Audit Process: How to Successfully

Plan Audit

What is an Internal Audit?

As defined by the Institute of Internal Auditors (IIA), internal

audit is an independent, objective assurance and consulting
activity designed to add value and improve an organization's
operations. It helps an organization accomplish its objectives
by bringing a systematic, disciplined approach to evaluate
and improve the effectiveness of risk management, control,
and governance processes.

Types of Audits
First-Party Audits: These are performed within an organization to measure its
strengths and weaknesses against its own procedures or methods and/or
external standards. Internal audits are first-party audits and are conducted by
auditors who are employed by the company being audited, but have no vested
interest in the audit results of the area(s) being audited.
Second-Party Audits: These are external audits performed on a supplier by a
customer or by a contracted firm (consulting firm) on behalf of a customer.
Third-Party Audits: These are external audit performed on a supplier or
regulated entity by an external participant other than a customer. They are
conducted for recognition or registration purposes are performed either by
Extrinsic Regulatory (FDA, FAA, NRC, USDA) or Registrars (ISO9001, AIB, JCAHCO
).

Phases of Audit Program

Plan

Do

Check

Act

Establishing the Audit Program

Objectives and extent of audit
Responsibilities, resources, and procedures related to the audit program

Implementing the Audit Program

Scheduling audits and selecting the audit team
Directing audit activities and maintaining records

Monitoring the Audit Program

Monitoring and reviewing the audit program
Identifying needs for corrective and preventive actions

Improvement
Improving the Audit Program
Identifying needs for continual improvement

Plan Audit Properly

During the planning phase, the following has to be done:

The purpose of the audit

A complete description of the GRC program. This should include
details such as the entity which is to be audited and the key measures
of the program
The scope of the audit and the scope exclusions
The objective of the audit and the approach to be taken
A high level schedule of the audit and a detailed timeline
The necessary skills needed to complete the audit
The selection of members of the internal audit team
Any other resources required for successful completion of the audit
Document management and archival/ retention policies and processes

Define Audit Scope and Objectives

Defining the scope of the audit and its objectives is an important

part of planning the process, ensuring that the audit is carried
out successfully.
In order to conduct a successful GRC program audit, the auditors
need to have a thorough understanding of the following:
The organizations culture, business, strategic goals and objectives
Key risks that the program and the organization face
The organization and structure of the GRC program and its future
evolution

Auditors must determine the following:

The major operational processes
Various initiatives being implemented within the organization
The IT systems that support the operation of the GRC program

Audit Objectives
An audit of a GRC program should have the following objectives:

Evaluate the tone at the top Is it proper and effective in promoting a culture that
is ethical and compliant?
Check if the program provides reasonable assurance of compliance with
organizational policies and all applicable laws and regulations.
Determine if the motivation/incentive/reward system is well planned and structured.
Determine if the GRC program has a robust management framework that is well
documented and has enough resources to carry out its tasks.
Check whether the GRC program has been implemented and if the programs
performance reporting system accurately represented the end results of the
programs efforts.
Conduct a cost-benefit analysis of the GRC program.
Determine whether the program is up-to-date with prevailing industry practices and
is adequate for the size and complexity of the organization.
Include other audit objectives that the board or management has requested.

Want to learn more about audit, its process and

best practices for auditing? ComplianceOnline
webinars and seminars are a great training
resource. Check out the following links:
Risk Based Internal Auditing (RBIA)
Internal Auditing Essentials for Medical
Device Manufacturers
How to Audit GRC Programs?
Role of the Audit Committee in Corporate
Governance
Internal Audit's Role in Enterprise Risk
Management
OCEG Approved GRC (Governance, Risk and
Compliance) Professional Seminar
Auditing Technology and IT Investment