Chapter 3 Understanding Operations Auditing

Introduction

Internal audit is undergoing a massive transformation. While its traditional role of providing independent, objective
assurance & consulting services to organizations in ways that improve operations has remained unchanged for decades,
how this role is being accomplished is changing over time.

Internal auditors are expected to perform risk-based audits, but do so partially because they focus on financial and
compliance risks at the expense of operational, strategic and technological risks. Hence, this limits their ability to evaluate
critical risks and processes.

To assess its current processes and procedures, a company may conduct an operational audit. This type of audit identifies
areas where a company can improve its operations, allowing it to make changes that make its processes more efficient or
productive. Understanding how to conduct this audit properly can help your company run better and meet organizational
goals. An operational audit refers to a method of examining how an organization conducts business. It requires analyzing
the processes, procedures and systems used within the company. This type of audit looks beyond the organization's
financial circumstances and examines its management practices. An operational audit aims to find areas in need of
improvement to make the organization's operations more efficient, productive and effective.

Traditional internal audit concepts and practices are merged with contemporary quality control methodologies, tips, tools
and techniques to help internal auditors perform value-added operational audits that result in meaningful findings and useful
recommendations to help organizations meet objectives and improve the perception of internal auditors as high-value
contributors, appropriate change agents and trusted advisors.

What Are Operational Audits?

The Institute of Internal Auditors (IIA) defines Operational Audit as a systematic process of evaluating an organization's
effectiveness, efficiency and economy of operations under management's control and reporting to appropriate persons the
results of the evaluation along with recommendations for improvement. Note that the definition includes both financial and
operational areas.

Mentioning the word audit can conjure up thoughts of financial audits that are often done to assure stakeholders that
financial statements are accurate and complete. However, that’s not the only type of auditing that’s useful to a business.
Organizations of every type — government, universities, hospitals, manufacturers, banks, and others — need to understand
where they are doing well, and where they need to improve to achieve sustainable growth.

Many companies are now looking to operational audits to create greater value by improving operational performance
including dimensions of quality, speed, agility, efficiency, environment, customer value, and cost. Operational audits are a
forward-looking process, and are part of many organizations’ ongoing business improvement process toolkit. The findings of
operational audits are intended to diagnose which areas need attention and to safeguard assets by averting potential future
risks. Operational audits are audits that focus on the effectiveness, productivity, and cost efficiency of the operations of the
business.

Operational Audits Are Continuous Improvement Tools

To meet the challenges of a rapidly changing marketplace and regulatory environment, companies must continually reinvent
the way they do business. “The most widely used improvement tools are the (plan-do-study/check-act) or Deming Cycle,
which the auditor uses in their own auditing activities.” The Deming Cycle is a systematic process for gaining valuable
learning and knowledge for the continual improvement of a product or process. Organizations should conduct audits
regularly to support continuous improvement and to check the progress of quality measures recommended in previous
audits. The internal audit isn’t immune to the pressures that an organization can experience, so auditors need to find
innovative means to help their company succeed. Many companies or specific departments (such as IT) focus on
incremental improvement to improve processes, products, and services, or all three.

Operational Audit Challenges

Internal auditors are tasked with bringing objectivity to the assurance functions they perform within an enterprise. They are
also increasingly called upon to provide a wide range of advisory services, stretching from managing risk to enhancing
company performance. Some of the most challenging areas for an internal auditor are the following:

 Support - The biggest challenges to conducting operational audits is to get top management support for the
auditing program. Support can sometimes be difficult to obtain, since, by its nature, the process highlights
management issues.” “There needs to be effective management processes in place to handle conflict management
which may arise due to the audit, and a systems approach to linking organizational goals and objectives.”

 Change Management - The results of operations audit will likely lead to multiple changes in the way things are
done. Team members and managers may have difficulty adjusting to changes in expectations, processes,
personnel, or budgets. Change can also affect teamwork. Hence, it is important to know how to manage and build
strong teams who can deal with change. Those issues can be mitigated by a well-handled change management
program. A helpful tool to manage change is to use RACI (Responsible, Accountable, Consulted, Informed) to
achieve change that may result from an operations audit. The RACI matrix or linear responsibility chart is a
responsibility assignment matrix that describes the participation by various roles in completing tasks or deliverables
for a project or business process.

 Operational Auditing Expenses - There are costs involved during and after an audit. If the auditor is a consultant, of
course, there will be fees for their engagement. There is also the cost of having projects or production slow
temporarily when managers and employees are working with the auditor. If the auditor usually holds another
position within the company, there may be a slowdown in his or her regular job responsibilities. As mentioned, there
may be costs associated with necessary changes.

 Auditor Evaluation - Considering the major responsibility of the auditing position (whether the auditor or auditors are
operating internally or externally), the competence of the auditor or auditors should be determined based on explicit
evaluation criteria.”

The Increasing Demand for Internal Auditing Experts

As proof that the number of operational audits is increasing, the need for internal auditing experts is on the rise. Robert Half
International has found that the demand for internal auditors in the United States is going strong and that the need for
internal auditors is growing faster than the average for all occupations through 2024. Demand for the profession is also
mounting in Europe and Asia. Certifications can offer internal auditors an advantage in the job market since they show
professional competence and dedication. There are several different certifications available for internal auditors to help them
expand their knowledge and improve their chances of being hired by an employer:

 Certified Public Accountant - Many employers require a CPA for internal auditor candidates. This certification
requires passing a national exam while meeting other requirements.
  Certified Internal Auditor - The Institute of Internal Auditors offers the CIA certification for professionals with an
associate degree or higher from an accredited program. To earn the CIA certification, candidates must pass a four-
part exam and meet the minimum work-experience requirements — one year for a master’s degree, two years for a
bachelor’s degree and five years for an associate degree.

 Certified Government Auditing Professional - The IAA also offers the CGAP certification for professionals who want
to work as internal auditors for a government organization. This certification requires professionals to have at least
an associate degree from an accredited institution. After passing the exam, candidates qualify for the certification
after meeting the requirements for work experience.

 Certified Fraud Examiner - The Association of Certified Fraud Examiners offers the Certified Fraud Examiner
credential for professional internal auditors that possess expertise in preventing and detecting fraud. This
certification requires candidates to pass an examination while obtaining a minimum of 20 hours of continuing
professional education credits each year and maintaining annual membership.

 Certified Information Systems Auditor - The ISACA offers the CISA certification for professionals who audit, control,
monitor and assess an organization’s information technology and business systems. Candidates for this certification
must pass the exam and demonstrate five years of experience auditing information systems.

Entities Benefited by Operational Audits

Conducted by an internal or external auditor, audits are objective. They supply a fresh perspective on the good and not-so-
good aspects of organizational practices and processes. The final report should make management aware of problems they
might not have otherwise understood, and gives them a knowledge-base for making improvements. Executives can also
use organizational audit results to motivate team members and emphasize existing or new goals. Subsequent actions can
then lead to greater profitability, legal compliance, and employee satisfaction in the long term.

While an audit is usually associated with financial matters, operational audits are more comprehensive and go beyond
financial data (although that type of reporting is often included). The primary information sources are policies and
achievements related to the objectives of the organization.

Operational audits are a ‘deep dive’ into every facet of management. As a result, start-to-finish time frames can vary from a
few weeks to many months, depending on scope, complexity, and size of the organization, and whether the audit is for the
entire entity or a particular business unit. Unlike financial audits, which are conducted by external entities, operational audits
are often carried out by an internal auditor. From an overarching perspective, operational audit programs benefit the
following entities:
 The Organization can achieve its aims by applying disciplined, systematic methods to assess and advance the
effectiveness of control, risk management, and governance processes.
 The Individual can continuously improve their ability to apply knowledge and skills to deliver the intended results.,
 The End User or Consumer receives more cost efficient and high-quality products or services.
 The World benefits from a better, more sustainable future.

Advantages of an Operational Audit

Organizations can expect to achieve five primary goals or main advantages by performing any operational audit.
Conducting an operational audit within an organization can bring numerous benefits, such as:

 Influence Positive Change: The audit can offer objective or new views. Understand how future processes, policies,
procedures, and other types of management are producing maximum effectiveness and efficiency. An auditor can
 help managers gain a fresh perspective on their business operations. If the auditor has no regular involvement with
the identified processes or procedures, they can provide insights that someone who regularly performs them may
not see. Because they base their assessment of the processes on business goals, it serves as an objective
evaluation method. It is not about whether the auditor likes the process, but whether it meets the required goals.

 Review Internal Controls: the audit provides a check on the effectiveness of establish internal controls on the
potential impact of successes and failures in the specialized functional areas of operation.

 Understand Risks: The audit identifies opportunities and risks. The type of risks associated with business and
operational risk range from business interruption, employee omissions or errors, IT system failure, product failure,
safety and health issues, loss of key employees, fraud, loss of suppliers, and litigation. The operations of a
business may run smoothly, but an audit can identify areas for improvement. These changes can make processes
faster, less costly or improved in other ways that support profitability and business goals. Through an audit,
managers may also discover risks or issues within their processes that they were not aware of previously. The
auditor helps identify these risks and provides methods of resolving them. Now that staff understands the risks
associated with their business, they can better identify and evaluate future risks.

 Identify Improvement Opportunities: The audit can improve business effectiveness. As a result of understanding
risks, auditors can determine where to make improvements and how to mitigate risks and improve opportunities.
The broad categories of risk - and where improvements should occur - are operational risk, financial risk,
environmental risk, and reputational risk. An operational audit requires taking an in-depth look at the processes and
procedures involved with business operations. The purpose of the audit is to ensure the business completes
processes effectively and efficiently. Therefore, any changes made serve that goal and result in improvements to
company operations and profitability. Sometimes, an auditor may identify an area of the business that works
efficiently and use it as an example to help boost another team's efficiency.

 Inform Senior Management: The audit can provide motivation. The results of the audit should appear in a clear
report that provides objective analysis, appraisals, recommendations, and pertinent comments concerning the
activities reviewed. During an audit, the auditor and management develop objectives they need to achieve. These
goals aim to help the business perform better by making improvements to specific processes and procedures.
Management staff can use these goals to motivate their employees by giving them a standard to work toward. The
goals also provide clear guidelines for employees, ensuring that they understand their employer's expectations and
know what constitutes good work.

Disadvantages of an Operational Audit

An operational audit aims to improve the processes and procedures within a company, but it may come with some
disadvantages. However, these disadvantages may not matter in the long run due to the advantages of the improvements
made. Some of those disadvantages may include:

 The audit may require making changes (change management) - Improving the processes and procedures within a
company often requires changing elements of them. Employees may need time to adjust to these changes and
become more comfortable with them. Some changes may even require training staff on how to conduct the new
and improved processes. As a result, companies implementing changes due to an operational audit need to
consider developing a change management plan to help employees ease into the transition.

 The audit comes with monetary costs - Like any other audit, an operational audit brings costs to the organization.
While typically handled by an internal auditor, a company may sometimes hire an external auditor who charges a
fee for their services. The audit may also deem certain changes necessary to improve specific processes and
 procedures in the business. The implementation of those improvements or training employees on them could add
costs to the company.

 The audit can affect productivity - An operational audit could impact the productivity of the participating employees
participating. If the internal auditor typically performs other duties at the company, conducting the audit takes them
away from those responsibilities during its duration. Similarly, the employees whose department or business area is
being audited need to spend time working with the auditor and going over their processes and procedures. This
task could slow down progress on their projects or take time from day-to-day responsibilities. The processes
highlighted for improvements may be put on hold as the company implements any necessary changes.

 The audit can be time-consuming - It can take significant time for an auditor to review the business operations of a
company. They must examine every step of the processes they audit, and the more complex the processes, the
more time-consuming they can be. The task of implementing solutions or improvements can also take time to
complete. The company may need to perform tests to ensure the solutions or improvements make the processes
more effective. If employees require training to learn how to conduct changed processes, that can also take time
away from their usual responsibilities