Operational Auditing Internal Audit and IT Audit Series Editor: Dan Swanson PUBLISHED Operational Auditing, Second Edition Managing IoT Systems for Institutions and Principles and Techniques for a Changing World Cities By Hernan Murdock By Chuck Benson ISBN: 9780367562366 ISBN: 9781138590489 The Complete Guide for CISA Examination Fraud Auditing Using CAATT Preparation A Manual for Auditors and Forensic Accountants to By Richard E. Cascarino Detect Organizational Fraud ISBN: 9780367551742 By Shaun Aghili ISBN: 9780367145613 Blockchain for Cybersecurity and Privacy Architectures, Challenges, and Applications How to Build a Cyber-Resilient By Yassine Maleh, Mohammad Shojafar, Organization Mamoun Alazab, and Imed Romdhani By Dan Shoemaker, Anne Kohnke, ISBN: 9780367343101 and Ken Sigler ISBN: 9781138558199 The Cybersecurity Body of Knowledge The ACM/IEEE/AIS/IFIP Recommendations for a Auditor Essentials Complete Curriculum in Cybersecurity 100 Concepts, Tips, Tools, and Techniques for By Daniel Shoemaker, Anne Kohnke, Success and Ken Sigler By Hernan Murdock ISBN: 9780367900946 ISBN: 9781138036918 Corporate Governance Project Management Capability A Pragmatic Guide for Auditors, Directors, Investors, Assessment and Accountants Performing ISO 33000-Based Capability Assessments By Vasant Raval of Project Management ISBN: 9780367862756 By Peter T. Davis, Barry D. Lewis ISBN: 9781138298521 Why CISOs Fail The Missing Link in Security Management--and How A Guide to the National Initiative for to Fix It Cybersecurity Education (NICE) By Barak Engel Cybersecurity Workforce Framework (2.0) ISBN: 9781138197893 By Dan Shoemaker, Anne Kohnke, and Ken Sigler The Audit Value Factor ISBN: 9781498739962 By Daniel Samson ISBN: 9781138198128 Operational Auditing Principles and Techniques for a Changing World Second Edition Hernan Murdock Second edition published 2022 by CRC Press 6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742 and by CRC Press 2 Park Square, Milton Park, Abingdon, Oxon, OX14 4RN © 2022 Taylor & Francis Group, LLC First edition published by CRC Press 2017 CRC Press is an imprint of Taylor & Francis Group, LLC Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint. Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers. For permission to photocopy or use material electronically from this work, access www.copyright.com or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750- 8400. For works that are not available on CCC please contact [email protected] Trademark notice: Product or corporate names may be trademarks or registered trademarks and are used only for identification and explanation without intent to infringe. ISBN: 978-0-367-56236-6 (hbk) ISBN: 978-0-367-77142-3 (pbk) ISBN: 978-1-003-09693-1 (ebk) Typeset in Garamond by MPS Limited, Dehradun Contents Author.......................................................................................................................................xv 1 Definition, Characteristics, and Guidance.....................................................................1 Introduction.......................................................................................................................1 Definition and Characteristics of Operational Auditing....................................................3 The Other Parts of the Definition...............................................................................9 The Risk-Based Audit......................................................................................................10 Auditing Beyond Accounting, Financial, and Regulatory Requirements.........................12 The Value Auditors Provide.......................................................................................13 Identifying Operational Threats and Vulnerabilities.......................................................17 The Skills Required for Effective Operational Audits.....................................................18 Integrated Auditing..........................................................................................................19 The Standards..................................................................................................................22 Summary..........................................................................................................................29 Questions.........................................................................................................................31 2 Objectives and Phases of Operational Audits.............................................................33 Introduction.....................................................................................................................33 Key Objectives of Operational Audits.............................................................................33 Phases of the Operational Audit......................................................................................35 Planning...........................................................................................................................36 What Must Go Right for Them to Succeed?.............................................................37 Risk Factors................................................................................................................38 Fieldwork.........................................................................................................................40 Types of Audit Evidence.................................................................................................41 Testimonial.................................................................................................................41 Observation................................................................................................................42 Document Inspection.................................................................................................43 Recalculation/Reperformance......................................................................................43 Professional Skepticism...............................................................................................46 Workpapers.................................................................................................................47 Flowcharts...................................................................................................................48 Internal Control Questionnaire..................................................................................50 Condition of Workpapers...........................................................................................51 Electronic Workpapers................................................................................................53 v vi ▪ Contents Reporting.........................................................................................................................55 Follow-Up........................................................................................................................57 Metrics........................................................................................................................58 People, Processes, and Technology..................................................................................61 Summary..........................................................................................................................62 Questions.........................................................................................................................62 3 Risk Assessments...........................................................................................................65 Introduction.....................................................................................................................65 Risk Assessments..............................................................................................................66 Identification of Risks.................................................................................................66 Measurement of Risks.....................................................................................................68 The Risk Matrix.........................................................................................................71 Assessing Risk and Control Types...................................................................................71 The Importance of CSAs.................................................................................................77 Business Activities and Their Risk Implications..............................................................78 Future Challenges and Risk Implications........................................................................82 Summary..........................................................................................................................86 Questions.........................................................................................................................86 4 The 8 Es.........................................................................................................................89 Introduction....................................................................................................................89 The 8 Es..........................................................................................................................90 Effectiveness................................................................................................................90 Efficiency....................................................................................................................91 Economy.....................................................................................................................92 Excellence...................................................................................................................92 Ethics..........................................................................................................................93 Equity.........................................................................................................................96 Ecology.......................................................................................................................98 Emotion....................................................................................................................101 Implications for Internal Auditors.................................................................................102 Summary........................................................................................................................102 Questions.......................................................................................................................103 5 Control Frameworks...................................................................................................105 Introduction...................................................................................................................105 Control Frameworks......................................................................................................106 The COSO Frameworks: ICF and ERM.................................................................106 Control Environment....................................................................................................106 Communication, Consistency, and Belief in the Message........................................109 Form over Substance................................................................................................110 Entity Level Controls...............................................................................................111 Tone in the Middle..................................................................................................115 Risk Assessment.............................................................................................................115 Business and Process Risk.........................................................................................117 Contents ▪ vii Technological and Information Technology Risks...................................................119 Financial Risks..........................................................................................................120 Control Activities...........................................................................................................128 Information and Communication.................................................................................131 Monitoring Activities.....................................................................................................137 IT and Its Impact on Organizational Success...............................................................138 Global Technology Audit Guides (GTAGs).............................................................138 COBIT..........................................................................................................................139 ISO................................................................................................................................140 ITIL...............................................................................................................................141 CMMI...........................................................................................................................143 Summary........................................................................................................................145 Questions.......................................................................................................................146 6 Tools.............................................................................................................................149 Introduction...................................................................................................................149 Histograms.....................................................................................................................150 Control Chart................................................................................................................151 Pareto Chart..................................................................................................................153 Cause and Effect (Fishbone, Ishikawa) Diagram...........................................................157 Force Field Analysis.......................................................................................................161 Flowchart/Process Flow Map/Value Stream Map..........................................................164 Common Process Improvement Areas...........................................................................171 Takt Time.....................................................................................................................172 Eight Areas of Waste.....................................................................................................175 Affinity Diagram/KJ Analysis........................................................................................177 Check Sheet...................................................................................................................178 Scatter Diagram.............................................................................................................181 5S...................................................................................................................................183 Seiton........................................................................................................................183 Seiri...........................................................................................................................183 Seiso..........................................................................................................................184 Seiketsu.....................................................................................................................184 Shitsuke....................................................................................................................184 RACI Diagram..............................................................................................................185 Responsible...............................................................................................................185 Accountable (Also Approver)....................................................................................186 Consulted.................................................................................................................186 Informed...................................................................................................................186 How to Construct a RACI Chart............................................................................186 Communications Plan...................................................................................................187 Communications Matrix................................................................................................188 Suppliers, Inputs, Process, Outputs, and Customers Map............................................188 Poka Yoke/Mistake Proofing.........................................................................................190 Benchmarking................................................................................................................192 Five Whys......................................................................................................................194 Work Breakdown Structure...........................................................................................195 viii ▪ Contents Summary........................................................................................................................196 Questions.......................................................................................................................197 7 Eight Areas of Waste...................................................................................................199 Introduction...................................................................................................................199 Eight Areas of Waste.....................................................................................................199 Overproduction........................................................................................................200 Waiting.....................................................................................................................201 Transporting.............................................................................................................202 Unnecessary Paperwork or Processing......................................................................203 Unnecessary Inventory..............................................................................................204 Excess Motion..........................................................................................................204 Defects......................................................................................................................205 Underutilized Employees..........................................................................................207 Identifying, Assessing, and Preventing the Occurrence of Muda..................................208 Summary........................................................................................................................210 Questions.......................................................................................................................212 8 Quality Control...........................................................................................................213 Introduction...................................................................................................................213 Understanding Assertions and Using Quality Improvement Methodologies.................213 The Link between Process Weaknesses and Internal Control.......................................219 Six Sigma and Lean Six Sigma......................................................................................220 ISO 9000 and ISO 31000............................................................................................224 Summary........................................................................................................................229 Questions.......................................................................................................................229 9 Documenting Issues....................................................................................................231 Introduction...................................................................................................................231 Using the CCCER/5C Model to Document Findings.................................................231 Criteria......................................................................................................................232 Condition.................................................................................................................232 Cause........................................................................................................................233 Effect.........................................................................................................................233 Recommendation......................................................................................................234 Making Findings and Recommendations Persuasive.....................................................235 Using Quantitative Methods to Improve the Quality and Impact of Audit Findings..........................................................................................................237 Persuasion and Diversion...............................................................................................238 Developing Useful, Pragmatic, and Effective Recommendations for Corrective Action.....................................................................................................239 Summary........................................................................................................................239 Questions.......................................................................................................................240 10 Continuous Monitoring..............................................................................................241 Introduction...................................................................................................................241 Continuous Auditing of High-Risk Activities...............................................................241 Contents ▪ ix Data Analysis Software Applications..............................................................................244 Using CAATTs to Achieve Operational Excellence......................................................248 CCM and CCA.............................................................................................................250 Robotic Process Automation, Artificial Intelligence, and Machine Learning................251 Summary........................................................................................................................252 Questions.......................................................................................................................253 11 Change Management...................................................................................................255 Introduction...................................................................................................................255 Identifying and Introducing Adaptive and Innovative Changes....................................255 Eight-Step Model..........................................................................................................256 Unfreeze, Change, and Refreeze....................................................................................257 Plan-Do-Check-Act.......................................................................................................259 Project Risk Assessment and the Risk of Failure...........................................................260 Understanding and Managing Resistance to Change....................................................263 The Big Three: People, Process, and Technology.........................................................267 Dysfunctions.............................................................................................................270 Summary........................................................................................................................271 Questions.......................................................................................................................272 12 Project Management...................................................................................................273 Introduction...................................................................................................................273 Project Management......................................................................................................273 Unique......................................................................................................................274 Temporary................................................................................................................274 Project Phases................................................................................................................274 Initiation...................................................................................................................275 Planning....................................................................................................................279 The Critical Path Method and the Program Evaluation and Review Technique (PERT)...................................................................................280 Executing..................................................................................................................282 Closing......................................................................................................................283 Monitoring and Controlling.....................................................................................283 Keys to Success and Reasons IT Projects Fail...............................................................284 Project Selection............................................................................................................289 Project Metrics...............................................................................................................293 Project Software.............................................................................................................293 Summary........................................................................................................................294 Questions.......................................................................................................................294 13 Auditing Business Functions and Activities..............................................................295 Introduction...................................................................................................................295 Project Management......................................................................................................295 Overview...................................................................................................................295 Important Documents..............................................................................................296 Key Objectives..........................................................................................................296 Key Risks..................................................................................................................296