Internal Audit Process
Andi Focht-Williams, Internal Audit Manager
01: Planning Phase
• Notice: Send written engagement notice of audit start
• Client Meeting: Hold Entrance Conference, the initial meeting with applicable TMRS personnel about conduct of the audit
• Research: Gain an understanding of the audit topic by researching laws and policies/procedures, reviewing previous audit reports and documents, and conducting preliminary interviews
• Risk Assessment: Conduct engagement-level risk assessment to identify objectives, scope, and methodology
• Audit Program: Develop audit procedures for accomplishing audit objectives and document in an audit program
Planning: Terms and Definitions
OBJECTIVES – what the audit is intended to accomplish or
the question the auditor seeks to answer
SCOPE – boundary of the audit, including subject matter,
period of time reviewed, and locations to be included
METHODOLOGY – nature and extent of audit procedures for
gathering and analyzing evidence to address objectives
AUDIT PROCEDURES – specific steps and tests auditors
perform to address the objectives
02: Fieldwork Phase
• Data Request: Request data and information
• Audit Procedures: Perform audit procedures from audit program
• Conclusions: Develop findings and preliminary recommendations
• Client Meeting: Obtain client feedback on findings and recommendations
• Audit Procedures: Review additional client information and update findings and recommendations
Fieldwork: Terms and Definitions
WORKING PAPERS OR AUDIT DOCUMENTATION – records
all audit evidence and supports audit work done to
demonstrate work was performed in accordance with
relevant auditing standards
Observation – physical inspection, walk-throughs
Inquiry – interviews with auditee and related parties
Verification – establish the accuracy, reliability, or
validity of something (e.g., count, compare, confirm,
examine, reconcile, recompute, trace)
Analysis – qualitative and quantitative calculations,
tests, and surveys
FINDING – the results of the evaluation of the collected audit
evidence against audit criteria. A finding may indicate strengths
and deficiencies in internal controls; compliance or noncompliance
with laws, regulations, or contracts;
Elements of a finding:
Criteria – What should be.
Condition – What is.
Cause – Why the condition differs from criteria.
Effect – The consequence or opportunity foregone of difference
between condition and criteria.
Recommendation – Actions to remedy the cause.
03: Reporting Phase
• Preliminary Draft Report: Auditor drafts report that is accurate, objective, clear, concise, constructive, complete, and timely
• Supervisory Review: Experienced auditor reviews draft report and key supporting documentation
• Management Review: Management reviews the draft report and provides feedback and management response
• Client Meeting: Hold Exit Conference to obtain client feedback on draft audit report and answer questions about implementing recommendations
• Report Draft: Compile management’s response and incorporate any other suggestions into updated report draft
• Audit Committee Feedback: Present draft audit report to Audit Committee for review and comment
• Finalize Audit Report: Incorporate Committee feedback and finalize audit report
• Report Distribution: Distribute audit results to Board
9
Reporting: Terms and Definitions
MANAGEMENT RESPONSE – written response to audit findings. The
response should indicate:
Whether management agrees with finding and agrees to
implement recommendation
A brief description of the corrective action plan
The person responsible for implementing the action plan
Timeframe for completing the action plan
NON-REPORTABLE COMMENT OR NON-SIGNIFICANT DEFICIENCIES
– issues generally minor in nature or scope communicated only to
management
Reporting Phase
General Report Content
• Audit report title
• Objectives, scope, and methodology
• Background
• Recognition
• Engagement rating, conclusions, and observations (also referred to as findings)
• Perspective in terms of nature and extent of the issues
• Limitations on reliability or validity of evidence
• Management’s response (corrective action, activity owner, target date for completion)
• Statement about compliance with auditing standards
• Distribution list
04: Follow-up Phase
• Log Prior Audits: Log findings, recommendations, and corrective action plans.
• Management Update: Request status updates on corrective action plans from Senior Management
• Follow-up Work: Verify management assertions for high/moderate priority level findings
• Report Results: Report on status of implementing prior-year recommendations to Senior Management and the Board, including management’s acceptance of risk
Closed: Fully Implemented, Alternative Action Taken, Do Not Intend to Implement, No Longer Applicable
Active: Partially Implemented, Not Implemented
Follow-up: Terms and Definitions
MANAGEMENT ASSERTION – claims made by members of management
regarding certain aspects of business
COMMUNICATING THE ACCEPTANCE OF RISK – if the auditor becomes
aware that management has accepted a level of risk that is unacceptable to
the organization, the risk must be communicated to the Board.
Highly significant risks that the auditor may judge to go beyond TMRS’
tolerance level include:
Those that may harm TMRS’ reputation
Those that could harm people
Those that would result in significant fines, limitations on business
conduct, or other financial/contractual penalties
Material misstatements
Fraud or other illegal acts
Significant impediments to achieving strategic objectives