Internal Audit Guide


Internal Audit step-by-step guide.

Preparing for an audit announcement letter. Step -1

● The audit management team will make decisions on audit plans and share the audit announcement letter. The
announcement letter should include the following details:
○ Date and location of the audit.
○ Name of the Auditor.
○ Scope of the audit.
● After the letter is shared and acknowledgment is received from the auditee, further steps can be taken.

Pre-Audit Meeting. Step -2

● After acknowledgment by the auditee, a pre-audit meeting will be scheduled with the SPOC.
● In this meeting, an introduction to the internal audit process will be provided along with an understanding of the
basics and structure of the department.
● Once the department is understood, any doubts about the processes can be addressed. Possible risks will also be
observed passively by asking queries about the department's processes.
● Documents such as department charts, SOPs, procedure manuals, and goals & objectives will be requested (copies
of these documents will be collected via email for accountability).
● An audit plan memorandum document for internal use will be prepared.

Prepare an audit plan memorandum document for internal use. Step -3

● After completing the pre-audit, a document known as the Audit Plan Memorandum (APM) will be prepared for
internal use. The APM should include the following details:
○ Start date of the Audit (Timeline).
○ Scope of the audit.
○ Processes of the department.
○ Identified possible risks.
○ Explanation of the audit process conducted.
● This document will be useful for audits of our department and will demonstrate the effectiveness of the audit.

Prepare Pre-RCM (Risk Control Matrix). Step -4

● Identified risks from the APM should be noted down in a column of the Pre-RCM document. Associated controls
should be added to the possible risks. Based on the Pre-RCM document, a detailed audit can be conducted.

Fieldwork. Step -5

● Sampling tests for possible risks from the Pre-RCM document should be conducted to confirm the risks.
Confirmed risks should be added to the RCM document.
● All necessary information and evidence associated with the confirmed risks should be collected. Risks should be
discussed with the co-auditor, and a Final RCM document and Draft audit report should be prepared.
● These documents should be shared with the internal audit manager, and working papers should be collected to
provide supporting evidence to convince the auditee. Acknowledgment from the auditee about the risks in the
RCM should be obtained.

Post-Audit. Step -6

● Follow up with the auditee every month until the due date and close the audit findings by collecting evidence from
the auditee according to those findings.
● Check the effectiveness of the control evidence applied to the findings and confirm whether they are closed.

Key Points to Take Away:

Audit Announcement Letter:
○ Clearly state the audit details: date, location, and auditor's name.
○ Define the audit scope for clarity.

Pre-Audit Meeting:
○ Schedule a meeting with the SPOC after receiving acknowledgment.
○ Introduce internal audit processes, understand department structure, and request necessary documents.

Audit Plan Memorandum (APM):
○ Document audit timeline, scope, processes, identified risks, and audit procedures.
○ Use APM as an internal reference and to demonstrate audit effectiveness.

Pre-RCM Preparation:
○ Note identified risks and associated controls in the Pre-RCM document.
○ Use Pre-RCM for detailed audit planning and risk assessment.

Fieldwork:
○ Conduct sampling tests to confirm identified risks.
○ Add confirmed risks to the RCM document with supporting evidence.
○ Prepare a Final RCM document and Draft audit report for review.

Post-Audit Follow-Up:
○ Follow up with the auditee regularly until findings are closed.
○ Collect evidence and assess control effectiveness for closure.
