1. What is Internal Auditing? The Institute of Internal Auditors defines internal auditing as follows:
a. Traditional Definition: Internal Auditing is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization. The objective of internal auditing is to assist members of the organization in the effective discharge of their responsibilities. To this end, internal auditing furnishes them with analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed. The audit objective includes promoting effective control at reasonable cost.
b. Recently Revised Definition: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
2. Are there different types of audits? Yes, there are five basic types of audits as well as other miscellaneous audits:
a. Financial Audit - This type of audit is performed in order to express an opinion on the reliability of information contained in official financial statements prior to publication. External auditors are responsible for conducting required financial audits of the organization. Internal audit may perform some work related to the financial statements that the external auditors rely on, so our role is one of assistance.
b. Operational Audit - It is a comprehensive review of the varied functions within an organization to appraise the efficiency and economy of operations and the effectiveness with which those functions achieve their objectives. Internal controls are reviewed from a cost-benefit standpoint.
c. Compliance Audit - A review of financial transactions and/or operating controls to determine how well they conform with established laws, standards, regulations and procedures.
d. Investigative or Fraud Audit - These audits are performed to investigate incidents of possible fraud or misappropriation of assets.
e. Information Systems Audit - This type of audit addresses the control environment of computer information systems and how they are used. This is a technical review that may include evaluating system input, processing and output controls, data and physical security, contingency planning and disaster recovery, system administration, etc.
f. Miscellaneous audits - This category includes: 1) advisory audits, which are conducted at the specific request of a manager and pertain to any function under his or her responsibility, 2) specific complaint audits, or 3) random records audits.
3. What steps are involved in the audit process? Every audit is unique, and the order in which steps are performed may vary or overlap; however, a formal operational audit would typically include the following:
a. Engagement Memo - Prior to the beginning of an audit, appropriate administrators are notified of the pending audit and apprised of the audit objectives. Certain preliminary information may be requested at this time, such as organization charts, internal office procedures manuals, etc.
b. Planning - During this phase of the audit, background information on the area to be audited is obtained from a number of sources in order to learn as much as possible about the area. Applicable policies and procedures are reviewed, as well as applicable laws and regulations. Any prior audits of the area are also reviewed. Employees may be interviewed and Internal Control questionnaires distributed. An audit plan is prepared.
c. Entrance Conference - This is a meeting between the managers of the area being audited and internal audit personnel. The scope of the audit will be discussed at this meeting, as well as any scheduling concerns. Every reasonable attempt will be made to schedule audit procedures around busy times; we want the audit to disrupt normal operations as little as possible. Managers are given the opportunity to share any concerns that they may have. If there is a particular area of concern that a manager would like to have reviewed, we will include it in our audit plan.
d. Fieldwork - This phase may include interviewing employees, flow charting processes and testing transactions. Some of the work will be performed in the area under audit, and some of the work will be performed in our office. Appropriate managers are kept informed of any findings as the audit progresses.
e. Draft Report - Once fieldwork is completed, a draft of the audit report will be written which will state procedures performed, findings and observations, and any recommendations for improvement. The draft will be provided to the manager in charge of the area under audit and anyone else deemed appropriate by the manager at this stage. Management will be asked to provide written responses to our recommendations that will be included in the final report.
f. Exit Conference - This is a meeting between departmental management and internal audit personnel to discuss the results of the audit and to go over the draft report. If management discovers any factual errors or believes that we have misinterpreted anything, they should inform us at this meeting so that we can make corrections before the report is seen by anyone else. On occasion, there may be items that we don't feel are appropriate to include in the written report but need to be brought to the attention of management. We will discuss any such items during the exit conference and/or include them in a separate management letter.
g. Audit Report - Once any agreed-upon changes are made to the audit report, a draft of the final report will be provided to departmental management that includes their responses to our recommendations. It may be appropriate to include other managers higher on the chain of command at this stage, if not included previously. Once final review and approval is obtained from departmental management, the audit report is distributed. The final report may be addressed to the Board, Audit Committee, CEO/CFO and appropriate managers of the audited area.
h. Follow Up - Audit Services will follow up on all audit findings and recommendations, as time permits, to determine progress made in implementing recommendations. A written status report will be provided to the same individuals who received a copy of the Audit Report. One additional follow-up may be performed if necessary; however, any items not cleared by the time the first follow-up is completed may be referred to the Audit Committee, CEO or CFO.
4. What is included in an audit report? A formal audit report for a routine operational or compliance audit generally includes some or all of the following sections: a) Cover Sheet, b) Executive Summary, c) Table of Contents, d) Background Information, e) Audit Scope & Purpose, f) System of Internal Controls, g) Summary & Conclusions, h) Status of Prior Findings and Comments (if applicable), i) Detailed Findings, Observations & Recommendations (management responses to our recommendations will be included in the final report), and j) any attachments or appendices as appropriate.
A limited procedures audit or review, where we examine one specific item or a very limited number of items, or a review done at the request of management, may be written in the form of an Audit Memorandum as opposed to a formal report and may combine or eliminate some of the above sections. It generally does not include the first three items and is not addressed to the Audit Committee or Board.
An investigative or fraud audit must be tailored to the situation, but will generally include a Background and Scope & Purpose section. The issues or allegations under investigation will be described and details will be outlined. Any applicable rules, regulations, laws or policies are stated. If appropriate, we will state whether an allegation is founded (there is evidence to support the allegation), unfounded (there is no evidence to support the allegation), or unsubstantiated (we cannot determine, based on available information, whether the allegation is founded or unfounded). Finally, when appropriate, recommendations to management for corrective action are included. Depending on the timing of the report, it may also include disposition of the matter.
5. How do you decide what areas should be audited? An audit may be scheduled based on a formal risk assessment process, at the request of the Audit Committee or senior management, or because potential weaknesses in an area have come to our attention, perhaps through spot-checking of transactions conducted on a random basis or through a whistle-blower complaint.
The end result of a formal risk assessment process is a ranking, from highest risk to lowest risk, of "auditable activities" within the organization. An auditable activity could be a functional unit. It could also be an information system such as a payroll system. In the risk assessment process, a number of risk factors associated with the activity are considered, such as: the audit history of the activity, the degree of regulatory compliance and public scrutiny, the degree of reliance on automated systems, the dollar volume and liquidity of assets, the amount of organizational change, and so on. The risk assessment process helps us to decide where scarce audit resources can best be utilized.