How to Carry Out an Audit
An audit is a formal procedure an audit officer carries out to see how a company is functioning and how it can improve. Different types of audits exist, such as performance and finance, but they all follow the same basic auditing procedure. The procedure usually is broken down into four major sections, including initial planning, fieldwork, reporting and follow-up with closure.
The first step is to let stakeholders know about the upcoming audit. Compose and send out a preliminary notification letter to the client or department being audited. Detail when the audit will take place, how long you expect it to take, the audit officer assignment if the officer is not you and a checklist of the type of data you will look for and need during the audit.
Next, schedule a meeting with the managers of the company or department. Define the objectives and scope of the audit with the managers and find out what resources are available. Develop an audit process flowchart to illustrate how the audit will work and who will be involved. Get in-depth information on company or department processes, as well. Allow the managers to express any concerns they have about the audit or ask questions.
Conduct a basic survey of the company or department. The purpose of the survey is to supplement what you learned in the manager meeting and help you better understand the company's objectives, operations and current control mechanisms, such as authorization procedures. A variety of data such as the company handbook and worker statements can be useful during this stage.
Formulate a basic fieldwork plan based on the information gained through the meeting and survey. The fieldwork plan outlines how you get the rest of the data you'll use. It can vary based on items such as the strength of company controls.
Talk with staff members to collect documents — these vary based on the specific audit type you are conducting — and get their perception of what is happening in the company. Ask what they think the company is doing well and what could be improved and why.
Review the documents you collected from staff members. Check for entry errors or conflicting information. Check back with the staff members to see if they have an adequate explanation for the errors or conflicts. Verify that the documentation and procedures are in accordance with company policy and other local, state or federal regulations.
Internal controls are essential for any company, and your audit may need to verify whether those controls are working. If control testing is in the scope of your audit, test the controls the company or department has. Testing just means you look at the documentation for specific transactions — usually somewhere in the neighborhood of 24 to 36 — more closely.
The more errors or discrepancies you find in the documentation and interviews, the more important this is. If documentation initially shows that controls are operating well, you may not need to do much in this step. Not all audits test controls, though. Audits that do not test controls are said to follow a substantive approach.
Before beginning your audit report, formulate some initial opinions about the company or department and how it is operating or could improve. Provide feedback to the company or department managers and ask them for a written response to your recommendations and initial findings. The response should explain how the managers intend to fix the problems you've isolated.
Next, create a rough draft of your audit report. The report must include background information and outline the scope of the audit. It also must show what you found and what your recommendations were based on those findings, as well as copies of or excerpts from the managers' responses.
Meet with managers one more time and discuss your rough report. Provide them with copies and answer any questions the managers may have. The point of this meeting is to ensure the managers understand everything you've done and what they need to do to improve. Tweak and edit your report to create a final draft. The final draft should include the results of the audit review meeting. Distribute the final draft to the managers.
Follow up with the department or company within six to 12 months to find out if the company or department has made changes to fix the problems identified during the audit.
Write a formal letter to the managers indicating what you learned during the follow-up and any additional work that will be necessary. If the company or department has met expectations, indicate this in the letter and state that having met the audit objectives that you are closing the audit.
Be prepared for some tension during the audit process. People often are nervous about errors you may find, even if the errors are innocent, because too many mistakes can mean their jobs are on the line. Reassure them that it is your job simply to investigate, not to give any rewards or punishments. Always explain the exact reason why you request specific data so the workers understand your rationale.