Operations

Auditing

Robert Rubin, CPA

BULSU Professor
Agenda
• Definition and Characteristics of Operational
Auditing
• The Risk-Based Audit
• Auditing Beyond Accounting, Financial, and
Regulatory Requirements
• Identifying Operational Threats and Vulnerabilities
• The Skills Required for Effective Operational Audits
• Integrated Auditing
• The Standards
What is
Operational
Auditing
Key Language for Operations Audit

Independence

Objectivity

Assurance

Consulting
Key Language for Operations Audit (cont’d)
Designed to add value.

Improve an organization’s operations

Help an organization accomplish its objectives

By bringing a systematic, disciplined approach

To evaluate and improve the effectiveness

Independence
Objectivity
Assurance
Consulting
Design to add value
Improve an organization’s
operations
Help an organization
accomplish its objectives
By bringing a systematic,
disciplined approach.
To evaluate and improve the
effectiveness.
The Risk-Based Audit

• the technique that auditors use in

performing the audit, in which they focus
on analyzing and managing different types
of risks that could lead to material
misstatement.
 Audit Risk
Risk of Material Misstatement/Client Risks

INHERENT RISK CONTROL RISK DETECTION RISK

Auditing Beyond
Accounting,
Financial,
and Regulatory
Requirements
Business Operations management

failures Human resources

caused by IT

poor
Marketing
management
decisions and CSR

practices. Environmental Health and Safety (EHS) practices and

conditions
 The Value
Auditors Provide
 Figure 1.1
Primary
(economic)
stakeholders
 Figure 1.2
Secondary
(noneconomic)
stakeholders.
Stakeholder
Analysis
 Table 1.1
Primary
Stakeholders,
Nature of
Interest, and
Power
 Table 1.2
Secondary
Stakeholders,
Nature of
Interest, and
Power
Identifying • Operational
Operational • Technological
Threats and • Strategic
Vulnerabilities • Environmental
 1. Communication skills, such as oral, written, report writing,
and presentation skills
2. Problem identification and solution skills, such as
The Skills 3.
conceptual and analytical thinking
Ability to promote the value of internal audit
Required for 4. Knowledge of industry, regulatory, and standards changes

Effective 5.
6.
Organization skills
Conflict resolution/negotiation skills
Operational 7. Staff training and development

Audits 8.
9.
Accounting frameworks, tools, and techniques
Change management skills
10. IT/CT* framework, tools, and techniques
11. Cultural fluency and foreign language skills
 1. Reflect on their present competencies,
identify their job needs, and perform a gap
How to analysis to meet their current skill
requirements
acquire this
skills 2. Define their career ambitions and chart a
roadmap to acquire the skills and
competencies needed in the future
Integrated Auditing
• involves both the audit by an
outside auditor of a client's
financial statements and its
system of controls over financial
reporting
• include an extensive examination
of the controls associated with a
firm's transaction processing
systems
Figure 1.3
Integrated
auditing
 The
Standards
1210—Proficiency Internal auditors must possess
the knowledge, skills, and other competencies
needed to perform their individual responsibilities.
The internal audit activity collectively must possess
or obtain the knowledge, skills, and other
competencies needed to perform its responsibilities.
1210.A3—Internal auditors must have sufficient
knowledge of key IT risks and controls and available
technology-based audit techniques to perform their
assigned work. However, not all internal auditors are
expected to have the expertise of an internal auditor
whose primary responsibility is IT auditing.
1220.A2—In exercising due professional
care internal auditors must consider the use
of technologybased audit and other data
analysis techniques
1220.A3—Internal auditors must be alert to the
significant risks that might affect objectives,
operations, or resources. However, assurance
procedures alone, even when performed with due
professional care, do not guarantee that all
significant risks will be identified.
 2010—Planning. The CAE must
establish a risk-based plan to
determine the priorities of the internal
audit activity, consistent with the
organization’s goals.
2120—Risk management. The internal
audit activity must evaluate the
effectiveness and contribute to the
improvement of risk management
processes.
2120.A1—The internal audit activity must evaluate risk exposures relating to
the organization’s governance, operations, and information systems
regarding the:
◾ Achievement of the organization’s strategic objectives
◾ Reliability and integrity of financial and operational information
◾ Effectiveness and efficiency of operations and programs
◾ Safeguarding of assets
◾ Compliance with laws, regulations, policies, procedures, and contract
 2130.A1—The internal audit activity must evaluate the adequacy and
effectiveness of controls in responding to risks within the organization’s
governance, operations, and information systems regarding the:
◾ Achievement of the organization’s strategic objectives
◾ Reliability and integrity of financial and operational information
◾ Effectiveness and efficiency of operations and programs
◾ Safeguarding of assets
◾ Compliance with laws, regulations, policies, procedures, and contract
2130—Control. The internal audit activity
must assist the organization in maintaining
effective controls by evaluating their
effectiveness and efficiency and by
promoting continuous improve
2201—Planning considerations In planning the engagement,
internal auditors must consider:
◾ The objectives of the activity being reviewed and the
means by which the activity controls its performance
◾ The significant risks to the activity, its objectives,
resources, and operations and the means by which the
potential impact of risk is kept to an acceptable level
2220.A1—The scope of the engagement
must include consideration of relevant
systems, records, personnel, and physical
properties, including those under the
control of third parties.
2310—Identifying information Internal
auditors must identify sufficient,
reliable, relevant, and useful
information to achieve the
engagement’s objectives.
 2330—Documenting information.
Internal auditors must document
relevant information to support the
conclusions and engagement results
2410.A2—Internal auditors are
encouraged to acknowledge
satisfactory performance in
engagement communications.
2420—Quality of communications.
Communications must be
accurate, objective, clear, concise,
constructive, complete, and timely.
Questions
& feedback

46
Assessment
Test