Professional Documents
Culture Documents
Lesson 1 Page 1 of 9
Lesson 1: Fundamental Principles of Operations Audit LVC
b) Review Internal Controls: Establish the potential impact of successes and failures in the specialized
functional areas of operation.
c) Understand Risks: The type of risks associated with business and operational risk range from business
interruption, employee omissions or errors, IT system failure, product failure, safety and health issues,
loss of key employees, fraud, loss of suppliers, and litigation.
d) Identify Improvement Opportunities: As a result of understanding risks, auditors can determine where
to make improvements and how to mitigate risks and improve opportunities. The broad categories of
risk - and where improvements should occur - are operational risk, financial risk, environmental risk, and
reputational risk.
e) Inform Senior Management: The results of the audit should appear in a clear report that provides
objective analysis, appraisals, recommendations, and pertinent comments concerning the activities
reviewed.
PRACTICE PROBLEM 1: Identify the different types of internal/operational audits. Refer to the word box below.
a) __________________________ - focuses on financial controls as they relate to reporting to internal and
external governing bodies. This is the expertise of external auditors. Internal audits complement the work of
operational audits, which includes some form of budget, or a financial review.
b) __________________________ - periodic analysis of various divisions to assess the adequacy of controls,
how well assets are safeguarded, how resources are used, and if there is compliance with applicable laws.
c) __________________________ - investigate overall infrastructure and networks, technical operations, data
center operation, project management, and review security status and procedures.
d) __________________________ - often conducted when a company suspects a risk of security breach, or
when one has occurred on the part of an individual or department to understand causes and additional
background information and research.
e) __________________________ - review the level of adherence or agreement with external regulatory
requirements or internal policies.
f) __________________________ - a broad, precise, and autonomous probe into the marketing of a company
or a business. An audit holds both an external situation analysis and a thorough review of internal marketing
goals, strategies, capabilities, processes, and systems.
g) __________________________: after an operational audit report has been issued, it is standard practice to
monitor and evaluate corrective actions, usually within a six month period.
Compliance Audit Follow-up audit Investigative audit
Department review Information System audit Marketing audit
Financial audit/review
Lesson 1 Page 2 of 9
Lesson 1: Fundamental Principles of Operations Audit LVC
Audit program is the document that lists the procedures to be followed during an audit engagement,
designed to achieve the audit plan.
Establishing Objectives: Base objectives on management goals and priorities. Consider the characteristics of
products, projects, processes, and any changes to them. Take into account management system
requirements, contractual and legal requirements, and other requirements. Evaluate suppliers and the
needs and expectations of interested parties, including customers. Take into account the auditee’s level of
performance, risks, previous audit results, and the maturity of the management system being audited.
Establishing the Audit Program: Identify the responsibilities of the audit program manager and establish his
or her competence of the person. Determine the scope and potential risks, then set procedures and identify
resources.
Implementing the Audit Program: Define the objectives, scope, and criteria, and select the audit team
members and assign responsibility to the audit team leader. Manage the outcome and records.
Monitoring the Audit Program: Assess conformity with the program, schedule, and objectives, and then
assess the performance of the audit team members and the ability of the audit teams to implement the
plan. Evaluate feedback of all stakeholders. Some factors can determine the need to modify the program,
including audit findings, the demonstrated level of management system effectiveness, and changes to the
auditee’s management system, standards, and other requirements.
Reviewing and Improving the Audit Program: Evaluate if objectives have been achieved. Use lessons
learned as inputs for continual improvement. The review should consider results and trends, conformity
with procedures, the evolving needs and expectations of interested parties, records, alternative or new
auditing methods, the effectiveness of the measures to address associated risks, and confidentiality and
information security issues relating to the audit program.
Initiating the Audit: Establish initial contact with the auditee and any designated leaders. Determine the
feasibility of the audit and review the assignment to ensure the objectives are achievable.
Preparing Audit Activities: Review pertinent documents. Prepare the audit plan, assign work as needed, and
organize necessary action plans and documents.
Conducting Audit Activities: Conduct a meeting to confirm that all parties agree to the proposed plan.
Introduce team members to management and each other. Double check that you can perform the audit
actions defined in the plan as intended. Review documents as needed throughout the process. The team
should regularly meet to review and exchange information, assess progress, and reassign work if necessary.
Lesson 1 Page 3 of 9
Lesson 1: Fundamental Principles of Operations Audit LVC
- Collecting and Verifying Information: After you receive the audit documents, review the information
sources. Audit the evidence and evaluate it against the audit criteria. Review conclusions.
- Generating Audit Findings: The findings will conform or not conform with audit criteria. For a non-
conforming finding, record the supporting evidence. Review the information with the auditee to
ascertain if the evidence is correct. The team should meet to review findings at designated and/or
appropriate audit stages.
- Conducting the closing meeting: Before the closing meeting to review findings, the audit team should
confer and collect information against objectives. The team should agree on conclusions, prepare
recommendations, and discuss follow-up. Have a closing meeting facilitated by the team leader to
present the findings and conclusions.
Preparing and Distributing the Audit Report: The team leader reports the results with a complete, accurate,
concise, and clear audit record, and delivers it within the agreed period. In case of a delay, auditee and
program manager should discuss why it happened. The report must be dated, reviewed, and approved
based on agreed upon procedures. Distribute the report as defined in the plan to the appropriate recipients.
Completing the Audit: Work is complete when all planned audit activities are accomplished. Documents are
kept or destroyed based on the procedures and applicable requirements set at the beginning of the audit. If
disclosure is necessary, inform the audit client and auditee as soon as possible. Add lessons learned from the
audit to the continual improvement process.
A. Mandatory Guidance
Mandatory guidance is developed following an established due diligence process, which includes a period of
public exposure for stakeholder input. The mandatory elements of the IPPF are:
1. Core Principles for the Professional Practice of Internal Auditing
2. Definition of Internal Auditing
3. Code of Ethics
4. International Standards for the Professional Practice of Internal Auditing
B. Recommended Guidance
Recommended guidance is endorsed by The IIA through a formal approval process. It describes practices for
effective implementation of The IIA's Core Principles, Definition of Internal Auditing, Code of Ethics, and
Standards. The recommended elements of the IPPF are:
1. Implementation Guidance
2. Supplemental Guidance
Definition
The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal auditing.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and
improve an organization's operations. It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and
governance processes.
Lesson 1 Page 4 of 9
Lesson 1: Fundamental Principles of Operations Audit LVC
IV. Core Principles for the Professional Practice of Internal Auditing and The Institute of Internal Auditors’ Code of
Ethics
Lesson 1 Page 5 of 9
Lesson 1: Fundamental Principles of Operations Audit LVC
Rules of Conduct
1. Integrity – Internal auditors:
1.1. Shall perform their work with honesty, diligence, and responsibility.
1.2. Shall observe the law and make disclosures expected by the law and the profession.
1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the
profession of internal auditing or to the organization.
1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.
PRACTICE PROBLEM 4. Identify the following terminologies. (Please refer to International Standards for the
Professional Practice of Internal Auditing)
a) An objective examination of evidence for the purpose of providing an independent assessment on
governance, risk management, and control processes for the organization. Examples may include financial,
performance, compliance, system security, and due diligence engagements. __________________________
b) A formal document that defines the internal audit activity’s purpose, authority, and responsibility.
__________________________________.
c) The role of a person in a senior position responsible for effectively managing the internal audit activity in
accordance with the internal audit charter and the mandatory elements of the International Professional
Practices Framework. ______________________________________
d) Any relationship that is, or appears to be, not in the best interest of the organization. This would prejudice
an individual’s ability to perform his or her duties and responsibilities objectively. ___________________
e) Advisory and related client service activities, the nature and scope of which are agreed with the client, are
intended to add value and improve an organization’s governance, risk management, and control processes
without the internal auditor assuming management responsibility. ________________________________
f) Any action taken by management, the board, and other parties to manage risk and increase the likelihood
that established objectives and goals will be achieved. _____________________
g) The policies, procedures (both manual and automated), and activities that are part of a control framework,
designed and operated to ensure that risks are contained within the level that an organization is willing to
accept. ____________________________
h) A document that lists the procedures to be followed during an engagement, designed to achieve the
engagement plan. ____________________________________
i) Any illegal act characterized by deceit, concealment, or violation of trust. ______________________
Lesson 1 Page 6 of 9
Lesson 1: Fundamental Principles of Operations Audit LVC
j) The combination of processes and structures implemented by the board to inform, direct, manage, and
monitor the activities of the organization toward the achievement of its objectives. ___________________
k) Consists of the leadership, organizational structures, and processes that ensure that the enterprise’s
information technology supports the organization’s strategies and objectives. ________________________
l) A department, division, team of consultants, or other practitioner(s) that provides independent, objective
assurance and consulting services designed to add value and improve an organization’s operations.
____________________________
m) An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that
they believe in their work product and that no quality compromises are made. _______________________
n) The possibility of an event occurring that will have an impact on the achievement of objectives. __________
o) Any automated audit tool, such as generalized audit software, test data generators, computerized audit
programs, specialized audit utilities, and computer-assisted audit techniques (CAATs).
_____________________________________
Lesson 1 Page 7 of 9
Lesson 1: Fundamental Principles of Operations Audit LVC
PRACTICE PROBLEM 5. Identify the following internal auditing standards based on the International Standards
for the Professional Practice of Internal Auditing (Please refer to International Standards for the Professional
Practice of Internal Auditing)
A. Attribute Standards
1000 – __________________________________
1010 – __________________________________
1100 – __________________________________
1110 – __________________________________
1111 – __________________________________
1112 – __________________________________
1120 – __________________________________
1130 – __________________________________
1200 – __________________________________
1210 – __________________________________
1220 – __________________________________
1230 – __________________________________
1300 – __________________________________
1310 – __________________________________
1311 – __________________________________
1312 – __________________________________
1320 – __________________________________
1321 – __________________________________
B. Performance Standards (Please refer to International Standards for the Professional Practice of Internal
Auditing)
2000 – __________________________________
2010 – __________________________________
2020 – __________________________________
2030 – __________________________________
2040 – __________________________________
2050 – __________________________________
2060 – __________________________________
2070 – __________________________________
2100 – __________________________________
2110 – __________________________________
2120 – __________________________________
2130 – __________________________________
2200 – __________________________________
2201 – __________________________________
2210 – __________________________________
2220 – __________________________________
2230 – __________________________________
2240 – __________________________________
2300 – __________________________________
2310 – __________________________________
2320 – __________________________________
2330 – __________________________________
2340 – __________________________________
2400 – __________________________________
2410 – __________________________________
2420 – __________________________________
2421 – __________________________________
2430 – __________________________________
2431 – __________________________________
2440 – __________________________________
2450 – __________________________________
2500 – __________________________________
2600 – __________________________________
Lesson 1 Page 8 of 9
Lesson 1: Fundamental Principles of Operations Audit LVC
References
Kandarpa, S. (2015). How to conduct an effective internal quality audit? [Infographic on audit program, audit activities
and conducting audit activities]. https://www.slideshare.net/ramu9682/how-to-conduct-an-effective-internal-
quality-audit-52730666
Salosagcol, J. G., Tiu, M. F., & Hermosilla, R. E. (2009). Auditing Theory: A Guide in Understanding the AASC
Pronouncements. GIC Enterprises & Co., Inc.
Smartsheet. (n.d.). Operational Audits 101: Processes, Examples, and Checklists. https://www.smartsheet.com/
operational-audit-process#:~:text=The%20Operational%20Auditing%20Handbook%20borrows,the%20results
%20of%20the%20evaluation
The Institute of Internal Auditors. (2016). International Standards for the Professional Practice of Internal Auditing
(Standards). na.theiia.org/standards-guidance/Public%20Documents/IPPF-Standards-2017.pdf
The Institute of Internal Auditors. (2013). The Institute of Internal Auditors’ Code of Ethics. na.theiia.org/special-
promotion/PublicDocuments/Code%20of%20Ethics.pdf
The Institute of Internal Auditors. (n.d.). Standards & Guidance — International Professional Practices Framework (IPPF).
https://na.theiia.org/standards-guidance/Pages/Standards-and-Guidance-IPPF.aspx
- End of lesson 1
Lesson 1 Page 9 of 9