Risk-based Operational Audits

Background of Operational Audit:

Operational audit concentrates on seeking out aspects of operations in which waste, inefficiency and
excessive costs would be subject to reduction by the introduction of improvement of operating controls. It
is audit of the performance at mainly operating level i.e. supervisory level. It is also termed as micro level
management audit.

An operational audit (or value-for-money audit) has been defined as an organized search for ways of
improving efficiency and effectiveness.

Objectives of Operational Audit:

The objective is to assist the organization in performing functions more effectively and economically with
focus on the efficiency and effectiveness of operations, it is also stated to be an early warning system for
the detection of potentially destructive problems.

An operational audit can lead to better management of all aspects of business organization whether it is
production area or service area. Traditionally, operational audits have been conducted by means of a
questionnaire interview of departmental employees. Virtually all large companies conduct operational
audits in their major production and service departments. The financial audit tells where the entity was and
where it is on the date of the balance-sheet. However, an operational audit tends to answer the questions
as to why the entity is where it is and how it got there. It means the evaluation of management’s
performance and efficiency. Therefore, Operations Audit is a process to determine ways to improve
production.

It falls into the category of a management service by evaluating the four functions of management: (1)
planning, (2) organizing, (3) directing, and (4) controlling. The operational audit can also be broken down
further as a functional review; for example, Purchasing as a department versus the overall Procurement
operation in coordination with production scheduling and market forecasting. The following table
highlights the salient features of the traditional form of internal audit and operational audit:

Operational Audits Process:

1. Understand the responsibilities and risks faced by the divisions;

2. Assess the level of control exercised by management;
3. Identify, with management participation, opportunities for improving control;
4. Provide senior management with an understanding of the degree to which management has
achieved its responsibilities and mitigated the risks associated with its operations. It includes
 Reliability and integrity of financial and operational information;
 Effectiveness and efficiency of operations;
 Safeguarding of assets;
 Compliance with laws, regulations, and contracts.

Six Phases of Operational Audit:

1. Pre-audit process
  Audit Notification – Inform the units senior management;
 Gather the information using various sources to identify possible components and
concerns.
2. Risk Assessment meeting with auditee
 Meeting with the key managers of the division to be audited;
 Objective of the meeting :
- To obtain confirmation of the components;
- To understand and confirm major concerns of the division;
- Assessment of the importance of each concern (low, medium or high) for each
component by division managers.
- Comparing & Ranking the components and concerns.
- Risk template
- High-risk areas identified by management will be the focus of the audit.
3. Control matrix
- Meet with the division managers to identify the key management objectives and the
key control activities performed;
- Discuss the lack of identification of key controls (control design issues) and document
it;
- Send back the control matrix for confirmation and validation;
- Key controls identified represent the controls to be tested in the next phase.
4. Test Design
- Design the test procedures for the identified key controls;
- Prepare and Document the testing plan;
- Conduct interviews, examine documents and obtain explanations;
- Document the results of the tests, the conclusion, and other proposals;
- Discuss preliminary findings with the division managers.
- The test results become the basis for the first draft of the audit report.
5. Report Drafting
- Produce a draft report and discuss with the management;
- Draft report consists of
a. Memo
b. Conclusion
c. Background information
d. Scope
e. Objectives
f. Proposals
g. Risk template and key controls as an appendix
h. Other appendices
- Discuss & review the report and arrive at an agreed action plans to resolve identified
issues;
- Any management acceptance of risks and differences of opinion are also reported;
6. Final audit report
- Distributed to the manager of an audited unit, to the relevant members of senior
management & Chair of the Audit Committee;
- Components – Represent the principal deliverables of the unit (products, services or
processes);
- Concerns – Represent the events that could prevent the audited unit from achieving its
objectives;
- Controls – Any action taken by management, the board, and other parties to enhance
risk management and increase the likelihood that established objectives and goals will
be achieved. Management plans, organizes, and directs the performance of sufficient
actions to provide reasonable assurance that objectives and goals will be achieved.