The Eighteen Points that Guarantee the Success Of An Internal Audit Mission
The internal audit function is carried out in most companies and development organizations by experienced managers. The success of an internal audit mission requires mastery of the auditor’s approach and tools preparing his audit mission well from a methodological point of view is a prerequisite for success. We will see together the eighteen points that must be adopted by the internal auditor in order to achieve his mission.
FIRST POINT: THE ORDER OF MISSION
The mission order is the mandate given by the competent authority to the audit structure to carry out an audit mission on such an entity and which specifies the origin of the mission and its scope.
The mission order meets three essential principles:
- The audit structure cannot take charge of its missions itself. The decision to carry out an audit engagement in such or such entity does not belong to him. However, the audit structure can, if necessary, offer to carry out a mission to the General Management which will take the decision.
- The mission order must come from General Management.
- The mission order makes it possible to disseminate information to all the managers concerned. It is addressed not only to the audit structure but also to all those who will be affected by the audit mission (structure of the entity to be audited, etc.).
Missions Provided For In The Audit Program
The audit program in itself constitutes a collective mission order.The audit structure must therefore not wait to receive a specific mission order to start a mission which is provided for in the audit program. In this case, the audit manager on his own initiative writes a mission order according to a pre-established model and submits it for signature by the CEO, with the company’s accounts.
The specific audit assignments are assignments not provided for in the audit program and which emanate from the Chief Executive Officer or the Board of Directors.
When the request comes from the management of an entity, the auditors formalize it in the form of a mission order in a written document (pre-established model) and submit it for signature by the Chief Executive Officer
SECOND POINT: MEETING WITH THE AUDITER STRUCTURE
After receiving the mission order and before starting any work in the entity to be audited, the audit structure organizes a meeting with the structure in order to determine different points:
- Mission Objectives
- Feasibility Of The Audit Mission (Sufficient Resources, Deadlines, Etc.)
- Scope Of The Mission: The Entity (Ies) Concerned Or The Processes Concerned
- Nature Of The Audit Mission (Human Resources, Technological Resources, Organization, Communication, …)
- Mission Deadlines
- Auditors Responsible For The Assignment
- Description Of The Mission Process
- Organization Or Not Of An Opening Meeting With All Staff
- Audit Report: Addressees Of The Report, Interim Report, …
- Action Plan
THIRD POINT: REPORT OF THE MEETING WITH THE AUDITED STRUCTURE
Following the meeting with the audited structure, the audit manager drafts a report of this meeting. The minutes of the meeting are sent to those present at the meeting; which have a deadline to communicate to the audit service their possible modifications and / or comments. The audit structure introduces the modifications and transmits the final report by internal note to the same people.
FOURTH POINT: OPEN MEETING
The purpose of the opening meeting is to establish the first contacts with all the people involved in the audit before starting work.
The opening meeting is optional: the auditors and the audited structure decide on the organization of an opening meeting. For missions that would require the presence of many people, it may be easier to send an explanatory note. However, when possible, organizing an opening meeting is always preferable.
People present at this presentation:
- The Head Of The Audit Structure Or His Delegate
- Auditors Responsible For The Assignment
- The Manager Of The Audited Entity (Ies)
- All Staff Of The Audited Entity (Ies) Or Those Responsible For The Audited Processes
This is an oral presentation made by the listeners.
Content of the presentation:
- Context and objectives of the mission
Context = the reason for the mission (execution of the audit program, specific request due to acute problems, …)
Objectives = the goal of the mission
- Scope of the mission: entity (ies) concerned or process concerned (s)
- Course of the mission
- Presentation of the methodology.
- Action plan and mission monitoring
After the presentation, the auditors answer the auditees’ questions.
FIFTH POINT: GATHERING INFORMATION (GETTING TO KNOW THE AUDI TE AREA )
This stage is one of the most important of an audit mission.
The duration of the awareness varies according to different elements: complexity of the subject, profile of the auditor, existence of previous audits.
The auditor must be aware of the area to be audited in order to be able to build the internal control reference system and define the audit objectives.
This awareness is organized around several objectives:
- Have A Good Overview Of Internal Controls From The Start
- Identify Essential Problems
- Avoid Omitting Important Questions And Concerns
- Do Not Fall Into Abstract Considerations
- Allow The Organization Of Audit Operations
Information gathering must be organized. The auditor must plan his knowledge and plan the most appropriate means or means to acquire it.
The information to be collected can be grouped into different themes:
- Structural Context Of The Audited Entity
- Internal Structure And Organization Of The Audited Entity
- Organization Chart And Power Relations
- It Environment
- Regulatory Context
- Processes And Procedures
- Information System: Internal And External Communication
- Past Or Ongoing Problems
- Ongoing Or Planned Reforms
Auditors use different tools (means) to acquire knowledge:
- Examination of the results of the risk analysis.
It is important to first of all review the results of the risk analysis concerning the entity or process audited. These results serve as a basis for the auditors and can be submitted to agents during interviews for updating or validation.
- Interviews with the highest level managers in the activity audited.
Interviews with high-level agents provide clear and general information about the objectives of the organization.
- Analysis of basic documents.
The flow charts allow you to learn about the processes. If they do not exist, they must be created on the basis of the information collected and have them validated by the auditee.
Task analysis grids provide a good understanding of the distribution of work between agents. The examination of the reports of any previous audits, makes it possible to identify the risks present.The auditor can also make reconciliations on various statistics.
POINT SIX: DETERMINATION OF THE INTERNAL CONTROL STANDARDS
The internal control reference system enables the auditor to determine the audit objectives, which will be found in the work program. The approach must allow the auditor to organize his mission by identifying the points he will have to deepen and on the contrary those on which he can quickly pass or even ignore.
The internal control reference system must be as complete as possible and aim for completeness:
- Objectives Of An Audited Process
- Risks Associated With These Objectives
- Consequences Associated With These Risks
- Internal Control Systems
We use a different repository per process.
How to complete the internal control reference system?
– Split the process into elementary activities or operations
-Indicate in front of each activity what is its goal (what is it for?)
The risks involved must be determined, that is to say any event that prevents the achievement of the objectives. It is not a question of identifying precisely all the risks likely to appear; it would be impossible. It is a question of taking up the essential risks attached to the activity.
Determination of the causes of the risks.
Determining the consequences of risks.
Indicate what is (are) the internal control device (s) that one should normally find in good logic to defeat the identified risk (example: supervision, standard, procedure, qualified personnel, adequate equipment, .. .).
The auditor merely indicates whether the internal control system identified exists (yes) or does not exist (no). We only look at the existence of the device and not its operation.
The internal control reference system must be validated by the manager of the audited entity.
SEVENTH POINT: DETERMINING THE OBJECTIVES
Restrict the field covered by the internal control reference system.
Prioritize the risks of the benchmark: measurement of the probability (cause) and impact (consequences) of the risks by the auditees.
How to assign the ratings?
Both for probability and for impact, the rating scale goes from 1 to 4:
1 = very weak
2 = low to medium
3 = medium to large
4 = very important
The rating is carried out by the auditees, but the auditors can, depending on their risk assessment, change the rating (upwards or downwards).
EIGHTH POINT: ION GUIDANCE REPORT
The orientation report makes it possible to define and formalize the lines of investigation of the mission and its limits; it expresses them in objectives to be achieved by the audit. The purpose of this document is not to describe the specific works or techniques but to specify the points that will be analyzed during the mission.
The orientation report is a kind of service contract between the auditees and the audit service; a compromise between expectations (of Management, the applicant and the auditees) and the time and skills of the auditors.
- Take up the determined audit objectives by formulating them as follows: “ensure that …”, “assess if…”.
- Take into account the entity’s current priorities and concerns
- Take into account the essential objectives of the audit service
- Determine the resources, human and material, necessary to carry out the mission
- Establish a mission execution schedule
The orientation report will be subject to validation by the audited entity, in order to channel their positive and active support for the work of the audit structure.
NINTH POINT: THE IL WORK PROGRAM
The work program forms the basis of the implementation phase.
It is an internal document within the structure in which the tasks are determined, distributed and planned, which will enable the auditors to achieve the objectives of the orientation report.
The work program includes 2 essential points:
– The audit work to be done to achieve the audit objectives.
– The techniques, tools which should be considered for use: traffic diagram, statistical survey, interview.
TENTH POINT: THE INTERNAL CONTROL QUESTIONNAIRE (QC I)
The QCI is an internal document used by auditors.
The QCI is the auditor’s guide to carrying out his work program and it must therefore make it possible to carry out the most complete observation possible. The objective is to assess the internal control system for each “risky” operation.
The QCI includes questions aimed at analyzing “risky” operations and verifying the existence and effectiveness of the controls defined in the internal control framework. These are not questions that the auditor asks but the questions that he will ask himself and for which he will determine the tools that will make it possible to answer them such as interviews, document analysis…
The QCI includes 5 fundamental questions which allow to group together all the questions concerning the checkpoints: who – what – where – when – how
Who? brings together the questions relating to the operator which must be precisely identified and what are their powers. To answer these questions, we use hierarchical and functional organizational charts, job analyzes, etc.
What? brings together questions relating to the object of the operation, what is the nature of the task, what is the nature of the product produced, of the control.
Where? concerns the places where the operation takes place.
When? brings together questions relating to time: start, end, duration, frequency, …
How? ‘Or’ What ? brings together questions relating to the description of the operating mode, how the task is carried out.
For each operation cataloged as “at risk”, a QCI is developed on the basis of the 5 fundamental questions which make it possible to identify the elementary tasks from which the internal control questions are deduced.
For each question, the auditor determines the tools to be used to answer them, when and by whom.
ELEVENTH POINT: THE FIELD WORK
During this phase, the auditor must answer questions from the QCI. The tools to be implemented are determined in the QCI but it may be that during the field phase one tool turns out to be inappropriate and that it is necessary to choose another.
The tools range from observations to different kinds of tests: document analysis, data reconciliation, interviews.
The auditor can never base his findings on hypotheses or intuitions; he must have evidence of what he claims. There are 4 quality of evidence criteria: for a finding to be considered proven and valid, the evidence must be:
RELEVANT = in relation to the audit objectives
SUFFICIENT = functional, appropriate and convincing, presenting enough information
CONCLUDING = reliable, it must lead to a conclusion as precise as possible and certainty of the quality of the source
USEFUL = meeting the objectives of the organization
Evidence can be classified into 4 categories:
- Physical proof: this is what we see, notes = observation.
- Testimonial evidence: testimonies. This is very fragile evidence which must always be cross-checked and validated by other evidence
- Documentary proof: accounting documents, written procedures, reports, notes,… pay attention to the quality of the document and the analysis that is made of it
- Analytical proof: results from calculations, reconciliations, deductions and various comparisons. The hazards here are cumulative: those related to documents, testimonies from which we will carry out the analysis as well as errors in calculations and deductions from the listener himself.
TWELFTH POINT: LA FRAP = Revelation and Problem Analysis Sheet
During the field phase, for each dysfunction found, the auditor writes a FRAP.
FRAP is a standardized document that will guide and structure the auditor’s reasoning until the recommendation is formulated. The FRAPs will also serve as the basis for writing the report.
FRAP reproduces the different phases of reasoning in their chronological and logical order. The auditor completes a FRAP each time an observation reveals a problem. In fact, the auditor uses FRAP to carry out his reasoning.
THIRTEENTH POINT: THE FIN AL REPORT
The final report is the oral presentation, by the mission manager (s) to the main manager of the audited entity, of the most important observations. The goal is to quickly and first inform the manager of the audited entity of the results of the audit work and the conclusions reached.
This presentation is made at the end of the fieldwork and before the draft report is written. It is a kind of general “pre-validation”. This report requires the audit team to have complete control over its conclusions and engages its credibility. Questions or disputes from the head of the entity can lead the auditors to carry out additional work.
FOURTEENTH POINT: APPRECIATION OF INTERNAL CONTROL
Three key elements must be taken into account for the evaluation of the IC:
- Did the audit work reveal any significant anomalies or weaknesses?
- In the event of a positive response, have any corrections or improvements been made after finding anomalies or weaknesses?
- Are these anomalies or weaknesses and their consequences likely to be generalized and therefore cause an unacceptable level of risk?
However, the temporary existence of a significant anomaly or weakness does not necessarily mean that this anomaly or weakness is generalized and that it involves an unacceptable residual risk. The nature of the anomalies / weaknesses, their restricted or generalized nature, as well as the seriousness of the consequences and risks, are all factors to be taken into account to determine whether the effectiveness of the entire system is called into question and is there are unacceptable risks.
FIFTEENTH POINT: THE RAPPO RT PROJECT
The auditor based on the FRAPs and the working papers to conclude my audit assignment.
The draft report is not the final report for three reasons:
- The absence of general validation: the observations noted by the auditors were not officially validated by the auditees. They cannot be considered as definitive.
- The lack of response by the auditees to the recommendations: each recommendation made by the audit structure must be the subject of an auditee response.
- The absence of an action plan: two practices coexist in this area: either the submission of the final report without waiting for the action plan, or the association of the action plan with the final report.
The draft report can be presented in two distinct forms: either a simple statement of the FRAPs classified in a logical manner and in order of importance presenting no effort of writing, introduction, synthesis and conclusions; either according to the format of the final report.
The second option is the one that is preferred within the audit structure. The first can be used with the agreement of the Audit Manager in the event of an emergency in the mission.
SIXTEENTH POINT: VALIDATION AND CLÔTU RE MEETING
This meeting has several objectives:
- Present and validate the findings;
- Explain the recommendations;
- Set the practical arrangements for the action plan and monitoring of the mission.
All the elements discovered during the audit must be presented and validated by the auditee. The final report must not contain elements that have not been presented to the auditee. Everything must be understood and the auditees must recognize the findings as accurate.
- The choice of participants from the audited entity: logically, we will find during the closing meeting the people who participated in the mission start meeting. However, care must be taken to ensure that the necessary people participate in a full and detailed exchange of the “technical” points described in the general statement of the report.
- The representation of the audit structure: the presence or absence of the head of the Audit, his role in the meeting can play during the presentation in order to mark the entity audited on the importance of the Audit.
Course Of The Closing And Validation Meeting
The agenda for this meeting is the examination of the draft report which was given to each participant, at least 5 working days before the meeting.
Presentation Of The Project By The Auditors
The auditor presents the essential points which will be raised and will illustrate them with precise observations. The auditor will start if necessary with a brief explanation of the processes in place. Then, it will address the strong or satisfactory points which were not the subject of FRAP and will end up dysfunctions according to their importance.
In order to allow the auditees to participate in the audit process, they have the right to reply to the draft report. This can be informal and oral during the closing meeting. It can also be written and formal.
During the meeting, two types of challenges can arise to the auditor:
- Disputes relating to the findings: two possible situations: either the auditor provides an item of evidence and the dispute disappears, or he is unable to provide this item and it is preferable to abandon the point in dispute.
- Disputes relating to the recommendations: as this is a Project, the auditee may possibly suggest something else. The auditee remains the specialist in the subject audited. His proposal may include aspects that have been overlooked or not seen by the auditor. In this case, the listener can modify or even cancel the content of his text on a point if the auditee convinces him. This should not prevent him from maintaining his text if he is not convinced. Let us not forget that the auditee always has the right to refuse a recommendation when they reply in writing. In fact, the auditee may still react to the recommendations during their written comments and / or during the development of their action plan.
Terms Relating To The Action Plan And Monitoring
The auditors will specify, during this meeting, the date for delivery of the written comments (if necessary) on the findings and recommendations and the procedures relating to the action plan (date of delivery, inclusion or not in the report, name of the person in charge). The follow-up process will also be briefly presented.
The validation meeting must be the subject of a report integrating all the remarks on the findings and recommendations. This report is sent to the auditee for approval.
SEVENTEENTH POINT: THE FIN AL AUDIT REPORT
The final audit report can only be drawn up when the auditees have submitted their written comments, if planned during the validation meeting.
General Principles Of The Audit Report:
- The report must be complete, constructive, objective and clear. The signature of the report by the manager gives the example of responsibility: the audit manager personally assumes all the consequences of the work of his subordinates. Even in the event of positive conclusions, a report must be drawn up.
- The report must contain only elements which have been presented to the audited managers. The audit report should not come as a surprise to the auditees. It is for this purpose that the validation and closing meeting is organized. It makes the facts, the findings and, if possible, the conclusions indisputable.
- The report should be structured for different readers. This is why it includes a general presentation and a summary. The general presentation must be complete and technical and provide all the information useful to the audited officials and those responsible for the actions to be undertaken. The summary is intended for people who must be informed and made aware, but who do not have to resolve the dysfunctions noted.
- The report must be objective, clear, concise, useful and as convincing as possible.
- The report must be reviewed by at least one person from the audit structure who was not involved in its preparation.
The Audit Report Has Two Distinct Objectives:
- It is an information document for the hierarchy. The audit gives the latter an assurance on the mastery of the area audited. The document to be provided contains only general information. It clearly includes an identification of the risks identified and indicates the measures to be taken;
- It is a working tool for the auditees. It is from the report that the auditee takes corrective measures. To do this, the document must include analysis and details of the findings and observations, as well as specific recommendations.
EIGHTEENTH AND FINAL POINT: ACTI ON PLAN
As the audit structure has neither the authority nor the responsibility for implementing the recommendations it has made in the audited entities, the heads of these entities are asked to draw up action plans aimed at putting in place implement the recommendations, that is, take action to manage the risks.
The audit structure transmits an information note on how to prepare the action plans.
The action plan drawn up by the auditee is:
- Be inserted in the report;
- Be postponed to a later date as agreed during the closing and validation meeting.
In both cases, the final audit report must contain either the action plan or the procedures for its future submission.
For each recommendation, the auditee must clearly express their position on the recommendations:
- Partial Acceptance
In the first two cases, he mentions who will do what and when. Each recommendation is numbered and opposite it, you will find the name of the person responsible for implementation, the date of completion of the implementation and the operation to be carried out. In the event of partial acceptance, the auditee must explain why the acceptance is not total.
In case of refusal, the auditee must also explain the reasons. There can be no dispute of the finding since it was validated at the closing meeting. A refusal may reflect a lack of quality or realism of the recommendation.
The action plan must be validated by the audit structure. The latter must make observations if he considers the action plan partially or totally insufficient. The manager of the audited structure then makes the necessary modifications.