MODULE 2:

OPERATIONAL AUDIT FRAMEWORK

Operational Audit
 An operational audit is a study of a specific unit of an organization for the purpose of measuring its
performance. The main objective of this type of audit is to assess entity's Performance, identify areas
for improvements and make recommendations to improve performance.

Internal auditor's responsibilities in operational audits

In operational audits, the company's management is responsible for setting operating standards. In
contrasts, the internal auditor's responsibilities are to determine that:
a. Management has established such standards.
b. The standards are being met.
c. Deviations from established standards are being identified and corrected.
d. Corrective action has been taken.

Different Types of Operational Audits

In addition to overall operational audits, some subcategories cover specific business functions and operations:
a. Financial Audits or Review: Financial audits focus on financial controls as they relate to reporting to
internal and external governing bodies.
b. Operational Audits: operational audits focus on the review and assessment of single or multiple
business processes.
c. Department Reviews: Different departments or divisions may run a periodic analysis to assess the
adequacy of controls.
d. Information System (IT) Audits: Information systems audits investigate overall infrastructure and
networks, technical operations, data center operation, project management, and review security
status and procedures.
e. Program or effectiveness audit: an audit to determine whether the entity has been effective in
achieving the desired results or benefits of the program or activity
f. Investigative Audits: When a company suspects a risk of security breach, or when one has occurred on
the part of an individual or department, there is often an investigative audit to understand causes and
additional background information and research.
g. Compliance Audits: Compliance audits review the level of compliance with external regulatory
requirements or internal policies.
h. Marketing Audits: A marketing audit is a broad, precise, and autonomous probe into the marketing of
a company or a business.
i. Follow-Up Audits: After an operational audit report has been issued, it is standard practice to follow
up to evaluate corrective actions, usually within a six month period.
j. Economy audit: an audit to determine whether company objectives or goals are met at a cost
commensurate with the task
k. Efficiency audit: whether company objectives or
goals are met at the least or minimal costs or resources

Conducting a Quality Internal Audit

1. Integrity

1|Page
 2. Fair Presentation
3. Due Professional Care
4. Confidentiality
5. Independence
6. Evidence-Based

Advantages of Operational Audit

1. Influence Positive Change: Understand how future processes, policies, procedures, and other types of
management are producing maximum effectiveness and efficiency.
2. Review Internal Controls: Establish the potential impact of successes and failures in the specialized
functional areas of operation.
3. Understand Risks: The type of risks associated with business and operational risk range from business
interruption, employee omissions or errors, IT system failure, product failure, safety and health issues,
loss of key employees, fraud, loss of suppliers, and litigation.
4. Identify Improvement Opportunities: As a result of understanding risks, auditors can determine
where to make improvements and how to mitigate risks and improve opportunities. The broad
categories of risk - and where improvements should occur - are operational risk, financial risk,
environmental risk, and reputational risk.
5. Inform Senior Management: The results of the audit should appear in a clear report that provides
objective analysis, appraisals, recommendations, and pertinent comments concerning the activities
reviewed.

2|Page
Audit Assurance Engagement
Type Objective Conclusion
Reasonable Reduction in assurance engagement risk to an
Positive form of expression of
Assurance acceptably low level in the circumstances of the
engagement the practitioner’s conclusion
Engagement

Elements of an Assurance Engagement:

1. A three party relationship involving a practitioner (CPA), a responsible party, and intended users;

Practitioner Responsible Party

The term practitioner as used in

Intended Users
professional standards, which The responsible party is the
relates only to practitioners person (or persons) responsible The intended users are the
performing audit or review for the subject matter or the person, persons or class of
engagements with respect to subject matter information (the persons for whom the
historical financial information. assertion) in an assurance practitioner prepares the
engagement. assurance report. The
The ethical requirement responsible party can be one of
regarding professional The responsible party may or the intended users, but not the
competence can be satisfied by may not be the party who only one whenever practical, the
the practitioner using work of engages the practitioner (the assurance report is addressed to
persons from other professional engaging party). The all the intended users, but some
disciplines, referred to as responsible party ordinarily cases there may be other
experts. When this happens, the provides the practitioner with a intended users.
practitioner should be satisfied written representation that
that those persons carrying out evaluates or measures the The practitioner may not be able
engagement collectively possess the subject matter against the to identify all those who will
requisite skills and identified criteria, whether or read the assurance report,
knowledge, and that the not it is to be made available as particularly where there are
practitioner has an adequate level an assertion to the intended large numbers of people who
of involvement in the engagement users.
and understanding of the work have access to it.
which of the work for which any
expert is used

2. An appropriate subject matter;

 Subject matter have different characteristics, including the degree to which information about
them is qualitative versus quantitative, Objective versus subjective, historical versus prospective,

3|Page
 and relates to a point in time or covers a period. Such characteristics affect the precision with
which the subject matter can be evaluated or measured against criteria and the persuasiveness
of available evidence. In any case, the assurance report notes characteristics of particular
relevance to the intended users.

3. Suitable criteria

 Criteria are the benchmarks used to evaluate or measure the subject matter including, where
relevant, benchmarks for presentation and disclosure, criteria can be formal or less formal.

Assurance Engagement Applicable Criteria

Audit of financial statements Philippine Financial Reporting Standards (PFRS)
Established internal control framework or individual control
Assurance on internal control
objectives specifically designed for the engagement
Compliance audits Applicable law, regulation or contract

Characteristics of Suitable Criteria (CURNeR)

Characteristics Explanation
Relevant criteria contribute to conclusions that assist decision
Relevance
making by the intended users.
Criteria are sufficiently complete when relevant factors that could
affect the conclusions in the context of the engagement
Completeness
circumstances are not omitted. Complete criteria include, where
relevant, benchmarks for presentation and disclosure.
Reliable criteria allow reasonable consistent evaluation or
measurement of the subject matter including, where relevant
Reliability presentation and disclosure, when use in similar circumstances by
similarly qualified practitioners.
Neutrality Neutral criteria contribute to conclusions that are free from bias.
Understandable criteria contribute to conclusions that are clear,
Understandability comprehensive, and not subject to significantly different
interpretations.

Established criteria and specifically developed criteria o Established criteria are those
embodied in laws or regualations, or issued by authorized or recognized bodies of experts
that follow a transparent due process. o Specifically developed criteria are those designed
for the purpose of the engagement. Whether criteria are established or specifically
developed affects the work that practitioner carries out to assess their suitability for
particular engagement.

4. Sufficient appropriate evidence; and

4|Page
Audit evidence is the documentation or other information that auditors gather as a result of audit
procedures. Furthermore, audit evidence is a vital part of any audit as it allows auditors to reach are 8
types of audit evidence that auditors can obtain. Sometimes, auditors may also face limitations in
gathering audit evidence and must use their professional judgment to act accordingly.

Audit Procedures to obtain Audit Evidence:

• Inspection
• Observation
• External Confirmation
• Recalculation
• Reperformance
• Analytical Procedures
• Inquiry

 Sufficiency is the measure of the quantity of evidence. Appropriateness is the measure of the
quality of evidence; that is, its relevance and its reliability. The quantity of such evidence needed
is affected by the risk of the subject matter information being materially misstated

 The practitioner plans and performs an assurance engagement with an attitude of professional
skepticism to obtain sufficient appropriate evidence about whether the subject matter
information is free of material misstatement. The practitioner considers materiality, assurance
engagement risk, and quantity and quality of available evidence when planning the nature,
timing and extent of evidence-gathering procedures.

Generalizations about the reliability of evidence

Generalizations about the reliability of various kinds of evidence can be made; however, such
subject to important exceptions. Even when evidence is obtained from sources external to the
entity, circumstances may exist that could affect the reliability of the information obtained. For
example, evidence if the source is not knowledgeable. While recognizing that exceptions may
exist, the following generalizations about the reliability of evidence may be useful:
1. Evidence is more reliable when it is obtained from independent sources outside the entity.
2. Evidence that is generated internally is more reliable when the related controls are
effective.
3. Evidence obtained directly by the practitioner (for example, observation of the application
of a control) is more reliable than evidence obtained indirectly or by inference (for
example, inquiry about the application of a control).
4. Evidence is more reliable when it exists in documentary form, whether paper, electronic,
or other media (for example, a contemporaneously written record of a meeting is more
reliable than a subsequent oral representation of what was discussed).
5. Evidence provided by original documents is more reliable than evidence provided by
photocopies or facsimiles.

Considerations in gathering evidences:

5|Page
 1. Cost-Benefit principle - The practitioner considers the relationship between the cost of
obtaining evidence and the usefulness of the information obtained. However, the matter
of difficulty or expense involved is not in itself a valid basis for omitting an evidence
gathering procedure for which there is no alternative.
2. Materiality - Materiality is relevant when the practitioner determines the nature, timing
and extent of evidence –gathering procedures, and when assessing whether the subject
matter information is free of misstatement.
3. Assurance engagement risk - is the risk that the practitioner expresses an inappropriate
conclusion when the subject matter information materially misstated. It is considered
when determining the nature, timing and extent of evidence- gathering procedures.

5. A written assurance report in the form appropriate to a reasonable assurance engagement or a limited
assurance engagement.
 The practitioner provide a written report containing a conclusion that conveys the assurance
obtained about the subject matter information.

Not all conclusions are unqualified conclusions. There are situations which may lead the practitioner
to express a different type of conclusion

Nature of the Matter Material but not pervasive Material and Pervasive
Unable to obtain sufficient appropriate
Qualified Opinion Disclaimer of Opinion
evidence (Scope Limitation)
Subject matter or assertion is materially
Qualified Opinion Adverse Opinion
misstated
Criteria are unsuitable or inappropriate,
Qualified Opinion Adverse Opinion
thus misleading users of information

6|Page