Principles and Techniques for a Changing World. Hernan Murdock


Operational Auditing: Principles and Techniques for a Changing World. Hernan Murdock. CRC Press, Taylor & Francis Group, Boca Raton, London, New York. CRC Press is an imprint of the Taylor & Francis Group, an informa business. An Auerbach Book.

Contents

Author

1 Definition, Characteristics, and Guidance
Introduction; Definition and Characteristics of Operational Auditing; The Other Parts of the Definition; The Risk-Based Audit; Auditing Beyond Accounting, Financial, and Regulatory Requirements; The Value Auditors Provide; Identifying Operational Threats and Vulnerabilities; The Skills Required for Effective Operational Audits; Integrated Auditing; The Standards; Summary; Questions

2 Objectives and Phases of Operational Audits
Introduction; Key Objectives of Operational Audits; Phases of the Operational Audit; Planning; What Must Go Right for Them to Succeed?; Risk Factors; Fieldwork; Types of Audit Evidence; Testimonial; Observation; Document Inspection; Recalculation/Reperformance; Professional Skepticism; Workpapers; Flowcharts; Internal Control Questionnaire; Condition of Workpapers; Electronic Workpapers; Reporting; Follow-Up; Metrics; People, Processes, and Technology; Summary; Questions

3 Risk Assessments
Introduction; Risk Assessments; Identification of Risks; Measurement of Risks; The Risk Matrix; Assessing Risk and Control Types; The Importance of CSAs; Business Activities and Their Risk Implications; Future Challenges and Risk Implications; Summary; Questions

4 The 7 Es
Introduction; The 7 Es; Effectiveness; Efficiency; Economy; Excellence; Ethics; Equity; Ecology; Implications for Internal Auditors; Summary; Questions

5 Control Frameworks
Introduction; Control Frameworks; The COSO Frameworks: ICF and ERM; Control Environment; Communication, Consistency, and Belief in the Message; Form over Substance; Entity Level Controls; Tone in the Middle; Risk Assessment; Business and Process Risk; Technological and Information Technology Risks; Control Activities; Information and Communication; Monitoring Activities; IT and Its Impact on Organizational Success; COBIT and GTAG; ISO; ITIL; CMMI; Summary; Questions

6 Tools
Introduction; Histograms; Control Chart; Pareto Chart; Cause and Effect (Fishbone, Ishikawa) Diagram; Force Field Analysis; Flowchart/Process Flow Map/Value Stream Map; Common Process Improvement Areas; Takt Time; Eight Areas of Waste; Affinity Diagram/KJ Analysis; Check Sheet; Scatter Diagram; 5S; Seiton; Seiri; Seiso; Seiketsu; Shitsuke; RACI Diagram; Responsible; Accountable (Also Approver); Consulted; Informed; How to Construct a RACI Chart; Communications Plan; Communications Matrix; Suppliers, Inputs, Process, Outputs, and Customers Map; Poka Yoke/Mistake Proofing; Benchmarking; Five Whys; Work Breakdown Structure; Summary; Questions

7 Eight Areas of Waste
Introduction; Eight Areas of Waste; Overproduction; Waiting; Transporting; Unnecessary Paperwork or Processing; Unnecessary Inventory; Excess Motion; Defects; Underutilized Employees; Identifying, Assessing, and Preventing the Occurrence of Muda; Summary; Questions

8 Quality Control
Introduction; Understanding Assertions and Using Quality Improvement Methodologies; The Link between Process Weaknesses and Internal Control; Six Sigma and Lean Six Sigma; ISO 9000 and ISO; Summary; Questions

9 Documenting Issues
Introduction; Using the CCCER/5C Model to Document Findings; Criteria; Condition; Cause; Effect; Recommendation; Making Findings and Recommendations Persuasive; Using Quantitative Methods to Improve the Quality and Impact of Audit Findings; Persuasion and Diversion; Developing Useful, Pragmatic, and Effective Recommendations for Corrective Action; Summary; Questions

10 Continuous Monitoring
Introduction; Continuous Auditing of High-Risk Activities; Data Analysis Software Applications; Using CAATTs to Achieve Operational Excellence; CCM and CCA; Summary; Questions

11 Change Management
Introduction; Identifying and Introducing Adaptive and Innovative Changes; Eight-Step Model; Unfreeze, Change, and Refreeze; Plan-Do-Check-Act; Project Risk Assessment and the Risk of Failure; Understanding and Managing Resistance to Change; The Big Three: People, Process, and Technology; Dysfunctions; Summary; Questions

12 Project Management
Introduction; Project Management; Unique; Temporary; Project Phases; Initiation; Planning; Executing; Closing; Monitoring and Controlling; Keys to Success and Reasons IT Projects Fail; Project Selection; Project Metrics; Project Software; Summary; Questions

13 Auditing Business Functions and Activities
Introduction; Project Management; Contracts and Contracting; Purchasing, Vendor Selection, and Management; Bidding; Pricing; Product Receipt (Quality); Human Resources; Recruitment; Training and Development; Employee Benefits; Employee Termination; Employee Evaluations; Accounting, Finance, and Treasury Operations; Treasury; Payroll; Accounts Payable; Accounts Receivable; Fixed Assets; Inventory; Information Technology; IT Processing Operations; Backups and Storage; IT Access; Personal Devices; Systems Development; Foundations; Auditing Management; Ethics Hotlines; Production

14 The Toyota Production System
Introduction; The 14 Principles; Conclusion; Questions

15 Conclusion
Using Operational Audits to Help Reposition the Internal Audit Function; Developing Operational Talent; Transformation: Becoming Trusted Advisors; Applying Consulting Skills Effectively during Operational Audits; Operational Excellence and Cultural Transformation: Role of Internal Audit

Bibliography

Index