Performing Effective Internal Audits

8.1 INITIATING AND LAUNCHING AN INTERNAL AUDIT

The justifications for initiating and launching an internal audit are:
1. Corporate reorganizations, including legal or physical threat events.
2. Audit committee formal requests.
3. A request to schedule an audit by senior management or the external auditors.
4. Need for a follow‐up audit based on the results of a prior audit.
5. A special audit performed at the request of local or unit management.
6. Other auditable areas identified in the audit universe as described in Chapter 15 but not in
the regular, approved annual internal audit plan.

8.2 ORGANIZING AND PLANNING INTERNAL AUDITS

The entire stage and process for organizing and planning an internal audit requires an
understanding of the IIA International Standards for the Professional Practice of Internal
Auditing. Internal audit requires broad skills and knowledge that cannot be described in a certain
stage but includes all activities. Before the internal audit function begins, a means is needed to
build an effective internal audit function, namely:
 An effective plan or organization and a charter for launching internal audit activities.
 A long‐range annual audit plan.
 Standard and effective approaches for performing all internal audits.

8.3 INTERNAL AUDIT PREPARATORY ACTIVITIES

An internal audit must plan every activity carefully before they are carried out. The audit process
should start from elements in planning through to the annual internal audit risk assessment
process, through management or a special request from the audit committee, or in an unplanned
event; such as the discovery of fraud, new regulations, or unforeseen economic events. Although
small elements of preparation can be undertaken concurrently with the audit itself, it should
generally be done before visiting the audit site. An important preparation activity is determining
the objectives, scope, and procedures of the audit program
will be used in individual audits. The image below shows the document photo files that explain
the upcoming audit plan. This document will be prepared by the internal audit manager.
 Determine the Audit Objectives
 The statement of the internal audit objectives will initiate the internal audit. As long as
planned examinations are approved, the statement of purpose should always be viewed as
a big picture that illustrates the internal audit objectives for a given review.
 Audit Schedule and Time Estimates
The audit schedule and the estimated audit time depend on the nature of the audit and the
size of the audit being carried out.
 Internal Audit Preliminary Surveys
When conducting an audit in an area that has previously been audited, the first step is to
conduct a survey, gathering background material on the entity to be audited. The
following items should be reviewed, during the Preliminary Surveys internal audit:
o Review of prior workpapers.
o Knowing the amount of time from the prior audit.
o Review of prior audit reports.
o Significant recommended corrective actions.
o Organization of the entity.
o Other related audit materials.

8.4 STARTING THE INTERNAL AUDIT

The first step in starting an internal audit is to inform the organization that will be audited that
they will be audited on a predetermined schedule even though the internal audit has prepared a
planning memo as shown above as documentation. Notification from the internal audit party in
the form of an Engagement Letter. This letter should notify auditee management of the
following:
 Addressee.
The communication should be addressed to the manager directly responsible for the unit
being audited.
 Objectives and scope of the planned audit.
The auditee should be clearly advised of the purpose of the planned internal audit and the
areas it will cover.
 Expected start date and planned duration of the audit.
As much as possible, the engagement letter should give the auditee some understanding
of the timing of the audit.
 Persons responsible for performing the review.
At a minimum, the in‐charge auditor should be identified for this planned audit
 Advance preparation needs.
Any requirements needed in advance of the field visit or at the audit site should be
outlined.
 Engagement letter copies.
Although the term carbon copy or CC is outdated today, copies of the engagement letter
should be directed to appropriate persons in the enterprise with a need to know.
Internal Audit Field Surveys
Field survey is an important phase, in this phase it will determine the objectives, coverage, and
improve the results of the audit. The following is the information that must be collected by
auditors in charge in the survey fields:
 Organization.
 Manuals and directives.
 Reports.
 Personal observations.
 Discussions with key personnel.
Documenting the Internal Audit Field Survey
Work performed, and a summary of the data collected through the field survey is documented on
audit working papers. Copies of important reports and published procedures should be obtained,
summary notes and observations recorded from all interviews and visits, with flowcharts
prepared for all systems or processes.
Field Survey Auditor Conclusions
The purpose of the internal audit field survey is to confirm the assumptions obtained from the
initial audit planning, in order to develop an understanding of the importance of systems and
processes. This document is particularly important if the in‐charge auditor feels there is a need to
change audit scope or planned procedures.

8.5 DEVELOPING AND PREPARING AUDIT PROGRAMS

An audit program is a tool for planning, leading, and controlling audit work by specifying the
steps that must be taken to fulfill the audit objectives. Effective internal auditors are those with a
generalized audit program that is prepared for most of the audit activities that are performed on a
recurring basis.
Audit Program Formats and Their Preparation
The audit program must be final after completing the preliminary and field surveys, and also
before starting the actual audit activity. Program audits should be able to identify areas for
further inspection and sensitive areas for need emphasis Audit. Depending on the type of planned
audit, programs usually follow one of three general formats: (1) a set of general audit procedures,
(2) audit procedures with detailed instructions for the auditor, or (3) a checklist for compliance
reviews.
Types of Audit Evidence
Internal auditors must collect audit evidence to support audit evaluation. Audit evidence must be
sufficient, competent, relevant, and useful.

8.6 PERFORMING THE INTERNAL AUDIT

Internal Audit Fieldwork Initial Procedures
The internal audit process may disrupt the routine business operations of the auditee, so the
auditor needs to communicate the schedule and objectives of implementing this internal audit
with the auditee. In addition, the auditors must also obtain a commitment from the auditee for the
implementation of the said internal audit, especially in terms of providing data and reports
required by the internal auditor. If in practice there is a key person who is not cooperative, then
the auditor may discuss it with the authorized party of the auditee, or revise the audit strategy,
among others:
 Revising audit procedures to perform additional tests in other areas.
  Completing the audit without the missing data file.
 Completing other portions of the audit and rescheduling a later visit to perform tests.
Audit Fieldwork Technical Assistance
In fieldwork audits, problems of a technical nature can arise, where internal auditors are not
competent in the technical field concerned, must be overcome by providing assistance from
people who have competence in the intended field. All additional costs and time on the matter
must also be documented in the audit working paper so that it can be used as supporting material
for the preparation of the next audit plan.
Audit Management Fieldwork Monitoring
If the internal audit is conducted over a long period of time or the required level of resources is
broad, internal audit management should frequently review the progress of this audit and provide
technical direction through visits and communications. The purpose of this visit is to review
work in progress and to help resolve problems at hand.
Potential Audit Findings
preliminary audit findings typically have the following elements:
 Identification of the findings.
 The conditions of the completed audit.
 References to the documented audit work.
 Auditor’s preliminary recommendations.
 Results of discussing the findings with management.
 Recommended disposition of the matter.
Audit Program and Schedule Modifications
The most common need for modification of the audit program is required when internal auditors
have developed a general audit program for use in the same but not identical review units. For
example, for the internal control of the purchasing function where the audit program in one area
can be carried out well, but in other specific areas it cannot be applied even though both are in
the purchasing unit or function. During the field audit, unforeseen problems may arise requiring
modification of the audit program. Proper approval by management's internal audit is required to
modify these changes.
Reporting Preliminary Audit Findings to Management
The findings when conducting an audit should be reviewed. The in-charge auditor must set aside
a schedule for meetings with the management unit to communicate findings before leaving the
site / field.

8.7 WRAPPING UP THE FIELD ENGAGEMENT INTERNAL AUDIT

The final result of the internal auditing activity is the Internal Audit Department Report to the
Board and the Audit Committee. The report contains the audit findings during field work and the
recommendations given to make the organization's business processes effective and efficient. To
provide a valid report it is necessary to plan internal audit fieldwork. The Internal Audit
Department must make careful calculations so that the objectives of the internal audit can be
achieved and in line with the planned budget. The Internal Audit Department must take into
account how many personnel are needed, who are the personnel, how long it will take, and how
much it will cost in detail.
Planning that has been made beforehand must be compared with the budget provided. This is
important to do to measure the performance of internal audit personnel and to find out the
variances that occur between budget and field implementation, for that each internal auditor
personnel must have a report on the progress of their field work. This report contains information
in the form of a budget, estimated time compared to the actual time needed to complete
fieldwork, a description of the development of the audit compared to the audit program. The in-
charge auditor must be able to explain the variance that occurs between budget and reality.

8.1 PERFORMING AN INDIVIDUAL INTERNAL AUDIT

The concept behind the CBOK theme is to highlight areas of knowledge that are important to
every internal auditor. While internal audit reports are an important product of work, the ability
to plan and carry out individual internal audits is a key knowledge requirement. Whether a senior
member of the internal audit staff, or a member of the internal audit management team, must
have a professional understanding of the internal audit risk assessment and plan, to prepare
working papers, to document audit activities, and to summarize results in preparation for
concluding internal audit reports.
Because so many types of internal audits are conducted, we do not try to outline the steps
required to perform one generic internal audit. However, internal auditors must have a good
understanding of International Standards for the Professional Practice of Internal Auditing, as
well as international audit planning and performance.

PLANNING AUDITS AND UNDERSTANDING PROJECT MANAGEMENT

 Internal auditors will need to assess the effectiveness of project management internal
controls in many of their operational reviews, as well as use good project management
techniques in many of their internal audit activities. Internal audit should have a common
body of knowledge (CBOK) understanding of project management best practices.

THE PROJECT MANAGEMENT PROCESS

  A project is a temporary effort made to create a unique product, service or result. The
temporary nature of a project means that a project has a definite start time and end time.
The end of the project has been achieved when the objectives of the project have been
obtained or when the project is terminated because the objectives cannot or will never be
achieved, or also when there is no longer a need for the project. A project can also be
terminated if the client (customer, sponsor or auction winner) wishes to terminate the
project.
 Each project creates a unique product, service or outcome. The results of the project can
be tangible or not. Even though there are the same elements that are continuously present
in a project that is being worked on, repeating the same elements will not change the
basic meaning of the project, namely the unique characteristics of the project work.
Examples of office buildings can be constructed with the same material by different
teams. Every building project is unique if its location, design, situation, stakeholders and
other factors differ.
 A project can also involve one individual or many individuals, one unit organization or
many units from one organization, as well as many organizations.

PMBOK: THE PROJECT MANAGEMENT BOOK OF KNOWLEDGE

 PMBOK® Guide is a Project Management Body of Knowledge which is generally

recognized as good practice. The term "generally known" means that the knowledge and
practice described are applicable to most projects and there is consensus on their value
and usefulness. "Good knowledge" means that there is general agreement that the use of
knowledge, skills, tools, techniques can increase the chance of success in many projects.

 These five basic project management process groups are:

o Initiating. There should be formal processes in place to launch any project effort,
including a description of the project’s objectives, estimated budgeting, and
appropriate approvals. From an internal audit perspective.
 o Planning. Every project requires planning in terms of its time and resource
estimates as well as for the linkages between components and other projects that
require coordination.
o Executing. These are the actual project activities—what needs to be done to
accomplish project goals. From an internal audit perspective, these activities may
range from individual reviews to executing an ongoing program of internal audit
activities.
o Controlling. An ongoing set of processes should be in place to monitor the
appropriate completion of project elements, determining that budgets and
objectives are being met. This is an important component in overall internal audit
management.
o Closing. The final process requires wrapping up the project effort and both
delivering the project components as well as summarizing and reporting the
project results. For many internal audit activities.
 PMBOK has defined the project management process in a consistent and well-controlled
manner. In addition to the five basic project management process groups, as discussed,
the PMBOK guidance material defines nine of what are called project management
knowledge areas:
o Project integration management
o Project scope management
o Project time management
o Project cost management
o Project quality management
o Project human resources management
o Project communications management
o Project risk management
o Project procurement management
 PMBOK guidance describes each of these knowledge areas, in terms of their inputs,
tools, and outputs, with a considerable level of detail. For example, Exhibit 16.2 shows
the summarized inputs, tools, and techniques and the outputs for PMBOK’s project risk
management, and Exhibit 16.3 shows the data flow for PMI’s risk management
components.
 In addition to guidance on general management, the PMBOK contains a fair degree of
detail on the project management tools and processes needed in each of these knowledge
areas. Exhibit 16.4 summarizes these PMBOK processes and knowledge areas. The
 purpose of this chapter is not to provide a detailed overview of all of PMBOK’s process
and knowledge areas but to emphasize the role of this tool for planning and implementing
effective project management processes for internal auditors. PMBOK is widely
recognized today as the standard for managing a project.

PMBOK PROGRAM AND PORTFOLIO MANAGEMENT

 The PMBOK guidance focuses on individual projects and is useful for performing single
internal audits. However, just as an internal audit function or department will be
responsible for a series of internal audits over a period of time, any function managing a
series of projects needs to think of them as a series of program projects as well as their
relationships with other similar or related projects. Programs generally consist of related
work that may be outside the scope of the individual projects.
 If internal audit groups existed for two units of a corporation, perhaps one covering
internal audits in European Union countries and the other for the United States, the
internal audit activities for each could be considered an internal audit portfolio with both
of these classified under a higher-level portfolio at the corporate headquarters. This
portfolio and program approach to project management is described in Exhibit 16.6. The
idea is that reporting relationships should be established when necessary to promote
efficiency and achieve overall objectives.
 The PMI Standard for Program Management is a set of best practices for the management
of multiple, related projects that are measured and evaluated as a program. PMI has a
similar standard for portfolio management. This guidance is also useful to internal audit
where multiple but similar internal audit projects can be managed as a program or
considered as a portfolio. Exhibit 16.7 shows this interaction between projects and
program.
 The relationship between project, program, and portfolio management practices in terms
of such factors as their scope, change management considerations, planning, success
factors, management, and monitoring.

PLANNING AN INTERNAL AUDIT

  The overall PMBOK guidance is important for internal auditors in the understanding and
use of good project management practices. Its concepts are particularly useful when
internal audit is reviewing virtually any enterprise project-related activity.
 The internal auditor involved in reviewing any such area should ask if the project is
following PMBOK standards and should ask to see evidence of the project’s adherence to
PMBOK, an effective project plan, and time and expense records. If such compliance
records are not in place, there may be a solid internal finding here.
 Although our discussion of PMBOK standards paints an environment that may not be
typical for many internal auditors, these concepts provide excellent guidance for
managing individual internal audits. All internal auditors must have a strong CBOK
understanding if not hands-on experience in this process of planning and performing an
individual internal audit.

UNDERSTANDING THE ENVIRONMENT: PLANNING AND LAUNCHING AN

INTERNAL AUDIT

 The idea of such an audit universe document is not to describe everything where internal
audit might launch an internal audit during a current period but to describe the scope of
internal audit’s planned activities.
 Exhibit 16.9 is an example of the type of preliminary plan that might be developed for
such a review of these Muddville purchasing and receiving operations. Because the
information here is only very preliminary, the plan does not use specific dates but
assumes that two internal audit staff members will be assigned to do the work. The
preliminary plan shown only uses approximate estimated hours at this time, but care
should always be given to not seal such preliminary plans “in cement,” as more
information may force all planned estimates up or down.

AUDIT PLANNING: DOCUMENTING AND UNDERSTANDING THE INTERNAL

CONTROL ENVIRONMENT

 We have stated that our example internal audit function has never performed a review of
purchasing and receiving operations at its Muddville facility but that it has audit
 programs and experience in performing similar reviews at other Global Computer
Products facilities.
 The documentation may be sparse, out of date, or non-existent. Internal audit may want
to ask some questions to gather more information about these processes.

PERFORMING APPROPRIATE INTERNAL AUDIT PROCEDURES AND WRAPPING UP

THE AUDIT

 internal audit needs to identify key internal control areas here and then to develop audit
tests to verify that those controls are working. The size and type of these tests depends
very much on the nature and criticality of the processes reviewed. However, it is usually
not sufficient to select one item to walk through the process, and then to say that
everything is okay as long as those items met this audit test.
 After the on-site internal audit team has completed its audit tests and performed other
internal audit procedures, there is a need to wrap up the audit fieldwork before departing
from the audit site. Although the final audit report and even a final draft report may not
be complete prior to internal audit’s completion of their fieldwork, it is almost essential
that the on-site internal auditors provide local management with at least a summary of
their audit observations and potential finding and recommendations as discussed in
Chapter 18 on the importance of internal audit reports.
  Exhibit 16.11 is an example of such a point sheet. This would essentially be a discussion-
level document. If management has some significant areas of dispute, internal audit can
document and agree to re-review draft findings or to make potential changes to clear up
any management areas of concern.

 Internal audit’s objectives here are not to come home with a dazzling audit report filled
with findings and recommendations but to review an area and to make recommendations
to improve the overall internal control environment there.

PROJECT MANAGEMENT BEST PRACTICES AND INTERNAL AUDIT

 Internal auditors should think of virtually every internal audit they plan and perform as a
project similar to the best management practices that we have described on a high level
here and that can be found in the PMBOK standard.
 These translate to the process of planning and performing an internal audit, using
PMBOK terminology but from an internal audit perspective, as follows:
o Project integration management. Detailed plans need to be prepared for every
internal audit, including processes to implement changes and alter that audit plan
in light of new findings or other developments during the course of the audit.
 o Internal audit project scope management. Every internal audit needs to establish
and document a clear statement of the audit’s scope at the beginning of the
review. This scope will become a baseline for measuring internal audit progress,
accomplishment of the scope’s objectives, and any necessary change control.
o Internal audit project time management. The time and activities of all internal
auditors involved in a review need to be budgeted, recorded, monitored, and
assessed.
o Internal audit project cost management. Internal audit costs need to be budgeted,
collected, and controlled.
o Internal audit project quality management. Every internal audit project needs to
include appropriate quality planning, assurance, and control processes. These
measures assess a particular audit as well as the overall internal audit function.
o Internal audit project human resources management. Proper attention must be
given to all members of the team performing the internal audit, including audit
team organization planning and all levels of staff development and training.
o Internal audit project communications management. Communications factors are
important elements in any internal audit, whether in documenting results in
workpapers, reporting status and results to both enterprise and audit management,
and development of the final audit report.
o Internal audit project risk management. Every internal audit faces a variety of
risks, and the internal audit team needs to have processes in place to formally
identify and quantify those risks as well as to have procedures in place to respond
to and control any risks associated with an internal audit.
o Internal audit project procurement management. Although they are perhaps the
least significant of the PMBOK knowledge areas when compared to other aspects
of an internal audit, processes should be in place during any audit contract for any
outside services and goods as necessary.
 Effective project management best practices, as defi ned in PMBOK, are an important
CBOK skill requirement for all internal auditors, both in developing internal audit
projects and in assessing the maturity of project management practices in the course of
their reviews.