
AC413 Operations Auditing Outline & Content

The document provides an overview of operations auditing for the course AC413 Operations Auditing at Meycauayan College in the Philippines. It defines auditing and describes the main types of audits including internal audits, external audits, financial audits, and strategic, operational, and IT audits. It then discusses operational audits in more detail, explaining that they examine a company's internal processes and operations to increase effectiveness. The document outlines the operational audit process and reasons for performing operational audits, such as maximizing efficiency and understanding risks.

Uploaded by

Erlie Cabral

Meycauayan College

Meycauayan, Bulacan

Course: BSA

AC413
Operations Auditing (Elective 4)

Course Coverage:

1. Overview of auditing
2. Types of audit
3. Operational audit in detail
4. Why perform operational audit?
5. Operational audit process
6. Operational audit checklist
7. Operational audit benefits
8. Operational audit challenges
9. Audit process in detail (planning, fieldwork, reporting, and follow-up)
10. Supplemental readings/information

Output: Application of operational audit (groupings, auditee - Meycauayan College)


What is Auditing?

Auditing is the process of assessment and ascertaining of financial, operational,
and strategic goals and processes in organizations to determine whether they are in
compliance with the stated principles in addition to them being in conformity with
organizational and more importantly, regulatory requirements.

Indeed, among the objectives of auditing mentioned above, conformance with
regulatory norms, rules, and regulations is one of the drivers behind
auditing and, historically and traditionally, has been the main reason why
organizations get their financial statements, operational processes, and strategic
imperatives audited.

Auditing is a systematic process by which a competent, independent person
objectively obtains and evaluates evidence regarding assertions about economic
actions and events to ascertain the degree of correspondence between those
assertions and established criteria and communicating the results to interested
users.

(Cited from auditing definition by Balatbat Cabrera -auditing book)

Types of Audits

Among the various types of audits, financial audits are the most popular,
followed by operational and strategic audits, in addition to the emerging
practice of IT (Information Technology) audits. Moreover, auditing as a
process has now become so routine and compulsory worldwide that
organizations spend quite some time getting their books of accounts and
processes audited by both internal and external auditors.

1. Internal Audits

Internal audits refer to the audits done by employees and
stakeholders within the organizations with a view to evaluate and
assess whether the organization is following the internal processes,
norms, rules, and regulations in addition to determining whether it is
in compliance with the regulatory norms.

Indeed, internal audits are sometimes the first checkpoints for
organizations to determine whether their books of accounts,
operational processes, and IT infrastructure and security protocols
are in order with both the internal objectives, strategic imperatives,
and external regulatory requirements.

Having said that, it must be noted that the reason why internal audits
are not accorded more importance over external audits is that since
they are being performed by employees and individuals within the
organizations, the apparent lack of objectivity and thoroughness apart
from a tendency to “cover things up” means that often, external audits
are considered more trustworthy.

2. External Audits

External audits are done by independent and third party agencies and
companies that are especially tasked with assessing and evaluating
an organization’s compliance with the regulatory norms.

Further, some organizations also hire external auditors to “hold a
mirror to themselves” in the sense that any deficiencies and
irregularities can be found that are otherwise not “visible” to the
senior leadership and management during the course of conducting
the everyday operational business.

Moreover, external audits are also mandatory due to regulatory and
compliance reasons as well as due to the shareholder requirements
which mandate that external audits need to be done annually,
quarterly, and half yearly to be presented in the Annual General
Meetings, and meetings of the Board of Directors.

In addition, external audits might also be required in case of
contingencies wherein the regulators who suspect that “something is
amiss” in the companies might mandate those companies to be
audited by independent and third party auditors to ascertain the “true
picture” of the finances and operational details of those companies.

3. Financial Audits

As mentioned earlier, financial audits are the most common form of
audits for various reasons including the fact that businesses exist to
make money and return profits and generate wealth for their
shareholders. This means that investors and other stakeholders must
know whether the businesses are being run properly so that their
capital is safe and generating the stated returns.

Moreover, financial audits are also the most common forms of audits
since any discrepancies in the books of accounts reflect the
mismanagement of the companies, in addition to finance affecting
almost all operational and strategic areas of the companies and their
businesses.

In addition, financial audits are also the first point of evaluation as to
whether the companies are stating the truth and whether they are
hiding or covering up some aspect that can be uncovered and
revealed in a forensic audit.

4. Strategic, Operational, and IT Audits

Having said that, there are other types of audits such as operational,
strategic, and IT audits that have become popular in recent years
mainly due to the increasing complexity of organizational processes
as well as the IT infrastructure and the fast paced external
marketplace which needs an evaluation of whether the organizations
are aligning their internal processes and strategies with that of the
external strategic drivers and imperatives.

In addition, IT audits are being sought to assess and evaluate the
readiness of the organizations’ IT infrastructure and systems and IT
processes to meet the stated goals and objectives in addition to being
able to withstand IT risks and security breaches. Indeed, with the
increase in the nature, type, and variety of IT risks as well as the
increasing complexity of the IT infrastructure, IT audits have now
become as commonplace as financial and operational audits because
both internal and external stakeholders need to know whether the
organization’s IT infrastructure is up to the mark and whether it is
capable of meeting the stated goals and objectives.

Some Issues with Auditing and Auditors

In recent years, there have been concerns about audits being used to
cover up and hide internal deficiencies and weaknesses thereby defeating
the very purpose for which such audits are needed. Indeed, even external
auditors have been found to be colluding with the organizations in this
regard and hence, regulators worldwide have turned their gaze and
tightened the controls and the requirements for such audits. This has been
revealed in the way the United States passed several landmark laws such
as Sarbanes-Oxley in the wake of the Enron scandal wherein the auditor,
Arthur Andersen, was found to be “in cahoots” with the management of
Enron in cooking the books and covering up the malpractices.

Source: https://www.managementstudyguide.com/what-is-auditing-its-types-and-purposes.htm

What is an operational audit?

An operational audit refers to the process of evaluating a company's
operating activities – both on a day-to-day level and a broader scale.
While other types of audits might look solely at a single department or the
company's finances, an operational audit delves deeper. It serves as a
detailed look at all of the internal departments and processes that make up
a business's operations. Whereas a regular audit evaluates financial
statements, an operational audit examines how a company conducts its
business, with the aim of increasing overall effectiveness.
Operational audits could be conducted by outside specialists or an internal
audit team.

Reasons to perform an operational audit

The aim of an operational audit is ultimately to optimize efficiency. By
auditing the business's internal policies and procedures, the company can
identify trouble spots and operate more effectively. The outcomes gleaned
from the audit are most useful to the management team, who can take these
recommendations on board to streamline future processes. Here are three
of the primary outcomes of a successful operational audit:

1. Maximize efficiency: Gain a greater understanding of how future policies and procedures can boost effectiveness.
2. Understand risks: Businesses run many operational risks, ranging from health and safety issues to cyber threats. A full operational audit identifies risks like these, as well as potential problems related to fraud and compliance.
3. Fine tune internal controls: By examining each step of the operational process, an audit can dive deeper into the impact of any changes to internal controls.

Operational Audit Process

A pre-audit meeting lays the foundation for the operational audit process.
At this preliminary stage, the auditor sits down with the management team
to gather relevant information. Collecting background information about
the business helps identify any areas of concern or industry-specific
challenges that need to be addressed. At this preliminary stage, the auditor
will also thoroughly explain the auditing process to the managers.

The auditor can then conduct interviews with managers in control of
potentially risky areas. Objectives and activities are documented, with risks
highlighted and sent back to managers for confirmation. Using the
operational trouble spots, the auditor can design testing procedures at the
control level. Tests are conducted, with results meticulously documented, to
show which new processes or goals can improve the organization's
efficiency.

Finally, the auditor writes up a comprehensive audit report. Follow-up
visits with management can help to fine tune any ongoing issues with new
systems or controls. 

Operational Audit Checklist

The specific areas of scrutiny in an operational audit will depend on the
type of business being audited. We've outlined the general process above,
but here is a quick operational audit checklist of procedures for better flow:

1. Select and screen auditors
2. Define audit plans and scope
3. Pull together reference documents
4. Identify administrative support
5. Research operational procedures
6. Collect statistical evidence
7. Audit evidence from all sources
8. Evaluate evidence
9. Compile audit findings
10. Share audit conclusions
11. Give actionable advice
12. Follow up with questions and concerns

Operational Auditing Benefits

There are many reasons to consider an operational audit. When performed
by an outside party, it provides a business with an objective overview of
company operations. These can yield new insights leading to improved
sales, quicker production processes, and streamlined systems. Identifying
risks ahead of time can future-proof the business against damages.

Operational Auditing Challenges

One factor to consider before ordering an operational audit is that it does
cost both time and money. When managers and employees are engaged
with the audit, they will be pulled away from their usual activities. For
complex organizations, an operational audit can be relatively time-consuming
because each step of the process must be analyzed.

Business owners should also be aware that operational audits can turn up
unexpected problems that take time to repair. This might involve a
complete overhaul of existing systems, requiring new training for
employees. In the long run, these disruptions can be worth the trouble,
should the operational audit lead to a more efficient method of doing
business.

Source: https://gocardless.com/en-us/guides/posts/what-is-an-operational-audit/

Audit Process in Detail

Audit planning is a vital area of the audit primarily conducted at the
beginning of the audit process to ensure that appropriate attention is devoted
to important areas, potential problems are promptly identified, work is
completed expeditiously and work is properly coordinated. "Audit planning"
means developing a general strategy and a detailed approach for the
expected nature, timing and extent of the audit. The auditor plans to
perform the audit in an efficient and timely manner.

An audit plan is the specific guideline to be followed when conducting
an audit. It helps the auditor obtain sufficient appropriate evidence for the
circumstances, helps keep audit costs at a reasonable level, and helps
avoid misunderstandings with the client.

It addresses the specifics of what, where, who, when and how:

• What are the audit objectives?
• Where will the audit be done? (i.e. scope)
• When will the audit occur? (how long?)
• Who are the auditors?
• How will the audit be done?

Benefits of audit plan

• It helps the auditor obtain sufficient appropriate evidence for the circumstances.
• It helps to keep audit costs at a reasonable level.
• It helps to avoid misunderstandings with the client.
• It helps to ensure that potential problems are promptly identified.
• It helps the auditor to know the scope of the audit program.
• It helps to carry out the audit work smoothly and in a well-defined manner.

Process of audit planning

It includes the following procedures:

• Knowledge of client's business, which includes financing, legal framework, government norms, investments, accounting policies, business risk and financial risk
• Development of audit strategies or overall plan (who, when and how)
• Preparation of audit programme

Source: https://en.wikipedia.org/wiki/Audit_plan

Audit Opening Meeting

Checklist to cover during your audit opening meeting

Shown below is a recommended checklist of items to cover if you are doing
a formal external audit of a medical device manufacturer or supplier
(sample company). If you are doing an internal audit in a smaller medical
device company, that’s obviously a less formal situation so you may not
need to cover all of the items noted below.

• Introduce yourself and the team members, as needed
Take care to note each person’s responsibilities during the audit and ask
your auditees to do the same. At this time, all participants should identify
“communication links” between the teams and clarify all lines of
communication and what type of communication should be used based
on time of day, urgency, etc.

• Record names of all participants
It is best to use a pre-printed attendance form. Have everyone print their
name, title, and sign the form. Your opening meeting should not include
all potential auditees. Rather, you should only invite the auditee
management, and where appropriate, those responsible for the functions
or processes to be audited.

• Confirm purpose and scope of the audit
The lead auditor and auditee should revisit the scope and objective of
the audit, even if it has not changed. Discuss and solve differences and
areas of conflict as they arise during the meeting.

• Discuss the role of each team member
Make sure everyone knows who is doing what, at what time and where
they should be.

• Confirm the auditee’s working hours
Find out when your auditees end their day and when they wish to take a
lunch break. Confirm that the appropriate subject matter experts will be
available at the time indicated on the audit plan. This is important
because you need flexibility to change the schedule on the fly if needed.

• Get the names of guides and contacts for the areas being audited
Assigned guides should be available immediately after the opening
meeting so the audit can begin on time.

• Indicate the criteria upon which the audit is based
This seems obvious to you but may not be to others. Remind participants
that you will be auditing against ISO 13485:2016, 21 CFR Part 820.30,
procedure QAP101, etc.

• Emphasize the audit objectives and take a positive approach
It’s important that you set a tone of positivity and indicate that you are not
trying to uncover nonconformities but instead are searching for evidence
of compliance. Semantics matter.

• Present and confirm the audit plan
Ensure that the sequence, times and appropriate people are available as
scheduled. However, be prepared to change the sequence of audit
activities.

• Discuss how the audit will be conducted (note: include the estimated timeline)
The lead auditor should provide a summary of methods and procedures
to be used to conduct the audit, confirm the audit plan and remind the
auditee that the schedule may change as needed.

• Review how audit findings will be documented
Explain how you will use NCs, Concerns, OFIs, etc., or the grading
methodology. Also, make sure everyone understands how possible
findings can be addressed during the audit and under what
circumstances the audit would be terminated early.

• Discuss the responsibilities of auditee management
This applies if nonconformities, opportunities for improvement or
concerns are found. Note that even if there are no nonconformities, an
audit is only a sampling and may not uncover all issues.

• Indicate that your team will try not to upset operations
You don’t want to create animosity by keeping someone from doing their
job longer than necessary. Be sensitive to the fact that while you are
interviewing people, their normal workload does not disappear. Reassure
people that you will try to be as efficient as possible so they can get back
to their jobs as soon as possible.

• Confirm the timing of daily debriefings
Try to be as punctual as possible but also notify everyone that they
should be somewhat flexible on start and end times.

• Confirm the logistics for the audit as needed
If auditing in an unfamiliar location, confirm the area assigned for you to
work, availability of printers/copiers, the guest wireless password, how to
access the display monitor in the debriefing meeting room, meeting times,
and how to contact auditee counterparts during the day. Texting is the most
immediate and effective method, followed by phone, email or contact via
their assistant.

• Confirm the time and day of the closing meeting
During multiday audits, the lead auditor and auditee should have daily
debriefings to discuss progress and nonconformities to date. These are
good opportunities to discuss and resolve situations not anticipated by
either group.

• Note when the audit report will be forthcoming
Especially with external audits, your auditees will be apprehensive about
this so be clear about when they can expect the final report. You can
provide a short range “between December 13-15” but don’t say
“sometime in the next few weeks.”

• Conclude the opening meeting
Discuss and resolve any issues of the audit plan and make sure there
are no lingering uncertainties. Be polite and thank all participants in
advance for their cooperation. Also, don’t take a “15-minute bathroom
break” after the opening meeting ends. Start the audit immediately to
maintain momentum and convey a sense of urgency.

Some common opening meeting pitfalls and how to handle them

Any experienced auditor will tell you that things do not often go as planned.
Here are some common situations that arise during the opening meeting
and how to handle them.

• Management does not attend the opening meeting
This happens quite often. Executives double book themselves or get
trapped in meetings or conference calls that run long. If this occurs,
make sure you capture this information in the audit report using the
opening meeting attendance record. Also, follow up with them post-audit
to give them a personal rundown on findings.

• The auditee tells you that the agreed upon schedule no longer works
Taking a hard line rarely works and sets a poor tone for the rest of the
audit. In this case, work with the audit representative to adjust the
schedule.

• The auditee tells you that critical documented information will not be available for review
This is indeed a problem. In this case you will need to find out why and
confer with the audit manager to decide on whether to continue or delay
the audit.

Source: https://www.orielstat.com/blog/medical-device-audit-opening-meeting-checklist/

Planning

During the planning phase, contact with audit clients is initiated and
relevant background information is gathered to gain an understanding of
the audited area’s size, responsibilities, and procedures in place.  Also in
this phase, audit objectives are defined and audit methodology is
determined through the creation of an audit program, which is the blueprint
for conducting the audit and accomplishing the audit objectives.  In most
cases, a risk assessment of the department and/or function will be
performed to help ensure appropriate areas are included. 

Notification Letter – With few exceptions, audit clients are notified in writing
when their area is selected for an audit; however, due to the nature of
some audit work, little or no advance notice may be given. This letter is
sent to the executive officer of the area being audited as well as the
appropriate individuals, such as the Dean, Chairperson, or Director.  
Occasionally, a preliminary questionnaire and/or a list of documents that
will help the audit team gain an understanding of the unit or function will be
provided at this time.

Entrance Meeting – Depending on the type of audit and the amount of audit
work planned, an entrance meeting may be scheduled with the head of the
unit and any administrative staff that may be involved in the audit. In-person
meetings are preferred, but this may be accomplished via telephone
or other ways if necessary. 

At the Entrance Meeting, the following will take place:

• The objective(s) and scope of the audit will be discussed
• Audit methodology and the reporting process will be explained
• Estimated timing and resource requirements are identified – any potential issues (vacations, deadlines, etc.) that could impact the audit should be brought up at this time
• Any questions about the audit or process will be answered

Input regarding risks and concerns that should be included in the audit is
encouraged and is an important part of this meeting and the planning
phase.

Fieldwork

The evaluation phase of the audit is referred to as fieldwork. This phase
includes assessing the adequacy of internal controls and compliance,
testing of transactions, records, and resources, and performing other
procedures necessary to accomplish the objectives of the audit.

It may be necessary for the audit team to conduct interviews with
departmental personnel and to review departmental records and practices;
however, efforts will be made to minimize disruptions and cooperate with
audit clients to make the audit process as smooth as possible.

The duration of an audit varies depending upon its scope; limited scope
audits may take only a week or two while broad scope audits may take
several months.  In addition, access to personnel and records and the
timeliness of responses to audit requests may also affect the duration of
the audit.

Throughout the audit, audit clients will be informed of the audit process
through regular status meetings and/or communications.  The audit team
makes every effort to discuss audit observations, potential issues, and
proposed recommendations as they are identified.  In some instances, it is
necessary to work directly with audit clients to determine or validate the
root cause and discuss ways to eliminate the root cause.

Reporting

The final result of every audit is a written report that details the audit scope
and objectives, results, recommendations for improvement, and the audit
client’s responses and corrective action plans.

Draft Report – Audit reports are typically prepared in draft form and
distribution is initially limited to the immediate manager of the area so it can
be reviewed prior to further distribution of the audit report. 

If recommendations are made, written responses detailing the following are
requested of the audit client:

• A corrective action plan to resolve the problem and its root cause,
• The person responsible for implementing the corrective action, and
• An expected implementation date.

These responses will be included when the final audit report is distributed
to the appropriate level of University administration.  Priority level issues
and recommendations are reported to and tracked by UT System until
implemented.

Exit Meeting – If necessary, an exit meeting will be held to provide an
opportunity to resolve any questions or concerns the audit client may have
about the audit results and to resolve any other issues before the final audit
report is released.  Those attending usually include the audit team,
management of the audited entity such as the Dean, Chairperson, and
Director, as well as others that the audit client wishes to invite.

After the exit meeting and once the audit client has provided responses and
comments, the draft report is distributed to the Vice President, Dean, and
other levels of executive management responsible for the department or
function for review and comment before the final report is issued.

Final Audit Report – The final audit report is addressed to the University
President and copies are provided to appropriate levels of University
management, the Board of Regents, the UT System Audit Office, and
required state agencies.

Follow-up

There will be occasions when corrective actions to resolve an audit issue
will not be accomplished until after the audit report has been finalized. In
these cases, follow-up will be performed on the previously reported
recommendations to determine whether corrective action plans have been
effectively implemented and that expected results are being achieved. 
Depending on the severity of the audit issue, follow-up activities could
include interviewing staff, reviewing updated procedures or documentation,
or re-auditing the processes that originally led to the audit issue.

A summary of the status of all open findings is presented at each quarterly
Institutional Audit Committee (IAC) meeting. If action plans are not
completed by the expected date of implementation, a letter must be sent by
the responsible individual to the IAC explaining why the date was not met
and when the action will in fact be completed. If the date is missed a
second time, the responsible individual must provide an explanation to the
IAC in person.

Source: https://audit.utexas.edu/audit-process

SUPPLEMENTAL READINGS/ INFORMATION

What is audit execution phase?

The execution phase of an audit engagement is an intense period of
activity: managing teams, analyzing information, executing testing, making
judgements, documenting work, and interacting with clients. In busy
periods, effective audit execution becomes critical to client satisfaction,
profitability, and team morale.

Source: https://tax.thomsonreuters.com/content/dam/ewp-m/documents/tax/en/pdf/brochures/effective-audit-execution-guide.pdf

What are the 5 phases of an audit?

Internal audit conducts assurance audits through a five-phase process
which includes selection, planning, conducting fieldwork, reporting
results, and following up on corrective action plans.

Source: https://internalaudit.uoregon.edu/report/audit-process

What is audit checklist?

The term audit checklist is used to describe a document that is created
during the audit planning stage. This document is essentially a list of the
tasks that must be completed as part of the audit.

Source: https://www.infobloom.com/what-is-an-audit-checklist.htm

END

Prepared by:

Rowena Pineda-Tan, CPA

Meycauayan College

Meycauayan, Bulacan
