Operational risk management

Easily identify, measure, control and monitor the operational risks of your organization→


security risks

Ensures the confidentiality, integrity and availability of your information assets →



Keep track of all regulations and regulations that your organization must comply with →


Money laundering risk management

Easily identify, establish controls and monitor AML risks→
Piraní Academy

Stages and phases of internal audit

Por Juan Pablo Calle, en April 28, 2020


Learn about the phases of an internal audit process and discover the step-by-step process here.

Pre-audit phase

Before starting the process, a general analysis is performed on the organization to be audited. This way, the audit team can have a better understanding of how processes work and what the entity's objectives are.

The following aspects should be taken into account here:

Legal framework: this is the legal context that regulates the company, its actions and the way in which it establishes relations with other organizations.

Internal regulation: this includes the information generated by the entity itself as a self-regulation mechanism. For example, regulations, agreements, board minutes, resolutions, etc.

Organizational structure: each of the elements that help align all the levels of the organization, such as guiding ideas, mission, principles, values, objectives, goals, processes, methods, technology, finance, etc.

After analyzing this company information, it is classified as follows:

Position of the audited entity.

  • Organizational objectives.
  • Activities performed.
  • Company structure.
  • Resources available.
  • Industry context.
  • Budget.

Audit planning

In this phase of the internal audit, the data collected in the previous stage are used to create an audit plan, which must be agreed with the customer. The audit plan must contain the following information:

  • Objectives, scope and criteria of the audit.
  • Units and areas to be audited within the company.
  • Staff members in charge of the quality of the processes.
  • Priority aspects.
  • Time and duration of inspections: dates and locations.
  • Meeting schedule.
  • Confidential requirements.
  • Structure and delivery of the final report.

Assignment of the audit team

The lead auditor must define the staff members who will be responsible for performing each of the audit activities. To make the process as objective as possible, team members must be free from conflict of interest and must not be involved in the activities they are auditing.

Lead auditor: ensures that the audit plan is followed, that activities are effective, and that the previously defined scope is maintained.

Auditors: are in charge of planning and carrying out the assigned tasks. They collect and analyze evidence and draw conclusions. They document the results and write the reports.

Conducting the audit

This phase of the internal audit begins with an opening meeting, where team members introduce themselves and the plan is reviewed. The methodologies and procedures to be used are also proposed, the necessary resources are defined and the security and emergency procedures are reviewed.

After that, the information collected by the audit team is gathered and analyzed, and it is assessed whether the criteria of the audit plan are being fully complied with.

Once all the evidence is collected, the auditors meet with management and those responsible for the audited functions. At this meeting, the results are presented, disagreements are resolved, and conclusions are discussed.

Preparing the report

The ultimate objective of an internal audit is to disclose the results obtained. In this phase of the audit, the audit report is prepared, which must contain the predetermined information of the initial audit plan, such as customer information, the objectives and scope, the agreed criteria, audit times, the identification of the audit team, the summary of the process, the conclusions, the confidentiality statement and the report distribution list.

Distribution of the report

Once the final report has been prepared and approved, a copy of it should be sent to the person responsible for the corresponding section. The report and documents are delivered to the company's quality manager and Board of Directors for subsequent archiving.

Follow-up of actions

When the final report contains non-conformities, corrective actions are to be proposed and recorded. They must be reported to the quality manager in order to take the corresponding steps and solve them within the stipulated time.  

It is also a good practice to include a checklist in the audit process to help identify the most critical aspects. 

Download a free complete list of indicators and metrics

Nueva llamada a la acción

También te puede interesar

Otros artículos de Riskment

Escribe tu comentario