managing-internal-audit

Structures internal audit planning and execution with risk assessment, testing, and findings documentation. Use when planning internal audits, conducting audit testing, or documenting audit findings.

11 stars

Best use case

managing-internal-audit is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using managing-internal-audit should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/managing-internal-audit/SKILL.md --create-dirs "https://raw.githubusercontent.com/CaseMark/skills/main/skills/finance/managing-internal-audit/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/managing-internal-audit/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How managing-internal-audit Compares

| Feature / Agent | managing-internal-audit | Standard Approach |
| --- | --- | --- |
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

Frequently Asked Questions

What does this skill do?

Structures internal audit planning and execution with risk assessment, testing, and findings documentation. Use when planning internal audits, conducting audit testing, or documenting audit findings.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Managing Internal Audit

## When To Use

- Developing an annual or quarterly internal audit plan based on enterprise risk assessment
- Scoping and planning a specific audit engagement (financial, operational, compliance, or IT)
- Designing audit test procedures and sampling methodology for an engagement
- Documenting findings, root causes, and management action plans
- Preparing audit committee reports or CAE status updates
- Tracking remediation of prior audit findings

## Inputs To Gather

- **Risk universe and prior risk assessments** — entity-level risk register, prior year audit results, emerging risk memos
- **Audit charter and mandate** — approved charter defining authority, scope, independence, and reporting lines
- **Organizational structure** — business units, process owners, management hierarchy
- **Regulatory and compliance landscape** — applicable regulations, recent examination findings, consent orders [VERIFY against current regulatory inventory]
- **Prior audit workpapers** — previous engagement files, open findings tracker, management action plan status
- **Available audit resources** — staff headcount, competencies, co-source/outsource arrangements, budget hours
- **Relevant standards** — IIA Standards, COSO framework, COBIT (for IT audits), applicable PCAOB or AICPA guidance [VERIFY which standards apply based on entity type — public vs. private vs. nonprofit]

## Workflow

### 1. Risk Assessment and Annual Plan Development

- Map the audit universe: identify all auditable entities, processes, and systems
- Score each auditable unit on inherent risk (likelihood x impact) across categories: financial, operational, compliance, strategic, reputational
- Overlay control environment maturity to derive residual risk ratings
- Prioritize engagements by residual risk, time since last audit, and management/board requests
- Allocate budget hours per engagement; flag resource gaps requiring co-sourcing
- Present the draft annual plan to the audit committee for approval

### 2. Engagement Planning

- Define engagement objectives tied to specific risks (e.g., "Assess effectiveness of revenue recognition controls over non-standard contracts")
- Establish scope boundaries: in-scope processes, locations, systems, and time period under review
- Identify key controls through process walkthroughs and narratives with process owners
- Develop a risk-and-control matrix (RACM) mapping risks to controls to test procedures
- Determine sampling approach: statistical vs. judgmental, sample sizes based on population and control frequency [VERIFY sampling methodology aligns with firm/department methodology standards]
- Set engagement timeline, milestones, and fieldwork schedule

### 3. Fieldwork and Testing

- Perform walkthroughs to confirm understanding of processes and control design
- Execute design effectiveness testing: inspect control documentation, interview operators, observe execution
- Execute operating effectiveness testing per the RACM:
  - **Preventive controls** — reperformance and inspection of evidence
  - **Detective controls** — examine exception reports, reconciliations, review sign-offs
  - **IT general controls** — access management, change management, backup/recovery testing
- Document each test with: objective, population, sample, procedure performed, results, and conclusion
- Identify control deficiencies and classify severity:
  - **Deficiency** — control exists but has a gap
  - **Significant deficiency** — reasonably possible that a material misstatement would not be prevented/detected
  - **Material weakness** — reasonable likelihood that a material misstatement would not be prevented/detected [VERIFY classification criteria against entity's deficiency evaluation framework]

### 4. Findings Development and Root Cause Analysis

For each finding, document using the five-component structure:

- **Condition** — what was observed (specific, factual, supported by evidence)
- **Criteria** — what was expected (policy, regulation, standard, or best practice)
- **Cause** — root cause analysis (use 5-Whys or fishbone as appropriate): people, process, technology, or governance gap
- **Effect** — actual or potential impact, quantified where possible (dollar exposure, error rate, regulatory risk)
- **Recommendation** — specific, actionable remediation steps with clear ownership

Rate each finding: Critical / High / Medium / Low based on combined impact and likelihood.

### 5. Reporting and Communication

- Draft the engagement report with executive summary, scope, methodology, findings, and ratings
- Conduct exit conference with process owners to validate factual accuracy and obtain management responses
- Obtain management action plans with responsible owners and target remediation dates
- Issue the final report to engagement stakeholders and the audit committee
- Update the open findings tracker and schedule follow-up validation testing

### 6. Follow-Up and Remediation Tracking

- Monitor management action plan progress against committed dates
- Perform follow-up testing to validate remediation effectiveness (not just completion)
- Escalate overdue or inadequately remediated findings per the escalation policy
- Report remediation status to the audit committee quarterly

## Output

The deliverable set typically includes:

- **Annual audit plan** — risk-ranked engagement list with resource allocation and timeline
- **Engagement planning memo** — objectives, scope, RACM, sampling plan, and timeline
- **Workpapers** — documented test procedures, evidence, results, and conclusions per test step
- **Draft and final audit report** — executive summary, detailed findings (condition/criteria/cause/effect/recommendation), management responses, and overall engagement rating
- **Open findings tracker** — consolidated view of all outstanding findings with status, owner, and target dates
- **Audit committee summary** — high-level status of plan execution, significant findings, and resource utilization

## Quality Checks

- [ ] Each finding is supported by documented evidence in workpapers — no finding relies solely on verbal assertions
- [ ] Root causes are identified beyond surface-level symptoms (process owner validated)
- [ ] Finding severity ratings are consistent with the entity's deficiency evaluation framework
- [ ] Sampling methodology and sizes are documented and defensible
- [ ] Report distinguishes clearly between design deficiencies and operating effectiveness failures
- [ ] Management action plans include specific owners and realistic target dates (not just "management will address")
- [ ] Engagement was performed in conformance with IIA Standards (independence, objectivity, proficiency, due care) [VERIFY conformance with applicable professional standards]
- [ ] Prior period open findings were assessed for continued relevance and remediation progress
- [ ] All scope limitations or access restrictions encountered during fieldwork are disclosed in the report
