CHAPTER 1

1. What is operational auditing and how can it add value to the organization?

Operational Auditing is a systematic process of assessing and examining the operational

activities to increase effectiveness and efficiency of an organization in accomplishing its objectives
(Murdock 2016 p. 3). It is designed to add value and enhance an organization’s operations and
effectiveness of risk management and control. It adds value to the organization when it offers
procedures and advices to improve governance, control processes and risk management. Operational
auditing activities add value when it is performed or executed in line with the organization’s objectives
and strategies.

2. Explain the importance of independence and objectivity and how having unfettered access within the
organization impacts the internal auditors’ ability to review any program, process, system, record, at any
time and perform operational reviews.

The internal auditor’s independence is important to objectively examine the organization’s

procedures or activities. To maintain independence, the internal auditor should report directly to the
audit committee or its equivalent.

It is also important to maintain objectivity. Internal auditors should have no personal association
with the personnel and even the organization being audited. Objectivity as defined by Murdock (2016
page 6) is a mental attitude that internal auditors should possess. Meaning, internal auditors should
maintain an unbiased attitude while performing their jobs and avoid conflict of interest situations.

The internal auditors should have access to records, personnel, and any other important
information as needed so that they can come up with the right decisions applicable to whatever
situations. With this information, internal auditors can review files of information and resolves conflicts
with this.

3. Describe the difference between retrospective reviews that focus on past events and prospective
engagements. List some of the future threats that internal auditors should include in their assessments.

Retrospective reviews refer to the activity of reviewing claims that have already been passed.
The goal of this is to dig deeper on the internal claims process and look for possible problems based on
the result. On the other hand, prospective reviews occur prior to claim submission. Its goal is to catch
any billing or errors in coding before claim is to be passed (Nassiopoulos, 2019).

The future threats that internal auditors should include in their assessments are operational,
technological, strategic, and environmental. Operational, like maintaining operational capacity, speed of
execution, staffing levels, employee motivation, knowledge transfer, system development, and
implementation Technological, like including protection of intellectual property and personally
identifiable information, denial of service attacks, business continuity due to staff turnover, and system
development. Strategic, like referring to concerns related to strong customer and vendor relations,
customer loyalty, building effective business partnerships, outsourcing arrangements, and mergers and
acquisitions. Environmental, like reliable supply of water and electricity, achieving a lower carbon
footprint, and reducing the amount of natural resources used during business activities. (Murdock, 2016
p. 17-18)

4. What are five of the skills of internal auditors that have been identified as essential for success in the
future? What can your internal audit department do to develop those skills among its staff?

Some of the skills that internal auditors should possess that is identified as essential for success
in the future are communication skills, such as oral, written, report writing, and presentation skills,
problem identification and solution skills, such as conceptual and analytical thinking, ability to promote the
value of internal audit, knowledge of industry, regulatory, and standards change and organization skills.
(Murdock 2016 p. 18)

Asides from internal auditors having skills mention above. I believe, to be effective, an internal
auditor should also possess traits like strong interpersonal skills, good oral and communication skills, ability
to influence and the like. Internal audit department should try to maintain a healthy relationship with its
internal auditors and other personnel. In achieving that, continuous training should be observed to develop
and to know each other very well. Also, the internal audit department should evaluate the skills of its
personnel and promote self-development to enhance knowledge, skills, and other traits in all possible area.

5. Explain the five stages in the IA-CM and its implications for operational auditing.

Level 1 (Initial) performs isolated single audits or reviews of transactions and documents for
accuracy and compliance. Level 2 (Infrastructure) focuses on compliance audits and functions to carry
out an audit of conformity and adherence with contracts, laws, policies and regulations of a particular
area, process, or system. While on level 3 (Integrated) provides guidance and advice to management.
These services are directed toward facilitation rather than assurance and include training,
system development reviews, performance and control self-assessment and counseling. On the
other hand, the purpose of level 4 (Managed) is to conduct sufficient work to provide an opinion on the
overall adequacy and effectiveness of the organization’s governance, risk management, and control
processes. It has coordinated its audit services to be sufficiently comprehensive that it can provide
reasonable assurance at a corporate level that these processes are adequate and functioning as
intended to meet the organization’s objectives. Last but not the least, level 5 (Optimizing). Internal
audit is recognized as a key change agent, continuously improving its professional
practices, integrating performance data, global leading practices, and feedback to
continuously strengthen the unit and the organization. It plans its workforce needs
strategically and maintains effective ongoing relationships with other units within the
organization to understand the organization’s strategic directions, emerging issues, and
risks (Murdock, 2016, p. 21-22).

6. Explain integrated auditing.

Integrated audits are defined by Murdock (2016) as designed to address IT questions while
simultaneously examining the business dynamics (p. 20). In simpler words, Integrated auditing combines an audit of
financial statements and an audit to internal controls. An audit is to be considered as integrated audit when
auditors, besides from giving an opinion on the assessment of financial statements, must also states an opinion on
the effectiveness on an organization’s internal control over financial reporting. Integrated audits are designed to
deal with IT questions as well as examining the business dynamics. There are also auditors who have deeper
knowledge to both accounting or financial and IT aspects of business operations (Murdock, 2016, p. 22).

7. Describe the difference between controls-based and risk-based auditing.

Control-based auditing, also called as traditional-based look for the controls within the process or
program of their review, then check them to see if they are present and operating as expected (Murdock, 2016, p.
8). It pertains to the process of identifying and evaluating internal controls without enough regard to their value
to the process. On the other hand, a risk-based auditing focuses on identifying what uncertainties have
the highest potential to prevent the organization from meeting its objectives. Activities performed in
risk-based auditing needed more brainstorming, frequent interactions with the owners, more in-depth
understanding of the organization’s business and a mechanism to address past, present, and future
vulnerabilities and scenarios that threaten the achievement of business objectives (Murdock, 2016, p.
12).

8. Explain the importance of using business objectives while planning and performing operational audits,
and how to use them when communicating the results of the audit.

In planning and performing operational audits, the auditor needs to acquire an insight and
understanding about the operation of the business. Meaning, internal auditors should dig deeper into
available information, identify possible risks, and connect those risk to the business objectives. Internal
auditors must do their work in ways that help the organization achieve its objectives by properly
responding to the risks that threaten these objectives (Murdock, 2016, p. 8).

Internal auditor’s activities include assessing whether planning and performing operational
audits as well as risk controls are consistent to the organization’s objectives, mission, vision, and
strategies. It is important to use business objectives in line with auditing activities so that when
communicating the result of audit, it will provide an understanding of risk management procedures, as
well as the effectiveness and efficiency of it in achieving the objectives of an organization.
9. What are the attributes of effective audit evidence outlines in Standard 2310 and what the
implications for operational audits?

The job of the internal auditors includes the communication of their findings in the assessment
of the organization. To be persuasive, communications must meet the attributes of effective audit stated
in Standard 2310 which are sufficiency, reliability, relevance, and usefulness. Sufficiency refers to the
needs of sufficient information that includes quantifiable facts and figures. Reliability, in the sense that
information must be trustworthy and free from distortion. Relevance relates to the information being
consistent with the objectives and scope of the review while usefulness relates to the information
helping the organization accomplish its objectives (Murdock, 2016, p. 28).

10. Explain how an organization could meet its compliance requirements but still fail over the medium
and long term.

An organization can meet its compliance requirements and at the same time, fail over the
medium and long term. According to Murdock (2016 p. 13), this occurs when there is poor management
decisions and practices. These decisions and practices include ineffective hiring or poorly
supervised/trained employees, not enough environmental health, and safety practices as well as issues
arising in corporate social responsibility. Computer systems designed with inaccurate insights of the
business needs, insufficient data collection and inadequate reporting mechanisms are also the cause of
failure in the long run. Poor operation management and weak marketing strategies can also be the
source of failing over the medium and long term.

Another is when the organization fails to consult the opinions of the internal auditor about their
operational activities and objectives. Internal auditors identify different problems and suggest
adjustments or improvements for the betterment of the company. Since the organization did not ask or
consult the internal auditor regarding this matter, it can be a cause for the company to fail because they
did not adopt to those changes which is essential in the success of all businesses.
References:

Nassiopoulos, Vasilios. (2019, June 13). Prospective vs. Retrospective Audits? Our View: You Need Both.
Retrieved from https://www.hayesmanagement.com/prospective-vs-retrospective-audits-our-view-you-
need-both/

Murdock, Hernan. (2016). Operational auditing: Principles and techniques for a changing world. Boca
Raton, FL: CRC Press.