10 Steps of the Internal Audit Process
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Audits serve the needs of the business by verifying that company policies are being followed, that information is presented fairly and accurately and by reducing the potential for fraudulent activity. Internal Audits follow specific procedures using nearly similar steps in any organization. The audit process is generally a ten-step procedure as outlined below.
The 10 steps of the audit process begins with notification. The notification process alerts the unit of the organization to be audited of the date and time of the process. The auditor will send a preliminary checklist highlighting the documents that the auditor wishes to review in order to understand the unit of the company. This is the list of documents (e.g. unit’s organization charts, related documentation) that will help the auditor learn more about the unit before planning the audit.
After reviewing the information, the auditor will plan the review, conduct a risk workshop primarily, to identify key areas of risk and areas of concern and draft an audit plan. This step is usually accomplished in a series of meetings with auditing staff. This leads up to the opening meeting between the auditing staff and senior management of the targeted unit. The auditors will describe the process they will undertake. Management will describe areas of concern to them and the schedule of the employees that must be consulted.
The opening meeting should include senior management and any administrative staff of the concern unit that may be involved in the audit. During this meeting, the scope of the audit will be discussed. The time frame of the audit will be determined, and you should discuss any potential timing issues (e.g. vacations, deadlines) that could impact the audit. It doesn't take as much of your time as you might expect!
After the opening meeting, the auditor will finalize the audit plan and begin fieldwork. Fieldwork typically consists of interviewing key staff, reviewing procedure manuals, learning about an the unit’s business processes, testing for compliance with applicable policies, procedures, laws and regulations for reasonableness, testing current business practices by sampling and assessing the adequacy of internal controls related to that particular unit of the organization under audit.
Communication is the next step. The audit team should consistently be in contact with the people concern to clarify processes, gain access to documents and clarify procedures. Throughout the process, the auditor will keep management informed and give them an opportunity to discuss issues noted and the possible solutions.
At the completion of the audit, the next step, the draft audit, is prepared. The draft audit will detail a distribution list of parties to receive preliminary results follow-up date, a general overview of your unit, the scope of the audit, any major audit concerns, the overall conclusion, and detailed commentary describing the findings and recommended solutions. The draft is given to staff in charge of a unit to review, edit and suggest changes, probe areas of concern and correct errors. Upon making final corrections, the report is given to management.
Once the report is finalized the management response will be sought. Management is requested to answer the report. The response consists of 3 components: whether they agree or disagree with the problem, their action plan to correct the problem, and the expected completion date.
The final meeting is designed to close loose ends, discuss the management response and address the scope of the audit. A closing meeting will be held so that everyone can discuss the audit report and review management responses. This is an opportunity to discuss how the audit went and any remaining issues.
The ninth step is the report distribution, where the final report is sent to appropriate officials inside and outside the audit area. The report is distributed to appropriate senior administrators; Distribution of an audit survey to the audited unit of the organization to solicit feedback about the audit is also done at this step. Feedback is important since it helps improve the way audit is to be done in future.
The purpose of the follow-up is to verify that you have implemented the agreed-upon corrective actions. The auditor will interview staff, perform tests, or review new procedures to perform the verification. The unit will then receive a letter from the auditor indicating whether it has satisfactorily corrected all problems or whether further actions are necessary. If further corrective action is required, there will need to write a management response. Otherwise, the issue will be reported as resolved and the next audit cycle begins.