The audit process involves several steps, detailed below.
Internal Audit notifies the client in writing when their area is selected for an audit. An engagement letter is sent to the client that describes the general objectives of the engagement.
The Internal Auditor in charge schedules a meeting with the client and appropriate personnel to discuss the objective of the audit, scope, audit process, timeline, and information the client may need to supply. Clients are encouraged to present any questions or concerns they have about the audit process. Clients may also request specific functions be examined in the audit.
The Internal Auditor gains an understanding of the client’s operation or area being reviewed. The Internal Auditor may request written policies and procedures, organizational charts, job descriptions, and other information in order to become familiar with the client’s operation. Internal controls may be reviewed and documented.
During the Fieldwork phase, the Internal Auditor reviews, tests and evaluates internal controls to determine if they are operating effectively and assess risk management.
During the audit, the Internal Auditor will attempt to keep the client informed of findings and/or concerns. This communication serves two purposes:
- It provides the client an opportunity to clarify the Internal Auditor's understanding of the facts and circumstances surrounding the findings and to correct misunderstandings and inaccuracies;
- and to provide the client with notice of areas where improvements may be needed so they can take corrective action as soon as possible.
The Draft Report includes Background of area being audited, Comment and Recommendations. Client and appropriate parties are able to review the Draft Report before the Exit Conference.
Internal Auditor, Client and appropriate parties meet to discuss the Draft Audit Report and clarify any ambiguities.
Client responds, in writing, to each audit finding and Recommendation. In the response, the client should explain how report finding/recommendations will be resolved and include an implementation timetable.
After receipt of the Management Responses, by the Internal Auditor, a Final Audit Report is prepared. The Final Audit Report contains Background, Comment, Recommendation and Management Response. It is distributed to senior level management, Client, audit committee and appropriate parties.
A Follow-up may be applicable. The follow-up may be examination of corrective action or a subsequent audit. The nature of the follow-up depends on the seriousness and complexity of the deficiency. Once the corrective action has been implemented, the audit finding will be closed. The Follow-up can be conducted by an Internal Auditor and/or MAS.