Thank you to those who joined us for our April 29th policyIQ solution-focused session, “Internal Audit (Beyond SOX)”, which focused on developing and implementing a successful Operational Audit program. Special thanks to David Doney, Vice President of Internal Audit at Sirva, Inc., who delivered a well-rounded presentation on Operational Audit best practices from his experience. If you were not able to attend the session, we’ll try to re-present the highlights and direct you to related materials here.
If you’d like to gather more information and guidance on your Operational Audit program development, please contact us and we’ll help to connect you with the policyIQ or Resources representative to help you on your way!
Review the “Internal Audit (Beyond SOX)” Session On-Demand
We have made the recording of the session available for you to review at your leisure (note that we cannot award CPE credit for reviewing the recording). Visit our training page to see this and other solution-focused sessions or click here to launch the webinar immediately.
Recap of our Operational Audits session and related materials:
What is an Operational Audit?
- Focus on operational objectives (delivering value to customers)
- Customer Service
- Efficiency / Productivity
- Safeguarding of Assets
- Not financial reporting accuracy or Legal / Regulatory compliance; may overlap
- Tailoring to business-specific risks is necessary; there is no generic audit approach
Operational Audit Sequence: (notice the familiar Top-down Risk-based Approach)
We have added an Operational Audit chapter to the online policyIQ Help guide with guidance to support you to get started with your implementation. In addition to the slides presented in the training session, you will find definitions and guidance on the process of developing your program as well as detailed examples of Templates, Folders, Groups and Reports within Help. To launch directly to the Operational Audit section within Help, you may click on the image below.
Practice, Practice, Practice
Do you have access to the policyIQ Practice site? We have a generic “play place” for you to create sample content, forms, reports and to experience the process of moving content through the workflow. We will be adding our Operational Audit examples to the Practice Site this week. If you would like to access to the Practice site, send us an email to let us know and we’ll get you set up! Keep in mind that we will “refresh” this Practice site periodically—so any content that you create in the site will not be saved.
Attendees’ Chat Questions and our Responses
There were a handful of questions “chatted” in to our co-presenter, David Doney. We have compiled the questions and answers (some that we did not have time to share during the session) below:
Q: Do you typically perform the Operational and financial reporting tests at the same time? Do you perform a lot of continuous audit routines?
A: (David Paraphrasing) At Sirva, they work on those distinctly – because the objectives of the audit are very different. However, David does acknowledge that for some organizations it may make sense to do some of that together. (For example, if your organization has many locations and you have to test at a lot of locations, it might make sense to have the testing happen at the same time.)
Regarding “continuous auditing” – David acknowledged that there is a lot of discussion in the discipline regarding exactly what is meant by “continuous auditing”. Sirva does perform account reconciliations in policyIQ with the ability to report at any time and to know if people are compliant. This is the closest thing David has experienced to “continuous auditing”.
Q: Time-savings – how has policyIQ saved you time in Operational Audits?
A: (David, Paraphrasing) While it might take a bit more time up front to set up, the savings comes in when you can easily access the information – through reporting. If you keep the information up to date with bi-annual updates, you don’t have to go through the same difficult process of gathering the information each year.
Q: How does aging and reporting of open items (deficiencies) occur?
A: (David) We have an “Audit Report Date” field in the deficiency template that is “day zero.” We age from the date the final report was issued. We can then use the current date to age each item in Excel. We also have a “Status” field for each deficiency that indicates open, implemented or remediated. Twice per year we run reports in Policy IQ that we extract to excel that give us all the necessary inputs to generate the graphs I showed in the presentation. You need both the prior period and current period reports to complete the graphs on status, as you have essentially two snapshots and must back into the differences. It takes one person about two days to generate this reporting, do the aging in excel, and prepare the graphs for the audit committee.
Q: I just wanted to confirm that it’s still not possible to export this view to Excel (the grid view of the Detail Link report)?
A: No, it is not currently possible to export the grid view of the Detail Link report. However, you can export the Detail Link report results from the table view into Excel. The data is the same, but the format or layout is a bit different.
Q: David mentioned that first year implementation is time consuming. If one assumes that planning, systems documentation update takes approximately 25% of total project time. How much additional implementation time would be needed (e.g., twice as much, more???)? How much training is needed to get staff up to speed?
A: Answer directly from David –
a) Training: I think 12 hours of formal PIQ training for staff is appropriate. Eight hours should focus on completing the pages (building content), tailored to the template structure you want to use. I suggest building the templates and instruction guides for the fields first (management team working with PIQ consultant) so you can teach staff to add content in the format you prefer during the training class.
Reporting is more complex and would require another four hours. Not everyone needs to know how to create reports from scratch, just how to run the various key reports with slight modifications. That should be the focus of the four hours of report training for staff…modifying the key canned reports like control matrices to the process they are working on or running deficiency reports. You should have a designated admin who invests say a couple of days shadowing the PIQ consultant and creates the canned reports your department will use as templates with the PIQ consultant looking over their shoulder.
b) Daily audit time: This depends on how much additional data you want to capture in PIQ versus what you captured manually or in another tool. I would say planning for each process takes about 20% longer in the first year than it normally would, to populate the additional information. So if you budgeted 100 hours of planning time for a new project in the past, budget 120 hours during the first year to document that process in PIQ. You will save time in workpaper review, status reporting, handoffs among auditors, etc. immediately, but planning time will go up. On the second audit of the same scope, you can just send the control matrix to the client for an update, so planning time is minimal.
Additional example from policyIQ Account Manager: In a specific Operational Audit example from this year, the client spent one week planning with their Account Manager and discussing the ideal configuration for their Programs, Scope Areas, Locations, Processes, etc. In week two, the client worked through the remainder of the project plan with guidance from the policyIQ Account Manager: set up Templates and Folders in policyIQ, prepared Excel templates for importing content (populating policyIQ Pages), and reviewed relevant reports. In the following week, the client point of contact walked auditors through the policyIQ process (this client had been previously using policyIQ for Internal Audit and was expanding to Operational Audits, so internal training required was minimal).
We can help you to get on the right track!
Let us know if you have questions that we have not yet addressed—and tell us how we can support you to move forward with your Operational Audit implementation. We will absolutely respond to all inquiries and will provide you with, or direct you to, the necessary resources.