Definition of Internal Audit
Institute of Internal Auditors (IIA) Standard effective January 2002. Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
The audit process is generally a ten-step procedure as outlined below.
- 1. Notification
- 2. Planning
- 3. Opening Meeting
- 4. Fieldwork
- 5. Communication
- 6. Report Drafting
- 7. Management Response
- 8. Closing Meeting
- 9. Report Distribution
- 10. Follow-up
First, you will receive a letter to inform you of an upcoming audit. The auditor will send you a preliminary checklist. This is a list of documents (e.g. organization charts, financial statements) that will help the auditor learn about your unit before planning the audit.
After reviewing the information, the auditor will plan the review, conduct a risk workshop primarily to identify key risks and raise risk awareness, draft an audit plan, and schedule an opening meeting.
The opening meeting should include senior management and any administrative staff that may be involved in the audit. During this meeting, the scope of the audit will be discussed. You should feel free to ask the auditors to review areas that you are concerned about. The time frame of the audit will be determined, and you should discuss any potential timing issues (e.g. vacations, deadlines) that could impact the audit. It doesn't take as much of your time as you might expect!
After the opening meeting, the auditor will finalize the audit plan and begin fieldwork. Fieldwork typically consists of talking with staff, reviewing procedure manuals, learning about your business processes, testing for compliance with applicable university policies and procedures as well as laws and regulations, and assessing the adequacy of internal controls. You should make your staff aware that the auditor will be scheduling meetings with them.
Throughout the process, the auditor will keep you informed, and you will have an opportunity to discuss issues noted and the possible solutions.
After the fieldwork is completed, the auditor will draft a report. The report consists of several sections and includes: the distribution list, the follow-up date, a general overview of your unit, the scope of the audit, any major audit concerns, the overall conclusion, and detailed commentary describing the findings and recommended solutions. You should read the draft report carefully to make sure there are no errors. If you find a mistake, inform the auditor right away so that it can be corrected before the final report is issued.
Once the report is finalized, we will request your management responses. The response consists of 3 components: whether you agree or disagree with the problem, your action plan to correct the problem, and the expected completion date.
A closing meeting will be held so that everyone can discuss the audit report and review your management responses. This is an opportunity to discuss how the audit went and any remaining issues.
The report is then distributed to you, your manager(s), senior university administrators, internal audit, and the university's external auditors. We also distribute an audit survey to the audited unit to solicit feedback about the audit. Feedback is important to us, since it can help us improve the audit process.
Follow-up reviews are performed on an issue-by-issue basis and typically occur shortly after the expected completion date, so that agreed-upon corrective actions can be implemented. The purpose of the follow-up is to verify that you have implemented the agreed-upon corrective actions. The auditor will interview staff, perform tests, or review new procedures to perform the verification. You will then receive a letter from the auditor indicating whether you have satisfactorily corrected all problems or whether further actions are necessary. If further corrective action is required, you will need to write a management response. Otherwise, the issue will be reported as resolved.