![]()
Part I:
Understanding Operational Auditing
![]()
Chapter 1
Approaches to Operational Auditing
DEFINITIONS OF āOPERATIONAL AUDITINGā
Business processes often step across the frontiers between sections within a business, requiring high standards of coordination between different organisational parts. Control is often weaker where coordination is required between sections that are organisationally separate. Internal auditors are likely to be more productive if they focus considerable attention to the points of interface between organisational parts where coordination is required but is more difficult to achieve than within a single section of the business. Furthermore, internal auditors are likely to be more productive if a significant proportion of the audit engagements they perform are of natural business processes that step across the businessās organisational frontiers. We state this up front as it is so important, and we shall explore this innovative audit approach in detail in Chapter 2 when we have established some fundamentals in this chapter.
The term āoperational auditingā conjures up different images for internal auditors. It may be used to mean any of the following:
The audit of operating units such as manufacturing plants, depots, subsidiaries, overseas operating units, and so on. While the audit scope may cover only accounting, financial and administrative controls it may be broadened in scope to cover the administrative and operational controls, risk management and governance processes of the operating unit under review. To impose general scope limitations for internal audit activities is inconsistent with the global Standards of The Institute of Internal Auditors (www.theiia.org).
The audit is how the functional areas of a business (such as sales, marketing, production, distribution, HR, etc.) account for their activities and exercise financial control over them. This meaning of operational auditing acknowledges that the internal auditing activity should review all the operational areas of the business, but too narrowly specialises in the audit of accounting and financial controls. It is likely to imply that the internal auditing activity is representing only the finance director or the chief accountant in providing assurance about accounting and financial control across the business.
The audit of any part of the business (operating unit, functional area, section, department or even business process, etc.) where the audit objective is to review the effectiveness, efficiency and economy with which management is achieving its own objectives. Depending upon how broadly one defines internal control, the approach to operational auditing goes further than a review of detailed internal control procedures since managementās objectives are not achieved merely by adhering to satisfactory systems of internal control.
The classic management writers, Koontz, OāDonnell and Weihrich, endorsed this approach to operational auditing:
An effective tool of managerial control is the internal audit, or, as it is now coming to be called, the operational audit ā¦ Although often limited to the auditing of accounts, in its most useful aspect operational auditing involves appraisal of operations generally ā¦ Thus operational auditors, in addition to assuring themselves that accounts properly reflect the facts, also appraise policies, procedures, use of authority, quality of management, effectiveness of methods, special problems, and other phases of operations.
There is no persuasive reason why the concept of internal auditing should not be broadened in practice. Perhaps the only limiting factors are the ability of an enterprise to afford so broad an audit, the difficulty of obtaining people who can do a broad type of audit, and the very practical consideration that individuals may not like to be reported upon. While persons responsible for accounts and for the safeguarding of company assets have learned to accept audit, those who are responsible for far more valuable thingsāthe execution of the plans, policies and procedures of a companyāhave not so readily learned to accept the idea.1
SCOPE
A key issue for a business and its internal audit function to decide upon is whether the scope of internal audit work in an operational area of the business should be restricted to a review of the appropriateness of, and extent of compliance with, key internal controls or should be a more comprehensive review of the operation generally.
The Committee of Sponsoring Organizations (COSO) view of internal control rightly sees one of the three objectives of internal control as being to give āreasonable assuranceā of āeffectiveness and efficiency of operationsā:
Internal control is broadly defined as a process, effected by the entityās board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations.
- Reliability of financial reporting.
- Compliance with applicable laws and regulations.2
So COSOās broad view of internal control is that internal control (i.e. management control) is everything that management does in order that there is reasonable assurance the business will achieve all of its objectives. A narrower view of internal control is that it is only one of a number of facets of managementāamong others being planning, organising, staffing and leading. It is true that these facets overlap and an internal audit which intends to focus more narrowly on key internal controls is likely to need to address planning, organising, staffing and/or leadership issues to some extent, since deficiencies in these may weaken control. But there will be many aspects of planning, organising, staffing and leading which are neutral in their effect on the functioning of key controls but which contribute to providing reasonable assurance of the achievement of efficient and effective operations.
The important issue is whether internal audit may legitimately draw managementās attention to deficiencies in planning, organising, staffing and leading which, while not weakening the design and operation of key controls, nevertheless impede the achievement of objectives more generally. In the past internal audit was often defined as the independent appraisal of the effectiveness of internal control. The Institute of Internal Auditorsā current (2009) definition of internal auditing, subscribed to globally, is that:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organizationās operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.3
So, should an enlightened enterprise restrict internal audit to narrow internal control matters, or should internal audit be encouraged to review and report on any matters which may be unsound? Differing positions are adopted in different enterprises. The middle-of-the-road approach is to encourage internal audit to interpret its mission as being the appraisal of internal control (in all its component parts,4 in all operational areas of the business and at all levels of management). If during the course of audit work, other matters are noted which should be of management concern but do not directly have a control dimension, internal audit should be encouraged to report on them.
Beyond the consideration of the point of focus for audit reviews of operational areas, the audit function will have to define those aspects of the organisation which are to be subject to review. In practice, of course, this will vary considerably between organisations, and will be related directly to the nature of the business and the way the organisation is structured. For example, a multinational pharmaceutical company may have its principal manufacturing bases and research and development activities in only those few countries where the economic and commercial environments are most suitable, whereas sales and marketing operations (of varying scale) may exist in every country where there is a proven market for the products.
Although the focus of operational auditing is likely to be on those activities which are most strongly as...
