Standards like ISO demand some amount of internal auditing. But the management can decide how much more internal auditing is required depending on how much is at stake for the organization. It is possible for you to engage an external, third party auditor to step in if you do not have a competent team of internal auditors. However, having an internal team that can serve as a trusted consultant is always an upside. When internal audit performs an objective analysis of departments, the end result is fewer threats and more savings in compliance costs.
Below is a step-by-step guide that can be followed for an audit.
Step 1: Plan for and create an audit program
Identify what needs auditing and how often:
Depending on the risks you face, the control systems in place, and the requirements on governance, you can have more or fewer audits. If the threats are many or costly, you typically want to audit those risks more often. If you are a finance company, you could audit cash handling and credit card usage fairly frequently, while also auditing cybersecurity, cost saving opportunities, and customer service routinely.
Schedule the audit and notify teams:
It is very helpful to create an audit calendar as this ensures fruitful auditing. Your teams will have more documentation and records to bring to the table, if they know well in advance that they are expected to keep their material ready for a review. Surprise auditing might be helpful, but they may also sow distrust. It is customary to alert teams of scheduled audits with a notification.
Gather information and define the scope:
Part of this step involves gaining sufficient subject matter expertise. If you handle a lot of personal data, for example, you want your auditors to be thorough with the likes of SOX, PCI DSS, HIPAA,FISMA, FedRAMP, as well as business best practices that have a bearing on risk management and control systems. External auditors can be of help, depending on the level of expertise required.
Another part of this step is risk assessment. The inputs and concerns of the leadership are essential here and depending on your business, you want to know your inherent risks and the impact recent regulatory changes have on your operations.
Outlining the objectives and scope of the audit in an entrance meeting is also important. In general, the main objectives of internal audit pertain to the evaluation of risk management systems and internal controls. But specific objectives, such as a 6-month review of financial activity, a vendor assessment for conflict of interest, and a review of company data security, can help clarify the scope and purpose of the audit.
Draft an audit program:
With risk assessment done and the objectives laid out, you can proceed to planning for a fruitful yet cost-effective audit. The program should list out practical elements, such as:
● Audit methodology
● Deliverables like audit report
● Controls to be tested
● Deadlines and timetable
● Modes of communication
Step 2: Focus on fieldwork
On-site fieldwork comprises the evaluation stage of the audit. Internal audit will seek to gather audit evidence through different modes. These include:
- Interviewing staff: Formal and informal questions are asked to key employees and department personnel
- Observing processes and controls: Auditors examine based on what can be touched, seen, and heard to gain reliable evidence
- Reviewing documents: Scanning through records and practices gives auditors an idea of how the internal processes line up with policy requirements
- Performing testing: System tests on physical equipment or management systems help auditors unearth threats and errors
Depending on the scope of the audit, the on-site fieldwork could stretch for days to months. Nevertheless, care must be taken to ensure that disruptions to regular activity is minimized. Further, internal audits may bring up issues as they surface and provide preliminary evaluations. This is beneficial, as informal communication can help the organization adopt recommendations on the go. Proper communication is a vital component of an internal audit. In fact, many rue the fact that poor communication lessens the value of critical information.
It can be helpful to have internal audits categorized risks into high, moderate, low, for instance, and provide audit status updates, in case the audit is long. Once internal audit has satisfactorily gathered audit evidence and all necessary information, it should proceed to documenting results. Systematic recording of findings makes for a better audit report.
Step 3: Issue an audit report
The most important deliverable of the audit is the audit report. The format of the reporting may differ from one organization to another, but the goal of the report is to present the audit findings in a formal manner.
The reporting phase may include these 3 elements:
- Draft report: A promptly prepared draft report provides an opportunity for a collaborative review of the findings with the management or leadership
- Exit meeting: A discussion of the audit issues and recommendations is helpful as it helps incorporate the management response in the final report and also makes the endeavor more actionable
- Final report: A factual, concise, well-organized report with an action plan serves as the vehicle for recommendations being well-received
The reporting step is of great importance and efforts should be taken to ensure that it receives adequate budgeting. The audit report stands as evidence of the audit being conducted and must be signed by senior management.
Step 4: Follow-up after the audit
Many organizations today have a structured process to verify whether the action plan is being implemented or not. If the corrective measures require time, monitoring and follow-ups become necessary. The ISO PCDA (Plan, Do, Check, Act) model supports an ongoing cycle for the improvement of processes and systems. Internal audit can adopt this method to improve upon areas where gaps have been identified.
Organizations also use GRC tools such as VComply to foster a healthy environment of compliance and adequate risk management. The advantage of such a tool is that you can monitor and improve upon control systems and areas of risk in an ongoing manner and in real time too. Moreover, you govern your business better as you are no longer working in silos and with spreadsheets, but organization-wide, with customized software. VComply, for instance, allows you to schedule tests, classify incidents, track progress and more.
Now that you are aware of the basics of conducting an internal audit, venture forth to create a robust and consistent business processes!