To improve how well your company deals with risks…

Monitor business activities and key performance indicators continuously -

Internal auditors must keep abreast of what’s happening in the organization’s environment. We suggest that a framework be established in which internal auditors attend executive committee meetings, obtain important management reports and identify and meet with key department heads throughout the year.

Coordinate process evaluations among all risk management functions -

Evaluate quality control, security, physical asset review and credit administration processes so that the work of other departments may be leveraged where possible.  Review the scope of their activity and consider their results in developing an internal audit plan.  Rather than just using independently drawn samples for testing, examine internal quality control efforts throughout the company and selectively validate the results. Coordinate the timing of internal audits with each department’s internal quality control efforts, draw on internal department findings to determine where problems occurred and suggest process improvements.

Develop an internal audit plan based on risk priorities -

Rather than scheduling audits according to a standard cycle of one-, two- or three-year rotations, base the frequency of audits on a business area’s risk factors, such as previous poor audit ratings or significant changes in personnel. This allows a focus on the highest risk priorities within the company and devotion of appropriate resources to new and changing areas. Also train line managers to update their own risk assessment systems and methodologies—for example, by showing them how to implement steps to monitor quality control and review segregation of duties.

Get involved in technology projects -

Internal auditors should be involved in activities such as systems development and conversions, process reengineering, new products and services, mergers and acquisitions and the analysis of new IT policies. Look at controls before technology teams implement them and take steps to address IT risks rather than reacting to problems after they occur. Before management installs a major new system, identify supporting applications that would affect operational processes, business resumption plan requirements and network security issues, such as controlling user access and ensuring that supporting applications interacting with existing systems had proper controls.

Develop effective reporting -

Coordinate with management to develop a formal internal audit report to provide management and the reviewed business unit with conclusions and a balanced perspective. An executive summary, following an opinion on whether the three COSO internal control objectives have been met, should provide a review of the business area’s purpose, major systems initiatives, key accomplishments and successes as well as the auditors’ observations.  To follow up, the auditors track their observations and local management’s responses and report monthly to executive management and quarterly to the audit committee.

Sample Audit Report

ABC Company Audit Report

Sample Audit Report