Internal Audit main phases
  1. The preliminary survey and Risk Assessment – Determining the nature of the operation / systems to be audited. Who does what, why is it done, how it is done, how it is administered. How much it costs, what are its objectives, goals and standards. Assessing the IT Internal Control environment. Determining the inherent risks. Assessing what controls have been designed to maximize attainment of goals and minimize risk.
  2. The Audit Program – specifying in writing which activities will be reviewed and setting the boundaries to set management expectations; which applications / systems to examine, what audit resources are required, audit procedures to follow, time required, standard to measure against, and which controls to focus on. A long-term Audit plan is elaborated (3 years).
  3. Field work – carrying out the audit procedures called for in the program, performing tests, comparisons and verifications. Obtaining evidence for audit conclusions. Determining the validity of the objectives, goals and standards. Assessing the effectiveness of controls. Learning how risks are dealt with.
  4. Preparation of working papers – documenting the results of the review, describing the audit findings, preparing a record of what was done in the audit and of the evidence gathered, demonstrating the scope of the examination.
  5. Developing deficiency findings – determining in specific instances what controls should have been in place, assessing the significance of the variances, isolating the causes, obtaining management concurrence of the findings, making recommendations (with management), promoting corrective action.
  6. Reporting on the audit – reviewing draft reports with audit clients, presenting results orally and in writing, expressing audit opinions, communicating the audit purpose, scope, findings and recommendations; acknowledging any corrective action taken.
  7. Reviews – examining replies to audit reports, assessing the adequacy of any proposed or completed corrective action, following up on the time-bound implementation schedule to ensure the corrective action has been implemented and reporting on this to management.