Chapter 5: Comprehensive Internal Auditing Process

The structure of audit manuals and the way audits are planned and conducted must follow
the internal auditing standards.
After each audit, Key information should be gathered and stored for each unit audited in
the organization. This should be maintained in a constant format to allow for
comparability in some cases and consolidation in others.

A computerized

system

allows internal auditors to quickly retrieve this information in the same format. As the
comprehensive framework (e.g. categorized in to mandate and objectives, policies and
procedures budgets, results and work plans, organizational structure, human dynamics
and management Information system (MIS).

When the audit information is stored as

described above it provides internal auditors with a quick understanding of each unit in
the organization and the opportunity to consolidates information on particular issues to
come up with a corporate overview.
Internal audit process main focuses on the following points:
1. Auditing to ensure results are achieved
2. Auditing for compliance with laws and regulations.
3. Auditing human resources management
Steps in the audit process: The comprehensive audit process helps auditors structure
audit information, carefully select what to audit, and analyze and interpret findings. This
saves time and leads to better results. For example, consider that an audit was given the
assignment to research and obtain background information of an entity. After a three
volumes of information and arranged it in chronological order.

The auditor was then

assigned to another project in mid-stream and the information was give to another
auditor to complete the audit. Because there was no predetermined structure, the second
auditor had to review the entire three volumes to determine the key issues. Eventually
an audit manager restructured the audit information into all sections of the comprehensive

audit framework and proceeded to conduct the audit.

Had the first auditor properly

arranged the data, it would have saved the record auditor from having to rearrange the
information from a chronological to a management structure. It would have also saved
the audit manager from having to restructure the information into the management
framework before identify the key issues.
Deciding what to audit means understanding the various layers of information and
activities that lie below the surface of original information

for example, during audit of

job descriptions, auditors may find that job descriptions tell the employee exactly what
has to be done. But if the employees are not told how well to do the job, the job
description may not be useful to the employee or the organizations as it could be.

Internal auditors therefore, need to go beyond the obvious during the comprehensive
audit process.
The comprehensive audit process follows the following steps:1. Planning
2. Frame work
3. analysis

4.

i)

phase I

ii)

phase II

Debriefing

5. reporting
6. Analysis
i)

phase III

The first step in the comprehensive audit process is planning the audit assignment. There
three key results expected after the planning phase is completed.
For example, the results from the strategic document are used to determine the extent of
audit effort needed in the preliminary survey. Similarly, most the extent of audit effort
needed in the preliminary survey. Similarly, most information gathered while preparing
the strategic document can be used
4.1 Planning the audit
The plan of an audit should contain two distinct sets of information , one detailing the
audit process and the activities, functions, units, programs and issued in the corporate
organization, and the other outlining how the audit group will be managed within the
overall time frame.
Under three steps given as follows:
a. preparing the strategy document
b. Conduct preliminary survey
c. Prepare audit plan
a) preparing the strategy document
The firs step in the planning process using the comprehensive approach is the
development of a strategy for each audit. This strategy is not an audit plan, rather a guide
outlining the focus of the audit, how to obtain information for the preliminary survey,
what should be in the audit plan, a determination of the ways to use the audit results and
how to communicate with the senior executives of the organization to ensure that

this

audit fits into the emerging management issues in the organization. It is a macro-level
document and therefore dose not contain the type of detail usually found in the
preliminary survey or other reports.

The strategy document precedes the preliminary. It can be prepared at any time after the
long rage audit plan has been approved when internal auditors present senior
management with a strategy document they should explain the comprehensive approach
and provide senior-management with and provide senior- management with a frame
work. When senior management sees that the framework includes

management

practices as well as compliance, financial and administrative issues, it might respond by

offering valuable insight.
The firs step in preparing strategy document is to gain an initial understanding of the
body to be audited by reviewing information form internal cooperative documents,
correspondence, annual reports and those from prior audits and any other information
available in the audit organization. The auditor would then be knowledgeable. The audit
manger should also be acquainted with outside units, personnel, divisions or organization
that could tie in with the audit.
Questions answered by strategy document

(The final interview related to the strategy document are with the

Senior Management of the organization. These interviews are

importance because both senior and audit department management
must have the same perception of key results and performance goals)
Q1. Who will use or be interested in the audit results.
A) Senior management
C) program evaluators
E) Other units

b) External auditors
d) government agencies
f) others

Q2. What key areas of the following framework should this audit focus
on in the audit scope and why?
a) Mandate and objectives

b) policies and procedures

c) budgets, results and work plans

d) organizational structure

(system and controls)

e) organizational structure
f) MIS

Q3. Which financial results or in what form should the financial

Information. be in to satisfy the objectives of the external or
legislative auditors?
Q4. What information should be gleaned from this audit for use in
Future audits?
5. What emerging organizational issues should be addressed in the
audit?
6. What kind of special expertise will be needed for the audit.
7. What are expected from preliminary survey?
8. What are some o the more important pre-determined goals and
performance standards set by management for this unit?
9. Is this unit subjected to some other audit by other group or outside group?
10. In what ways will the audit result be used for multiple purpose?
11. what does management consider

to be the key factors for success in the

organization and in the unit?

12. What are the key government and department laws and regulations with which
the unit should be complying?
13. Who uses the services of the unit and what do they expect or need from this unit?
Although the answer to most of these questions may be answered in the
preliminary

survey

report,

the

strategy

document

plays

an

important

role

because it allows internal auditors to understand what is acceptable and what is not,
according to management standards. It is designed to obtain the participation and cooperation of senior management at an early stage of audit.
The information in the strategy document is provided to the senior corporate management
so that they and the audit department management have the same perception of the

important issues and factors that constitute good management practices, as well as
important issues of internal control
b) Conducting preliminary survey
In planning a preliminary survey auditor must consider the following

purpose of the survey;

Result expected;

What information to obtain

List of audit models to prepare

Schedule of key personnel to be interviewed.

Topics to be discussed during the interviews

Predetermined management controls

Outline of preliminary survey report,

The purpose of preliminary survey is to become thoroughly familiar with audit entry is
collect information and categorize it is to the framework; analyze the linkage use the
framework; to develop the audit program for the audit, understand the true objectives
and the results the unit should accomplish; identity risks and pinpoint controls and their
linkages; obtain management concerns; and prepare a preliminary survey report.
The results expected from the preliminary survey are:
A summarized version of key corporate aspects of the unit for the database files in each
of the Six comprehensive audit categories
Preliminary findings in each of the six categories;
Working paper files of essential information;
Focus of the audit Objectives
- Scope
- Locations
- Timing and
- Staff.

Management concerns and view of interested parties

Notes on items to follow up from the strategy document; and

Preliminary survey report.

There are many method and approaches that are available for use in the
preliminary survey.

However, one of the most important factors is the way the audit

information structured.
C. preparing Audit plan
Audit plan should include the following

Objectives of the audit

Scope

Audit methodology

Audit schedule

Reporting the audit results

Objective of the audit: -are to assess the management controls and operations of the
unit to determine;
i)

Whether established objectives

of the unit and established corporate

objectives are being achieved;

ii)

The extent of compliance to laws, regulations and policies;

iii)

The reliability of the data used in the unit;

iv)

Whether assets (financial, personal and physical) are being safeguarded

v)

Whether resources are used economically and efficiently; and

vi)

The use made of EDP systems

Scope- of the audit can cover either one unit (that is , one location) or a region with
reversal locations with the same six-item scope structure for each location.
Methodology- section of the audit plan explain how the audit will be conducted. It
explains that audit programs will be prepared to cover the audit objectives. The following

are examples of audit scope items and the areas for audit concentrations that apply to
each.
Mandate and objectives
Policies and procedures
Budgets, results and work plans
Organizational structure (systems and controls)
Human dynamics
MIS
Audit schedule:- provides details on the locations where the audit will be conducted and
the estimated start and completion dates.
Reporting audit results:- section explains that the draft report will be issued after the
fieldwork and analysis stages of the audit are completed and after each
management has been briefed.

level of

Management responses will be requested and

incorporated in to a final report for each unit audited.

Certain key information from each audit will be selected and consolidated to provide a
detailed corporate overview for top management
4.2

Fieldwork

The fieldwork in the comprehensive internal audit differs mainly in the type
of evidence obtained. In financial and compliance audits the evidence is
normally

hard

indisputable

figures

or

legislation

and

rules,

but

both

quantitative hard indisputable evidence form a part of comprehensive audit. The evidence
gathered using audit techniques similar to those used in operational audits.. The man
difference is that more time is spent on analyzing the observations.
In comprehensive internal auditing, auditors take a more detailed look at internal controls
and consider them from both corporate and unit points of view.

Internal control- according to 114 internal auditing standards, the objectives of internal
controls are
1. The reliability and integrity of information
2. Compliance with policies and plans and procedures, laws and regulations
3. Safeguarding of assets
4. The economical and efficient use of resources; and
5. The accomplishment of established objectives and goals for operations and
programs. 20
The comprehensive approach considers that the testing of controls begins at a higher
level in the organization and works down to the more detailed financial controls.
Internal controls begin when top management establishes a mission statement or provides
the direction or the vision of the organization (through the corporate objectives) in a
written format. When there are strategic objectives, (unit objectives) established in the
organization to support the mission statement, therefore the translation of these into dayto-day operations & should be the first level of review by internal fragmentation
An organization could be at risk of going in a direction other than what top management
intended if the strategic objectives are not translated properly and followed accordingly.
New managers may be keen on following through on a new idea that they believe will
revolutionize the way things are done even if it conflicts with the objectives of the rest of
the organization.

Because internal auditors are involved in the details of the daily

operations in most of the units in the organization, they are in the best position to
determine whether there are benefits or risks to the organization as a whole when one unit
deviates form established objectives. There may be valid reasons for such deviation and it
should not be the job of internal auditors to judge whether the deviation is good or bad. It
is also part of their job, however, to identify and report on internal fragmentation and to
make an assessment of the extent of perceived risks to the organization.

The process of guiding these objectives into reality is more important than the actual
document itself. Internal auditors need to be aware that there is constant change in the
process and must remain focused on the original itself. Internal auditors need to assist top
management in ensuring that the corporate organization as a whole and each unit
separately follow the established objective regarding result to be achieved or services to
be provided
It is with this in mind that the system of internal control should begin to incorporate the
higher level issues associated with good management practices.
Walkthrough
Walk through It is the process of following the movement of a transaction from
initiation to final disposition. It is a tool used by auditors to determine the linkages
between the processes through which transaction passes.

In comprehensive auditing a

walk through can be used to trace issues in the higher-level activities of management
practices. Human dynamics deals with the effectiveness of management controls in the
management of staff. One way internal auditors can assess a situation and gain a better
understanding of the linkages in the management controls is to conduct walk through.
Preventive auditing
The walkthrough can be used as a preventive measure in the conduct of management
practices in an organization. It can help identify risks in areas
transactions.

other than financial

For example, the following steps could be completed during the walk

through of the employees complaint?

Trace the problem to the employees performance appraisal and determine
whether proper procedures were followed in preparing.
T\race the appropriate documentation to determine whether the employee was
provided proper positive counseling during the appraisal meeting.

10

 Trace the appraisal form or other documentation to determine

whether the

employee new what was expected of him or her , the is whether there were
result indicators agreed upon by the employee;
Trace the appraisal form to determine whether the established steps in the
appraisal process were followed; and
Determine the extern of training that the manager or supervisor received in
managing people with in the last few years.
There are a few of the steps internal auditors can take to test one of the areas of
management practices that affect employees morale. This approach can be used as an
initial test for other areas of management practices.
Once the fieldwork is finished the audit team goes into the analysis phase. The auditor is
not briefed, however, until the findings have been analyzed.
4.3

Analysis

The analysis phase of the audit could be considered the most important because the
success of the entire audit depends on how the information gathered during the audit is
interpreted and reported and what management does with it. Following are the of the
analysis phase:Phase I
Phase I is the traditional analysis of looking at each observation as a singular concern by
identifying a topic sentence to paraphrase the problem found, identifying a cause if the
problem, the effect of the problem has on the unit, stating the audit criteria or standard
used to measure good practices, or adequate, Control and by recommending a course of

11

action. Phase I is to be completed by each member of the audit team and usually
concentrate on the cause and effect of each observation
Phase II
Phase II is the analysis of how the stand-alone observations are related to each other. It is
vitally important because of the connections between various parts of the organization;
without it, internal auditors run the risk of recommending action to solve symptom rather
than underlying problem in the organization.

Or they run the risk of exposing minor

irritations rather than deep rooted problems.

This type of analytical information can be used to write a more detective report; conduct
a more structured de-breeding; focus on management issues; focus on compliance issue
and how they are linked with management practices; and identify areas such as
productivity improvement, value for money or morale. The information can be
consolidation will all other audits conducted in this format to give management a
corporate overview.

It could help control agencies get a consolidated reading of

department wide problems in a logical format and pin point where accountability problem
are occurring.
This ideal of recommending action that will solve linked problems rather than first their
symptoms has been a nemesis for internal auditors who have not been exposed to the
inter connections of management practices. It is also a challenge for these who have only
conducted financial audit. The analysis phase in financial audits is straight forward
compared to analysis in comprehensive auditing.
Finally the consolidating the observation from each Audit is the key tool used to build
internal audit report under this phase.
This phase must be completed by most senior or experienced members of the audit team
taking full responsibility.
4.4

Debriefing

12

The debriefing of findings in the comprehensive approach mostly follows the traditional
approach as described in most internal audit texts. The difference is that several new
areas, such as the way human resources are managed and the interrelationships of
observations among the units of the organization are also covered. Before entering the
debriefing meeting the audit director manager and team members must be a ware of the
issue to braised
4.5

Reporting and further analysis

Comprehensive internal auditing should be geared to help management bring about

change in the corporate organization, but internal auditors must be aware that their,
reports are not the only tool that management uses one of the traits that makes an audit or
audit report successful is the extent of use extent of use management makes of the
results. There are certain key factors in the reporting stage of the audit process that can
help internal audit organizations produce the kind of reports that produce results. These
factors are covered in the internal Auditing standards.
Following items should be covered in the final internal audit report.
Adequacy of management controls.
Adequacy organizational framework
Effectiveness and efficiency of the reporting system
Measurement of efficiency and
Function direction.
Because some internal audit reports tend to be quite long, important information is
sometimes left of. Auditor should test to determine whether all issues have been followed
up .Fours steps to doing this are:1. Count the number of items in the scope statement
2. Trace them to methodology section to whether they have been covered or a
statement has been made of how each item will be covered.
3. Trace the original scope items to the audit objective and determine whether the
objective statement could logically cover all the scope items; and
13

4. Trace the scope item to the audit observations to determine it each scope item loss
covered in the audit and, if not determine whether there is an explanations.

14