https://sygnvs.

com/pre-audit-planning-what-to-do-now/

Pre-Audit Planning – What To Do Now

by sygnvs / Tuesday, 22 December 2015 / Published in Audit Planning, Management

As the New Year approaches, your organization is likely preparing for new opportunities,
resolutions and goals. This season is the perfect time to lay the groundwork for a 2016
full of success.

And of course, auditing time is just around the corner. Wait, where’d you go?

Seriously though, just the mere mention of auditing is enough to ignite a sense of panic in
most offices. While not exactly professional, the reaction is perfectly reasonable as it is a
stressful time of year for accountants and executives alike.

However, the right pre-audit planning can set you and your team on the course to smooth
sailing. If you’re looking for calmer seas, follow these expert tips for successful
navigation.

About Pre-Audit Planning

The Merriam-Webster dictionary defines an audit as: “a formal examination of an
organization’s or individual’s accounts or financial situation.”

Notice that nowhere in that definition did they reference a “gotcha!” situation. But for
many accountants, it can sure feel that way. The fear of making a career-ending mistake
can paralyze many professionals in the pre-auditing planning process.

But the truth is the real purpose of auditing is simply to make sure your financial
information, internal operations and business practices are all in order.

While people may joke about underwear selections, most auditors only come to review
your year-end bank statements, charitable contributions, and other professional records
that may give an insight into your organization’s health.

Making the Process a Success

When your documents are all in good shape, you’ll need to organize them into a digital
folder for easy review. Don’t forget to make copies of any physical documents.

Make sure you have copies of your grant awards, related contracts, payroll taxes, W-2
and 1099s. Next, appoint someone to organize the visit.

1
You’ll want to take a look at the schedule during this time and make sure you have a
quiet, comfortable place for auditors to review. Any important meetings or events should
be scheduled off-site or postponed.

When you’re pre-audit planning, you’ll likely come across many ways to improve your
organization’s accounting system. Take time to note areas you’d like to streamline and
workflows you’d like to put in place.

A nonprofit-friendly financial management solution can take the fear out of pre-audit
planning for your team. Imagine having the files and documents you need at the tip of
your fingertips instead of stored across multiple systems (or, shudder, filing cabinets).

Abila MIP Fund Accounting is used by many nonprofit organizations to make reporting,
budgeting and managing more successful.

It goes beyond traditional commercial accounting software to meet your organization’s

needs including ACA reporting compliance, multiple fund management, and the tracking
of individual funds from multiple sources.

You’ll avoid auditing nightmares like inconsistent financial statements, lack of internal
control and multiple allocations. It’s truly a comprehensive solution for improving
existing process and optimizing new procedures. Best of all, Abila offers customization
for a more flexible approach that grows with your organization.

At SYGNVS we offer personalized IT solutions, including Abila MIP Fund Accounting,

designed to meet the needs of every nonprofit organization. Further, our team provides
training and support to make integrating new software a seamless and painless process.
For a free demo of Abila and to learn more about our other IT services, contact the
SYGNVS team today!

https://smallbusiness.chron.com/preaudit-30494.html (14 April, 2019)

What Is a Pre-Audit?
by Forest Time

Related Articles

 1 Six-Step Audit Process

 2 What Is a Random Audit?
 3 Process Audit Checklist
 4 What Does the Process of Performing an External Audit Include?

2
The term audit describes the process in which the financial records of a business or
individual are examined for accuracy. This is often a high-stakes process; for example, an
audit by the Internal Revenue System that finds a business not paying enough taxes can
have serious financial and legal repercussions. A pre-audit is the first part of the auditing
process.

Basic Definition
A pre-audit is the first step in the process of an audit. During a pre-audit, a company or
individual's financial documents are examined to ensure that all information is correct
before the company or individual undergoes an official audit. The pre-audit process may
be undertaken by employees of the company being pre-audited, or the company may hire
an independent organization to examine its finances. Pre-auditing may be used to
describe both a single instance of review directly preceding an official audit as well as the
continuous process of monitoring finances throughout the year.

Segregation of Duties
According to the Nebraska Department of Administrative Services, one of the most
important aspects of a general pre-auditing process is the segregation of duties when it
comes to finances. For instance, payroll checks should be issued by a different employee
than the one who approves time cards and cash should not be deposited by the same
employee who balances bank statements. In small organizations where this is not
possible, finances should be routinely checked by the management. Proper oversight or
segregation of duties will lessen the likelihood of intentional or unintentional abuse or
misconduct.

Types of Transactions
The types of transactions that should be examined in a pre-audit vary according the type
of business conducting the review and the state and federal statutes to which a business is
subject. For example, the pre-audit manual of the University of Wisconsin system
suggests that pre-auditors review such transactions as travel expenses, meeting expenses,
payments for personal services, invoices, checks and taxes paid. The Nebraska
Department of Administrative Services stipulates that all transactions marked "sensitive"
or valued at greater than $1,500 must be reviewed as part of a pre-audit.

Why Pre-Audit?
Most importantly, pre-auditing gives companies a chance to catch and correct accounting
errors on their own before they are caught by an independent auditing agency, such as the
IRS. This may lessen the likelihood that an auditing agency will assume that accounting
errors are intentional and illegal instead of honest mistakes. In addition, engaging in pre-

3
 auditing practices throughout the year helps companies to have a clear picture of their
financial situation at any given time.

Audit Checklist
Audit Sample
Audit Program
Internal Audit Process
Financial Audit

https://searchsecurity.techtarget.com/tip/Pre-audit-planning-Four-keys-to-a-successful-
IT-security-audit

Pre-audit planning: Four keys to a successful

IT security audit
One QSA offers pre-audit planning advice to ensure a
smooth, successful enterprise IT security audit for both the
organization and the auditor.

Steven Weil

Point B

For many information security professionals, a visit from an auditor is perceived as something to
be feared or...

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.




o I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my

information to the United States for processing to provide me with relevant information
as described in our Privacy Policy.


o I agree to my information being processed by TechTarget and its Partners to contact

me via phone, email, or other means regarding information relevant to my professional
interests. I may unsubscribe at any time.

4
 

endured. However, an experienced auditor can offer many benefits, such as a neutral and honest
review of an organization's security posture, validation and support of the company's efforts, and
useful advice on how to mitigate gaps and meet requirements.

If a requirement can't be implemented, it shouldn't be in a policy or standard.

That being said, based on my many years of experience as a senior auditor and after assessing a
wide variety of organizations, I want to share some real-world, useful tips on how infosec pros
can collaborate with auditors to make an IT audit -- such as with the Health Insurance Portability
and Accountability Act or the Payment Card Industry Data Security Standard (PCI DSS) -- as
useful, painless and efficient as possible for both the auditor and the organization being audited.

Below are four tips organizations can use to ensure successful organization-auditor collaboration.

Advance preparation

Before they come on-site, most auditors will request a variety of information -- e.g., network
diagrams, system inventories, control descriptions – and infosec pros should provide as much of
this as possible. The more an auditor understands about an organization's environment before he
starts, the more efficient and timely the audit will be. If an auditor does not receive adequate
information in advance, he must learn about the organization from scratch upon arrival, which
not only makes for a longer audit, but may also lead to auditor misunderstandings or confusion.

In advance of an auditor's visit, an organization should also ask the auditor which experts (e.g.,
developers, system administrators, network administrators) he will need to meet with. The
organization must ensure its experts come to the formally scheduled meetings with equipment
(such as laptops) and passwords that enable them to access the systems the auditor needs to see.
It is important to note that auditors have a schedule and budget, and therefore appreciate not
standing around or finding out last minute that a key employee is not available.

An information security team should also learn the basics of the standard the organization will be
audited against, and be cognizant of the unique attributes of the environment that is to be
assessed. For example, if an organization is being audited against the PCI DSS, it is important to
know what the organization's cardholder data environment (CDE) is, because not only does the
CDE determine what will be assessed during a PCI audit, but it can also vary significantly from
one organization to the next. This knowledge will help infosec pros understand what systems and
processes are likely to be assessed when the auditor arrives.

Scoping

Once on-site, one of the first and most important tasks for an auditor is to determine what
systems and processes are in scope for the audit. Infosec pros can help the auditor accurately and
efficiently do this by clearly identifying and documenting how sensitive information (such as

5
credit card information or medical data) flows through the organization -- auditors love data flow
diagrams!

After the first day on-site, an organization should ask the auditor to clearly explain what he
considers to be in scope for the audit. If they disagree with the scoping or don't fully understand
it, the organization should calmly discuss the scoping with the auditor until they reach an
agreement.

Avoid red flags

Certain actions by an organization will make an auditor nervous, which will likely result in
increased scrutiny and time on-site. More specifically, it is critical to never lie or make up
information during an audit; this is a major red flag. If an auditor thinks he is being lied to or
misled, he will perceive this as a significant risk to himself and his employer, and therefore dig
deeper in order to reduce the risk. Never assume auditors aren't technical and won’t understand
your systems. Many auditors have significant "hands on" technical experience and have assessed
many different environments and technologies. It's OK to tell an auditor, "I don't have an answer
for you right now, but I will get you one as soon as possible."

Another red flag for an auditor is if an organization is not confident in knowing where sensitive
information is stored and/or how it moves throughout the organization. From an auditor's
perspective, the implementation of security controls is highly dependent on an enterprise's
understanding of where its sensitive data is. If an auditor believes a company is not fully aware
of its sensitive data, he will likely assume the measures used to protect the data are not correctly
or fully implemented, and will therefore further scrutinize the controls. Security pros can prevent
this by clearly identifying and documenting how the sensitive information subject to the audit
flows through the organization.

A final red flag to be aware of is if controls are mentioned in policies and standards but are not
consistently implemented. For example, if an organization's policy states systems must have
strong passwords and the auditor's hands-on assessment reveals many systems have weak
passwords, he may doubt the organization's capabilities, causing him to inspect the controls more
thoroughly than usual. Security pros can prevent this from happening by verifying that all
requirements in their organization's policies and standards have been implemented; if a
requirement can't be implemented, it shouldn't be in a policy or standard.

Gaps

At the beginning of an audit, I highly encourage those being audited to request that the auditor
report any significant gaps as soon as they are determined. This will minimize surprises for the
organization and allow for prompt remediation -- something all auditors like to see. And,
depending on the circumstances, an auditor may allow certain gaps to be fixed on the spot (e.g.
removing an unnecessary software program from a server or enhancing the password policy on a
server).

6
If a security manager doesn't understand why an auditor thinks there is a gap, he should ask for
an explanation; perhaps the auditor misunderstood something. A good auditor will always clearly
explain why there is a gap and the intent of a specific requirement. If there's a strong technical or
business reason why a gap can't be mitigated, the organization should ask if a compensating
control is possible.

Conclusion

The ultimate goal of an auditor is to collaborate with and improve the security of the
organizations he assesses. It's much better for an organization to have an auditor find a gap and
help fix it than to have a malicious person find it and exploit it.

By following the advice in this piece, information security professionals can significantly help
their organizations have a useful, painless and efficient information technology-focused audit --
and learn a few things in the process.

More on audit planning and preparation

 Audit management: Five strategies to streamline the PCI audit process

 Ensure audit success with sound security audit procedures
 How to select a set of network security audit guidelines
 IT security auditing: Best practices for conducting audits

About the author:

Steven Weil, CISSP, CISA, CISM, CRISC, QSA, is a senior security auditor at Coalfire Systems.
He has 17 years of experience in information security design, implementation and assessment.
He has audited complex, challenging organizations such as universities, government agencies
and large payment processors.

Editor's note: The views and opinions expressed in this article are those of the author and do not
necessarily reflect the opinions or practices of the author's employer.

This was last published in January 2014

Dig Deeper on IT security audits and audit frameworks

https://cpahalltalk.com/audit-planning-analytics/

Audit Planning Analytics

The auditing standards provide four risk assessment procedures:

1. Inquiry
2. Observation
3. Inspection

7
 4. Analytical procedures

I previously provided you with information about the first three risk assessment procedures.
Today, I provide you with the fourth, analytical procedures.

While analytical procedures should occur at the beginning and the end of an audit, this post
focuses on planning analytics.

Below I provide the quickest and best way to develop audit planning analytics.

What are Analytics?

If you're not an auditor, you may be wondering, "what are analytics?" Think of analytics as the
use of numbers to determine reasonableness. For example, if a company's cash balance at
December 31, 2017, was $100 million, is it reasonable for the account to be $5 million at
December 31, 2018? Comparisons such as this one assist auditors in their search for errors and
fraud.

Overview of this Post

We'll cover the following:

 The purpose of planning analytics

 When to create planning analytics (at what stage of the audit)
 Developing expectations
 The best types of planning analytics
 How to document planning analytics
 Developing conclusions
 Linkage to the audit plan

Purpose of Planning Analytics

The purpose of planning analytics is to identify risks of material misstatement. Your goal as
an auditor is to render an opinion regarding the fairness of the financial statements. So, like a
good sleuth, you are surveying the accounting landscape to see if material misstatements exist.

A detective investigates a crime scene using various tools: fingerprints, forensic tests, interviews,
timelines. Auditors have their own tools: inquiry, observation, inspection, analytical procedures.
Sherlock Holmes looks for the culprit. The auditor (and I know this isn't as sexy) looks for
material misstatements.

The detective and the auditor are both looking for the same thing: evidence. And the deft use of
tools can lead to success. A key instrument (procedure) available to auditors is planning
analytics.

8
When to Create Planning Analytics
Create your preliminary analytics after gaining an understanding of the entity. Why? Context
determines reasonableness of numbers. And without context (your understanding of the
entity), changes in numbers from one year to the next may not look like a red flag--though
maybe they should.

Therefore, learn about the entity first. Are there competitive pressures? What are the company's
objectives? Are there cash flow issues? What is the normal profit margin percentage? Does the
organization have debt? Context creates meaning.

Additionally, create your comparisons of numbers prior to creating your risk assessments.
After all, the purpose of the analytical comparisons is to identify risk.

But before creating your planning analytics, you first need to know what to expect.

Developing Expectations
Knowing what to expect provides a basis for understanding the changes in numbers from
year to year.

Expectations can include:

 Increases in numbers
 Decrease in numbers
 Stable numbers (no significant change)

In other words, you can have reasons to believe payroll (for example) will increase or decrease.
Or you might anticipate that salaries will remain similar to last year.

Examples of Expectations Not Met

Do you expect sales to decrease 5% based on decreases in the last two years? If yes, then an
increase of 15% is a flashing light.

Or maybe you expect sales to remain about the same as last year? Then a 19% increase might be
an indication of financial statement fraud.

But where does an auditor obtain expectations?

Sources of Expectations

Expectations of changes can come from (for example):

 Past changes in numbers

9
  Discussions with management about current year operations
 Reading the company minutes
 Staffing reductions
 Non-financial statistics (e.g., decrease the number of widgets sold)
 A major construction project

While you'll seldom know about all potential changes (and that's not the goal), information--such
as that above--will help you intuit whether change (or a lack of change) in an account balance is
a risk indicator.

Now, let's discuss the best types of planning analytics.

The Best Types of Planning Analytics

Auditing standards don't specify what types of planning analytics to use. But some, in my
opinion, are better than others. Here's my suggested approach (for most engagements).

First, create your planning analytics at the financial statement reporting level. Why? Well,
that's what the financial statement reader sees. So, why not use this level (if you can)? (There is
one exception in regard to revenues. See Analytics for Fraudulent Revenue Recognition below.)

The purpose of planning analytics is to ferret out unexpected change. Using more granular
information (e.g., trial balance) muddies the water. Why? There's too much information. You
might have three hundred accounts in the trial balance and only fifty at the financial statement
level. Chasing down trial-balance-level changes can be a waste of time. At least, that's the way I
look at it.

10
Second, add any key industry ratios tracked by management and those charged with
governance. Often, you include these numbers in your exit conference with the board (maybe in
a slide presentation). If those ratios are important at the end of an audit, then they're probably
important in the beginning.

Examples of key industry ratios include:

 Inventory turnover
 Return on equity
 Days cash on hand
 Gross profit
 Debt/Equity

Okay, so we know what analytics to create, but how should we document them?

Analytics for Fraudulent Revenue Recognition

AU-C 240.22 says, "the auditor should evaluate whether unusual or unexpected relationships that
have been identified indicate risks of material misstatement due to fraud. To the extent not
already included, the analytical procedures, and evaluation thereof, should include procedures
relating to revenue accounts."

The auditing standards suggest a more detailed form of analytics for revenues. AU-C 240.A25
offers the following:

 a comparison of sales volume, as determined from recorded revenue amounts, with production
capacity. An excess of sales volume over production capacity may be indicative of recording
fictitious sales.
 a trend analysis of revenues by month and sales returns by month, during and shortly after the
reporting period. This may indicate the existence of undisclosed side agreements with
customers involving the return of goods, which, if known, would preclude revenue recognition.
 a trend analysis of sales by month compared with units shipped. This may identify a material
misstatement of recorded revenues.

In light of these suggested procedures, it may be prudent to create revenue analytics at a more
granular level than that shown in the financial statements.

How to Document Planning Analytics

Here are my suggestions for documenting your planning analytics.

1. Document overall expectations.

2. Include comparisons of prior-year/current-year numbers at the financial statement level. (You
might also include multiple prior year comparisons if you have that information.)
3. Document key industry ratio comparisons.

11
 4. Summarize your conclusions. Are there indicators of increased risks of material misstatement? Is
yes, say so. If no, say so.

Once you create your conclusions, place any identified risks on your summary risk assessment
work paper (where you assess risk at the transaction level--e.g., inventory).

Use Filtered Analytical Reports with Caution (if at all)

Some auditors use filtered trial balance reports for their analytics. For instance, all accounts with
changes of greater than $30,000. There is a danger in using such thresholds.

What if you expect a change in sales of 20% (approximately $200,000) but your filters include:

 all accounts with changes greater than $50,000, and

 all accounts with changes of more than 15%

If sales remain constant, then this risk of material misstatement (you expected change of 20%,
but it did not happen) fails to appear in the filtered report. The filters remove the sales account
because the change was minimal. Now, the risk may go undetected.

Developing Conclusions
I am a believer in documenting conclusions on key work papers. So, how do I develop those
conclusions? And what does a conclusion look like on a planning analytics work paper?

First, develop your conclusions. How? Scan the comparisons of prior year/current year
numbers and ratios. We use our expectations to make judgments concerning the
appropriateness of changes and of numbers that remain stable. Remember this is a judgment, so,
there's no formula for this.

No Risk Identified

Now, you'll document your conclusions. But what if there are no unexpected changes? You
expected the numbers to move in the manner they did. Then no identified risk is present. Your
conclusion will read, (for example):

Conclusion: I reviewed the changes in the accounts and noted no unexpected changes. Based on
the planning analytics, no risks of material misstatement were noted.

Risk Identified

Alternatively, you might see unexpected changes. You thought certain numbers would remain
constant, but they moved significantly. Or you expected material changes to occur, but they did
not. Again, document your conclusion. For example:

12
Conclusion: I expected payroll to remain constant since the company's workforce stayed at
approximately 425 people. Payroll expenses increased, however, by 15% (almost $3.8 million). I
am placing this risk of material misstatement on the summary risk assessment work paper at
0360 and will create audit steps to address the risk.

Now, it's time to place the identified risks (if there are any) on your summary risk assessment
form.

Linkage to the Audit Plan

I summarize all risks of material misstatements on my summary risk assessment form. These
risks might come from walkthroughs, planning analytics or other risk assessment procedures.
Regardless, I want all of the identified risks--those discovered in the risk assessment
process--in one place.

The final step in the audit risk assessment process is to link your identified risks to your audit
program.

Overview of Risk Assessment and Linkage

Now, I tailor my audit program to address the risks. Tailoring the audit program to
respond to identified risks is known as linkage.

Audit standards call for the following risk assessment process:

 Risk assessment procedures (e.g., planning analytics)

 Identification of the risks of material misstatement
 Creation of audit steps to respond to the identified risks (linkage)

Summary of Planning Analytics Considerations

So, now you know how to use planning analytics to search for risks of material misstatement--
and how this powerful tool impacts your audit plan.

Let's summarize what we've covered:

1. Planning analytics are created for the purpose of identifying risks of material misstatement
2. Develop your expectations before creating your planning analytics (learn about the entity's
operations and objectives; review past changes in numbers for context--assuming you've
performed the audit in prior years)
3. Create analytics at the financial statement level, if possible
4. Use key industry ratios
5. Conclude about whether risks of material misstatement are present
6. Link your identified risks of material misstatement to your audit program

13
If you have thoughts or questions about this post, please let me know below in the comments
box. Thanks for reading.

First-Year Businesses and Planning Analytics

You may be wondering, "but what if I my client is new?" New entities don't have prior numbers.
So, how can you create planning analytics?

First Option

One option is to compute expected numbersng non-financial information. Then compare the
calculated numbers to the general ledger to

So, yes, it is possible to create useful risk assessment analytics–even for a first-year company.

Learn from my CPA Hall Talk newsletter!

Get my free weekly accounting and auditing digest with the latest content.

https://internalaudit.ku.edu/project-process

The Audit Process

There are five phases of our audit process: Selection, Planning, Execution, Reporting,
and Follow-Up.

Selection Phase

Internal Audit conducts a University-wide risk assessment near the end of each calendar
year. We develop the audit plan for the subsequent year based on the results of this
assessment and the department’s available resources. The Chancellor and the Fiscal
Affairs and Audit Committee of the Kansas Board of Regents review the audit plan
before it is executed.

Planning Phase

During the planning phase of each project, the Internal Audit staff gather relevant
background information and initiate contact with the client. Auditors meet with

14
 University leadership and clients to identify risks and determine the objectives and scope
of the audit as well as the timing of fieldwork and the report distribution.

Execution Phase

Once the audit is planned, fieldwork is executed by the Internal Audit staff. Clients are
kept informed of the audit process through regular status meetings. We discuss audit
observations, potential findings, and recommendations with the client as they are
identified.

Reporting Phase

A summary of the audit findings, conclusions, and specific recommendations are

officially communicated to the client through a draft report. Clients have the opportunity
to respond to the report and submit an action plan and time frame. These responses
become part of the final report which is distributed to the appropriate level of
administration.

Follow-Up

Internal Audit follows up on all audit findings within one year of when the report was
issued.

https://smallbusiness.chron.com/sixstep-audit-process-17816.html

Six-Step Audit Process

by Sharon Penn; Updated February 04, 2019

Related Articles

 1 What Are the 4 Types of Audit Reports?

 2 What Does the Process of Performing an External Audit Include?
 3 Phases of the Audit Process
 4 Conduct a Financial Audit

An audit is a formal check of financial accounts of an individual, business or organization.

An internal audit is conducted by members of the same organization or business, and an

15
external audit may be conducted by a regulatory agency or governmental agency. There are
six specific steps in the audit process that should be followed to ensure a successful audit.

Requesting Financial Documents

After notifying the organization of the upcoming audit, the auditor typically requests
documents listed on an audit preliminary checklist. These documents may include a copy of
the previous audit report, original bank statements, receipts and ledgers. In addition, the
auditor may request organizational charts, along with copies of board and committee minutes
and copies of bylaws and standing rules.

Preparing an Audit Plan

The auditor looks over the information contained in the documents and plans out how the
audit will be conducted. A risk workshop may be conducted to identify possible problems.
An audit plan is then drafted.

Scheduling an Open Meeting

Senior management and key administrative staff are then invited to an open meeting during
which the scope of the audit is presented by the auditor. A time frame for the audit is
determined, and any timing issues such as scheduled vacations are discussed and handled.
Department heads may be asked to inform staff of possible interviews with the auditor.

Conducting Onsite Fieldwork

The auditor takes information gathered from the open meeting and uses it to finalize the audit
plan. Fieldwork is then conducted by speaking to staff members and reviewing procedures
and processes. The auditor tests for compliance with policies and procedures. Internal
controls are evaluated to make sure they're adequate. The auditor may discuss problems as
they arise to give the organization an opportunity to respond.

Drafting a Report
The auditor prepares a report detailing the findings of the audit. Included in the report are
mathematical errors, posting problems, payments authorized but not paid and other
discrepancies; other audit concerns are also listed. The auditor then writes up a commentary
describing the findings of the audit and recommended solutions to any problems.

Setting Up a Closing Meeting

The auditor solicits a response from management that indicates whether it agrees or disagrees
with problems in the report, a description of management's action plan to address the

16
problem and a projected completion date. At the closing meeting, all parties involved discuss
the report and management responses. If there are any remaining issues, they're resolved at
this point.

References (3)

 10 Steps of the Audit Process

 The Basics of External Audit
 Internal and External Audits: Understanding Their Impact on Small Businesses

About the Author

Sharon Penn is a writer based in South Florida. A professional writer since 1981, she has
created numerous materials for a Princeton advertising agency. Her articles have appeared in
"Golf Journal" and on industry blogs. Penn has traveled extensively, is an avid golfer and is
eager to share her interests with her readers. She holds a Master of Science in Education.

https://bizfluent.com/how-does-5296119-steps-audit-process.html

10 Steps of the Audit Process

Reviewed by: Michelle Seidel, B.Sc., LL.B., MBA
Written by: Annie Sisk Updated November 21, 2018

An audit is an objective analysis and examination of some aspect of a company’s

operations to confirm the extent to which the organization is in compliance with expected
standards. Audits can have different purposes. A financial audit looks at a company’s
financial records to make sure they’re correct. A compliance audit is designed to ensure
the company is complying with applicable regulations or laws. In most cases, an audit
consists of several steps or phases that are designed to ensure the most accurate, objective
and reliable results. The process for a specific audit will depend on what type of audit is
being performed, as well as what set of standards govern the auditor’s work.

Notification

Audits begin with the issuance of some kind of notification to the company or
organization being audited. The notification letter generally will specify the purpose of
the audit, when it will be conducted and the date and time of an initial meeting the
auditors would like to schedule with the company’s leaders.

17
The notification will also list what documents the auditor wants to examine. For a
corporation, this can include articles of incorporation, the recorded minutes of any board
meetings, an organizational chart, correspondence, sales records and more.

Planning Process

After the notification is sent, the auditor will take some time to plan the audit. This is
done before meeting with the organizational leadership in order to craft the appropriate
strategy for that meeting and the fieldwork that follows. Auditors also need to identify the
key areas of inquiry and concern and the specific information they wish to examine in
order to analyze those areas. This also gives the company time to gather the requested
documents.

Video of the Day

Brought to you by Techwalla

Brought to you by Techwalla

Initial Meeting

The planning stage usually leads to an initial meeting between the senior management of
the company and the auditors. Administrative staff may also be present. The purpose of
the meeting is to give the auditors an opportunity to explain the process, as well as to give
the organization a chance to express any practical, strategic or scheduling concerns they
may have.

Fieldwork

Fieldwork is the first active auditing stage. A more detailed schedule is usually drawn up
so that the auditor’s presence isn’t too disruptive to business. Interviews with key
employees may take place to investigate business procedures and practices. Auditors may
also perform sample document checks, to make sure the company’s document creation
and retention practices are sound.

The fieldwork may be conducted by a few auditors or a larger team, depending on the
size and scope of the audit.

Communication

While the fieldwork is carried out by the auditing team on-site at the company’s
premises, the team should be in regular contact with the corporate auditor in order to
clarify procedures and ensure proper access to needed documents.

18
Draft Audit

When the auditing team completes the fieldwork and document review, the auditors
prepare a draft audit report. This document details the purpose of the audit, the
procedures the auditors used, the documents reviewed and the audit’s findings. It will
also likely include a preliminary list of unresolved issues. The draft report is circulated
among the team for review and suggested revisions.

Management Response

After the auditing team makes the last revisions to the audit report, the final document is
given to management for its review and response. The audit document usually asks
management to respond to each of the audit’s findings and conclusions by stating
whether it agrees or disagrees with the problems cited, the plan to correct any observed
problems or deficiencies and the expected date by which all issues will have been
addressed.

Exit Meeting

Following the management response, which may be formally attached to the final audit
report, a formal exit meeting may be scheduled with the company being audited to close
any existing loose ends or answer questions, discuss the management response and
address the scope of the audit.

Distribution of Audit Report

The finalized audit report is distributed to all necessary stakeholders, including inside and
outside the area audited, if applicable.

Feedback

Finally, the audited company implements the changes recommended in the audit report,
then the auditors review and test how well those changes solve the identified problems or
issues. The feedback between the company and the auditors continues until all issues are
resolved and the next audit cycle begins.

References

 AuditNet: The Internal Audit Process From A to Z - How it Works

 AccountingEdu: What Is Auditing?
 Investopedia: Definition - Audit
 The Economist: What Is an Audit For?

19
About the Author

Annie Sisk is a freelance writer who lives in upstate New York. She holds a B.A. in
Speech from Catawba College and a J.D. from USC. She has written extensively for
publications and websites in the business, management and legal fields.

https://www.bm-sms.co.jp/eng/ir/corporate-governance/audit/

Auditing Structure

The Internal Audit Department (four persons), which is under the direct supervision of
the CEO, implements internal audits of the operations of all departments based on the
rules and regulations of internal audits and the Internal Audit Plan determined each term.
The results of these audits are reported to directors and Audit & Supervisory Committee
members. The CEO issues instructions for improvement to each relevant department
based on audit results, and the efficacy of internal audits is secured by requiring written
reports on the status of improvements.

Audits by the Audit & Supervisory Committee

The Audit & Supervisory Committee comprises three outside directors. The Company
appoints Audit & Supervisory Committee members who have a deep understanding and
knowledge of the business environment and who are experts in various fields, including
legal and accounting/tax experts. These members also do not present any conflict of
interest with general shareholders. Based on the Audit Policy and Audit Plan determined
by the Audit & Supervisory Committee, Audit & Supervisory Committee members
conduct audits of the business execution of directors by investigating matters such as the
status of operations and financial assets. Also, Audit & Supervisory Committee members
attend other important meetings, including meetings of the Executive Committee, sharing
opinions and inspecting important documents circulated for approval and other related
materials. In these ways, Audit & Supervisory Committee members carry out their audits.
As a general rule, the Audit & Supervisory Committee Meeting is held once a month.
Through mutual contact and cooperation performed in an appropriate manner, the Audit
& Supervisory Committee conducts audits on the various risks that are difficult to
visualize within organizational management in a manner that is independent from
business execution.

20
Accounting Audits

As for accounting audits, the Company has concluded an audit contract with Ernst &
Young ShinNihon LLC. Ten certified public accountants assist with accounting audit
work, in addition to twenty-nine other members.

Mutual Cooperation between the Audits by Audit & Supervisory Committee, Internal
Audit Department, and Accounting Auditors as well as the Relationship of Audits with
the Internal Control Department

The Audit & Supervisory Committee cooperates with the Internal Audit Department to
conduct audits. The Audit & Supervisory Committee also receives quarterly reports from
the accounting auditors on the results of accounting audits. Moreover, the Committee
holds meetings with the accounting auditors on a timely basis to exchange opinions and
information, thereby working to realize mutual cooperation. In addition to assisting in the
duties of the Audit & Supervisory Committee, the Internal Audit Department holds
monthly meetings with the Audit & Supervisory Committee, where reports are made on
the results and progress of audits, including the Audit Plan, and opinions and information
are exchanged. The Internal Audit Department also reports on the operational status of
the Company’s internal reporting system. In these ways, the department aims to achieve
mutual cooperation with the Audit & Supervisory Committee. Moreover, the department
exchanges opinions and information related to internal controls and governance based on
the Financial Instruments and Exchange Act with accounting auditors. In doing so, the
department facilitates close cooperation in order to improve the efficacy and efficiency of
audits. Also, the Internal Control Department evaluates issues raised by these various
types of audits and makes efforts to implement the necessary response.

21