What Are Operational Audits?

“A systematic process of evaluating an organization's effectiveness, efficiency and economy of operations under management's control and reporting to appropriate persons the results of the evaluation along with recommendations for improvement.”

While an audit is usually associated with financial matters, operational audits are more comprehensive and go beyond financial data (although that type of reporting is often included). The primary information sources are policies and achievements related to the objectives of the organization.  

 

Operational audits are a ‘deep dive’ into every facet of management. As a result, start-to-finish time frames can vary from a few weeks to many months, depending on scope, complexity, and size of the organization, and whether the audit is for the entire entity or a particular business unit. Unlike financial audits, which are conducted by external entities, operational audits are often carried out by an internal auditor.

What Is the Objective of an Operational Audit?

1. Integrity: Withstand pressures that may be exerted and take care to comply with any legal requirements.  
   
2. Fair Presentation: Present all results fairly and report significant concerns.
   
3. Due Professional Care: Use diligence, due care, and reasoned judgements in every situation.
   
4. Confidentiality: Keep information secure, and protect confidential or sensitive information.
   
5. Independence: Maintain impartiality and keep actions and reporting bias-free.
   
6. Evidence-Based: Depend on a fact-based approach to reach reliable conclusions.
   

Benefits of Organizational Audits

1. The Individual can continuously improve their ability to apply knowledge and skills to deliver the intended results.
   
2. The End User or Consumer receives more cost efficient and high-quality products or services.
   
3. The World benefits from a better, more sustainable future.
   

1. Influence Positive Change: Understand how future processes, policies, procedures, and other types of management are producing maximum effectiveness and efficiency.
   
2. Review Internal Controls: Establish the potential impact of successes and failures in the specialized functional areas of operation.
   
3. Understand Risks: The type of risks associated with business and operational risk range from business interruption, employee omissions or errors, IT system failure, product failure, safety and health issues, loss of key employees, fraud, loss of suppliers, and litigation.
   
4. Identify Improvement Opportunities: As a result of understanding risks, auditors can determine where to make improvements and how to mitigate risks and improve opportunities. The broad categories of risk - and where improvements should occur - are operational risk, financial risk, environmental risk, and reputational risk.
   
5. Inform Senior Management: The results of the audit should appear in a clear report that provides objective analysis, appraisals, recommendations, and pertinent comments concerning the activities reviewed.
   

Operational Audit Challenges

Different Types of Operational Audits

1. Financial Audits or Review: Financial audits focus on financial controls as they relate to reporting to internal and external governing bodies. Financial statement auditing is the bailiwick of external auditors. Internal audits complement the work of operational audits, which includes some form of budget, or a financial review.
   
2. Operational Audits: As noted, operational audits focus on the review and assessment of single or multiple business processes.
   
3. Department Reviews: Different departments or divisions may run a periodic analysis to assess the adequacy of controls, how well assets are safeguarded, how resources are used, and if there is compliance with applicable laws.  
   
4. Information System (IT) Audits: Information systems audits investigate overall infrastructure and networks, technical operations, data center operation, project management, and review security status and procedures.
   
5. Investigative Audits: When a company suspects a risk of security breach, or when one has occurred on the part of an individual or department, there is often an investigative audit to understand causes and additional background information and research.
   
6. Compliance Audits: Compliance audits review the level of compliance with external regulatory requirements or internal policies.
   
7. Marketing Audits: A marketing audit is a broad, precise, and autonomous probe into the marketing of a company or a business. An audit holds both an external situation analysis and a thorough review of internal marketing goals, strategies, capabilities, processes, and systems. The result is actionable recommendations to improve progress toward stated goals. 
   
8. Follow-Up Audits: After an operational audit report has been issued, it is standard practice to follow up to evaluate corrective actions, usually within a six month period.
   

Operational Audit Process and Checklist

1. Establishing Objectives: Base objectives on management goals and priorities. Consider the characteristics of products, projects, processes, and any changes to them. Take into account management system requirements, contractual and legal requirements, and other requirements. Evaluate suppliers and the needs and expectations of interested parties, including customers. Take into account the auditee’s level of performance, risks, previous audit results, and the maturity of the management system being audited.
   
2. Establishing the Audit Program: Identify the responsibilities of the audit program manager and establish his or her competence of the person. Determine the scope and potential risks, then set procedures and identify resources.
   
3. Implementing the Audit Program: Define the objectives, scope, and criteria, and select the audit team members and assign responsibility to the audit team leader. Manage the outcome and records.
   
4. Monitoring the Audit Program: Assess conformity with the program, schedule, and objectives, and then assess the performance of the audit team members and the ability of the audit teams to implement the plan. Evaluate feedback of all stakeholders. Some factors can determine the need to modify the program, including audit findings, the demonstrated level of management system effectiveness, and changes to the auditee’s management system, standards, and other requirements.
   
5. Reviewing and Improving the Audit Program: Evaluate if objectives have been achieved. Use lessons learned as inputs for continual improvement. The review should consider results and trends, conformity with procedures, the evolving needs and expectations of interested parties, records, alternative or new auditing methods, the effectiveness of the measures to address associated risks, and confidentiality and information security issues relating to the audit program.
   

1. Initiating the Audit: Establish initial contact with the auditee and any designated leaders. Determine the feasibility of the audit and review the assignment to ensure the objectives are achievable.
   
2. Preparing Audit Activities: Review pertinent documents. Prepare the audit plan, assign work as needed, and organize necessary action plans and documents.
   
3. Conducting Audit Activities: Conduct a meeting to confirm that all parties agree to the proposed plan. Introduce team members to management and each other. Double check that you can perform the audit actions defined in the plan as intended. Review documents as needed throughout the process. The team should regularly meet to review and exchange information, assess progress, and reassign work if necessary. 
   

1. Collecting and Verifying Information: After you receive the audit documents, review the information sources. Audit the evidence and evaluate it against the audit criteria. Review conclusions.
   
2. Generating Audit Findings: The findings will conform or not conform with audit criteria. For a non-conforming finding, record the supporting evidence. Review the information with the auditee to ascertain if the evidence is correct. The team should meet to review findings at designated and/or appropriate audit stages.
   
3. Conducting the Audit Activities: Before the closing meeting to review findings, the audit team should confer and collect information against objectives. The team should agree on conclusions, prepare recommendations, and discuss follow-up. Have a closing meeting facilitated by the team leader to present the findings and conclusions.
   
4. Preparing and Distributing the Audit Report: The team leader reports the results with a complete, accurate, concise, and clear audit record, and delivers it within the agreed period. In case of a delay, auditee and program manager should discuss why it happened. The report must be dated, reviewed, and approved based on agreed upon procedures. Distribute the report as defined in the plan to the appropriate recipients.
   
5. Completing the Audit: Work is complete when all planned audit activities are accomplished. Documents are kept or destroyed based on the procedures and applicable requirements set at the beginning of the audit. If disclosure is necessary, inform the audit client and auditee as soon as possible. Add lessons learned from the audit to the continual improvement process.