Topic 3

The scope of Operational Audit

The Operational Audit can concern the whole organization or it can be limited to cover only certain
functions within the organizations.

However, a full scope examination of a company may be impracticable owing to:

(a) the size of the company;

(b) the time and cost of the service;
(c) the potential disruption to normal operations.

In determining the scope of operational audit, many engagements are limited to stipulated functions
of an organization. The Internal Auditor should consider the following:

(a) Potential impact of any limitation placed on the scope of his work
(b) Ability to satisfy the purpose or objective of the engagement.

Importance of preliminary review:

(a) The resources of the audit team can thus be focused on those functions of the organization.
(b) Identify the critical functions to future performance or which are likely to yield the best returns
for the audit expense.

Organizations that exercise operational audit may be any industrial, commercial or government
organization.

The scope of Operational Audit typically rely on the audit objective.

Key Objectives of Operational Audits

Defining the objectives of any engagement is essential as an initial step to put it on the right footing
for success. Without clearly defined, communicated, and understood objectives, all involved are likely
to drift during the course of the review by asking for irrelevant documentation, interviewing people
unnecessarily, examining transactions, and analyzing process characteristics that are alien to the
priorities embraced by the sponsors of the engagement. In the end, the auditors will communicate
recommendations for improvement regarding topics of little importance to audit clients. In essence,
not having clearly defined objectives will result in wasted time and money, frustration for all involved,
and damage to the reputation of the internal audit function.
The objectives of the review will depend on several factors. First of all, we must determine whose
objectives the engagement is intending to address. Internal audit should be careful not to define the
objectives unilaterally. While this may be necessary in certain occasions, this should not be the
prevailing practice, but rather, internal auditors should get management involvement as much as
possible to make sure that the review will meet their needs.

The objectives for the review could be driven by

1. New rules. Rules can be established internally (e.g., policies and procedures) or externally (e.g.,
new or updated laws and regulations), or a combination (e.g., a contract signed by the
organization and one or more external parties). Note that the new rule can also be the result
of voluntary adoption like what we have observed with many aspects of CSR. While some
argue that CSR is beyond the scope of internal audit, and highly regarded economists like
Milton Friedman objected to business leaders spending time and resources on CSR initiatives,
the growing consensus is that CSR is here to stay, and stakeholders are increasingly demanding
greater involvement as it relates to the triple bottom line. Furthermore, as Deborah L. Rhode
stated in the introduction to Warren Benis’ book Moral Leadership, multiple studies have
compared the social performance of companies with financial returns. Although results vary,
a meta study (study of multiple surveys) of 95 surveys found that only 4 found a negative
relationship, 55 found a positive relationship, 22 found no relationship, and 18 found a mixed
relationship.

A reputation for ethical conduct by organizations attracts customers, employees, and investors, and
builds good relationships with government regulators. Evidence of the financial importance of ethical
reputation is that in the year 2000, fewer than 75 socially screened funds existed. By July 2010, more
than 150 traditional, open-end funds and 17 exchange-traded funds employed various social screens.
The Social Investment Forum says that in the United States, socially screened portfolios, which include
pension funds, endowments, and foundations, as well as mutual funds, held $2.7 trillion at the end of
2007.*

The 2014 Report on US Sustainable, Responsible and Impact Investing Trends states that assets in
socially screened portfolios climbed from $3.74 trillion at the start of 2012 to $6.57 trillion at the start
of 2014, an increase of 76%. These assets now account for more than one out of every $6 under
professional management in the United States.

Many of these investors are engaged activists, making demands on the companies they invested in.
Notable institutional investors include Ariel Investments, Parnassus, Pax World, Calvert Funds,
Domini, Gabelli, and Praxis.

2. Poor performance. Inefficiencies, waste, rework, or complaints from customers and vendors may
trigger management involvement, resulting in their request to have the matter reviewed by
internal audit.
3. Compliance issues. These can be the result of internal quality control initiatives that identify
anomalies. In the case of regulators and inspector reviews that identify instances of
noncompliance at other organizations, the internal audit department may investigate
conditions at their organization to determine if a similar problem exists at home, help to
monitor the situation, and verify that follow-through on corrective actions take place in
anticipation of future additional compliance reviews by external parties, such as regulators.
4. Anomalous revenues or expenses. While increases in sales is always welcome news, if these figures
appear dubious, internal audit may review the related transactions to verify they are all
legitimate, they have been recorded in the correct amount, and posted during the correct
period. Similarly, unusually high or low, or otherwise questionable expenses, are likely to result
in the request for a thorough review.

When defining the objectives, effective internal auditors examine the organization’s infrastructure.
The Merriam-Webster dictionary defines infrastructure as the underlying foundation or basic
framework of a system or organization and the resources, such as personnel, buildings, or equipment
required for an activity. As such, the objectives of an operational audit could include examining the
collection of resources allocated to a program or process for it to accomplish its objectives. This may
also include the entity’s planning, budget, and technological systems.

The infrastructure could also include management reports because the extent, accuracy, proper
distribution, and amount of detail contained in it weigh heavily on management’s ability to per- form
its duties. Lastly, this infrastructure may also include the organizational structure and the assignment
of responsibility and accountabilities. Placing responsibility in the hands of people without
accountability, geographically disconnected, or burdened by cripplingly low staff, would impair
performance.

Concerns over business risks, internal and external changes in the internal and/or external
environment and dynamics affecting the organization’s governance may also influence the objectives
of an operational review. Among these governance and compliance elements are concerns over ethics,
EHS, operational consistency in relation to existing policies and procedures as well as CSR
expectations set by relevant stakeholders.

In general, the focus is on assessing and reporting on the efficiency, effectiveness, and economy of
operations, activities, and programs; and conducting engagements on governance, risk management,
and control. These are sometimes referred to as performance or value for money auditing, which
cover the full spectrum of operating and business processes, the related management controls, and
the results and outcomes achieved.

Technology may also influence the definition of objectives. Generally speaking, an organization or a
program is comprised of processes designed to support the organization’s program, processes, and
units. To the extent that those systems are designed effectively, and operate as expected, they will
support the achievement of objectives. Conversely, other conditions would work contrary to these
ideals and become the focus of review.

Working with Management

The real value in an internal audit is determining the cause of the differences between ‘what is’ and
‘what should be’ and identifying value-adding options and improvement actions. This is the essence
of operational auditing.

The management and staff of an area know a lot more about the audit topic than the internal auditor.
By working closely with management and stakeholders at the conclusion of the audit to identify root
causes and discuss improvement options, a much better outcome can be achieved.

A facilitated workshop at the end of an audit that involves the internal audit team and a key group
from business areas can be very productive to decide the most appropriate improvement actions from
the audit.