Risk-based audit plan
The internal audit process begins with the Risk Based Audit Plan, which is updated annually and approved by the Audit Committee of the Board of Governors. Once approved, the Plan becomes a guideline for conducting audits in the coming year. In addition to the audits performed under the Plan, Internal Audit also conducts special audits and consulting work on demand.
In the planning phase, the audit staff reviews any past audit work, looks over literature on the area being reviewed, and makes a preliminary review of the unit budgeted and actual revenues and expenses. The auditors also formulate the audit scope and objectives on which they base the fieldwork phase. The planning phase also includes an introductory meeting to discuss objectives, timelines, and other important information that can ease the internal audit process. At this time, the audit staff may request few pieces of information, such as an organization chart, a contact list and literature describing the unit’s procedures, if available.
In the fieldwork phase, typically the lengthiest part of the audit, the audit staff gathers information about the auditee's operations, gains an understanding of the unit's functions, and identifies both strengths and weaknesses. This work includes reviewing financial activity, administrative and business procedures, overall unit functions, and other activities specific to each section in the unit. The audit staff interviews key personnel, observes unit procedures, and periodically reviews the audit progress with the unit's heads and personnel. Ultimately, this phase allows the audit staff to identify areas of risk and concern in the unit's internal controls and procedures, all of which are discussed with the auditee before or at the conclusion of the fieldwork.
In this phase, all fieldwork results are compiled, presented and discussed with the client. The client must provide action plans with timeframes that address all recommendations. A final summary report then goes to Senior Management and the Audit Committee for review.
Based on timeframes in the action plans, a follow-up is performed to ensure that the required measures have indeed been implemented.