PK Chopra & Co. Chartered Accountants since 1963. Auditing, taxation & advisory services for businesses in India & abroad. Visit us on https://pkchopra.com/
Internal audits are an integral element of any organization's operations. They help assess the overall performance of a company, identify areas that need improvement, and make sure that the company complies with the applicable standards. If your business will be subject to one, it's crucial to know the procedure so that the audit goes smoothly. This article describes what to expect when an internal audit is conducted and gives step-by-step instructions to help you prepare.
Introduction
Internal audits play a crucial role in helping organizations reach their goals. They evaluate the effectiveness of an organization's control, risk management, and governance practices. Internal audits are performed by internal auditors: impartial and independent people or teams within the organization.
In this article we explain what you can expect from an internal audit and give you a step-by-step guide to help you prepare for it.
What is an Internal Audit?
An internal audit is a systematic and impartial evaluation of a company's processes, controls, operations, and procedures. Its goal is to give assurance that the company's processes are running efficiently, effectively and in line with all applicable laws and regulations.
Internal audits are carried out by internal auditors, who are impartial and independent members or teams within the company. Internal auditors help the organization attain its goals by offering assurance regarding its controls, risk management, and governance procedures.
Why are Internal Audits Important?
Internal audits are crucial for a number of reasons. First, they help companies find areas in need of improvement. Second, they provide assurance that the company's processes are functioning efficiently, effectively and in line with all applicable legislation and rules. Third, they help companies achieve their goals by giving assurance on their risk management, control and governance procedures.
Types of Internal Audits:
There are many kinds of internal audits, each with a distinct function. The most common kinds of internal audits include:
Financial Audits: These reviews examine the credibility of financial statements and ensure that they follow accounting standards and regulations.
Operational Audits: These audits evaluate the efficiency and effectiveness of operational processes and pinpoint areas for improvement.
Compliance Audits: These audits make sure that the business is following all applicable legislation and rules.
Information Technology Audits: These reviews assess the technology used by an organization and verify that its systems are secure, reliable and compliant with any applicable laws and regulations.
Preparing for an Internal Audit:
Preparation is crucial for ensuring a smooth internal audit. Here are some tips to help you prepare:
Determine the scope of the audit: Define the areas to be inspected and what the audit will cover.
Examine previous audit reports: Review audit reports from the past and find areas in need of improvement.
Conduct a self-assessment: Assess your own procedures and controls to find potential problems.
Gather relevant documents: Prepare all the documents that an auditor might require.
Designate roles: Assign duties, roles and responsibilities to the staff members who take part in the audit.
Plan the audit: Plan the audit together with the internal auditor.
Step-by-Step Guide for an Internal Audit:
Fieldwork
Fieldwork is the most crucial part of the internal audit. In this stage the auditor collects evidence and details to analyse the effectiveness of the company's procedures and controls. The steps in the fieldwork stage are:
Conduct interviews: Auditors interview employees to understand their roles and responsibilities and to collect information on the company's processes and procedures.
Review documents: Auditors review documents such as financial statements, policies, procedures and other relevant records to collect evidence.
Test controls: Auditors evaluate the effectiveness of an organization's controls by selecting a small sample of transactions and testing the operation of the controls.
Identify problems: The auditor highlights problems and areas for improvement based on the data gathered in the fieldwork.
Closing Meeting
The closing meeting is the last meeting between the auditee and the auditor. Here the auditor presents their findings and makes recommendations to the auditee. The steps in the closing meeting are:
Discuss findings: The auditor shares the findings with the auditee and points out any problems or areas that could be improved.
Offer suggestions: The auditor makes suggestions to address the issues identified and to enhance the efficiency of the company's processes and procedures.
Agree on actions: The auditee and the auditor agree on steps to address the issues identified and to enhance the efficiency of the organization's procedures and controls.
After the Internal Audit
After the internal audit is complete, it's important to take steps to address the problems identified and to improve the company's processes and controls. Here are a few steps to take following the internal audit:
Implement the recommendations: Implement the recommendations made by the auditor to address the identified issues and to improve the processes and controls of the organization.
Track progress: Monitoring progress is the best way to make sure that the recommended actions are being implemented and are working.
Conduct follow-up audits: Follow-up audits are conducted to ensure that the identified issues are resolved and that the procedures and controls have improved.
Conclusion
In short, internal audits are a must for any organization that wants to evaluate the effectiveness and efficiency of its procedures and controls and its compliance with the applicable laws and regulations. It is crucial to plan the internal audit to make sure that the experience is smooth. The step-by-step guide in this article will help you prepare for internal audits and understand what to expect throughout the process.
FAQs
What is an internal audit? An internal audit is an objective and systematic assessment of an organization's procedures, controls, operations, and processes.
Why are internal audits important? Internal audits are vital to identify areas that need improvement, to assure that the business's procedures are functioning effectively, efficiently and in line with the relevant laws and regulations, and to help organizations reach their goals.
What are the different types of internal audits? The most common types of internal audits are operational audits, financial audits, compliance audits and information technology audits.
How can I prepare for an internal audit? To prepare for an internal audit, determine the scope of the audit, read previous audit reports, conduct a self-assessment, prepare the relevant documents, assign roles and responsibilities, and plan the audit.
What happens after the internal audit? After an internal audit it is crucial to implement a plan to correct the issues that were identified and to improve the effectiveness of the procedures and controls by implementing the recommendations, tracking progress and performing follow-up audits.
The Sarbanes-Oxley Act (SOX) was introduced in the USA in 2002 in response to large corporate financial scandals such as those at the energy firm Enron Corp, the telecommunications giant WorldCom and Tyco International.
The purpose of the Act was to improve the accuracy of financial reporting by establishing a formalized system of checks and balances, and to protect shareholders and the general public from fraudulent practices in companies.
SOX is mandatory and applies to all US-based public companies. These companies are required to maintain both good financial practices and data security standards. Section 404 of the Act mandates rules on “management’s report on internal control over financial reporting”. The section requires all financial reports to include an Internal Control Report. The report provides assurance that the company’s financial data is accurate and that adequate controls are in place to safeguard it.
To align with the requirements of SOX, the PCAOB (U.S. Public Company Accounting Oversight Board) issued an updated standard, AS 5, in May 2007. The Standard covers the “Audit of Internal Controls over Financial Reporting integrated with Audit of Financial Statements”.
The SOX measures seek to govern the financial operations and disclosures of corporate entities. A major part of the SOX regulations relates to information technology systems. SOX reporting involves IT departments, as those departments are responsible for creating corporate records and maintaining archives.
To align with SOX regulations, companies are required to develop and implement a comprehensive data security strategy. The strategy should protect financial data that is prepared, used and stored during normal operations. IT departments must become familiar with the security, access, privilege and log management standards applicable to them.
Security teams use data classification to enforce and monitor corporate policies for data handling. Depending on sensitivity and the applicable regulations, data may be encrypted, compressed or saved in a different file format. With the proper policies in place, corporations can prevent unauthorized users from viewing regulated data, and security solutions can safeguard shared data.
Sections 302 and 404 of SOX are designed to prevent fraudulent agents (whether internal or external) from tampering with sensitive financial information.
Section 302: Corporate Responsibility for Financial Reports
Section 302 states that the CEO and CFO are directly responsible for the documentation, accuracy and submission of all financial reports, as well as the internal control structure, to the SEC (Securities and Exchange Commission of the U.S.A.).
The Commission requires, for each company filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934, that the principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions, certify in each annual or quarterly report filed under either such section of such Act that —
1. the signing officer has reviewed the report;
2. based on the officer’s knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading;
3. based on such officer’s knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the issuer as of, and for, the periods presented in the report;
4. the signing officers–
a. are responsible for establishing and maintaining internal controls;
b. have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;
c. have evaluated the effectiveness of the issuer’s internal controls as of a date within 90 days prior to the report; and
d. have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;
5. the signing officers have disclosed to the issuer’s auditors and the audit committee of the board of directors or persons fulfilling the equivalent function–
a. all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s ability to record, process, summarize, and report financial data and have identified for the issuer’s auditors any material weaknesses in internal controls; and
b. any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls; and
6. the signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.
Section 404: Internal Control Report
Section 404 requires all annual financial reports to include an Internal Control Report. The report states that management is responsible for an adequate internal control structure and includes management's assessment of the effectiveness of the control structure. Any shortcomings in these controls must be reported. In addition, registered external auditors must attest to the accuracy of management's assertion that internal accounting controls are in place, operational and effective.
(a) Rule: The rules prescribed by the Commission require each annual report submitted under section 13(a) or 15(d) of the Securities Exchange Act of 1934 to contain an internal control report, which shall —
i. state responsibility of the management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
ii. contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
(b) Internal Control Evaluation and Reporting: With respect to the internal control assessment required under subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer.
An attestation under this subsection shall be made in accordance with the standards for attestation engagements issued or adopted by the Board.
SOX Documentation
While adopting rules to implement Section 404, the SEC expressly declined to prescribe the scope of assessment or the extent of testing and documentation required of management. The scope and process of the assessment should be reasonable, and the assessment, including testing, should be supported by a reasonable level of evidence. Each company should use informed judgment in documenting and testing its controls to fit its operations, risks and procedures. Management should use its own experience and informed judgment in designing an assessment process that fits the needs of the company. Management should not allow the goal and purpose of the internal control over financial reporting provisions, which is the “production of reliable financial statements”, to be overshadowed by the process.
Key business processes, material transactions and related controls are to be documented. Management should maintain sufficient documentation so that a person with reasonable knowledge can understand the process, how the key controls operate, who performs them, when and how often they are performed, the evidence that they were performed and the reports used while applying them.
It’s important to establish a change management process which will ensure that the documentation is kept up-to-date as processes and controls change in a business.
The external auditor should agree on the documentation of controls.
SOX Audits
SOX mandates companies to complete yearly audits and make the results available to stakeholders. Companies hire independent auditors to conduct the SOX audit, which must be separate from any other audit, to prevent a conflict of interest.
For audit under section 404, a company must meet the following requirements:
Management accepts responsibility for effectiveness of the controls
Controls are suitably designed and implemented to achieve control objective i.e. reliability of financial reporting, using established criteria
Control objectives and related controls are documented
Management assesses effectiveness of internal control over financial reporting and reports on design & operating effectiveness of the control.
Auditors compare past financial statements with the current year's and may interview personnel to verify that compliance controls are effective. The auditors check with staff whether their duties match their job descriptions and whether they have adequate training to access financial information in a secure manner.
SOX audit process involves the following steps:
1. Define the Scope of the Audit Using a Risk Assessment Approach: For performing the risk assessment, a top-down approach is recommended. The auditor focuses on entity-level controls and works down to significant accounts, their disclosures and the relevant assertions.
The purpose is to help the auditor identify potential risks and their sources, their impact on the business and whether internal controls provide reasonable assurance that a material fraud or error will be prevented or detected.
2. Determine Risks Related to Material Accounts and Processes: The auditor will:
Identify material items in the financial statements.
Determine the locations having material account balances.
Review the financial statements of those locations.
Verify the details of the transactions in material account balances: check how the transactions occurred and how they were recorded. The auditor may also meet with the concerned persons such as process owners, the financial controller, etc.
Identify financial reporting risks for material accounts and the possible impact they may have on the account balances.
3. Identify SOX Controls: During the materiality analysis the auditor should identify and document the SOX controls which can detect or prevent incorrect recording of transactions. These are the key controls. The auditor should differentiate key controls from non-key controls and also identify manual and automated controls.
4. Test Key Controls: Testing key controls validates the design and operating effectiveness of the controls in place. Controls testing involves inspection of documentation, evaluation, observation, inquiries with process owners, walkthroughs of transactions, re-performance of the process, etc.
5. Perform a Fraud Risk Assessment: An effective system of internal controls reduces the opportunity to commit fraud and also helps with the assessment of possible frauds. Examples of effective internal controls are segregation of duties, reconciliation of bank accounts at regular intervals, investigation of employees’ expense reimbursements, etc.
6. Manage Documentation of Processes and Controls: Key operating processes and controls should be properly documented.
7. Assess Deficiencies: During testing the auditor may come across a deficiency or gap in the sample selected. The deficiency or gap should be identified and corrected. The auditor should also review whether it was due to a design failure or an operational failure of the control.
8. Deliver Management’s Report on Controls: A large amount of data and information is collected during the testing of SOX controls. The information gathered feeds into management’s report on internal controls.
Auditing IT Systems
During a SOX audit, the review of internal controls related to IT assets such as computers, networks, hardware and other electronic equipment that financial data passes through forms a major part of the audit.
While auditing IT systems, auditors review the following internal controls:
i. Access: Access controls include both physical controls such as doors, badges and locks on file cabinets, and electronic controls such as login policies, least privilege access and permission audits. The least privilege access model is an excellent example of an access control: each user has only the access necessary to do his/her job. The function of the user, not his/her identity, determines the assignment of access rights.
Another good control is the permission audit. Permission audits review permissions: who has permission to what, the basis on which that permission was granted, and whether the person is acting responsibly. Auditors examine whether current permissions are recorded and whether any changes to the permissions are verified and recorded.
ii. Security: Security controls ensure that the company has protection against data breaches.
iii. Data Backup: Maintaining off-site backups of all financial records is a SOX compliance requirement.
iv. Change Management: Having defined processes to add and maintain users, install new software and make any changes to the databases or applications which manage the company’s financial information.
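As an added example (not the firm's code or any regulator's guidance), the permission audit and least-privilege review described under items i and iv can be run as a script: it compares each user's current grants against an approved role baseline, flags segregation-of-duties conflicts, and lists permission changes that lack a recorded approval. The roles, permissions, users and change log are constructed for illustration.

```python
# Added example (not from the original post): a role-based access review of the
# kind a SOX ITGC permission audit performs. All data below is constructed and
# hypothetical: role names, permission strings, users and the change log.

# Approved baseline: each job function maps to exactly the rights it needs.
ROLE_BASELINE = {
    "ap_clerk":   {"ap.invoice.create", "ap.invoice.view"},
    "ap_manager": {"ap.invoice.view", "ap.invoice.approve", "ap.vendor.view"},
    "auditor":    {"ap.invoice.view", "gl.report.view"},
}

# Permission pairs one person must never hold together (segregation of duties).
SOD_CONFLICTS = [
    ({"ap.invoice.create", "ap.invoice.approve"}, "create and approve own invoices"),
    ({"ap.vendor.create", "ap.payment.release"}, "create vendor and release payment"),
]

# Current grants as exported from the financial application (constructed sample).
CURRENT_GRANTS = {
    "alice": {"roles": ["ap_clerk"],
              "perms": {"ap.invoice.create", "ap.invoice.view", "ap.invoice.approve"}},
    "bob":   {"roles": ["ap_manager"],
              "perms": {"ap.invoice.view", "ap.invoice.approve", "ap.vendor.view"}},
    "carol": {"roles": ["auditor"],
              "perms": {"ap.invoice.view", "gl.report.view", "gl.journal.post"}},
}

# Permission change log; a compliant change carries an approved ticket reference.
CHANGE_LOG = [
    {"user": "alice", "perm": "ap.invoice.approve", "ticket": None},
    {"user": "carol", "perm": "gl.journal.post", "ticket": "CHG-1042"},
]


def expected_perms(roles):
    """Union of the baseline rights for the roles a user holds."""
    return set().union(*(ROLE_BASELINE.get(r, set()) for r in roles))


def excess_perms(user):
    """Rights granted beyond what the user's roles justify (least-privilege gap)."""
    grant = CURRENT_GRANTS[user]
    return grant["perms"] - expected_perms(grant["roles"])


def sod_violations(user):
    """Descriptions of every forbidden pair the user currently holds in full."""
    perms = CURRENT_GRANTS[user]["perms"]
    return [desc for pair, desc in SOD_CONFLICTS if pair <= perms]


def unapproved_changes():
    """Permission changes with no ticket, i.e. not verified and recorded."""
    return [c for c in CHANGE_LOG if not c["ticket"]]


def access_review():
    """Findings per user: the raw material for the auditor's deficiency list."""
    findings = {}
    for user in CURRENT_GRANTS:
        excess, sod = excess_perms(user), sod_violations(user)
        if excess or sod:
            findings[user] = {"excess": sorted(excess), "sod": sod}
    return findings


if __name__ == "__main__":
    for user, f in access_review().items():
        print(f"{user}: excess={f['excess']} sod={f['sod']}")
    for c in unapproved_changes():
        print(f"unapproved change: {c['user']} gained {c['perm']}")
```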
SOX Compliance Checklist
A SOX compliance checklist is a tool for evaluating compliance with SOX, reinforcing information technology and security controls and upholding legal financial practices. A SOX compliance checklist includes the following steps:
1. Prevent data tampering: A system is in place which tracks user logins and detects suspicious login attempts into the systems used for financial data.
2. Record timelines for key activities: The company has systems which can apply timestamps to all financial and other related data. The data is encrypted if required and stored at a remote, secure location.
3. Establish verifiable controls to track data access: A system that can receive data messages from a virtually unlimited number of sources, including files, FTP transfers and databases, and tracks who accessed or modified the data.
4. Ensure that safeguards are operational: Systems are implemented which can issue and distribute daily reports to selected officials in the organization, confirming that the SOX control measures are working properly.
5. Report periodically on the effectiveness of safeguards: Implement a system which periodically generates reports on the data, including a report of all messages, critical messages and alerts, and which uses a ticketing system that archives the security incidents that occurred and how they were addressed.
6. Detect security breaches: A security system is in use which can analyze data in real time, identify signs of a security breach, generate meaningful alerts and automatically update the incident management system.
7. Disclose security breaches: The company has a system which is capable of detecting and logging security breaches and allows security staff to record their resolution of each incident.
8. Disclose security safeguards to the auditor: Systems should be in place which can provide role-based access to the auditor, allowing him/her to view data and reports without making any changes.
9. Disclose failures of security controls to the SOX auditor: The system should enable the auditor to view reports detailing the security control failure incidents, the incidents resolved successfully and the ones which could not be resolved.
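As an added example (not from the original post), checklist items 1 and 6 can be demonstrated with a small login monitor: it parses constructed authentication log lines from a hypothetical ledger application and raises alerts for a burst of failed logins, a success immediately following such a burst, after-hours access and logins from outside the assumed corporate address range. The log format, thresholds, business hours and address prefixes are all assumptions.

```python
# Added example (not from the original post): login tracking and suspicious
# login detection for a financial application. The log format, thresholds,
# business hours and internal address prefixes are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, outcome, then key=value fields.
SAMPLE_LOG = """\
2024-03-04T08:55:12 ok   user=alice src=10.1.4.20    app=ledger
2024-03-04T09:01:02 fail user=bob   src=10.1.4.31    app=ledger
2024-03-04T09:01:09 fail user=bob   src=10.1.4.31    app=ledger
2024-03-04T09:01:15 fail user=bob   src=10.1.4.31    app=ledger
2024-03-04T09:01:20 fail user=bob   src=10.1.4.31    app=ledger
2024-03-04T09:01:24 fail user=bob   src=10.1.4.31    app=ledger
2024-03-04T09:01:40 ok   user=bob   src=10.1.4.31    app=ledger
2024-03-04T23:47:03 ok   user=carol src=203.0.113.7  app=ledger
"""

FAIL_THRESHOLD = 5                 # failures within WINDOW raise an alert
WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(7, 20)      # 07:00 to 19:59 local time (assumption)
CORPORATE_PREFIXES = ("10.1.",)    # assumed internal address space


def parse_line(line):
    """Turn one log line into a dict with a datetime timestamp and an ok flag."""
    ts, result, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    event["ok"] = result == "ok"
    return event


def detect_suspicious_logins(log_text):
    """Return alerts as dicts; each names the user, the rule hit and a detail."""
    alerts = []
    recent_failures = defaultdict(list)   # user -> failure timestamps in WINDOW

    def alert(ev, rule, detail):
        alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                       "rule": rule, "detail": detail})

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev["user"]
        # Keep only failures still inside the sliding window.
        fails = [t for t in recent_failures[user] if ev["ts"] - t <= WINDOW]
        if not ev["ok"]:
            fails.append(ev["ts"])
            recent_failures[user] = fails
            if len(fails) == FAIL_THRESHOLD:   # fire once when the threshold is hit
                alert(ev, "burst_failures",
                      f"{FAIL_THRESHOLD} failed logins within {WINDOW}")
            continue
        # A success right after a burst of failures looks like a guessed password.
        if len(fails) >= FAIL_THRESHOLD:
            alert(ev, "success_after_failures", f"after {len(fails)} failures")
        recent_failures[user] = []
        if ev["ts"].hour not in BUSINESS_HOURS:
            alert(ev, "after_hours", f"login at {ev['ts'].strftime('%H:%M')}")
        if not ev["src"].startswith(CORPORATE_PREFIXES):
            alert(ev, "external_source", f"source {ev['src']}")
    return alerts


if __name__ == "__main__":
    for a in detect_suspicious_logins(SAMPLE_LOG):
        print(f"{a['ts']} {a['user']:6} {a['rule']:24} {a['detail']}")
```

In a real deployment the alert list would be pushed into the incident management or ticketing system named in items 5 and 6 rather than printed.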
Protecting the Whistleblower
SOX encourages disclosure of corporate frauds by protecting employees who report fraud and testify in court against their employers. Companies are not allowed to change the terms and conditions of their employment. They can’t reprimand, fire, or blacklist the employee. Whistleblowers can report any corporate retaliation against them. SOX makes it a crime for a person to knowingly retaliate against a whistleblower for disclosing truthful information to a law enforcement officer, and authorizes the Department of Justice to criminally charge those responsible for the retaliation.
Firms Conducting SOX Audits
SOX also regulates the accounting firms which conduct SOX audits. The PCAOB has set standards for the audit reports and requires all auditors of public companies to register with it. The PCAOB inspects, investigates, and enforces compliance by these firms. It prohibits accounting firms from doing business consulting with the companies they are auditing. They can still act as tax consultants, but the lead audit partners must rotate off the account after five years.