The Internal Audit Process
The most successful audit projects are those in which the client and Internal Audit have a constructive, collaborative working relationship. Our objective is to have client involvement at every stage so our audits meet the client’s expectations and add value to operations.
Although every audit project is unique, the audit process is similar for most engagements. Most audits have four phases:
Once an audit is assigned, the client is notified via a Notification Letter. The purpose of the Notification Letter is to make the client aware that an audit will be occurring and to give a broad objective.
The first step of client involvement is the Entrance Conference. During the entrance conference, we work with the client to refine the audit objective and we discuss the timing and scope of the project. This initial contact with the client is important because it is at this time that the general course of the audit is set. Clients are encouraged to discuss any concerns they have related to the audit objective. We will attempt to address the client’s concerns during the audit. Either before or during the entrance conference, requests are made for department or functional unit information (e.g., organization charts, relevant policies). Finally, we will ask operating management to identify a point of contact to work with the assigned auditors.
Setting the scope of the review is the next step. A walk-through or preliminary assessment of operations is usually a component of the planning process. At this time, we obtain an overall understanding of operations, and the scope and audit program are set based on risks identified during the planning phase. The audit program outlines the audit steps that will be used to achieve the audit objective. Fieldwork begins once the audit program is written.
Fieldwork usually encompasses testing of transactions, interviews, and observations. We will communicate areas noted for improvement during fieldwork. During this phase, the auditor tests the controls identified during the planning phase to determine if they are operating properly. Generally, we do not hold comments until the end of the review; in fact, discussion should occur with the audit clients to determine the most practical and workable means to address deficiencies or areas of non-compliance identified throughout the review. By the time we draft the report, nothing should be a surprise to the department.
Once fieldwork is completed, a report is drafted, and we will have an Exit Conference with the unit's management to explain observations and discuss an agreed-upon corrective action plan that will become part of the final audit report. These management corrective actions will be specific and actionable and will include target dates for implementation. During the Exit Conference, it is important that the department and Internal Audit agree on a reasonable corrective action and the timeline for implementation. Once agreed upon, we issue and distribute the final report to appropriate operating management, executive management, and the Board of Trustees. The Audit Committee of the Board of Trustees reviews all audit reports during Committee meetings.
The Follow-up Process
After the final report is issued, we track action plans for each comment in our audit system. Within a reasonable time of the implementation date, the department will receive a request to provide an update and possibly substantiating evidence to Internal Audit regarding their progress on implementing the action. Spreadsheets, narratives, system implementation progress reports, etc., are usually good resources to support corrective actions taken. Some actions can be closed by providing documentation, some will require a meeting with Internal Audit, and others may require testing of the new process.
Based on the information received or results of additional transaction testing, the auditor assigns one of the following statuses to each comment:
- Implemented - the comment has been addressed by implementing the original corrective action, or the comment has been addressed by implementing an alternate corrective action,
- In Progress - the corrective action has been initiated but is not complete, or the comment has not been addressed but the auditor believes that the department fully intends to address the concern,
- Not Implemented - management has assumed the risk of not addressing the comment, or
- Withdrawn - the comment no longer exists because of changes in the department’s processes.
Internal Audit will continue to follow up on audit recommendations with a status of In Progress. Executive management and the Board of Trustees receive semi-annual follow-up reports.
What is internal control or “internal controls”?
Internal controls are processes established by management designed to provide reasonable assurance that the organization achieves its objectives regarding effectiveness and efficiency of its operations; reliability of financial reporting; and compliance with applicable laws and regulations.
Examples of “internal controls”:
- Providing written policies and procedures
- Requiring proper management review and approvals
- Separating incompatible duties
- Conducting reconciliations and verifications
- Maintaining adequate documents and records
- Physically controlling assets and documents
- Providing independent checks on performance
Internal controls are tools that help ensure that operations are conducted according to plan. Management should be attuned to changes that may cause the effectiveness of a control to be diminished. When this occurs, management should consider altering existing controls or creating additional controls to protect against loss.