8 Steps to Performing an Internal Audit

MAY 27, 2015 BY PATRICIA LOTICH

Internal audits help organizations achieve corporate objectives by keeping a

pulse on the consistency of internal business practices.

The goal of an internal audit is to ensure organizational policies and

procedures are followed and to alert management of gaps in policy
compliance.

The internal audit process can be done with internal resources or can be
outsourced to an external third party vendor. There are advantages and
disadvantages to outsourcing the function. However, making sure that the
audit practice is done consistently can help organizations manage
performance and product quality.

Performing an internal audit can be time consuming and resources need to be

allocated to the process. An audit can be done daily, weekly, monthly or
annually. Some departments may need to be audited more often than others.

8 Steps to Performing an Internal Audit

1. Identify Areas that Need Auditing
 Identify departments that operate by
usingpolicies and procedures written by the organization or by regulatory
agencies. This can include areas as complex as manufacturing processes or
as simplistic as accounting procedures. Make a list of each area and the
functions of the area that require review.

2. Determine How Often Auditing Needs to be Done

Some areas may only need to be audited annually while some departments
may require more frequent audits. For example, a manufacturing process may
require daily audits for quality control purposes while theHR function may only
require an annual audit of records and processes.

3. Create Audit Calendar

A structured and systematic approach to the auditing process can help ensure
the function gets completed. And, like any other lbusiness goal, audits should
be integrated into corporate objectives. Scheduling audits on the business
calendar ensures that it is done consistently.

4. Alert Departments of Scheduled Audits

It is simply common courtesy to give departments notice of an audit so they
can have the necessary documents and materials ready and available for the
reviewer. A surprise audit should only be done if there is suspicion of unethical
or illegal activity. Department managers should not feel threatened by an
auditor but view them as a valued resource to help them better manage their
area.

5. Be Prepared
The auditor should come prepared with an understanding of policies and
procedures and a list of items that will be reviewed. For example, an HR
audit may focus on employee files and I-9 compliance. The more prepared the
auditor is the more efficient the process will be and the less down time there
will be for the area being reviewed.

6. Interview Users
The auditor should interview employees and ask them to explain their work
process. Compare the process, as the employee explained it, to what the
written policy says. This step is to gain an understanding of employee
competence and identify areas that need additional training.

7. Document Results
Document the results and any differences in practice to how the policies are
written, when policies are complied with and when they are not. This may also
include other information that is gathered from the interview process. Again,
the goal is to identify gaps in compliance and to figure out a way to bridge that
gap.

8. Report Findings
Create an easy to read audit report. These reports should be reviewed with
senior management and an improvement plan should be developed for areas
that have gaps in practice compliance. Using a FOCUS PDCA model can help
facilitate a structured process for implementing this type of improvement.

Other things to think about

When reviewing policies and procedures, it is important to think about

whether they are meeting the needs of customers and adding value to
the organization.

Policies and procedures should focus on continuous improvement as it

relates to how work is performed.

Is there a strong team environment that supports compliance with

policies and procedures? A dysfunctional team can impact procedural
compliance.

Policies and procedures should be reviewed on an annual basis to

ensure policies reflect the changing business environment.

Businesses are only as successful as their ability to create products and

services that meet the needs of their customers and their ability to deliver
these products and services accurately, seamlessly and without error. Policies
and procedures are how organizations maintain efficient and effective
practices that support quality products and services. Internal audits are one
tool that organizations use to ensure that their products and services are
delivered the right way, the first time and every time.

How often do you audit your internal business practices?

Photo provided by: GotCredit

Article originally published November, 2010, updated May, 2015

Internal Audit Process

Risk Based Audit Plan

The internal audit process begins with the Risk Based Audit Plan, which is updated annually and
approved by the Audit Committee of the Board of Governors. Once approved, the Plan becomes a
guideline for conducting audits in the coming year. In addition to the audits performed under the Plan,
Internal Audit also conducts special audits and consulting work on demand.

Planning Phase

In the planning phase, the audit staff reviews any past audit work, looks over literature on the area being
reviewed, and makes a preliminary review of the unit budgeted and actual revenues and expenses. The
auditors also formulate the audit scope and objectives on which they base the fieldwork phase. The
planning phase also includes an introductory meeting to discuss objectives, timelines, and other important
information that can ease the internal audit process. At this time, the audit staff may request few pieces of
information, such as an organization chart, a contact list and literature describing the units procedures, if
available.

Fieldwork Phase

In the fieldwork phase, typically the lengthiest part of the audit, the audit staff gathers information about
the auditee's operations, gains an understanding of the unit's functions, and identifies both strengths and
weaknesses. This work includes reviewing financial activity, administrative and business procedures,
overall unit functions, and other activities specific to each section in the unit. The audit staff interviews key
personnel, observes unit procedures, and periodically reviews the audit progress with the unit's heads
and personnel. Ultimately, this phase allows the audit staff to identify areas of risk and concern in the
unit's internal controls and procedures, all of which are discussed with the auditee before or at the
conclusion of the fieldwork.

Reporting Phase

In this phase, all fieldwork results are compiled, presented and discussed with the client. The client must
provide action plans with timeframes that address all recommendations. A final summary report then goes
to Senior Management and the Audit Committee for review.

Follow-up Phase

Based on timeframes in the action plans, a follow-up is performed to ensure that the required measures
have indeed been implemented.

Audit Procedures & Techniques for an Internal Audit

by Jackie Lohrey, studioD
 Recalculating completed financial transactions is an assessment technique during most internal audits.

Related Articles

How Does Independent Internal Verification Work in Accounting?

An Internal Audit Vs. a Consulting Role
Contingency Theory in Auditing
What Are Internal Accounting Controls?
What Does the Process of Performing an External Audit Include?

A semi-annual or annual internal audit is a common method used to assess the effectiveness
of a businesss internal control system. Unlike an external audit, which focuses on
determining whether financial statements conform to generally accepted accounting
principles, an internal audit focuses on uncovering internal control weaknesses and evidence
of fraud, waste or abuse. Internal audit procedures and techniques are essential to effective
risk-management implementation.

Audit Procedures and Objectives

The main objective of an internal audit is to assess and, when necessary, improve the
effectiveness of internal business controls, risk-management plans and overall business
processes. Audit procedures typically start by assessing current processes and procedures.
Auditors then analyze and compare results against internal control objectives to determine
whether audit results comply with internal policies and procedures as well as federal and
state rules and regulations. As a final step, auditors compile an audit report to present to the
business owner.

Assessment Techniques

Assessment techniques are designed to ensure internal auditors fully understand internal
control procedures and determine whether employees are complying with internal control
directives. Auditors try to avoid disrupting the daily workflow by starting the internal audit
 process using indirect assessment technique. These include reviewing existing
documentation such as flowcharts, manuals and departmental control policies. Creating
audit trails that trace specific processes from start to finish are another common assessment
technique. Techniques in the second phase, including one-on-one interviews and process
observations, are techniques internal auditors use if audit trails or document reviews dont
fully answer auditors questions.

Analysis Techniques

Internal audit analysis techniques include substantive procedures that are designed to
determine whether work products contain data entry errors or whether financial statements
contain misstatements. Analysis techniques can be used to test random data or target
specific data if an internal auditor feels an internal control process is at risk. Substantive
procedures include, but arent limited to, transaction matching, a physical inventory count,
audit trail calculations and recalculating already-reconciled financial statements such as a
monthly bank reconciliation.

Reporting Procedures

A final internal audit report marks the end of the internal auditing process. Although
reporting always includes a formal report, it can also include a preliminary or memo-style
interim report. An interim report generally includes sensitive or significant results the auditor
feels are necessary to share immediately with the business owner. A final report is
significantly more formal and includes a summary of the procedures and techniques used in
completing the audit, a description of audit findings and suggestions for changes or
improvements to internal controls and control procedures.

References (4)
About the Author

Based in Green Bay, Wisc., Jackie Lohrey has been writing professionally since 2009. In
addition to writing web content and training manuals for small business clients and nonprofit
organizations, including ERA Realtors and the Bay Area Humane Society, Lohrey also works
as a finance data analyst for a global business outsourcing company.

Photo Credits
Medioimages/Photodisc/Photodisc/Getty Images
I have been reviewing the trends for how people find my website, and a large
number of you appear to be very interested in my auditing schedules and other
audit-related topics. Therefore, this weeks blog is dedicated to
training auditors on the process approach.
First, the process approach is just a different way of organizing audits. Instead of
auditing by clause, or by procedure, instead you audit each process. Typical
processes include:
1. Design & Development
2. Purchasing
3. Incoming inspection
4. Assembly
5. Final Inspection
6. Packaging
7. Sterilization
8. Customer Service
9. Shipping
10. Management Review
11. CAPA
12. Internal Auditing
There are two reasons why the process approach is recommended. First, the process
approach identifies linkages between processes as inputs and outputs. Therefore, if there is
a problem with communication between departments the process approach will catch it. If
only a procedural audit is performed, the lack of communication to the next process is often
overlooked. Second, the process approach is a more efficient way to cover all the clauses of
the ISO Standard than auditing each clause (i.e. the element approach).
My rationale for the claim of greater efficiency is simple: there are 19 required procedures in
the ISO 13485 Standard, but there are only 12 processes identified above. The missing
procedures are actually incorporated into each process audit. For example, each process
audit requires a review of records as input and outputs. In addition, training records should
be sampled for each employee interviewed during an audit. Finally, nonconforming
materials can be identified and sampled at incoming inspection, in assembly processes,
during final inspection, during packaging, and even during shipment.
The tool that BSI uses to teach the process approach is the Turtle Diagram. The following
picture illustrates where the name came from.
 Process Auditing Turtle Diagram

The first skill to teach a new auditor is the interview. Each process audit should begin with
an interview of the process owner. The process owner and the name of the process are
typically documented in the center of the turtle diagram. Next most auditors will ask, Do
you have a procedure for x process? This is a weak auditing technique, because it is an
closed-ended or yes/no. This type of question does little to help the auditor gather
objective evidence. Therefore I prefer to start with the question, Could you please describe
the process? This should give you a general overview of the process if you are unfamiliar
with it.
After getting a general overview of the process, I like to ask the question: How do you know
how to start the process. For example, inspectors know that there is material for incoming
inspection, because raw materials are in the quarantine area. I have seen visual systems,
electronic and paper-based systems for notifying QC inspectors of product to inspect. If
there is a record indicating that material needs to be inspectedthat is the ideal scenario. A
follow-up question is, What are the outputs of the inspection process? Once again, the
auditor should be looking for paperwork. Sampling these records and other supporting
records is how the process approach addresses Clause 4.2.4control of records.
The next step of the process approach is to determine what resources are used by incoming
inspection. This includes gages used for measurement, cleanliness of the work
environment, etc. This portion of the process approach is where an auditor can review
calibration, gowning procedures, and software validation. After With What Resources, the
auditor then needs to identify all the incoming inspectors on all shifts. From this list the
auditor should select people to interview and follow-up with a request for training records.

The sixth step of the process is to request procedures and forms. Many auditors believe that
they need to read the procedure. However, if a company has long procedures this could
potentially waste valuable time. Instead, I like to ask the inspector to show me where I can
find various regulatory requirements in the procedures. This approach has the added benefit
of forcing the inspector to demonstrate they are trained in the proceduresa more effective
assessment of competency than reviewing a training record.

The seventh and final step of the turtle diagram seems to challenge process owners the
most. This is where the auditor should be looking for department Quality Objectives and
assessing if the department objectives are linked with company Quality Objectives.
Manufacturing often measures first pass yield and reject rates, but every process can be
measured. If the process owner doesnt measure performance, how does the process owner
know that all the required work is getting done? The seventh step also is where the auditor
can sample and review monitoring and measurement of processes, and the trend analysis
can be verified to be an input into the CAPA process.
In my brief description of the process approach I used the incoming inspection process. I
typically choose this process for training new auditors, because it is a process that is quite
similar in almost every company and it is easy to understand. More importantly, however,
the incoming inspection process does a great job of covering more clauses of the Standard
than most audits. Therefore, new auditors get a great appreciation for how almost all the
clauses can be addressed in one process audit.

If you have questions, or you would like a copy of the turtle diagram I use for documentation
of audits, please submit a request on my website contact us page.
Share this:
Six Steps to an Effective Continuous Audit Process

Establishing priority areas and determining the process' frequency are two of the six steps
that internal auditors and senior managers need to take into consideration before making
the switch to continuous auditing.

Carlos Elder de AquinoFebruary 01, 20088 Comments

The need to improve and accelerate audit activities has led in part to the increased adoption of continuous auditing as
a vital monitoring tool. Initially recorded at AT&T Corp. by its Bell Laboratories research center during the late 1980s
and early 1990s, continuous audit efforts are now under way in organizations including Siemens, HCA Inc., Unibanco,
the New York Federal Reserve, and IBM. Additionally, legislation such as Section 404 of the U.S. Sarbanes-Oxley Act
of 2002 and audit software vendors, including ACL, IDEA, Approva, and Oversight, are molding and giving large
momentum to the continuous audit field. Consequently, as continuous auditing continues to grow around the world,
internal auditors and senior managers need to understand the necessary actions required to support an effective
continuous audit process, including establishing audit priority areas and determining the process' frequency.

Before Pitching the Idea

When organizations begin evaluating the adoption of continuous auditing, three common issues usually arise that if
expected can be managed effectively. First, is the confusion among auditors and senior management regarding the
differences between continuous auditing and continuous monitoring. Second, is the need for auditors to understand
the role of continuous auditing as a meta control (i.e., a control of controls). And third, is the concern that implementin
g continuous auditing will lead to a loss of independence and objectivity as audit professionals become operationally
involved in the process. While the way in which companies address these challenges will be unique to their
organization, the following best practices can help them prepare for these issues.
 What is Continuous
Auditing?
Continuous Monitoring Vs. According to The IIA's Global
Continuous Auditing Technology Audit Guide
(GTAG) Continuous Auditing:
Typically, continuous monitoring is a management
function to ensure that company policies, procedures, Implications for Assurance, Monitoring,
and business processes are operating effectively and and Risk Assessment, continuous auditing
addresses management's responsibility to assess the
is defined as the automatic method used
adequacy and effectiveness of internal controls. In
addition, continuous monitoring usually involves the to perform control and risk assessments
automated testing of all transactions and system on a more frequent basis. As the guide
activities within a given business process area against
states, technology plays a key role in
control rules. Monitoring may occur on a daily, weekly,
or monthly basis based on the nature of the underlying continuous audit activities by helping to
business cycle. automate the identification of exceptions
or anomalies, analyze patterns within the
Although many of the continuous monitoring
techniques used by management are similar to those
digits of key numeric fields, review
performed by internal auditors during continuous audit trends, and test controls, among other
activities, continuous auditing usually enables auditors activities. Other organizations, such as the
to evaluate the adequacy of management's monitoring
function and identify and assess risk areas. In
American Institute of Certified
addition, clearly communicating the differences Public Accountants and the Canadian
between the two will aid in avoiding confusion or Institute of Chartered Accountants have
resistance to continuous auditing as a redundant
effort. (For more information about the differences
further defined continuous auditing and
between continuous monitoring and continuous provided guidance on the subject.
auditing, please refer to The IIA's GTAG on
continuous auditing.) For additional basic information on
continuous auditing,
Meta Control read "Recommendations for an Effective
Continuous auditing also tends to be dynamic in
Continuous Audit Process."
nature (i.e., the auditor can turn continuous audit
processes on and off based on current system loads
by reconfiguring these activities according to the
internal audit plan). Therefore, by monitoring particular configurable items, continuous auditing provides an additional
level of controls and acts as a metal control.

For example, a bank can issue an alarm under pre-specified circumstances to the bank manager's supervisor
whenever loans reach a pre-authorized level. This activity then increases the level of controls that can be configured,
such as by including the choice to have an alarm issued and under which circumstances.
Figure 1. Illustration of the continuous audit process' dynamic nature

Independence and Objectivity

Finally, because continuous audit activities are different from those taking place during a more traditional audit, audit
principles need to be re-conceptualized. This is because continuous auditing often places the auditor in the middle of
the transaction flow. For instance, at a major US-based electronic brokerage firm that monitors its client's electronic
transactions, auditors are notified when a transaction is blocked after certain analytical parameters are met. The
auditor then deals directly with the client. As this example illustrates, it is important for internal auditors to make sure
that the continuous audit process has a system of checks and balances to maintain the independence and objectivity
of their work throughout the audit.

Key Steps to Implementing Continuous Auditing

Once the issues above are understood by managers and auditors alike, the organization will be in a better position to
begin using continuous auditing. Generally, the implementation of continuous auditing consists of six procedural
steps, which are usually administered by a continuous audit manager. Knowing about these steps will enable auditors
to better monitor the continuous audit process and provide recommendations for its improvement, if needed. These
steps include:

1. Establishing priority areas.

2. Identifying monitoring and continuous audit rules.

3. Determining the process' frequency.

4. Configuring continuous audit parameters.

5. Following up.
 6. Communicating results.

Below is a description of each.

Figure 2. Continuous audit implementation steps

1. Establishing Priority Areas

The activity of choosing which organizational areas to audit should be integrated as part of the internal audit annual
plan and the company's risk management program. Many internal audit departments also integrate and coordinate
with other compliance plans and activities, if applicable. (Steps 2-6 below are applicable to all of the priority areas and
processes being monitoring as part of the continuous audit program.)

Typically, when deciding priority areas to continuously audit, internal auditors and managers should:

Identify the critical business processes that need to be audited by breaking down and rating risk areas.

Understand the availability of continuous audit data for those risk areas.

Evaluate the costs and benefits of implementing a continuous audit process for a particular risk area.

Consider the corporate ramifications of continuously auditing the particular area or function.

Choose early applications to audit where rapid demonstration of results might be of great value to the
organization. Long extended efforts tend to decrease support for continuous auditing.

Once a demonstration project is successfully completed, negotiate with different auditees and internal audit
areas, if needed, so that a longer term implementation plan is implemented.
When performing the actions listed above, auditors need to consider the key objectives from each audit procedure.
Objectives can be classified as one of four types: detective, deterrent (also known as preventive), financial, and
compliance. A particular audit priority area may satisfy any one of these four objectives. For instance, it is not
uncommon for an audit procedure that is put in place for preventive purposes to be reconfigured as a detective
control once the audited activity's incidence of compliance failure decreases.

2. Monitoring and Continuous Audit Rules

The second step consists of determining the rules or analytics that will guide the continuous audit activity, which need
to be programmed, repeated frequently, and reconfigured when needed. For example, banks can monitor all checking
accounts nightly by extracting files that meet the criterion of having a debt balance that is 20 percent larger than the
loan threshold and in which the balance is more than US $1,000.

In addition, monitoring and audit rules must take into consideration legal and environmental issues, as well as the
objectives of the particular process. For instance, how quickly a management response is provided once an activity is
flagged may depend on the speed of the clearance process (i.e., the environment) while the activity's overall
monitoring approach may depend on the enforceability of legal actions and existing compliance requirements.

3. Determining the Process' Frequency

Although the process is called continuous auditing, the word continuous is in the eye of the beholder. Auditors need to
consider the natural rhythm of the process being audited, including the timing of computer and business processes as
well as the timing and availability of auditors trained or with experience in continuous auditing. For instance, although
increased testing frequency has substantial benefits, extracting, processing, and following up on testing results might
increase the costs of the continuous audit activity. Therefore, the cost-benefit ratio of continuously auditing a
particular area must be considered prior to its monitoring.

Furthermore, other tools used by the manager of the continuous audit function include an audit control panel in which
frequency and parameter variations can be activated. Hence, the nature of other continuous audit objectives, such as
deterrence or prevention, may determine their frequency and variation.

4. Configuring Continuous Audit Parameters

Rules used in each audit area need to be configured before the continuous audit procedure (CAP) is implemented. In
addition, the frequency of each parameter might need to be changed after its initial setup based on changes
stemming from the activity being audited. Hence, rules, initial parameters, and the activity's frequency also a
special type of parameter should be defined before the continuous audit process begins and reconfigured based
on the activity's monitoring results.

When defining a CAP, auditors should consider the cost benefits of error detection and audit and management follow-
up activities. For instance, in the example of the bank described earlier, the excess threshold of US $1,000 could lead
to a number of false negatives (e.g., values that were ignored when the balance was smaller than US $1,000 but
were identified as representing a problem) and a number of false positives (e.g., values with balances above US
$1,000 that were flagged but were accurate). If the threshold is increased to US $2,000, there will be an increase in
false negatives and a decrease in false positives. Because follow up costs would go up as the number of false
positives increases and the presence of false negatives may lead to high operational costs for the organization,
internal auditors should regularly reevaluate if error detection and follow-up activities need to be continued,
reconfigured, temporarily halted, or used on an ad hoc basis.

Furthermore, the stratification of audited data into sub-groups allows organizations to better monitor the activity and
reconfigure any parameters (e.g., auditors will be notified when balances larger than 20 percent of the debt remain
that are also larger than US $5,000). However, the more complex the rule and its conditional components, the more
parameters that must be examined, monitored, and sometimes reconfigured.

5. Following Up

Another type of parameter relates to the treatment of alarms and detected errors. Questions such as who will receive
the alarm (e.g., line managers, internal auditors, or both usually the alarm is sent to the process manager, the
manager's immediate supervisor, or the auditor in charge of that CAP) and when the follow-up activity must be
completed, need to be addressed when establishing the continuous audit process.

Additional follow-up procedures that should be performed as part of the continuous audit activity include reconciling
the alarm prior to following up by looking at alternate sources of data and waiting for similar alarms to occur before
following up or performing established escalation guidelines. For instance, the person receiving the alarm might wait
to follow up on the issue if the alarm is purely educational (i.e., the alarm verifies compliance but has no adverse
economic implications), there are no resources available for evaluation, or the area identified is a low benefit area
that is mainly targeted for deterrence.

6. Communicating Results

A final item to be considered is how to communicate with auditees. When informing auditees of continuous audit
activity results, it is important for the exchange to be independent and consistent. For instance, if multiple system
alarms are issued and distributed to several auditees, it is crucial that steps 1-5 take place prior to the communication
exchange and that detailed guidelines for individual factor considerations exist. In addition, the development and
implementation of communication guidelines and follow-up procedures must consider the risk of collusion. Much of
the work on fraud indicates that the majority of fraud is collusive and can be performed by an internal or external
party. For example, in the case of dormant accounts, both the clerk that moves money and the manager that receives
the follow-up money may be in collusion since the manager's key may have to be used for certain transactions.

Additional Considerations

Besides the six steps described in the previous section, two additional issues that emerge when implementing
continuous auditing are the infrastructure needed for the process to work and its impact on the workplace.

Organizational Infrastructure

Because continuous auditing is a part of the company's audit function, it must be kept independent of management.
Therefore, during the planning stages, auditors need to keep in mind the process' independence when designing its
structure. For instance, a typical internal audit department is structured so that areas of the department focus on
different cycles or business activities. In addition, the department may be divided into financial and IT audit functions.

Sometimes, however, IT audit activities are incorporated as part of existing IT operations. In organizations such as
these, the development of continuous auditing is usually delayed because the activity may not get the necessary
development priority. Regardless of whether IT audit activities are part of the organization's IT or internal audit
department, the organization must maintain the process' independence as well as allocate resources in support of
continuous audit activities.

Impact on Personnel

In addition, the audit manager in charge of the continuous audit process should have a more technical understanding
of IT as well as extensive experience on the activities being audited. However, hiring, training, and retaining auditors
who can implement and monitor continuous audit activities might be challenging due to the scarcity of internal
auditors with knowledge in the area. Furthermore, the continuous audit process might create a daily stream of issues
that need to be resolved, which might prove stressful given current personnel resources, and might require the
continuous audit manager to exert adequate authority in moments of exceptions.

Final Thoughts

While more organizations are progressively implementing continuous auditing and, along the way, improving the
quality of the data gathered during each audit auditors and managers that are looking to implement a continuous
audit approach need to be willing to move beyond their traditional yearly audit activities. Although not a lot of
guidance exists today about the best ways to implement a continuous audit process, as with any major change, the
evolution toward continuous auditing will take time and substantial attention from senior management.