THE INTERNAL AUDIT PROCESS
A COLLABORATIVE EFFORT
Every successful audit is based on sound planning and an atmosphere of constructive involvement and communication between the client and the audit team.
There is no doubt that the process works best when client management and the Internal audit team have a solid working relationship based on clear and continuing communication. We are seeing a strong progression towards using technology to make the internal audit process more effective as these platforms facilitate communications and the flow of information during the course of the audit process.
Although every internal audit is unique, the audit process is similar for most audits and normally consists of four stages:
Client involvement is critical at each stage of the audit process. As in any special project, an audit results in a certain amount of time being diverted from the unit’s usual routine. One of the key objectives is to minimize this time and avoid disrupting ongoing activities. However, at an organizational level, it is hoped that the benefits of the audit will outweigh the various costs.
PLANNING
The internal audit planning process is a critical part of the process.
The internal audit group will typically develop an annual audit plan identifying which units to review over the next 12 months. The annual audit plan is based on:
During the planning portion of the audit for a particular unit, the auditor reviews past internal audit files to identify the critical key risk issues and implications for the business. They also identify the audit personnel with the most relevant skill sets to conduct the audit. Finally, they discuss the scope and objectives of examining the unit in a formal meeting with senior management.
FIELDWORK
Announcement Letter
The client is informed of the audit through an announcement or engagement letter from the internal audit director. This letter communicates the scope and objectives of the audit, the auditors assigned to the project and other relevant information.
Initial Meeting
The internal auditor meets with the senior officer directly responsible for the unit under review and any staff members s/he wishes to include. During the initial meeting, the client describes the unit or system to be reviewed, the organization, available resources (personnel, facilities, etc.), and other relevant information. The auditor must identify issues or areas of special concern that will be addressed during the audit so that the client does not get surprised during the audit.
Preliminary Survey
In this phase, the auditor gathers high-level information about the unit to obtain a general overview of operations and risk issues. Information is collected through discussions with key personnel, reports, reviews, and other information sources.
Internal Control Review
The auditor will review the unit’s internal control structure, a process which is usually time-consuming. In doing this, the auditor uses various tools and techniques to gather and analyze information about the operation. The review of internal controls helps the auditor determine the areas of highest risk and design tests to be performed in the fieldwork section.
The audit program is then developed for the audit. For many organizations there is a pre-existing generic internal audit programme for the unit, but this will be refined and focused based on the initial information gathered.
During this phase, the auditor performs the procedures in the audit program. These procedures usually test the major internal controls. Various techniques, including sampling are used during the fieldwork phase. The auditor uses the test results to determine whether the controls identified during the preliminary review exist and operate in the manner described by the client. The fieldwork stage concludes with developing a list of major and minor findings.
Advice & Informal Communications
As the fieldwork progresses, the auditor discusses any significant findings with the client. Usually these communications are oral. However, in more complex situations, memos and/or e-mails are written in order to ensure full understanding by the client and the auditor of the risk issues and the agreed resolutions. Hopefully, the client can offer insights and work with the auditor to determine the best method of resolving the finding.
Audit Summary
Upon completion of the fieldwork, the auditor summarizes the audit findings, conclusions, and recommendations necessary for the audit report.
REPORTING
Draft Report
After the fieldwork is concluded, the auditor drafts the report. Audit management thoroughly reviews the audit working papers and the discussion draft before it is presented to the client for comment. This draft report is prepared for the unit’s operating management and is submitted for the client’s review before the exit conference.
Exit Conference
During the exit conference, the internal audit team representatives meet with the unit’s management team to discuss the findings, recommendations, and text of the draft report. At this meeting, the client comments on the draft and the group works to agree on the wording of the draft report.
Final Report
The auditor then prepares a final report, considering any revisions resulting from the exit conference and other discussions. The final report is issued when the changes have been reviewed by audit management and the client.
Internal audit prints and distributes the final report to the unit’s management team and to senior management.
Internal audit usually reports to the Board of Directors in most organizations. Accordingly, the Board of Directors typically receives final audit reports, at least in summary form.
Client Response
The client has the opportunity to respond to the audit findings prior to the issuance of the final report. That response is generallty included or attached to the final report. However, if the client is unable to respond prior to the issuance of the final report, the first page of the final report is a letter requesting the client’s written response to the report recommendations. In either case, the client explains how report findings will be resolved and include an implementation timetable.
Client responses to audit reports are usually reported to the Board of Directors at least in summary form.
FOLLOW UP REVIEW
Within approximately one year of the final report, Internal Audit will perform a follow-up review to verify the resolution of the report findings. The client response letter is reviewed and the actions taken to resolve the audit report findings may be tested to ensure that the desired results were achieved. All unresolved findings will be discussed in the follow-up report.
The review will conclude with a follow-up report which lists the actions taken by the client to resolve the original report findings. Unresolved findings will also appear in the follow-up report and will include a brief description of the finding, the original audit recommendation, the client response, the current condition, and the continued exposure.
A discussion draft of each report with unresolved findings is circulated to the client before the report is issued. The follow-up review results will be circulated to the original report recipients.
Follow-up review reports are usually reported to the Board of Directors at least in summary form.
CONCLUSION
Given the steps required to complete and report on an audit, and the volume of material reviewed during the process, leveraging technology to improve communications and the flow of information can help streamline and simplify the audit process. Using a standardized process gives transparency and control over the process. A clear plan and collaborative team approach enable a more constructive internal audit process and outcome.
Click on the button below to download this white paper.
You can find more articles on our website, at Phundex Knowledge Hub, on LinkedIn at Phundex LinkedIn, or for other questions, please email us at: hello@phundex.com.
To book a demo or do a trial, you can either use the link on our website or email support@phundex.com, and they will be happy to set it up for you.
Get a one-to-one demo
Discover how Phundex can streamline your transactions and processes
Copyright Phundex 2024
PHUNDEX UK LIMITED
Registered Office :
128 City Road, London, UK, EC1V 2NX
Trading Office :
68 Summers Road, Godalming, Surrey, UK, GU7 3BE
Phundex Limited is registered in Jersey, Channel Islands, No 131447, Registered with the Information Commissioner’s Office in the UK in compliance with the Data Protection (Charges and Information) Regulations 2018 under registration ZA839762 and in Jersey in compliance with Regulation 4(1) of the Data Protection (Registration and Charges) (Jersey) Regulations 2018 under registration 68186
Phundex UK Ltd is registered in England & Wales No. 12207772, Registered with the Information Commissioner’s Office in the UK in compliance with the Data Protection (Charges and Information) Regulations 2018 under registration ZB285669
Cookie | Duration | Description |
---|---|---|
_GRECAPTCHA | 5 months 27 days | This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks. |
cookielawinfo-checkbox-advertisement | 1 year | Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category . |
cookielawinfo-checkbox-analytics | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics". |
cookielawinfo-checkbox-functional | 11 months | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". |
cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
cookielawinfo-checkbox-others | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other. |
cookielawinfo-checkbox-performance | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance". |
CookieLawInfoConsent | 1 year | Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie. |
elementor | never | This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time. |
viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |
Cookie | Duration | Description |
---|---|---|
ajs_anonymous_id | 1 year | This cookie is set by Segment to count the number of people who visit a certain site by tracking if they have visited before. |
ajs_user_id | never | This cookie is set by Segment to help track visitor usage, events, target marketing, and also measure application performance and stability. |
CONSENT | 2 years | YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data. |
Cookie | Duration | Description |
---|---|---|
VISITOR_INFO1_LIVE | 5 months 27 days | A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface. |
YSC | session | YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages. |
yt-remote-connected-devices | never | YouTube sets this cookie to store the video preferences of the user using embedded YouTube video. |
yt-remote-device-id | never | YouTube sets this cookie to store the video preferences of the user using embedded YouTube video. |
Cookie | Duration | Description |
---|---|---|
__tld__ | session | No description |