Stages and phases of internal audit

Learn about the phases of an internal audit process and discover the step-by-step process here.

Pre-audit phase

Before starting the process, a general analysis is performed on the organization to be audited. This way, the audit team can have a better understanding of how processes work and what the entity's objectives are.

The following aspects should be taken into account here:

Legal framework: this is the legal context that regulates the company, its actions and the way in which it establishes relations with other organizations.

Internal regulation: this includes the information generated by the entity itself as a self-regulation mechanism. For example, regulations, agreements, board minutes, resolutions, etc.

Organizational structure: each of the elements that help align all the levels of the organization, such as guiding ideas, mission, principles, values, objectives, goals, processes, methods, technology, finance, etc.

After analyzing this company information, it is classified as follows:

Position of the audited entity.

• Organizational objectives.
• Activities performed.
• Company structure.
• Resources available.
• Industry context.
• Budget.

Audit planning

In this phase of the internal audit, the data collected in the previous stage are used to create an audit plan, which must be agreed with the customer. The audit plan must contain the following information:

• Objectives, scope and criteria of the audit.
• Units and areas to be audited within the company.
• Staff members in charge of the quality of the processes.
• Priority aspects.
• Time and duration of inspections: dates and locations.
• Meeting schedule.
• Confidential requirements.
• Structure and delivery of the final report.

Assignment of the audit team

The lead auditor must define the staff members who will be responsible for performing each of the audit activities. To make the process as objective as possible, team members must be free from conflict of interest and must not be involved in the activities they are auditing.

Lead auditor: ensures that the audit plan is followed, that activities are effective, and that the previously defined scope is maintained.

Auditors: are in charge of planning and carrying out the assigned tasks. They collect and analyze evidence and draw conclusions. They document the results and write the reports.

Conducting the audit

This phase of the internal audit begins with an opening meeting, where team members introduce themselves and the plan is reviewed. The methodologies and procedures to be used are also proposed, the necessary resources are defined and the security and emergency procedures are reviewed.

After that, the information collected by the audit team is gathered and analyzed, and it is assessed whether the criteria of the audit plan are being fully complied with.

Once all the evidence is collected, the auditors meet with management and those responsible for the audited functions. At this meeting, the results are presented, disagreements are resolved, and conclusions are discussed.

And to ensure good management of operational risks and include them in the audit, for example, it is advisable to have a technological tool such as our risk management software Pirani, which allows you to associate risks to processes and create controls in a simple way to avoid the materialization of risks or mitigate their impact.

Preparing the report

The ultimate objective of an internal audit is to disclose the results obtained. In this phase of the audit, the audit report is prepared, which must contain the predetermined information of the initial audit plan, such as customer information, the objectives and scope, the agreed criteria, audit times, the identification of the audit team, the summary of the process, the conclusions, the confidentiality statement and the report distribution list.

Distribution of the report

Once the final report has been prepared and approved, a copy of it should be sent to the person responsible for the corresponding section. The report and documents are delivered to the company's quality manager and Board of Directors for subsequent archiving.

Follow-up of actions

When the final report contains non-conformities, corrective actions are to be proposed and recorded. They must be reported to the quality manager in order to take the corresponding steps and solve them within the stipulated time.  

It is also a good practice to include a checklist in the audit process to help identify the most critical aspects.