THE INTERNAL AUDIT PROCESS
A COLLABORATIVE EFFORT
Every successful audit is based on sound planning and an atmosphere of constructive involvement and communication between the client and the audit team.
There is no doubt that the process works best when client management and the internal audit team have a solid working relationship based on clear and continuing communication. We are seeing a strong progression towards using technology to make the internal audit process more effective, as these platforms facilitate communications and the flow of information during the course of the audit process.
Although every internal audit is unique, the audit process is similar for most audits and normally consists of four stages:
- reporting, and
- follow-up review.
Client involvement is critical at each stage of the audit process. As in any special project, an audit results in a certain amount of time being diverted from the unit’s usual routine. One of the key objectives is to minimize this time and avoid disrupting ongoing activities. However, at an organizational level, it is hoped that the benefits of the audit will outweigh the various costs.
Planning is a critical part of the internal audit process.
The internal audit group will typically develop an annual audit plan identifying which units to review over the next 12 months. The annual audit plan is based on:
- assessment of risk and control of the various units;
- the relative importance of the various units;
- the need to visit all units on a regular basis;
- availability of resources;
- special projects that may require internal audit involvement.
During the planning portion of the audit for a particular unit, the auditor reviews past internal audit files to identify the critical key risk issues and implications for the business. They also identify the audit personnel with the most relevant skill sets to conduct the audit. Finally, they discuss the scope and objectives of examining the unit in a formal meeting with senior management.
The client is informed of the audit through an announcement or engagement letter from the internal audit director. This letter communicates the scope and objectives of the audit, the auditors assigned to the project and other relevant information.
The internal auditor meets with the senior officer directly responsible for the unit under review and any staff members s/he wishes to include. During the initial meeting, the client describes the unit or system to be reviewed, the organization, available resources (personnel, facilities, etc.), and other relevant information. The auditor must identify issues or areas of special concern that will be addressed during the audit so that the client does not get surprised during the audit.
In this phase, the auditor gathers high-level information about the unit to obtain a general overview of operations and risk issues. Information is collected through discussions with key personnel, reports, reviews, and other information sources.
Internal Control Review
The auditor will review the unit’s internal control structure, a process which is usually time-consuming. In doing this, the auditor uses various tools and techniques to gather and analyze information about the operation. The review of internal controls helps the auditor determine the areas of highest risk and design tests to be performed in the fieldwork section.
The audit program is then developed for the audit. For many organizations there is a pre-existing generic internal audit program for the unit, but this will be refined and focused based on the initial information gathered.
During this phase, the auditor performs the procedures in the audit program. These procedures usually test the major internal controls. Various techniques, including sampling, are used during the fieldwork phase. The auditor uses the test results to determine whether the controls identified during the preliminary review exist and operate in the manner described by the client. The fieldwork stage concludes with developing a list of major and minor findings.
Advice & Informal Communications
As the fieldwork progresses, the auditor discusses any significant findings with the client. Usually these communications are oral. However, in more complex situations, memos and/or e-mails are written in order to ensure full understanding by the client and the auditor of the risk issues and the agreed resolutions. Hopefully, the client can offer insights and work with the auditor to determine the best method of resolving the finding.
Upon completion of the fieldwork, the auditor summarizes the audit findings, conclusions, and recommendations necessary for the audit report.
After the fieldwork is concluded, the auditor drafts the report. Audit management thoroughly reviews the audit working papers and the discussion draft before it is presented to the client for comment. This draft report is prepared for the unit’s operating management and is submitted for the client’s review before the exit conference.
During the exit conference, the internal audit team representatives meet with the unit’s management team to discuss the findings, recommendations, and text of the draft report. At this meeting, the client comments on the draft and the group works to agree on the wording of the draft report.
The auditor then prepares a final report, considering any revisions resulting from the exit conference and other discussions. The final report is issued when the changes have been reviewed by audit management and the client.
Internal audit prints and distributes the final report to the unit’s management team and to senior management.
Internal audit usually reports to the Board of Directors in most organizations. Accordingly, the Board of Directors typically receives final audit reports, at least in summary form.
The client has the opportunity to respond to the audit findings prior to the issuance of the final report. That response is generally included in or attached to the final report. However, if the client is unable to respond prior to the issuance of the final report, the first page of the final report is a letter requesting the client’s written response to the report recommendations. In either case, the client explains how report findings will be resolved and includes an implementation timetable.
Client responses to audit reports are usually reported to the Board of Directors at least in summary form.
FOLLOW UP REVIEW
Within approximately one year of the final report, Internal Audit will perform a follow-up review to verify the resolution of the report findings. The client response letter is reviewed and the actions taken to resolve the audit report findings may be tested to ensure that the desired results were achieved. All unresolved findings will be discussed in the follow-up report.
The review will conclude with a follow-up report which lists the actions taken by the client to resolve the original report findings. Unresolved findings will also appear in the follow-up report and will include a brief description of the finding, the original audit recommendation, the client response, the current condition, and the continued exposure.
A discussion draft of each report with unresolved findings is circulated to the client before the report is issued. The follow-up review results will be circulated to the original report recipients.
Follow-up review reports are usually reported to the Board of Directors at least in summary form.
Given the steps required to complete and report on an audit, and the volume of material reviewed during the process, leveraging technology to improve communications and the flow of information can help streamline and simplify the audit process. Using a standardized process gives transparency and control over the process. A clear plan and collaborative team approach enable a more constructive internal audit process and outcome.