casemark/managing-internal-audit

Managing Internal Audit

When To Use

• Developing an annual or quarterly internal audit plan based on enterprise risk assessment
• Scoping and planning a specific audit engagement (financial, operational, compliance, or IT)
• Designing audit test procedures and sampling methodology for an engagement
• Documenting findings, root causes, and management action plans
• Preparing audit committee reports or CAE status updates
• Tracking remediation of prior audit findings

Inputs To Gather

• Risk universe and prior risk assessments — entity-level risk register, prior year audit results, emerging risk memos
• Audit charter and mandate — approved charter defining authority, scope, independence, and reporting lines
• Organizational structure — business units, process owners, management hierarchy
• Regulatory and compliance landscape — applicable regulations, recent examination findings, consent orders [VERIFY against current regulatory inventory]
• Prior audit workpapers — previous engagement files, open findings tracker, management action plan status
• Available audit resources — staff headcount, competencies, co-source/outsource arrangements, budget hours
• Relevant standards — IIA Standards, COSO framework, COBIT (for IT audits), applicable PCAOB or AICPA guidance [VERIFY which standards apply based on entity type — public vs. private vs. nonprofit]

Workflow

1. Risk Assessment and Annual Plan Development

• Map the audit universe: identify all auditable entities, processes, and systems
• Score each auditable unit on inherent risk (likelihood x impact) across categories: financial, operational, compliance, strategic, reputational
• Overlay control environment maturity to derive residual risk ratings
• Prioritize engagements by residual risk, time since last audit, and management/board requests
• Allocate budget hours per engagement; flag resource gaps requiring co-sourcing
• Present the draft annual plan to the audit committee for approval

2. Engagement Planning

• Define engagement objectives tied to specific risks (e.g., "Assess effectiveness of revenue recognition controls over non-standard contracts")
• Establish scope boundaries: in-scope processes, locations, systems, and time period under review
• Identify key controls through process walkthroughs and narratives with process owners
• Develop a risk-and-control matrix (RACM) mapping risks to controls to test procedures
• Determine sampling approach: statistical vs. judgmental, sample sizes based on population and control frequency [VERIFY sampling methodology aligns with firm/department methodology standards]
• Set engagement timeline, milestones, and fieldwork schedule

3. Fieldwork and Testing

• Perform walkthroughs to confirm understanding of processes and control design
• Execute design effectiveness testing: inspect control documentation, interview operators, observe execution
• Execute operating effectiveness testing per the RACM:
  • Preventive controls — reperformance and inspection of evidence
  • Detective controls — examine exception reports, reconciliations, review sign-offs
  • IT general controls — access management, change management, backup/recovery testing
• Document each test with: objective, population, sample, procedure performed, results, and conclusion
• Identify control deficiencies and classify severity:
  • Deficiency — control exists but has a gap
  • Significant deficiency — reasonably possible that a material misstatement would not be prevented/detected
  • Material weakness — reasonable likelihood that a material misstatement would not be prevented/detected [VERIFY classification criteria against entity's deficiency evaluation framework]

4. Findings Development and Root Cause Analysis

For each finding, document using the five-component structure:

• Condition — what was observed (specific, factual, supported by evidence)
• Criteria — what was expected (policy, regulation, standard, or best practice)
• Cause — root cause analysis (use 5-Whys or fishbone as appropriate): people, process, technology, or governance gap
• Effect — actual or potential impact, quantified where possible (dollar exposure, error rate, regulatory risk)
• Recommendation — specific, actionable remediation steps with clear ownership

Rate each finding: Critical / High / Medium / Low based on combined impact and likelihood.

5. Reporting and Communication

• Draft the engagement report with executive summary, scope, methodology, findings, and ratings
• Conduct exit conference with process owners to validate factual accuracy and obtain management responses
• Obtain management action plans with responsible owners and target remediation dates
• Issue the final report to engagement stakeholders and the audit committee
• Update the open findings tracker and schedule follow-up validation testing

6. Follow-Up and Remediation Tracking

• Monitor management action plan progress against committed dates
• Perform follow-up testing to validate remediation effectiveness (not just completion)
• Escalate overdue or inadequately remediated findings per the escalation policy
• Report remediation status to the audit committee quarterly

Output

The deliverable set typically includes:

• Annual audit plan — risk-ranked engagement list with resource allocation and timeline
• Engagement planning memo — objectives, scope, RACM, sampling plan, and timeline
• Workpapers — documented test procedures, evidence, results, and conclusions per test step
• Draft and final audit report — executive summary, detailed findings (condition/criteria/cause/effect/recommendation), management responses, and overall engagement rating
• Open findings tracker — consolidated view of all outstanding findings with status, owner, and target dates
• Audit committee summary — high-level status of plan execution, significant findings, and resource utilization

Quality Checks

• [ ] Each finding is supported by documented evidence in workpapers — no finding relies solely on verbal assertions
• [ ] Root causes are identified beyond surface-level symptoms (process owner validated)
• [ ] Finding severity ratings are consistent with the entity's deficiency evaluation framework
• [ ] Sampling methodology and sizes are documented and defensible
• [ ] Report distinguishes clearly between design deficiencies and operating effectiveness failures
• [ ] Management action plans include specific owners and realistic target dates (not just "management will address")
• [ ] Engagement was performed in conformance with IIA Standards (independence, objectivity, proficiency, due care) [VERIFY conformance with applicable professional standards]
• [ ] Prior period open findings were assessed for continued relevance and remediation progress
• [ ] All scope limitations or access restrictions encountered during fieldwork are disclosed in the report