What can internal auditors do to prepare a more comprehensive scope for their internal audit projects? And where can internal auditors find the subject matter expertise needed to create an audit program “from scratch”? AuditBoard’s “Planning an Audit: A How-To Guide” details how to build an effective internal audit plan from the ground up through best practices, resources, and insights, rather than relying on templated audit programs.
One of the guide’s highlights is a comprehensive checklist of audit steps and considerations to keep in mind as you plan any audit project. Use the checklist below to get started planning an audit, and download our full “Planning an Audit: A How-To Guide” for tips to help you create a flexible, risk-based audit program.
What is an Internal Audit?
An internal audit is a fundamentally independent function that evaluates an organization’s operations, internal controls, and risk management processes with the aim of improving the organization’s effectiveness and efficiency. Internal auditors will conduct interviews, inspect evidence, test controls, and read policies to understand the environment and validate that controls and processes are working — and working well.
The Difference Between Internal and External Audits
The essential difference between internal audits and compliance audits, sometimes referred to as external audits, is who performs the audit. Internal audits, as the name indicates, are performed by internal auditors who are employed by the business. Compliance audits are performed by independent, third-party, or external auditors, often certified in the audit that is being performed.
The Benefits of an Effective Internal Audit
Internal audits provide many benefits to an organization, giving management and leadership another lens through which to look at the organization. While external compliance audits are essential, they often have a specific scope and aim — PCI DSS, for example, zooms in on credit cardholder data. Internal audits have the benefit of a looser scope, allowing an organization to focus on those areas that are a priority, or areas that may not be looked at in a formal compliance audit.
Internal audits give advantages to organizations pursuing external audits as well as preparing stakeholders and process owners for future audits. Findings from internal audits can be addressed quickly; observations can give management greater insight into the business, people, technology, and processes. Impetus from internal audit reports can encourage optimization, saving the organization in costs and ultimately improving the customer’s experience.
So, how can an organization plan for a successful internal audit? Read on for our checklist!
Internal Audit Checklist
The steps to preparing for an internal audit are 1) initial audit planning, 2) involving risk and process subject matter experts, 3) frameworks for internal audit (the IPPF), 4) frameworks for internal audit processes (COSO ICIF), 5) the initial document request list, 6) preparing for a planning meeting with business stakeholders, 7) preparing the audit program, and 8) audit program and planning review.
1. Initial Audit Planning
All internal audit projects should begin with the team clearly understanding why a given project is part of the internal audit program. The following questions should be answered and approved before fieldwork begins:
- Why was the audit project approved to be on the internal audit plan?
- How does the process support the organization in achieving its goals and objectives?
- What enterprise risk(s) does the audit address?
- What is the overall audit schedule, and how does this project fit into the plan?
- Was this process audited in the past, and if so, what were the results of the previous audit(s)?
- Were audit findings or nonconformities investigated and remediated according to the action plan?
- Have there been significant changes in the process recently or since the previous audit?
- What is the scope of the project, and what specific requirements need to be met for a successful outcome?
Additionally, participants in the project should review the audit report and audit results to refresh their understanding of the environment, scope, and project parameters. The team may also want to review any standards, frameworks, and regulatory requirements relevant to the project or program. Reporting on internal audit objectives should be delivered to top management periodically — quarterly or biannually is common depending on the size and complexity of the business.
2. Involve Risk and Process Subject Matter Experts
Performing an audit based on internal company information is helpful to assess the operating effectiveness of the process’s controls. However, for internal audits to keep pace with the business’s changing landscape, and to ensure key processes and controls are also designed correctly, seeking out external expertise is increasingly becoming a best practice, even when a formal external audit is not required.
Organizations can employ Subject Matter Experts (SMEs) from the Big 4 (Deloitte, EY, PwC, and KPMG) and other consulting providers to supplement risk management and internal audit programs. These consultants can provide additional guidance, insight, and clarity on specific regulatory requirements, information security, and business processes. When contracting with consultants, be sure to disclose any other consulting relationships you may have with that firm or company, as there may be independence considerations that the consulting firm has to take into account.
In terms of fostering talent, skills, and development, internal audit professionals should stay abreast of current trends, topics, and themes in their industry. The following resources can help audit professionals understand the present landscape and augment their knowledge:
- Recent articles from WSJ.com, HBR.org, or other leading business periodicals
- Newsletters and updates from the AICPA, ISACA, ISO, NIST, and other similar organizations
- Relevant blog posts from Deloitte Insights, EY Insights, The Protiviti View, RSM’s Blog, or The IIA’s blogs
All of these resources can be leveraged to identify relevant risks, inform internal audit procedures, and encourage continuous improvement in your internal audit program. Having the right people and talent in place to perform the necessary audit activities is critical to your program’s success, and pulling in additional resources in the midst of an audit can be tough. By lining up your SMEs ahead of time, you can smooth out your audit workflow and reduce friction.
3. Frameworks for Internal Audit: The International Professional Practices Framework (IPPF)
Collating guidance from the Institute of Internal Auditors (IIA), the International Professional Practices Framework (IPPF) contains both mandatory and best practice recommendations. The IPPF aims to support the overall mission, “To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.” The core elements of the IPPF are the: Core Principles for the Professional Practice of Internal Auditing, Definition of Internal Auditing, Code of Ethics, and International Standards for the Professional Practice of Internal Auditing.
4. Frameworks for Internal Audit Processes: COSO ICIF
Although a risk-based approach to internal auditing can and should result in a bespoke internal audit program for each organization, taking advantage of existing frameworks like the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) 2013 Internal Control — Integrated Framework to inform your program can be a win for your internal audit team and avoid reinventing the wheel. Before applying a certain framework, the internal audit team and leadership should evaluate the suitability of that framework as they map to the business.
While COSO’s 2013 Internal Control — Integrated Framework (ICIF) is used extensively for Sarbanes-Oxley (SOX) statutory compliance purposes, internal auditors can also leverage it to create a more comprehensive audit program. COSO’s ICIF focuses on fraud, internal controls, and financial reporting, while covering subjects like the overall Control Environment of the organization, Information and Communication, and Risk Management. Since COSO’s ICIF was designed to address SOX, which is a U.S. statute, publicly traded companies based in the US may benefit the most from employing this framework as part of their internal audit program.
- Review COSO’s 2013 Internal Control components, principles, and points of focus before adopting the framework.
5. Initial Document Request List
The Document Request List or Evidence Request List, often abbreviated to “Request List” or “RL”, is one of the central documents of any audit. The Request List is an evolving list of requests which may cover everything from interview scheduling, evidence requests, policies and procedures, reports, supporting documentation, diagrams, and more, with the purpose of providing auditors with the information and documents they need to complete the audit program for the designated projects or processes.
Requesting and obtaining documentation on how processes work is an obvious next step in preparing for an audit. These requests should be delivered to stakeholders as soon as possible in the audit planning process to give stakeholders (with day jobs!) time to provide the right evidence. As requests come in, the internal audit team should be reviewing documented information for any follow-ups, and periodically updating the request list as items get closed out. The following requests should be made in order to gain an understanding of processes, relevant applications, and key reports:
- All policies, procedure documents, workflow diagrams, and organization charts
- Key reports used to manage the effectiveness, efficiency, and process success
- Access to key applications used in the process; read-only if possible
- Description and listing of master data for the processes being audited, including all data fields and attributes
From the listings received of master data, auditors can then make detailed sampling selections to test that processes and controls are being performed effectively, as designed, every time.
6. Preparing for a Planning Meeting With Business Stakeholders
Before meeting with business stakeholders, the internal audit committee should hold a meeting in order to confirm a high-level understanding of the objectives of the audit plan and program(s), key processes and departments, and the fundamental roadmap for the audit.
Then, after aligning internally, the audit team should also schedule and conduct a planning meeting with business stakeholders for the scoped processes. This keeps everyone on the same page, and gives business personnel the time and opportunity to coordinate audit efforts with their business units. The following steps should be performed to prepare for a planning meeting with business stakeholders:
- Outline key process steps by narrative, flowchart, or both, highlighting information inflows, outflows, and internal control components.
- Validate draft narratives and flowcharts with subject matter experts and stakeholders (if possible).
- Develop an agenda or questionnaire for all meetings internally or with business stakeholders.
Preparing the questionnaire after performing the initial research sets a positive tone for the audit, and demonstrates that internal audit is informed and prepared. Planning, preparedness, and cooperation are critical to achieving audit objectives and gleaning deeper insights from the audit.
7. Preparing the Audit Program
Once the internal audit team has completed initial planning, consulted with SMEs, and researched the applicable frameworks, they will be prepared to create an audit program. Audit teams can leverage past audit programs to better design present and future procedures. An audit program should detail the following information:
Summary and Purpose of the Audit Program
Since internal audit reports are usually designed for the consumption of leadership and management, providing an executive summary of the audit program and outcomes gives the audience a snapshot of the audit and results.
Process Objectives and Owners
When completing the audit program, documenting the process objectives and tying each process to owners designates accountability.
Along with the process objectives and owners, the risks associated with the process should also be noted.
Controls Mitigating Process Risks
Once details about the process, including risks, are documented, the audit team should identify and map the mitigating controls to the risks that they address. Compensating controls can also be noted here.
Control attributes are the components and characteristics of the control activity that are critical to the effective execution of that control. Asking the following questions and documenting the results is a good starting point — though some controls may have unique or uncommon attributes as well.
- Is the control preventive or detective? If the control is detective, are there corrective actions required as part of completing the control?
- How frequently does the control occur (e.g. many times a day, daily, weekly, monthly, quarterly, annually, etc.)?
- What type of risk does the control mitigate (fraud, operational, security, etc.)?
- Is the control manually performed, performed by an application, or a combination?
- How likely is the risk to be realized (e.g. Highly Likely, Likely, Unlikely)?
- How impactful would the risk be if it were realized (e.g. High Impact, Medium Impact, Low Impact)?
- What evidence does the audit team need to complete audit testing procedures?
Testing Procedures and Methods for Controls to be Tested During the Audit
There are four ways to test controls as part of an audit. Many times, these methods must be combined to fully test a control. These four methods are as follows:
- Inquiry, or asking how the control is performed
- Observation, or viewing the control being performed, typically in real time
- Inspection, or reviewing documentation evidencing the control was performed
- Re-performance, or independently performing the control to validate outcomes
A comprehensive audit program contains sensitive information about the business. Access to the full audit program(s) should be restricted to appropriate personnel only, and only shared when approved.
8. Audit Program and Planning Review
Audit programs, especially those for processes that have never been audited before, should have multiple levels of review and buy-in before being finalized and allowing fieldwork to begin. The following individuals should review and approve the initial audit program and internal audit planning procedures before the start of fieldwork:
- Internal Audit Manager or Senior Manager
- Chief Audit Executive
- Subject Matter Expert(s)
- Management’s Main Point of Contact for the Audit (i.e. Audit Customer)
Internal auditors who take a risk-based approach, create and document audit programs from scratch — and do not rely on template audit programs — will be more capable and equipped to perform audits over areas not routinely audited. When internal audit teams can spend more of their time and resources aligned to their organization’s key objectives, internal auditor job satisfaction increases as they take on more interesting projects and have an effect on the organization. The Audit Committee and C-suite may become more engaged with internal audit’s work in strategic areas. Perhaps most importantly, recommendations made by internal audit will have a more dramatic impact in enabling positive change in their organizations.
Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness.