The essential difference between internal audits and compliance audits, sometimes referred to as
external audits, is who performs the audit. Internal audits, as the name indicates, are performed
by internal auditors who are employed by the business. Compliance audits are performed by
independent, third-party (external) auditors, who are often certified for the specific audit being performed.
Internal audits provide many benefits to an organization, giving management and leadership
another lens through which to look at the organization. While external compliance audits are
essential, they usually have a narrow, predefined scope: PCI DSS, for example, zooms in on
cardholder data. Internal audits can be scoped more freely, letting an organization focus on the
areas it considers a priority, or on areas that a formal compliance audit would not examine.
Internal audits also benefit organizations pursuing external audits, preparing stakeholders and
process owners for what those audits will ask of them. Findings from internal audits can be addressed
quickly, and observations give management greater insight into the business, its people, technology,
and processes. Internal audit reports can also prompt process optimization, saving the
organization costs and ultimately improving the customer's experience.
So, how can an organization plan for a successful internal audit? Read on for our checklist!
All internal audit projects should begin with the team clearly understanding why a given project
is part of the internal audit program. The following questions should be answered and approved
before fieldwork begins:
Why was the audit project approved to be on the internal audit plan?
How does the process support the organization in achieving its goals and objectives?
What is the overall audit schedule, and how does this project fit into the plan?
Was this process audited in the past, and if so, what were the results of the previous
audit(s)?
Were audit findings or nonconformities investigated and remediated according to the action
plan?
Have there been significant changes in the process recently or since the previous audit?
What is the scope of the project, and what specific requirements need to be met for a
successful outcome?
Additionally, participants in the project should review the previous audit report and results to refresh
their understanding of the environment, scope, and project parameters. The team may also want
to review any standards, frameworks, and regulatory requirements relevant to the project or
program. Reporting on internal audit objectives should be delivered to top management
periodically; quarterly or biannually is common, depending on the size and complexity of the
business.
Organizations can employ Subject Matter Experts (SMEs) from the Big 4 (Deloitte, EY, PwC, and
KPMG) and other consulting providers to supplement risk management and internal audit
programs. These consultants can provide additional guidance, insight, and clarity on specific
regulatory requirements, information security, and business processes. When contracting with
consultants, be sure to disclose any other consulting relationships you may have with that firm or
company, as there may be independence considerations that the consulting firm has to take into
account.
In terms of fostering talent, skills, and development, internal audit professionals should stay
abreast of current trends, topics, and themes in their industry. The following resources can help
audit professionals understand the present landscape and augment their knowledge:
Newsletters and updates from the AICPA, ISACA, ISO, NIST, and other similar organizations
Relevant blog posts from Deloitte Insights, EY Insights, The Protiviti View, RSM's Blog, or
The IIA's blogs
Image: The Institute of Internal Auditors (IIA) Competency Framework for Internal Audit Professionals
Source: The IIA Competency Framework for Internal Audit Professionals
All of these resources can be leveraged to identify relevant risks, inform internal audit
procedures, and encourage continuous improvement in your internal audit program. Having the
right people and talent in place to perform the necessary audit activities is critical to your
program’s success, and pulling in additional resources in the midst of an audit can be tough. By
lining up your SMEs ahead of time, you can smooth out your audit workflow and reduce friction.
Collating guidance from the Institute of Internal Auditors (IIA), the International Professional
Practices Framework (IPPF) contains both mandatory and best practice recommendations. The
IPPF aims to support the overall mission, “To enhance and protect organizational value by
providing risk-based and objective assurance, advice, and insight.” The core elements of the IPPF
are the: Core Principles for the Professional Practice of Internal Auditing, Definition of Internal
Auditing, Code of Ethics, and International Standards for the Professional Practice of Internal
Auditing.
In addition to the IIA, organizations like ISACA can also provide guidance around internal audit
processes.
Although a risk-based approach to internal auditing can and should result in a bespoke internal
audit program for each organization, taking advantage of existing frameworks like the Committee
of Sponsoring Organizations of the Treadway Commission’s (COSO) 2013 Internal Control —
Integrated Framework to inform your program can be a win for your internal audit team and avoid
reinventing the wheel. Before applying a framework, the internal audit team and leadership
should evaluate how well it maps to the business and whether it suits the organization.
COSO's 2013 Internal Control — Integrated Framework (ICIF) is used extensively for Sarbanes-Oxley (SOX)
compliance, but internal auditors can also leverage it to create a more comprehensive audit program.
The ICIF addresses internal control over operations, reporting (including financial reporting and fraud
risk), and compliance through five components: Control Environment, Risk Assessment, Control Activities,
Information and Communication, and Monitoring Activities. COSO's framework predates SOX, but the SEC
recognizes it as a suitable framework for SOX internal-control assessments, so publicly traded companies
based in the US may benefit the most from employing it as part of their internal audit program.
Review COSO's 2013 Internal Control components, principles, and points of focus (published by COSO) before building a program around them.
The Document Request List or Evidence Request List, often abbreviated to "Request List" or "RL",
is one of the central documents of any audit. The Request List is an evolving list of requests which
may cover interview scheduling, evidence requests, policies and procedures, reports, supporting
documentation, diagrams, and more, with the purpose of providing auditors with the information
and documents they need to complete the audit program for the designated projects or processes.
Requesting and obtaining documentation on how processes work is an obvious next step in
preparing for an audit. These requests should be delivered to stakeholders as soon as possible in
the audit planning process to give stakeholders (who have day jobs!) time to provide the right
evidence. As evidence comes in, the internal audit team should review the documented
information for any follow-ups and periodically update the request list as items are closed out.
The following requests should be made in order to gain an understanding of processes, relevant
applications, and key reports:
Key reports used to manage the effectiveness, efficiency, and process success
Description and listing of master data for the processes being audited, including all data
fields and attributes
From the listings received of master data, auditors can then make detailed sampling selections to
test that processes and controls are being performed effectively, as designed, every time.
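What a sample selection and the subsequent test look like in practice, as an added example that is not part of the original article: the Python below loads a constructed master data listing (leavers from HR joined to the account-disabled date from the identity system), draws a reproducible sample whose size is keyed to the control's frequency, records the seed and method so a reviewer can re-perform the selection, and checks each sampled item against a hypothetical control ("leavers' accounts are disabled within 3 business days of termination"). The control, the 3-day SLA, the frequency-to-sample-size table, and the listing itself are assumptions for illustration, not facts from the article.

```python
"""
Added example, not code from the original article: reproducible sample
selection from a master data listing, then a test of each sampled item.

Assumptions (none come from the article): the control under test is a
hypothetical "leavers' accounts are disabled within 3 business days of the
termination date"; the sample-size-by-frequency table is a convention many
audit teams use, with numbers that vary by firm; the listing is constructed.
"""
import csv
import io
import random
from datetime import date, timedelta

# Assumed sample-size convention by control frequency (capped at population size).
SAMPLE_SIZE_BY_FREQUENCY = {
    "annual": 1, "quarterly": 2, "monthly": 3,
    "weekly": 5, "daily": 25, "many_per_day": 40,
}

SLA_BUSINESS_DAYS = 3        # assumed control design
AS_OF = date(2024, 4, 1)     # assumed date the listing was pulled

# Constructed listing: HR termination date joined to the identity system's
# account-disabled date. An empty disabled_on means still enabled at AS_OF.
MASTER_DATA_CSV = """user_id,terminated_on,disabled_on
u1001,2024-03-01,2024-03-01
u1002,2024-03-04,2024-03-06
u1003,2024-03-05,
u1004,2024-03-11,2024-03-12
u1005,2024-03-15,2024-03-22
u1006,2024-03-18,2024-03-19
u1007,2024-03-20,2024-03-20
u1008,2024-03-25,2024-03-26
"""


def load_population(text):
    """Parse the listing; the full population is what the sample is drawn from."""
    return list(csv.DictReader(io.StringIO(text)))


def _as_date(value):
    return value if isinstance(value, date) else date.fromisoformat(value)


def business_days_between(start, end):
    """Mon-Fri days strictly after `start` up to and including `end` (0 if end <= start)."""
    start, end = _as_date(start), _as_date(end)
    count, day = 0, start + timedelta(days=1)
    while day <= end:
        if day.weekday() < 5:
            count += 1
        day += timedelta(days=1)
    return count


def select_sample(population, frequency, seed):
    """Draw a frequency-sized sample with a seeded RNG.

    The selection_record (method, seed, population and sample sizes) is what
    goes in the workpaper so a reviewer can regenerate exactly the same sample.
    """
    size = min(SAMPLE_SIZE_BY_FREQUENCY[frequency], len(population))
    items = random.Random(seed).sample(population, size)
    record = {
        "method": "random.Random(seed).sample over the listing in file order",
        "seed": seed, "frequency": frequency,
        "population_size": len(population), "sample_size": size,
    }
    return {"selection_record": record, "items": items}


def check_item(row, sla_business_days=SLA_BUSINESS_DAYS, as_of=AS_OF):
    """Re-perform the control check for one leaver; returns (passed, detail)."""
    terminated = date.fromisoformat(row["terminated_on"])
    if not row["disabled_on"]:
        elapsed = business_days_between(terminated, as_of)
        return False, f"still enabled {elapsed} business days after termination"
    elapsed = business_days_between(terminated, row["disabled_on"])
    if elapsed > sla_business_days:
        return False, f"disabled after {elapsed} business days (SLA {sla_business_days})"
    return True, f"disabled after {elapsed} business days"


def evaluate(rows, sla_business_days=SLA_BUSINESS_DAYS, as_of=AS_OF):
    """Return the exceptions (failed items) found in `rows`."""
    exceptions = []
    for row in rows:
        passed, detail = check_item(row, sla_business_days, as_of)
        if not passed:
            exceptions.append({"user_id": row["user_id"], "detail": detail})
    return exceptions


if __name__ == "__main__":
    population = load_population(MASTER_DATA_CSV)
    sample = select_sample(population, "weekly", seed=20240401)
    print("selection record:", sample["selection_record"])
    for exc in evaluate(sample["items"]):
        print("EXCEPTION", exc["user_id"], exc["detail"])
```

Because the seed, method, and population size are recorded alongside the sample, the selection can be regenerated exactly during review rather than trusted on the auditor's word. Running evaluate over the full population instead of the sample turns the same check into a continuous-monitoring query for the process owner.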
Before meeting with business stakeholders, the internal audit team should hold a meeting
in order to confirm a high-level understanding of the objectives of the audit plan and program(s),
key processes and departments, and the fundamental roadmap for the audit.
Then, after aligning some ducks internally, the audit team should also schedule and conduct a
planning meeting with business stakeholders for the scoped processes. This keeps everyone on
the same page, and gives business personnel the time and opportunity to coordinate audit efforts
with their business units. The following steps should be performed to prepare for a planning
meeting with business stakeholders:
Outline key process steps by narrative, flowchart, or both, highlighting information inflows,
outflows, and internal control components.
Validate draft narratives and flowcharts with subject matter experts and stakeholders (if
possible).
Preparing the questionnaire after performing the initial research sets a positive tone for the audit,
and demonstrates that internal audit is informed and prepared. Planning, preparedness, and
cooperation are critical to achieving audit objectives and gleaning deeper insights from the audit.
7. Preparing the Audit Program
Once the internal audit team has completed initial planning, consulted with SMEs, and
researched the applicable frameworks, they will be prepared to create an audit program. Audit
teams can leverage past audit programs to better design present and future procedures. An audit
program should detail the following information:
Since internal audit reports are usually designed for the consumption of leadership and
management, providing an executive summary of the audit program and outcomes gives the
audience a snapshot of the audit and results.
When completing the audit program, documenting the process objectives and tying each process
to owners designates accountability.
Process Risks
Along with the process objectives and owners, the risks associated with the process should also be
noted.
Once details about the process, including risks, are documented, the audit team should identify
and map the mitigating controls to the risks that they address. Compensating controls can also be
noted here.
Control Attributes
Control attributes are the components and characteristics of the control activity that are critical
to the effective execution of that control. Asking the following questions and documenting the
results are a good starting point — though some controls may have unique or uncommon
attributes as well.
Is the control preventive or detective? If the control is detective, are there corrective actions
required as part of completing the control?
How frequently does the control occur (e.g. many times a day, daily, weekly, monthly,
quarterly, annually, etc.)?
What type of risk does the control mitigate (fraud, operational, security, etc.)?
How likely is the risk to be realized (e.g. Highly Likely, Likely, Unlikely)?
How impactful would the risk be if it were realized (e.g. High Impact, Medium Impact, Low
Impact)?
What evidence does the audit team need to complete audit testing procedures?
Testing Procedures and Methods for Controls to be Tested During the Audit
There are four ways to test controls as part of an audit. Many times, these methods must be
combined to fully and completely test a control. These four methods are as follows:
Inquiry: asking the control owner or performer how the control operates
Observation: watching the control being performed
Inspection: examining the evidence the control produces (approvals, logs, reports, tickets)
Re-performance: independently executing the control to confirm it produces the expected result
A comprehensive audit program contains sensitive information about the business. Access to the
full audit program(s) should be restricted to appropriate personnel only, and only shared when
approved.
Audit programs, especially those for processes that have never been audited before, should have
multiple levels of review and buy-in before being finalized and allowing fieldwork to begin. The
following individuals should review and approve the initial audit program and internal audit
planning procedures before the start of fieldwork:
Management’s Main Point of Contact for the Audit (i.e. Audit Customer)
Internal auditors who take a risk-based approach, create and document audit programs from
scratch — and do not rely on template audit programs — will be more capable and equipped to
perform audits over areas not routinely audited. When internal audit teams can spend more of
their time and resources aligned to their organization’s key objectives, internal auditor job
satisfaction increases as they take on more interesting projects and have an effect on the
organization. The Audit Committee and C-suite may become more engaged with internal audit's
work in strategic areas. Perhaps most importantly, recommendations made by internal audit will
carry more weight and have a greater impact in enabling positive change across the organization.
Internal Audit Checklist
[Insert classification]
AUDIT
AUDIT SCOPE
AUDITOR(S)
DATE OF AUDIT
2. How is it defined?
3. Is it reasonable?
5 Leadership
5.2 Policy
6 Planning
4. Does it identify a reasonable set of risks and specify owners?
7 Support
7.1 Resources
7.2 Competence
1. Have the necessary competences been determined?
2. How has the competence of the people involved in the ISMS been established?
7.3 Awareness
7.4 Communication
2. Is the approach to communication documented?
8 Operation
2. Do they cover requirements, objectives and risk treatments?
3. What planned changes have taken place recently and how were they controlled?
9 Performance evaluation
2. Review evidence of monitoring and measurement.
10 Improvement
3. What evidence of continual improvement can be demonstrated?
1. Where is segregation of duties used within the organization?
6. Is there a teleworking policy?
1. What background verification checks are carried out on employment candidates?
2. How is information security covered in employment contracts?
A8 Asset management
1. Is there an asset inventory?
6. How is information labelled with its classification?
A9 Access control
3. Is there a formal registration and de-registration process?
A10 Cryptography
8. Is important cabling protected?
9. Review equipment maintenance logs.
4. Is network segregation used and if so how?
5. What information transfers take place?
6. Are there policies, procedures and controls in place to protect them?
7. Are controls documented in formal agreements?
8. How is electronic messaging protected?
9. Are there non-disclosure agreements in place with key parties?
3. Do agreements with suppliers require them to address security risks?
1. Is there an information security incident procedure?
2. Are incident management responsibilities understood?
3. How are information security events and weaknesses reported?
2. Do business continuity procedures provide for the required level of information security?
4. Are availability requirements identified and is enough redundancy in place to meet them?
3. Is an approach to meet these requirements in place?
4. Are procedures implemented to ensure compliance with intellectual property rights?
5. Are records protected in line with the understood requirements?
9. How often do managers check their areas comply with information security policies and standards?
10. Review the most recent report on compliance of information systems with agreed information security policies.