
Elisabeth Jane C.

Henanger
Sec 7

1. List three reasons management may ask for an operational audit to be performed, and explain
how the audit program would be impacted by each of them.

- Management may ask for an operational audit to improve departmental effectiveness.


Doing an operational audit allows management to compare and rank the effectiveness of
different departments or teams within the organization. This is a fantastic way of finding
the best practices for completing a process. Management simply has to see every team’s
performance for each process and then select the teams which perform the process most
effectively. The second reason is to discover opportunities for improvement. Operational
audit programs are much more in-depth than normal internal audits. They do not only look at
how things are; they also look at how things could be. This means that in an operational
audit the auditors do not simply audit the performance of the organization; they also look
for better ways of accomplishing the same tasks outside of the organization.

- The last reason is to increase the efficiency of operational audits. If operational audits can provide
such benefits, why aren’t they more common in businesses? The answer to this is very
simple: operational audits take a lot of time and resources. Normal internal audits
themselves take a lot of resources and operational audits are even more intense.
Businesses want to improve efficiency and the last thing they want is to start a process
that decreases efficiency. Operational audits require a lot of collaboration with employees
– employees that have other important job roles to fulfill. If the auditor keeps calling
people into meetings and taking follow-ups with people, it can have a negative effect on
the very processes the auditor is trying to improve.

2. Explain the importance of identifying risk factors and using them during the planning phase.

- The risk assessment process should initially be performed in the planning of the audit,
then continually challenged and reevaluated as procedures are performed and more
evidence is gained. This is truly what can drive a quality audit. Sadly, it can also doom
those who fail to focus appropriate attention and thoughtfulness on risk assessment,
leading to a less effective audit that could be subject to significant challenge by
regulators. The presence of some factors increases the likelihood or impact of the
underlying risks. On the other hand, the presence of some factors actually decreases the
likelihood or impact of the underlying risks. Risk factors are conditions and other
variables that in their presence or absence either exacerbate or diminish the underlying
risk.

3. Give two examples where document inspection is a useful technique to examine operational
risks and related controls.

The first example is to inspect the amount of each payment to compare it to the invoice received, and
the name of the person who approved the payment to make sure the approver is authorized to do
so. The second is inspecting the quantity of materials in a stockroom to see whether it matches the
quantity purchased, received, and disbursed to the factory for production.

4. Explain professional skepticism and why it is important for all auditors.

Professional skepticism has always been used to validate information through probing questions,
critical assessment of evidence, and attention to red flags and inconsistencies. The auditor’s use
of professional skepticism will need to evolve with the use of technological advancements by the
profession and by clients. Skepticism will need to be applied to all stages of the audit process,
and the auditor will need to be trained to find risks and potential errors that technology-based
tools have missed.

Internal auditors should be sufficiently suspicious of data received and reasonably verify that the
information is free from manipulation or modification in ways that can compromise its quality.
When there are doubts, the auditor must determine if those conditions make the evidentiary
matter too unreliable for use. Similarly, internal auditors should approach interviews and
meetings with sufficient skepticism, always attempting to verify the information provided,
corroborate the testimony received, and observe behavioral changes that could indicate deceit.

5. Explain the acronym CCCER.

- CCCER stands for Criteria, Condition, Cause, Effect, and Recommendation. Criteria
answers the question “What was expected?” It consists of what should exist or occur.
Condition answers the question “What actually exists?” It is what the auditor discovered as a
result of the performance of audit procedures. Cause is the reason the condition exists and
why it is different from the criteria. Auditors should focus on the root cause of the
problem and avoid focusing on symptoms. Effect is also referred to as the consequence. It
consists of the impact of the condition. Lastly, recommendation is the action item
necessary to correct the condition so performance is consistent with the criteria.

6. What are the defining characteristics of persuasive audit evidence?


- The defining characteristics of persuasive evidence are relevance, reliability, and
sufficiency. 

7. What are the key characteristics of well-prepared working papers?


- The key characteristics of well-prepared working papers include: working paper formats;
working paper files; at the end of an engagement, the files should contain only the final versions
of the working papers completed during the engagement; and each individual working paper should
stand on its own merits.

8.  What do internal auditors mean when they refer to the nature, extent, and timing of audit
procedures?

- The nature of audit procedures relates to the types of tests the internal auditor performs to
achieve his or her objectives. One-to-one relationships between audit objectives and audit
procedures are rare. Individual audit procedures often provide evidence that is pertinent to more
than one audit objective, and more than one audit procedure often is required to meet a particular
audit objective.

The extent of audit procedures pertains to how much audit evidence the internal auditor must
obtain to achieve his or her objectives (sufficiency). An internal auditor must, for example,
determine the appropriate combination of procedures to apply.

The timing of audit procedures pertains to when the tests are conducted and the period of time
covered by the tests.

9. What information should be included in a well-designed final assurance engagement
communication?

- Condition (facts) - Factual evidence and description of controls as they exist (what is).
What was found through testing.
- Criteria - Standards, measures, expectations, policy, or procedures used in making the
evaluation (what should exist).
- Cause - What allowed or caused the condition to exist (the why).
- Effect - Risk or exposure encountered because the condition is not consistent with the
criteria (what could go wrong, both past and possible future impact). Considers both the
impact (financial, reputational, safety, etc.) and the likelihood.
- Compensating controls - Other controls in place to mitigate the observation. Includes
monitoring.
- Conclusion - Detailed analysis, assessment, and justification for evaluation classifications
and final conclusions.
- Detailed recommendation - What the internal audit function recommends. This
recommendation must reconcile with management's solution as discussed during the
preliminary communication process.
- Management solution - What management will do
to fix the existing condition or prevent the problem from happening again.

10.    What actions regarding assurance engagement observations must the internal audit
function take after the final engagement communication is disseminated?

The internal audit function must have a process in place to monitor and follow up on agreed-
upon actions to ensure management has done what they intended.
If management chooses to accept the risk associated with making no changes to the control
activity, the CAE must make a judgment regarding the prudence of that decision and discuss
the matter with senior management.
If the decision regarding residual risk is not resolved, the chief audit executive must report the
matter to the board for resolution.
If management accepts responsibility for implementing changes to remediate the observations,
the internal audit function must monitor the progress management makes relative to the
remediation of the observations.
Regular follow-up procedures should ensure that agreed-upon actions are taken on schedule with
the time frame outlined in the final engagement communication.
Follow-up actions should be documented and retained in the internal audit function's working
papers of the next assurance engagement relating to the area that was subject to the original
audit.
