From customer feedback we know that, for those unfamiliar with the internal audit process, a call on a Monday morning saying “we would like to audit you in three weeks time” can be a stressful experience.
An internal audit is an independent way of providing assurance to management that risks are being mitigated and that systems and processes are working effectively; it is not designed to “catch you out” or pick you up on lots of petty issues that you already know about.
We set out below the key steps in the audit process and what you should expect of us. If, after reading this document, you are still a little anxious about the audit, please do contact one of the team. Our contact numbers can be found at https://www.devonaudit.gov.uk/contact-us/
Planning the audit
Our Annual Audit plan
Each year we agree with management (and the Audit committee) a plan of work for the coming financial year. This gives a “high level” overview of the key risks facing the organisation and where it is felt that internal audit can be of assistance.
This high level plan usually refers only to the subject area (e.g. Creditor payments) but will give you an idea if your service area is likely to be reviewed in that year. The audit plan is a public document and can be found on your organisations website, usually as part of the agenda pack for the February or March audit committee.
Our auditors then try to divide this annual plan into quarters – this tries to reflect when will be a good time in the year to complete work. For example, it is best to review grounds maintenance arrangements during the summer when most activity is taking place.
One of our audit team will contact your section manager to discuss and agree an outline audit brief and the timing for the audit.
The auditor will make arrangements to meet with the section manager to discuss how we can best assist the service and prepare the audit brief. This brief will set out:-
- The key areas for review
- The audit team assigned to the work
- Expected start and end date and the first date that we will be on site.
At this stage we would be very interested in any particular customer needs that you may have. We can adjust our service to meet your requirements, and ensure that you get the most out of our service
Our auditors are experienced in completing audit engagements and appreciate that this can be a stressful time for staff and that you still have the day job to complete.
Generally, we like to spend an hour or so with key staff understanding your processes and how this helps mitigate risks. It is very helpful if you have system notes to hand as this will help the team identify the key elements (controls) within your process.
At this stage please feel free to tell the auditor of any proposed changes – e.g. if a process is not working that well, but you are looking to change it, please do tell us. We can help in the development of controls that can prevent issues occurring at a future time
Once we have agreed the key controls with you we generally aim to test how the controls actually work in practice. The auditor may need to select a sample to work from; if you can provide an extract of transactions that occurred in, say, the last 6 months then this will assist. Any data you provide us will be treated with the utmost confidentiality; however please try to de-personalise any data you give us (e.g. use reference numbers rather than names) as we would rather hold non-sensitive data.
The auditor will try to complete their testing “in the background” allowing you to get on with your work. It is likely that they will need to clarify issues as they occur, but we do try to minimise our impact on you. If you would rather have an agreed time (say mid afternoon) to run through issues in a batch please do let us know.
Once most of our testing has been completed the audit team on site will provide you with a verbal feedback on their work – this will include any major concerns identified and suggestions on how these could be addressed.
If the audit will require more time, then the auditor will also let you know this.
All of our work is subject to strict quality control arrangements. The work completed by the audit team will need to be reviewed by a senior auditor before a draft report is prepared.
We aim to provide this draft report to you within 5 days of the completion of our fieldwork.
The draft report sets out our findings and audit opinions and, if appropriate, our recommendations for improving controls. Our recommendations will be prioritised into “high, medium or low” categories.
We ask that you consider the draft report and let us know of any factual errors or omissions. We would be happy to meet with you to discuss our findings.
We ask that management provide responses to any recommendations made, the time frame for implementing these actions, and this will form an action plan.
Once you have had a chance to comment and respond to our draft report we will issue our final report. We aim to issue the final report within 2 days of receiving your responses.
We aim to follow up recommendations that are of a high or medium priority. This will be at least 6 months after the end of the audit, giving you time to implement changes. We generally ask for written confirmation that recommendations have been put into practice, but may also arrange to re-visit you to check new arrangements are working effectively.
We are very keen to ensure we provide an excellent, customer focused service for you. When we issue our final report we shall also issue our customer satisfaction form. We shall be very grateful if you could find the time to complete and return this to us.
We trust that this brief summary takes you through the key stages of an audit, but please do feel free to contact one of the team if you wish to discuss further.