How to Conduct an Effective Internal Audit: Step-by-Step Guide
By Prabh Nair · 2024-03-11
Internal audits play a critical role in ensuring the effectiveness, efficiency, and compliance within an organization. The internal audit process involves several key steps and procedures to identify gaps, assess risks, and improve operations. Let's explore the detailed step-by-step guide to conducting an internal audit.
Internal Audit Process and Procedures
- Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.
- Organizations are commonly described as having three lines of defense: operational management (first line), risk and compliance functions (second line), and internal audit (third line). As the third line, internal audit reports directly to the board of directors, typically through its audit committee.
- The primary objective of internal audit is to identify gaps and risks and to notify the board proactively. It audits processes such as change management, data center operations, and information security with a focus on effectiveness, efficiency, and compliance.
- Internal audit ensures the effectiveness and efficiency of operations, the reliability of financial and management reporting, compliance with laws and regulations, and the safeguarding of assets. It also audits functions such as information security and assurance to confirm that they are aligned with business objectives and stakeholder interests.
- Audit is not just inspection; it provides an independent opinion intended to bring positive outcomes for the organization. It is a constructive process aimed at improving operations and keeping them aligned with the board of directors' perspective.
- The process starts with annual planning: the audit management team plans the audits for the year and releases the audit schedule to the audit teams. Each engagement then opens with an announcement letter.
- When audits cover several locations (the original example uses India), the audit team typically includes financial auditors, process auditors, information security auditors, and IT auditors.
- At the beginning of each year, the internal audit team receives the audit schedule, which lists the processes and locations to be audited. This initial communication sets the stage for the entire audit cycle.
Auditing Process: Announcement Letter and Pre-Audit Meeting
- The first step in the auditing process is the issuance of an announcement letter which informs the organization about the upcoming internal audit.
- The announcement letter includes crucial details such as the scope of the audit, the date and time it will commence, the names of the auditors involved, and the specific areas of the organization that will be reviewed.
- Upon receiving the announcement letter, the auditee is required to provide an acknowledgment, indicating their agreement with the audit scope and their readiness to begin the audit process.
- Following the acknowledgment, a pre-audit meeting is scheduled in which the audit manager and auditors meet the department personnel to explain the internal audit process and gain a thorough understanding of the operations and processes being audited.
- During the pre-audit meeting, the auditors request relevant documents such as policies, standard operating procedures (SOPs), procedure manuals, organization charts, and any other documentation related to the audit.
Understanding the Audit Plan Memorandum (APM) and Risk Control Matrix (RCM)
- The Audit Plan Memorandum (APM) documents the process under audit (change management, in the running example), the possible risks identified, and the audit steps that will be performed.
- The APM is an internal document used for audit preparation and provides visibility to the audit committee if it wants to review the audit function's work.
- It includes the scope of the audit, the timeline, and a list of possible risks identified during review of the standard operating procedure (SOP) documentation.
- The APM is not shared with the auditee; it is a working reference for internal use within the internal audit function.
- The Risk Control Matrix (RCM) is prepared from the risks identified in the APM and lists the controls associated with each risk and the steps for auditing those controls.
- The pre-RCM serves as the primary document for the detailed audit; the controls to be tested are finalized in discussions between team members and the audit manager.
- Fieldwork is then conducted on the basis of the pre-RCM: the SOP documentation is reviewed and a sample of change requests (RFCs, Requests for Change) is examined for compliance with the mandatory parameters.
- Sampling selects a representative number of change requests for review, using the audit function's own sampling calculation (judgmental or statistical sampling), so that an opinion on the whole population can be given from the sampled items.
- The findings from the audit, such as non-compliance with mandatory checks in change request forms, are documented for further action.
Audit Procedure Overview
- During the audit process, several key checks and validations are carried out to ensure compliance with standard operating procedures (SOP) and governance principles.
- One important check is that each RFC (Request for Change) carries a recovery (rollback) plan and, for closed RFCs, that the audit trail confirms the change was implemented as approved.
- Another critical check is whether the SOP has been signed off by the relevant personnel. An SOP without sign-off indicates a lack of governance and accountability.
- Personnel changes are also reviewed, including resignations, transfers, and new hires, to confirm that access rights are updated when individuals move between departments and revoked when they leave the organization.
- The audit extends beyond the SOPs to the whole change management process, including the change management tool itself: segregation of duties, proper approvals, and documentation of the change deliverables.
- Where critical issues are identified during the audit, such as unauthorized access to sensitive data, the appropriate parties must be notified immediately and the finding documented in the audit report.
- When the initial sample does not support a conclusion, the auditors may extend the sample size to gather more evidence.
- If unresolved RFCs are identified, the auditors ask for documented exceptions or business approvals before raising formal findings, and the business justifications are reviewed as part of those findings.
- All findings and evidence collected during the fieldwork are documented and reviewed. Verbal statements are recorded in writing so that the documentation is complete.
- After the fieldwork, a collaborative review is conducted with peers to compare and analyze the evidence collected and identify key concerns or findings that need to be addressed.
- Following the review, a post-RCM (the Risk Control Matrix updated after fieldwork) is prepared, recording the confirmed risks, the audit steps performed, and the evidence obtained on control effectiveness.
- From the post-RCM, a draft audit report is prepared, summarizing the findings, conclusions, recommendations, and action plan requirements. The draft is reviewed internally before being shared with the relevant stakeholders for discussion and action planning.
- The draft report marks a critical point in the audit process, where collaboration and consensus with the auditee are essential for addressing the identified issues and moving towards resolution.
Overview of the Audit Process
- The audit process involves a series of important steps that are crucial for ensuring compliance with legal and regulatory requirements.
- The process begins with an audit announcement letter released by the internal audit, followed by a kickoff meeting to discuss the scope, purpose, and engagement of the audit.
- The engagement includes a pre-audit planning meeting in which the audit team reviews the applicable regulations, SOPs, and other relevant documents to prepare for the fieldwork.
- Internal to the audit function is the Audit Plan Memorandum (APM), a checklist outlining the scope, the process statement, the possible risks, and the name of the auditor.
- A Risk Control Matrix is prepared to address possible risks, controls, and audit steps for the assessment.
- The field work involves meetings, assessments, and notification of critical findings, if any.
- After the field work, a draft report is prepared and shared with the audit management for review and feedback.
- Upon receiving feedback, action plans and recommendations are provided, and once approved, a final report is released to the audited team and relevant stakeholders.
- Follow-up on the audit findings continues until closure is supported by proper evidence; this tracking is part of the administrative work of internal audit beyond the fieldwork itself.
Conclusion:
Conducting an internal audit is a detailed and meticulous process that adds value to an organization's operations. By following the step-by-step guide to internal audit, organizations can proactively identify and address risks, enhance compliance, and improve overall efficiency. With a thorough understanding of the internal audit process and procedures, organizations can ensure effective governance and accountability.