CHAPTER 1:

DEFINITION,
CHARACTERISTICS
AND GUIDANCE
OPERATIONS AUDIT
“Be a product of the product”

 What does it mean to be a product of the product? It’s quite

simple, be a living example of what you sell, recommend or
advise others. Personify what you preach. Show, don’t tell.
Lead by example.
PRODUCT OF OPERATIONS
AUDIT
 The product of operations audit is the advise we make.
The recommendations we propose.
DEFINITION OF OPERATIONAL
AUDITING

A future-oriented, systematic, and independent evaluation of
organizational activities. Financial data may be used, but the primary
sources of evidence are the operational policies and achievements
related to organizational objectives. Internal controls and efficiencies
may be evaluated during this type of review.”
 Business dictionary: A review of how an organization’s management
and its operating procedures are functioning with respect to their
effectiveness and efficiency in meeting stated objectives.
 Internal auditing is an independent, objective assurance and
consulting activity designed to add value and improve an
organization’s operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate
and improve the effectiveness of risk management, control and
governance.
INDEPENDENCE
 Has to do primarily with the position of internal audit within
the organization’s hierarchy. Internal audit should report to
the audit committee (or its equivalent) on the board of
directors so it receives advice and support to perform its
duties.
 This direct reporting line to the highest authority within the
organization will help internal audit reach its full potential
and also get the attention from those whose influence,
recognition and respect can compel corrective actions of
any anomalies identified by the auditors.
OBJECTIVITY
 Is related to the auditors’ frame of mind and their ability to
examine documents, processes, and programs without bias,
without agenda, with no other motive than to find the truth
and communicate it accurately and promptly.
 Conflicts of interest are one of the biggest threats to
objectivity, so internal auditors must be careful to balance
maintaining healthy professional and social relationships
with others in the organization without becoming too cozy
with them.
 ASSURANCE
 Refers to the auditors’ ability to give confidence and make statements
regarding the condition of matters within the organization.
 It is often considered a synonym to “Compliance” as has been the
traditional focus of internal auditors for millennia. Compliance audits
focus on verifying conformity and adherence of a particular area,
process or system with policies, plans, procedures, laws, regulations,
contracts or other requirements that govern the conduct and actions
of that area, process or system.
 Internal auditors provide reasonable assurance, not absolute
assurance, because there are numerous variables to contend with
constantly, because there are no certainties in life. However, this does
not mean that internal auditors do a substandard work knowing that
they can’t guarantee results. Internal auditors are expected to display
competence, knowledge and act with due professional care in all they
do to provide the best assurance possible
CONSULTING
 Means giving advice to management and the board, and engaging
in activities that helps the organization resolve nagging business
issues.
 These engagements address performance, how to improve
organizational programs, processes and activities, and how to
become more flexible, nimble and responsive to business
challenges.
 Consulting also relates to the way auditors do their work suggesting
that the traditional mindset and role of the auditor as the corporate
cop is being redefined and replaced by a more business-minded
professional whose goal is to be respected more so than being
feared
DESIGNED TO ADD VALUE
 If you ask a gathering of internal auditors if they add value
in their organizations, they unanimously raise their hands in
agreement. If you pose the same question to non-auditors,
the response is often far less enthusiastic. In fact, some may
even argue that internal auditors are a necessary evil and
an expense they can’t do without because regulations, the
board of directors, or other stakeholders demand the
existence of an internal audit function.
 One of the goals of this book is to show how this goal of
adding value can be achieved, and do so convincingly.
IMPROVE AN ORGANIZATION’S
OPERATION
This is a very interesting statement because many auditors see their role as that
of checking things and verifying the accuracy of various items and activities
within the organization. But improve an organization’s operations? Some would
argue that this is a rather broad subject, a tall order, a complex goal, a
challenging aspiration, and an insurmountable target. I believe it is not only a
matter of being achievable, but also expected of modern internal auditors.
 In some cases, internal auditors have become part of the problem: creating
bureaucracy within organizations by recommending a never ending list of
controls to mitigate risks, some of which are miniscule in their theoretical
assessment and smaller yet if they are to materialize.
 Some audit teams operate under the mindset that they have to find something
so they can produce a report, which inevitably will result in a series of
recommendations for additional control procedures.
 In this book, we will examine ways in which internal auditors can help to improve
operations to enhance efficiency, effectiveness, speed and reduce errors
HELP AN ORGANIZATION ACCOMPLISH ITS
OBJECTIVES
 Many auditors practice what has been commonly referred to as
controls-based auditing. In essence, they look for the controls
within the process or program of their review, then check them to
see if they are present and operating as expected. While this is
important, they often forget to link those controls to the relevant
risks, and link these risks to the business objectives that those risks
threaten.
 All of this to say that the starting point for everything auditors do
should be the identification of the relevant business objectives. With
that in mind, then, internal auditors must do their work in ways that
help the organization achieve its objectives by properly responding
to the risks that threaten these objectives. By focusing on this,
internal auditors can add value and the possibilities are almost
endless.
HELP ACCOMPLISH
OBJECTIVES
 During my early years in internal audit, one of my internal
audit managers told me, “Think of yourself as running this
department. Now, how would you then run it so it is
successful?” With this in mind, I was told to prepare the
audit program that would guide me and my team’s work
checking on the elements that should be there to improve
their likelihood of success, and the road blocks that could
get in their way. Very wise words!

 Hernan Murdock
BY BRINGING A
SYSTEMATIC, DISCIPLINED
APPROACH

This refers to the approach followed when performing the
work. This is encapsulated in the Standards. The Practice
guide and Practice Advisories, which provide a great deal of
guidance on how to plan, execute and communicate the
results of the work done.
 Our methodology is quite extensive, and it provides enough
direction and flexibility as a framework to examine virtually
any aspect of an organization’s operations.
TO EVALUATE AND IMPROVE
EFFECTIVENESS

Our role as auditors goes beyond evaluating business dynamics and
writing reports that merely lists the problems identified. The
definition indicates that we evaluate, but also help to improve the
organization’s ability to achieve the goals and objectives related to:
 Risk management – this refers to identification, measurement,
assessment and response to risks.
 Control – this refers to those activities that mitigate relevant risks and
helps the organization avoid surprises.
 Governance processes – corporate governance is a wide subject that
includes matters related to organizational structure, reporting lines, span
of control, resource allocation, accountability measures, discipline and
rewards mechanism. Auditors provide independent, objective
assessments on the appropriateness of the organization’s governance
structures and operating effectiveness of specific governance activities.
They are catalysts for change, advising, advocating improvements to
enhance the organization’s governance structure and practices.
If you look at the definition,
Internal auditing and
Operations auding are quite
similar
WHAT IS OPERATIONS
AUDITING?
 Operational auditing is a future-oriented, independent,
systematic, and business-focused evaluation of
management, and the organization’s activities controlled by
management, and third parties.
 This is done to benefit the organization’s stakeholders, who
trust internal auditors to identify anomalies, verify that
resources are handled responsibly, and that the organization
is structured and operating in ways that it is likely to
succeed.
OPERATIONAL AUDITING: IMPROVE
ORGANIZATIONAL PROFITABILITY AND
THE ATTAINMENT OF
ORGANIZATIONAL
 These go beyond a review ofOBJECTIVES
internal control issues since
management does not achieve its objectives simply by
adhering to satisfactory systems of internal control. Instead,
management must define its goals, set appropriate
strategies, staff the organization with enough and
competent workers, and execute effectively.
OPERATIONAL AUDITING:
EVALUATING
MANAGEMENT’S
PERFORMANCE

Management have a fiduciary responsibility toward the
organization’s owners and other relevant stakeholders.
 Over the past decade, the expectations of stakeholders
have increased monumentally creating a more challenging
environment for managers and auditors. These expectations
range from CSR, to acting ethically, safeguarding key
information, and maintaining a positive reputation.
OPERATIONAL AUDITING:
VERIFICATION OF DOCUMENTS
 Another aspect of operational auditing is that rather than
merely verifying that employees are performing their duties
according to established policies and procedures, internal
auditors also verify a variety of qualitative aspects of the
organization and its activities.
 Regarding procedures documentation, internal auditors are
expected to verify that these documents are up to date, that
they are relevant, that they reflect the best way to perform
the work with regards to efficiency and effectiveness, that
these documents are safe from unauthorized change, they
are understood by employees, and that their location is
known by employees so that they can refer to them for
guidance when there are questions.
OPERATIONAL AUDIT:
CONCERNED WITH
STRUCTURE OF THE
ORGANIZATION

Poorly structured organization, or one where information
does not flow accurately and promptly jeopardizes efforts to
achieve objectives. Instead, poorly structured organizations
tend to be disorganized, inefficient, have high employee,
customer and vendor turnover, and become wasteful.
 All of these manifestations of dysfunction erode ingredients
for success and an auditor who brings a fresh and objective
perspective to the review can identify these weaknesses.
IN THE END, OPERATIONAL
AUDITING IS DESIGNED
TO…
Operational auditing is designed to evaluate the
effectiveness and efficiency of business activities,
processes, programs, functions and units.
KEYWORDS ON OPERATIONAL AUDIT AND
INTERNAL AUDIT
Internal Audit Operations Audit
Independence Future- oriented
Objectivity Independent
Assurance Systematic
Consulting Business-focused
Designed to add value Evaluation of management and activities
Improve and organization’s operations Improve organizational profitability and
attainment of organizational objectives
Help an organization accomplish its Evaluating of management performance
objectives
Systematic and disciplined approach Verification of documents and activities
To evaluate and improve effectiveness Concerned with the structure of the
organization
Evaluate the effectiveness and efficiency
of activities, process, programs, functions
and units
HOW CAN INTERNAL AUDITORS
ADD VALUE? *Internal Auditors
can add value by
recommending
steps on how to
Structure mitigate risks that
Implementatio
(Department, Units
Business n threaten business
and functions, objectives. The
Objectives (Processes,
management and anchor of
Activities)
employees) operational audit
are risks. No risks
identified means
no audit. We do
not just go testing
Internal controls, processes and policies the design and
implementation of
internal controls,
but our aim is to
Risks reduce the risks.
(Operational, Technological, Strategic,
Environmental, Legal and Financial)
RISK-BASED AUDIT
 Engaging risk-based auditing means that internal auditors
must exercise and apply a broader view of organizational
risks. Accounting and financial risks are only a limited
number of the many risks organizations face. Other
examples include the risk of delays, waste, inefficiency, poor
customer service, excessive customer and employee
turnover, poor quality data, and systems failure.
RISK-BASED AUDIT IS WHAT THE
STANDARDS REQUIRE
 Institute of Internal Auditors (IIA) is the governing body of
internal auditors worldwide. It has issued guidance for
internal auditors in the form of the Standards for the
Professional Practice of Internal Auditing (the Standards),
Practice Advisories, Practice Guides, and Position Papers.
These documents provide guidance on what internal
auditors should do and how.
RISK-BASED AUDIT VS. CONTROL-
BASED AUDIT
 This concept of risk-based auditing is in contrast to what has been
dubbed control-based auditing. The latter is defined as audits that
focus on identifying and evaluating internal controls without
enough regard to their value to the process.
 This can happen because auditors take a pre-existing work
program without researching the nuances of the present audit
scope sufficiently,
 Or even when they perform planning activities, their interviews
and other research only focuses on identifying existing controls
without fully understanding the key risks and objectives of the
process under review
WHAT RISK-BASED AUDIT
REQUIRES
 Performing risk-based audits require more brainstorming, more
interaction with process owners, a more in-depth understanding of
the organization’s business, and a mechanism to address past,
present, and future vulnerabilities and scenarios that threaten the
achievement of business objectives.
 Since internal auditors are being asked to do more with less, they
can’t afford to review controls just because they are there. Internal
auditors need to assess whether those controls are key to the
achievement of objectives and only focus on those that are.
IIA’S PUBLICATION ON 2015 COMMON
BODY OF KNOWLEDGE
 The report advises internal auditors to anticipate the needs
of stakeholders, develop forward-looking risk management
practices, and support the business objectives, identify,
monitor and deal with emerging technology risks and
enhance audit findings through the greater use of data
analytics.
AUDITING BEYOND FINANCIAL,
ACCOUNTING AND REGULATORY
REQUIREMENTS
 In the past, internal auditors predominantly had accounting
degrees, graduated from university accounting programs. As such,
their focus and experience was acquired in the accounting field and
saw most audit matters through the prism of accounting matters.
 The other key focus area was compliance with regulatory
requirements. Auditors attempts to understand the rules and
regulations affecting a program or process, they then would apply a
very effective methodology: are they doing what the rulebook
says? If “Yes”, the result were satisfactory. If “No”, the results were
documented and communicated as findings. In essence, a very
predictable pass/fail approach to auditing.
COMPLIANCE AUDITS STILL
IMPORTANT
 I am not suggesting that compliance is a failed effort, or that
it does not provide some benefits. It does. Some of the
benefits are process improvement, better controlled
operations, greater reliability and protection of information,
more stable and predictable process.
 The idea is that, internal auditors should not just contain our
efforts to compliance checking. We are expected to do more
than that. We are expected to help clients achieve their
business objectives. Minimize business failures by helping
clients avoid poor management
BUSINESS FAILURE DUE TO POOR MANAGEMENT.
POOR MANAGEMENT REFERS TO
 Operations management. Some issues are waste, inefficiencies, supplies that arrive
late, poor customer satisfaction, and limited capacity to grow as opportunities arise or
customers’ demand change.
 Human resources. As evidenced by poorly supervised, trained, and evaluated
employees who sometimes become unmotivated and unproductive.
 IT. computer systems designed with an inaccurate understanding of the business needs
and uses of these systems, poor data capture, inadequate reporting mechanisms.
 Marketing. mass marketing of products and services at a time when customers prefer
to feel unique, or wasteful campaigns because they target the wrong audience.
 CSR. Issues range from child labor, sweatshop conditions, abusive management, and
inappropriate waste disposal.
 Environmental health and safety practices and conditions. Related to poor
ventilation, excessive heat, extreme noise levels, workplace hazards caused by
chemicals, machineries, etc.
 In the light of these dynamics, internal auditors have risen
to the challenge by embracing a methodology that goes
beyond accounting and more closely aligns itself with the
recurring business risks and practices.
THE VALUE AUDITORS PROVIDE
 Internal auditors are unfortunately not always regarded as highly as they
should be. Seen as an obstacle, too many managers and employees fail to
recognize that internal auditors provide a very valuable services to their clients
– whether they are employees of the firm, or hired externally to provide
internal audit services. (see next page)
 Internal auditors promote the efficient and effective use of resources. Since
organizations operate with the funding received or authorized by their owners
or contributors, it is imperative that the organization operates with this
principle of financial fiduciary responsibility.
 A fiduciary duty is a legal duty to act solely in another party’s interests. Parties
owing this duty are called Fiduciaries. The individuals to whom they owe a duty
are called Principals. Fiduciaries may not profit from their relationship with
their principals unless they have the principals’ express informed consent.
They also have the duty to avoid any conflicts of interest between themselves
and their principals or between their principals and the fiduciaries’ other
clients. (Cornell University Law School Legal Information Institute)
BUSINESS FAILURE DUE TO POOR MANAGEMENT.
POOR MANAGEMENT REFERS TO
 Operations management. Some issues are waste, inefficiencies, supplies that arrive
late, poor customer satisfaction, and limited capacity to grow as opportunities arise or
customers’ demand change.
 Human resources. As evidenced by poorly supervised, trained, and evaluated
employees who sometimes become unmotivated and unproductive.
 IT. computer systems designed with an inaccurate understanding of the business needs
and uses of these systems, poor data capture, inadequate reporting mechanisms.
 Marketing. mass marketing of products and services at a time when customers prefer
to feel unique, or wasteful campaigns because they target the wrong audience.
 CSR. Issues range from child labor, sweatshop conditions, abusive management, and
inappropriate waste disposal.
 Environmental health and safety practices and conditions. Related to poor
ventilation, excessive heat, extreme noise levels, workplace hazards caused by
chemicals, machineries, etc.
FIDUCIARY RELATIONSHIP
Principal Fiduciary

• Stakeholder • Manageme
s nt
• Primary
• Secondary
In order to ensure that the fiduciary (management) acts in the interest of
the principal (not in the interest of themselves or of others), the BOD
requires the services of internal auditors. BOD wants to ensure that the
objectives of the organizations are being achieved efficiently and effectively.
This is the value that the auditor provides.
SHORT STORY OF STEWARDSHIP
A man who was going on a journey called his servants and entrusted them his
property. To one, he gave five talents, to another two, to another one, to each according to
his ability. Then he went away. He who had received five talents went at once and traded
with them, and he made five talents more. So also he who had the two talents made two
talents more. But he who had received the one talent went and dug in the ground and his
master’s money.
Now, after a long time the master of those servants came and settled accounts with
them. And he who received the five talents came forward, bringing five talents more, saying,
‘Master, you delivered to me five talents; here I have made five talents more.’ His master said
to him, ‘Well done, good and faithful servant. You have been faithful over a little; I
will set you over much. Enter the joy of your master.’ So also he who had the two talents
made two talents came forward saying, ‘Master, you delivered to me two talents; here I have
made two talents more.’ His master said to him, ‘Well done, good and faithful servant.
You have been faithful over a little; I will set you over much. Enter the joy of your
master.’ He also who had received the one talent came forward, saying, ‘Master, I knew you to
be a hard man, reaping where you did not sow, and gathering where you scattered no seed, so
I was afraid, and I went and hid your talent in the ground. Here you have what is yours.’ But
his master answered him, ‘You wicked and slothful servant! You knew that I reap where I
have not sown and gathered where I scattered no seed? Then you ought to have invested my
money with the bankers, and at my coming I should have received what was my own with
interest. So take the talent from him and give it to him who has the ten talents. For
everyone who has will more be given, and he will have an abundance. But from the one who
has not, even what he has will be taken away.
MATERIALITY CONCEPT – USER PERSPECTIVE

Materiality
(The ability to change one’s decision)

Nature Amount
We look at the things which
We look at the amount,
are important to
then we compare it with
stakeholders, regardless of
our materiality threshold
amount
MATERIALITY CONCEPT – EXAMPLE
Nature Amount

In the course of your audit,

Example: ABC company, client,
borrowed P10 million from XYZ you have found out that the
company. The agreement was that summary of misstatements
ABC company should maintain a debt due to error is P50,000.
ratio of 50%. The total amount of debt
and assets before audit was P20 your materiality threshold
million and P42 million, respectively. was set at P100,000. Is the
As per audit, you have found out that misstatement material?
there was an unrecognized liability
equal to P3 million. You have set the What if the cause of the
materiality threshold to be 10% of misstatement is due to
total assets. Is the adjustment fraud, would that change
material?
your answer?
When we conduct audit, put
yourself in the shoes of the
stakeholders.
 Putting yourself in the shoes of
another is another level of
understanding. That is what is meant
by understanding by heart. the
standard says that we should obtain
understanding of the entity. When we
put ourself in the shoes of the
stakeholders, we are already
observing that mandate.
TO STAKEHOLDERS

WHOM Primary
stakeholders
Secondary stakeholders

DO WE Investors
Communities and
general public

SERVE? Creditors
Business support
groups

WHAT RISKS ARE Customer

Activists groups
SIGNIFICANT TO s
EACH
STAKEHOLDERS? Suppliers Media
FOR THOSE RISKS
WILL BE OUR BASIS Employee
Government
FOR OUR AUDIT. s
 Recognition of the duties that all employees The reason why employees do not
have to the principals is central to the proper recognize their duty to their
discharge of their responsibilities as principals is that their personal
employees, who should always act in the goals may not be in line with the
interests of the main stakeholders of the organizational goals.
organization. This is called Accountability.
It is not prohibited to have personal
goals, only that, it should be in line
 To this effect, internal auditors contribute to with the organization you are in.
this process by making sure that the duties As an employee, you are a part of
are defined, that the structures are set to the organization. Being part of the
ensure behaviors are aligned with these organization means aligning your
objectives*, and making recommendations to goals to the organizational goals,
the board and senior management when there otherwise there will be division or
are discrepancies jeopardizing the success of faction in the organization. If a
these arrangements. house is divided against itself, that
house will not be able to stand.
*Governance process
*internal audit helps an organization … improve
the effectiveness of risk management, control
and governance
 In the aggregate, internal auditors serve the Serving common
interests:
public and common interests by making sure 1. Owners receive the
that the owners receive the return on their return on their
investments that
investments that they are entitled to, and
they are entitled to.
that the means of generating those profits 2. The means of
generating profits
are within the confined of law.
are within the
 Beyond shareholders, internal auditors help confines of law.
3. Interests of all
the process of making sure that the interests relevant
stakeholders are
of all relevant stakeholders are met.
met.
 STAKEHOLDER ANALYSIS: REQUIRED

FROM THE AUDITORS
An important aspect of the modern manager and auditor’s job is
to identify stakeholders and to understand their interests. It is
also important to understand the power they have to assert
those interests. This process is called stakeholder analysis,
which asks three fundamental questions:

1. Who are the relevant stakeholders?

2. What are the interests of each stakeholder?
3. What is the power of each stakeholder?
PRIMARY STAKEHOLDERS
Stakeholde Interests Powers
rs
Employees • Maintain stable • Bargaining power
employment • Work actions, strikes,
• Receive fair pay lawsuits
• Work in a safe, comfortable • publicity
environment
Suppliers • Receive regular orders for • Refusing to meet
goods/ services orders
• Be paid promptly • Supplying to
competitors
Customers • Receive value and quality • Purchasing from
for money competitors
• Receive safe, reliable • Boycotting
products • Refusing to pay
Creditors • Receive repayments for • Calling loans
loans • Use legal authorities
 Stakeholders Interests Powers
Investors • Receive a • Exercise voting
satisfactory rights
return on • Ability to inspect
investments company records
• Realize an and reports
appreciation in
value
SHORT CASE: SAFE AND COMFORTABLE WORK ENVIRONMENT

Gerald was a 60-year-old man working as a sales person in a hardware

store with several younger coworkers, a few of whom consistently treated him
with disrespect, making nasty comments about his being old, slow and
“computer illiterate” because he was not very good with the online inventory
system. At first, Gerald ignored the comments, but he rapidly grew tired of them.
He politely and privately spoke to the most vocal of the younger employees,
asking him to stop the needling, but the younger man told Gerald that he was
being too sensitive and the bullying grew worst.
Gerald eventually approached the store owner about the situation. The
owner likes Gerald, but was unwilling to get involved with what he called
“employee issues”. Gerald noted that since many insults reference Gerald’s age,
they could constitute illegal workplace harassment. The store owner became
defensive and continued to do nothing about the situation.
eventually, the bullying began to affect Gerald’s health. He quit his job and
then applied for unemployment benefits, arguing that his employer’s failure to
address the age-based harassment created a hostile work environment. Gerald
won unemployment benefits but is now involved in a lawsuit against his former
employer.
SHORT CASE: PERFORMANCE ISSUES
Hazel has been working as a copywriter for the past thee years at a boutique
marketing agency. While her performance reviews are generally positive, lately
she’s been struggling with assignments for several new clients in the legal industry.
Up until recently, Hazel’s work has focused primarily on writing for healthcare
companies. She is unfamiliar with legal matters, and yet she is expected to produce
web copy and blog posts for these businesses. The new clients have already sent
back several projects for revisions, and Hazel’s supervisor is upset with her.
Hazel points out to her supervisor that she is being required to write on topics
that she knows nothing about. She also notes that when the company was pitching
these law firms, Hazel suggested that the company pay for Hazel to take some
courses on legal research and writing. Instead, Hazel’s supervisor told her that the
company couldn’t afford to pay for additional training, and advised Hazel to get
ideas by reading other legal blogs.
after taking some time to listen to Hazel express her frustrations, the
supervisor realizes that she made a mistake in not insisting that the company enroll
Hazel in a legal writing course. The supervisor apologizes to Hazel, puts a note to
Hazel’s HR file noting the error, and requests addition to the department
budget so that Hazel can get the training needs to perform her job properly.
LAINIE PETERSON, EXAMPLES OF EMPLOYER &
EMPLOYEE CONFLICTS, SMALLBUSINESS.CHRON.COM

Many experts in workplace and organizational psychology note

that workplace conflict isn’t always negative. Conflict, when
handled in a healthy way, can lead to growth for everyone
involved. It can also lead to new ideas and the evolution
of processes within your business. In addition, a
willingness to address conflict often prevents small annoyances
from becoming larger problems that can harm morale.
PROCUREMENT STANDARDS – THE
UNIVERSITY OF IOWA

The University is committed to complying with applicable

procurement laws and regulations, including requirements that
apply to conflicts of interest, as provided by the following:
University of Iowa Operations Manual
Iowa Administrative Code
Regents Policy Manual
PROCUREMENT STANDARDS – THE
UNIVERSITY OF IOWA
General Policy
1. A conflict of interest arises when a faculty or staff member is or may be in the
position to influence the university’s business, research or other decisions in
ways that could lead to any form of personal gain for the faculty staff member
or others closely associated with that university employee.
2. Except as part of official state duties, and official, a state employee, a
member of the general assembly, or a legislative employee shall not sell, in
any one occurrence, any goods or services having a value in excess of two
thousand dollars unless the sale is made pursuant to an award or contract let
after public notice and competitive bidding.
3. Vendors must be reviewed and approved by the Director of Purchasing when
there is a disclosure or indication of a conflict of interest.
4. University faculty or staff members cannot be interested, directly or
indirectly, in any contract to furnish material of any kind to or for the
University. In addition, participation in direct sales (pyramiding) ventures is
considered a direct or indirect interest in a contract and is encompassed by
this policy.
DEFINITION OF BUSINESS POLICY
Business Policy defines the scope or spheres within which
decisions can be taken by the subordinates in an organization. It
permits lower level management to deal with the problems and
issues without consulting top level management everytime for
decisions.

Business policies are the guidelines developed by an organization

to govern its actions. They define the limits within which decisions
must be made. Business policy also deals with acquisition of
resources with which organizational goals can be achieved.
Business Policy is the study of the roles and responsibilities of top
level management, the significant issues affecting organizational
success and the decisions affecting organization in long-run.
 SECONDARY
STAKEHOLDERS
Stakeholde Interests Powers
rs
Government • Promote economic • Adopt regulations and
s development laws
• Raise revenues through • Issuing licenses and
taxes permits
Media • Keep public informed • Publicizing events that
• Monitor company actions affect the public.
Activist • Monitor company actions • Lobbying (influencing)
groups for ethical and legal government for
behavior regulations
• Gaining public support
Business • Provide research and • Using staff/resources
support information to improve to help companies
groups competitiveness • Providing legal
political support
 Stakeholders Interests Powers
Communities • Employ local • Issuing / restricting
residents operating license
• Ensure local • Lobbying
development governments for
regulations
General public • Minimize risks • Supporting activists
• Achieve prosperity • Pressing
for society government to act
• Praising or
condemning
companies
 IDENTIFYING OPERATIONAL THREATS
AND VULNERABILITIES
 The traditional approach to internal auditing was to perform postmortem

reviews to verify that what was done was done appropriately. This was a
practice that followed in the footsteps of public accounting firms, which
inspect transactions that occurred during the preceding fiscal year.

 Internal auditors need to go beyond inspecting transactions long after

they were performed because the focus now leans toward an examination
of future threats and vulnerabilities that can derail the organization’s
goals and objectives in the short, medium, even the long-term.
In fact, focusing on future events and the future implications
of present events would add more value to their
organizations than reporting primarily on past events.

Value auditors provide:

• Avoiding poor management
• Ensuring that the resources are used
in an efficient and effective manner in
abiding with the fiduciary relationship
between stakeholders and
management
• Identifying threats and recommending
actions on how organizations can
respond to those risks, thereby helping
them to achieve their goals and
THE FUTURE THREATS AND
VULNERABILITIES CAN BE:
Operational Technological Strategic Environmental
• Maintaining • Protection of • Refer to • Reliable supply
Operational intellectual concerns of water and
capacity property and relating to: electricity
• Speed of information Strong • Achieving lower
execution (cycle • Denial of service customer and carbon foot print
time) attacks vendor • Reducing the
• Staffing levels • Business relations amount of
• Employee continuity due to Customer natural
motivation staff turnover loyalty resources used
• Knowledge • System Building during business
transfer development effective activities
• System (define, design, business
development test, implement partnerships
and software Outsourcing
implementation program) arrangements
Mergers and
acquisition
FUTURE THREATS AND
VULNERABILITIES:
 Future threats and vulnerabilities can also exist because of
possible failure to satisfy the interests of stakeholders.
THE SKILLS REQUIRED FOR
EFFECTIVE OPERATIONAL
AUDIT
The following are the top general competencies of internal auditors:
1. Communications skills, such as oral, written, report writing, and presentation skills
2. Problem identification and solution skills, such as conceptual and analytical thinking
3. Ability to promote the value of internal audit
4. Knowledge of industry, regulatory and standards changes
5. Organizational skills
6. Conflict resolution/ negotiation skills
7. Staff training and development
8. Accounting frameworks, tools and techniques
9. Change management skills
10. IT/ CT framework, tools and techniques
11. Cultural fluency and foreign language skills
THREE COMMON CORE
COMPETENCIES
 Communication skills
 Problem identification and solution skills
 Keeping up to date with industry and regulatory changes
and professional standards
 BEHAVIORAL SKILLS INTERNAL AUDITORS SHOULD
POSSESS
1. Confidentiality
2. Objectivity
3. Communication
4. Judgment
5. Work well with all management levels
6. Possess governance and ethics sensitivity
7. Be team players
8. Relationship building
9. Work independently
10. Team building
11. Leadership
12. Influence
13. Facilitation
14. Staff management
15. Change catalyst skills
HOW TO ACQUIRE THESE
SKILLS?
Two dimensions:
 Individual level
 Internal audit unit level
INDIVIDUAL LEVEL
 Internal auditors are expected to take ownership of their own
training and development and not leave its employers to decide
and implement.
 In the past, it was common for employees to take a passive
approach, waiting for their employers to tell them when, what and
why training should occur, today’s auditors should take a more
active and engaged approach to their training needs. They should:
1. Reflect on their present competencies, identify their job needs, and
perform gap analysis to meet their current skill requirements.
2. Define their career ambitions, and chart a roadmap to acquire the
skills and competencies needed in the future.
WHAT MY JOB REQUIRES
 Instruction
 Communication skills (written and oral)
 Technical skills (Audit, Tax, Financial Management)

 Extension
 Communication skills (written and oral)
 Leadership, influence, change catalyst

 Research
 Communication skills (written and oral)
 Problem solving skills, change catalyst, influence, governance skills and ethics
sensitivity
 Production
 Book writing skills
 Technical skills
WHAT COMPETENCIES DO I
HAVE
 Fair technical skills
 Fair communication skills
GAP ANALYSIS
 Fair technical skills vs. proficient technical skills
 Fair communication skills vs. excellent communication skills (oral
and written, English language)
 Poor leadership, influence and change catalyst skills. Poor
persuasion skills.
 Poor problem solving skills (inexperienced)
 Governance skills, ethics sensitivity – fair
 No book writing skills
 Poor research skills
 No computer programming literacy
STRATEGIES
 Be active in PICPA trainings, if means permits to do so, once
a week training.
 Attend research webinars, training and seminars
 Attend book writing webinars, training and seminars
 When ready, accept ad hoc responsibilities or administrative
functions such as in accounting and internal auditing.
 Get a masters and doctoral degree.
CAREER AMBITION
 Be a nationally recognized professor and practitioner,
improving the lives and profession of students and clients,
professionals and community through instruction, extension
(community) services, research and production
ROAD MAP

MASTER’S
CPA DOCTORAL CIA, CMA
DEGREE

ATTEND TRAININGS, WEBINARS, SEMINARS

 They should:
1. Reflect on their present competencies, identify their job
needs, and perform gap analysis to meet their current skill
requirements.
2. Define their career ambitions, and chart a roadmap to acquire
the skills and competencies needed in the future.
ACQUISITION OF
COMPETENCIES – INTERNAL
AUDIT
 UNIT LEVEL
At the internal audit unit level, department should perform a
skills analysis to identify their present skill repertoire (skills
inventory), and those needed to perform audit and other
reviews competently in the next 3 – 7 years.
INTEGRATED AUDITING
 Integrated auditing is characterized by the simultaneous
inclusion of business and IT subjects in the review. In the
past, traditional auditors would perform a review of
accounting/ financial controls, and IT auditors would perform
assessment of IT risks and controls separately.
 These reviews require coordination so that auditors work
from a single Risk Matrix that identifies all relevant
objectives, risks, controls, and audit steps, the related
documentation crosses over smoothly and the resulting
report is comprehensive in its coverage of operational,
financial and IT subject areas
 FORMAT OF RISK MATRIX
RISKS Control 1 Control 2 Control 3 Control 4
Operational risks
1. OR1  
2. OR2 
IT risks
1. ITR1 
2. ITR2 
Technological risks
1. TR1 
2. TR2 
Environmental
risks 
1. ER1 
2. ER2
Strategic risks:
1. SR1  
2. SR2 
 REASON FOR INTEGRATING IT AUDIT TO
OPERATIONS AUDIT AND FINANCIAL
STATEMENTS AUDIT
Key IT risk that concerns IT Controls Operations auditor
Internal auditors need to evaluate
Data base configuration and Physical security and
security environmental controls and Back-
up procedures
User authentication User, authorization
Operating systems reliability Reconciliations
Network perimeter security Exception reporting
THE STANDARDS
 International Standards for the “I have found these
Professional Practice of Internal documents quite
Auditing (ISPPIA) – guidance for insightful and
internal auditors on: following their
1. What should be done directives has enabled
2. How it should be done me perform numerous
3. Why should it be done audits over the years
with very positive
Adherence to ISPPIA is mandatory. client feedback.”
-Hernan Murdock
1210 - PROFICIENCY
 Internal auditors must possess knowledge, skills and other
competencies needed to perform their individual
responsibilities. The internal audit activity collectively must
possess or obtain the knowledge, skills and other
competencies needed to perform its responsibilities.
“Being qualified upon hire is one thing, internal auditors must make

sure they remain qualified throughout their career. They should

remain proficient in terms of knowledge and skills to perform their

duties effectively. Internal auditors must adopt a learning mindset,

continue to educate themselves, and stay up to date.”

“Being qualified upon hire is one thing, internal auditors must make

sure they remain qualified throughout their career. They should

remain proficient in terms of knowledge and skills to perform their

duties effectively. Internal auditors must adopt a learning mindset,

continue to educate themselves, and stay up to date.”

“one of the greatest assets auditor have Updated Knowledge of
business, industry and
regulatory environment.
is credibility. Credibility cannot be

achieved if the auditor lacks knowledge

about the organization and the linkages Problem Identification and

Solution Skills

between the issues noted, the root

causes of these issues and an Judgment.

(identification of which
matter or risks are relevant
appreciation for the priorities and and significant to
stakeholders)
challenges of the organization.”
 1210.A3 1220.A2
Internal auditors must have In exercising due professional
sufficient knowledge of key IT care, internal auditors must
risks and controls and consider the use of
available technology based technology-based audit and
techniques to perform their
other data analysis techniques
assigned work. However, not
all internal auditors are
expected to have the
expertise of an internal auditor
whose primary responsibility is
IT Auditing.
 Key IT risk that concerns IT Controls Operations auditor
Internal auditors need to evaluate

Data base configuration and Physical security and

security environmental controls and Back-
up procedures

User authentication User authorization

Operating systems reliability Reconciliations

Network perimeter security Exception reporting

TECHNOLOGY-BASED AUDIT
TECHNIQUES
 Internal auditors must also know how to use technology based
audit techniques to better understand and evaluate large
volumes of data collected, how it is manipulated and how the
resulting information is disseminated to relevant stakeholders.
 Using technology-based audit techniques allows auditors to
examine very large amounts of data that would be impossible or
unfeasible to do manually. This is often referred to as computer-
assisted audit tools and techniques (CAATT’s)
 Examples of CAATT’s are ACL, IDEA, Minitab, SAS, and many more
 Microsoft Excel and Access are also very capable tools for a wide
variety of tests.
 Acquiring these skills should commence upon hire and it applies
to auditors of all specialties, not only IT auditors.
1220A3
Internal auditors must be alert to significant risks that might

affect objectives, operations, or resources. However,

assurance procedures alone, even when performed with due

professional care, do not guarantee that all significant risks

will be identified.
1220A3
Internal auditors must be alert to significant risks that might

affect objectives, operations, or resources. However,

assurance procedures alone, even when performed with due

professional care, do not guarantee that all significant risks

will be identified.
THE FUTURE THREATS AND
VULNERABILITIES CAN BE:
Operational Technological Strategic Environmental
• Maintaining • Protection of • Refer to • Reliable supply
Operational intellectual concerns of water and
capacity property and relating to: electricity
• Speed of information Strong • Achieving lower
execution (cycle • Denial of service customer and carbon foot print
time) attacks vendor • Reducing the
• Staffing levels • Business relations amount of
• Employee continuity due to Customer natural
motivation staff turnover loyalty resources used
• Knowledge • System Building during business
transfer development effective activities
• System (define, design, business
development test, implement partnerships
and software Outsourcing
implementation program) arrangements
Mergers and
acquisition
 2120.A1 2130.A1

The internal audit activity must The internal audit activity must evaluate the
evaluate risk exposures relating to adequacy and effectiveness of controls in responding
organization’s governance, and to risks within the organization’s governance,
information system regarding the:
operations, and information systems regarding the:
 Achievement of the organization’s
 Achievement of the organization’s strategic
strategic objectives
objectives
 Reliability and integrity of financial
 Reliability and integrity of financial operational
operational information
information
 Effectiveness and efficiency of
 Effectiveness and efficiency of operations and
operations and programs programs
 Safeguarding of assets  Safeguarding of assets
 Compliance with laws, regulations,  Compliance with laws, regulations, policies,
policies, procedures and contracts procedures and contracts
2130 - CONTROL
 The internal audit activity must assist the organization in
maintaining effective controls by evaluating their
effectiveness and efficiency and by promoting
continuous improvement.
 Keywords What it means
Evaluating internal control Verifying whether controls are
effectiveness able to identify, prevent, correct,
mitigate or eliminate risks and
failure
Efficiency Avoid wasted resources, time or
effort while performing the control
activity
Promoting continuous Always search for faster, cheaper
improvement and better ways of performing
control activities.
2201-PLANNING
CONSIDERATIONS
In planning the engagement, internal auditor must consider:
1. The objectives of the activity being reviewed and the
means by which the activity controls its performance
2. The significant risks to the activity, its objectives,
resources and operations and the means by which the
potential impact of risk is kept to an acceptable level.
COMMENTARY
The standard is one of my favorites, it states that while planning the
engagements, we must consider the objectives of the entity, program, or
process being audited and how management controls its performance, as
well as the risk management procedures in place. Over the years, I have
found that:
 A large number of employees have unclear or unknown objectives
 The programs and processes they work in also lack clear objectives
 When there are objectives, there are often few metrics in place to gauge
the achievement of these objectives
 Risk identification, assessment and management procedures are limited
or nonexistent, so there is no clear mechanisms to ascertain what the
organization does to keep these risks at an acceptable level
“Given these gaps, internal auditors have many opportunities to
add value to their organization while they work on meeting the
requirements of this standard”
2220.A1-SCOPE OF THE
ENGAGEMENT
The scope of the engagement must include consideration of
relevant systems, records, personnel and physical
properties, including those under the control of third
parties.
2310-IDENTIFYING
INFORMATION
 Internal auditors must identify sufficient, reliable, relevant
and useful information to achieve the engagement’s
objectives
 Requirement Description
Sufficiency This means that the auditor needs
enough information, including
quantifiable facts and figures
Reliability The information must be trustworthy
and free from distortion
Relevance This relates to the information being
consistent with the objectives and
scope of the review
Usefulness This relates to the information helping
the organization accomplish its
objectives
Quite often, when clients express confusion, disagreement or
skepticism about the internal auditor’s communication, it is because
the auditor has not met one or more of these four attributes.
2330-DOCUMENTING
INFORMATION
Internal auditors must document relevant information to
support the conclusions and engagement results.

*Internal auditors must make sure that in all aspects of their work, they
base their conclusions and support their communications based on
facts.

*the rigor of their data collection activities, the sophistication of their

analysis, and the maintenance of detailed records of the items
examined and procedures performed, will increase the likelihood that
management will accept the observations presented and be more
inclined to accept the recommendations made.
2410.A2 2420-QUALITY
 Internal auditors are
COMMUNICATO
encouraged to
acknowledge
INS
Communications must be
accurate, objective,
satisfactory
clear, concise,
performance in
engagement constructive, complete
communication. and timely.
EFFECTIVE QUALITY
COMMUNICATIONS
Attributes Meaning
Accurate There are no mistakes or errors in the information
presented
Objective The auditor’s work is focused on facts and informed
judgment, there is no bias involved, the results are
neither inflated nor understated
Clear Easy to understand and interpret.
Concise Brief by using only as many words as necessary
Constructive Serves the purpose of helping the organization
improve its activities and promote advancement
through excellence
Complete Nothing relevant or important is missing
Timely Issued promptly because the value of the message
decreases with time
“Our product is the audit report,
so it must impress the client.”
Psalms 37:4 Matthew 6:33

Delight  But seek first

yourself in the the kingdom of
Lord, and he God and his
will give you righteousness,
the desires of and all these
your heart. things will be
added to you.
END.

Thank you… Thanks be to God