Overview of the Internal Audit Process
During this phase, we meet with client management and discuss what they can expect during the audit. We then review information to become knowledgeable about operations. Next, we request materials and meet with team members to learn about:
- The control environment
- Challenges faced by the operations (what can go wrong)
- Any specific operations or concerns they want reviewed
- Control activities in place to address and mitigate those challenges
- Communication and reporting functions
- Monitoring functions
We then meet with our own team members to analyze risks and controls based on the information we learned during discussions with client’s team members. As a group, we determine completeness of the risks, and rate each risk as high, medium or low for probability of occurrence and for potential impact.
We focus our efforts on the areas that present the highest risk to the achievement of organizational objectives. The product of the planning phase is the definition of the specific audit scope and risk-based objectives, which we communicate to the client prior to beginning the audit fieldwork.
We develop a program of audit steps and tests (audit procedures) tailored to assess those objectives developed in the planning phase. We then execute these audit procedures to determine whether controls and processes are operating effectively. As we perform these procedures, we discuss our progress with the clients and inform them of any potential business issues we identify.
Upon conclusion of our audit work, we draft an audit report. The draft report is reviewed extensively within our own department, and then we send the final draft to the client. The client has an opportunity to review the draft and provide comments or additional information, which may be incorporated into the draft. We also obtain the client’s action plans, designation of responsible parties and anticipated completion dates for corrective action for inclusion in the report. The draft, including action plans, is then reviewed by each level of the client’s management. After all reviews are completed, the final audit report is issued.
Once the report is issued, we send the audit contact(s) a confidential survey, so the client can provide us with valuable feedback on our services.
Follow-up on Action Plans
Once target dates for corrective action have passed, we follow up with the client for the status of any corrective action. If corrective action is complete, we will retest, and upon positive test results, we will close out the audit finding record.