Courtesy: ISO 9001lead auditor training
Audit project selection or “annual audit plan”
Based on the risk assessment of the organization, internal auditors, management and oversight boards determine where to focus internal auditing efforts. This focus or prioritization is part of the annual/ multi-year annual audit plan. The audit plan is typically proposed by the CAE (sometimes with several options or alternatives) for the review and approval of the audit committee or the board of directors. Internal auditing activity is generally conducted as one or more discrete assignments.
It should be adapted to the specific purpose of audit, and the selection of audit method must be adapted to its specific purpose. Otherwise, it will deviate from the purpose of the audit.
Internal audit execution
A typical internal audit assignment involves the following steps:
- Establishing and communicating the scope and objectives of the audit to appropriate members of management.
- Developing an understanding of the business area under review – this includes objectives, measurements & key transaction types and involves interviews and a review of documents – flowcharts and narratives may be created, if necessary.
- Describing the key risks facing the business activities within the scope of the audit.
- Identifying management practices in the five components of control used to ensure that each key risk is properly controlled and monitored. An internal audit checklist can be a helpful tool to identify common risks and desired controls in the specific process or specific industry being audited.
- Developing and executing a risk-based sampling and testing approach to determine whether the most important management controls are operating as intended.
- Reporting issues and challenges identified and negotiating action plans with the management to address these problems.
- Following-up on reported findings at appropriate intervals. Internal audit departments maintain a follow-up database for this purpose.
Audit assignment length varies based on the complexity of the activity being audited and internal audit resources available. Many of the above steps are iterative and may not all occur in the sequence indicated.
In addition to assessing business processes, specialists called information technology (IT) auditors review information technology controls.
Internal audit reports
Internal auditors typically issue reports at the end of each audit that summarize their findings, recommendations, and any responses or action plans from management. An audit report may have an executive summary – a body that includes the specific issues or findings identified and related recommendations or action plans, and appendix information such as detailed graphs and charts or process information. Each audit finding within the body of the report may contain five elements, sometimes called the “5 C’s”:
- Condition: What is the particular problem identified?
- Criteria: What is the standard that was not met? The standard may be a company policy or other benchmark.
- Cause: Why did the problem occur?
- Consequence: What is the risk/negative outcome (or opportunity foregone) because of the finding?
- Corrective action: What should management do about the finding? What have they agreed to do and by when?
The recommendations in an internal audit report are designed to help the organization achieve effective and efficient governance, risk and control processes associated with operations objectives, financial and management reporting objectives; and legal/regulatory compliance objectives.
Audit findings and recommendations may also relate to particular assertions about transactions, such as whether the transactions audited were valid or authorized, completely processed, accurately valued, processed in the correct time period, and properly disclosed in financial or operational reporting, among other elements.
Following are the steps about how continuous improvement can be achieved through audit findings.
- Develop CAPAs to address quality issues.
- Train users or employees to develop effective audit processes or procedures.
- Maintain steady and healthy relation with suppliers, vendors, users, auditors and audit bodies.
Under the IIA standards, a critical component of the audit process is the preparation of a balanced report that provides executives and the board with the opportunity to evaluate and weigh the issues being reported in the proper context and perspective. In providing perspective, analysis and workable recommendations for business improvements in critical areas, auditors help the organization meet its objectives.
Quality of internal audit report
- Objectivity – The comments and opinions expressed in the report should be objective and unbiased.
- Clarity – The language used should be simple and straightforward.
- Accuracy – The information contained in the report should be accurate.
- Brevity – The report should be concise.
- Timeliness – The report should be released promptly immediately after the audit is concluded, within a month.