Your organization may face a situation that calls for an internal audit: an internal review to support external auditors, an operational audit to ensure the effectiveness of operations, a compliance audit to make sure your organization complies with policies or regulations, or a fraud investigation that needs to be confidential.
An internal audit could be conducted by the internal audit department or a third party. But how do you conduct an internal audit? What are the process and procedures?
The first step is planning. A good start is half the battle. Whether an internal audit is carried out effectively depends on the planning. What should be done in the planning phase?
- Obtain the background information. In the planning phase, it is important to obtain the background information about the audit. For example, if the audit is a fraud investigation, you should know what happened, who is under suspicion, and what the causes are. If the audit is a compliance audit, you should review the applicable laws and regulations and the relevant policies and procedures of the organization.
- Perform a risk assessment. Each audit should have a risk assessment. An effective risk assessment helps determine which higher-risk areas the audit should focus on.
- Plan the audit schedule. An audit schedule is important because it gives the audit team the deadlines for each audit step and lets the clients (auditees) know the timeline within which they are expected to collaborate. Some people argue that a surprise audit, i.e. a fraud investigation, does not need a schedule. Timing is more important in a surprise audit. You still need a schedule to conduct a surprise audit, but the schedule is less formal and more confidential.
- Select your audit team. Appropriate audit staff with proper knowledge can help to carry out the audit effectively and efficiently.
- Meet with your clients. In the planning phase, you should have initial contact with the clients to gain their input to finalize the scope and the objectives of the audit. Except for a surprise audit, any audit planning should get the clients involved to ensure the audit will provide them value.
- Develop the audit program. Once the scope, objectives and risk areas of the audit have been determined, the audit program should be drafted. You may tweak the audit program in the next phase but do not wait!
The second step is conducting the audit. In this phase, the audit team officially starts the audit by holding a kick-off meeting with the clients to discuss the audit scope, the schedule and the reporting, and to introduce the audit team. The meeting also gives the clients a chance to share their thoughts and concerns, which may require the audit team to tweak the audit program.
After the kick-off meeting, the audit team starts the fieldwork. Fieldwork includes interviewing clients, observing and/or walking through processes, obtaining documents, and reviewing and testing documents. For example, if the audit is a compliance audit on reimbursement, the audit team will review the reimbursement policy and procedures, then require samples of reimbursements to ensure that they are in compliance with the policy.
The third step is reporting. All findings from the fieldwork should be formally documented in a report. The report should briefly state the background of the audit with the scope and objectives, then present the findings with internal audit’s recommendations to mitigate the risks. Findings should be presented in order of risk: high-risk findings first, then medium risk, then low risk. The report needs to be communicated to the clients with a proper deadline for them to respond.
After receiving the responses from the clients, the audit team can finalize the report, incorporating their responses. We will provide more details about how management responds to findings in a downloadable file.
In the reporting phase, a closing meeting with the clients is conducted to discuss any comments and close the audit.
The fourth step is follow-up. The follow-up is a critical step but often gets ignored. Follow-up usually starts six months or one year after the audit to ensure the findings have been corrected. The follow-up phase may include a certain level of fieldwork, i.e. reviewing new processes or testing documents. A follow-up memo needs to be issued to describe the status of findings and indicate if any further action is needed.
In this brief article, we can only provide the structure of the internal audit process. If you want to further discuss each phase, please feel free to contact us.
Emma Zhang is an experienced audit professional with more than six years of internal audit and Sarbanes-Oxley (SOX) compliance experience, focusing on operations, accounting, internal controls and process improvement. Competencies include operational auditing, accounting, management consulting, Sarbanes-Oxley (SOX) compliance, audit planning and risk assessments, operational/financial planning and analysis, and data analysis. Emma is a resourceful, creative thinker and analytical problem solver with a demonstrated ability to independently manage tasks from planning through execution in dynamic, fast-paced, and time-sensitive environments. Emma is a CPA with a CFE certificate. Emma is also a Blackline Certified Implementation Professional and helps clients implement the Blackline system.