Internal audit is a process of obtaining and evaluating data and appraising the level to which requirements are fulfilled. It is a first-party audit. An internal audit should be run on the same principles as other types of audit; however, it doesn't require external auditors.
It is important that an audit is "searching for conformity"; non-conformity should be only a side effect. Finding non-conformity is not an objective of the auditor. However, if the auditor spots one, he is required to describe it in the report.
An internal auditor is usually an employee. It is, however, possible to hire an external consultant as an internal auditor. To become an auditor, a person has to fulfil the following requirements:
- to have enough training and expertise in the area being audited,
- to be trained in audit process,
- to be appointed by top management.
Internal auditors are responsible for performing audits according to internal procedures and external legislation.
Internal audit procedure
An internal audit procedure should include several elements:
- programming audits,
- planning audit,
- performing audit,
- reporting audit,
- analysing series of audits.
The ISO 19011 standard can be a good guide for internal auditors. The sections below discuss the listed elements.
Internal audits program
The manager responsible for audits (e.g. the quality manager) should prepare a program of audits which covers all requirements, e.g. all chapters of the standard, all processes, etc. The program should be prepared for a longer period, usually a year. Certification bodies often require internal audits to cover all requirements during the time between supervision (third-party) audits.
Internal audit planning
The appointed auditor should prepare for the audit:
- establish date of audit,
- become acquainted with documentation,
- prepare list of questions or issues (check-list).
Plan / Charter
The plan/charter usually includes:
- date of the audit
- information about independence of auditor, accountability and responsibility
- access and authority
- relationship with other functions not being audited
- the basis of the audit (procedures, regulations, operating standards, etc.)
- requirements regarding reporting and publication
The auditor's check-list (list of audit questions) is a set of audit questions and required checks. Using the audit check-list helps to:
- maintain the logical order of research,
- avoid missing an item,
- facilitate the preparation of the report,
- provide evidence of the audit, as it is part of the documentation.
There is no standard list of questions; each auditor makes his own, customized to his needs, depending on experience and the scope of the audit. The list must be kept up to date with changing regulations and adapted to the situation.
Questions on the list can be divided into ten groups:
- Decision about starting audit (e.g. Do I know who is my customer?)
- Getting information from the person requesting the audit (e.g. Did the customer describe the purpose of the audit?)
- The first contact with the audited entity (e.g. Do I know how to behave in relation to the auditee?)
- Preparation of the audit (e.g. Have I set the date of the audit?)
- The meeting opening the audit (e.g. Do I know what I want to convey at the opening meeting?)
- The visit in the audited company (e.g. Does the caller answers about?)
- Meeting auditors (e.g. Do I have all the information we need?)
- The meeting ending audit (e.g. Do you all understand my speech?)
- The audit report (e.g. Are the conclusions of the audit not superficial?)
- After the audit (e.g. Am I satisfied with the audit?)
The list of audit questions should be treated as a set of guidelines to facilitate the work of the auditor, not as a rigid frame. The auditor has to use it intelligently, staying professional and responsive to signals from the outside.
Performing internal audit
Performing an audit consists of the following steps:
- opening meeting - presentation of audit aims and plan,
- interviews with audited managers and employees,
- analysis of documents,
- observation of processes,
- other methods,
- closing meeting - summary, presentation of results.
During the audit, the auditor should avoid checking all the data. That behaviour is typical of inspection. In an audit, the auditor should take a sample and judge on the basis of its evaluation. The sample usually doesn't exceed 10% of the population. There are several methods of sampling, e.g.:
- pick newest data
- pick one from each month
- pick one every 10 records
- pick randomly
The auditor should avoid letting the employee pick the sample, as he/she can pick only proper records.
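The four sampling methods listed above, as an added example (not part of the original article). The record layout, the function names and the idea of drawing the random picks from a seed the auditor chooses and notes in the report, so the selection is reproducible and not made by the auditee, are assumptions of this sketch.

```python
import random
from collections import defaultdict
from datetime import date

MAX_PERCENT = 10  # the article's "usually doesn't exceed 10% of the population"

def sample_size(records):
    """Largest sample allowed by the 10% rule, but at least one record."""
    return max(1, len(records) * MAX_PERCENT // 100)

def pick_newest(records, n):
    """Method 1: the n most recent records."""
    return sorted(records, key=lambda r: r["date"], reverse=True)[:n]

def pick_one_per_month(records, rng):
    """Method 2: one record from each calendar month, chosen by the auditor's RNG."""
    by_month = defaultdict(list)
    for r in records:
        by_month[(r["date"].year, r["date"].month)].append(r)
    return [rng.choice(by_month[m]) for m in sorted(by_month)]

def pick_every_nth(records, step=10):
    """Method 3: one record every `step` records, in register order."""
    return records[::step]

def pick_random(records, n, rng):
    """Method 4: n records drawn at random without replacement."""
    return rng.sample(records, n)

# Constructed population: 120 records, 10 per month of 2023 (not real data).
RECORDS = [
    {"id": f"REC-{i + 1:03d}", "date": date(2023, i // 10 + 1, (i % 10) * 2 + 1)}
    for i in range(120)
]

if __name__ == "__main__":
    seed = 20240115  # assumption: chosen by the auditor and written into the report
    n = sample_size(RECORDS)
    samples = {
        "newest": pick_newest(RECORDS, n),
        "one per month": pick_one_per_month(RECORDS, random.Random(seed)),
        "every 10th": pick_every_nth(RECORDS, 10),
        "random": pick_random(RECORDS, n, random.Random(seed)),
    }
    for method, sample in samples.items():
        print(f"{method:14s} {[r['id'] for r in sample]}")
```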
Internal audit report
After performing the audit, the auditor should prepare a written report. The scope of the report depends on enterprise requirements. The report should be accepted by the manager responsible for audits and then sent to the units that were audited. Usually the report consists of:
- data from audit plan
- information about conformity
- information about non-conformity
- possibility of improvement
Analysis of series of internal audits
After each programming period, the manager responsible for audits should perform an analysis and present its results to top managers. The results should also be an input for the next programming period.
Concepts using internal audit
- Management systems
- Financial management
- Risk management
- ISO 19011 - Guidelines for auditing management systems
- Douglas F. Prawitt, Jason L. Smith, and David A. Wood (2009) Internal Audit Quality and Earnings Management. The Accounting Review: July 2009, Vol. 84, No. 4, p. 1255-1280.
- Gramling, Audrey A; Maletta, Mario J; Schneider, Arnold; Church, Bryan K. The role of the internal audit function in corporate governance. Journal of Accounting Literature 23 (2004): 194.
- Meigs, Walter B., Principles of Auditing, IRWIN, Boston 1989.
- Taylor D. H., Glezen G. W., Auditing. An assertions approach, John Wiley & Sons, New York 1997
Author: Slawomir Wawak