The business process known as internal audit is a method of tracking and testing procedures and practices in order to evaluate them against pre-determined standards in areas such as accounting compliance and integrity, statutory and regulatory compliance, quality control, delivery of services, environmental impact and customer satisfaction. An internal audit delves behind the screen presented by balance sheets, profit statements, procedures manuals and annual reports, to find out what is really happening in an organization. Its practitioners may belong to their national branch of the Institute of Internal Auditors.
The United Kingdom branch, known as the Chartered Institute of Internal Auditors, has a web page devoted to explaining the internal audit process, and it identifies four steps: Research, Planning, Providing Assurance and Action. Before the audit can begin the auditors themselves must be identified and engaged. Unlike an external audit, which is usually confined to issues of financial compliance and fraud, an internal audit may be conducted by employees of the organization or its parent company or group. Outside specialists may also be engaged to carry out the internal audit process. Regardless of the origin of the auditors or the type of transaction to be audited, the process will generally follow the four steps listed above.
At this stage of the audit, the internal auditors turn their attention to finding out everything they need to know about the client organization and the activities to be audited. They will determine what the objectives of the audit are, for example ‘To observe, document and test internal quality control procedures to test compliance with international quality standard ISO 9001’. Typically they would then obtain a copy of the organization’s Quality Procedures Manual and examine the procedures in detail to find out what they are, who performs them and how. They would also identify the areas of greatest risk of non-compliance by reviewing external information on quality control and general reports about difficulties experienced by other parties, as well as looking at any previous problems during the organization’s initial quality accreditation procedure.
In the next stage of the audit, the most senior auditor to be involved in the audit process will analyze the information obtained so far and then meet with his or her own manager, and with the senior manager of the organization to be audited, in order to agree on the aims of the audit and the most important areas to be covered. The objective stated at the research stage may be modified or expanded as a result of these meetings.
During this meeting targets and deadlines will be established, and resources, in terms of people and equipment, will be allocated. This will allow a program to be drawn up, detailing the exact nature of the work to be undertaken. It will contain entries such as: February 12 – February 13 2017: Test and document product dispatch procedures; Auditors J. Smith and S. Jones; Location, Warehouse B, 10 First Street, Newtown; Equipment required, 1 x laptop with transaction testing spreadsheet, 1 x dispatch procedures manual, 1 x digital camera. The total of these detailed entries, including the processes of drawing conclusions and making reports, will show the entire scope of the audit.
Although the name of this stage is couched in positive terms by the Institute of Internal Auditors, a more accurate terminology would be ‘Providing Feedback’, since if things are not going according to plan the results are sometimes quite the contrary of reassuring. What is assured is that the auditors will find out what is actually happening in the organization, as opposed to what is supposed to be happening according to procedures manuals.
The auditors observe the processes, document them, test the results against the stated standards, arrive at conclusions and communicate the results in the form of a written report. For example, they may observe how a product is packed for dispatch, how long it takes before it is in the transport vehicle and ready to go and whether documentation is accurate. They would record the delivery docket number, the names of the staff involved and the delivery vehicle identification number. They might seek information from the receiver of the goods to ascertain the length of time elapsing before receipt, the condition of the goods on arrival, and whether a receiver’s signature was asked for and obtained. Observations from this and every other part of the audit process would be collected and summarized in a report, including any necessary tables and statistics.
The internal audit report is usually presented in a draft format at first, until it has been reviewed in conjunction with the senior management of the client organization and any necessary changes to the wording and conclusions agreed on. The final report will not only summarize the results of the observations but will also make recommendations for future improvements in the processes. Such a recommendation might be: Introduce a method of obtaining and storing goods receipt signatures using electronic signature pads; responsible manager F. Taylor; completion date April 15 2017; audit follow-up date July 15 2017.
It can clearly be seen that this kind of four step process – research, plan, observe and provide feedback, recommend action and follow it up – can be applied to an internal audit of any kind of process in any kind of organization. The auditors’ objective view allows managers and stakeholders to find out what is really happening inside their establishment on a day-to-day basis, and to take any corrective action necessary to ensure compliance with chosen or obligatory standards, as well as improving the outcomes for both employees and customers.