lOMoARcPSD|13525683

be made more effective or efficient and recommending

improvements.
THREE COMMON COMPETENCIES IDENTIFIED BY IIA RESEARCH
FOUNDATION AND CORE COMPETENCIES REPORT: SOURCES OF CRITERIA

1. Historical performance

1. Communication Skills  Criteria can be based on actual results from prior

periods.
2. Problem Identification and Solution Skills
 By using these criteria, auditors can determine
3. Keeping up-to-date with industry and regulatory changes and whether things have become “better” or “worse” in
professional standards. comparison.
 ADVANTAGE: Criteria are easy to derive.
 DISADVANTAGE: They may not provide much insight
CHAPTER 3: OBJECTIVES AND PHASES OF OPERATIONAL AUDITING into how well or poor the results are compared to
what they could be.

2. Benchmarking
THREE OF THE PRIMARY OUTCOMES OF A SUCCESSFUL
OPERATIONAL AUDIT  It makes little sense to benchmark with dissimilar
organizations or those that perform at a
1. Maximize efficiency – Gain a greater understanding of how
substandard level.
future policies and procedures can boost effectiveness.
 Benchmarking data are often available through
2. Understand Risks industry groups and governmental regulatory
agencies.
3. Fine-tune internal controls – By examining each step of the
operational process, an audit can dive deeper into the impact of any 3. Engineered standards
changes to internal controls.
 These criteria are often time-consuming and costly
to develop because they require considerable
expertise, but in some cases, it may be worth the
NOTE: In operational auditing, there are no well-defined criteria. To
cost.
establish criteria for operational auditing, auditors could define the
 EXAMPLE: Auditors can use time and motion studies
objectives as determining whether some aspect of the entity could
to determine efficient production output rates.

Downloaded by Venesse ST ([email protected])

 lOMoARcPSD|13525683

4. Discussion and agreement Proper Prior Planning Prevents Poor Performance

 It is also known as 6P’s
 Sometimes objective criteria are difficult or costly to
 This expression means that it is critical to
obtain and are best developed through discussion
effectively plan engagements to ensure
and agreement.
success.
 The parties involved should include management of
the entity to be audited, the operational auditor, The key steps in planning an engagement are:
and the entity or persons to whom the findings will
be reported. 1. Determine engagement objectives and scope
The first step is to establish the objectives of the
engagement and outline the scope to articulate the
PHASES IN OPERATIONAL AUDITING time, geographical, and procedural boundaries.
1. PLANNING During planning meetings, internal auditors should
engage in participative practices, involving process
o It includes scoping, budgeting, defining the owners as much as possible to identify relevant
population of interest, how testing will be activities, systems, people and performance standards.
performed, and announcing the audit.
o “Failing to plan is planning to fail” 2. Understand the auditee (including auditee objectives)
o Planning for operational audits is similar to planning To conduct an engagement effectively, the auditor
for audits of Financial Statements. must first understand the auditee’s objectives, the
o Like auditors of Financial Statements, the tasks undertaken within the area under review to
operational auditor must determine the scope of achieve those objectives, and the ways in which
the engagement and communicate it to the performance is monitored and success is measured.
organizational unit.
o It is also necessary to: 3. Identify and assess risk
(a) Staff the engagement properly
RISK FACTOR – these are conditions and other variables
(b) Obtain background information about
that in their present or absence either exacerbate or
the organizational unit
diminish the underlying risk.
(c) Understand internal control
EXAMPLE OF RISK FACTOR: (1) Employee’s competence;
(d) Decide on the appropriate evidence to
(2) Extent of Judgment; (3) Number of transaction;
accumulate
and (4) Time.

Downloaded by Venesse ST ([email protected])

 lOMoARcPSD|13525683

4. Identify Key Controls 8. Allocate resources to the engagement

Key controls are those that, individually, or when

aggregated with other controls, mitigate the auditee’s risk
PLANNING ALSO REQUIRES EFFECTIVE DOCUMENTATION OF THE
to an acceptable level.
INFORMATION GAINED AND JUDGEMENT MADE,
5. Evaluate the adequacy of control design DOCUMENTATION CREATED DURING PLANNING PHASE MAY TAKE
INTO THE FOLLOWING FORMS:
The first key evaluation is the adequacy of control design.  Planning memorandum or checklist to document the audit
This step requires the internal auditor to evaluate whether approach and judgments made.
the controls, if they operate effectively, will mitigate the  Flowcharts or narrative write-ups describing key process
risks that could prevent the achievement of objectives. flows.
.6. Create a test plan  Risk map that depicts the judgments made regarding
process-level risks.
The test plan outlines how each of the key controls will be  Risk and Control Matrix that documents the link between
tested to help the internal auditor evaluate how risks, controls, testing approach, results of testing, and
effectively those controls are operating. testing conclusions.
7. Develop a work program  Audit plan which will be subject to reviews during the
course of audit work to ensure that the focus continues to
A formal work program outlines the key tasks in the be on the higher risk areas.
engagement process and any judgments made regarding
the objectives and scope of the engagement.
The following are covered in a typical work program: NOTE: Managing the risk of fraud and corruption is the
(a) Key administrative tasks responsibility of the MANAGEMENT.
(b) Key meetings
(c) Planning tasks
(d) Fieldwork tasks
(e) Wrap-up steps
(f) Reporting tasks

Downloaded by Venesse ST ([email protected])

 lOMoARcPSD|13525683

2. EVIDENCE ACCUMULATION AND EVALUATION  INSPECTION: This is one of the common procedures performed
(FIELDWORK) by auditors who examine documents to verify the date and
amount of transactions, agreements made between various
parties, evidence of authorizations and record of decisions
PERSUASIVENESS OF AUDIT EVIDENCE made, among others.

To be persuasive, evidence must be:

1. Relevant – Is the evidence pertinent to the audit objective? Does it
3. Documentary
logically support the internal auditor’s conclusion or advice?
2. Reliable – Did the evidence come from a credible source? Did the  This consists of created information – reliability is affected
internal auditor directly obtain the evidence? by the source.
3. Sufficient – Has the internal auditor obtained enough evidence? Do  For example, accounting records, invoices, letter contracts
different, but related, pieces of evidence corroborate each other? etc.

TYPE OF AUDIT EVIDENCE

1. Testimonial 4. Analytical
 It is consisted of verbal or written statements or assertions
given by someone as proof regarding the matter being  This is analysis or verification of information.
discussed.  ANALYTICAL PROCEDURES: It entails assessing information
 TWO TYPES: (1) TESTIMONY – it is what individual steps about obtained during an engagement by comparing the
his or her own personal knowledge about something; and (2) information with expectations identified or developed by
HEARSAY – It is the testimony based on what was heard about the internal auditor.
the topic.  RECALCULATION/REPERFORMANCE: Mathematical
recalculation is a form of audit evidence and it consists of
checking the accuracy of documents or records.
2. Physical

 It can be thru observation or inspection. WORKPAPERS – are documents created by auditors to record the
 OBSERVATION: In general, auditors visually evaluate physical work done.
facilities, conditions, and practices to verify they exist, their
condition, valuation, and protection. CHIEF AUDIT EXECUTIVE (CAE) – responsible for establishing
working paper policies and procedures.

Downloaded by Venesse ST ([email protected])

 lOMoARcPSD|13525683

METRICS – these are great tools to monitor performance and

the achievement of organizational goals.

3. REPORTING AND FOLLOW-UP

CHAPTER 4: INTERNAL CONTROL AND RISK MANAGEMENT
The third phase of the audit is the communication of
results, often referred to as REPORTING.
It consists of communicating findings, observations, The Committee of Sponsoring Organizations of the Treadway
and best practices noted during the review, and Commission (COSO) – is a joint initiative of the five private sector
developing recommendations for corrective action. organizations listed on the right and is dedicated to providing
thought leadership through the development of frameworks and
guidance on enterprise risk management, internal control and fraud
ATTRIBUTES OF EFFECTIVE AUDIT FINDINGS deterrence.

1. Criteria – What was expected? It consists of what should COSO is composed of the following organizations:
exist or occur.  American Institute of Certified Public Accountants
2. Condition – What actually exists? What the auditor  Financial Executives International
 Institute of Management Accountants
discovered as a result of the performance of audit procedures?
 Institute of Internal Auditors
3. Cause – The reason the condition exists and why it is  American Accounting Association
different from the criteria. Auditors should focus on the root
cause of the problem and avoid focusing on symptoms.
Internal control is designed and effected by an entity’s:
4. Effect – Also referred to as “consequence”. It consists of the
impact of the condition. o Board of Directors
o Management
5. Recommendations – This is the action item necessary to o Other personnel
correct the condition, so performance is consistent with the
criteria. in order to provide reasonable assurance about the
achievement of the entity’s objectives in the following categories:
 Reliability of Financing Reporting

Downloaded by Venesse ST ([email protected])