What is an Internal Audit? A Detailed Explanation With Examples.

What is an Internal Audit?

Imagine a big bank that holds the deposits of a large portion of a country’s population going bankrupt. It would spell disaster not only for that country’s public and government but also for its overall economy and reputation. Or take the example of a large publicly traded manufacturing company. Any instance of fraud can shake investors’ confidence and, consequently, an entire stock market. Or imagine a company that has become so inefficient that it is no longer profitable. To prevent the various risks it faces, such as fraud risks, risks of non-compliance with regulatory laws, IT risks, and operational risks, an organization puts certain processes in place. An internal audit is an independent and objective assessment of these processes for the following purposes:

  • Test the overall effectiveness of these processes in addressing the risks they are trying to prevent.
  • Identify improvement areas in processes.
  • Identify any unaddressed risks.

These processes comprise three main categories as follows:

  • Internal Control Processes
  • Governance Processes
  • Risk Management Processes

What are Internal Control Processes?

One of the common areas subject to internal audit is Internal Control Processes. Let’s understand Internal Controls with the help of an example. A bank has to comply with anti-money laundering regulations to prevent illicit money from entering its accounts. Therefore, a bank implements various internal checks and balances to prevent money laundering activities. For instance, a bank may set up the following processes to address this risk:

  • Requiring government-issued IDs at the time of account opening.
  • Identifying and investigating accounts with large cash deposits.

In this case, the role of an internal audit department is to examine the following:

  • Whether the above processes are effectively designed, and
  • Whether the bank’s staff follow these processes appropriately.

For instance, an internal auditor may check the following:

  • Is there independent oversight to ensure that the government-issued IDs are actually on file?
  • Is the identification process effective in spotting all large cash deposits?
  • Is the threshold used for defining large cash deposits appropriate?
  • Is the internal staff following the policies and procedures?
  • Is the staff appropriately trained on these processes?

Additionally, the audit team also needs to identify any unaddressed risks in the area under audit due to missing control processes or gaps in the existing control processes.

Another Example:

Another example could be a large manufacturing company generating billions in revenue. Such a company might have to implement various internal control processes to prevent fraud and theft by its internal employees. One of the common processes to prevent this risk is the segregation of duties. A company might implement processes such as the following:

  • Assigning different personnel to handle different aspects of a process. For instance, different persons in a company record sales and cash receipts to prevent any fraudulent activity.
  • Performing the bank reconciliation every month.

These are just a few examples. In reality, there are myriad processes based on an organization’s nature of business and internal factors specific to a company.

What are Governance Processes?

Large publicly listed organizations have a defined organizational structure with well-established corporate governance processes. Various committees, such as the Board of Directors, Audit Committee, and Compensation Committee, follow these governance processes to carry out their responsibilities. These committees provide high-level oversight of various aspects of a company’s business.

For instance, the Board of Directors follows various governance processes to carry out their mandate, such as the following:

  • The approval process for a company’s code of conduct
  • The approval process for a company’s strategic plan, capital plan, and financial plan.
  • The oversight process of a company’s risk management and internal control activities.

An internal audit involves the examination of these governance processes for efficiency, transparency, appropriateness, compliance, and adherence to the policies and procedures. Furthermore, the internal audit team also identifies any unaddressed risks due to missing governance processes or gaps in the existing governance processes.

What are Risk Management Processes?

Many companies have risk management functions or roles that monitor their risk within their defined risk appetite.

For instance, ABC Bank defines a risk tolerance of 5% for customer defaults on credit card debts. This means anything above this 5% threshold is a risk for ABC Bank. The risk management department at the bank proactively monitors credit card defaults against this defined risk tolerance threshold. These monitoring processes at ABC Bank are known as Risk Management Processes.

An internal audit will evaluate these risk management processes for the following:

  • Evaluate the overall effectiveness of these processes in addressing the risks they are trying to prevent.
  • Identify any unaddressed risks due to missing processes or gaps in the existing processes.

Objectives of the Internal Audit

The objectives of the Internal Audit include the following:

  • Ensure that internal control, governance, and risk management processes are designed and operating effectively.
  • Identify any areas of improvement in these processes.
  • Identify any unaddressed risks that require control processes to address them.

1. Financial Audit

Every organization implements certain control processes to ensure the accuracy of the following:

  • Financial Statement Numbers
  • General Ledger Numbers
  • Accounting Policy
  • Financial Statement Disclosures

Example:

For instance, the senior management team, such as the controller and VP, typically review the financial statements prepared by an accountant. This review ensures that the financial statements are accurate and follow applicable accounting standards.

A financial audit involves the following:

  • Examination of internal controls over financial reporting.
  • Identification of unaddressed risks of misstatement in the financial information due to missing control processes or gaps in the existing control process.

It is worth noting that these audits are primarily concerned with accounting standards, which are not laws. This implies if a company does not follow them, it may not necessarily result in a legal issue. However, the regulatory body enforcing these accounting standards can impose steep fines for non-adherence. Therefore, the failure of these control processes involves the risk of financial loss and reputational damage to a company.

2. Compliance Audit

A compliance audit is the examination of processes that are implemented in an organization to ensure compliance with laws and regulations. Additionally, it involves the identification of unaddressed compliance risks that require control processes to address them.

Example:

For instance, big financial institutions offer financial advisory services for a fee. Regulatory bodies generally regulate the conduct of financial advisors to ensure that their financial advice is in the best interest of their clients and is not guided by any profit motive. If a financial advisor does not follow these regulations, it can result in legal repercussions for a bank. Therefore, a bank implements various internal control processes to ensure financial advisors follow these regulations. In this case, an internal audit will involve the following:

  • Examination of the overall effectiveness of these processes in addressing the risks of non-compliance by financial advisors.
  • Identification of any unaddressed non-compliance risks due to missing control processes or gaps in the existing control processes.

For instance, one of the regulation’s requirements is that financial advisors document their client interactions and the rationale for their investment advice. Suppose a bank has no oversight control process to ensure that financial advisors follow these documentation requirements. In that case, it is an unaddressed compliance risk due to a missing process.

3. IT Audit

An organization might rely on its technology infrastructure for storing and processing financial and non-financial data. Generally, these IT infrastructures have built-in control processes to ensure the protection and accuracy of the stored information. An IT audit involves the following:

  • Evaluation of control processes in addressing the IT risks
  • Identification of any unaddressed IT risks due to missing control processes or gaps in the existing control processes.

Example:

For instance, there are built-in control processes in a company’s IT system to address the following risks:

  • Risk of Unauthorized Access
  • Cybersecurity threats
  • Data breaches

An IT audit will involve the examination of the following:

  • Whether these IT control processes effectively address the risks they are trying to prevent.
  • Whether there are any unaddressed risks due to missing control processes or gaps in the existing control processes.

4. Operational Audit

An operational audit involves the examination of internal control processes related to the day-to-day operations of a business. Common areas that are the focus of an operational audit include the following:

  • Adherence to Policies and Procedures:

An organization typically establishes internal policies and procedures that their employees have to comply with. An internal audit will involve an independent examination of the adherence to these policies and procedures.

Examples:

All new hires at ABC Company must complete certain mandatory training courses within 30 days of joining as per the company’s HR policy. In this case, an internal audit team will examine the employees’ adherence to the company’s learning policy.

ABC bank’s policy requires that all Branch Managers ensure that a customer complaint box is installed at their branches. The bank also prescribes a standard procedure on how a Branch Manager must address these complaints. In this case, a branch internal audit will examine the adherence to the policy and procedure for handling customer complaints.

  • Efficiency:

Efficiency is another common area that is the focus of the Operational Audit in an organization. An organization might implement a number of control processes to ensure effective and efficient utilization of its resources.

Example:

ABC Company has implemented a budgetary monitoring process that requires each departmental head to perform the following activities:

  • Monitor their department’s actual expenses against the budgets every month, and
  • Investigate over-budget expenses.

An internal audit will involve evaluation of the overall effectiveness of these processes in addressing the risk of financial mismanagement.

5. Governance and Structure Audit

Every organization has an organizational structure with established levels of authority and defined roles and responsibilities for each position. Furthermore, it has various governance committees, such as the Audit Committee, Executive Committee, and Compensation Committee. A Governance and Structure Audit involves an independent evaluation of these governance processes for the following:

  • Design
  • Effectiveness
  • Efficiency
  • Transparency
  • Compliance with laws
  • Adherence to the policies and procedures.

Example:

For instance, a Governance Internal Audit might examine the following:

  • Whether the roles and responsibilities of a Governance Committee are clearly defined.
  • Whether the delegation of authority in an organizational structure has been properly defined.
  • Whether the composition of a Governance Committee complies with relevant regulations.

6. Risk Management Audit

Many organizations, especially large publicly listed companies, have risk management functions to manage and monitor their business risks. For instance, a bank has the risk management function to monitor the risk of customer defaults on credit card debts and mortgage loans. A risk management audit involves an independent evaluation of the design and effectiveness of these risk management processes.

The Internal Audit process typically consists of the following phases:

Audit planning involves the following steps:

1. Determining the Objective
  • The internal audit team determines the objective of an audit. This involves asking questions such as:
    • What is this audit trying to accomplish?
    • What is the purpose of this audit?
2. Determining the Scope

This involves the following considerations:

Identifying relevant areas:

This step involves identifying business areas that must be included within the scope of an audit.

Example:

Suppose there is an internal audit at a bank to examine the control processes around regulatory requirements for financial advisors. In that case, the bank’s financial advisory business area needs to be included within the scope of that audit.

Identifying relevant divisions or business units:

The audit team needs to identify divisions that must be included within the scope of an audit.

Example:

A bank has many divisions, such as the Wealth Management Division, Capital Markets Division, and Personal Banking Division. Suppose there is an audit to examine some processes in the financial advisory business. In that case, only the Wealth Management Division is included within the scope of that audit. This is because other divisions do not have a financial advisory business. It is possible that an area subject to the internal audit is present in multiple divisions. In that case, the audit team includes all the impacted divisions within the scope of the audit.

Identifying relevant functions:

One department or multiple departments may be included within the scope of an audit.

Example:

Suppose there is an internal audit at ABC Bank to test control processes around new regulatory requirements for financial advisors. In that case, there can be multiple departments that should be within the scope of that audit. This is because various departments of a bank offer financial advisory services that are impacted by these new regulations.

Another example relates to an internal audit to test control processes around new financial statement disclosure requirements. In that case, the internal audit team will only include the financial reporting department within the scope of that audit. This is because this new requirement does not impact other departments. This step is also important for identifying the relevant points of contact the audit team needs to communicate with throughout the audit.

Identifying relevant geographical locations:

Suppose there is an internal audit at a company with multiple geographical locations. In that case, the audit team may consider the location’s materiality to determine its inclusion within the scope of that audit.

Determining the appropriate audit period:

The audit team must determine the appropriate time period that should be subject to the internal audit. It is generally a one-year period and close to the audit start date. However, this period can vary depending on the circumstances.

Example:

Suppose there is an audit to test processes around new regulatory requirements that came into effect only six months ago. In that case, the appropriate audit time period will only be six months. This is because any period prior to the regulation’s effective date is irrelevant to the purpose of that audit.

Identifying relevant processes:

The audit team needs to identify the relevant processes that must be included within the scope of an audit.

Example:

A manufacturing department in ABC Company has various control processes in place, such as the following:

  • Inventory Management Processes
  • Quality Control Processes
  • Cost Control Processes, and
  • Workers’ Safety Control Processes.

Suppose there is an internal audit to test the control processes around inventory management. In that case, only inventory management control processes should be within the scope of that audit.

Overall, determining the scope of an audit is necessary to ensure that no area is missed in an audit.

3. Risk Assessment

Identifying risks associated with in-scope processes:

The audit team must identify the type of risks associated with in-scope processes. Examples of common risk types are as follows:

  • Fraud Risk: Is there a risk of fraud if the process fails? For instance, every organization performs bank reconciliation to ensure the bank balance reconciles to its internal records. If the process is not performed appropriately, there is a risk of misappropriation of cash by an internal employee.
  • Legal or Compliance Risk: Is there a risk of legal liabilities and penalties if the process fails? For instance, the conduct of a bank’s financial advisors is regulated by a regulatory body. If there is no appropriate process at a bank for the oversight of financial advisors’ conduct, then it can pose a legal risk. This is because clients can sue the bank over alleged mismanagement of their funds by financial advisors.
  • Third-Party Risk: Is there any involvement of a third party on which the process depends? For instance, a company might use third-party cloud computing software, such as accounting software, which generates financial information. Is the software reliable? Is the data stored in this accounting software on a third-party server secure? Is the generated financial information accurate? Another example could be a manufacturer sourcing raw materials from a third-party supplier. Is the supplier reliable? Is there any risk of supply chain disruptions?
  • IT Risk: Is there any involvement of IT software in the process? Is there a risk of a data breach and unauthorized access to the technology infrastructure on which the process depends?
  • Operational Risk: Is there a risk of disruption to the normal operations of a company if the process fails? For instance, suppose there is a cyberattack that takes down the website of an e-commerce company. This can cause significant disruptions to the operations of that company. This is because an e-commerce company is highly dependent on its website for its business.
  • Reputational Risk: Is there a risk of damage to the reputation of a business if the process fails? For instance, at a pharmaceutical company, there are internal quality control checks on the production process of medicines. If these processes fail, they can have an impact on patients’ health. This can cause huge damage to the reputation of a pharma company among the general public.

Information Sources for Risk Assessment

The internal audit team must gather and analyze as much information as possible for the purpose of the risk assessment of the area under audit. The audit team needs to understand the area in detail, including its environment and the processes involved. There are various sources of information to conduct a risk assessment, including the following:

  • Previous audit documentation.
  • Internal Policies and Procedures.
  • Inquiry with the auditee.
  • Online search.
  • Internal website search.
  • Board Minutes.
  • Internal compliance records.
  • Internal incident reports, such as IT incident reports.

Examples:

Suppose there is an internal audit to evaluate the inventory management area of a company. In that case, the internal audit team needs to identify the type of risks associated with this area. Common risk types associated with the inventory management area are as follows:

  • Fraud risks due to theft by internal employees.
  • Third-party risks due to an unreliable supplier.
  • Obsolescence risks due to innovation and technological advancement.

Determination of the Risk Level of Each Process

It is worth noting that there are typically multiple in-scope processes related to the area under audit.

Example:

For instance, financial advisors working at banks must comply with different requirements of regulation while dealing with their clients. A bank typically implements a control process for each requirement of the regulation to prevent the risk of non-compliance. Suppose there is an audit to examine the regulatory compliance of financial advisors. In that case, the audit team needs to test all these processes as part of the audit.

The audit team has to determine the risk level, also known as risk significance, for each process. The overall risk level can be defined in scores, such as 1-5, or categories, such as High, Medium, and Low. In order to determine the risk level associated with a process, two factors are typically analyzed: Impact and Likelihood.

  • Impact: Impact means the severity of the risk if a process fails. Some of the common factors used for analyzing the overall risk impact associated with a process include the following:
    • Financial Impact: The magnitude of financial loss in terms of revenue losses, thefts, and property damage if a process fails.
      • For instance, a company selling meat can suffer significant revenue losses if a government recalls its products due to a reported contamination. This failure of the quality control process not only leads to lost sales but also erodes consumer trust in that company.
    • Operational Impact: The magnitude of disruption to a company’s business operations if a process fails.
      • For instance, an e-commerce company’s website is hacked. This failure of cybersecurity control processes can cause significant disruption to the company’s normal business operations.
    • Legal Impact: The extent of legal fines, penalties, and costs associated with a lawsuit if a process fails.
      • For instance, a bank may face steep legal fines due to the failure of its anti-money laundering compliance control processes.
    • Reputational Impact: The extent of damage to a company’s reputation if a process fails.
      • For instance, a lack of oversight over customer support services at a bank results in customer dissatisfaction, which can lead to significant damage to the bank’s reputation and, consequently, revenue losses.
  • Likelihood: The likelihood means the probability of a risk event if a process fails. Some of the common factors considered to assess the likelihood are as follows:
    • Complexity: A higher degree of complexity in a process increases the likelihood of the associated risk and vice versa.
    • Historical Data: If there is a history of similar risk events, then it increases the likelihood of that risk.
    • Industry Events: If a company’s competitors have faced similar risk events, then it increases the likelihood of that risk.
    • Objectivity: If a process is highly subjective, then it increases the likelihood of the risk the process is trying to prevent and vice versa.
    • Degree of Automation: If a process is highly manual, then it increases the likelihood of the risk the process is trying to prevent. This is because a highly manual process involves a higher probability of human errors.

Identifying Unaddressed Risks

The internal audit team must identify unaddressed risks due to the following:

  • Missing processes.
  • Gaps in the existing processes.

The audit team must identify all risks in the area under audit and must ensure that each of them is addressed by a process.

For instance, a new regulatory requirement has come into effect; however, the impacted department at ABC Company has not yet implemented any process to ensure compliance with this new regulation. In this case, the audit team must identify this risk of non-compliance with the new regulatory requirement as an unaddressed risk due to a missing control process.

What is the Significance of the Risk Assessment?

The purpose of risk assessment is to prioritize high-risk areas in an audit. Additionally, a high-risk area will be subject to more extensive testing than a low-risk area. For instance, more samples are tested for high-risk areas compared to low-risk areas.
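The two-factor risk rating described under "Determination of the Risk Level of Each Process" (Impact and Likelihood, combined into a score or a High/Medium/Low category) and the sample-size prioritization described just above can be expressed as a small scoring model. The following Python is an added illustration, not code from the article; the 1-5 scale per factor, the rule that the worst-case impact factor governs, the 15/8 category thresholds, the sample sizes per level, and the three example processes with their ratings are all constructed assumptions, since the article states that rating criteria vary by company.

```python
from dataclasses import dataclass
from statistics import mean

# Factors taken from the article's Impact and Likelihood lists.
IMPACT_FACTORS = ("financial", "operational", "legal", "reputational")
LIKELIHOOD_FACTORS = ("complexity", "history", "industry_events",
                      "subjectivity", "manual_effort")
SCALE = range(1, 6)  # assumption: each factor is rated 1 (lowest) to 5 (highest)


@dataclass(frozen=True)
class ProcessRisk:
    """One in-scope process with a rating for every impact and likelihood factor."""
    name: str
    impact: dict
    likelihood: dict


def _check(scores, factors):
    """Reject incomplete or out-of-range ratings before they reach the scoring."""
    missing = set(factors) - set(scores)
    if missing:
        raise ValueError(f"missing factor ratings: {sorted(missing)}")
    for factor, value in scores.items():
        if factor not in factors or value not in SCALE:
            raise ValueError(f"bad rating {factor}={value!r}")


def impact_score(p):
    """Assumption: the single worst impact factor governs (a severe legal impact is
    not softened by a mild financial one)."""
    _check(p.impact, IMPACT_FACTORS)
    return max(p.impact.values())


def likelihood_score(p):
    """Assumption: likelihood factors are averaged and rounded to the 1-5 scale."""
    _check(p.likelihood, LIKELIHOOD_FACTORS)
    return round(mean(p.likelihood.values()))


def risk_score(p):
    """Overall risk score on a 1-25 scale: impact x likelihood."""
    return impact_score(p) * likelihood_score(p)


def risk_level(score):
    """Map the score to the article's High / Medium / Low categories (assumed cut-offs)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


# Assumed sample sizes per level: higher risk means more extensive testing.
SAMPLE_SIZES = {"High": 25, "Medium": 15, "Low": 5}


def sample_size(level, population):
    """Test the whole population when it is smaller than the planned sample."""
    return min(SAMPLE_SIZES[level], population)


def plan_testing(processes, populations):
    """Return the test plan ordered from highest to lowest risk."""
    plan = {}
    for p in sorted(processes, key=risk_score, reverse=True):
        level = risk_level(risk_score(p))
        plan[p.name] = {"score": risk_score(p), "level": level,
                        "sample_size": sample_size(level, populations[p.name])}
    return plan


# Constructed example processes, loosely following the article's scenarios.
PROCESSES = [
    ProcessRisk("advisor_trade_oversight",
                {"financial": 3, "operational": 2, "legal": 5, "reputational": 4},
                {"complexity": 4, "history": 3, "industry_events": 4,
                 "subjectivity": 4, "manual_effort": 3}),
    ProcessRisk("bank_reconciliation",
                {"financial": 4, "operational": 2, "legal": 2, "reputational": 3},
                {"complexity": 3, "history": 4, "industry_events": 3,
                 "subjectivity": 2, "manual_effort": 5}),
    ProcessRisk("training_compliance_oversight",
                {"financial": 1, "operational": 2, "legal": 2, "reputational": 2},
                {"complexity": 1, "history": 2, "industry_events": 1,
                 "subjectivity": 1, "manual_effort": 3}),
]
# Constructed population sizes: executed trades, monthly reconciliations, employees.
POPULATIONS = {"advisor_trade_oversight": 1200, "bank_reconciliation": 12,
               "training_compliance_oversight": 300}

if __name__ == "__main__":
    for name, row in plan_testing(PROCESSES, POPULATIONS).items():
        print(f"{name:32s} score={row['score']:2d} {row['level']:6s} sample={row['sample_size']}")
```

Note the monthly bank reconciliation: its population of twelve is smaller than the Medium sample size, so the plan tests 100% of it, which is the small-population case the article discusses under operating effectiveness testing.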

After the initial risk assessment, the audit testing commences. The steps are as follows:

1. Scheduling and Conducting Process Walkthroughs

The first step in the internal audit fieldwork is to conduct process walkthroughs with the auditee. During walkthrough meetings, the audit team asks the person who performs the process, also known as the Process Owner, to give a live presentation of that entire process.

For instance, a company’s accountant generally performs the bank reconciliation. During the walkthrough meeting, the accountant reperforms the entire process with a sample in front of the audit team. During this meeting, the audit team asks the Process Owner questions related to the process. The audit team documents the walkthrough in real time. The audit team can also ask for any internal documentation, such as policies, procedures, and guides related to the process being discussed.

2. Performing the Testing

Designing the Testing Steps

An Internal Audit Team designs testing steps based on its own risk assessment and relevant documentation obtained from the auditee. Generally, a process is tested for two aspects: Design Effectiveness and Operating Effectiveness.

Testing the Design Effectiveness

Post-meeting, the audit team leverages the walkthrough documentation to test the process design by examining the following:

  • Whether the process design appropriately addresses the risk it is trying to prevent, and/or
  • Whether the process design is in line with the official policies and procedures.

Example:

Let’s understand this with an example. Every organization has a financial statement review process that involves the top management’s review of the financial statements prepared by the company’s accountant. This review is performed before these statements are finalized and released to the general public. The control process generally focuses on the accuracy of numbers and disclosures in financial statements. A reviewer from the top management, such as the controller or VP, typically performs this control process by reconciling the financial statement numbers to the company’s internal records.

During the walkthrough meeting of this process at ABC company, the audit team noted the following:

  • The reviewer did not reconcile financial statement numbers to internal records, and
  • The reviewer was only flipping through the pages to ensure financial statements were good.

In this case, the audit team can conclude that the control is not designed effectively. This is because the review did not address the risk of misstatement in the financial statements due to a lack of reconciliation procedure. Therefore, there is no effective review process in place to examine the accountant’s work.

Another Example:

Another example relates to the policies and procedures. Generally, every bank has formal customer complaints handling procedures. Branch Managers are usually responsible for handling customer complaints. In order to test the design effectiveness of this process, the audit team will perform the following steps:

  • Conduct a walkthrough meeting with the Branch Manager to understand the Branch Manager’s customer complaints handling process.
  • Check if the Branch Manager’s customer complaints handling process aligns with the stated policies and procedures.

Generally, the official policies and procedures are the authoritative source that must be followed because the top management of a company approves them after due diligence. If the customer complaints handling process does not align with the official procedures, then the audit team can conclude that the process is not designed effectively.

Testing the Operating Effectiveness

  • If the process design is concluded to be ineffective, the audit team marks this as a finding and does not perform further testing. This is because it does not make sense to test the operating effectiveness of a process if the design in itself is ineffective.
  • If the process design is concluded to be effective, then the audit team proceeds with testing the operating effectiveness of that process. The audit team tests the operating effectiveness of a process by examining the actual performance of that process. Testing the operating effectiveness addresses the following questions:
    • Does the performance of a process cover all the required steps as in the design of that process?
    • Does the performance of a process result in a successful identification and remediation of any issue, if it existed?

Example:

For instance, the conduct of financial advisors in a bank is regulated by a regulatory body. Various processes are put in place at a bank to ensure these financial advisors adhere to the relevant regulations while providing investment advice to their clients. Usually, managers oversee the executed trades to examine financial advisors’ compliance with relevant regulations. When the Internal Audit team tested the executed trades, they found instances of non-compliance that were not identified by the management team performing the oversight. As such, this control process overseeing the financial advisors is not operating effectively because it failed to identify instances of non-compliance.

This failure to identify issues can be due to various reasons, such as the following:

  • The incompetence of the staff performing the process.
  • Not performing the process as designed.
  • Insufficient coverage, i.e., not testing enough.

How is the Operating Effectiveness Testing Performed?

An internal auditor generally follows the sampling approach to test the operating effectiveness of a process. Under the sampling approach, the audit team obtains samples from a population and tests these samples. A population is the entire group of data on which the audit team has to form a conclusion. For instance, if an internal audit team is testing the employees’ training compliance in a department, then the population is all the employees of that department. This testing approach saves time and resources as the audit team does not need to test 100% of a population. This testing approach is suitable when a population is homogeneous and samples represent the characteristics of that population.

An audit team can also test 100% of a population if it is reasonable to do so. If a population is small, this approach can be suitable. However, if a population is large, it is not possible to test 100% of the population. In that case, the sampling approach is more reasonable.

3. Validating the Potential Audit Findings:

Before we jump into understanding this step, we must first understand what a potential audit finding means.

What does a Potential Audit Finding mean?

A potential audit finding means any initial evidence noted during an audit that implies the following:

  • A process may not be designed effectively or,
  • A process may not be operating effectively.

For instance, during the testing of the training compliance oversight process, the audit team noted that one of the samples, i.e., one of the employees, did not complete the mandatory training courses. The audit team can conclude this instance as a potential audit finding because it indicates that one of the employees did not go through the mandatory learning courses as per the firm requirements. This indicates that the oversight process to ensure training compliance may not be operating effectively.

Discussing the Potential Audit Findings with the Auditee

After the internal audit team notes the potential audit findings, the next step is to validate them with the auditee. It is important to note that a potential audit finding does not necessarily indicate actual issues in a process. The internal audit team needs to discuss these potential audit findings with the auditee to know the reasons behind them. There can be many reasons as to why a potential audit finding may not indicate an actual issue.

Let’s return to the previous example, where an audit team noted that one of the employees did not complete the mandatory training courses. During the discussion of this potential audit finding with the auditee, the auditee informed the internal audit team that the employee was on long-term leave. Therefore, this anomaly in sample testing did not confirm any actual problem with the effectiveness of the control process itself. It is important to note that a mere inquiry with the auditee is not sufficient. The audit team needs to obtain further evidence to support the auditee’s justification. In this case, the audit team needs to obtain the official documentation related to the long-term leave approval of that employee. The audit team will examine key details in the documentation obtained, such as the employee’s name and the duration of absence, to reach a reasonable conclusion.

1. Finalization of Audit Findings

After validating the potential audit findings, the audit team communicates the final audit findings to the auditee. The audit team and the auditee should agree on the final audit findings. There can be instances where disagreements arise between the audit team and the auditee as to whether a potential audit finding is a valid finding or not. In these instances, senior management from both sides typically reach an agreement through detailed discussions.

2. Evaluation of the Final Audit Findings

After the auditor and the auditee have agreed to the final audit findings, the audit team needs to evaluate each finding for the following:

Risk Level:

The audit team has to assess the level of risk associated with each finding. Risk levels can be categorized (for example, High, Medium, and Low) or ranked on a scale (for example, 1 to 5). The risk rating criteria can vary from company to company and depend on the company’s internal audit methodology. However, the general approach to determining the risk level of a finding is to analyze the associated impact and likelihood.

a. Impact: Impact refers to the severity of the risk associated with a finding. Some of the common factors that are considered to determine the impact are as follows:

  • Financial Impact: What is the magnitude of financial loss a company can suffer due to a noted finding?
  • Legal Impact: What is the magnitude of legal fines and penalties a company can face due to a noted finding?
  • Operational Impact: What is the degree of disruptions to business operations a company can experience due to a noted finding?
  • Reputational Impact: What is the extent of reputational damage a company can witness due to a noted finding?

b. Likelihood: Likelihood refers to how probable the adverse event associated with a noted finding is. Some of the common factors that are analyzed to determine the likelihood are as follows:

  • Historical Data: If a finding relates to a risk event that has occurred in the past, then it increases the likelihood of that risk.

Example:

A finding relating to non-compliance with the AML regulation was noted during an audit at ABC Bank. The bank has faced a high-profile AML non-compliance lawsuit in the past. In this case, it increases the likelihood of the legal risk associated with the finding.

  • Complexity: If a finding relates to a complex process, then it increases the likelihood of the associated risk.

Example:

A finding related to the consolidated financial statement review process was noted during an internal audit at ABC Company, a large multinational firm with several global locations. The VP of Accounting at ABC Company reviews the consolidated financial statements, which include all of its global subsidiaries. This is a highly complex control due to multiple foreign exchange adjustments and a large number of reconciling items. Therefore, this high complexity increases the likelihood of errors in the financial statement review process.

  • Industry Events: If a finding relates to a risk event that a company’s competitor has already experienced, then it increases the likelihood of that risk event.

Example:

ABC and XYZ Banks are competitors. ABC Bank has recently been fined by a court for non-compliance with the Anti-Money Laundering Regulation. After this event, an AML audit takes place at the competitor XYZ Bank. During this audit, a finding related to non-compliance with AML regulations was noted. The internal audit team at XYZ Bank must take into account ABC Bank’s lawsuit to determine the likelihood of the legal risk associated with the noted finding.

  • Objectivity: If a finding relates to a highly subjective process, it increases the likelihood of the risk associated with that finding.

Example:

A finding relates to the private investment valuation review process at ABC Company. The Director of Valuation at ABC Company reviews the valuation analysis of private investments held by the firm. Since this type of investment is not publicly traded, the price cannot be easily determined. A valuation model that incorporates many subjective variables has been used to value these investments. The Director has to use his professional judgment to review the valuation model due to the lack of objective criteria. Since this review process is highly subjective, it increases the likelihood of the risk of inaccuracy in the valuation model.

  • Fraud Risk: If a finding relates to fraud, it increases the likelihood of the risk associated with that finding.

Example:

An internal audit team noted a finding related to a fake invoice submitted for payment at ABC Company. This finding relates to a fraudulent activity in the Accounts Payable Department due to a lack of segregation of duties. This increases the likelihood that there can be more fraud cases due to the absence of a key control process, i.e., segregation of duties.

  • Degree of automation: If a finding relates to a highly manual process, then it increases the likelihood of the associated risk.

Example:

At ABC Company, the Senior Accountant manually reviews the company’s financial statements, which the junior accountant prepares in an Excel spreadsheet without assistance from any accounting software. During the audit of this process, the audit team noted a finding related to a misstatement in the financial statements. This lack of automation increases the likelihood of the risk of misstatement in the financial statements because of the high probability of human error in the manual review process.

Root Cause:

The audit team must identify a finding’s underlying root cause to determine the appropriate action for remediation.

Example:

An audit of the financial advisory business at ABC Bank noted many instances of non-compliance by financial advisors. In this case, the root cause of the finding is that financial advisors are not following the regulatory requirements.

Possible Impact:

An internal audit team needs to analyze what possible impacts a finding can have.

Example:

Suppose the audit team at ABC Bank notes a finding related to financial advisors’ non-compliance with regulatory requirements. In that case, possible impacts may include the following:

  • Increased regulatory scrutiny
  • Legal fines and penalties
  • Loss of public trust

Corrective Action:

Based on the identified root cause, the audit team needs to come up with a corrective action required to remediate the finding. A corrective action, also known as a recommendation, is a suggestion for the management on what needs to be corrected or improved in order to remediate the finding.

Example:

During an audit, the audit team concludes that a finding’s root cause is that the financial advisors are not following the regulatory requirements. In this case, the recommendation or corrective action may include the following:

  • Increased compliance monitoring of financial advisors.
  • Comprehensive mandatory training for financial advisors.

3. Determining the Management Action Plan

After an audit team has determined the corrective action, the next step is to devise a management action plan. Typically, the internal audit team presents its findings and corrective actions to the management. Based on the corrective action, the management determines an appropriate management action plan to remediate the findings.

For instance, an audit team’s corrective action recommends that there should be increased compliance monitoring of financial advisors. In this case, the management can create a detailed Management Action Plan spelling out the specifics of new processes such as the following:

  • Daily compliance monitoring of financial advisors.
  • Implementation of a new software solution that detects non-compliance in real time.
  • Implementation of mandatory comprehensive training modules for financial advisors.

It is important to note that the Internal Audit Team has to approve the Management Action Plan. There can be instances where disagreements regarding the Management Action Plan can arise between the internal auditor and the auditee. In that case, the top management from both sides typically hold detailed discussions to resolve these disagreements.

4. Deciding the Plan Owner and Implementation Date

After the finalization of the Management Action Plan, the auditee management has to determine the following:

  • The person responsible for implementing the action plan and
  • Implementation date.

Generally, the internal audit function establishes policies regarding the implementation dates for management action plans based on the associated risk. For instance, an internal audit policy may require the auditee to implement the management action plans for high-risk findings within 3 months, medium-risk findings within 6 months, and low-risk findings within a year of the audit report date.

5. Issuing the Audit Report

After the finalization of the Management Action Plan for each finding, the audit team prepares and distributes the final audit report to relevant parties involved in the audit. A final audit report contains the following key details:

  • Executive Summary
  • Audit Scope
  • Audit Objectives
  • Audit Approach
  • Audit Procedures
  • Overall Audit Rating, for example, Satisfactory, Needs Some Improvement, Unsatisfactory
  • Summary of Findings, and their Risk Levels, Action Plan Owners, and Implementation Dates
  • Details of each Finding that include the following:
    • A detailed description of the finding
    • Risk rating of the finding, for example, high, medium, and low.
    • Root Cause
    • Possible Impact
    • Management Action Plan
    • Accountable Person
    • Due Date

After the audit, the internal audit team tracks each finding noted in the audit report until its closure. The audit team follows up with the action plan’s responsible person by the plan’s due date to obtain evidence of the implementation of the management action plan. After obtaining the relevant evidence, the audit team tests it to confirm that the finding has been effectively resolved.

A. When the results are satisfactory, the finding is closed.

B. If the results are unsatisfactory, the audit team performs the following steps:

  • Follows up with the action plan’s responsible person regarding the unsatisfactory test results.
  • Coordinates with the accountable person until the agreed action plan has been appropriately implemented.
  • Performs further testing by obtaining the relevant evidence to confirm that the finding has been remediated.

If the subsequent test results are satisfactory, the audit team closes the finding; otherwise, the audit team continues to follow up with the responsible person until the finding is effectively resolved.

The writer has served within the Internal Audit function at prominent Canadian financial institutions. He also holds CPA certification from the US.
