Internal Audit Steps

 

The Internal Audit process begins with agreement of a three year Strategic Internal Audit Plan and an annual Operational Internal Audit Plan.  These documents are agreed with institutional senior management and approved by the Audit Committee.  The Operational Internal Audit Plan will include a number of separate audit assignments for delivery throughout the year that will allow Internal Audit to deliver an audit opinion in each area. 

An Internal Audit assignment can generally be broken down into four key stages:

 

Stage 1 - Planning

 

Near the agreed start date of an audit, our Internal Audit team will arrange a meeting to discuss the scope and objectives of the audit. Institutional management input at this stage is important to us, as it helps us establish areas of materiality and risk that can be covered. This is also an opportunity to raise any issues or areas of particular concern that could be covered as part of the audit. We use this meeting to establish information about the area being reviewed and this typically includes organisational structures and management arrangements, planning arrangements, IT arrangements, staffing, financial management, and other relevant information. One specific aspect of this meeting is identifying the audit area's objectives. From this, we can determine the possible risks that exist within the process or system under review that may affect the achievement of objectives and how best the institution can manage them through the use of internal controls.

 

It is helpful to us at this point to identify relevant staff who can assist us in our work and any information that we are likely to need access to. We have found that a nominated audit contact is a useful way of managing the audit jointly so that issues can be raised and cleared on an ongoing basis as the audit progresses. This also allows the institution to pick up early indications of the sort of areas we will be reporting on.

 

The information we have gained from our initial planning meeting (above) is used in conjunction with other relevant information about the area under review in order to obtain a general overview of operations. This may include information on budgets and strategic plans as well as past audit reports.

 

All of this information is then used to make a preliminary assessment of the risks and controls for the area. We will then issue a draft Terms of Reference which sets out the background, audit objectives, audit scope, timing of the audit, reporting arrangements and key personnel involved in the auidt. Formal acceptance of the Terms of Reference will be required.

 

We use this preparatory work to produce an Audit Programme. This is an internal document that specifies detailed work that needs to be undertaken as part of the fieldwork.

Stage 2 - Fieldwork

 

Our fieldwork concentrates on determining how well the area under review is managing the risks identified at the planning stage and what controls are operating to help this. This can take a variety of forms that includes interviews and detailed testing / analysis of documents or transactions. When we have completed the fieldwork stage, we usually have a list of significant findings that we use to prepare a draft audit report.

 

However, prior to this we will have arranged to discuss any key issues with our audit contact before completion of the fieldwork (see above). We encourage this aspect of the audit as our contact can offer insights and work with us to determine the best method of resolving any issues that arise. Usually these communications are oral. However, sometimes, they are written in order to ensure full understanding by management and our auditors - we aim for a no surprises approach!

 

Stage 3 - Reporting

 

When we have finished our fieldwork, we draft a report. The Head of Internal Audit reviews the fieldwork and the draft report in line with professional internal auditing standards. Once this stage has been completed, we hold a feedback/ closuremeeting to summarise the audit findings, conclusions, and recommendations necessary for us to produce a discussion draft of the report. We use this meeting to listen to any comments on our findings and to reach an agreement on any recommendations that we have identified.

 

We then produce a formal draft report, taking into account any revisions resulting from the feedback meeting and any other subsequent work we have done in light of it. The Head of Internal Audit also reviews this work. The formal draft report is then distributed for management responses to the audit findings prior to the final report being published. We use the response to include any further, relevant observations that management has into our final report. Any response should include how the recommendation will be implemented, by whom and within what time scale. We ask for responses within two weeks of receiving the draft report. This is because we do not want the audit review process to become drawn-out and protracted and need a timely response so that we can finalise the report as quickly as possible.

 

We distribute copies of the final report in line with agreed distribution protocol for the institution and in accordance with the Terms of Reference for the audit. This will always include the relevant operational managers for the reviewed area and typically the head of Institution (ie Vice Chancellor, Director, Warden etc or nominated individual), the Finance Director, etc. The institution's Audit Committee also receives summary reports of our work for each audit undertaken.

Stage 4 - Follow-up

 

Each year, we carry out a full follow-up of all previous year's audit recommendations. The purpose of the follow up is to monitor management's progress with the implementation of agreed audit recommendations made from the last audit. In addition, whenever we start a planned audit review from our agreed Operational Internal Audit Plan, we will also review any agreed audit recommendations from past audits as part of our programme of work.

 

There is often the perception that contact with Internal Audit need not be maintained until the next audit. However, having worked with managers on audits, we are in a position to gain a good understanding of the unit/ department's operations. To this end, we encourage an ongoing dialogue of advice and consultancy in the periods between audits to ensure that institutional staff are in a better position to manage the risks associated with their activities.