In the engagement planning phase, the scope of an internal audit engagement is defined by

Before starting the process, a general analysis is performed on the organization to be audited. This way, the audit team can have a better understanding of how processes work and what the entity's objectives are.

The following aspects should be taken into account here:

Legal framework: this is the legal context that regulates the company, its actions and the way in which it establishes relations with other organizations.

Internal regulation: this includes the information generated by the entity itself as a self-regulation mechanism. For example, regulations, agreements, board minutes, resolutions, etc.

Organizational structure: each of the elements that help align all the levels of the organization, such as guiding ideas, mission, principles, values, objectives, goals, processes, methods, technology, finance, etc.

After analyzing this company information, it is classified as follows:

  • Position of the audited entity.
  • Organizational objectives.
  • Activities performed.
  • Company structure.
  • Resources available.
  • Industry context.
  • Budget.

Audit planning

In this phase of the internal audit, the data collected in the previous stage are used to create an audit plan, which must be agreed with the customer. The audit plan must contain the following information:

  • Objectives, scope and criteria of the audit.
  • Units and areas to be audited within the company.
  • Staff members in charge of the quality of the processes.
  • Priority aspects.
  • Time and duration of inspections: dates and locations.
  • Meeting schedule.
  • Confidentiality requirements.
  • Structure and delivery of the final report.

Assignment of the audit team

The lead auditor must define the staff members who will be responsible for performing each of the audit activities. To make the process as objective as possible, team members must be free from conflict of interest and must not be involved in the activities they are auditing.

Lead auditor: ensures that the audit plan is followed, that activities are effective, and that the previously defined scope is maintained.

Auditors: are in charge of planning and carrying out the assigned tasks. They collect and analyze evidence and draw conclusions. They document the results and write the reports.

Conducting the audit

This phase of the internal audit begins with an opening meeting, where team members introduce themselves and the plan is reviewed. The methodologies and procedures to be used are also proposed, the necessary resources are defined and the security and emergency procedures are reviewed.

After that, the information collected by the audit team is gathered and analyzed, and it is assessed whether the criteria of the audit plan are being fully complied with.

Once all the evidence is collected, the auditors meet with management and those responsible for the audited functions. At this meeting, the results are presented, disagreements are resolved, and conclusions are discussed.

To ensure good management of operational risks and include them in the audit, it is advisable to have a technological tool such as our risk management software Pirani, which allows you to associate risks with processes and create controls in a simple way to prevent risks from materializing or to mitigate their impact.

Preparing the report

The ultimate objective of an internal audit is to disclose the results obtained. In this phase of the audit, the audit report is prepared, which must contain the predetermined information of the initial audit plan, such as customer information, the objectives and scope, the agreed criteria, audit times, the identification of the audit team, the summary of the process, the conclusions, the confidentiality statement and the report distribution list.

Distribution of the report

Once the final report has been prepared and approved, a copy of it should be sent to the person responsible for the corresponding section. The report and documents are delivered to the company's quality manager and Board of Directors for subsequent archiving.

Follow-up of actions

When the final report contains non-conformities, corrective actions are to be proposed and recorded. They must be reported to the quality manager in order to take the corresponding steps and solve them within the stipulated time.  

It is also a good practice to include a checklist in the audit process to help identify the most critical aspects. 

Planning is part of internal auditing’s systematic, disciplined, and risk-based approach and is mandated by the International Standards for the Professional Practice of Internal Auditing.  Planning internal audit engagements involves considering the strategies and objectives of the area or process under review, prioritizing the risks relevant to the engagement, determining the engagement objectives and scope, and documenting the approach. This practice guide contains the engagement planning steps necessary to fulfill Standard 2200 – Engagement Planning through Standard 2220 – Engagement Scope and related assurance (.A) and consulting (.C) implementation standards.

Engagement planning generally includes the following steps:

  • Understand the context and purpose of the engagement.
  • Gather information to understand the area or process under review.
  • Conduct a preliminary risk assessment of the area or process under review.
  • Form engagement objectives.
  • Establish engagement scope.
  • Allocate resources.
  • Document the plan.

Engagement Planning: Establishing Objectives and Scope also offers guidance on how internal auditors can use a risk and control matrix and heat map to prioritize the risks, then use the results to form the engagement objectives and scope, in conformance with the Standards. Established engagement objectives and scope enable internal auditors to focus efforts on the significant risks in the area or process under review, develop the engagement work program, and communicate clearly with management and the board.

What is the scope of internal audit decided by?

The audit committee should play a role in reviewing the scope on a regular basis to ensure that this is being updated appropriately, in line with changes in the organisation's activities, markets or other aspects of the external environment which may have an impact on the risks faced by the organisation.

What is engagement in internal audit?

An internal audit engagement is an independent third-party review of the organisation's systems and controls by a regulated audit and assurance firm. This review could be compulsory, which is the case for regulated entities such as funds and investment firms, or ad hoc, based on management needs.

What are the 4 steps in accepting an audit engagement?

Each audit engagement is unique, but most share the basic steps of preparation, planning, field testing, and audit procedures, as well as subsequently rendering the audit opinion.

What is scope of engagement in audit?

The engagement letter documents and confirms the auditor's acceptance of the appointment, the objective and scope of the audit, the extent of the auditor's responsibilities to the client and the form of any reports.
