home · Tool · Planning of internal audit activities. Carrying out internal audit activities

Planning of internal audit activities. Carrying out internal audit activities

Today, the concept of “internal audit” has become widespread in business. Many large enterprises and companies prefer to create their own internal audit services and departments, training their employees. In addition, in the labor market there is a constantly growing demand for specialists who have the relevant knowledge and have an international diploma.

Tasks of internal audit at the enterprise

Internal audit at an enterprise is an activity that is aimed at providing objective and independent advice and guarantees to improve the activities of the enterprise. The purpose of internal audit is to assess risks, find ways to reduce them, and also increase the profitability of business processes.

Auditor consultations include assessing, analyzing and reporting on the productivity and reliability of processes. They are addressed directly to the administration of the organization.

The main tasks of internal audit at the enterprise:

  • checking internal control systems to determine the level of efficiency of departments;
  • development of an integrated risk management system, analysis of its operation, as well as creation of measures to reduce them;
  • control over compliance with corporate governance principles.

The need to introduce internal audit

IN Lately In Russia, there is a focus on separating the functions of management and business ownership. The owners implement one general strategy for the development of the organization and manage the main directions, and, as a rule, hire top managers to solve small and everyday problems. In this case, the enterprise uses a tool to monitor the state of affairs - internal or external audit. It allows owners to obtain a complete and objective assessment of the activities of the entire organization.

To implement internal audit in Russian companies influenced no less the federal law“On accounting” dated 06.12.2011. According to Article 19, from the beginning of 2013, absolutely all economic entities must conduct internal control economic activity.

Checklist for internal audit

Control of accounting and management accounting, as well as other areas of business, should occur in absolutely all enterprises. However, it is important to know about the features of this procedure. All processes must follow each other in an orderly manner. Because it is precisely thanks to compliance with this requirement that many mistakes and problems can be avoided when conducting an audit by regulatory authorities. Filling out a checklist greatly simplifies the process. It is very difficult to exaggerate his role.

What you need to know about the checklist

This document consists of a list of detailed questions regarding the audit being conducted. The checklist does not have a specific format established by law. However, it is necessary to follow some rules when drawing up and filling it out. This is what will reduce the likelihood of problems during the audit process.

In fact, with the help of a checklist, you can solve a fairly large number of issues and tasks not only during the audit, but also during the ongoing activities of the enterprise. This document may be used various organizations, regulatory institutions and their officials.

Using the checklist you can solve the following problems:

  • correctly plan the audit in accordance with legal regulations;
  • carry out intermediate and selective control, conduct effective time management;
  • ensures that important parts of the audit are not missed;
  • is one of the means of memory;
  • simplifies auditing;
  • with its help, the audit is comprehensive, structured and holistic, etc.

Legislative act that regulates the preparation of this document, is Federal Law No. 307 of December 30, 2008 “On Auditing Activities”.

An example of a checklist for internal audit can be found.

Internal audit of QMS

QMS - quality management system - one of the parts of the entire company management system, which was created to ensure and control the stability of economic activity, High Quality and minimizing the costs of producing products or providing services.

According to the QMS, the structure of the documentation is as follows:

  • quality requirements (quality manual);
  • goals and policies in the field of quality of products and services;
  • required documented processes;
  • regulations of procedures, work instructions;
  • quality records.

The audit of quality management systems is not regulated by either federal or international legislation. Therefore there are no mandatory legislative norms, which determine the procedure and rules for conducting an audit of quality systems at the enterprise. This is explained by the organization’s voluntary desire to certify quality systems. And all the work that accompanies the construction and implementation of a quality system is also a voluntary initiative.

Consequently, organizations that carry out QMS audits can carry out their activities without additional licenses or other permits. And even more so, these documents are not needed to carry out internal audit. Despite this there are special rules, which regulate the conduct of QMS audits. For example, ISO 19011:2011, which is called “Guidelines for auditing management systems.” It can be used for internal and external auditing.

Order on conducting an internal audit

An order to conduct an internal audit is an internal document that is drawn up by the head of the company and establishes:

  • dates of the audit;
  • a group of internal auditors and specialists responsible for its implementation;
  • providing conditions for conducting internal audit;
  • control over the audit.

How to become an internal audit specialist

Every day the demand for specialists who are able to carry out internal control of an enterprise is growing. But the requirements for them are also increasing. They must have knowledge in financial sector, understand internal controls and corporate governance, know national and international standards internal audit, as well as understand the specifics of the activities that need to be analyzed.

Online training comes to the rescue of always-busy financial professionals. Online courses allow you to study without interrupting your main activity, at home or at work in a convenient, comfortable familiar conditions. Quality distance learning, is not inferior to, and often exceeds, its full-time counterparts, due to the involvement of highly qualified teachers, modular system course, online tests and much more.

Diplomas and certificates in internal auditing

To obtain a diploma that confirms qualifications in the field of internal audit, you should choose international program foreign institute. Today, Russian specialists have access to such programs as IPFM, IFA, ICFM and CIA.

The internal audit process contains four stages (div. Fig. 15.4), one of which is planning.

Planning is an important stage of the internal auditor's work. The auditor must plan his work to complete the audit correctly and in a timely manner. Plans are drawn up taking into account the enterprise’s business, its accounting system and existing internal controls. The purpose of planning an audit is to concentrate the auditor’s attention on its most important areas and identify problems that should be checked in more detail. Planning helps the auditor to properly organize his work and supervise the work of assistants who take part in the audit, as well as to coordinate the work that is carried out by other auditors and specialists of other professions.

The plan may be accompanied by the necessary comments on the organization of inspection and coordination of the work of enterprise personnel and auditors. The comments contain the purpose of the audit, a description of the main methods and techniques that will be used by auditors (survey, inspection, observation, inquiries, custom scan, testing, documentary verification, analytical warehouse, etc.). The audit program is based on the plan, where the work, working documents and performers of audit procedures are established.

It is necessary to carefully monitor the time spent on audit work to ensure that it is used most effectively.

To carry out the plan, the auditor must prepare a written audit program. Audit program- this is a document containing: an audit task for a specific object (control systems for certain business transactions, balances on accounting accounts, cycle of business operations, etc.); procedures necessary to perform assigned tasks; volumes and timing of their implementation.

Today in business circles the importance of high-quality internal audit for the implementation of high-quality management of the company as a whole is often emphasized. Thus, the European Commission issued in July 1996 a Green Paper "on the role, position and obligations of the auditor in countries belonging to the European Union." It says: “Companies with weak internal audit will fail to meet the responsibility of providing sufficiently significant information to the audit committee. Performance Evaluations information systems management of the company and assessment of internal control systems should be carried out on an ongoing basis.

The quality of internal audit defines such basic concepts as professional competence and compliance with professional standards (both technical and ethical) when reporting internal audit findings or providing other services.

The first step in ensuring the high quality of work performed by the internal audit department is the inclusion of quality control activities in the internal audit process. Although the specific directions of each individual internal audit department according to documentation, the use practical aids, consultation and review, as well as how they are required to be implemented, largely depend on the size organizational structure and the style or philosophy of business management, each of these elements must be present to one degree or another.

The quality of internal audit consists of many elements, combined depending on their content and purpose in the corresponding components. Quality indicators, depending on the nature of the tasks being solved in assessing compliance with the constituent elements and the quality of parts or the entire process, can be classified according to a number of characteristics: content; sources of education; completeness of certainty; assessment of compliance and quality of process components is examined; purpose and method of expression.

Management of the internal audit service provides for the implementation of organizational and executive measures according to a certain model, the so-called management model of internal audit:

goal setting(achieving a certain level of conservation of resources, increasing capital, etc.);

planning- selection of means to achieve the goal, determination of the necessary qualifications of auditors, drawing up plans, schedules, preparation of working documentation, preparation of the appropriate regulatory framework;

organization- provision of necessary resources, administrative regulation, selection, testing, training of personnel, determination of the procedure for carrying out control activities, generalization and implementation of inspection results;

personnel management- provision of orders, development of own internal audit standards. Such standards may be the organizational status of the internal audit service, requirements for the competence of internal audit, relationships with service users, training of department employees, planning and implementation of internal audit, types of final documents based on the results of internal audit, procedures for communicating internal audit results to stakeholders and subsequent actions internal audit department, regulation of the rights and responsibilities of the internal auditor, criteria and indicators of the quality of work of internal auditors. Management also involves the implementation modern techniques and audit technologies, drawing up programs and plans for conducting audits, determining the accounting of the work of the service, organizing documentary support for management and implementation decisions taken, control for effective use working hours of auditors;

coordination- coordination of control activities with the divisions of the enterprise, provision of consulting services to them, ensuring interaction with external audit and other representatives for financial control, coordination of plans, programs, schedules;

control- development of methods and organization of quality control of auditors’ work, monitoring and analysis of the effectiveness of inspections and identifying reserves to improve work, increase the effectiveness of control activities, maintain contacts with departments after an internal audit.

One of the main and significant differences between internal auditing is that it must be carried out as a carefully pre-planned process (and not spontaneous). The preventive nature of internal audit is an important psychological factor. This means that each audit is planned, and the department staff audits, communicates the time, object and criteria of the audit in order to provide the auditors with the necessary level of confidence and eliminate the possibility of staff deviating from providing and demonstrating all the necessary data. Unexpected internal audits can hamper production activities. There are two options for carrying out work by internal auditors: a horizontal model and a vertical model.

Horizontal model used to check compliance a separate type activity or process requirements of management systems and evaluation of their effectiveness and efficiency.

Vertical model used to check the compliance of the activities of an individual division of the company. At the same time, it is necessary to pay attention to the fact that the horizontal model is more labor-intensive and time-consuming, but also more significant, since it includes in the field of view the activities at the interfaces of various departments and officials involved in fulfilling the requirements for the object of inspection. In addition, horizontal review “breaks down” communication barriers between departments and encourages management system participants to interact with each other.

The most important stage in conducting an internal audit is planning. Planning, like each stage of the audit, is documented. Let's consider the documents used at the planning stage and can be developed at the enterprise. The main document used by the head of the service is the annual Program, approved by the head of the company (Table 15.1).

Table 15.1

INTERNAL AUDIT PROGRAM

The program should be developed taking into account the status and significance of activities and processes. Primary importance should be given to key activities and processes that have a decisive impact on the success of the company and the achievement of its goals, as well as critical activities and processes, the improper implementation of which at a certain stage of time may pose a real or potential danger to the company.

Typical processes that can be classified as key are studying demand, consumer expectations, purchasing management, interaction with consumers, product sales, training and competence of personnel.

Key processes are ranked using economic or expert assessment influence individual processes on final results business.

Critical processes are considered, the improper organization of which or non-compliance with the requirements for which may pose an actual or potential danger to the efficiency of activities. These processes require immediate intervention in the form of corrective or preventive actions and must be under special control. Any business process can fall into the category of critical due to various internal reasons.

Based annual program audit consists calendar schedule of audits, and a plan for each individual or complex audit. Based on the annual audit program, an Internal Audit Plan is developed for each audit, taking into account the need for resources (Table 15.2).

The plan must qualify the audit object both organizationally (audit of a department, group of departments, etc.) and functionally (audit of finance, marketing, etc.).

Table 15.2 INTERNAL AUDIT PLAN (for a specific facility)

The head of the internal audit service must also develop a development plan for the internal audit service (hereinafter - SBA). Based on and taking into account the audit plan and service development plan, a budget of the internal audit service. It contains a list of expenses necessary to ensure the implementation of the audit plan and development plan. The budget should also provide for the possibility of conducting unscheduled inspections and engaging third-party subject matter experts to conduct inspections.

When preparing for an internal audit, you must:

1. Group members: familiarize yourself with the plan and clearly define the boundaries of the inspection, analyze all documents and materials regarding his responsibilities in order to identify the most significant issues that are subject to qualified discussion with the personnel of the unit.

2. To the Chief Auditor: receive from the SBA all the documents specified in the plan, according to which the inspection should be carried out, as well as documents related to the object of the inspection: organizational and administrative, job descriptions, process maps, their detailed descriptions, matrices for the distribution of responsibilities and powers, etc.; make the necessary group assignments and schedule the audit; prepare a questionnaire; provide auditors with working materials - control questionnaires, auditor logs, non-compliance protocol forms, etc.

Questionnaire- a questionnaire with a list of questions for employees of the department where the audit is being conducted. The responses are used to make a preliminary assessment of the audited subject. Questions on the questionnaire should be based on the audit criteria and cover their most significant parts, be formulated concisely, unambiguously, in a certain sequence, and provide for an unambiguous answer.

Checklist- a pre-compiled, systematized list of questions, the answers to which allow the auditor, directly during the audit, to obtain information about the degree of compliance of the state of the audit site with the established requirements. Questions should be posed in such a way that the answers enable the auditor to comprehensively and correct presentation about the object.

Auditor's Journal- a journal or form in which the auditor records the facts, results of interviews and other information collected during the audit. Journal entries are the basis for making appropriate decisions (Table 15.3).

Table 15.3

EXAMPLE FORM OF AN AUDITOR'S JOURNAL

Criteria

List of questions

Actual condition

The International Standards for the Professional Practice of Internal Auditing (IPSIA) require the development of a risk-based internal audit plan, in particular, based on a formal risk assessment conducted at least once a year.

Canonical approach.

Of course, the canonical approach can be called an approach that is based on an existing risk assessment. There is quite a website on this site where I will show approaches to creating an internal audit work plan for the year.

So, there is a risk register with calculated mathematical expectations of the current and residual risk. You need to start by ranking the risks for internal audit.

The first thing that needs to be determined is which mathematical expectation should be used to rank the risks. My opinion is that you need to rank according to the current one. The logic is roughly as follows: management will always insist that “yes, everything is bad with us now (or, well, everything is good), but in the near future it will get worse (well, or it will become even better).” As practice shows, the near future does not always arrive quickly (after all, the duration human life is insignificant in terms of the time of existence of the universe, and on this scale the near future is 100 years). Therefore, the inspection plan was drawn up based on the current mathematical expectation. But theoretically, I allow a situation where the audit plan is drawn up based on both the mathematical expectation of residual risks and the change in the delta between the mathematical expectation of the current and residual risk. The logic of the latter is to audit the effectiveness of the efforts made by management

When determining labor intensity, there is no need to take into account the speed of decision-making by management. If a particular manager took a break for three weeks due to vacation, the person from the internal audit department needs to be busy with something else. Yes, there are different psychological types, and among internal auditors too. I feel like the more things I have to do, the more I get done. Perhaps this is just my peculiarity: stress helps some people, and hinders others. But resistance to stress seems to be required for all vacancies.

Scheduling.

Some obvious scheduling tips.

Tip #1. If large changes in process curves are planned during the year, it is advisable to schedule the audit for January-February (a clear example from the program above is the audit current system procurement).

Tip #2. If management indicated the execution date of March 33, then it is advisable to begin the process execution audit on March 34.

Tip #3. Do not plan business trips for July-August. Of course, excursions in summer are much more interesting than in winter (although for me it’s more comfortable in winter because you don’t get wet with sweat). But tickets and other accommodations are much cheaper in February or November. We are not talking about unscheduled tasks - here, if something is needed, it is needed immediately.

If you find an error, please highlight a piece of text and click Ctrl+Enter.

3. Normative references

ISO 9000:2005 – “Quality management systems. Fundamentals and vocabulary."

ISO 9001:2008 – “Quality management system. Requirements".

ISO 19011:2002 – “Guidelines for the audit of quality and/or environmental management systems.”

4. Terms, abbreviations and symbols

Terms and Definitions:

Audit (verification) is a systematic, independent and documented process of obtaining audit evidence and evaluating it objectively in order to determine the degree of fulfillment of agreed criteria (ISO 9000:2005).

An auditor is a person who has demonstrated the personal qualities and competence required to conduct an audit (ISO 9000:2005).

Group of auditors - one or more auditors conducting the audit with the assistance (if necessary) of technical specialists.

Abbreviations used:

DP – documented procedure

QMS – quality management system

Legend:

Forking/merging process operations

5. Process description

5.1 Fundamentals

The QMS audit at KPMS is carried out with the aim of:

  • determine the level of compliance of the QMS with the requirements of the ISO 9001:2008 standard;
  • determine the level of compliance of the QMS with the requirements of internal regulatory documents.

The audit can be carried out scheduled (based on the annual audit plan) and unscheduled (based on the order general director).

The frequency of scheduled audits should be at least once every six months.

The quality officer is responsible for organizing audits.

The lead auditor is responsible for conducting audits.

The annual internal audit plan is developed and approved no later than December 20. The annual internal audit plan is developed by the quality officer. When planning internal audits of the QMS, it is provided mandatory check each of the departments, each of the processes and each of the requirements of ISO 9001:2008.

Before the start of each audit, an audit schedule is developed. The schedule is developed one week before the audit date.

To conduct internal audits, a leading auditor, auditors and technical specialists are appointed from among the company's employees. The candidacies of the lead auditor and auditors are determined by the Quality Commissioner. The appointment of the lead auditor and auditors is carried out by order of the General Director for Personnel. The order may indicate the duration of the appointment. If the period is not specified, then the lead auditor (auditors) are considered to be appointed for an indefinite period and lose their status as an auditor only on the basis of an order from the general director to appoint a new lead auditor (auditor) or upon dismissal from the company.

Technical specialists are assigned (if necessary) to each audit upon the recommendation of the lead auditor. The appointment of technical specialists is carried out in an order for the organization to conduct an internal audit.

When drawing up an audit schedule, the distribution of auditors and technical specialists among the objects of inspection should exclude the possibility of them inspecting the units in which auditors and technical specialists work.

The need for internal audits has already become commonplace for medium and large organizations. Small companies do not always conduct audits due to the smaller volume of work processes, but for some of them such control could bring a lot of benefits. Read about improving the process, planning and preparation in this article. Here you will also find information about conducting an internal audit at an enterprise, using an example.

Internal audit program and schedule

Planning an inspection is one of the very important stages preparation. At this time, it is necessary to assess the total scope of work, determine the schedule and timing of the audit, draw up a control program, select an appropriate methodology and first identify the most problematic units. Also, at the planning stage, it is advisable to try to take into account potential external factors impact.

The internal audit program is drawn up together with the plan. Most often, the program has a personal form that takes into account the most important aspects subject to control in a particular company. This document describes all the nuances of the auditor’s activities and includes the following points:

  1. The main purpose of conducting an internal audit.
  2. Application area.
  3. Definitions and abbreviations.
  4. Information about additional documents.
  5. List of those responsible for the application.
  6. Description of the audit process.
  7. Schedule and frequency of control checks.
  8. Preparation detailed plan audit.
  9. Preparation of necessary documents.
  10. Sequence of information collection.
  11. Nuances of preparing final reports.

Order to conduct an internal audit (sample)

Order to conduct internal audit - 1

Order to conduct internal audit - 2

When an internal audit is carried out by a third-party company, an agreement must be added to the order. Only on the basis of this document is it possible to sign a contract for conducting a VA.

The rules and procedure for conducting internal audit are described below.

Conducting an internal audit of the QMS in order to comply with ISO 9001 is shown in this video:

Rules

There are certain international and Russian standards for conducting internal audits. At the same time, it is not legally prohibited to develop your own internal VA rules. Main part federal standards concerns the activities of third-party auditors, regulating their work to ensure the quality of the services provided.

At the same time, internal auditing standards created by a particular company cannot contradict federal and international rules. Regardless of the level of rules, they are all divided into several blocks. Of these, 3 are mandatory:

  1. Block No. 1 reflects the nuances of the organizational and economic activities of auditors.
  2. Block No. 2 specifies the responsibilities of auditors, how to obtain audit evidence and the procedure for drawing conclusions.
  3. Block No. 3 contains rules for the selection of methods, documentation, and work instructions.

It is important to understand that in order to obtain reliable data from an audit, it is necessary to have an audit structure with clear rules. Only systematized activities according to certain standards can demonstrate clear results.

Step by step steps

At first glance, conducting an internal audit is quite simple. This procedure includes only 3 steps:

  1. Preliminary preparation.
  2. Collection of audit evidence.
  3. Registration of inspection results.

Often these stages are called: preparatory, working and final. Elimination or neglect of any of the stages deprives internal listening of any meaning.

  • At the preparation stage, it is necessary to plan and collect the necessary data, documents and various information about the object of control.
  • The working stage involves the direct application of selected control methods, conducting tests, searching for evidence and documenting the activities carried out.
  • On final stage the results of the audit are summed up, an analysis of the audit is carried out and the preparation of documentation is completed.

Implementation results

  • All VA results must be in documented form for subsequent study. Most often, documents mean smaller forms. It indicates not only information about the detected shortcomings, but also the proposed ways to eliminate them. Also, the results of the internal audit necessarily reflect potential ways to improve the efficiency of work processes.
  • In addition to drawing up reports and other audit documentation, another procedure is necessary. It is important to clarify in advance the criteria for the effectiveness of the work of inspectors and, upon completion of the internal audit, to analyze the quality of the control performed.
  • Often these criteria include compliance with the stated inspection time frame, the presence of complete and clear comments on all points studied, and an indication of potential problems in the future. It is also necessary to analyze the activities of auditors for compliance with inspection regulations and correct use various control methods. Another criterion is the availability, completeness and timeliness of providing documentation on the inspection performed.

When conducting an internal audit, a large role is played by its preparation (and don’t forget about!). Without properly carried out preparatory part it is impossible quality work inspectors. Unified system there is no audit, each company independently combines control methods, so it is worth Special attention pay attention to preparation, the inspection itself, and analysis of work efficiency.

Conducting an internal audit of the management system is described in this video: