
Traditionally, internal auditing includes several mutually connected elements. These elements are described below:

Audit charter

The central element of the internal audit function and the starting point of all its activities is the audit charter. In this charter the internal audit function’s purpose, authority, and responsibility are documented. It also describes the function’s mission and scope of work and explains how independence is ensured. Therefore, an essential aspect of the charter is to state how far the internal audit function should engage in consulting activities or support functional units in any other form. The charter is initially approved and regularly reviewed by the supervisory board (ACA Compliance Group, 2020).

Audit universe

With the charter setting the boundaries, the internal audit function subsequently sets up an audit universe. The audit universe is a collection of potential audit engagements. It is updated regularly by the CAE and his staff. Input for the audit universe comes from internal sources (e.g. senior management, supervisory board, risk management function) or external sources (tax authorities, external auditor). While the former also includes documentation prepared internally (e.g. discussion notes or minutes of management board meetings, controlling reports, risk reports, budget plans, strategic plans, sustainability reports), the latter contains information provided externally (e.g. external audit reports, filings by stock exchanges, suppliers’ and competitors’ annual reports, relevant market research) (Kagermann, 2006, pp. 103-106).

Audit plan

Based on the charter and the audit universe, the internal audit function develops an audit plan which covers all audit engagements planned for a specific time frame (e.g. a year) in a prioritised form. Therefore, the audit plan links specific audit engagements to the company’s strategic objectives accounted for in the audit charter (Auditnet, 2021).

The selection of audit engagements from the audit universe is based on a risk-oriented evaluation. For this evaluation, appropriate criteria by which each audit engagement is analysed need to be defined. The exact choice of criteria lies in the discretion of the CAE. According to Peemöller and Kregel (2014, pp. 215-217), these criteria include the following:

• Financial impact of audit subjects covered in the audit engagement

• Strategic relevance of audit subjects covered in the audit engagement

• Functional stability of audit subjects

• Vulnerability of audit subjects covered in the audit engagement to changes in the company’s internal environment

• Degree of coverage of audit subjects in previous audit engagements

• Complexity of audit engagement

• Other drivers (e.g. explicit proposal by management)

The audit plan must be as precise as possible and account for the availability of necessary personnel and costs as well as for time limitations (Auditnet, 2021).

Setting up a sound audit plan is a challenging task. The audit plan serves the internal audit function as a guideline throughout the chosen time frame. It also provides a benchmark against which the internal audit function is evaluated. As a result, on the one hand, the plan must not be too vague or superficial, so as to avoid overlooking essential risks. On the other hand, the plan must not be too extensive and must leave room for unscheduled engagements called for spontaneously or for other forms of disruption (e.g. holiday season, sick leave) (Kagermann, 2006, pp. 213-216).

Policies and procedures

Alongside the audit plan, the internal audit function makes use of general audit policies and procedures which auditors apply to a range of audit engagements. These documents provide guidance to internal auditors and include general information such as sampling procedures, documentation requirements, communication formats, follow-up procedures, approval activities, requirements for communication with auditees, etc. For quality assurance purposes, audit policies and procedures are reviewed by the CAE at regular intervals (Amling, Bantleon, 2007, pp. 254-258).

Audit engagements

Audit engagements can take various forms. Beeck (2018) differentiates between financial audit engagements and operational audit engagements. While the former aim at evaluating the effectiveness of structures and processes linked to financial reporting (e.g. accounting or IT processes), the latter focus on analysing compliance with internal regulations and evaluate how far action taken by management is appropriate and purposeful.

Peemöller and Kregel (2014, pp. 20-32) go a bit further by mentioning four different kinds of audit engagements. Alongside effectiveness-focussed and appropriateness-focussed audit engagements (similar to Beeck’s financial audit engagements and operational audit engagements respectively), they also consider security-focussed and efficiency-focussed audit engagements as two further audit engagement categories. Security audit engagements relate to the verification of how far measures are in place to safeguard physical assets. Efficiency audit engagements analyse current practices and aim to identify potential savings in structures and processes.

Irrespective of their form, audit engagements are carried out in a standardised, multi-phase procedure. This procedure includes, but is not limited to, the following phases (Auditnet, 2015):

Planning

The first phase covers detailed planning of the audit engagement in terms of content, time, and personnel. Audit subjects covered in the audit engagement are analysed in broad terms, relevant information is gathered, and specific audit procedures are decided upon. Special requirements, e.g. the need for analytical tools, are evaluated and, if necessary, special preparations are performed accordingly. Furthermore, objectives and milestones of the audit engagement are defined. This task not only includes a decision on the type and extent of audit activities, but also defines the limits of the audit engagement and determines which elements are not covered (Institute of Internal Auditors, 2012).

Risks associated with the execution of the audit engagement are identified and evaluated. If necessary, appropriate countermeasures are taken. An audit engagement organisation needs to be built which includes the appointment of an engagement leader and the allocation of appropriate personnel resources to single audit activities. Additionally, the internal audit function prepares engagement-specific work programs for internal purposes. These documents serve as guidelines and working aids. They detail procedures for identifying, analysing, evaluating, and documenting information relevant for all kinds of audit engagements. A standardised work program can be used for similar or repeating audit engagements. If, however, single engagements turn out to be complex, individual work programs need to be established. Work programs are reviewed and approved by the CAE before audit engagements begin (Kagermann, 2006, pp. 204-237).

As part of the planning, the audit engagement is announced to the auditee with an appropriate lead time. This is done in the form of an engagement letter which is provided to the auditee in writing. This engagement letter serves as a kind of contract between the internal audit function and the auditee and covers important information about the engagement (e.g. nature, scope and objectives of audit engagement, background and motivation, planned activities and timeline, auditors’ and auditees’ responsibilities, framework to be used as a benchmark, as well as form of reporting of results). Under special circumstances (e.g. in case of a fraud detection audit engagement), the audit function can refrain from announcing the audit engagement to the auditee (Pratum, 2021).

Conduction

In this phase, the audit engagement is carried out in accordance with the audit engagement plan. Deviations from the audit program throughout the conduction of the audit engagement need to be well-reasoned and documented in the audit engagement documentation. Before any audit activities are conducted, a kick-off meeting is held with the responsible personnel of the audited entity. During this meeting, all major audit activities are explained and framework conditions are agreed upon. Also, the contact persons of the audited entity are agreed upon (Institute of Internal Auditors, 2012).

According to the IIA (2012), the specific audit activities vary widely and depend on a range of factors. The audit engagement can focus on effectiveness, efficiency, security, compliance, or any other objective. Audit methods can comprise the following:

• Control tests to verify the design and/or the operating effectiveness of processes or systems

• Analytical procedures (e.g. trend analyses, correlation analyses, or benchmarking/best practice comparisons)

• Substantive tests (e.g. reconciliations of specific accounts, tests of details)

• A combination of these methods

Internal auditors apply one or several audit procedures such as inspections, observations, inquiries, or re-performances/recalculations. The audit engagement can be carried out on site or from a remote site. Furthermore, the auditor can choose between ex-ante and ex-post audit engagements. Yet, audit teams and the competencies they bring together via their team members have an influence on the design of single audit activities. Sources for audit activities come from internal sources or external sources, from information provided orally or in writing (PCAOB, 2021).

During the audit engagement, checklists are used to ensure that all planned audit activities are completed. Based on collected information, the internal auditor determines a current state (as is) of the respective audit subjects and compares this current state with a target state (as should be), represented by his expectations. Deviations between current and target states will be considered as findings. These comparisons can turn out to be a challenging task as they include in-depth evaluations or analyses and require extensive auditors’ judgement (Amling, Bantleon, 2007, pp. 278-302).

By the end of the execution phase, audit results are presented to the auditee and agreement is established among all parties regarding findings. This can be done in a closing meeting (and, if feasible, in an additional pre-closing meeting). Results and findings are presented as explicitly as possible to enable any third party to come to the same opinion within a reasonable time frame (Kagermann, 2006, pp. 238-266).

Follow-up

All audit activities as well as audit results and findings need to be documented in a consistent and appropriate manner. For each finding, the internal auditor establishes recommendations and advises the auditee on how to mitigate identified deficiencies. All results, findings, and recommendations are assembled in an audit report which is handed over to the auditee after the conduction of the audit engagement (Amling, Bantleon, 2007, pp. 303-326).

Before the final issuance of the audit report, the auditor also seeks confirmation from the auditee about results and findings. In a best-case scenario, the auditor obtains a written response from the auditee on each finding as well as remediation steps, assigned responsibilities and deadlines. The final report and the auditee’s response are sent to senior management and the supervisory board as well as to the initiator of the audit engagement, if applicable (Auditnet, 2015).

The final report and all working papers are archived in a permanent file, along with any evidence collected from the auditee. A follow-up list is prepared from the findings which will serve the internal auditor as a starting point for any follow-up engagements at a future point in time and/or as input for other audit engagements. The engagement leader also assembles the audit team to identify lessons learnt from the audit engagement. These lessons are reported to the CAE, so he can draw corresponding conclusions for future audit engagements (e.g. change of audit team’s size, audit time frame, or audit methods) (Kagermann, 2006, pp. 267-306).