The internal audit process

What is an audit?
- An examination to verify the correctness of representations. To audit is an action: to set up a list of criteria which you see as acceptable (what should be in place), measure the reality/condition against these criteria (what is in place), and obtain evidence to support your findings.

What is an engagement?
- A specific internal audit assignment, task, or review activity.

Understanding the business environment.
- Strategic, e.g. reputation of the business.
- Business unit, e.g. human resource division.
- Business process, e.g. payroll process.

Organisational objectives.
- The setting of objectives can vary from a formal, structured process to an informal process. The process starts with the development of vision and mission statements. A vision statement is a statement about what the organisation wants to become, thus something the organisation aspires to. A mission statement defines the purpose of the organisation, thus what the organisation does. A mission statement is broken down into strategic objectives.

Organisational risk.
- The process that management uses to identify, analyse, measure, and manage risks is referred to as enterprise risk management (ERM). The outcome of the ERM process (what management has identified as threatening the achievement of the strategic objectives of the organisation) is used by the internal audit activity to plan the audit engagements to be performed annually. During each audit engagement, a risk-based approach is followed by referring to the operational risks identified.

Engagement objectives.
- The broad statements developed by internal auditors that define intended engagement accomplishments. They should address the risks associated with the business unit or process under review.

The internal audit process.
- Standard 2200 Engagement Planning. Internal auditors must develop and document a plan for each engagement, including the engagement's objectives, scope, timing, and resource allocation. The plan must consider the organisation's strategies, objectives, and risks relevant to the engagement. It should be documented in an engagement work programme.
- Standard 2300 Performing the engagement. Internal auditors must identify, analyse, evaluate, and record sufficient information to achieve the engagement's objectives. Evidence is measured against acceptable criteria. The engagement must be monitored so that reasonable assurance is obtained.
- Standard 2400 Communicating results (reporting). Internal auditors should communicate the engagement results promptly. The findings or engagement observations are then communicated to the relevant parties in the form of an internal audit report, and they highlight, amongst other things, any weaknesses in the processes, risks associated with these weaknesses, and recommendations for improvement.
- Standard 2500 Monitoring progress (follow-up). The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.