Key takeaways
- Internal auditors should work to professional standards
- Audits should be risk-based, helping to ensure value to the organisation
- Auditors should act professionally
- Good communication skills help to secure buy in from management for the results of the audit
What should we audit?
Internal audits should be based on risks to the organisation’s objectives. Usually a plan is prepared annually identifying areas that are a priority for that year, but it is important that this is kept up to date. Within the area to be audited some preliminary work will be required to determine the most appropriate scope for the audit. This will take into account objectives, risks and an assessment of resources required. It should be clear to both auditor and client what the planned scope and objectives for the audit are.
How should I plan the audit?
Internal auditors should work to an agreed methodology that includes arrangements for supervision and quality assurance of the audit. Having a consistent approach, guidance and templates will help auditors work more efficiently and will help ensure that the audit is performed in accordance with professional standards. You should aim to obtain information that is sufficient, reliable, relevant and useful during the audit and then plan how you will analyse and evaluate this information.
How should I report findings?
At the end of the audit the results need to be communicated to the management responsible for that area. There are many different formats for audit reporting, from a narrative report to a table of key findings, or a presentation direct to management. It is helpful to discuss and agree the format of the report with the audit client so it is user-friendly. Again a consistent approach across all audit reports should be established as part of quality processes.
To have impact the report should identify key findings, conclusions and recommendations for improvement or areas for action. Often the report will include an overall opinion on the level of assurance the auditor is able to provide.
How can I ensure the internal audit report is taken seriously?
Part of the skill of the internal auditor is developing good working relationships with audit clients while maintaining the auditor’s objectivity and independence. Sometimes an audit means that difficult messages have to be conveyed and serious weaknesses identified. A professional approach from the auditor is essential, ensuring that the focus is on supporting improvement rather than casting blame.
But internal auditors must not be afraid to report their findings. Providing regular updates to management as the audit progresses will help to build trust in the audit process. If the audit is respected and management can see the benefit of making improvements then it is more likely that action will be taken as a result.
Questions for you
- Are you clear about the professional internal audit standards that apply for your jurisdiction?
- Does the internal audit team have a risk-based plan?
- Is there an ‘audit manual’ for internal auditors to use when conducting an audit?
Further information
The Public Sector Internal Audit Standards can be downloaded from the CIPFA website.
