
BALIUAG UNIVERSITY

College of Business Administration and Accountancy


Operations Auditing

Lesson 1: Fundamental Principles of Operations Audit LVC

I. Basics of Operations Audit


 Three common types of audit
Type | Purpose | Audit Standard
Financial statement audit | Examine whether the financial statements are in accordance with financial reporting standards (i.e. PFRS) | Philippine Standards of Auditing (PSAs)
Compliance audit | Assess if an organization has complied with applicable laws, rules and regulations. | Philippine Public Sector Auditing and Assurance Standards (PPSAASs)
Operations Audit | Evaluate the effectiveness and efficiency of an entity’s operations. | International Professional Practices Framework (IPPF)

 Introduction to operational audit


 The Institute of Internal Auditors’ (IIA) definition of an operational audit: A systematic process of evaluating
an organization's effectiveness, efficiency and economy of operations under management's control and
reporting to appropriate persons the results of the evaluation along with recommendations for
improvement.
 Operational audits typically evaluate the effectiveness and efficiency of various operational processes. As
such they are similar to performance audits.
 While an audit is usually associated with financial matters, operational audits are more comprehensive and
go beyond financial data (although that type of reporting is often included). The primary information
sources are policies and achievements related to the objectives of the organization.
 Operational audits are a ‘deep dive’ into every facet of management. As a result, start-to-finish time frames
can vary from a few weeks to many months, depending on scope, complexity, and size of the organization,
and whether the audit is for the entire entity or a particular business unit. Unlike financial audits, which are
conducted by external entities, operational audits are often carried out by an internal auditor.
 Key features of operations audit
• Management Assertion: That the organization's operations are conducted effectively and efficiently
• Established Criteria: Objectives set by the board of directors
• Audit Report: Recommendations on how to improve operations
• Auditor: Generally performed by internal auditors

 Objectives and benefits of operations audit


 The first step in the audit process is to establish its objectives. Objectives can vary depending on the type of
organization and its key performance indicators (KPIs), or whether the audit is being conducted to answer a
specific concern from challenges arising in areas like human resources, customer relations, or manufacturing
slow-downs. There may also be government compliance issues to consider such as consumer safety.
 The audit supplies a fresh perspective on the good and not-so-good aspects of organizational practices and
processes. The final report should make management aware of problems they might not have otherwise
understood, and give them a knowledge base for making improvements. Executives can also use
organizational audit results to motivate team members and emphasize existing or new goals. Subsequent
actions can then lead to greater profitability, legal compliance, and employee satisfaction in the long term.
 Organizations can expect to achieve five primary goals or main advantages by performing any operational
audit:
a) Influence Positive Change: Understand how future processes, policies, procedures, and other types of
management are producing maximum effectiveness and efficiency.

b) Review Internal Controls: Establish the potential impact of successes and failures in the specialized
functional areas of operation.
c) Understand Risks: The types of risk associated with business and operations include business
interruption, employee omissions or errors, IT system failure, product failure, safety and health issues,
loss of key employees, fraud, loss of suppliers, and litigation.
d) Identify Improvement Opportunities: As a result of understanding risks, auditors can determine where
to make improvements and how to mitigate risks and improve opportunities. The broad categories of
risk - and where improvements should occur - are operational risk, financial risk, environmental risk, and
reputational risk.
e) Inform Senior Management: The results of the audit should appear in a clear report that provides
objective analysis, appraisals, recommendations, and pertinent comments concerning the activities
reviewed.

 PRACTICE PROBLEM 1: Identify the different types of internal/operational audits. Refer to the word box below.
a) __________________________ - focuses on financial controls as they relate to reporting to internal and
external governing bodies. This is the expertise of external auditors. Internal audits complement the work of
operational audits, which includes some form of budget, or a financial review.
b) __________________________ - periodic analysis of various divisions to assess the adequacy of controls,
how well assets are safeguarded, how resources are used, and if there is compliance with applicable laws.
c) __________________________ - investigate overall infrastructure and networks, technical operations, data
center operation, project management, and review security status and procedures.
d) __________________________ - often conducted when a company suspects a risk of security breach, or
when one has occurred on the part of an individual or department to understand causes and additional
background information and research.
e) __________________________ - review the level of adherence or agreement with external regulatory
requirements or internal policies.
f) __________________________ - a broad, precise, and autonomous probe into the marketing of a company
or a business. An audit holds both an external situation analysis and a thorough review of internal marketing
goals, strategies, capabilities, processes, and systems.
g) __________________________: after an operational audit report has been issued, it is standard practice to
monitor and evaluate corrective actions, usually within a six-month period.
Word box: Compliance Audit; Follow-up audit; Investigative audit; Department review; Information System audit;
Marketing audit; Financial audit/review

 Management of audit program

 An audit program is the document that lists the procedures to be followed during an audit engagement,
designed to achieve the audit plan.
 Establishing Objectives: Base objectives on management goals and priorities. Consider the characteristics of
products, projects, processes, and any changes to them. Take into account management system
requirements, contractual and legal requirements, and other requirements. Evaluate suppliers and the
needs and expectations of interested parties, including customers. Take into account the auditee’s level of
performance, risks, previous audit results, and the maturity of the management system being audited.
 Establishing the Audit Program: Identify the responsibilities of the audit program manager and establish his
or her competence. Determine the scope and potential risks, then set procedures and identify
resources.
 Implementing the Audit Program: Define the objectives, scope, and criteria, and select the audit team
members and assign responsibility to the audit team leader. Manage the outcome and records.
 Monitoring the Audit Program: Assess conformity with the program, schedule, and objectives, and then
assess the performance of the audit team members and the ability of the audit teams to implement the
plan. Evaluate feedback of all stakeholders. Some factors can determine the need to modify the program,
including audit findings, the demonstrated level of management system effectiveness, and changes to the
auditee’s management system, standards, and other requirements.
 Reviewing and Improving the Audit Program: Evaluate if objectives have been achieved. Use lessons
learned as inputs for continual improvement. The review should consider results and trends, conformity
with procedures, the evolving needs and expectations of interested parties, records, alternative or new
auditing methods, the effectiveness of the measures to address associated risks, and confidentiality and
information security issues relating to the audit program.

 Operational Audit Activities

 Initiating the Audit: Establish initial contact with the auditee and any designated leaders. Determine the
feasibility of the audit and review the assignment to ensure the objectives are achievable.
 Preparing Audit Activities: Review pertinent documents. Prepare the audit plan, assign work as needed, and
organize necessary action plans and documents.
 Conducting Audit Activities: Conduct a meeting to confirm that all parties agree to the proposed plan.
Introduce team members to management and each other. Double check that you can perform the audit
actions defined in the plan as intended. Review documents as needed throughout the process. The team
should regularly meet to review and exchange information, assess progress, and reassign work if necessary.

- Collecting and Verifying Information: After you receive the audit documents, review the information
sources. Audit the evidence and evaluate it against the audit criteria. Review conclusions.
- Generating Audit Findings: The findings will conform or not conform with audit criteria. For a non-
conforming finding, record the supporting evidence. Review the information with the auditee to
ascertain if the evidence is correct. The team should meet to review findings at designated and/or
appropriate audit stages.
- Conducting the closing meeting: Before the closing meeting to review findings, the audit team should
confer and collect information against objectives. The team should agree on conclusions, prepare
recommendations, and discuss follow-up. Have a closing meeting facilitated by the team leader to
present the findings and conclusions.
 Preparing and Distributing the Audit Report: The team leader reports the results with a complete, accurate,
concise, and clear audit record, and delivers it within the agreed period. In case of a delay, the auditee and
program manager should discuss why it happened. The report must be dated, reviewed, and approved
based on agreed upon procedures. Distribute the report as defined in the plan to the appropriate recipients.
 Completing the Audit: Work is complete when all planned audit activities are accomplished. Documents are
kept or destroyed based on the procedures and applicable requirements set at the beginning of the audit. If
disclosure is necessary, inform the audit client and auditee as soon as possible. Add lessons learned from the
audit to the continual improvement process.

II. International Professional Practices Framework (IPPF)


 IPPF is the conceptual framework that organizes authoritative guidance promulgated by The Institute of Internal
Auditors (IIA).
 A trustworthy, global, guidance-setting body, The IIA provides internal audit professionals worldwide with
authoritative guidance organized in the IPPF as mandatory guidance and recommended guidance.

A. Mandatory Guidance
Mandatory guidance is developed following an established due diligence process, which includes a period of
public exposure for stakeholder input. The mandatory elements of the IPPF are:
1. Core Principles for the Professional Practice of Internal Auditing
2. Definition of Internal Auditing
3. Code of Ethics
4. International Standards for the Professional Practice of Internal Auditing

B. Recommended Guidance
Recommended guidance is endorsed by The IIA through a formal approval process. It describes practices for
effective implementation of The IIA's Core Principles, Definition of Internal Auditing, Code of Ethics, and
Standards. The recommended elements of the IPPF are:
1. Implementation Guidance
2. Supplemental Guidance

III. The Mission and the Definition of Internal Audit


 Mission
 The Mission of Internal Audit articulates what internal audit aspires to accomplish within an organization. Its
place in the New IPPF is deliberate, demonstrating how practitioners should leverage the entire framework
to facilitate their ability to achieve the Mission.
 The mission of internal audit: To enhance and protect organizational value by providing risk-based and
objective assurance, advice, and insight.

 Definition
 The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal auditing.
 Internal auditing is an independent, objective assurance and consulting activity designed to add value and
improve an organization's operations. It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and
governance processes.

IV. Core Principles for the Professional Practice of Internal Auditing and The Institute of Internal Auditors’ Code of
Ethics

 Core Principles for the Professional Practice of Internal Auditing


 The Core Principles, taken as a whole, articulate internal audit effectiveness. For an internal audit function
to be considered effective, all Principles should be present and operating effectively.
 How an internal auditor, as well as an internal audit activity, demonstrates achievement of the Core
Principles may be quite different from organization to organization, but failure to achieve any of the
Principles would imply that an internal audit activity was not as effective as it could be in achieving internal
audit’s mission.
 PRACTICE PROBLEM 2. Enumerate the ten core principles for the professional practice of internal auditing.
1. __________________________________________
2. __________________________________________
3. __________________________________________
4. __________________________________________
5. __________________________________________
6. __________________________________________
7. __________________________________________
8. __________________________________________
9. __________________________________________
10. __________________________________________

 The Institute’s (IIA) Code of Ethics


 A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the
trust placed in its objective assurance about governance, risk management, and control. The Institute’s Code
of Ethics extends beyond the Definition of Internal Auditing to include two essential components:
1) Principles that are relevant to the profession and practice of internal auditing.
2) Rules of Conduct that describe behavior norms expected of internal auditors.
 These rules are an aid to interpreting the Principles into practical applications and are intended to guide the
ethical conduct of internal auditors.

 Applicability and Enforcement of the Code of Ethics


 This Code of Ethics applies to both entities and individuals that perform internal audit services.
 For IIA members and recipients of or candidates for IIA professional certifications, breaches of the Code of
Ethics will be evaluated and administered according to The IIA’s Bylaws, the Process for Disposition of Code
of Ethics Violation, and the Process for Disposition of Certification Violation. The fact that a particular
conduct is not mentioned in the Rules of Conduct does not prevent it from being unacceptable or
discreditable, and therefore, the member, certification holder, or candidate can be liable for disciplinary
action.

 Code of Ethics - Principles


 PRACTICE PROBLEM 3. Identify the following principles that internal auditors/operational auditors must
uphold:
1. ___________________ – This principle establishes trust and thus provides the basis for reliance on the
auditor’s judgment.
2. ___________________ – Internal auditors exhibit the highest level of this principle in gathering,
evaluating, and communicating information about the activity or process being examined. Internal
auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by
their own interests or by others in forming judgments.
3. ___________________ – Internal auditors respect the value and ownership of information they receive
and do not disclose information without appropriate authority unless there is a legal or professional
obligation to do so.
4. ___________________ – Internal auditors apply the knowledge, skills, and experience needed in the
performance of internal audit services.

 Rules of Conduct
1. Integrity – Internal auditors:
1.1. Shall perform their work with honesty, diligence, and responsibility.
1.2. Shall observe the law and make disclosures expected by the law and the profession.
1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the
profession of internal auditing or to the organization.
1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.

2. Objectivity – Internal auditors:


2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their
unbiased assessment. This participation includes those activities or relationships that may be in conflict
with the interests of the organization.
2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment.
2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of
activities under review.

3. Confidentiality – Internal auditors:


3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.
3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or
detrimental to the legitimate and ethical objectives of the organization.

4. Competency – Internal auditors:


4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience.
4.2. Shall perform internal audit services in accordance with the International Standards for the Professional
Practice of Internal Auditing.
4.3. Shall continually improve their proficiency and the effectiveness and quality of their services.

V. International Standards for the Professional Practice of Internal Auditing (Standards)


 The purpose of the Standards
1. Guide adherence with the mandatory elements of the International Professional Practices Framework.
2. Provide a framework for performing and promoting a broad range of value-added internal auditing services.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations.

 PRACTICE PROBLEM 4. Identify the following terminologies. (Please refer to International Standards for the
Professional Practice of Internal Auditing)
a) An objective examination of evidence for the purpose of providing an independent assessment on
governance, risk management, and control processes for the organization. Examples may include financial,
performance, compliance, system security, and due diligence engagements. __________________________
b) A formal document that defines the internal audit activity’s purpose, authority, and responsibility.
__________________________________.
c) The role of a person in a senior position responsible for effectively managing the internal audit activity in
accordance with the internal audit charter and the mandatory elements of the International Professional
Practices Framework. ______________________________________
d) Any relationship that is, or appears to be, not in the best interest of the organization. This would prejudice
an individual’s ability to perform his or her duties and responsibilities objectively. ___________________
e) Advisory and related client service activities, the nature and scope of which are agreed with the client, are
intended to add value and improve an organization’s governance, risk management, and control processes
without the internal auditor assuming management responsibility. ________________________________
f) Any action taken by management, the board, and other parties to manage risk and increase the likelihood
that established objectives and goals will be achieved. _____________________
g) The policies, procedures (both manual and automated), and activities that are part of a control framework,
designed and operated to ensure that risks are contained within the level that an organization is willing to
accept. ____________________________
h) A document that lists the procedures to be followed during an engagement, designed to achieve the
engagement plan. ____________________________________
i) Any illegal act characterized by deceit, concealment, or violation of trust. ______________________

j) The combination of processes and structures implemented by the board to inform, direct, manage, and
monitor the activities of the organization toward the achievement of its objectives. ___________________
k) Consists of the leadership, organizational structures, and processes that ensure that the enterprise’s
information technology supports the organization’s strategies and objectives. ________________________
l) A department, division, team of consultants, or other practitioner(s) that provides independent, objective
assurance and consulting services designed to add value and improve an organization’s operations.
____________________________
m) An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that
they believe in their work product and that no quality compromises are made. _______________________
n) The possibility of an event occurring that will have an impact on the achievement of objectives. __________
o) Any automated audit tool, such as generalized audit software, test data generators, computerized audit
programs, specialized audit utilities, and computer-assisted audit techniques (CAATs).
_____________________________________

 Categories of the Standards


1. Attribute Standards address the attributes of organizations and individuals performing internal auditing.
2. Performance Standards describe the nature of internal auditing and provide quality criteria against which
the performance of these services can be measured.

 Assurance and consulting services


 Implementation Standards expand upon the Attribute and Performance Standards by providing the
requirements applicable to assurance or consulting services.
 Assurance services involve the internal auditor’s objective assessment of evidence to provide opinions or
conclusions regarding an entity, operation, function, process, system, or other subject matters. The nature
and scope of an assurance engagement are determined by the internal auditor.
- Three parties in assurance services:
1. Process owner – the person or group directly involved with the entity, operation, function, process,
system, or other subject matter.
2. Internal auditor – the person or group making the assessment.
3. User – the person or group using the assessment.
 Consulting services are advisory in nature and are generally performed at the specific request of an
engagement client. The nature and scope of the consulting engagement are subject to agreement with the
engagement client. When performing consulting services the internal auditor should maintain objectivity
and not assume management responsibility.
- Two parties involved in consulting services:
1. Internal auditor – the person or group offering the advice.
2. Engagement client – the person or group seeking and receiving the advice.

 Application of the Standards


 The Standards apply to individual internal auditors and the internal audit activity.
 All internal auditors are accountable for conforming with the standards related to individual objectivity,
proficiency, and due professional care and the standards relevant to the performance of their job
responsibilities.
 Chief audit executives are additionally accountable for the internal audit activity’s overall conformance with
the Standards.
 If internal auditors or the internal audit activity is prohibited by law or regulation from conformance with
certain parts of the Standards, conformance with all other parts of the Standards and appropriate
disclosures are needed.
 If the Standards are used in conjunction with requirements issued by other authoritative bodies, internal
audit communications may also cite the use of other requirements, as appropriate.
 In such a case, if the internal audit activity indicates conformance with the Standards and inconsistencies
exist between the Standards and other requirements, internal auditors and the internal audit activity must
conform with the Standards and may conform with the other requirements if such requirements are more
restrictive.


 PRACTICE PROBLEM 5. Identify the following internal auditing standards based on the International Standards
for the Professional Practice of Internal Auditing (Please refer to International Standards for the Professional
Practice of Internal Auditing)
A. Attribute Standards
1000 – __________________________________
1010 – __________________________________
1100 – __________________________________
1110 – __________________________________
1111 – __________________________________
1112 – __________________________________
1120 – __________________________________
1130 – __________________________________
1200 – __________________________________
1210 – __________________________________
1220 – __________________________________
1230 – __________________________________
1300 – __________________________________
1310 – __________________________________
1311 – __________________________________
1312 – __________________________________
1320 – __________________________________
1321 – __________________________________

B. Performance Standards (Please refer to International Standards for the Professional Practice of Internal
Auditing)
2000 – __________________________________
2010 – __________________________________
2020 – __________________________________
2030 – __________________________________
2040 – __________________________________
2050 – __________________________________
2060 – __________________________________
2070 – __________________________________
2100 – __________________________________
2110 – __________________________________
2120 – __________________________________
2130 – __________________________________
2200 – __________________________________
2201 – __________________________________
2210 – __________________________________
2220 – __________________________________
2230 – __________________________________
2240 – __________________________________
2300 – __________________________________
2310 – __________________________________
2320 – __________________________________
2330 – __________________________________
2340 – __________________________________
2400 – __________________________________
2410 – __________________________________
2420 – __________________________________
2421 – __________________________________
2430 – __________________________________
2431 – __________________________________
2440 – __________________________________
2450 – __________________________________
2500 – __________________________________
2600 – __________________________________


References
Kandarpa, S. (2015). How to conduct an effective internal quality audit? [Infographic on audit program, audit activities
and conducting audit activities]. https://www.slideshare.net/ramu9682/how-to-conduct-an-effective-internal-quality-audit-52730666

Salosagcol, J. G., Tiu, M. F., & Hermosilla, R. E. (2009). Auditing Theory: A Guide in Understanding the AASC
Pronouncements. GIC Enterprises & Co., Inc.

Smartsheet. (n.d.). Operational Audits 101: Processes, Examples, and Checklists. https://www.smartsheet.com/operational-audit-process#:~:text=The%20Operational%20Auditing%20Handbook%20borrows,the%20results%20of%20the%20evaluation

The Institute of Internal Auditors. (2016). International Standards for the Professional Practice of Internal Auditing
(Standards). na.theiia.org/standards-guidance/Public%20Documents/IPPF-Standards-2017.pdf

The Institute of Internal Auditors. (2013). The Institute of Internal Auditors’ Code of Ethics. na.theiia.org/special-promotion/PublicDocuments/Code%20of%20Ethics.pdf

The Institute of Internal Auditors. (n.d.). Standards & Guidance — International Professional Practices Framework (IPPF).
https://na.theiia.org/standards-guidance/Pages/Standards-and-Guidance-IPPF.aspx

- End of lesson 1

“Be joyful in hope, patient in affliction, faithful in prayer.” Romans 12:12

“Help yourself and God will help you.” St Joan of Arc.
