Module 1 Definition Characteristics and Guidance

Download as pdf or txt
Download as pdf or txt
You are on page 1of 28

MODULE 1

DEFINITION, CHARACTERISTICS,
AND GUIDANCE
ACELEC 332 – Operations Auditing

1
OPERATIONAL AUDITING
§Operational Audit is defined as “a future-oriented, systematic, and independent
evaluation of organizational activities.”
§ Financial data may be used, but the primary sources of evidence are the operational policies and achievements
related to organizational objectives.
§ Internal controls and efficiencies may be evaluated during this type of review.”

ØOperational Audit is “a review of how an organization’s management and its operating


procedures are functioning with respect to their effectiveness and efficiency in meeting
stated objectives.” (Business Dictionary)

2
INTERNAL AUDITING
ØInternal auditing is an Independence 1, Objectivity 2 Assurance 3 and Consulting 4
activity Designed to add value 5 and Improve an organzation’s operations 6.

ØIt helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate
and improve the effectiveness of risk management, control, and governance processes (Institute of Internal
Auditors).

3
The definition contains some key languages that is important to note:

1. Independence has to do primarily with the position of internal audit within


the organization’s hierarchy. Internal audit should report to the audit
committee (or its equivalent) on the board of directors, so it receives
advice and support to perform its duties.
- Furthermore, internal audit should not be under the control of those they audit. This
direct reporting line to the highest authority within the organization will help internal
audit reach its full potential, and get the attention from those whose influence,
recognition, and respect can compel corrective action of any anomalies identified by
the auditors.

4
2. Objectivity is related to the auditors’ frame of mind and their ability to
examine documents, processes, and programs without a bias, without an
agenda, with no other motive than to find the truth and communicate it
accurately and promptly.
- Conflicts of interest are one of the biggest threats to objectivity, so internal auditors
must be careful to balance maintaining healthy professional and social relationships
with others in the organization without becoming too cozy with them.

5
3. Assurance relates to the auditors’ ability to give confidence and make
statements regarding the condition of matters within the organization. It
is often considered a synonym to “compliance” as has been the
traditional focus of internal auditors for millennia.
- Compliance audits focus on verifying conformity and adherence of a particular area,
process, or system with policies, plans, procedures, laws, regulations, contracts, or
other requirements that govern the conduct and actions of that area, process, or
system.

6
4. Consulting means giving advice to management and the board and
engaging in activities that helps the organization resolve nagging
business issues.
- These engagements address performance, how to improve organizational programs,
processes, and activities, and how to become more flexible, nimble, and responsive
to business challenges.
- It also relates to the special projects that internal auditors sometimes work on.
- Lastly, consulting also relates to the way auditors do their work suggesting that the
traditional mindset and role of the auditor as the corporate cop is being redefined
and replaced by a more business-minded professional whose goal is to be respected
more so than being feared.

7
5. Designed to add value. If you ask a gathering of internal auditors if they
add value in their organizations, they unanimously raise their hands in
agreement. If you pose the same question to non-auditors, the response
is often far less enthusiastic. In fact, some may even argue that internal
auditors are a necessary evil and an expense they can’t do without
because regulations, the board of directors, or other stakeholders
demand the existence of an internal audit function.

8
6. Improve an organization’s operations is a very interesting statement
because many auditors see their role as that of checking things and
verifying the accuracy of various items and activities within the
organization. But improve an organization’s operations? Some would
argue that this is a rather broad subject, a tall order, a complex goal, a
challenging aspiration, and an insurmountable target. I believe it is not
only achievable, but also expected of modern internal auditors.

9
7. Help an organization accomplish its objectives. Many auditors practice
what has been commonly referred to as controls-based auditing. In
essence, they look for the controls within the process or program of their
review, then check them to see if they are present and operating as
expected.
- While this is important, they often forget to link those controls to the relevant risks and
link these risks to the business objectives that those risks threaten. All of this to say
that the starting point for everything auditors do should be the identification of the
relevant business objectives. With that in mind, then, internal auditors must do their
work in ways that help the organization achieve its objectives by properly responding to
the risks that threaten these objectives. By focusing on this, internal auditors can add
value and the possibilities are almost endless.

10
8. By bringing a systematic, disciplined approach. This refers to the
approach followed when performing the work. This is encapsulated in the
Standards, the Practice Guides and Practice Advisories, which provide a
great deal of guidance on how to plan, execute, and communicate the
results of the work done. Our methodology is quite extensive, and it
provides enough direction and flexibility as a framework to examine
virtually any aspect of an organization’s operations.

11
9. To evaluate and improve the effectiveness. Our role as auditors goes
beyond evaluating business dynamics and writing reports that merely lists
the problems identified. The definition indicates that we evaluate, but also
help to improve the organization’s ability to achieve the goals and
objectives related to:
a. Risk management. This refers to the identification, measurement, assessment, and
response to risks.
b. Control. This refers to those activities that mitigate relevant risks and helps the
organization avoid surprises.
c. Governance processes. Corporate governance is a wide subject that includes
matters related to organizational structure, reporting lines, span of control, resource
allocation, accountability measures, discipline, and rewards mechanisms. Corporate
governance relates to ethical behavior by directors and others charged with the
creation and preservation of wealth for all stakeholders.

12
RISK-BASED AUDIT
ØEngaging in risk-based auditing means that internal auditors must
exercise and apply a broader view of organizational risks.
- Accounting and financial risks are only a limited number of the many risk's organizations
face.
- Other examples include the risk of delays, waste, inefficiency, poor customer service,
excessive customer and employee turnover, poor quality data, and system failures.
- Although these risks characterize the working environments in many organizations, and
affected employees readily describe the impact these risks have on profitability and the
organization’s ability to succeed, many auditors fail to identify, measure, and assess
sufficiently the mechanisms in place to mitigate those risks.

13
AUDITING BEYOND ACCOUNTING, FINANCIAL,
AND REGULATORY REQUIREMENTS
Some audits require a similar approach due to their regulatory and
compliance focus, but we must be careful not to default to this approach
when the expectation is broader. Over time, business leaders and managers
witnessed business failures caused by poor management decisions and
practices, such as:
a. Operations management. Some of the related issues are waste, inefficiencies, supplies that arrive
late, poor customer satisfaction, and limited capacity to grow as opportunities arise or customers’
demands change.
b. Human resources. As evidenced by poorly supervised, trained, and evaluated employees who
sometimes become unmotivated and unproductive.
c. IT. Computer systems designed with an inaccurate understanding of the business needs and uses
of these systems, poor data capture, and inadequate reporting mechanisms.
d. Marketing. Mass marketing of products and services at a time when customers prefer to feel
unique, or wasteful campaigns because they target the wrong audience.
e. CSR. Issues range from child labor, sweatshop conditions, abusive management, and
inappropriate waste disposal.
f. Environmental Health and Safety (EHS) practices and conditions related to poor ventilation,
excessive heat, extreme noise levels, and workplace hazards caused by chemicals, machinery,
and workplace configurations, among others.

14
THE VALUE AUDITORS PROVIDE
ØInternal auditors are unfortunately not always regarded as highly as they
should be. Seen as an obstacle, too many managers and employees fail to
recognize that internal auditors provide a very valuable service to their
clients—whether they are employees of the firm or hired externally to provide
internal audit services.

15
An important aspect of the modern manager and auditor’s job is to identify relevant stakeholders and to
understand their interests. It is also important to understand the power they must assert these interests.
This process is called stakeholder analysis, which asks three fundamental questions:
1. Who are the relevant stakeholders?
2. What are the interests of each stakeholder?
3. What is the power of each stakeholder?

16
17
18
IDENTIFYING OPERATIONAL THREATS AND
VULNERABILITIES
Internal auditors need to go beyond inspecting transactions long after they were
performed because the focus now leans toward an examination of future threats and
vulnerabilities that can derail the organization’s goals and objectives in the short,
medium, and even the long term. In fact, focusing on future events and the future
implications of present events would add more value to their organizations than
reporting primarily on past events.
Threats and vulnerabilities:
a) Operational, such as maintaining operational capacity, speed of execution (i.e., cycle time), staffing levels,
employee motivation, knowledge transfer, system development, and implementation
b) Technological, including protection of intellectual property and personally identifiable information, denial of
service attacks, business continuity due to staff turnover, and system development
c) Strategic, referring to concerns related to strong customer and vendor relations, customer loyalty, building
effective business partnerships, outsourcing arrangements, and mergers and acquisitions
d) Environmental, which may include reliable supply of water and electricity, achieving a lower carbon
footprint, and reducing the amount of natural resources used during business activities

19
SKILLS REQUIRED FOR EFFECTIVE OPERATIONAL
AUDITS
The following are the top general competencies of internal auditors:
1. Communication skills, such as oral, written, report writing, and presentation skills*
2. Problem identification and solution skills, such as conceptual and analytical thinking*
3. Ability to promote the value of internal audit
4. Knowledge of industry, regulatory, and standards changes*
5. Organization skills
6. Conflict resolution/negotiation skills
7. Staff training and development
8. Accounting frameworks, tools, and techniques
9. Change management skills
10. Information technology framework, tools, and techniques
11. Cultural fluency and foreign language skills

*The three common core competencies identified in the report are communication skills, problem identification and solution skills, and keeping
up to date with industry and regulatory changes and professional standards.

20
In terms of behavioral skills, internal auditors should possess the following skills:
§ Confidentiality
§ Objectivity
§ Communication
§ Judgment
§ Work well with all management levels
§ Possess governance and ethics sensitivity
§ Be team players
§ Relationship building
§ Work independently
§ Team building
§ Leadership
§ Influence
§ Facilitation
§ Staff management
§ Change catalyst skills*

21
INTEGRATED AUDITING
Another important development over the past decades is the emergence of
integrated auditing as a type of audit. These are characterized by the
simultaneous inclusion of business and IT subjects in the review. Whereas in
the past traditional auditors would perform a review of accounting/ financial
controls, and IT auditors would perform their assessment of IT risks and
controls separately, during the 1990s this new practice, commonly referred to
as integrated auditing, emerged.

22
23
Ø Financial and operational auditors are increasingly expanding their focus and incorporating IT
applications and general IT topics in their reviews. Conversely, IT auditors, who have traditionally
focused on IT technical subjects including general and application matters, are increasingly widening
their view and including operational and financial elements to their review. This means that
operational and financial auditors need to know the systems in use, and IT auditors need to know
the business and how it uses the systems in place.

24
ØThis approach is a refreshing departure from the previous practice of conducting financial
audits, operational audits, and IT audits, all separate and at different points in time, of the same
unit. This antiquated approach was disruptive to the organization, costlier due to the repeated
reviews by different audit groups, and when communicating results, it did not provide a
comprehensive view that linked process, finance, and IT in one audit report.
ØSo, integrated audits are designed to address IT questions while simultaneously examining
the business dynamics.

25
THE STANDARDS
ØThe Institute of Internal Auditors (IIA), which is the governing body of
internal auditors worldwide, provides guidance for internal auditors on what
should be done, how it should be done, and why.
ØAdhering to the International Standards for the Professional Practice of
Internal Auditing (Standards) is mandatory, while following the guidance
provided in the Practice Advisories and Practice Guides is highly
recommended and encouraged.
ØPlease refer to: International Standards for the Professional Practice of
Internal Auditing (pdf)

26
THE STANDARDS

27
END OF MODULE 1

28

You might also like