1) A plan once prepared should be continuously reviewed by the internal auditor to identify any modifications required to bring the same in line with the changes, if any, in the audit environment. However, any major modification to the internal audit plan should be done in consultation with those charged with governance. Further, the internal auditor should also document the changes to the internal audit plan.
2) The internal audit plan should be based on the knowledge of the entity’s business. While developing the internal audit plan, the internal auditor should have regard to the objectives of the internal audit engagement as well as the time and resources required for conducting the engagement. In addition, the internal audit plan should also reflect the risk management strategy of the entity.
3) The internal auditor should, based on his professional judgment, obtain sufficient appropriate evidence to enable him to draw reasonable conclusions therefrom on which to base his opinion or findings.
4) The internal auditor should document matters, which are important in providing evidence that the audit was carried out in accordance with the Standards on Internal Audit and support his findings or the report submitted by him.
5) The internal auditor’s report should contain a clear written expression of significant observations, suggestions/recommendations based on the policies, processes, risks, controls and transaction processing taken as a whole and managements’ responses.
The different stages of communication and discussion should be as under:
Discussion Draft - At the conclusion of fieldwork, the internal auditor should draft the report after thoroughly reviewing his working papers and the discussion draft before it is presented to the entity’s management for auditee’s comments. This discussion draft should be submitted to the entity management for their review before the exit meeting.
Exit Meeting - The internal auditor should discuss with the management of the entity regarding the findings, observations, recommendations, and text of the discussion draft. At this meeting, the entity’s management should comment on the draft and the internal audit team should work to achieve consensus and reach an agreement on the internal audit findings.
Formal Draft - The internal auditor should then prepare a formal draft, taking into account any revision or modification resulting from the exit meeting and other discussions. When the changes have been reviewed by the internal auditor and the entity management, the final report should be issued.
Final Report - The internal auditor should submit the final report to the appointing authority or such members of management, as directed. The periodicity of the Report should be as agreed in the scope of the internal audit engagement. The internal auditor should mention in the Report, the dates of discussion draft, exit meeting, Formal Draft and Final Report.”