Module 2 – Objectives and Phases

Learning Outcomes:
 Identify and understand the objectives of operational audits
 Differentiate the different phases of audits
 Identify various types of evidence and how they are obtained
 Understand professional skepticism
 Understand the importance of workpapers and its right conditions

Core Value/Biblical Principles:

As auditors, have a wisdom to know where you can make a difference. Also, when performing audits, have
integrity to uphold what is right or wrong despite the external or internal pressures around you. In line with
this, here is a bible verse that you can reflect on regarding this lesson:

Leviticus 19:11- ”You shall not steal, neither deal falsely, neither lie one to another”

(Stop and Think):

 When do audit start? Does it start at the moment that the audit team and management meet for the first
time? What evidence should be obtained to support claims and provide recommendations? In this module,
objectives, risk factors, phases and types of evidence will be discussed. This will provide you and overview
on how audits are performed.
Introduction:
Operational audits have similar goals and phases with other audits. Despite this, operational audits must not
replicate the procedures done and render ineffective and non-value adding reports. Operational auditors must bear
in mind their objectives and follow the different phases of the audit.

Body:

OBJECTIVES OF OPERATIONAL AUDITS

Objectives of operational audits should be clearly defined, communicated and understood by the audit team as
well as the management. These objectives or goals will drive the phases of the audits and may increase the effectivity
of the procedures that will be done. Unclear objectives may bring the audit team the risk of losing track during the
engagement. It may be similar when you are in a locked dark room without any plans of getting out of it or looking for
the light switch.

Management should be involved in setting the objectives to let them know of the implications of the audit to the
business. This will help the audit to be realistic and grounded by making sure that the business can provide the
necessary information to satisfy the objectives.

The objectives of operational audits may be driven by:

1. New Rules

As discussed in the previous chapter, auditors should have knowledge of industry, regulatory and standards
changes. These changes will affect the objectives set for the audit. For example, new rules for corporate social
responsibility are being implemented, the audit should be directed to address the effect of these new rules to the
business. Also, auditors should be aware if the business is unable to comply with the new rules and make
recommendations to the management on how they can conform to them.

2. Poor Performance

Poor performance is a major concern of the management. This may be related to ineffective operations or
workforce. Poor performance will directly affect the efficiency of the operations as well as the mental position of the
workforce. As an example, having ineffective quality control on the products will instill a bad reputation for the
business. This may lead to loss of profits, and worse, bankruptcy. This is usually investigated by internal auditors
and look for and address the root cause.

3. Compliance Issues

This is related to internal control compliance. Management have put controls within the business which are also
tested during operational audits. This is done check for any non-compliance and report suggestions to the
management. This may be critical to the business operations especially when there is collusion between employees
to violate the rules/controls set by the management.
 4. Anomalous Revenues or Expenses

Per initial risk assessment by the audit team, they may notice unusual transactions. These transactions are
common especially when performance is based on the sales/income objectives. For example, bonuses provided to key
executives are directly related with the profit generated per year. The executives have the incentive or motivation to
drive the sales up and may be involved in fraudulent transactions.

Other factors may affect the objectives of the operational audits. These factors will be discovered once the
auditors understand the organization’s structure ‒ technology, policies, separation of powers, accountabilities, business
risks, internal and external changes. Focus of operational audits is reporting on the efficiency, effectiveness and
economy of operations, activities and programs. This focus is sometimes referred to as value for money or performance
auditing.

PHASES OF OPERATIONAL AUDIT

Once the audit team is engaged by the management to perform an audit, they will start on planning the scope
and objectives of the audit. This will be communicated to the management and will proceed with the procedures/testing
to be performed. After testing the relevant controls, the audit team will report on the issues noted and recommendations
to the management. In summary, operational audits follows the flow of traditional audits ‒ planning, fieldwork, and
reporting. Note that these phases may overlap as the need arises and will be discussed in the next sections.

A. Planning

In this phase, auditors perform initial risk assessments. This is usually done with the management and
board of directors. Risk assessments are done at the company level and not at the transaction level. Risk
assessments should generate two outputs: (1) strategic plan and (2) audit plan.

Moreover, scope of the audit is also finalized and discussed with the management. This is based on the
available resources and the needs and priorities of the business. As discussed earlier, objectives of operational
audits should be achievable. Audit budget and timeline is also discussed and agreed with the management.

Usually, interviews with the process controllers are done in this phase. This is done by the auditors to
understand the controls in place, identify what could go wrong (risk) for each control and identify opportunities
for the business as well.

There are several risk factors during the planning phase of audit. Some of these are competence of
employees, extent of judgement, and number of transactions. Employees’ competence and their job description
should match, otherwise, the process may be ineffective and detrimental to the organization. Judgment is
common in organizations especially on estimates (allowance for doubtful accounts, depreciation, etc.). The
higher the extent of judgment, the higher the risk identified by the audit team. This is the same instance for the
voluminous transactions since there is a higher possibility that fraudulent transactions are covered between valid
transactions.
 B. Fieldwork

After setting the goals and scope of the audit, the audit team will start on going to the client’s office for
data gathering to perform the audit. This phase is when the most of the testing is performed and it includes
interviewing, documenting, applying testing methodologies, managing fieldwork and providing status updates. It
consists primarily of two things:

1. Determining process is designed effectively so that the related goals and objectives are likely to be achieved
2. Verify that controls in place are performing as defined by management

As mentioned earlier, phases of auditing may overlap. Auditors, when performing (1) may find that their risk
assessments during the planning phase are understated, will update it to perform procedures to comply with the
updated risk assessments.

C. Reporting

In this phase, results and recommendations are communicated to the management and board of
directors. Internal auditors should quantify their findings by including amounts, values, time since when the
condition has been occurring, how many individuals or organizations are affected, etc. This will help the management
to understand the extent of the issues noted or the effects of the recommendations presented by the auditors.
Usually, deficiencies are focused during reporting. There are 2 types of deficiencies:

1. Design – Process or control structure in place is insufficient to avoid the risks (what could go
wrong?). Controls are set by the management in line with their objectives. As discussed in the
previous chapter, operational audits focus on control deficiencies that affects the company’s
objectives.

2. Operation – Controls designed by the management are not implemented as expected by the
management.

Findings should be reported in the following manner:

1. Criteria – What is expected?

Though it is suggested that auditors make recommendations, they must not spoon-feed the management,
otherwise, it may result to:

 Dependency
 Lack of ownership

After reporting the findings, the audit team should perform follow-up if the recommendations/action points are
being performed by the management, otherwise, the audit will be rendered useless and risks identified will recur in the
next audit period.
TYPES OF AUDIT EVIDENCE

During the audit teams’ fieldwork, they will gather various sets of evidence to verify whether conditions are such
that the operations or program under review is likely to achieve its objectives and procedures in place are working as
designed. In other words, auditors gather evidence to support their work and persuade others that conditions are
satisfactory or not.

The following types of evidence are usually encountered during audits:

1. Testimonial

Testimonials may be verbal (interviews) or written (email or questionnaire). Nowadays, auditors prefer having an
interview with the process owner to save time and ask the appropriate questions. Even though the person where
the information obtained is reliable, this evidence is not the most persuasive one. This should still be
corroborated with another evidence, usually by performing walkthrough, to confirm whether the testimonial is
reliable or not.

2. Recalculation/Reperformance

Auditors usually perform walkthrough of the process that they think needs to be verified. Walkthrough is a
process where the auditor reperforms a transaction from its initiation to reporting. This is done to verify and
corroborate other evidence obtained and check if controls are in place and correctly implemented.

As for recalculation, this is usually done for processes that involves estimation. Usually, the auditors understand
and make estimates using the expectations used by the management and check if the estimates by the
management are within their expectations.

3. Observation

In general, auditors visually examine physical facilities, conditions and practices to verify they exist, their
condition, valuation and protection. This may be done in 2 ways:

- Auditee knows that the auditor is observing

Evidence is more reliable when the observation is done using the first way because individuals tend to modify
their behaviors when they know that they are being observed and their actions may affect the results of the
audit. This is related to social desirability bias where the survey participants answer the questions in a manner
that it will be viewed favorably by others.

4. Document Inspection

Documents that are checked may be internal or external, financial or non-financial documents. Example of
internal documents are company newsletter, minutes of the board meetings, and invoices while external
documents may be third party confirmation, external reports by established and accredited organizations.

The main focus of auditors here is choosing the correct population and selecting appropriate samples by using
the appropriate sampling method.
PROFESSIONAL SKEPTICISM

Professional skepticism is an attitude that includes a questioning mind, being alert to conditions that may
indicate possible misstatement due to fraud or error, and a critical assessment of audit evidence. Auditors should
display healthy professional skepticism and verify the quality and reliability of the information gathered and
used. Auditors must be careful when being skeptic towards a client because too much skepticism may imply that
they do not trust the management and may be detrimental to the engagement.

Auditors do not rely on one type of evidence. Auditors always corroborate if they are unsatisfied with the
information gathered. Corroboration involves obtaining supporting documentation to substantiate claims made or
finding others to verify the accuracy of statements received.

WORKPAPERS

“It is not done if it is not documented.” This is the most common saying when performing audits. All
procedures performed should be documented in workpapers. Workpapers should consist of objective of the
procedure, procedures performed and conclusion. It should be neat, easy to read, review and appearance should
be uniform. Readers of that workpaper should be able to fully understand and can reperform the procedures
performed and arrive at the same result. Accessibility of these workpapers should limited to the members of the
audit team.

In operations audit, since the focus is internal controls, most documentations are in narrative format.
This may provide full detail of the process under review and is simple to prepare. However, this can be too
detailed and may be irrelevant if the process or control is too complex, difficult to visualize and confuse the
reader if it is too long. To resolve this, flowcharts are being widely used when auditing controls.

Flowchart is a diagram of the sequence of movements or actions of people or things involved in a process
or activity. They are easy to understand since the shapes used are simple.