---
name: managing-internal-audit
language: en
description: Structures internal audit planning and execution with risk assessment, testing, and findings documentation. Use when planning internal audits, conducting audit testing, or documenting audit findings.
tags:
  - management
  - accounting
  - risk
  - audit
metadata:
  author: casemark
  practice_areas:
    - Financial Reporting
    - Audit
    - Accounting
  document_types:
    - Management Report
  skill_modes:
    - Management
    - Coordination
---
# Managing Internal Audit

## When To Use

- Developing an annual or quarterly internal audit plan based on enterprise risk assessment
- Scoping and planning a specific audit engagement (financial, operational, compliance, or IT)
- Designing audit test procedures and sampling methodology for an engagement
- Documenting findings, root causes, and management action plans
- Preparing audit committee reports or CAE status updates
- Tracking remediation of prior audit findings

## Inputs To Gather

- **Risk universe and prior risk assessments** — entity-level risk register, prior year audit results, emerging risk memos
- **Audit charter and mandate** — approved charter defining authority, scope, independence, and reporting lines
- **Organizational structure** — business units, process owners, management hierarchy
- **Regulatory and compliance landscape** — applicable regulations, recent examination findings, consent orders [VERIFY against current regulatory inventory]
- **Prior audit workpapers** — previous engagement files, open findings tracker, management action plan status
- **Available audit resources** — staff headcount, competencies, co-source/outsource arrangements, budget hours
- **Relevant standards** — IIA Standards, COSO framework, COBIT (for IT audits), applicable PCAOB or AICPA guidance [VERIFY which standards apply based on entity type — public vs. private vs. nonprofit]

## Workflow

### 1. Risk Assessment and Annual Plan Development

- Map the audit universe: identify all auditable entities, processes, and systems
- Score each auditable unit on inherent risk (likelihood × impact) across categories: financial, operational, compliance, strategic, reputational
- Overlay control environment maturity to derive residual risk ratings
- Prioritize engagements by residual risk, time since last audit, and management/board requests
- Allocate budget hours per engagement; flag resource gaps requiring co-sourcing
- Present the draft annual plan to the audit committee for approval
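The scoring, residual-risk overlay and prioritization steps above, as an added worked example (not part of the original skill document). The 1-5 likelihood/impact scale, the maturity overlay factor, the staleness cap and the +5 request bonus are assumptions chosen for illustration; adjust them to the department's methodology.

```python
from dataclasses import dataclass

@dataclass
class AuditableUnit:
    name: str
    # category -> (likelihood, impact), each scored 1..5; unrated categories are omitted
    risks: dict
    control_maturity: int        # 1 (ad hoc) .. 5 (optimized); assumed scale
    years_since_last_audit: int
    requested: bool = False      # management/board request
    est_hours: int = 0           # budget hours if the engagement is scheduled

    def inherent_risk(self) -> int:
        # Worst-case category drives inherent risk: max of likelihood x impact (1..25)
        return max(l * i for l, i in self.risks.values())

    def residual_risk(self) -> float:
        # Overlay control maturity: maturity 1 keeps 100% of inherent risk, maturity 5 keeps 20%
        return round(self.inherent_risk() * (6 - self.control_maturity) / 5, 2)

    def priority_score(self) -> float:
        # Residual risk first; staleness adds 1 point/year (capped at 3); a request adds 5
        staleness = min(self.years_since_last_audit, 3)
        return round(self.residual_risk() + staleness + (5 if self.requested else 0), 2)

def build_plan(units, budget_hours):
    """Rank units by priority and allocate hours; flag units that exceed the budget."""
    plan, used = [], 0
    for u in sorted(units, key=lambda x: x.priority_score(), reverse=True):
        used += u.est_hours
        plan.append({
            "unit": u.name,
            "inherent_risk": u.inherent_risk(),
            "residual_risk": u.residual_risk(),
            "priority": u.priority_score(),
            "hours": u.est_hours,
            "resource_gap": used > budget_hours,  # candidate for co-sourcing
        })
    return plan

# Constructed sample audit universe (hypothetical scores, not real data)
SAMPLE_UNITS = [
    AuditableUnit("Revenue recognition", {"financial": (4, 5), "compliance": (3, 4)}, 3, 2, False, 300),
    AuditableUnit("Payroll", {"financial": (2, 3), "compliance": (2, 2)}, 4, 5, False, 120),
    AuditableUnit("User access management", {"operational": (4, 4), "reputational": (3, 4)}, 2, 1, True, 200),
    AuditableUnit("Vendor management", {"operational": (3, 3), "compliance": (3, 3)}, 2, 0, False, 150),
]
```

Calling `build_plan(SAMPLE_UNITS, budget_hours=500)` returns the ranked draft plan; the last two rows are flagged as resource gaps because cumulative hours pass the 500-hour budget.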

### 2. Engagement Planning

- Define engagement objectives tied to specific risks (e.g., "Assess effectiveness of revenue recognition controls over non-standard contracts")
- Establish scope boundaries: in-scope processes, locations, systems, and time period under review
- Identify key controls through process walkthroughs and narratives with process owners
- Develop a risk-and-control matrix (RACM) mapping risks to controls to test procedures
- Determine sampling approach: statistical vs. judgmental, sample sizes based on population and control frequency [VERIFY sampling methodology aligns with firm/department methodology standards]
- Set engagement timeline, milestones, and fieldwork schedule

### 3. Fieldwork and Testing

- Perform walkthroughs to confirm understanding of processes and control design
- Execute design effectiveness testing: inspect control documentation, interview operators, observe execution
- Execute operating effectiveness testing per the RACM:
  - **Preventive controls** — reperformance and inspection of evidence
  - **Detective controls** — examine exception reports, reconciliations, review sign-offs
  - **IT general controls** — access management, change management, backup/recovery testing
- Document each test with: objective, population, sample, procedure performed, results, and conclusion
- Identify control deficiencies and classify severity:
  - **Deficiency** — control exists but has a gap
  - **Significant deficiency** — reasonably possible that a material misstatement would not be prevented/detected
  - **Material weakness** — reasonable likelihood that a material misstatement would not be prevented/detected [VERIFY classification criteria against entity's deficiency evaluation framework]

### 4. Findings Development and Root Cause Analysis

For each finding, document using the five-component structure:

- **Condition** — what was observed (specific, factual, supported by evidence)
- **Criteria** — what was expected (policy, regulation, standard, or best practice)
- **Cause** — root cause analysis (use 5-Whys or fishbone as appropriate): people, process, technology, or governance gap
- **Effect** — actual or potential impact, quantified where possible (dollar exposure, error rate, regulatory risk)
- **Recommendation** — specific, actionable remediation steps with clear ownership

Rate each finding: Critical / High / Medium / Low based on combined impact and likelihood.

### 5. Reporting and Communication

- Draft the engagement report with executive summary, scope, methodology, findings, and ratings
- Conduct an exit conference with process owners to validate factual accuracy and obtain management responses
- Obtain management action plans with responsible owners and target remediation dates
- Issue the final report to engagement stakeholders and the audit committee
- Update the open findings tracker and schedule follow-up validation testing

### 6. Follow-Up and Remediation Tracking

- Monitor management action plan progress against committed dates
- Perform follow-up testing to validate remediation effectiveness (not just completion)
- Escalate overdue or inadequately remediated findings per the escalation policy
- Report remediation status to the audit committee quarterly

## Output

The deliverable set typically includes:

- **Annual audit plan** — risk-ranked engagement list with resource allocation and timeline
- **Engagement planning memo** — objectives, scope, RACM, sampling plan, and timeline
- **Workpapers** — documented test procedures, evidence, results, and conclusions per test step
- **Draft and final audit report** — executive summary, detailed findings (condition/criteria/cause/effect/recommendation), management responses, and overall engagement rating
- **Open findings tracker** — consolidated view of all outstanding findings with status, owner, and target dates
- **Audit committee summary** — high-level status of plan execution, significant findings, and resource utilization

## Quality Checks

- [ ] Each finding is supported by documented evidence in workpapers — no finding relies solely on verbal assertions
- [ ] Root causes are identified beyond surface-level symptoms (process owner validated)
- [ ] Finding severity ratings are consistent with the entity's deficiency evaluation framework
- [ ] Sampling methodology and sizes are documented and defensible
- [ ] Report distinguishes clearly between design deficiencies and operating effectiveness failures
- [ ] Management action plans include specific owners and realistic target dates (not just "management will address")
- [ ] Engagement was performed in conformance with IIA Standards (independence, objectivity, proficiency, due care) [VERIFY conformance with applicable professional standards]
- [ ] Prior period open findings were assessed for continued relevance and remediation progress
- [ ] All scope limitations or access restrictions encountered during fieldwork are disclosed in the report
