I received a message from one of our club members; she was keen to learn the internal audit process and reporting and requested a sample audit report. I replied that she should develop her own audit report and send it to me for review. After reviewing the report she prepared, I noticed that most students or new auditors in the profession are lacking in the most important area of internal audit, i.e. internal audit reporting. Internal audit reporting is obviously the last step of the overall audit process, and it is essential to learn the cycle of internal audit before proceeding to internal audit reporting.
The internal audit process can be divided into three main sections: planning of the internal audit, execution of the field work and internal audit reporting. Each section is then completed by performing different tasks in various steps. This article focuses exclusively on the internal audit process and reporting, and an effort has been made to cover all the tasks required to complete the internal audit assignment.
Internal audits are normally conducted on the basis of a Risk Based Internal Audit Plan prepared every year by the chief internal auditor. The risk based internal audit plan is an important step and we have discussed it in detail in earlier articles (please refer to my article Risk based internal audit plan – A practical approach). The risk based internal audit plan highlights the areas with potential risk, and these may include financial and non financial areas. The financial areas cover all those business operations involving accounting and financial transactions, such as accounts payables, accounts receivables, sales, procurement, accruals and provisions, inventories and petty cash etc. The non financial areas cover those operations which do not involve direct accounting and financial transactions, such as bidding and estimations, production, recruitment, fleet management, health safety and security, and workshop management in manufacturing organizations. The internal audit is normally conducted on a module basis, and each module of the financial and non financial areas is covered in the internal audit on a periodical basis at the organizational or group level.
Internal audit process:
We assume that the internal audit has been planned as per the risk based audit plan and a module has been selected for the audit activity. The audit cycle will be completed in the following steps:
This is the first step of the internal audit. The auditor / chief auditor is required to issue an audit notification addressed to the higher management of the organization and the process owner. The process owner is the official who is in overall charge of the module selected for the audit activity. The notification includes information such as the name of the module under audit, period of audit, name of the auditor assigned, tentative audit time and resources required from the organization.
The second step is resource planning, where the chief auditor is required to assess the resources required, such as the number of audit staff, support staff, technical assistance (e.g. computer, software, technical knowledge), need of an expert (if required) etc.
Schedule an opening meeting with the management of the organization and invite the process owner and all other related officials to participate in the opening meeting of the audit. The agenda of the meeting is normally based on the nature of the business and the role of the module and its officials in the smooth running of operations. Invite the process owner to deliver a presentation on his role, the objectives of the module, the activities executed to achieve the objectives, internal controls, documentation involved in the process, approval, command and control authorities, financial powers of the officials involved in the process, and monthly reporting and management information flow etc.
Understanding the policies and procedures:
Obtain the company’s policies and procedures related to the particular module under audit. Establish a proper understanding of the policies and procedures; in the absence of policies and procedures, you may consider the best business practices or COSO standards. Once the policies and procedures are understood, conduct a walkthrough test to ensure compliance with the procedures and assess the internal control weaknesses and other inherent risks associated with the module under audit.
Execution of the internal audit:
Once you have understood the company policies and procedures and the transactional system of the module under audit, prepare a self assessment control questionnaire containing a set of questions under the general information category, internal controls over the activities executed to operate the module, the accounting category and the reporting category. Circulate the questionnaire to the concerned officials for their feedback, assess the internal control risks at low, medium or high level, and design the audit procedures on the basis of the conclusions resulting from the self assessment questionnaire.
Send a request for the collection of financial or numerical data relating to the module under audit and, after receiving the information, conduct a digital analysis as we discussed in our previous articles (please refer to my article How to detect a fraud during the audit). Select a sample of transactions for auditing procedures. The audit samples and sample selection techniques will be discussed in our next article.
Based on the sample selected for the audit, prepare an audit program and identify the analytical, substantive and control test procedures. The designing of audit programs and the selection of analytical, substantive and control procedures will be addressed in upcoming articles. For substantive procedures, design an audit vouching checklist covering all the steps mentioned in the business system of the company.
Conduct the detailed audit field work covering all the steps identified in the audit program, audit procedures, vouching checklist and documents involved in the operational activities of the module. During the audit field work, identify the internal control weaknesses, non compliance with and overriding of the policies and procedures, overriding of financial and approving authority limits, potential risks, operational weaknesses and areas requiring management’s immediate attention for improvement etc. Also evaluate the cost of each procedure and analyze that cost against the benefits associated with the procedure.
Based on the points noted above, draft the preliminary audit findings and call a closing meeting with the management, the process owners and the officials invited to the opening meeting. The agenda of the meeting is to discuss the preliminary audit findings. It is better practice to circulate the preliminary findings to the process owners and other related officials, excluding the higher management of the organization, and request them to settle the preliminary audit findings. During the meeting, discuss all details and try to get on the same page with the process owners regarding the audit findings. In case the process owner disagrees with a noted audit finding, request them to provide appropriate and sufficient audit evidence in support of their claim. In case the process owner is unable to provide documentary evidence and only provides a justification for an irregularity in the process, evaluate the explanation with due professional care and judgment; if it seems reasonable, drop the audit finding, otherwise make it a reportable audit finding.
In house internal audit review:
Once the internal audit field work is completed, the chief internal auditor is required to review the internal audit field work and files thoroughly. The auditor is required to prepare the file with due professional care and cross-reference the audit file. The audit file must contain the self assessment control questionnaire, management feedback, policies and procedures, details of the audit sample, the audit program, details of the audit field work and the draft audit findings. Each audit finding must be supported by documentary evidence, and the chief auditor should correlate all audit findings with the supporting documents and ask for further audit work and more explanation where an audit finding is not sufficiently supported by the documents.
Internal Audit Reporting:
This is the most important and sensitive audit step and closes the internal audit activity. The internal audit report should be prepared with utmost care and a high degree of accuracy. It should be written in plain English, avoiding too much jargon, and should explain technical terminology wherever necessary, because the user of the audit report may not be well acquainted with audit and financial terms. The report should be written in active voice sentences and in full block format.
The following should be the contents of the internal audit report:
· Cover page
· Table of content
· Executive summary
· Background of the audit
· Purpose and scope of the audit
· Scope limitation (if any)
· Summary of Auditing observations
· Detail of audit observations and recommendations
· Vote of thanks
The cover page should include the title of the report, name of the company under audit, module under audit, period of audit, name of the audit in-charge, name of the issuer of the report and date of the report.
Table of contents:
The table of contents should include all elements of the report.
The executive summary should contain a brief of the report and the module under audit. In the case of a financial module, the opening balances, additions and adjustments, and closing balances should be given. In the case of a non financial module, give quantitative information; for example, for the estimation and bidding process give the number of total estimations done during the period, bids won by the company, bids in the negotiation process, failed bids and the reasons for failure to capture the business, along with the success percentage etc.
In the executive summary, also include a brief description of the impediments faced during the audit field work along with a brief of the major audit observations.
Background of the Module & Audit
The background of the module / process and audit should not be more than two paragraphs. In the first, give a brief introduction of the process under audit, define the process properly, describe its role in the organization and highlight the importance of the process in the overall business and organizational function.
In the second paragraph, give brief details of the audit: whether the audit has been based on the risk based internal audit plan or undertaken at the behest of the management or at the special request of the process owner. In case the audit activity was started on whistle blowing at the occurrence of some unwanted episode in the business function, capture the complete background, the nature of the doubtful activity and the whistle blowing process.
In this section, give a brief note of the audit techniques used during the audit, the review of the process flow, details of documents such as policies and procedures, accounting and auditing standards or the best business practices used to design the audit program, and the audit assertions considered during the audit field work.
Purpose and scope of the audit:
In this section, define the purpose of the audit, explain the basic information used to plan the audit and also give a brief note of the dubious activity if the audit was started on whistle blowing. Define the scope of the audit by considering the audit assertions, professional scepticism and assumptions. For example, in the case of an audit of accounts receivable the scope of audit may include:
· Accuracy of balances
· Accuracy and completeness of transactions
· Accuracy of supplier’s account balances
· Validity and authenticity of the payments
· Assurance of internal control over the double payments
· Verification of revenue booked during the period
· Verification and authenticity of unbilled revenue
· Account reconciliations
· Compliance with policies and procedures etc.
The scope limitation section should be part of the report only where the auditor failed to obtain sufficient and appropriate audit evidence for any reason. The failure to obtain the evidence or the record may be due to management’s intentional act or force majeure. Give a complete description of the situation and circumstances explaining why the auditor failed to obtain sufficient and appropriate evidence, and also explain the impact on the business if measurable.
Summary of audit observations:
In this section, give the titles of all audit observations in bullet points without any explanation.
Detail of audit observations:
The audit observations should be presented in the report as per risk level, i.e. the audit observations attracting high risk should be presented first, then those having medium risk, and then the audit observations with low risk. The audit observation has three parts:
· Audit observation
The audit finding should be reported in four paragraphs as per the guidelines illustrated hereunder:
Criterion is the first paragraph of the audit observation. It is the basic parameter against which the transaction is evaluated; the company’s policies and procedures, accounting standards, COSO standards or the best business practices can be the criterion for the transaction. For example, in an audit of sales activity, Para 14 of International Accounting Standard 18 – Revenue can be the criterion for revenue recognition.
Condition is the second paragraph and the actual text of the audit observation. Give a detailed note of the audit finding observed during the audit field work that is against, and in non compliance with, the criterion. For example, in sales activity, revenue recognized without delivering the goods to the customer constitutes an audit observation, as it is against the criterion referred to above.
Cause is the third paragraph of the audit finding and requires mentioning the root cause and the circumstances that led to the non compliance with the criterion and resulted in a reportable audit finding. The root cause may be an unintentional error, poor understanding of the policies and procedures, or management’s intentional act. The root cause should be evaluated carefully after discussion with the management or the process owner. Effective evaluation of the root cause will also be helpful in determining the risk as high, medium or low.
Impact is the last paragraph of the audit observation and needs appropriate evaluation of the process and the audit finding. The auditor is required to measure the financial or non financial impact of the transaction and audit finding on the business. For example, in an audit of the procurement function, if the auditor notes that the suppliers are not being paid in a timely manner, this may lead to a negative impact on the organization's reputation in the market.
In this section, immediately after the presentation of the audit finding, describe the risks associated with the audit finding. The risks may include financial and non financial risks, manipulation risk, and misinformation and inaccurate reporting risks. Mention all risks associated with the audit finding in points or paragraphs.
In this section, set out the recommendations in points covering the audit observations and the risks associated with the transaction or the findings. Recommend the rectification and remedial procedure and describe how to improve the internal controls and the process itself. Guide the management to take appropriate action on the audit recommendations.
At the end of each observation, mention the risk level as high, medium or low, define the responsibility of the official to take remedial actions and determine the target dates to implement the auditor’s recommendation.
This refers to the end of the audit report. Give your concluding remarks on the process under audit and briefly describe whether the process is effective, underdeveloped, needs improvement, officials need training etc.
Vote of thanks:
Thank all the management, process owners and other officials who assisted the audit activity and supported the smooth carrying out of the audit function.
Points to be noted during the audit and reporting process:
While conducting an audit and drafting the audit report, always remember:
· An auditor is a watchdog, not a bloodhound
· You are a team member and part of the organization
· Convince the auditee that you intend to support them in improvement of their function
· Be independent and exhibit your integrity
· The report should be drafted in plain English; remember it is a report, not a dictionary
· Try to use active voice and short sentences
· Present only the major and reportable audit findings; avoid beating about the bush
· Prepare the time sheet for audit activity and note all delays caused by the auditee
· The purpose of the audit is to safeguard the organizational resources, not to catch someone’s neck.
I trust that this article will be helpful for students and new auditors in the profession. Readers' comments and recommendations are always welcome. Any member of our club may request a particular topic to be addressed in an article, and I will try my level best to cover the practical issues which can enhance the professional competence of students and new auditors.