PROFESSIONAL ELECTIVE 1

a. Risk management. This refers to the identification,

CHAPTER 1 measurement, assessment, and response to risks.

b. Control. This refers to those activities that mitigate relevant

risks and helps the organization avoid surprises.
Operational Auditing is defined as “A future-oriented,
systematic, and independent evaluation of organizational activities. c. Governance processes. Corporate governance is a wide
Financial data may be used, but the primary sources of evidence subject that includes matters related to organizational structure,
are the operational policies and achievements related to reporting lines, span of control, resource allocation, accountability
organizational objectives, Internal controls and efficiencies may be measures, discipline, and rewards mechanisms. Corporate
evaluated during this type of review.” governance relates to ethical behavior by directors and others
charged with the creation and preservation of wealth for all
Internal Auditing is an independent, objective assurance and stakeholders.
consulting activity designed to add value and improve an
organization’s operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to The Other Parts of the Definition
evaluate and improve the effectiveness of risk management,
control, and governance processes. Another aspect of the definition is “… improve an organization’s
operations”. These word speak volumes about the importance of
Internal Auditing definition contains some key language that is not only checking processes to make sure that control activities are
important to note: performed according to procedures documentation, but also
looking at the risk of bottlenecks, slowdowns, rework, and other
1. Independence – Internal audit should not be under the operational dysfunctions that are the result of what consider “the
control of those they audit. other types of risks”.

2. Objectivity – is related to the auditors’ frame of mind and Internal auditors have focused disproportionately on
their ability to examine documents, processes, and programs accounting and financial risks, the risk of poor recordkeeping
without a bias, without an agenda, with no other motive than to and classification, financial abuse, theft.
find the truth and communicate it accurately and promptly.
The purpose of operational auditing is to improve
3. Assurance – relates to the auditors’ ability to give confidence organizational profitability and the attainment of
and make statements regarding the condition of matters within the organizational objectives.
organization. It is often considered a synonym to “compliance” as
has been the traditional focus of internal auditors for millennia. Operational auditing also involves evaluating management
performance, since they have a fiduciary responsibility toward the
4. Consulting – means giving advice to management and the organization’s owners and other relevant stakeholders.
board, and engaging in activities that helps the organization resolve
nagging business issues. Another important aspect of operational auditing is that rather than
merely verifying that employees are performing their duties
5. Designed to add value – Some may even argue that internal according to established policies and procedures, internal auditors
auditors are a necessary evil and an expense they can’t do without also verify a variety of qualitative aspects of the organization and
because regulations, the board of directors, or other stakeholders its activities.
demand the existence of an internal audit function.
Operational audits may also be concerned with the structure of the
6. Improve an organization’s operations – is a very interesting organization, since a poorly structured organization, or one where
statement because many auditors see their role as that of checking information does not flow accurately and promptly jeopardizes
things and verifying the accuracy of various items and activities efforts to achieve objectives. Poorly structured organizations tend
within the organization. to be disorganized, inefficient, have high employee, customer and
vendor turnover, and become wasteful.
7. Help an organization accomplish its objectives. Many
auditors practice what has been commonly referred to as controls- Operational auditing is designed to evaluate the effectiveness
based auditing. In essence, they look for the controls within the and efficiency of business activities, processes, programs,
process or program of their review, then check them to see if they functions, and units
are present and operating as expected.

8. By bringing a systematic, disciplined approach. This refers The Risk-Based Audit

to the approach followed when performing the work. This is
encapsulated in the Standards, the Practice Guides and Practice Engaging in risk-based auditing means that internal auditors must
Advisories, which provide a great deal guidance on how to plan, exercise and apply a broader view of organizational risks.
execute, and communicate the results of the work done. Accounting and financial risks are only a limited number of the
many risks organizations face. Other examples include the risk of
9. To evaluate and improve the effectiveness. Our role as delays, waste, inefficiency, poor customer service, excessive
auditors goes beyond evaluating business dynamics and writing customer and employee turnover, poor quality data, and system
reports that merely lists the problems identified failures.

The definition indicates that we evaluate, but also help to improve Controls-based auditing is defined as audits that focus on
the organization’s ability to achieve the goals and objectives identifying and evaluating internal controls without enough regard
related to: to their value to the process. This can happen because auditors take
a preexisting work program without researching the nuances of the
present audit scope sufficiently or even when they perform 2. What are the interests of each stakeholder?
planning activities, their interviews and other research only focuses
on identifying existing controls without fully understanding the key 3. What is the power of each stakeholder?
risks and objectives of the process under review.

Performing risk-based audits requires more brainstorming, more

interactions with process owners, a more in-depth understanding of Stakeholders refer to persons or group that affect, or are affected
the organization’s business, and a mechanism to address past, by an organization’s decisions, policies, and operations, it is
present, and future vulnerabilities and scenarios that threaten the important to identify those parties and document their interests.
achievement of business objectives.
Conducting a stakeholder analysis is an important aspect of modern
internal auditing, because it gives the auditor an appreciation for
Auditing Beyond Accounting, Financial, and Regulatory the various parties interested in the outputs and outcomes of the
Requirements organization, its programs and processes.

Over time, business leaders and managers witnessed business Table 1.1 Primary Stakeholders, Nature of Interest, and Power
failures caused by poor management decisions and practices. By
poor management, it is referring to inadequate:

· Operations management. Some of the related issues are waste,

inefficiencies, supplies that arrive late, poor customer satisfaction,
and limited capacity to grow as opportunities arise or customers’
demands change.

· Human resources. As evidenced by poorly supervised,

trained, and evaluated employees who sometimes become
unmotivated and unproductive.

· IT. Computer systems designed with an inaccurate

understanding of the business needs and uses of these systems,
poor data capture, and inadequate reporting mechanisms.

· Marketing. Mass marketing of products and services at a time Table 1.2 Secondary Stakeholders, Nature of Interest, Power
when customers prefer to feel unique, or wasteful campaigns
because they target the wrong audience.

· CSR. Issuer range from child labor, sweatshop conditions,

abusive management, and inappropriate waste disposal.

· Environmental Health and Safety (EHS) practices and

conditions related to poor ventilation, excessive heat, extreme
noise levels, and workplace hazards caused by chemicals,
machinery, and workplace configurations, among others.

The Value Auditors Provide

Internal auditors are unfortunately not always regarded as highly as

they should be. Seen as an obstacle, too many managers and
employees fail to recognized that internal auditors provide a very
valuable service to their clients-whether they are employees of the
firm, or hired externally to provide internal audit services.

The Cornell University Law School Legal Information Institute

defines fiduciary responsibility as follows:

A fiduciary duty is a legal duty to act solely in another party’s Identifying Operational Threats and Vulnerabilities
interests. Parties owing this duty are called fiduciaries. The
individuals to whom they own a duty are called principals. The traditional approach to internal auditing was to perform
Fiduciaries may not profit from their relationship with their postmortem reviews to verify that what was done was done
principals unless they have the principals’ express informed appropriately. Internal auditors need to go beyond inspecting
consent. They also have a duty to avoid any conflicts of interest transactions long after they were performed because they focus
between themselves and their principals or between their principals now leans toward an examination of future threats and
and the fiduciaries’ other clients. vulnerabilities that can derail the organization’s goal and objectives
in the short, medium, and even the long term.
An important aspect of the modern manager and auditor’s job is to
identify relevant stakeholders and to understand their interests. It is These future-oriented threats and vulnerabilities can be
also important to understand the power they have to assert these
interests. This process is called stakeholder analysis, which asks Operational, such as maintaining operational capacity, speed of
three fundamental questions: execution (i.e., cycle time) staffing levels, employee motivation,
knowledge transfer, system development, and implementation.
1. Who are the relevant stakeholders?
PROFESSIONAL ELECTIVE 1
Technological, including protection of intellectual property and · Relationship building
personally identifiable information, denial of service attacks,
business continuity due to staff turnover, and system development · Work independently

· Team building
Strategic, referring to concerns related to strong customer and
vendor relations, customer loyalty, building effective business · Leadership
partnerships, outsourcing arrangements, and mergers and
acquisitions. · Influence

Environmental, which may include reliable supply of water and · Facilitation

electricity, achieving a lower carbon footprint, and reducing the
· Staff management
amount of natural resources used during business activities.
· Change catalyst skills
The Skills Required for Effective Operational Audits
How to acquire these skills should be done along two dimensions.
The paradigm in the work of internal auditing from being controls- One at the individual level and the other at the internal audit unit
based to risk based means that internal auditors must acquire and level.
apply different skills to their trade from what they did in the past.
Auditor must examine risk exposures and the measures in place to At the individual level, internal auditors, like most professionals
address more than accounting and financial risks. today, are expected to take ownership of their own training and
development and not leave it to their employers to decide and
According to the IIA Research Foundation Core Competencies implement. Whereas, in the past, it was common for employees to
Report, the following are the top general competencies of internal take a passive approach, waiting for their employers to tell them
auditors: when, what, and why training would occur, today’s auditors should
take a more active and engaged approach to their training needs.
1. Communication skills, such as oral, written, report writing, They should
and presentation skills.
1. Reflect on their present competencies, identify their job
2. Problem identification and solution skills, such as conceptual needs, and perform a gap analysis to meet their current skill
and analytical thinking. requirements.
3. Ability to promote the value of internal audit 2. Define their career ambitions and chart a roadmap to acquire
the skills and competencies needed in the future.
4. Knowledge of industry, regulatory, and standards changes
At the internal audit level, the department should perform a skills
5. Organization skills analysis to identify their present skill repertoire, and those needed
to perform audit and other reviews competently in the next 3-7
6. Conflict resolution/negotiation skills years.
7. Staff training and development The IIA Research Foundation Internal Audit Capability Model (IA-
CM) can be used to assess the internal audit department’s current
8. Accounting frameworks, tools, and techniques conditions and also as a visioning tool, helping to draft the course
and expectations for the internal audit function.
9. Change management skills
The 5-level framework identifies conditions and practices that
10. IT/CT framework, tools, and techniques internal auditors should review, and use as a roadmap for
continuous improvement from Level 1-Ad Hoc/Initial to Level 5-
11. Cultural fluency and foreign language skills Optomizing/Change Agent (Table 1.3)
The three common core competencies identified in the report are
communication skills, problem identification and solution skills,
and keeping up to date with industry and regulatory changes and
professional standards.

In terms of behavioral skills, internal auditors should possess the

following skills:

· Confidentiality

· Objectivity

· Communication

· Judgment

· Work well with all management levels

· Possess governance and ethics sensitivity

· Be team players
The Standards

The Institute of Internal Auditors (IIA), which is the governing

body of internal auditors worldwide, provides guidance for internal
auditors on what should be done, how it should be done, and why.

Adhering to the International Standards for Professional Practice of

Internal Auditing (Standards) is mandatory, while following the
guidance provided in the Practice Advisories and Practice Guides
is highly recommended and encouraged.

CHAPTER 2
The planning phase includes scoping, budgeting, defining the
population of interest, how testing will be performed, and
announcing the audit. Planning is arguably the most important part
of an audit.
 This enterprise risk assessment should be done
collaboratively with senior management and the board of
directors.
 This risk assessment should then generate two key
outputs: (1) a strategic plan impacting company
operations for management use and (2) an audit plan.

When performing each of the audits in the audit plan, the auditor in
charge must perform a
number of tasks. These include communicating with the
corresponding process owner about the
timing of the review, requesting needed financial and operational
reports and documents, coordinating staff availability, identifying
the systems in use, and defining the scope, objectives, work
schedule, and budget for the engagement.

This risk assessment should identify auditable activities, relevant

risk factors, and the relative significance/consequence,
likelihood/probability of those risks.

Risk factors play an important role during planning, and in

particular, during risk assessments.
 Risk factors are conditions and other variables that in
their present, or absence, as the case may be, either
exacerbate or diminish the underlying risk.
 Another risk factor is the extent of judgement that can be
exercised when performing relevant operational and
control activities.
 An example of a risk factor that moves in the same
direction as the underlying risk is the number of
transactions. As the number of transactions of interest
increases, the risks of errors and omissions increases.