Internal Audit Process (Step by Step)
Although every audit project is unique, the audit process is similar for most engagements and normally consists of four stages: Planning (sometimes called Survey or Preliminary Review), Fieldwork, Audit Report, and Follow-up Review. Client involvement is critical at each stage of the audit process. As in any special project, an audit results in a certain amount of time being diverted from your department's usual routine. One of the key objectives is to minimize this time and avoid disrupting ongoing activities.
During the planning portion of the audit, the auditor notifies the client of the audit, discusses the scope and objectives of the examination in a formal meeting with organization management, gathers information on important processes, evaluates existing controls, and plans the remaining audit steps.
The client is informed of the audit through an announcement or engagement letter from the Internal Audit Director. This letter communicates the scope and objectives of the audit, the auditors assigned to the project and other relevant information.
During this opening conference meeting, the client describes the unit or system to be reviewed, the organization, available resources (personnel, facilities, equipment, funds), and other relevant information. The internal auditor meets with the senior officer directly responsible for the unit under review and any staff members s/he wishes to include. It is important that the client identify issues or areas of special concern that should be addressed.
In this phase the auditor gathers relevant information about the unit in order to obtain a general overview of operations. S/He talks with key personnel and reviews reports, files, and other sources of information.
Internal Control Review
The auditor will review the unit's internal control structure, a process which is usually time-consuming. In doing this, the auditor uses a variety of tools and techniques to gather and analyze information about the operation. The review of internal controls helps the auditor determine the areas of highest risk and design tests to be performed in the fieldwork section.
Preparation of the audit program concludes the preliminary review phase. This program outlines the fieldwork necessary to achieve the audit objectives.
The fieldwork concentrates on transaction testing and informal communications. It is during this phase that the auditor determines whether the controls identified during the preliminary review are operating properly and in the manner described by the client. The fieldwork stage concludes with a list of significant findings from which the auditor will prepare a draft of the audit report.
After completing the preliminary review, the auditor performs the procedures in the audit program. These procedures usually test the major internal controls and the accuracy and propriety of the transactions. Various techniques including sampling are used during the fieldwork phase.
Advice & Informal Communications
As the fieldwork progresses, the auditor discusses any significant findings with the client. Hopefully, the client can offer insights and work with the auditor to determine the best method of resolving the finding. Usually these communications are oral. However, in more complex situations, memos and/or e-mails are written in order to ensure full understanding by the client and the auditor. Our goal: No surprises.
Upon completion of the fieldwork, the auditor summarizes the audit findings, conclusions, and recommendations necessary for the audit report discussion draft.
Working papers are a vital tool of the audit profession. They are the support of the audit opinion. They connect the client’s accounting records and financials to the auditor’s opinion. They are comprehensive and serve many functions.
Our principal product is the final report in which we express our opinions, present the audit findings, and discuss recommendations for improvements. To facilitate communication and ensure that the recommendations presented in the final report are practical, Internal Audit discusses the rough draft with the client prior to issuing the final report
At the conclusion of fieldwork, the auditor drafts the report. Audit management thoroughly reviews the audit working papers and the discussion draft before it is presented to the client for comment. This discussion draft is prepared for the unit's operating management and is submitted for the client's review before the exit conference.
When audit management has approved the discussion draft, Internal Audit meets with the unit's management team to discuss the findings, recommendations, and text of the draft. At this meeting, the client comments on the draft and the group works to reach an agreement on the audit findings.
The auditor then prepares a formal draft, taking into account any revisions resulting from the exit conference and other discussions. When the changes have been reviewed by audit management and the client, the final report is issued.
Internal Audit prints and distributes the final report to the unit's operating management, the unit's reporting supervisor. This report is primarily for internal management use. The approval of the Internal Audit Director is required for release of the report outside the firm.
The client has the opportunity to respond to the audit findings prior to issuance of the final report which can be included or attached to our final report. However, if the client decides to respond after we issue the report, the first page of the final report is a letter requesting the client's written response to the report recommendations.
In the response, the client should explain how report findings will be resolved and include an implementation timetable. In some cases, managers may choose to respond with a decision not to implement an audit recommendation and to accept the risks associated with an audit finding. The client should copy the response to all recipients of the final report if s/he decides not to have their response included/attached to Internal Audit's final report.
Finally, as part of Internal Audit's self-evaluation program, we ask clients to comment on Internal Audit's performance. This feedback has proven to be very beneficial to us, and we have made changes in our procedures as a result of clients' suggestions.
Within approximately one year of the final report, Internal Audit will perform a follow-up review to verify the resolution of the report findings.
The client response letter is reviewed and the actions taken to resolve the audit report findings may be tested to ensure that the desired results were achieved. All unresolved findings will be discussed in the follow-up report.
The review will conclude with a follow-up report which lists the actions taken by the client to resolve the original report findings. Unresolved findings will also appear in the follow-up report and will include a brief description of the finding, the original audit recommendation, the client response, the current condition, and the continued exposure to the firm. A discussion draft of each report with unresolved findings is circulated to the client before the report is issued. The follow-up review results will be circulated to the original report recipients and other company officials as deemed appropriate.
Internal Audit Annual Report to the Board
In addition to the distribution discussed earlier, the contents of the audit report, client response, and follow-up report may also communicated to the Audit Committee of the Board as part of the Internal Audit Annual Report.
The Process: A Collaborative Effort
As pointed out, during each stage in the audit process--preliminary review, field work, audit reports, and follow-up--clients have the opportunity to participate. There is no doubt that the process works best when client management and Internal Audit have a solid working relationship based on clear and continuing communication.
Many clients extend this working relationship beyond the particular audit. Once the audit department has worked with management on a project, we have an understanding of the unique characteristics of your unit's operations. As a result, we can help evaluate the feasibility of making further changes or modifications in your operations.