AUDIT CHECKLIST: How to Conduct an Audit Step by

Step

One of the guide’s highlights is a comprehensive checklist of audit steps and

considerations to keep in mind as you plan any audit project. Use the checklist below to
get started planning an audit, and download our full “Planning an Audit from Scratch: A
How-To Guide” for tips to help you create a flexible, risk-based audit program. 

Internal Audit Planning Checklist

1. Initial Audit Planning

All internal audit projects should begin with the team clearly understanding why the
project was put on the audit plan. The following questions should be answered and
approved before fieldwork begins:

 Why was the audit project approved to be on the internal audit plan?
 How does the process support the organization in achieving its goals and
objectives?
 What enterprise risk(s) does the audit address?
 Was this process audited in the past, and if so, what were the results of the
previous audit(s)? 
 Have there been significant changes in the process recently or since the previous
audit?

2. Risk and Process Subject Matter Expertise

Performing an audit based on internal company information is helpful to assess the

operating effectiveness of the process’s controls. However, for internal audit to keep
pace with the business’s changing landscape and to ensure key processes and controls
are also designed correctly, seeking out external expertise is increasingly becoming a
best practice.

At least one of the following should be used to evaluate the design of the process
audited:

 Subject Matter Expert (SME) from a Big 4 or other consulting firm

 Recent articles from WSJ.com, HBR.org, or other leading business periodicals
 Relevant blog posts from The Protiviti View, RSM’s Blog, or the IIA’s blogs

Once you have leveraged internal and external resources to identify relevant risks, you
will want to build an audit program that tests for these risks.

3. COSO’S 2013 Internal Control – Integrated Framework

While used extensively for Sarbanes-Oxley (SOX) compliance purposes, internal

auditors can also leverage COSO’s 2013 Internal Control – Integrated Framework to
create a more comprehensive audit program. In addition to identifying and testing
control activities, Internal audit should seek to identify and test the other components of
a well controlled process.

 Review COSO’s 2013 Internal Control components, principles, and points of

focus here.

4. Initial Document Request List

Requesting and obtaining documentation on how the process works is an obvious next
step in preparing for an audit. The following requests should be made before the start of
audit planning in order to gain an understanding of the process, relevant applications,
and key reports:

 All policies, procedure documents, and organization charts

  Key reports used to manage the effectiveness, efficiency, and process success
 Access to key applications used in the process
 Description and listing of master data for the processes being audited, including
all data fields and attributes

After gaining an understanding of the process to be audited through the initial document
request, you should request access to master data for the processes being audited to
analyze for trends and to aid in making detailed sampling selections.

5. Preparing for a Planning Meeting with Business Stakeholders

Before meeting with business stakeholders, internal audit should hold an internal
meeting in order to confirm the high-level understanding of the objectives of the process
or department and the key steps to the process. The following steps should be
performed to prepare for a planning meeting with business stakeholders:

 Outline key process steps by narrative, flowchart, or both, highlighting

information inflows, outflows, and internal control components
 Validate draft narratives and flowcharts with subject matter experts (if any)
 Create an initial pre-planning questionnaire to facilitate a pre-planning meeting
with key audit customers

Preparing the questionnaire after performing the initial research sets a positive tone for
the audit, and illustrates that internal audit is informed and prepared. Once this research
is completed, internal audit should meet with their business stakeholders to confirm their
understanding of the process.

6. Preparing the Audit Program

Once internal audit has confirmed their understanding of the process and risks within
the process, they will be prepared to create an audit program. An audit program should
detail the following information:
  Process Objectives
 Process Risks
 Controls Mitigating Process Risks
 Control Attributes, including:
o Is the control preventing or detecting a risk event?
o Control frequency (e.g. daily, weekly, monthly, quarterly, etc.)
o Does the control mitigate a fraud risk?
o Is the control manually performed, performed by an application, or both?
o An initial assessment of the risk event (e.g. high, medium, or low)
 Testing Procedures for Controls to be Tested During the Audit, including:
o Inquiry, or asking how the control is performed
o Observation, or physically seeing the control be performed
o Inspection, or reviewing documentation evidencing the control was
performed
o Re-performance, or independently performing the control to validate
outcomes

7. Audit Program and Planning Review

Audit programs, especially those for processes that have never been audited before,
should have multiple levels of review and buy-in before being finalized and allowing
fieldwork to begin. The following individuals should review and approve the initial audit
program and internal audit planning procedures before the start of fieldwork:

 Internal Audit Manager or Senior Manager

 Chief Audit Executive
 Subject Matter Expert
 Management’s Main Point of Contact for the Audit (i.e. Audit Customer)

Internal auditors who can create and document audit programs from scratch — and do
not rely on template audit programs — will be more capable and equipped to perform
audits over areas not routinely audited. When internal audit can spend more of their
time and resources aligned to their organization’s key objectives, internal auditor job
satisfaction will increase because they’ll be taking on more interesting projects. The
Audit Committee and C-suite may become more engaged with internal audit’s work in
strategic areas. Perhaps most importantly, recommendations made by internal audit will
have a more dramatic impact to enable positive change in their organizations.