How to do an internal audit

An internal audit can be carried out by the company's internal team or by contracting an outside consultant to carry out the review procedure. Its goal is to make sure that the organization's governance, risk management, and internal controls are operating efficiently. Management can increase operational efficiencies and pinpoint areas for improvement with the help of internal audits.  Check out this blog to read the difference

Internal audit is different from Statutory Audit. Check out this blog to read the difference. 

October 27, 2024

Step by  Step to do an Internal Audit

1. Initial Preparation and Appointment

First, ensure that the appointment of the Internal Auditor is approved by the board. Once approved, secure the engagement letter signed by both the Auditor and the Management team, detailing the terms of engagement. For new clients, begin with a basic understanding of the client's business processes, typically facilitated by a senior partner or manager.

2. Resource Planning

Plan the resources required for the engagement, including the team’s size and roles. Conduct a kick-off meeting with the team, the manager, and the partner. Here, the partner and manager guide the team on the audit objectives, timeline, and essential client details.

3. Defining the Audit Scope

Define the audit scope by identifying critical areas, such as Order to Cash or Procurement to Pay processes, based on initial discussions and risk assessments. Share the planned scope with the client for clarity and agreement.

4. Data Requests and Process Understanding

Prepare initial data requests related to the scoped areas, then share these with the client. Conduct process understanding sessions with process owners (e.g., meeting the Sales Head for Order to Cash), which helps in understanding the end-to-end process and potential risk areas.

5. Conducting Walkthroughs

Create a walkthrough document that outlines one sample from each process in an end-to-end manner. This phase, often termed as design testing, provides insights into the process flow and potential control points.

6. Review of the Risk Control Matrix (RCM)

Request the Risk Control Matrix (RCM) from the client, which defines risks and corresponding controls across various processes. This will be key for understanding the client’s risk profile and existing controls.

7. Testing Controls

Using the RCM and process understanding, test the controls within each scoped area. Request any additional data if necessary to ensure thorough testing.

8. Data Scrutiny and Issue Identification

Examine detailed data such as the sales register, purchase register, employee master data, vendor data, etc., to identify any discrepancies or areas of concern. Verify a few samples from each audit area in an end-to-end process to ensure accuracy.

9. Discuss Findings and Observations

Discuss preliminary findings and issues with the client, particularly those identified from data scrutiny. Unresolved issues are then categorized as observations and are documented for final reporting.

10. Preparing the Internal Audit Report

Draft the Internal Audit Report in a presentation format (PPT), summarizing observations, risks, and control recommendations. Review the report with the client’s management team and partner for validation and feedback.

11. Presentation to the Board

Present the finalized Internal Audit Report to the board or audit committee, detailing key observations and action items for improved compliance and governance.

If you're looking to kickstart your career in internal or statutory audit with a Big 4 firm, or want to gain expertise in these fields, check out our Master Blaster courses. These comprehensive programs are designed to equip you with the skills and knowledge you need to excel in the world of auditing. Don’t miss this opportunity to advance your career—enroll today


Frequently Asked Questions

Q: What is the role of an internal audit in an organization?
A: An internal audit helps to assess and improve risk management, controls, and governance processes within an organization.

Q: How often should internal audits be conducted?
A: Internal audits are generally conducted on monthly or quarterly depending on the requirement of the management , though more frequent like real time audits may be beneficial for high-risk areas.

CA Tushar Makkar
Author - Auditing in real life | Consulting in India, US, Europe and Middle East | Content creator | Ex-PwC | CA AIR 47 Nov' 17 | YouTuber 40k+ | Expertise in manage accounts and Audit | Investor