Once a company forms an internal audit function, completes the risk assessment process and develops an internal audit plan that is responsive to the risk assessment, it can initiate individual internal audit assignments.
A framework for initiating and executing internal audit projects should include the following actions:
- Confirm the audit assignment (e.g., timing, purpose, scope) with the area or process to be audited (in some cases, it may be appropriate to not announce the audit, but to perform the work on a surprise or unannounced basis).
- Complete appropriate planning for the audit assignment. This includes the following:
  - Assess the risks of the specific area to be reviewed.
  - Develop a written work program.
  - Agree on scope, locations, sample sizes and period under review.
  - Develop a report format that will be effective.
  - Request and receive certain advance information from the area to be reviewed.
  - Access operating information, performance measures, etc., on the area to be reviewed.
  - Review any prior audits of this area by internal audit or other parties, such as regulators, external auditors and consultants.
  - Hold joint planning discussions with management and the process owners of the area to be reviewed.
  - Consider whether self-assessment activities would be helpful.
  - Gather outside information on best practices.
  - Identify the internal audit resources to be assigned to the audit and ensure that they have an appropriate level of experience and competency.
  - Determine if outside resources or guest auditors should be utilized, including information technology resources.
  - Consider formal entrance and closing conferences.
- Execute the actual internal audit work, including an evaluation of the process and control design, as well as testing to determine control operating effectiveness using methods such as inquiry, observation, examination and reperformance. Discuss and clear items noted and potential findings with management and process owners. For consulting engagements, perform agreed-upon work steps to meet the objectives of the assignment.
- Develop a report or other appropriate communication methods responsive to the work completed and findings made. Areas to consider include:
  - An executive summary of major issues and findings
  - Background, objectives and scope
  - Audit findings, including management’s action plan for addressing these findings
  - Other analysis and information, including appendices
The format of internal audit reports varies by company. What is most important is to create an approach that is effective at communicating key issues and achieving positive change and resolution to the issues reported. For example, some companies might find that single-page reports are effective. Others may find that management should respond separately and apart from the audit report itself.
In addition, the circulation of a draft report for discussion is often an appropriate and effective way to refine work and ensure the accuracy of all information in the report.
- Develop an effective method for tracking and following up on the audit findings and agreed-upon actions by management. This may include recording all findings in a database, scheduling follow-up audits or conference calls, or requesting status from the auditee. It may even include having management of the audited area report to senior management and the audit committee. Internal audit should also determine the extent to which the resolution of audit findings should be validated independently.
There is no one-size-fits-all approach to the execution and completion of internal audit work. Internal audit leadership, management and the audit committee should work together to create an approach that is most effective for their respective organizations. The IIA can also provide guidance and a framework to follow.
You can read more on this topic in Protiviti’s Guide to Internal Audit and explore these tools on KnowledgeLeader: