Audit performance is the activity of carrying out audit procedures to collect audit evidence. Once a company forms an internal audit function, completes the risk assessment process and develops an internal audit plan that is responsive to the risk assessment, it can now initiate individual internal audit assignments.
A framework for audit performance of internal audit projects should include the following actions:
Confirm the audit assignment :(e.g., timing, purpose, scope) with the area or process to be audited (in some cases, it may be appropriate to carry out audit performance on a surprise or unannounced basis).
Complete appropriate planning: for the audit assignment. This can include the following:
• Assess the risks of the specific area to be reviewed.
• Develop a written work program.
• Agree on scope, locations, sample sizes and period under review.
• Develop a report format that will be effective.
• Request and receive certain advance information from the area to be reviewed.
• Access operating information, audit performance measures, etc., on the area to be reviewed.
• Review any prior audits of this area by internal audit or other parties, such as regulators, external auditors and consultants.
• Hold joint planning discussions with management and process owners of the area to be reviewed to learn their areas of interest and concern.
• Consider whether self-assessment activities would be helpful.
• Gather outside information on best practices.
• Identify the internal audit resources to be assigned to the audit and ensure they have an appropriate level of experience and competency.
• Determine if outside resources or guest auditors should be utilized, including information technology resources.
• Consider formal entrance and closing conferences.
Execute actual internal audit work, including evaluation of process and control design, as well as testing methods to determine control operating effectiveness such as inquiry, observation, examination and re-performance.
Discuss and clear items noted and potential findings with management and process owners. For consulting engagements, perform agreed-upon work steps to meet the objectives of the assignment.
Develop a report: or other appropriate communication method responsive to the work completed and findings made. Areas that might be considered include:
• Executive summary of major issues and findings
• Background, objectives and scope
• Audit findings, including management’s action plan for addressing these findings
• Other analysis and information, including appendices
The format of internal audit reports varies by company. What is most important is to create an approach that is effective at communicating key issues and achieving positive change and resolution to the issues re- ported. For example, some companies may find that single-page reports are effective.
Others may find that management should respond separately and apart from the audit report itself. In addition, the circulation of a draft report for discussion is often an appropriate and effective way to refine wording and ensure the accuracy of all information in the report.
Develop an effective method for tracking and following up on audit findings as agreed-upon actions by management. This may include recording all findings in a database, scheduling follow-up audits or conference calls, or requesting status from the auditee.
It may even include having management of the audited area report to senior management and the audit committee. Internal audit should also determine the extent to which resolution of auditing findings should be validated independently.
There is no one-size-fits-all approach to the execution and completion of internal audit work. Internal audit leadership, management and the audit committee should work together to create an approach that is most effective for their respective organizations.
The IIA Standards and Practice Advisories can also provide guidance and a frame- work to follow.
Audit performance requires well motivated team with the right skills for an effective audit to be carried out.