The Internal Audit Lifecycle Part 2: Delivering Assurance – Executing Individual Audit Assignments.
- David Tyler
- Apr 22
In Part 1 of our Internal Audit Lifecycle series, we discussed the critical importance of crafting a risk-based Annual Internal Audit Plan. This plan acts as our strategic roadmap, guiding where Internal Audit (IA) focuses its valuable resources. Now, we move from the blueprint to the build – executing the individual audit assignments identified in that plan. This is where the core assurance work happens, transforming planned activities into tangible insights about how well risks are being managed within specific areas of the organisation.
The objective of each audit assignment is clear: to provide objective assurance and valuable insights to management and the Board regarding the effectiveness of governance, risk management, and control processes within the audited area. It’s about testing reality against expectations and identifying opportunities for improvement.
Executing Individual Audit Assignments: Executing an audit effectively requires discipline, methodology, technical skill, and strong communication.
Setting the Stage: Assignment Planning: While the annual plan provides the 'what' and 'why', detailed planning for each specific assignment is crucial before any testing begins. This micro-planning phase ensures the audit is focused, efficient, and tailored to the specific area under review. Key steps include:
Defining Objectives and Scope: We revisit the rationale from the annual plan and refine the specific objectives for this audit. What questions are we trying to answer? What processes or time periods are included (and excluded)? Clear scope definition prevents 'scope creep' later and keeps the audit focused.
Understanding the Area: This involves a deeper dive into the specific processes, systems, personnel, risks, and existing controls relevant to the audit scope. It often includes preliminary meetings with key management and reviewing relevant documentation (policies, procedures, org charts).
Developing the Audit Program / Terms of Reference (TOR): This detailed document outlines the specific tests and procedures auditors will perform to gather evidence and meet the audit objectives. It translates the 'what' (objectives) into the 'how' (specific steps). A TOR often serves as a formal agreement with management on the audit's scope and approach.
Allocating Resources and Timelines: Based on the program, the necessary IA team members, skills, and estimated timeframes are confirmed.
Initial Communication: A kick-off meeting with the management team responsible for the area being audited (the 'auditees') is essential. This formally commences the audit, confirms the scope and timing, introduces the audit team, requests necessary information, and sets expectations for communication throughout the process.
Getting Down to Business: Fieldwork and Gathering Evidence: This is the core execution phase where auditors perform the tests outlined in the audit program. The goal is to gather sufficient, reliable, relevant, and useful evidence to support the audit conclusions. Common fieldwork activities include:
Interviews: Speaking with key personnel to understand processes, roles, responsibilities, and control activities.
Observation: Watching processes being performed to see how controls operate in practice.
Walkthroughs: Following specific transactions through a process from start to finish to understand the flow and identify control points.
Reperformance: Independently executing a control procedure performed by the auditee to verify its effectiveness.
Data Analysis: Using specialised tools to analyse large datasets, identify anomalies, test entire populations (rather than just samples), and gain deeper insights into trends or control weaknesses. This is an increasingly powerful technique for enhancing audit efficiency and effectiveness.
Throughout fieldwork, meticulous documentation is paramount. Audit working papers record the tests performed, the evidence gathered, and the initial conclusions drawn. These papers form the backbone of the audit, providing the support for eventual findings and demonstrating the quality and rigour of the work performed.
Keeping the Lines Open: Communication During the Audit: Effective auditing is not done to an organisation, but with it. Maintaining open and constructive communication with auditee management throughout fieldwork is vital:
Progress Updates: Regularly informing management about the audit's progress and any potential roadblocks.
Discussing Potential Observations: As potential issues or exceptions are noted, auditors should discuss these informally with management promptly. This 'no surprises' approach allows for validation of facts, ensures auditors have the correct understanding and context, and often facilitates quicker agreement on the issues.
Clarifying Information: Seeking clarification or additional information as needed to ensure a thorough understanding.
This ongoing dialogue fosters a collaborative atmosphere, builds trust, and ensures the final audit results are well-understood and factually accurate.
Identifying What Matters: Developing Observations: As fieldwork progresses, auditors analyse the evidence gathered against the expected criteria (e.g., policies, procedures, regulations, best practices). Where deviations, control weaknesses, inefficiencies, or significant risks are identified and substantiated by evidence, they are developed into audit observations or findings.
Crucially, this isn't just about pointing out problems. Effective observations clearly articulate:
The Condition (what is happening).
The Criteria (what it should be).
The Cause (why it happened – root cause analysis is key here).
The Consequence/Risk (so what? What is the impact on objectives?).
Documenting observations clearly and factually, based firmly on the evidence gathered in the working papers, is essential for the next stage: reporting.
Conclusion: Building Towards Insight: Executing an individual internal audit assignment is a methodical process involving careful planning, diligent fieldwork, robust evidence gathering, and continuous communication. By focusing on objectivity, relying on factual evidence, and engaging constructively with auditees, Internal Audit can effectively assess the state of controls and identify areas for improvement. This detailed work lays the groundwork for the critical communication phase, where these observations and insights are formally reported to drive action and provide assurance.
Stay tuned for Part 3, where we will discuss Communicating Value – Reporting Audit Findings Effectively to both auditee management and the Audit Committee.