable to
conclude that an inspection is made annually of each elevator in the city by a
competent inspector.

3. Reporting and Follow-Up. Two major differences between operational and financial
auditing reports affect operational auditing reports:
a. In operational audits, the report is usually sent only to management, with a
copy to the unit being audited. The lack of third-party users reduces the
need for standardized wording in operational auditing reports.
b. The diversity of operational audits requires a tailoring of each report to
address the scope of the audit, findings, and recommendations.

Operational auditors often take a significant amount of time to clearly
communicate audit findings and recommendations. Follow-up is common in
operational auditing when auditors make recommendations to management to
determine whether the recommended changes were made, and if not, why not.

So far, did you understand the theories behind the
definition of operational audit? Are they clear to you?
If you have questions, feel free to connect with me
through my Facebook account!

LESSON 2: Modern Developments on Operational Audit

At the end of the lesson, you should be able to:

1. explain clearly the concept and manifestation of
organizational risks and how internal auditors must adopt a
risk-based auditing approach, which will allow them to better
support the objectives of the organization.

LET’S ENGAGE!

After we established the underlying concepts of operations audit, we are now going
to start on certain approaches in applying the discussed concepts starting with risk-
based audit.

The Risk-Based Audit

Engaging in risk-based auditing means that internal
auditors must exercise and apply a broader view of
organizational risks. Accounting and financial risks are only a
limited number of the many risks organizations face. Other
examples include the risk of delays, waste, inefficiency, poor customer service,
excessive customer and employee turnover, poor quality data, and system failures.

This concept of risk-based auditing is in contrast to what has been dubbed
controls-based auditing. The latter is defined as audits that focus on identifying and
evaluating internal controls without enough regard to their value to the process. This
can happen because auditors take a pre-existing work program without researching
the nuances of the present audit scope sufficiently, or because, even when they perform
planning activities, their interviews and other research focus only on identifying
existing controls without fully understanding the key risks and objectives of the
process under review.

Even when auditors perform interviews and walkthroughs, they could allow
their accounting bias to steer the questions they ask and the documents they request
for examination. When performing controls-based audits, the auditor then listens and
searches for references to controls with the intention of verifying their existence and
effectiveness. In effect, they are testing the controls in relative isolation, without fully
understanding their connection to the underlying objectives and risks of the process
or program under review.

Performing risk-based audits requires more brainstorming, more interactions
with process owners, a more in-depth understanding of the organization’s business,
and a mechanism to address past, present, and future vulnerabilities and scenarios
that threaten the achievement of business objectives. Since internal auditors are being
asked to do more with less, they can’t afford to review controls just because they are
there. Internal auditors need to assess whether those controls are key to the
achievement of objectives and only focus on those that are.

Auditing Beyond Accounting, Financial, and Regulatory Requirements

1. Compliance

The other key focus area was compliance with regulatory requirements. In this
case, auditors adopted a fairly binary approach to audits by attempting to understand
the rules and regulations affecting a program or process. They then would apply a very
effective methodology: Are they doing what the rulebook says? If “Yes,” the test results
were satisfactory. If “No,” the results were documented and communicated as findings.
In essence, a very predictable pass or fail approach to auditing. For many years, this
became the standard operating practice of auditors and even today, some audits
require a similar approach due to their regulatory and compliance focus, but we must
be careful not to default to this approach when the expectation is broader.

2. Poor Management

Over time, business leaders and managers witnessed business failures caused
by poor management decisions and practices. By poor management, we are referring
to inadequate:

a. Operations management. Some of the related issues are waste, inefficiencies,
supplies that arrive late, poor customer satisfaction, and limited capacity to
grow as opportunities arise or customers’ demands change.
b. Human resources. As evidenced by poorly supervised, trained, and evaluated
employees who sometimes become unmotivated and unproductive.
c. IT. Computer systems designed with an inaccurate understanding of the
business needs and uses of these systems, poor data capture, and inadequate
reporting mechanisms.
d. Marketing. Mass marketing of products and services at a time when customers
prefer to feel unique or wasteful campaigns because they target the wrong
audience.
e. CSR. Issues range from child labor, sweatshop conditions, abusive
management, and inappropriate waste disposal.
f. Environmental Health and Safety (EHS) practices and conditions related to poor
ventilation, excessive heat, extreme noise levels, and workplace hazards caused
by chemicals, machinery, and workplace configurations, among others.

The Stakeholder Analysis

In the aggregate, internal auditors serve the public and common interests by
making sure that owners receive the return on their investments that they are entitled
to, and that the means of generating those profits are within the confines of the law.
Beyond shareholders, however, internal auditors help the process of making sure that
the interests of all relevant stakeholders are met. Stakeholders can be categorized as
economic/primary and noneconomic/secondary.

Economic or market stakeholders are characterized by having a monetary
exchange between them. They engage in transactions with the company as it carries
out its primary purpose of providing society with goods and services. Consequently,
employees, customers, creditors, and suppliers are economic stakeholders. They are
sometimes referred to as primary stakeholders as well, because they are critical to the
company’s existence and activities.

An important aspect of the modern manager and auditor’s job is to identify
relevant stakeholders and to understand their interests. It is also important to
understand the power they have to assert these interests. This process is called
stakeholder analysis, which asks three fundamental questions:

1. Who are the relevant stakeholders?
2. What are the interests of each stakeholder?
3. What is the power of each stakeholder?

To the extent that internal auditors can help management identify, plan for,
and respond effectively to the primary and secondary stakeholders, the organization
will encounter less pushback and it will likely be able to operate with fewer
disruptions. In addition, during the planning phase of any audit, planners should
identify the internal and external stakeholders involved to make sure they seek their
input as to what their objectives, concerns, and plans are for the area audited. This
will result in more effective and value-added reviews.

| Stakeholder | Interest | Power |
|---|---|---|
| **Primary Stakeholders** | | |
| Employees | Maintain stable employment; Receive fair pay; Work in a safe, comfortable environment | Bargaining power; Work actions, strikes, law suits; Publicity |
| Suppliers | Receive regular orders for goods or services; Be paid promptly | Refusing to meet orders; Supplying to competitors |
| Customers | Receive value and quality for money; Receive safe, reliable products | Purchasing from competitors; Boycotting; Refusing to pay |
| Creditors | Receive repayment of loans; Collect debt and interest | Calling loans; Use legal authorities to repossess assets |
| Investors | Receive a satisfactory return on investments; Realize an appreciation in value | Exercise voting rights; Ability to inspect company records and reports |
| **Secondary Stakeholders** | | |
| Government | Promote economic development; Raise revenue through taxes | Adopting regulations and laws; Issuing licenses and permits |
| Media | Keep the public informed; Monitor company actions | Publicizing the events that affect the public |
| Activist Groups | Monitor company actions for ethical and legal behavior | Lobbying government for regulations; Gaining public support |
| Business Support Groups | Provide research and information to improve competitiveness | Using staff/resources to help companies; Providing legal political support |
| Communities | Employ local residents; Ensure local development | Issuing operating licenses; Lobbying government for regulations |
| General Public | Minimize risks; Achieve prosperity for society | Supporting activists; Pressing government to act |

Source: Adapted from Lawrence, A. T., Weber, J., and Post, J. E. 2011. Business and Society:
Stakeholders, Ethics, Public Policy (11th ed.). Boston: McGraw-Hill Irwin.

Identifying Operational Threats and Vulnerabilities

Internal auditors need to go beyond inspecting transactions long after they were
performed because the focus now leans toward an examination of future threats and
vulnerabilities that can derail the organization’s goals and objectives in the short,
medium, and even the long term. In fact, focusing on future events and the future
implications of present events would add more value to their organizations than
reporting primarily on past events. When this happens, as has been common practice
in the past, the organization dedicates itself to correcting past issues, which creates
rework.

These future-oriented threats and vulnerabilities can be

a. Operational, such as maintaining operational capacity, speed of execution (i.e.,
cycle time), staffing levels, employee motivation, knowledge transfer, system
development, and implementation
b. Technological, including protection of intellectual property and personally
identifiable information, denial of service attacks, business continuity due to
staff turnover, and system development
c. Strategic, referring to concerns related to strong customer and vendor relations,
customer loyalty, building effective business partnerships, outsourcing
arrangements, and mergers and acquisitions
d. Environmental, which may include reliable supply of water and electricity,
achieving a lower carbon footprint, and reducing the amount of natural
resources used during business activities

These threats and vulnerabilities can be evaluated in the medium and long
terms, but also beyond the national borders of the organization’s country of
operations. As such, internal auditors are engaged in international auditing,
evaluating home office and host country dynamics, finding out if local laws exist,
whether they are enforced and how, and which requirements supersede which, if
applicable. Even political issues, social unrest, and demographic shifts are of
importance to today’s auditors, since any of these changes can affect their
organizations and their ability to achieve their objectives economically and in timely
fashion.

Integrated Auditing

Another important development over the past decades is the emergence of
integrated auditing as a type of audit. These are characterized by the simultaneous
inclusion of business and IT subjects in the review.

As we examine the approach employed by public accountants, their focus was
centered on financial assertions, such as occurrence, completeness, accuracy,
classification, existence, and valuation of accounting and financial information, as
inputs for the organization’s financial statements. It is important to remember the key
objectives of financial audits:
1. ascertain whether in all material respects, the income statement and the
statement of cash flows accurately and reliably reflect the activities during the
fiscal year
2. ascertain whether in all material respects, the balance sheet shows the
condition of the organization as of the last day of the fiscal year

At the other end of the spectrum, we can place highly technical IT reviews,
involving matters like database configuration and security, user authentication,
operating system reliability, and network perimeter security. Between these two
extremes, we can place IT general controls, such as physical security and
environmental controls, backup procedures, user authorization, business process
controls surrounding reconciliations, and exception reporting. Other areas of focus
include production and change management, disaster preparedness and recovery, and
business continuity.

Financial and operational auditors are increasingly expanding their focus and
incorporating IT applications and general IT topics in their reviews. Conversely, IT
auditors, who have traditionally focused on IT technical subjects including general
and application matters, are increasingly widening their view and including
operational and financial elements to their review. This means that operational and
financial auditors need to know the systems in use, and IT auditors need to know the
business and how it uses the systems in place.

This approach is a refreshing departure from the previous practice of
conducting financial audits, operational audits, and IT audits, all separate and at
different points in time, of the same unit. This antiquated approach was disruptive to
the organization, costlier due to the repeated reviews by different audit groups, and
when communicating results, it did not provide a comprehensive view that linked
process, finance, and IT in one audit report.

Over time it became apparent that accounting/financial controls are
increasingly dependent on computer systems. For example, exception reports, which
identify transactions that do not meet pre-established criteria, are the result of a
computer algorithm that defines rules. When these rules are not met, the transactions
are noted on these reports for review and resolution. If traditional internal auditors
don’t understand the exception rules, and don’t know how to review the code in the
system to verify its accuracy, the reliance placed on the exception report could be
misplaced.

Another example has to do with reports and reconciliations. As noted above, if
the algorithm in the computer systems is not understood, and the procedures to check
it are unknown, how can anyone rely on these reports? Both members of management
and internal auditors could be relying on system-generated reports that contain
unknown errors. If the auditors don’t know how to review the underlying computer
code, they could be signing off on faulty information, which would negatively affect the
assurance they are supposed to provide to the board and management.
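
One way to test whether reliance on an exception report is justified is to reperform the documented rule independently over the full transaction population and compare the result with what the system reported. The following is an added example, not part of the original module; the policy (approval limit, no self-approval, no duplicate invoices), the field names, the sample transactions, and the defective system rule are all constructed for illustration.

```python
from decimal import Decimal

# Constructed policy: payments at or above the limit need an approver,
# nobody approves their own payment, and an invoice is paid only once.
APPROVAL_LIMIT = Decimal("50000.00")

# Constructed transaction population (not data from the module).
TRANSACTIONS = [
    {"id": "T001", "vendor": "V10", "invoice": "INV-100", "amount": "12000.00",
     "preparer": "jcruz", "approver": ""},
    {"id": "T002", "vendor": "V11", "invoice": "INV-200", "amount": "50000.00",
     "preparer": "jcruz", "approver": ""},
    {"id": "T003", "vendor": "V12", "invoice": "INV-300", "amount": "75000.00",
     "preparer": "mreyes", "approver": "MREYES"},
    {"id": "T004", "vendor": "V13", "invoice": "INV-400", "amount": "80000.00",
     "preparer": "jcruz", "approver": "asantos"},
    {"id": "T005", "vendor": "V13", "invoice": "inv-400 ", "amount": "80000.00",
     "preparer": "jcruz", "approver": "asantos"},
    {"id": "T006", "vendor": "V14", "invoice": "INV-500", "amount": "90000.00",
     "preparer": "mreyes", "approver": ""},
]


def system_exception_report(txns):
    """The rule as hypothetically coded in the system, with three defects."""
    flagged, seen = {}, set()
    for t in txns:
        reasons = []
        amount = Decimal(t["amount"])
        # Defect 1: '>' excludes payments exactly at the limit.
        if amount > APPROVAL_LIMIT and not t["approver"]:
            reasons.append("NO_APPROVAL")
        # Defect 2: case-sensitive comparison of user IDs.
        if t["approver"] and t["approver"] == t["preparer"]:
            reasons.append("SELF_APPROVAL")
        # Defect 3: invoice numbers compared without normalization.
        key = (t["vendor"], t["invoice"])
        if key in seen:
            reasons.append("DUPLICATE")
        seen.add(key)
        if reasons:
            flagged[t["id"]] = reasons
    return flagged


def policy_exceptions(txns):
    """Auditor's independent reperformance of the written policy."""
    flagged, seen = {}, set()
    for t in txns:
        reasons = []
        amount = Decimal(t["amount"])
        preparer = t["preparer"].strip().lower()
        approver = t["approver"].strip().lower()
        if amount >= APPROVAL_LIMIT and not approver:
            reasons.append("NO_APPROVAL")
        if approver and approver == preparer:
            reasons.append("SELF_APPROVAL")
        key = (t["vendor"].strip().upper(), t["invoice"].strip().upper())
        if key in seen:  # second and later payments of the same invoice
            reasons.append("DUPLICATE")
        seen.add(key)
        if reasons:
            flagged[t["id"]] = reasons
    return flagged


def compare_reports(system, expected):
    """List where the system report and the reperformance disagree."""
    both = set(system) & set(expected)
    return {
        "missed_by_system": sorted(set(expected) - set(system)),
        "unexpected_in_system": sorted(set(system) - set(expected)),
        "reason_mismatch": sorted(
            i for i in both if sorted(system[i]) != sorted(expected[i])
        ),
    }


if __name__ == "__main__":
    system = system_exception_report(TRANSACTIONS)
    expected = policy_exceptions(TRANSACTIONS)
    for label, ids in compare_reports(system, expected).items():
        print(f"{label}: {ids}")
    for txn_id in sorted(expected):
        print(txn_id, expected[txn_id], "system:", system.get(txn_id, "not flagged"))
```

Each item in `missed_by_system` is a transaction that management never saw on the report, which is the evidence an integrated audit team needs before deciding how much reliance the report deserves.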

So, integrated audits are designed to address IT questions while simultaneously
examining the business dynamics. In small organizations, it was, and may still be
possible in some cases, to have individual auditors who have the depth of knowledge
to examine both the accounting/financial and the IT aspects of business operations.
As organizations grow in size and complexity, it is more common today to achieve
integrated audits through team composition. These reviews require coordination so
that auditors work from a single risk matrix that identifies all relevant objectives,
risks, controls, and audit steps, the related documentation crosses over smoothly and
the resulting report is comprehensive in its coverage of operational, financial, and IT
subject areas.

So far, did you understand the concepts of risk-based
audit approach? Are they clear to you?
If you have questions, feel free to connect with me
through my Facebook account!

LESSON 3: Internal Audit Standards and Code of Ethics

At the end of the lesson, you should be able to:

1. explain clearly the concepts in effective integrated audit
and its impact on effective operational audit; and
2. identify and explain the relevant internal auditing standards and code of ethics.

LET’S ENGAGE!

Integrated auditing is a concept that has been in place for decades, yet many
internal auditors still struggle to practice it effectively. We discuss key attributes of
effective integrated audits and why it is essential for effective operational audits.

We end this module with a review of selected Standards for the Professional
Practice of Internal Auditing (the Standards). But more than list them, we discuss
their implications in the broader topic of operational auditing, and how these
standards can be applied successfully.

The Standards

The following passages and related commentary
represent a selection of standards relevant to operational
auditing and reflections on my experience implementing them
in my work.

1210—Proficiency. Internal auditors must possess the knowledge, skills, and other
competencies needed to perform their individual responsibilities. The internal audit
activity collectively must possess or obtain the knowledge, skills, and other
competencies needed to perform its responsibilities.

Internal audit is not a static profession, but rather one where its practitioners
must remain proficient in terms of knowledge and skill to perform their duties
effectively. Being qualified upon hire is one thing. Internal auditors must make sure
they remain qualified throughout their career. This of course is a big challenge
because business dynamics are constantly changing, but there is no alternative and
we must keep up with the changes affecting our organizations. Internal auditors must
adopt a learning mind-set, continue to educate themselves, and stay up to date.

One of the greatest assets auditors have is their credibility. They earn this by
delivering consistently accurate, useful, and timely communications that incorporate
insightful opinions and recommendations when appropriate. Credibility cannot be
achieved if the auditor lacks knowledge about the organization and the linkages
between the issues noted, the causes of these issues, and an appreciation for the
priorities and challenges of the organization. A deep understanding of the organization
will make it possible to also understand the context in which issues are occurring.
This in turn will help to formulate pragmatic and business-appropriate
recommendations that get to the root cause of the issues identified.

1210.A3—Internal auditors must have sufficient knowledge of key IT risks and controls
and available technology-based audit techniques to perform their assigned work.
However, not all internal auditors are expected to have the expertise of an internal
auditor whose primary responsibility is IT auditing.

1220.A2—In exercising due professional care internal auditors must consider the use of
technology based audit and other data analysis techniques.

Using these technology-based audit techniques allows auditors to examine very
large amounts of data that would be impossible or unfeasible to do manually. This is
often referred to as computer-assisted audit tools and techniques (CAATTs). Those
who have adopted this practice often reduce the amount of time and effort it takes to
evaluate these large volumes of data as they automate the audit process. There are
many tools available for auditor use, including ACL, IDEA, Minitab, SAS, and many
others. Microsoft Excel and Access are also very capable tools for a wide variety of
tests.

Another important aspect of technology-based techniques is the use of
electronic work paper packages for work paper and project management, document
retention, and team collaboration. There are many benefits to keeping a centralized
repository of audit work papers. These include ease of storage and retrieval of current
and past work papers, backups of the documents, remote access, coordination among
team members, and standardization of forms and procedures.

1220.A3—Internal auditors must be alert to the significant risks that might affect
objectives, operations, or resources. However, assurance procedures alone, even when
performed with due professional care, do not guarantee that all significant risks will be
identified.

While performing risk-based auditing, internal auditors must remember that
the focus of their work is not limited to assurance considerations unless it is
mandated as such, or the scope of the audit is defined that way specifically. Reviews
must also include the operational aspects of the program, process, or organization
being examined. Success can be measured using a variety of criteria and success is
not achieved only by meeting compliance expectations.

2010—Planning. The CAE must establish a risk-based plan to determine the priorities of
the internal audit activity, consistent with the organization’s goals.

The internal audit department’s audit plan, which identifies the audits that will
be performed by the internal audit function, must be based on the identification and
measurement of risks to the organization. In the past, many internal audit
departments developed and executed audit plans that followed other criteria and were
characterized by cyclical and often repetitive reviews. Sometimes these audits were not
the most needed based on past issues or organizational priorities, but were seen as
safe and consistent with what internal auditors traditionally examined.

2120—Risk management. The internal audit activity must evaluate the effectiveness and
contribute to the improvement of risk management processes.

Among the responsibilities of the board and management is establishing a
mechanism to identify, measure, and determine the best way to respond to relevant
risks to the organization. Internal auditors for their part should ascertain to what
degree this mechanism and its underlying processes are effective. This assessment
relies heavily on the determination that the organization’s vision and mission are
clear, provide a sense of direction, and are supported by the organization’s structure
and objectives. Also, significant risks are identified and assessed, and appropriate risk
responses are selected that align risks with the organization’s risk appetite.

There are very specific roles presented here that I want to reiterate: the board
and management establish the structure and mechanism of the risk management
processes, while internal audit evaluates, verifies the degree of effectiveness, and
recommends improvements where appropriate. A large number of organizations do not
have risk management processes in place, and many that do, experience limited
success with them.

2120.A1—The internal audit activity must evaluate risk exposures relating to the
organization’s governance, operations, and information systems regarding the:
1. Achievement of the organization’s strategic objectives
2. Reliability and integrity of financial and operational information
3. Effectiveness and efficiency of operations and programs
4. Safeguarding of assets
5. Compliance with laws, regulations, policies, procedures, and contracts

2130.A1—The internal audit activity must evaluate the adequacy and effectiveness of
controls in responding to risks within the organization’s governance, operations, and
information systems regarding the:
1. Achievement of the organization’s strategic objectives
2. Reliability and integrity of financial and operational information
3. Effectiveness and efficiency of operations and programs
4. Safeguarding of assets
5. Compliance with laws, regulations, policies, procedures, and contracts

We mention these two Standards together because they address areas of focus
related to risk exposures (2120.A1) and controls (2130.A1), and share similar
language. The focus of the internal audit activity is broad and complex. It must
evaluate risk exposures related to the organization’s governance, risk management,
and compliance infrastructure, the design and function of its operations, and the
reliability of its IT infrastructure. All of these elements must also be examined in
relation to the organization’s:

1. Strategy. Organizations should have a plan of action, related policies, and a
suitable structure so they increase the likelihood of achieving their mission and
see their vision become reality.

2. Financial and operational information. The quality of financial information has
received a great deal of attention from external and internal auditors alike for
many years. However, opportunities generally abound when it comes to
operational information where I often find that it is insufficient, unreliable, or
too generalized to provide the level of insight that managers and their staff
need. Other common issues include the limited ability to generate needed
reports from computer systems and the excessive restrictions on access to
information, well beyond what segregation of duty considerations might dictate.

This in many ways explains why so many organizations still rely
disproportionately on spreadsheets to run the organization even though they
spend heavily buying, configuring, deploying, and maintaining ERP systems.

3. Effectiveness and efficiency. While most auditors perform tests to determine
levels of accuracy, completeness, classification, and valuation of transactions,
not enough emphasis has been given to the organization’s ability to achieve its
objectives (i.e., effectiveness). In fact, many organizations lack clearly stated,
cascading, and interrelated objectives that begin at the enterprise level, and are
sufficiently linked downward through the business unit, department, and
process, and down to the individual level. On the other hand, efficiency has
received limited coverage over the years from internal auditors, whose focus has
been on compliance and financial risks resulting in few findings that target long
cycle times, waste, redundancies, bureaucracy, and rework.

4. Safeguarding of assets. External and internal auditors routinely examine the
purchase, use, safeguarding, valuation, depreciation, and disposal of assets. In
fact, for many auditors reviewing the existence, condition and accounting of
land, buildings, machinery, vehicles, and inventory is part of every year’s
annual plan and these items receive the scrutiny they deserve. What may be
also important to examine is whether there are other assets that have not
received sufficient attention.

5. Compliance. When we consider compliance we should also pay close attention to
the complexities that modern day organizations are exposed to. I am referring
for example to co-sourcing and outsourcing and the fact that this raises liability
issues, performance management, and the safeguarding of data and personnel.
Personal and data protection are becoming increasingly important as otherwise
strangers have physical and logical access to data, facilities, assets, customers,
and vendors.

2130—Control. The internal audit activity must assist the organization in maintaining
effective controls by evaluating their effectiveness and efficiency and by promoting
continuous improvement.

While internal auditors have focused on internal controls for decades, the IIA
states that internal auditors must assist their organizations in maintaining effective
controls. This means first of all, that the board and management own the internal
controls and internal auditors assist them by verifying that the controls are effective.
In addition, this standard indicates that internal auditors should go beyond the
effectiveness of these controls and also examine their efficiency, in other words,
whether the control activity is performed without wasted resources, time, or effort.
Lastly, and in
regard to promoting continuous improvement, while examining the current situation is
pertinent, internal auditors must also help management embrace the practice of
continuous improvement to always search for faster, cheaper, and better ways of
performing control activities. Because an action was effective in the past, it does not
mean that it will continue to be effective in the future. In fact, stubbornly maintaining
the status quo when conditions warrant modification can be costly and impair future
success.

2201—Planning considerations. In planning the engagement, internal auditors must
consider:
1. The objectives of the activity being reviewed and the means by which the activity
controls its performance
2. The significant risks to the activity, its objectives, resources, and operations and the
means by which the potential impact of risk is kept to an acceptable level.

It states that while planning engagements we must consider the objectives of
the entity, program, or process being audited and how management controls its
performance, as well as the risk management procedures in place. Over the years, I
have found that
a. A large number of employees have unclear or unknown objectives
b. The programs and processes they work in also lack clear objectives
c. When there are objectives, there are often few if any metrics in place to gauge
the achievement of these objectives
d. Risk identification, assessment, and management procedures are limited or
nonexistent, so there is no clear mechanism to ascertain what the organization
does to keep these risks at an acceptable level

Given these gaps, internal auditors have many opportunities to add value to
their organizations while they work on meeting the requirements of this standard.

2220.A1—The scope of the engagement must include consideration of relevant systems,
records, personnel, and physical properties, including those under the control of third
parties.

When engaged in business reviews, internal auditors are encouraged to
a. Incorporate the elements of integrated auditing so auditors apply a holistic view
during their work
b. Evaluate the people, processes, and technology relevant to the review being
performed, and examine third parties’ systems, records, personnel, and properties
under their control

These requirements are a reflection of the highly important role that
outsourcing and co-sourcing have had on organizations over the last several decades,
and that from all appearances will continue well into the future.

2310—Identifying information. Internal auditors must identify sufficient, reliable,
relevant, and useful information to achieve the engagement’s objectives.

Internal auditors collect, analyse, and interpret data to prove/disprove
hypotheses regarding the design and function of processes and systems as they relate
to the achievement of objectives and the effectiveness of risk management procedures.
Internal auditors must also communicate their conclusions and this requires that
their communications be persuasive. To accomplish this, communications must meet
the requirements of
a. Sufficiency. This means that the auditor needs enough information, including
quantifiable facts and figures.
b. Reliability. Meaning that the information must be trustworthy and free from
distortion.
c. Relevance. This relates to the information being consistent with the objectives
and scope of the review.
d. Usefulness. This relates to the information helping the organization accomplish
its objectives.

Quite often, when clients express confusion, disagreement, or skepticism about
the internal auditors’ communication, it is because the auditor has not met one or
more of these four attributes.

2330—Documenting information. Internal auditors must document relevant information
to support the conclusions and engagement results.

Internal auditors must make sure that in all aspects of their work, they base
their conclusions and support their communications with facts. The rigor of their data
collection activities, the sophistication of their analysis, and the maintenance of
detailed records of the items examined and procedures performed, will increase the
likelihood that management will accept the observations presented and be more
inclined to accept the recommendations made.

While intuition can be helpful in many situations, it can be a very problematic
ingredient in the auditors’ toolbox if it is not supported by facts and explainable
procedures. All conclusions and results must be substantiated and referenced in the
corresponding work papers or the auditor’s work could be in question.

2410.A2—Internal auditors are encouraged to acknowledge satisfactory performance in
engagement communications.

Internal auditors have traditionally provided exception-based reports. This term
means that internal audit communications address what is abnormal or unexpected in
the areas examined during the review. While there is a great deal of value in providing
reports to the board and management that identify issues noted, the long-term and
continuous effect of providing exception-based reports is often less than positive.
These reports are eventually interpreted by others as meaning that internal auditors
only look at what is broken.

Furthermore, if an auditor examines 10 areas within their scope of work, and
finds issues with two of these 10 areas and reports only on these, audit clients will
wonder if the auditor even noticed that eight of the 10 areas examined met
performance expectations. The reports could be perceived as being unfair and biased.

To address this misunderstanding, and the resulting halo effect that this would
cause, internal auditors should acknowledge satisfactory performance in their
communications. If the report is relatively short, a sentence may suffice. For longer
reports, sometimes a full paragraph is enough.

2420—Quality of communications. Communications must be accurate, objective, clear,
concise, constructive, complete, and timely.

One of the most important aspects of internal auditing is effective
communications. Although internal auditors spend many hours planning, performing
fieldwork, and writing the report, the client does not see most of this effort. Our
product is the audit report, so it must impress the client.

Effective verbal communications are also essential for effective audits and
overall success. They help auditors communicate the objectives for the audit and
the methodology that will be used. They also make it possible to get the needed
documents and win support for recommendations, while helping to build healthy
relationships.

Effective communications, whether written or verbal, meet these seven attributes:

a. Accurate. There are no mistakes or errors in the information presented.
b. Objective. The auditor’s work is focused on facts and informed judgment,
there is no bias involved, and the results are neither inflated nor
understated.
c. Clear. Easy to understand and interpret.
d. Concise. Brief by using only as many words as necessary—gone are the days
of very lengthy reports.
e. Constructive. Serves the purpose of helping the organization improve its
activities and promote advancement through excellence.
f. Complete. Nothing relevant or important missing.
g. Timely. Issued promptly because the value of the message decreases with
time.

Institute of Internal Auditors

Professional guidance for internal auditors is provided by the Institute of
Internal Auditors (IIA), an organization similar to the AICPA that establishes ethical
and practice standards, provides education, and encourages professionalism for its
approximately 170,000 worldwide members. The IIA has played a major role in the
increasing influence of internal auditing. For example, the IIA has established a highly
regarded certification program resulting in the designation of Certified Internal Auditor
(CIA) for those who meet specific testing and experience requirements.

The IIA professional practice framework includes a code of ethics and IIA
International Standards for the Professional Practice of Internal Auditing (known
as the “Red Book”). All IIA members and Certified Internal Auditors agree to follow the
Institute’s Code of Ethics, which requires compliance with the Standards.

Ethical Principles
a. Integrity: The integrity of internal auditors establishes trust and thus
provides the basis for reliance on their judgment.
b. Objectivity: Internal auditors exhibit the highest level of professional objectivity
in gathering, evaluating, and communicating information about the activity or
process being examined. Internal auditors make a balanced assessment of all
the relevant circumstances and are not unduly influenced by their own
interests or by others in forming judgments.
c. Confidentiality: Internal auditors respect the value and ownership of
information they receive and do not disclose information without appropriate
authority unless there is a legal or professional obligation to do so.
d. Competency: Internal auditors apply the knowledge, skills, and experience
needed in the performance of internal auditing services.

Rules of Conduct
a. Integrity
Internal auditors:
1. Shall perform their work with honesty, diligence, and responsibility.
2. Shall observe the law and make disclosures expected by the law and the
profession.
3. Shall not knowingly be a party to any illegal activity or engage in acts that
are discreditable to the profession of internal auditing or to the organization.
4. Shall respect and contribute to the legitimate and ethical objectives of the
organization.
b. Objectivity
Internal auditors:
1. Shall not participate in any activity or relationship that may impair or be
presumed to impair their unbiased assessment. This participation includes
those activities or relationships that may be in conflict with the interests of
the organization.
2. Shall not accept anything that may impair or be presumed to impair their
professional judgment.
3. Shall disclose all material facts known to them that, if not disclosed, may
distort the reporting of activities under review.
c. Confidentiality
Internal auditors:
1. Shall be prudent in the use and protection of information acquired in the
course of their duties.
2. Shall not use information for any personal gain or in any manner that would
be contrary to the law or detrimental to the legitimate and ethical objectives
of the organization.
d. Competency
Internal auditors:
1. Shall engage only in those services for which they have the necessary
knowledge, skills, and experience.
2. Shall perform internal auditing services in accordance with the International
Standards for the Professional Practice of Internal Auditing.
3. Shall continually improve their proficiency and the effectiveness and quality
of their services.

International Standards for the Professional Practice of Internal Auditing

The International Standards for the Professional Practice of Internal Auditing are
divided into attribute standards for internal auditors and audit departments, and
performance standards for the conduct and reporting of internal audit activities.

a. Attribute Standards
1. Purpose, Authority and Responsibility. The purpose, authority and
responsibility of the internal audit activity must be formally defined in an
independent audit charter, consistent with the definitions of internal
auditing, the code of ethics, and the standards. The chief audit executive
must periodically review the internal audit charter and present it to senior
management and the board for approval.
2. Independence and Objectivity. The internal audit activity must be
independent and internal auditors must be objective in performing their
work.
3. Proficiency and Due Professional Care. Engagements must be performed
with proficiency and due professional care.
4. Quality Assurance and Improvement Program. The chief audit executive
must develop and maintain a quality assurance and improvement program
that covers all aspects of the internal audit activity.

b. Performance Standards
1. Managing the Internal Audit Activity. The chief audit executive must
effectively manage the internal audit activity to ensure it adds value to the
organization.
2. Nature of Work. The internal audit activity must evaluate and contribute to
the improvement of risk management, control, and governance processes
using a systematic and disciplined approach.
3. Engagement Planning. Internal auditors must develop and document a plan
for each engagement including the engagement’s objectives, scope, timing
and resource allocations.
4. Performing the Engagement. Internal auditors must identify, analyse,
evaluate, and document sufficient information to achieve the engagement’s
objectives.
5. Communicating Results. Internal auditors must communicate the
engagement results.
6. Monitoring Progress. The chief audit executive must establish and maintain
a system to monitor the disposition of results communicated to
management.
7. Management’s Acceptance of Risk. When the chief audit executive believes
that senior management has accepted a level of residual risk that may be
unacceptable to the organization, the chief audit executive must discuss the
matter with senior management. If the decision regarding residual risk is
not resolved, the chief audit executive must report the matter to the board
for resolution.

So far, are there questions regarding the branches of
accounting and R.A. 9298 Sectors of Accountancy? Are
they clear to you?
If you have questions, feel free to connect with me
through my Facebook account!

GENERAL RUBRICS FOR ESSAY OUTPUTS

| Criteria | Value: 100% | Value: 75% | Value: 50% | Value: 25% |
|---|---|---|---|---|
| 1. Content Accuracy (60%) | The output contains all of the required information* with some additional significant information | The output contains all of the required information | The output contains most of the required information | The output contains very few items of the required information |
| 2. Lay-out or Delivery (40%) | There is a consistency in its components that allows the reader to locate information easily. | Most components are consistent within the publication. | Most of the components are not consistent. | Components are inconsistent. |
