Every successful internal audit is based on sound planning and an atmosphere of constructive involvement and communication between the client and the auditor. I see quite a few audit organizations that include a Web-based explanation to their clients how the audit process works. The purpose of providing this page is for those audit organizations that have not explained to their clients how, in general, the audit process works. It also is designed to provide a resource for sharing tools and techniques for each of the distinct phases of the audit process.
Internal Audit Process
Although every audit project is unique, the audit process is similar for most engagements and normally consists of four stages: Planning, Fieldwork, Audit Report, and Follow-up Review. Client involvement is critical at each stage of the audit process. As in any special project, an audit results in a certain amount of time being diverted from your department’s usual routine. One of the key objectives is to minimize this time and avoid disrupting ongoing activities. Following are some sample flowcharts of the process from other organizations that you may find helpful:
During the planning portion of the audit, the auditor notifies the client of the audit, discusses the scope and objectives of the examination in a formal meeting with organization management, gathers information on important processes, evaluates existing controls, and plans the remaining audit steps.
The client is informed of the audit through an announcement or engagement letter from the Internal Audit Director. This letter communicates the scope and objectives of the audit, the auditors assigned to the project and other relevant information.
During this opening conference meeting, the client describes the unit or system to be reviewed, the organization, available resources (personnel, facilities, equipment, funds), and other relevant information. The internal auditor meets with the senior officer directly responsible for the unit under review and any staff members s/he wishes to include. It is important that the client identify issues or areas of special concern that should be addressed.
The opening conference should be held to gather information about the mission, critical processes, and control procedures of the unit to be used in the preliminary survey process. The auditor uses this information to determine an appropriate objective and scope for the audit. The auditor should prepare an opening conference e-mail confirming the appointment. The e-mail should briefly state the announcement of the audit; the date, time, and place of the opening conference; the purpose of the opening conference; and the desire to resolve any questions regarding the tentative draft objective and scope.
Audits with a surprise component, such as investigative audits, cash counts, etc., may not have opening conferences. If a considerable amount of fieldwork will be completed after the surprise component, an opening conference should be conducted after the surprise work is finished.
The opening conference is an important step in a regular audit. It is an opportunity to establish the proper tone and to begin building good relationships. Explain the who, what, where, when, why, and how for those who have not been exposed to the audit process.
During the opening conference:
- Provide and discuss the Office brochure.
- Explain that our audit will focus on evaluating their business and financial procedures in regard to internal controls and good business practices.
- Emphasize that the purpose of an audit is to help improve controls and operations, not to find something wrong.
- Review the objective(s) and scope of the audit, encouraging management to discuss any aspect of the audit.
- Ask for suggestions of potential client problem areas within the audit scope. This communicates an intention of being helpful rather than critical.
- Determine what assistance from personnel other than those attending the opening conference is needed to answer detailed questions concerning the functions being performed. Contact should be made via the “Chain of Command” until an understanding with the appropriate manager is established.
- Explain how audit concerns (observations) are handled. Explain that concerns will be reviewed with the designated client at the time they arise and identify who will be responsible for reviewing the audit concerns. Explain the purpose of discussing each audit concern is to verify that both the facts defined in the concern and the impact of the concern are accurate. Some findings may be resolved orally.
- Establish how frequently the department head/director wants to be updated on audit progress and findings.
- Explain we will review the draft audit report in detail at the exit conference. Explain to the client that Internal Audit will request a formal response from management to the audit report within approximately 30 days after issuance of the final report if concurrence with the audit comments or the implementation dates are missing.
- Explain that a copy of the final audit report will be sent to the Audit Committee (or other appropriate staff) (this list will be reviewed at the exit conference).
- Explain that any information obtained during the audit is considered confidential.
- Inquire about working hours, working area, access to records, and any other information that details the office routines. This information may have considerable influence on the cooperation extended to the audit staff.
- Identify information needed to complete the audit procedures.
- Establish a tentative schedule for the draft report based on the budgeted project hours. The purpose is to establish a goal to work toward and to provide the client an estimate of the time we will be in the client area.
- Ask if there are any questions concerning anything discussed at the opening conference or any questions in general about the auditor or audit approach that will assist the clients in their understanding of the audit project.
In this phase the auditor gathers relevant information about the unit in order to obtain a general overview of operations. S/He talks with key personnel and reviews reports, files, and other sources of information.
Internal Control Review
The auditor will review the unit’s internal control structure, a process which is usually time-consuming. In doing this, the auditor uses a variety of tools and techniques to gather and analyze information about the operation. The review of internal controls helps the auditor determine the areas of highest risk and design tests to be performed in the fieldwork section.
Internal Audit Program
Preparation of the internal audit program concludes the preliminary review phase. This program outlines the fieldwork necessary to achieve the audit objectives.
The fieldwork concentrates on transaction testing and informal communications. It is during this phase that the auditor determines whether the controls identified during the preliminary review are operating properly and in the manner described by the client. The fieldwork stage concludes with a list of significant findings from which the auditor will prepare a draft of the audit report.
After completing the preliminary review, the auditor performs the procedures in the audit program. These procedures usually test the major internal controls and the accuracy and propriety of the transactions. Various techniques including sampling are used during the fieldwork phase.
Advice & Informal Communications
As the fieldwork progresses, the auditor discusses any significant findings with the client. Hopefully, the client can offer insights and work with the auditor to determine the best method of resolving the finding. Usually these communications are oral. However, in more complex situations, memos and/or e-mails are written in order to ensure full understanding by the client and the auditor. Our goal: No surprises.
Upon completion of the fieldwork, the auditor summarizes the audit findings, conclusions, and recommendations necessary for the audit report discussion draft.
Working papers are a vital tool of the audit profession. They are the support of the audit opinion. They connect the client’s accounting records and financials to the auditor’s opinion. They are comprehensive and serve many functions.
Internal Audit Report
Our principal product is the final report in which we express our opinions, present the audit findings, and discuss recommendations for improvements. To facilitate communication and ensure that the recommendations presented in the final report are practical, Internal Audit discusses the rough draft with the client prior to issuing the final report.
At the conclusion of fieldwork, the auditor drafts the report. Audit management thoroughly reviews the audit working papers and the discussion draft before it is presented to the client for comment. This discussion draft is prepared for the unit’s operating management and is submitted for the client’s review before the exit conference.
When audit management has approved the discussion draft, Internal Audit meets with the unit’s management team to discuss the findings, recommendations, and text of the draft. At this meeting, the client comments on the draft and the group works to reach an agreement on the audit findings.
The auditor then prepares a formal draft, taking into account any revisions resulting from the exit conference and other discussions. When the changes have been reviewed by audit management and the client, the final report is issued.
Internal Audit prints and distributes the final report to the unit’s operating management, the unit’s reporting supervisor, the Vice President for Administration, the University Chief Accountant, and other appropriate members of senior University management. This report is primarily for internal University management use. The approval of the Internal Audit Director is required for release of the report outside of the University.
The client has the opportunity to respond to the audit findings prior to issuance of the final report which can be included or attached to our final report. However, if the client decides to respond after we issue the report, the first page of the final report is a letter requesting the client’s written response to the report recommendations.
In the response, the client should explain how report findings will be resolved and include an implementation timetable. In some cases, managers may choose to respond with a decision not to implement an audit recommendation and to accept the risks associated with an audit finding. The client should copy the response to all recipients of the final report if s/he decides not to have their response included/attached to Internal Audit’s final report.
Finally, as part of Internal Audit’s self-evaluation program, we ask clients to comment on Internal Audit’s performance. This feedback has proven to be very beneficial to us, and we have made changes in our procedures as a result of clients’ suggestions.
Within approximately one year of the final report, Internal Audit will perform a follow-up review to verify the resolution of the report findings.
The client response letter is reviewed and the actions taken to resolve the audit report findings may be tested to ensure that the desired results were achieved. All unresolved findings will be discussed in the follow-up report.
The review will conclude with a follow-up report which lists the actions taken by the client to resolve the original report findings. Unresolved findings will also appear in the follow-up report and will include a brief description of the finding, the original audit recommendation, the client response, the current condition, and the continued exposure to Indiana University. A discussion draft of each report with unresolved findings is circulated to the client before the report is issued. The follow-up review results will be circulated to the original report recipients and other University officials as deemed appropriate.
Internal Audit Annual Report to the Board
In addition to the distribution discussed earlier, the contents of the audit report, client response, and follow-up report may also communicated to the Audit Committee of the Board as part of the Internal Audit Annual Report.
The Process: A Collaborative Effort
As pointed out, during each stage in the audit process–preliminary review, field work, audit reports, and follow-up–clients have the opportunity to participate. There is no doubt that the process works best when client management and Internal Audit have a solid working relationship based on clear and continuing communication.
Many clients extend this working relationship beyond the particular audit. Once the audit department has worked with management on a project, we have an understanding of the unique characteristics of your unit’s operations. As a result, we can help evaluate the feasibility of making further changes or modifications in your operations.