Operational Auditing--Fall Today’s Session n BPO selection n Engagement planning n Emphasis on risk related testing
Operational Auditing--Fall BPO Selection n 6 R’s n General methodology n Resource planning
Operational Auditing--Fall Selecting an Auditee “The 6 R’s” n Risk n Resources n Reward n Requests n Requirements n Revisions in operations or mgt.
Operational Auditing--Fall Method of Selection n Set selection strategy n Identify potential BPOs n Rank by risk n Choose entities
Operational Auditing--Fall Sample Selection Strategies n Location n Financial exposure n Operational complexity n Staffing n Mgt. Interest n Functional type n Process type n Decision center
Operational Auditing--Fall Risk Factors n Quality of control system n Mgt. Competence n Mgt. Integrity n Size & liquidity of assets n System changes n Complexity n Personnel changes n Economic performance n Growth rate n Systems use A bit of chicken and the egg, here!
Operational Auditing--Fall Risk Factors, cont. n Time since last audit n Performance pressure n Government regulation n Employee morale n Politics & publicity n Geographic location n External audit plans
Operational Auditing--Fall Risk Analysis Methodology n Select top 5 risk factors n ID risk on scale of 1 to 5 n Total the risk score n Rank in order of risk
Operational Auditing--Fall Project Prioritization & Selection n Rank by risk n Rank by hours n Compare to resources n Re-prioritize as necessary
Operational Auditing--Fall Audit Planning n Establish purpose, objective & scope n KTT--Gather background info n Understand the BPO n Assess risk and related control n Identify and assess potential risks n Identify key controls n Prepare preliminary program that addresses risks and controls n Select resources n Report planning n Contact BPO n Logistics approval
Operational Auditing--Fall Type of Engagement n Financial n Control n Information technology n Compliance n Operations n All or any of the above
Operational Auditing--Fall Nature of Objectives n Purpose of the engagement n Recall the 6 R’s
Operational Auditing--Fall Scope n Degree of coverage n Scope can be based on: n Adequacy of controls n Effectiveness of controls n Quality of performance
Operational Auditing--Fall Understanding the BPO n Know the BPO’s processes n Flow charting n Review routine reports n Identify relevant metrics n Potential for fraud n Quickly analyze the processes before assessing risk n Consider the “O’Brien 7”
Operational Auditing--Fall BPO Analysis—the O’Brien 7 n Mission statement n Objectives and goals n Organization chart n Management recap n Major processes n Resources n Constraints
Operational Auditing--Fall BPO Process Review n Identify the processes n Identify the process objectives or desired outcomes n Identify the related risks n Identify the controls mitigating the risks* n Identify the exception reporting process* n Ensure that overall monitoring of the process exists* *Test these items!
Operational Auditing--Fall Risk and Related Controls n Brainstorm nature and nature of risk n Risk = anything that gets in the way of the BPO’s objectives n Risk of likelihood: RL n Risk of impact: RI n Ascertain any related controls n Design testing based on the results n See pps thru Low, medium or high
Operational Auditing--Fall Resources n Business skills n Assurance skills n Language/cultural skills n Technical skills n Consider SME’s and virtual BPP’s
Operational Auditing--Fall Program Preparation n General segments—see sample workpapers on web site n Audit preparation n Initial survey n Systems review n Detailed operations review (TBD) n Reporting issues n Wrap-up procedures n Use Risk Control Testing approach
Operational Auditing--Fall Expected Outcomes and Reporting n Anticipate findings n Financial misstatements n Control weaknesses n BPO objective issues n Inefficiencies n Compliance failure n Type of report n Report distribution