The Basics of Internal Audit Management: 4 Essential Steps
The internal audit process can be very complex, but the fundamentals are straightforward with the right internal audit management approach. This article provides some back-to-basics tips for your next internal audit.
An internal audit identifies risks that may prevent an organization from achieving its goals, whatever they may be. For example, private sector companies generally strive to generate profit while school boards seek to educate students and municipal governments try to provide cost-effective essential services.
Your audit plan will vary greatly depending on the organization, its industry and the processes you plan to review.
Consider some of the points below as you plan your next internal audit:
- Communicate the value: When planning an internal audit, ensure members of the group being audited view the audit as a benefit, not a detriment or a chore.
- Schedule diligently: Keep all parties in the loop with all key dates and document requirements.
- Define a detailed audit strategy: Agree on and document the overall audit strategy. This means defining reporting requirements, deadlines, important dates, identified issues from previous engagements, and the names and titles of the audit team members.
- Establish scope: Identify a realistic audit scope to help you avoid scope creep during fieldwork.
- Don’t be limited by the past: If you are auditing an area or process that has been audited previously, consider the results of previous audits but don’t limit yourself to examining only the areas and processes that were issues previously.
- Document communications: Document all audit team discussions. This will help to ensure appropriate communication within the audit team prior to the start of an engagement. Record the attendees, agenda items and agreed-upon action items and keep minutes.
- Assess risk: Perform a risk assessment and use its results to help you determine the areas and processes to audit.
- Gather all documents and data: Collect all required information from the internal client. For example, if your internal audit examines the organization’s financial statements, you’ll want to acquire trial balance and transactions files. If you’re auditing the organization’s policy compliance, you will need to have access to those policies, or copies of them. Request relevant documents early in the planning process, impose strict submission deadlines and underscore the importance of punctuality to your client.
Identify and test controls
In this stage of the audit, start by identifying high-risk areas and ensuring the controls established by the client are performing as intended. This step is important because controls can vary greatly from organization to organization. For example, a software development company might use Jira as their control system to ensure code check-ins are reviewed prior to submission.
It is also important to examine financial controls surrounding expenses, cheques, or procured services to ensure corporate books are well-kept and expensed items are within market rates.
After the controls are identified during the planning phase, it’s time to move on to testing the controls during the fieldwork phase.
The fieldwork phase is where you put your audit plan into action. This is the time to meet with the relevant department leads and other internal personnel to gather the required information.
- Take abundant notes during the fieldwork phase of the internal audit. These will assist greatly if you audit the same area in the future.
- Have appropriate SMEs (subject matter experts) assigned to appropriate audit areas.
- To help ensure there are no surprises, meet with internal audit clients on a regular basis during fieldwork. Communicate any concerns in a timely manner.
An audit report documents findings and recommendations from the internal audit.
Work on your audit report during fieldwork. Take notes along the way. If you wait until all the fieldwork is done to start your report, you can easily miss key information.
To avoid surprises, consider sharing preliminary audit results with internal stakeholders before the final report is due.
Keep the report simple and to-the-point and avoid the passive voice. Include any critical information in a one- or two-page executive overview.
Many practitioners continue to use simple MS Word documents and Excel files during their audits. In fact, in a recent CaseWare IDEA survey of internal audit professionals, nearly 43% of respondents said they complete audits manually using MS Word and Excel (or equivalent) and store their files on a network drive.
In the same survey, only 18% of respondents indicated they use an integrated software solution to automate and manage all aspects of an audit.
This is problematic because there are many steps in an internal audit, and manual approaches needlessly multiply the potential for error, error minimized by streamlined audit management software solutions. For example, PBC (provided by client) documentation is key during the planning stage of an audit. Storing individual Word and Excel PBC documents on a network drive can mean missing or incomplete documentation and poor version control.
Audits can benefit from a combination of best practices and the appropriate audit management software to deliver quick, efficient audits.
John Olley writes about data analytics solutions and their application in auditing with CaseWare IDEA.
CaseWare AnalyticsAI is a risk-based transaction analysis tool that auditors can use to scan transaction sets and find exceptions that might warrant further investigation. Click here for more information and to request a product brochure.