Audit process
Each year our team prepares a risk-based three year rolling audit plan, which is presented to the audit committee at its September meeting. Approval is sought for projects scheduled for Year 1, with proposed projects for Years 2 and 3 provided to the committee for information only. The 3-year rolling plan is revisited each year to validate risk rankings and identify emerging risk areas, so that these are considered when annually updating the 3-year plan.
The internal audit process involves the following four key phases: planning, fieldwork (detailed examination and analysis), reporting and follow-up.
Phase 1: Planning
We undertake a detailed analysis of the scope, objectives and approach for each internal audit project in the approved audit plan. The scope specifies what will be examined and the engagement objectives define the purpose of the engagement and why each area is being examined. Audit engagements also require that detailed audit criteria be developed for each objective. These predetermined criteria are used as the basis for assessing actual performance.
Phase 2: Fieldwork
The fieldwork phase involves gathering sufficient, relevant, and reliable information on performance for those activities included in the scope of the engagement, and reaching conclusions relative to the engagement objectives.
For audit engagements, this information is the evidence of actual performance and it must be sufficient to allow audit staff to reach conclusions on whether the engagement objectives and audit criteria have been met.
The conclusions reached by internal auditors are their professional opinions, based on evidence collected and analysis performed. Internal auditors also provide recommendations to help management resolve any significant weaknesses identified through the course of the fieldwork that would help improve performance.
Phase 3: Reporting
Reports of progress are provided to management throughout both assurance and advisory engagements. The style of report used for each internal audit may involve a written report.
Phase 4: Follow-up
Internal auditors are expected to monitor actions taken in response to recommendations for improvement and report on the status of the client’s follow-up actions to the Audit Committee. This work can range from evaluating the auditee's response to the report, to a more comprehensive follow-up audit. The extent of follow-up work necessary will vary depending on the risk profile of the audit observation and the related recommendations the nature of the engagement.