1. What is Internal Auditing?

The Institute of Internal Auditors defines internal

auditing as follows:

a. Traditional Definition: Internal Auditing is an independent appraisal function

established within an organization to examine and evaluate its activities as a service to
the organization. The objective of internal auditing is to assist members of the
organization in the effective discharge of their responsibilities. To this end, internal
auditing furnishes them with analyses, appraisals, recommendations, counsel, and
information concerning the activities reviewed. The audit objective includes promoting
effective control at reasonable cost.

b. Recently Revised Definition: Internal auditing is an independent, objective assurance

and consulting activity designed to add value and improve an organization's operations. It
helps an organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control and
governance processes.

2. Are there different types of audits? Yes, there are five basic types of audits as well
as other miscellaneous audits:

a. Financial Audit - This type of audit is performed in order to express an opinion on the
reliability of information contained in official financial statements prior to publication.
External auditors are responsible for conducting required financial audits of the
organization. Internal audit may perform some work related to the financial statements
that the external auditor's rely on, so our role is one of assistance.

b. Operational Audit - It is a comprehensive review of the varied functions within an

organization to appraise the efficiency and economy of operations and the effectiveness
with which those functions achieve their objectives. Internal controls are reviewed from a
cost-benefit standpoint.

c. Compliance Audit - A review of financial transactions and/or operating controls to

determine how well they conform with established laws, standards, regulations and
procedures.

d. Investigative or Fraud Audit - These audits are performed to investigate incidents of

possible fraud or misappropriation of assets.

e. Information Systems Audit - This type of audit addresses the control environment of
computer information systems and how they are used. This is a technical review that may
include evaluating system input, processing and output controls, data and physical
security, contingency planning and disaster recovery, system administration, etc.
f. Miscellaneous audits - This category includes: 1) advisory audits which are conducted
at the specific request of a manager, pertaining to any function under his or her
responsibility, 2) specific complaint audits or 3) random records audits.

3. What steps are involved in the audit process? Every audit is unique and the order
that steps are performed may vary or overlap, however, a formal operational audit would
typically include the following:

a. Engagement Memo - Prior to the beginning of an audit, appropriate administrators are

notified of the pending audit and apprised of the audit objectives. Certain preliminary
information may be requested at this time, such as organization charts, internal office
procedure's manuals, etc.

b. Planning - During this phase of the audit, background information on the area to be
audited is obtained from a number of sources in order to learn as much as possible about
the area. Applicable policies and procedures are reviewed, as well as applicable laws and
regulations. Any prior audits of the area are also reviewed. Employees may be
interviewed and Internal Control questionnaires distributed. An audit plan is prepared.

c. Entrance Conference - This is a meeting between the managers of the area being
audited and internal audit personnel. The scope of the audit will be discussed at this
meeting as well as any scheduling concerns. Every reasonable attempt will be made to
schedule audit procedures around busy times. We want the audit to be as least disruptive
as possible to normal operations. Managers are given the opportunity to share any
concerns that they may have. If there is a particular area of concern that a manager would
like to have reviewed, we will include it in our audit plan.

d. Fieldwork - This phase may include interviewing employees, flow charting processes
and testing transactions. Some of the work will be performed in the area under audit, and
some of the work will be performed in our office. Appropriate managers are kept
informed of any findings as the audit progresses.

e. Draft Report - Once fieldwork is completed, a draft of the audit report will be written
which will state procedures performed, findings and observations, and any
recommendations for improvement. The draft will be provided to the manager in charge
of the area under audit and anyone else deemed appropriate by the manager at this stage.
Management will be asked to provide written responses to our recommendations that will
be included in the final report.

f. Exit Conference - This is a meeting between departmental management and internal

audit personnel to discuss the results of the audit and to go over the draft report. If
management discovers any factual errors or believes that we have misinterpreted
anything, they should inform us at this meeting so that we can make corrections before
the report is seen by anyone else. On occasion, there may be items that we don't feel are
appropriate to include in the written report but need to be brought to the attention of
management. We will discuss any such items during the exit conference and/or include
them in a separate management letter.

4. Audit Report - Once any agreed upon changes are made to the audit report, a draft of
the final report will be provided to departmental management that includes their
responses to our recommendations. It may be appropriate to included other managers
higher on the chain-of-command at this stage, if not included previously. Once final
review and approval is obtained from departmental management, the audit report is
distributed. The final report may be addressed to the Board, Audit Committee,
CEO/CFO and appropriate managers of the audited area.

5. Follow Up - Audit Services will follow up on all audit findings and recommendations
as time permits, to determine progress made in implementing recommendations. A
written status report will be provided to the same individuals who received a copy of the
Audit Report. One additional follow up may be performed if necessary, however, any
items not cleared by the time the first follow-up is completed, may be referred to the
Audit Committee, CEO or CFO.

6. What is included in an audit report? A formal audit report for a routine

operational or compliance audit generally includes some or all of the following sections:
a) Cover Sheet, b) Executive Summary, c) Table of Contents, d) Background
Information, e) Audit Scope & Purpose, f) System of Internal Controls, g) Summary &
Conclusions, h) Status of Prior Findings and Comments (if applicable), i) Detailed
Findings, Observations & Recommendation (management responses to our
recommendations will be included in the final report), and j) any attachments or
appendices as appropriate.

A limited procedures audit or review where we examine one specific item or a very
limited number of items, or a review done at the request of management, may be written
in the form of an Audit Memorandum as opposed to a formal report and may combine or
eliminate some of the above sections. It generally does not include the first three items
and is not addressed to the Audit Committee or Board.

An investigative or fraud audit must be tailored to the situation, but will generally
included a Background and Scope & Purpose Section. The issues or allegations under
investigation will be described and details will be outlined. Any applicable rules,
regulation, laws or policies are stated. If appropriate, we will state whether an allegation
is founded (there is evidence to support the allegation), unfounded (there is no evidence
to support the allegation), or unsubstantiated (we cannot determine, based on available
information, whether the allegation is founded or unfounded). Finally, when appropriate,
recommendations to management for corrective action are included. Depending on the
timing of the report, it may also include disposition of the matter.
7. How do you decide what areas should be audited? An audit may be scheduled
based on a formal risk assessment process, at the request of the Audit Committee, senior
manager, or because potential weaknesses in an area have come to our attention, perhaps
through spot-checking of transactions conducted on a random basis or through a whistle-
blower complaint..

The end result of a formal risk assessment process is a ranking, from highest risk to
lowest risk, of "auditable activities" within the organization. An auditable activity could
be a functional unit. It could also be an information system such as a payroll system. In
the risk assessment process, a number of risk factors associated with the activity are
considered, such as: the audit history of the activity, the degree of regulatory compliance
and public scrutiny, the degree of reliance on automated systems, the dollar volume and
liquidity of assets, amount of organizational change, and so on. The risk assessment
process helps us to decide where the scarce resources can best be utilized.

What Is Cost Audit?

It is an audit process for verifying the cost of manufacture or production of any article, on
the basis of accounts as regards utilisation of material or labour or other items of costs,
maintained by the company.

In simple words the term cost audit means a systematic and accurate verification of the
cost accounts and records and checking of adherence to the objectives of the cost
accounting.

As per ICWA London’ “cost audit is the verification of the correctness of cost accounts
and of the adherence to the cost accounting plan.”

How many types of Audit

INTERNAL AUDIT
EXTERNAL AUDIT
STATUTORY AUDIT
TAX AUDIT
FINANCE AUDIT
Correspondence Audit
Office Audit
Field Audit
Continuous Audit
Interim Audit
Final Audit
Partial Audit
CONTINENTAL AUDIT
SPECIAL AUDIT
social audit
performance Audit
Statutory Audit
Nonstatutory Audit

benefits of an internal audit

Internal audit can be beneficial to most organizations because, if planned properly, it
provides management with a methodology to identify those risks that may prevent the
organization from meeting its objectives. For example, if a company has a strategic
objective to raise $20 million in loans to build a new facility there are a number of risks
that may prevent that from occurring. One risk may be the external factor of increased
interest rates. Another risk may be internal risk that management does not qualify for
credit because of covenants they will not be able to meet.

Financial costs of internal audit will vary based upon the size and goal of the internal
audit function. Additionally, the cost will be based upon the resources used to perform
the work (outsource, co-source, in-house). The most significant non-financial cost may be
a negative reputation of the internal audit role throughout the organization. If the function
is not properly established, socialized and executed then the validity of the function could
be jeopardized.

Internal audit can be a value-add activity but often times it is strictly a policing function,
which is sadly an example when the cost of internal audit usually does not exceed its
benefit.