What is an internal audit engagement?

After discussing what an internal audit is and providing all the advice to conduct this audit, the time has come to talk about internal audit methodology and tools.

The internal audit methodology is complex and requires an impeccable organization. The collection of contributions, the compilation of reports, the communication around this audit require certain documents, sometimes some software solutions, which offer the enormous advantage of guiding you, and generally facilitating these missions.

Related topic : How to use a chatbot?

These tools can be used at different times depending on the phase of the audit in which you are operating, from preparation to communication to completion. Here are three examples of the many tools that rely on the 2000 series of MPA operating standards (Terms and Conditions of Application Practices 2200, 2300 and 2400) as defined in IFACI , the French Institute of Internal Auditors and Controllers.

Interview as a fundamental element of the internal audit methodology

Maintenance is the central brick of your audit. Without him, no collection of information. Without a well-defined method, point of analysis possible. His goal ? Collect information in order to become aware of the activities of the audited area and possibly constitute audit evidence to achieve the objectives of the audit engagement.

Read also : How does an audit engagement take place?

What are the prerequisites for completing an interview? Begin, for the listener, by respecting the interviewees and speaking their language, on the one hand, and not starting the interview with preconceived ideas. Know-how that is accompanied by know-how about the preparation of this exchange. Here is the checklist of a good interview Prepared:

  • Define the objectives of the maintenance.
  • Define the topics that need to be addressed.
  • Identify the interlocutor (s).
  • Collect information about the area involved in the interview and on the contact (s)
  • List questions and organize them by theme and template: Who, What, Where, How, Why, When.
  • Define a maintenance plan.
  • Organize the appointment (date, time, place, duration).

After this preparatory phase comes then the time for the realization . How to conduct an interview effectively? Following the following points:

    • Establish a relationship of trust with the interlocutor (s) to encourage transparency.
    • Review the objectives of the interview, the place of the interview in the mission, the themes to be addressed, the planned plan.
    • Framing

    • Ask open questions (they give the voice to the interlocutor and do not influence the answers), rebound (they aim to refocus exchanges on the objectives of the interview and give the interlocutor an opportunity to deepen his speech in this direction), factual (they allow us to quickly collect information and clarification), multiple choice or closed.
    • Listening and reformulating are of course essential to ensure on the one hand that you have collected the best possible information, and on the other hand to ensure that all technical terms are well understood by your interlocutor and that the answer is validated by your interlocutor.
    • The swaps

Finally, once the maintenance is carried out, comes the time of looping and synthesis, that is, the time of communication. Here again, a few obliged passages:

  • When “looping”, summarize and validate the key points of the interview, list the documents listed during the interview (and define the deadlines for transmission), present the next steps and possible future exchanges, before finishing by thanking your contact person.
  • Finally, the report of the interview must be prepared promptly after the end of the interview and recorded in the audit engagement file. The formal validation of this document by the participant will give evidence to the information collected.

The flow chart, to map your processes

The purpose of the flow chart is to graphically represent the flow of a process , that is, a set of activities correlated or interactive that transforms input elements into output elements (as defined in ISO 9000:2000).

This graphic representation may be useful to the internal auditor in identifying the risks associated with each activity in the process and the key controls that should enable them to be controlled.

To complete this diagram, you must follow the following steps :

  1. Identification of the process to be represented.
  2. Identification of activities.
  3. Identification of actors; each identified actor will be the subject of a column in the diagram.
  4. Identification of documents.
  5. Identification of flows (information in and out of each activity); the input elements of an activity are usually the output elements of other activities.

Some instructions usually given to produce a readable and efficient document :

  • The implementation of the activities on the diagram is carried out according to the actors who carry them out and their position in the process; the direction of the arrows gives the direction of reading.
  • An activity is usually triggered by the receipt of information.
  • The meaning of the symbols used to develop a flow chart must be understood in common.
  • There is an ISO standard that defines the main symbols used in a flow diagram (ISO 5807).
  • A legend specifying the meaning of the symbols can be associated with the diagram.
  • Developing a flowchart is an iterative process.

The Audit Process Approach and Repository

This approach consists in a methodical description of the activities of the audited field in order to identify their objectives, risks and control mechanisms that should enable them to be controlled. Like any modeling approach, it gives a partial and incomplete representation of reality. It can therefore be used to complement other tools.

To conduct an audit using this approach, you must follow the following procedure:

  1. Identify and describe the processes of implementation, those that produce products or services.
  2. Identify and describe management processes, those that produce decisions.
  3. Identify and describe support processes, those that produce resources.
  4. Identify and describe the measurement processes, those that produce measurements.
  5. Identify key processes, those whose smooth running is critical to achieving the objectives of the audited area.
  6. Identify the events that may have a negative impact on the progress of key processes.

This approach is part of the drafting of the audit repository , an indispensable tool if any. The latter identifies the objectives of each of the processes/subprocesses and for each of them the risks to which they are exposed and the controls that are expected to reduce these risks. The controls identified will be the reference from which the evaluation of the system of internal control will be carried out.

This repository begins with the identification of objectives as described in the process approach. It then proposes the identification of risks , identifying internal and external events likely to have a significant impact on the achievement of objectives. This risk identification must take into account the work of Mapping of pre-existing risks within the audited domain.

The last element specific to the audit repository is the identification of internal controls . Define a relevant control framework based on external control frameworks disseminated by professional bodies recognized for their expertise in this area, and from internal control frameworks that may be present in the organization.

The control framework (s) selected by the internal auditor will enable the internal auditor to structure the controls identified. Control activities integrated into the audited entity’s processes may include:

  • Assignment of approvals for transaction approval.
  • Separation of incompatible tasks.
  • Supervisory actions of operations.
  • The inability to carry out non-operations allowed.
  • Verifications of existence, accuracy and processing over time of operations.
  • Formalization of the operations carried out.
  • Retention and protection of supporting documents.

Numerous and sometimes complex tools

These three examples show the scope of the task that awaits the audit leader and his auditors. Especially since many other tools have not been discussed here:

  • Task Analysis Grid
  • Path Test
  • Risk Prioritization
  • Diagram Cause/Effect
  • Internal Control Questionnaire
  • Analytical Audit Procedure
  • Statistical Sampling
  • CAATs (for Computerized Assisted Audit Tools)

In this complex and highly structured framework, the contribution of software integrating the entire audit methodology internal is undeniable. Pyx4, through its Improver solution, allows you to:

  • To plan your audits,
  • to build the teams of auditors,
  • To supervise the achievement of this mission
  • Conduct your gap analyses
  • To prepare your audit reports
  • To manage the resolution of non-conformances
  • To follow the improvement actions resulting from your audit.

The Pyx4 teams are at your disposal to present its tools and the gains they could bring to your organization.