Primary navigation:

QFINANCE Quick Links
QFINANCE Reference
Add the QFINANCE search widget to your website

Home > Auditing Best Practice > Incorporating Operational and Performance Auditing into Compliance and Financial Auditing

Auditing Best Practice

Incorporating Operational and Performance Auditing into Compliance and Financial Auditing

by Andrew Cox

What Management Wants

Although there are many internal auditors who still believe their job is to tell management what is wrong but not how to fix it, many more enlightened internal auditors have worked out what management is really seeking. This includes such things as:

  • help in reducing risk;

  • help in improving the business;

  • assurance that appropriate governance is in place and working properly;

  • internal audits that are relevant and timely;

  • internal audits that genuinely add value;

  • more value for the money spent on internal audits.

The Steps in Performing an Operational or Performance Audit

The sequence of an operational or performance audit is likely to be:

  • establish what should be done;

  • establish what is being done;

  • compare “what should” with “what is”;

  • investigate significant differences;

  • assess the effects of the differences;

  • determine the cause of the differences;

  • develop audit findings and value-adding options and recommendations.

While the initial steps may not be very different from a compliance or financial audit, the crucial and value-adding steps are: determining the cause of the differences; and developing audit findings and value-adding options and recommendations.

These are the difficult parts. Most compliance or financial auditors can work out an effect, but trying to isolate the cause can be much harder. Hence, many internal auditors find it easier just to report on what is wrong and avoid trying to identify the root cause of a problem.

Often an internal audit recommendation will be something like “Employees should follow the procedures.” This is lazy internal audit work and not a particularly enlightened recommendation—it is more of a throwaway line. There may be many reasons why an employee is not following procedures. But not many employees will deliberately disobey a procedure unless it is a bad procedure, or something else is preventing them from complying with it.

Partnering with Management

There are a number of ways in which internal auditors can promote their services—in particular the benefits of operational and performance auditing. These may include:

  • Develop an engagement model and get management buy-in.

  • Closely align your internal auditing with the business.

  • Plan a risk-based internal audit program developed with management.

  • Aim to become an integral part of the organization and to help management improve the business.

  • Plan each internal audit with management.

  • Facilitate a frank risk assessment with management and stakeholders for each internal audit.

  • Formulate insightful objectives for each internal audit, not just “throwaway lines.”

  • Ask management to agree and sign off the terms of reference for each internal audit.

  • Consider using technical experts where internal auditors may not have all the necessary skills for an internal audit.

  • Facilitate a workshop with management and stakeholders at the conclusion of an audit to discuss and agree possible improvement options.


As mentioned previously, the real value in an internal audit report is in determining the cause of the differences between “what is” and “what should be,” and developing audit findings and value-adding options and recommendations. This is the essence of what operational and performance auditing is all about.

By working closely with management and stakeholders at the conclusion of the audit to discuss improvement options, possibly using a facilitated workshop approach, a much better outcome can be achieved. After all, the people doing the job know a lot more about it than the internal auditor!

Case Study

It is not difficult to turn a compliance audit into a performance audit. In fact, almost every audit can also be an operational or performance audit. And, by being creative, internal auditors can make their internal audit work more interesting and satisfying.

This case study comes from an internal audit conducted in a utilities company that provides electricity, gas, and water to the community. In this company, field staff work overtime. (Overtime is time worked beyond an established limit: i.e, hours worked in excess of the working hours prescribed in the employment agreement.)

The objectives of the audit were to:

  • determine who had responsibility for overtime and assess whether this arrangement was working effectively;

  • identify the key risks involved with overtime and the mitigation strategies and controls currently in place to manage those risks;

  • identify the extent of overtime worked and test whether the key controls were working effectively to manage the identified risks;

  • ascertain whether overtime requirements were being effectively communicated to managers and staff;

  • review whether management regularly received and acted on feedback on the need for overtime and periodically examined cost-effective alternatives.

The audit covered all the regular auditing matters such as compliance with policy and procedures, sampling and testing overtime calculations, etc., as you would expect in a compliance audit. Since it found that overtime payments were being made correctly in accordance with policies and procedures, the audit was a nonevent. But, with some extra work, analysis of the data showed that:

  • most overtime was worked in the electricity division;

  • overtime was being worked by around a third of employees, with the number of employees who worked overtime increasing;

  • the overall amount of overtime had been steadily increasing in absolute and payroll percentage terms across the organization over the previous four years;

  • the electricity and water divisions had overtime budgets for the next year that were below the budgets for the current year (almost certainly optimistically).

Analysis of the causes revealed that:

  • there was a countrywide shortage of line workers, resulting in the electricity division being unable to recruit sufficient numbers of people with these skills;

  • the electricity division pole replacement program was difficult to run with the number of line workers currently employed by the organization;

  • a serious wildfire had destroyed substantial electricity assets.

Once the causes had been identified, the audit recommendations suggested that the organization consider such things as:

  • developing a longer-term perspective when formulating future industrial plans for the workforce;

  • extending human resources employee self-service to the field employees;

  • extending mobile computing to the field for human resources activities and job costing;

  • further annualizing salaries to include an overtime component;

  • changing the rostering of work crews to true shift work arrangements over 24/7/365.

This added real value to the audit, rather than being a simple compliance audit approach—which would have merely reported that overtime calculations were being made correctly.

Back to Table of contents

Further reading


  • Reding, K. F., P. J. Sobel, U. L. Anderson, M. J. Head, S. Ramamoorti, and M. Salamasick, with C. Riddle. Internal Auditing: Assurance and Consulting Services. Orlando, FL: IIA Research Foundation, 2007.
  • Sawyer, L. B., M. A. Dittenhofer, J. H. Scheiner, and Lawrence B. Sawyer, with A. Graham, and P. Makosz. Sawyer’s Internal Auditing. 5th ed. Orlando, FL: IIA Research Foundation, 2003.


  • Institute of Internal Auditors (IIA). “International standards for the professional practice of internal auditing.” Orlando, FL: IIA. Available from:


Training Courses and Postgraduate Qualifications:

Back to top

Share this page

  • Facebook
  • Twitter
  • LinkedIn
  • Bookmark and Share