OPERATIONS AUDITING
Prepared by: Leo C. Camacho, CPA
MODULE 2
PHASES OF OPERATIONAL AUDITING
Like financial audits, operational audits follow planning, fieldwork, and reporting phases,
an approach valued for its simplicity, effectiveness, and time-tested way of organizing,
performing, and communicating the results of the audit conducted. Each phase and the key
activities that could occur during the performance of an operations audit are discussed below:
Included in this activity is the risk assessment. As with the assurance engagements
discussed earlier, risk assessment is also vital in conducting an
operations audit. A risk assessment is a systematic and interactive process of identifying,
measuring, and analyzing risks using either qualitative or quantitative inputs or factors,
depending on the timeframe of the assessment.
Risk assessment is about measuring and prioritizing risks so that risk levels are
managed within defined tolerance thresholds without being overcontrolled or forgoing
desirable opportunities.[1] The majority of companies have a Risk Management
Committee to assist the board of directors in managing risk. It oversees risk
management activities such as identifying, assessing, and mitigating risks that
affect the overall organization. Risk management should be considered a four-step
process: (1) risk identification, (2) quantitative or qualitative assessment of the documented
risks, (3) risk prioritization and response planning, and (4) risk monitoring.
[1] https://www.coso.org/Documents/COSO-ERM%20Risk%20Assessment%20in%20Practice%20Thought%20Paper%20October%202012.pdf
Process in Risk Assessment [2]
As discussed in the planning stage, there are four steps to be undertaken in risk
management, as follows:
1. Risk identification - The first step is to identify the risks that the business is exposed to in its
operating environment. There are many different types of risks: legal risks, environmental
risks, market risks, regulatory risks, and many more. Management must aim to identify all
possible risks that can affect the performance of the organization, ranging from the high
or more significant risks down to the low or minor risks associated with smaller business units
or individual projects. This requires an in-depth analysis of the potential
risks in every area of the organization, especially those areas that have a high or significant
risk that may impact operations, including the probability of occurrence.
[2] https://www.mitre.org/publications/systems-engineering-guide/acquisition-systems-engineering/risk-management/
2. Risk Assessment - Once a risk has been identified, it needs to be analyzed.
Management must determine the scope of the risk and must understand the link between
the risk and different factors within the organization. It is also necessary to determine the
severity and seriousness of the risk by seeing how many business functions the identified
risk affects.
4. Risk Monitoring - This is the process that tracks and evaluates the levels of risk in an
organization and evaluates the effectiveness of risk management strategies. The findings
produced by risk monitoring processes can be used to help create new strategies
and update older strategies that may have proved to be ineffective.[3]
1. Risk Matrix - visualizes the risk together with the likelihood of occurrence and the
possible extent of damage. It is also called a risk diagram.
[3] https://www.skillmaker.edu.au/risk-monitoring/#:~:text=Risk%20monitoring%20is%20the%20process,effectiveness%20of%20risk%20management%20strategies.
[4] https://www.microtool.de/en/knowledge-base/what-is-a-risk-matrix/
2. Risk Register - a record of identified risks (threats and opportunities) relating to the
project. It is a document acting as a repository for all risks identified and includes
additional information about each risk, e.g. nature of the risk, reference and
owner, mitigation measures. It can be displayed as a scatter plot or as a table.[5]
The audit conducted by the internal auditors is a means to assess the condition of the
client's organization, with the objective of helping the organization improve its
structure and operating practices. Therefore, the operational audit must focus
on management practices that facilitate or hamper the accomplishment of objectives. The
7 Es provide a simple yet effective model to keep these essential concepts in mind.[6]
b. Efficiency - relates to the use of inputs and other resources toward the achievement of
goals and objectives in any form of productive activity. Organizations must strive to
produce goods and services at or below cost levels. The ratio between the actual
production (i.e., outputs) and the actual inputs (i.e., resources) constitutes the degree of
efficiency of the organization's operations. You can think of it as the burn rate, or the
rate at which the company's resources are used during its operations.
[5] https://en.wikipedia.org/wiki/Risk_register
[6] Operational Auditing Principles and Technique for a Changing World, Hernan Murdock
c. Economy - refers to the price paid for organizational resources. Historically, the main
criterion for assessing economy was the price of goods and services used by the
organization. While price is an important element, it has become quite apparent that
buying shoddy merchandise or tools will most likely lead to having to buy
replacements with greater frequency than if a higher quality item had been bought in
the first place. The key is to buy based on value, not merely price, so company
procedures should focus on the assessment of value when defining allowable
purchases. A better approach to assessing economy is to consider the entire value of
the item. This includes warranties, replacement or repair guarantees, speed and
reliability of delivery, expected useful life of the item, and so on. It is important to
mention that these criteria apply to tangible goods like materials, machinery,
equipment and tools, as well as financial inputs.
e. Ethics - The Merriam-Webster dictionary defines ethics as the rules of behavior based
on ideas about what is morally good and bad. It deals with what is good and bad
behavior, what is morally right or wrong, and moral duty and obligation. It is a critical
subject for internal auditors because an individual's viewpoint regarding what is right
and wrong will drive most aspects of decision-making and corporate behavior,
including that related to the performance of control activities and the treatment of others.
f. Equity - relates to the treatment of others with dignity and respect. This should be
done consistently, by everyone, always. Equity is often thought of in terms of fairness,
reciprocity, and impartiality.
g. Ecology - Environmental concerns have reached high levels over the past years and
will likely continue to garner much attention in the future. In addition, customers,
employees, local communities, regulators, and other stakeholders increasingly expect
organizations to act responsibly toward the environment.
2. Fieldwork - This is the second phase in the engagement's life cycle, when most of the
testing is performed. It includes interviews with management, application of testing
methodologies, documenting and managing fieldwork, and providing updates on the
status of the engagement. It is composed of two things:
a. Determination and review of the processes and programs, and whether they are effectively
designed to achieve the goals and objectives of the organization.
b. Verification of the effectiveness of the controls in place.
In conducting fieldwork, the internal auditor must obtain sufficient, appropriate evidence to
support the work and persuade others that conditions are satisfactory or not. The different
types of audit evidence that auditors gather and evaluate during their reviews are as
follows:
Example of internal and external documents
External Documents Internal Documents Combination
Procedures documentation
3. Reporting - This is the third phase of the audit, in which the results of the audit are
communicated to management; it is referred to as the reporting phase. In our case, we will issue an Audit
Observation Memorandum addressed to the Head of the Agency, which indicates the
observation or practice noted during the audit, the criteria, and the recommendations for
corrective action. An observation is the documentation of deviations from what should be,
based on the criteria and best practices. The purpose of issuing an Audit Observation
Memorandum is to give management a chance to explain the reasons why the
observations happened. Management has a chance to rebut the audit findings of the
auditor, which is why the auditor must obtain sufficient appropriate evidence in order to
sustain the audit findings.
In preparing an effective audit observation, there are attributes that need to be observed
by the auditors. Audit findings must have criteria, condition, cause, effect, and
recommendations.
An observation is more persuasive, and the reader is more likely to be convinced by it,
if it has the attributes of criteria, condition, cause, effect, and
recommendation (CCCER).
1. Design. This refers to deficiencies in the design of the program or process. It means
that the processes or programs are poorly structured and mechanisms to prevent problems
from occurring are missing or found to be deficient. Recall that one of the main
responsibilities of management is to design the structures, processes, reporting
relationships, and accountability frameworks needed to be in control of the organization's
operations.
2. Operating. This refers to controls that are performing poorly and not working as
designed. The objective of the auditor is to design an audit procedure to test whether
the control is working or not.
Before the issuance of an audit observation memorandum to management or to the
Head of the Agency (Government), a discussion of the audit observations should be conducted with
the process owners or stakeholders, so that management is able to comment on the
observations. The recommendations, in turn, must address the condition and effect,
and they should be doable.
4. Follow-up - After the issuance of the audit report, it is necessary for management and
the auditors to verify whether the recommendations were implemented or not. Management should
give a timeline for implementing the recommendations to lessen the risk
associated with the findings. The audit report prepared by the internal auditor should not
be ignored by management; rather, prompt corrective action or implementation of the
recommendations must be carried out to lessen the risk associated with the observations
raised by the auditor.
Sample Quiz
1. It is a document acting as a repository for all risks identified and includes additional
information about each risk, e.g. nature of the risk, reference and
owner, mitigation measures.
a. Risk Matrix b. Risk Register
c. Risk Monitoring d. Risk Identification
2. It is the process which tracks and evaluates the levels of risk in an organization and
evaluates the effectiveness of risk management strategies.
a. Risk Matrix b. Risk Register
c. Risk Monitoring d. Risk Identification
3. The first step is to identify the risks that the business is exposed to in its operating
environment.
a. Risk Matrix b. Risk Register
c. Risk Monitoring d. Risk Identification
4. It is a tool in risk management that visualizes the risk together with the likelihood of
occurrence and the possible extent of damage.
a. Risk Matrix b. Risk Register
c. Risk Monitoring d. Risk identification
5. It is the process of evaluating the degree to which the organization, program, or process is
achieving its goals and objectives.
a. Effectiveness b. Efficiency
c. Economy d. Excellence
6. It relates to the use of inputs and other resources toward the achievement of goals and
objectives in some form of productive activity.
a. Effectiveness b. Efficiency
c. Economy d. Excellence
9. This is the second phase in the engagement’s life cycle when most of the testing is
performed
a. Planning b. Field Work
c. Reporting d. Document Inspection
10. It includes scoping, budgeting, determining the population of interest, and testing to be
performed.
a. Planning b. Field Work
c. Reporting d. Document Inspection
ANSWER KEY
1 B 6 B
2 C 7 C
3 D 8 D
4 A 9 B
5 A 10 A