Internal audits evaluate a company’s internal controls, including its corporate governance and accounting processes. These audits ensure compliance with laws and regulations and help to maintain accurate and timely financial reporting and data collection. Internal audits also provide management with the tools necessary to attain operational efficiency by identifying problems and correcting lapses before they are discovered in an external audit.
♦ An internal audit offers risk management and evaluates the effectiveness of a company’s internal controls, corporate governance, and accounting process.
♦ Internal audits provide management and the board of directors with a value-added service where flaws in a process may be caught and corrected prior to external audits.
♦ The Sarbanes-Oxley Act of 2002 holds management responsible for their financial statements by requiring senior corporate officers to certify in writing that the financials are accurately presented.
Internal auditors generally identify a department, gather an understanding of the current internal control process, conduct fieldwork testing, follow up with department staff about identified issues, prepare an official audit report, review the audit report with management, and follow up with management and the board of directors as needed to ensure recommendations have been implemented.
Assessment techniques ensure an internal auditor gathers a full understanding of the internal control procedures and whether employees are complying with internal control directives. To avoid disrupting the daily workflow, auditors begin with indirect assessment techniques, such as reviewing flowcharts, manuals, departmental control policies or other existing documentation. If documented procedures are not being followed, direct discussion with department staff may be necessary.
Auditing fieldwork procedures can include transaction matching, physical inventory count, audit trail calculations, and account reconciliation as is required by law. Analysis techniques may test random data or target specific data, if an auditor believes an internal control process needs to be improved.
Internal audit reporting includes a formal report and may include a preliminary or memo-style interim report. An interim report typically includes sensitive or significant results the auditor thinks the board of directors needs to know right away. The final report includes a summary of the procedures and techniques used for completing the audit.
♦ The scope of the internal audit is defined by management or the Board (not an outside agency or adversarial entity)
♦ Internal Audit “reports” directly to management or the Board (not an outside agency or adversarial entity)
♦ Ultimately increases accountability within the organization.
♦ Improves the “control environment” of the organization
♦ Makes the organization process-dependent instead of person-dependent
♦ Identifies redundancies in operational and control procedures and provides recommendations to improve the efficiency and effectiveness of procedures
♦ Serves as an Early Warning System, enabling deficiencies to be identified and remediated on a timely basis (i.e. prior to external, regulatory or compliance audits)
So with a properly staffed internal audit function, management would have, at its fingertips: an advocate, a risk manager, a controls expert, an efficiency specialist, a problem-solving partner and a safety net.
♦ Risk assessment – Assisting management with identifying and prioritizing areas or processes that require attention and audit focus
♦ Process walkthroughs and documentation – Gaining an understanding of the processes and procedures as they currently exist, especially with respect to the IT systems utilized in the processing of high volumes of policyholder/claims data
♦ Control assessment – Identifying gaps, also known as “trouble spots,” where procedures and controls are not properly designed
♦ Testing – Performing tests of controls to verify whether controls are working as designed
♦ Reporting – Providing observations and recommendations to improve processes and controls.
All internal audit projects should begin with the team clearly understanding why the project was put on the audit plan. The following questions should be answered and approved before fieldwork begins:
♦ Why was the audit project approved to be on the internal audit plan?
♦ How does the process support the organization in achieving its goals and objectives?
♦ What enterprise risk(s) does the audit address?
♦ Was this process audited in the past, and if so, what were the results of the previous audit(s)?
♦ Have there been significant changes in the process recently or since the previous audit?
Performing an audit based on internal company information is helpful to assess the operating effectiveness of the process’s controls. However, for internal audit to keep pace with the business’s changing landscape and to ensure key processes and controls are also designed correctly, seeking out external expertise is increasingly becoming a best practice.
Although COSO’s 2013 Internal Control – Integrated Framework is used extensively for Sarbanes-Oxley (SOX) compliance purposes, internal auditors can also leverage it to create a more comprehensive audit program. In addition to identifying and testing control activities, internal audit should seek to identify and test the other components of a well-controlled process.
Requesting and obtaining documentation on how the process works is an obvious next step in preparing for an audit. The following requests should be made before the start of audit planning in order to gain an understanding of the process, relevant applications, and key reports:
♦ All policies, procedure documents, and organization charts
♦ Key reports used to manage the effectiveness, efficiency, and process success
♦ Access to key applications used in the process
♦ Description and listing of master data for the processes being audited, including all data fields and attributes
Before meeting with business stakeholders, internal audit should hold an internal meeting in order to confirm the high-level understanding of the objectives of the process or department and the key steps to the process. The following steps should be performed to prepare for a planning meeting with business stakeholders:
♦ Outline key process steps by narrative, flowchart, or both, highlighting information inflows, outflows, and internal control components
♦ Validate draft narratives and flowcharts with subject matter experts (if any)
♦ Create an initial pre-planning questionnaire to facilitate a pre-planning meeting with key audit customers
Once internal audit has confirmed its understanding of the process and the risks within the process, it will be prepared to create an audit program. An audit program should detail the following information:
♦ Process Objectives
♦ Process Risks
♦ Controls Mitigating Process Risks
♦ Control Attributes, including:
    ♦ Is the control preventing or detecting a risk event?
    ♦ Control frequency (e.g. daily, weekly, monthly, quarterly, etc.)
    ♦ Does the control mitigate a fraud risk?
    ♦ Is the control manually performed, performed by an application, or both?
    ♦ An initial assessment of the risk event (e.g. high, medium, or low)
♦ Testing Procedures for Controls to be Tested During the Audit, including:
    ♦ Inquiry, or asking how the control is performed
    ♦ Observation, or physically seeing the control be performed
    ♦ Inspection, or reviewing documentation evidencing the control was performed
    ♦ Re-performance, or independently performing the control to validate outcomes
Audit programs, especially those for processes that have never been audited before, should have multiple levels of review and buy-in before being finalized and allowing fieldwork to begin. The following individuals should review and approve the initial audit program and internal audit planning procedures before the start of fieldwork:
♦ Internal Audit Manager or Senior Manager
♦ Chief Audit Executive
♦ Subject Matter Expert
♦ Management’s Main Point of Contact for the Audit (i.e. Audit Customer)