To improve how well your company deals with risks…
Internal auditors must keep abreast of what’s happening in the organization’s environment. We suggest that a framework be established in which internal auditors attend executive committee meetings, obtain important management reports and identify and meet with key department heads throughout the year.
Evaluate quality control, security, physical asset review and credit administration processes so that the work of other departments may be leveraged where possible. Review the scope of their activity and consider their results in developing an internal audit plan. Rather than just using independently drawn samples for testing, examine internal quality control efforts throughout the company and selectively validate the results. Coordinate the timing of internal audits with each department’s internal quality control efforts, draw on internal department findings to determine where problems occurred and suggest process improvements.
Rather than scheduling audits on a standard one-, two- or three-year rotation, base the frequency of audits on a business area’s risk factors, such as previous poor audit ratings or significant changes in personnel. This focuses effort on the highest risk priorities within the company and directs appropriate resources to new and changing areas. Also train line managers to update their own risk assessment systems and methodologies, for example by showing them how to implement steps to monitor quality control and review segregation of duties.
Internal auditors should be involved in activities such as systems development and conversions, process reengineering, new products and services, mergers and acquisitions and the analysis of new IT policies. Review controls before technology teams implement them and take steps to address IT risks rather than reacting to problems after they occur. Before management installs a major new system, identify the supporting applications that would affect operational processes, business resumption plan requirements and network security issues, such as controlling user access and ensuring that supporting applications interacting with existing systems have proper controls.
Coordinate with management to develop a formal internal audit report to provide management and the reviewed business unit with conclusions and a balanced perspective. An executive summary, following an opinion on whether the three COSO internal control objectives have been met, should provide a review of the business area’s purpose, major systems initiatives, key accomplishments and successes as well as the auditors’ observations. To follow up, the auditors track their observations and local management’s responses and report monthly to executive management and quarterly to the audit committee.
ABC Company Audit Report