8 Steps To Performing An Internal Audit
Internal Audit
MAY 27, 2015 BY PATRICIA LOTICH
5. Be Prepared
The auditor should come prepared with an understanding of
policies and procedures and a list of items that will be
reviewed. For example, an HR audit may focus on employee
files and I-9 compliance. The more prepared the auditor is, the
more efficient the process will be and the less downtime there
will be for the area being reviewed.
6. Interview Users
The auditor should interview employees and ask them to
explain their work process. Compare the process, as the
employee explained it, to what the written policy says. This
step is to gain an understanding of employee competence and
identify areas that need additional training.
7. Document Results
Document the results, including any differences between practice
and the written policies, noting when policies are complied with and
when they are not. This may also include other information
that is gathered from the interview process. Again, the goal is
to identify gaps in compliance and to figure out a way to bridge
that gap.
8. Report Findings
Create an easy-to-read audit report. These reports should be
reviewed with senior management and an improvement plan
should be developed for areas that have gaps in practice
compliance. Using a FOCUS PDCA model can help facilitate a
structured process for implementing this type of improvement.
Planning Phase
In the planning phase, the audit staff reviews any past audit work, looks over
literature on the area being reviewed, and makes a preliminary review of the unit's
budgeted and actual revenues and expenses. The auditors also formulate the audit
scope and objectives on which they base the fieldwork phase. The planning phase
also includes an introductory meeting to discuss objectives, timelines, and other
important information that can ease the internal audit process. At this time, the
audit staff may request a few pieces of information, such as an organization chart, a
contact list and literature describing the unit’s procedures, if available.
Fieldwork Phase
In the fieldwork phase, typically the lengthiest part of the audit, the audit staff
gathers information about the auditee's operations, gains an understanding of the
unit's functions, and identifies both strengths and weaknesses. This work includes
reviewing financial activity, administrative and business procedures, overall unit
functions, and other activities specific to each section in the unit. The audit staff
interviews key personnel, observes unit procedures, and periodically reviews the
audit progress with the unit's heads and personnel. Ultimately, this phase allows the
audit staff to identify areas of risk and concern in the unit's internal controls and
procedures, all of which are discussed with the auditee before or at the conclusion
of the fieldwork.
Reporting Phase
In this phase, all fieldwork results are compiled, presented and discussed with the
client. The client must provide action plans with timeframes that address all
recommendations. A final summary report then goes to Senior Management and the
Audit Committee for review.
Follow-up Phase
Based on timeframes in the action plans, a follow-up is performed to ensure that the
required measures have indeed been implemented.
Audit Procedures & Techniques for an Internal Audit
by Jackie Lohrey, studioD
Recalculating completed financial transactions is an assessment technique during most internal audits.
A semi-annual or annual internal audit is a common method used to assess the effectiveness of a business’s internal
control system. Unlike an external audit, which focuses on determining whether financial statements conform to
generally accepted accounting principles, an internal audit focuses on uncovering internal control weaknesses and
evidence of fraud, waste or abuse. Internal audit procedures and techniques are essential to effective
risk-management implementation.
Audit Procedures and Objectives
The main objective of an internal audit is to assess and, when necessary, improve the effectiveness of internal
business controls, risk-management plans and overall business processes. Audit procedures typically start by
assessing current processes and procedures. Auditors then analyze and compare results against internal control
objectives to determine whether audit results comply with internal policies and procedures as well as federal and
state rules and regulations. As a final step, auditors compile an audit report to present to the business owner.
Assessment Techniques
Assessment techniques are designed to ensure internal auditors fully understand internal control procedures and
determine whether employees are complying with internal control directives. Auditors try to avoid disrupting the
daily workflow by starting the internal audit process using indirect assessment techniques. These include reviewing
existing documentation such as flowcharts, manuals and departmental control policies. Creating audit trails that
trace specific processes from start to finish is another common assessment technique. Techniques in the second
phase, including one-on-one interviews and process observations, are techniques internal auditors use if audit trails
or document reviews don’t fully answer auditors' questions.
Analysis Techniques
Internal audit analysis techniques include substantive procedures that are designed to determine whether work
products contain data entry errors or whether financial statements contain misstatements. Analysis techniques can be
used to test random data or target specific data if an internal auditor feels an internal control process is at risk.
Substantive procedures include, but aren’t limited to, transaction matching, a physical inventory count, audit trail
calculations and recalculating already-reconciled financial statements such as a monthly bank reconciliation.
Reporting Procedures
A final internal audit report marks the end of the internal auditing process. Although reporting always includes a
formal report, it can also include a preliminary or memo-style interim report. An interim report generally includes
sensitive or significant results the auditor feels are necessary to share immediately with the business owner. A final
report is significantly more formal and includes a summary of the procedures and techniques used in completing the
audit, a description of audit findings and suggestions for changes or improvements to internal controls and control
procedures.
About the Author
Based in Green Bay, Wisc., Jackie Lohrey has been writing professionally since 2009. In addition to writing web
content and training manuals for small business clients and nonprofit organizations, including ERA Realtors and the
Bay Area Humane Society, Lohrey also works as a finance data analyst for a global business outsourcing company.
I have been reviewing the trends for how people find my website, and a large number of you appear
to be very interested in my auditing schedules and other audit-related topics. Therefore, this week’s
blog is dedicated to training auditors on the process approach.
First, the process approach is just a different way of organizing audits. Instead of auditing by clause
or by procedure, you audit each process. Typical processes include:
1. Design & Development
2. Purchasing
3. Incoming inspection
4. Assembly
5. Final Inspection
6. Packaging
7. Sterilization
8. Customer Service
9. Shipping
10. Management Review
11. CAPA
12. Internal Auditing
There are two reasons why the process approach is recommended. First, the process
approach identifies linkages between processes as inputs and outputs. Therefore, if there is
a problem with communication between departments the process approach will catch it. If
only a procedural audit is performed, the lack of communication to the next process is often
overlooked. Second, the process approach is a more efficient way to cover all the clauses of
the ISO Standard than auditing each clause (i.e., the element approach).
My rationale for the claim of greater efficiency is simple: there are 19 required procedures in
the ISO 13485 Standard, but there are only 12 processes identified above. The “missing”
procedures are actually incorporated into each process audit. For example, each process
audit requires a review of records as input and outputs. In addition, training records should
be sampled for each employee interviewed during an audit. Finally, nonconforming
materials can be identified and sampled at incoming inspection, in assembly processes,
during final inspection, during packaging, and even during shipment.
The tool that BSI uses to teach the process approach is the “Turtle Diagram”. The following
picture illustrates where the name came from.
Process Auditing – “Turtle Diagram”
The first skill to teach a new auditor is the interview. Each process audit should begin with
an interview of the process owner. The process owner and the name of the process are
typically documented in the center of the turtle diagram. Next, most auditors will ask, “Do
you have a procedure for ‘x process’?” This is a weak auditing technique, because it is a
“closed-ended,” or yes/no, question. This type of question does little to help the auditor gather
objective evidence. Therefore I prefer to start with the question, “Could you please describe
the process?” This should give you a general overview of the process if you are unfamiliar
with it.
After getting a general overview of the process, I like to ask the question: “How do you know
how to start the process?” For example, inspectors know that there is material for incoming
inspection, because raw materials are in the quarantine area. I have seen visual systems,
electronic and paper-based systems for notifying QC inspectors of product to inspect. If
there is a record indicating that material needs to be inspected—that is the ideal scenario. A
follow-up question is, “What are the outputs of the inspection process?” Once again, the
auditor should be looking for paperwork. Sampling these records and other supporting
records is how the process approach addresses Clause 4.2.4—control of records.
The next step of the process approach is to “determine what resources are used by incoming
inspection.” This includes gages used for measurement, cleanliness of the work
environment, etc. This portion of the process approach is where an auditor can review
calibration, gowning procedures, and software validation. After “With What Resources,” the
auditor then needs to identify all the incoming inspectors on all shifts. From this list the
auditor should select people to interview and follow up with a request for training records.
The sixth step of the process is to request procedures and forms. Many auditors believe that
they need to read the procedure. However, if a company has long procedures this could
potentially waste valuable time. Instead, I like to ask the inspector to show me where I can
find various regulatory requirements in the procedures. This approach has the added benefit
of forcing the inspector to demonstrate they are trained in the procedures—a more effective
assessment of competency than reviewing a training record.
The seventh and final step of the turtle diagram seems to challenge process owners the
most. This is where the auditor should be looking for department Quality Objectives and
assessing if the department objectives are linked with company Quality Objectives.
Manufacturing often measures first pass yield and reject rates, but every process can be
measured. If the process owner doesn’t measure performance, how does the process owner
know that all the required work is getting done? The seventh step also is where the auditor
can sample and review monitoring and measurement of processes, and the trend analysis
can be verified to be an input into the CAPA process.
In my brief description of the process approach I used the incoming inspection process. I
typically choose this process for training new auditors, because it is a process that is quite
similar in almost every company and it is easy to understand. More importantly, however,
the incoming inspection process does a great job of covering more clauses of the Standard
than most audits. Therefore, new auditors get a great appreciation for how almost all the
clauses can be addressed in one process audit.
If you have questions, or you would like a copy of the turtle diagram I use for documentation
of audits, please submit a request on my website contact us page.
Six Steps to an Effective Continuous Audit Process
Establishing priority areas and determining the process' frequency are two of the six steps
that internal auditors and senior managers need to take into consideration before making
the switch to continuous auditing.
Carlos Elder de Aquino, February 01, 2008
Meta Control
Continuous auditing also tends to be dynamic in nature (i.e., the auditor can turn continuous audit processes on and
off based on current system loads by reconfiguring these activities according to the internal audit plan). Therefore, by
monitoring particular configurable items, continuous auditing provides an additional level of controls and acts as a
meta control.
For example, a bank can issue an alarm under pre-specified circumstances to the bank manager's supervisor
whenever loans reach a pre-authorized level. This activity then increases the level of controls that can be configured,
such as by including the choice to have an alarm issued and under which circumstances.
Identify the critical business processes that need to be audited by breaking down and rating risk areas.
Understand the availability of continuous audit data for those risk areas.
Evaluate the costs and benefits of implementing a continuous audit process for a particular risk area.
Consider the corporate ramifications of continuously auditing the particular area or function.
Choose early applications to audit where rapid demonstration of results might be of great value to the
organization. Long extended efforts tend to decrease support for continuous auditing.
Once a demonstration project is successfully completed, negotiate with different auditees and internal audit
areas, if needed, so that a longer term implementation plan is implemented.
When performing the actions listed above, auditors need to consider the key objectives from each audit procedure.
Objectives can be classified as one of four types: detective, deterrent (also known as preventive), financial, and
compliance. A particular audit priority area may satisfy any one of these four objectives. For instance, it is not
uncommon for an audit procedure that is put in place for preventive purposes to be reconfigured as a detective
control once the audited activity's incidence of compliance failure decreases.
5. Following Up
Another type of parameter relates to the treatment of alarms and detected errors. Questions such as who will receive
the alarm (e.g., line managers, internal auditors, or both ― usually the alarm is sent to the process manager, the
manager's immediate supervisor, or the auditor in charge of that CAP) and when the follow-up activity must be
completed, need to be addressed when establishing the continuous audit process.
Additional follow-up procedures that should be performed as part of the continuous audit activity include reconciling
the alarm prior to following up by looking at alternate sources of data and waiting for similar alarms to occur before
following up or performing established escalation guidelines. For instance, the person receiving the alarm might wait
to follow up on the issue if the alarm is purely educational (i.e., the alarm verifies compliance but has no adverse
economic implications), there are no resources available for evaluation, or the area identified is a low benefit area
that is mainly targeted for deterrence.
6. Communicating Results
A final item to be considered is how to communicate with auditees. When informing auditees of continuous audit
activity results, it is important for the exchange to be independent and consistent. For instance, if multiple system
alarms are issued and distributed to several auditees, it is crucial that steps 1-5 take place prior to the communication
exchange and that detailed guidelines for individual factor considerations exist. In addition, the development and
implementation of communication guidelines and follow-up procedures must consider the risk of collusion. Much of
the work on fraud indicates that the majority of fraud is collusive and can be performed by an internal or external
party. For example, in the case of dormant accounts, both the clerk that moves money and the manager that receives
the follow-up money may be in collusion since the manager's key may have to be used for certain transactions.
Additional Considerations
Besides the six steps described in the previous section, two additional issues that emerge when implementing
continuous auditing are the infrastructure needed for the process to work and its impact on the workplace.
Organizational Infrastructure
Because continuous auditing is a part of the company's audit function, it must be kept independent of management.
Therefore, during the planning stages, auditors need to keep in mind the process' independence when designing its
structure. For instance, a typical internal audit department is structured so that areas of the department focus on
different cycles or business activities. In addition, the department may be divided into financial and IT audit functions.
Sometimes, however, IT audit activities are incorporated as part of existing IT operations. In organizations such as
these, the development of continuous auditing is usually delayed because the activity may not get the necessary
development priority. Regardless of whether IT audit activities are part of the organization's IT or internal audit
department, the organization must maintain the process' independence as well as allocate resources in support of
continuous audit activities.
Impact on Personnel
In addition, the audit manager in charge of the continuous audit process should have a more technical understanding
of IT as well as extensive experience with the activities being audited. However, hiring, training, and retaining auditors
who can implement and monitor continuous audit activities might be challenging due to the scarcity of internal
auditors with knowledge in the area. Furthermore, the continuous audit process might create a daily stream of issues
that need to be resolved, which might prove stressful given current personnel resources, and might require the
continuous audit manager to exert adequate authority in moments of exceptions.
Final Thoughts
While more organizations are progressively implementing continuous auditing ― and, along the way, improving the
quality of the data gathered during each audit ― auditors and managers that are looking to implement a continuous
audit approach need to be willing to move beyond their traditional yearly audit activities. Although not a lot of
guidance exists today about the best ways to implement a continuous audit process, as with any major change, the
evolution toward continuous auditing will take time and substantial attention from senior management.