
MODULE IN OPERATIONS AUDITING

Prepared by:
Leo C. Camacho, CPA
MODULE 2
PHASES OF OPERATIONAL AUDITING
Like financial audits, operational audits are conducted in planning, fieldwork and reporting
phases, because this approach is simple, effective, and time-tested for organizing,
performing, and communicating the results of the audit conducted. Each phase and the key
activities that may occur during the performance of an operations audit are discussed below:

1. Planning – Planning is a very important part of conducting an engagement. It
includes scoping, budgeting, determining the population of interest, and the testing to be
performed. There is a saying that “failing to plan is planning to fail”, and many
engagements have been unsuccessful because of poor planning. In our case, every time we
have an engagement, rigorous planning is conducted to determine what activities are to
be conducted, how they will be conducted and when they will be conducted. We also need to
communicate with management regarding the operations audit to be conducted by the
team. In this stage, the internal auditor must consider risks other than the risk attributed to
the presentation of the financial statements. These may include operational, technological,
strategic and environmental risk. The internal auditor must also consider other risks, such
as legal liability, corporate image (e.g., reputation), industry-specific and compliance risks.

Included in this activity is the risk assessment. As with the assurance engagements we
discussed earlier, risk assessment is also vital in conducting an operations audit. A risk
assessment is a systematic and interactive process of identifying, measuring, and analyzing
risks using either qualitative or quantitative inputs or factors, depending on the timeframe
of the assessment.

Risk assessment is all about measuring and prioritizing risks so that risk levels are
managed within defined tolerance thresholds without being overcontrolled or forgoing
desirable opportunities.1 The majority of companies have a Risk Management
Committee to assist the board of directors in managing risk. It oversees risk
management activities such as identifying, assessing and mitigating risks that
affect the overall organization. Risk management should be considered a four-step
process: (1) risk identification, (2) quantitative or qualitative assessment of the documented
risks, (3) risk prioritization and response planning, and (4) risk monitoring.

1 https://www.coso.org/Documents/COSO-ERM%20Risk%20Assessment%20in%20Practice%20Thought%20Paper%20October%202012.pdf

Process in Risk Assessment2

As discussed in the planning stage, there are four steps to be undertaken in risk
management, as follows:

1. Risk identification - The first step is to identify the risks that the business is exposed to in its
operating environment. There are many different types of risks: legal risks, environmental
risks, market risks, regulatory risks, and many more. Management must aim to identify all
possible risks that can affect the performance of the organization, ranging from the high
or more significant risks down to the low risks associated with smaller business units
or individual projects. This requires an in-depth analysis of the potential
risks in every area of the organization, especially those areas that have a high or significant
risk that may impact operations, including the level of probability of occurrence.

2 https://www.mitre.org/publications/systems-engineering-guide/acquisition-systems-engineering/risk-management/

2. Risk Assessment - Once a risk has been identified, it needs to be analyzed.
Management must determine the scope of the risk and must understand the link between
the risk and different factors within the organization. It is also necessary to determine the
severity and seriousness of the risk by seeing how many business functions are affected by
the identified risk.

3. Risk Prioritization – Risk management solutions have different categories of risks,
depending on the severity of the risk; thus, risks need to be ranked and prioritized based on
the likelihood of occurrence as well as the impact of the risk. The likelihood of occurrence
can be categorized as rare, unlikely, possible, likely and almost certain, while the impact
measure may include insignificant, minor, moderate, major and catastrophic.

4. Risk Monitoring – This is the process that tracks and evaluates the levels of risk in an
organization and evaluates the effectiveness of risk management strategies. The findings
produced by risk monitoring processes can be used to help create new strategies
and update older strategies that may have proved to be ineffective. 3

Tools in Risk Management

1. Risk Matrix - visualizes the risk together with the likelihood of occurrence and the
possible extent of damage. It is also called a risk diagram.

Example of Risk Matrix

3 https://www.skillmaker.edu.au/risk-monitoring/#:~:text=Risk%20monitoring%20is%20the%20process,effectiveness%20of%20risk%20management%20strategies.
4 https://www.microtool.de/en/knowledge-base/what-is-a-risk-matrix/

2. Risk Register - a record of identified risks (threats and opportunities) relating to the
project. It is a document acting as a repository for all risks identified and includes
additional information about each risk, e.g. nature of the risk, reference and
owner, mitigation measures. It can be displayed as a scatter plot or as a table. 5

The audit conducted by the internal auditors is a means of assessing the condition of the
client’s organization, with the objective of helping the organization improve its
structure and operating practices. Therefore, the operational audit to be conducted must focus
on management practices that facilitate or hamper the accomplishment of objectives. The
7 Es provide a simple yet effective model to keep these essential concepts in mind. 6

a. Effectiveness - is the process of evaluating the degree to which the organization,
program, or process is achieving its goals and objectives. Effectiveness consists of
comparing the planned outputs with the actual outputs. This can be expressed simply
as achieving X percent of the goal. If the number is under 100%, the goal was not fully
achieved, and conversely, if above 100%, the goal was surpassed.

b. Efficiency - relates to the use of inputs and other resources toward the achievement of
goals and objectives in any form of productive activity. Organizations must strive to
produce goods and services at or below cost levels. The ratio between the actual
production (i.e., outputs) and the actual inputs (i.e., resources) constitutes the degree of
efficiency of the organization’s operations. You can think of it as the burn rate, or the
rate at which the company’s resources are used during its operations.

5 https://en.wikipedia.org/wiki/Risk_register
6 Operational Auditing Principles and Technique for a Changing World, Hernan Murdock

c. Economy - refers to the price paid for organizational resources. Historically, the main
criterion for assessing economy was the price of goods and services used by the
organization. While price is an important element, it has become quite apparent that
buying shoddy merchandise or tools will most likely lead to having to buy
replacements with greater frequency than if a higher quality item had been bought in
the first place. The key is to buy based on value, not merely price, so company
procedures should focus on the assessment of value when defining allowable
purchases. A better approach to assessing economy is to consider the entire value of
the item. This includes warranties, replacement or repair guarantees, speed and
reliability of delivery, expected useful life of the item, and so on. It is important to
mention that the said criteria apply to tangible goods like materials, machinery,
equipment and tools, as well as financial inputs.

d. Excellence - Another key aspect of organizational priorities is the performance of all
work with high quality. In developed economies, and increasingly so in emerging
markets as well, products and services are commoditized and differentiation based on
price is a high-risk proposition. Relying only on low costs to secure customers is a race
to the bottom, and some organizations find out that it can be a very dangerous strategy
as margins become increasingly smaller unless other activities improve results—such
as efficiency and relentless cost cutting. Quality in all that everyone does is essential for
continued success. Measuring quality is essential to determine if it is being achieved,
and always remember that people do what is measured, repeat what is rewarded, and
stop doing what is punished.

e. Ethics - The Merriam-Webster dictionary defines ethics as the rules of behavior based
on ideas about what is morally good and bad; it deals with what is good and bad
behavior, what is morally right or wrong, and moral duty and obligation. It is a critical
subject for internal auditors because an individual’s viewpoint regarding what is right
and wrong will drive most aspects of decision-making and corporate behavior,
including that related to the performance of control activities and treatment of others.

f. Equity - relates to the treatment of others with dignity and respect. This should be
done consistently, by everyone, always. Equity is often thought of in terms of fairness,
reciprocity, and impartiality.

g. Ecology - Environmental concerns have reached high levels over the past years and
will likely continue to garner much attention in the future. In addition, customers,
employees, local communities, regulators, and other stakeholders increasingly expect
organizations to act responsibly toward the environment.

2. Fieldwork - This is the second phase in the engagement’s life cycle, when most of the
testing is performed. It includes interviews with management, application of testing
methodologies, documenting and managing fieldwork, and providing updates on the
status of the engagement. It is composed of two things:
a. Determination and review of whether the processes and programs were effectively
designed to achieve the goals and objectives of the organization.
b. Verification of the effectiveness of the controls in place.

In conducting fieldwork, the internal auditor must obtain sufficient, appropriate evidence to
support their work and persuade others whether conditions are satisfactory or not. The different
types of audit evidence that auditors gather and evaluate during their reviews are as
follows:

a. Testimonial – This is evidence that consists of verbal or written statements or
assertions given by someone as proof regarding the matter being discussed. During
the audit, it is assumed that auditees are making truthful statements about their
assertions; therefore, testimonial evidence does not have to be sworn during the audit
period. There should be a code of ethics under which giving false statements to the auditor
is subject to disciplinary action.

b. Observation – The observation can be announced or unannounced. It is effective
if the auditor conducts a surprise observation, because the auditor will see the
total picture of what is happening in processing the transactions or producing a
product.

c. Document Inspection – Another way of obtaining sufficient, appropriate
evidence is by document inspection or review. This is the most common
procedure performed by auditors: examining the documents to verify the
completeness, accuracy and propriety of the transaction. Documents can be obtained
within the organization (internal) or outside the organization (external).

Example of internal and external documents

| External Documents        | Internal Documents                                     | Combination |
|---------------------------|--------------------------------------------------------|-------------|
| Invoices received         | Invoices produced                                      | Contracts   |
| Bank statements           | Memos                                                  |             |
| Confirmation statements   | Reports (e.g., production, inventory, and time sheets) |             |
| Certificates of insurance | Policy statements                                      |             |
| Credit reports            | Procedures documentation                               |             |

d. Recalculation/Reperformance – To check the accuracy of the amounts indicated in
the documents or records, a mathematical recalculation can be conducted by the
auditor. On the other hand, the auditor may conduct a reperformance or walk-through
of the process to ascertain whether there are enough controls in place and whether
the controls are effective as designed.

e. Audit Working Papers – refers to documents obtained by the auditor to support
the procedures performed by the auditor. It may include flowcharts and internal
questionnaire prepared by the auditor.

3. Reporting – This is the third phase of the audit, in which the results of the audit are
communicated to management; it is referred to as the reporting phase. In our case, we will
issue an Audit Observation Memorandum addressed to the Head of the Agency, which indicates the
observation or practice noted during the audit, the criteria and the recommendations for
corrective action. An observation is the documentation of deviations from what should be,
based on the criteria and best practices. The purpose of issuing an Audit Observation
Memorandum is to give management a chance to explain the reason or reasons why the
observations happened. Management has a chance to rebut the audit findings of the
auditor, which is why the auditor must obtain sufficient appropriate evidence in order to
sustain the audit findings.

In preparing an effective audit observation, there are attributes that need to be observed
by the auditors. Audit findings must have criteria, condition, cause, effect and
recommendations.

a. Criteria – This pertains to the standard or benchmark. It is either the Manual of Operations,
ISO Standards, Laws, Rules or Regulations. This is “what should be” or “what was
expected”.
b. Condition – it explains whether the criteria or benchmark were followed based on the
interviews, analysis, verification and testing. This is “what is or has happened” or “what
actually exists”.
c. Cause – the result or reasons why the existing condition is different from the
criteria. This is “how or why the condition happens”.
d. Effect – refers to the impact of the condition, or the adverse result of the failure to
meet criteria, such as inability to perform one’s tasks or meet client expectations.
e. Recommendations – refers to the suggested corrective action or the action necessary
to correct the condition consistent with the criteria.

Audit observations of the internal auditors must be quantifiable in terms of amounts,
values, time when the condition occurs, the number of affected individuals or organizations,
the useful life of the assets involved, and so on. As such, the effect or consequence of the
findings in terms of money with regard to the audit observation is also quantifiable.

An observation is more persuasive, and the reader will be more convinced by what the auditor
communicates, if the observation has the attributes of criteria, condition, cause, effect, and
recommendation (CCCER).

Two Types of Deficiencies

1. Design. These refer to deficiencies in the design of the program or process. It means
that the processes or programs are poorly structured, and mechanisms to prevent problems
from occurring are missing or found to be deficient. It can be recalled that the main
responsibilities of management are to design the structures, processes, reporting
relationships, and accountability frameworks to be in control of the organization’s
operations.

2. Operating. These refer to controls that are performing poorly and not working as
designed. The objective of the auditor is to design an audit procedure to test whether
the control is working or not.

Before the issuance of an audit observation memorandum to management or to the
Head of the Agency (Government), a discussion of the audit observations should be conducted
with the process owners or stakeholders, so that management is able to comment on the said
observations. On the other hand, recommendations must address the condition and effect,
and they should be doable.

4. Follow-up – After the issuance of the audit report, it is necessary for management and
auditors to verify whether the recommendations were implemented or not. There should be a
timeline given by management for implementing the recommendations to lessen the risk
associated with the findings. The audit report prepared by the internal auditor should not
be ignored by management; rather, prompt corrective action or implementation of the
recommendations must be carried out to lessen the risk associated with the observations
raised by the auditor.

Sample Quiz

Multiple Choice: Choose the letter of the correct answer.

1. It is a document acting as a repository for all risks identified and includes additional
information about each risk, e.g. nature of the risk, reference and
owner, mitigation measures.
a. Risk Matrix b. Risk Register
c. Risk Monitoring d. Risk Identification

2. It is the process which tracks and evaluates the levels of risk in an organization and
evaluates the effectiveness of risk management strategies.
a. Risk Matrix b. Risk Register
c. Risk Monitoring d. Risk Identification

3. The first step is to identify the risks that the business is exposed to in its operating
environment.
a. Risk Matrix b. Risk Register
c. Risk Monitoring d. Risk Identification

4. It is a tool in risk management that visualizes the risk together with the likelihood of
occurrence and the possible extent of damage.
a. Risk Matrix b. Risk Register

c. Risk Monitoring d. Risk identification

5. It is the process of evaluating the degree to which the organization, program, or process is
achieving its goals and objectives.
a. Effectiveness b. Efficiency
c. Economy d. Excellence

6. It relates to the use of inputs and other resources toward the achievement of goals and
objectives in some form of productive activity.
a. Effectiveness b. Efficiency
c. Economy d. Excellence

7. It refers to the price paid for organizational resources.
a. Effectiveness b. Efficiency
c. Economy d. Excellence

8. It is the performance of all work with high quality
a. Effectiveness b. Efficiency
c. Economy d. Excellence

9. This is the second phase in the engagement’s life cycle when most of the testing is
performed
a. Planning b. Field Work
c. Reporting d. Document Inspection

10. It includes scoping, budgeting, determining the population of interest, and testing to be
performed.
a. Planning b. Field Work
c. Reporting d. Document Inspection

ANSWER KEY

1 B 6 B
2 C 7 C
3 D 8 D
4 A 9 B
5 A 10 A
