How to conduct an Audit? Part 2 - Preparing for the Audit
Chinmay Kulkarni
Technology Risk Auditor at EY US | Making You The Next Generation IT Auditor | CISA* | CRISC* | CCSK | ISO 27001 LA | ISO 27701 LI
In the previous article, I discussed the first phase of any audit process, which is planning. Following the completion of the planning process, the evaluation phase, often known as field work, is an important step.
The field work phase comprises examining the adequacy of internal controls, compliance testing of transaction records, resources, and obtaining evidence, as well as completing other processes required to meet the audit's goals and objectives. During this phase, the audit team will collect evidence from the auditee's (client's) location where the audit is being performed.
To better understand the field work phase, I have divided it into the following parts.
This article focuses on the first point: preparing for the audit.
It is critical to have the audit plan in place before we begin the actual audit operations. The audit manager should also delegate responsibility for executing the audit to the lead auditor, as established in the audit program or audit canvas, and send the lead auditor the relevant information.
It is crucial to note that the following procedures may alter based on the client, kind of audit, processes, specific conditions, and client nature. This article will provide an outline of the audit's second phase.
Contacting the Auditee/Client
The squad leader or lead auditor should initiate formal contact with the customer. The goal of this engagement is to create communication channels with auditee representatives and confirm audit authority. It is critical to formally document every process since it serves as evidence in the audit process. In addition, information on the audit scope, methodologies, and team structure must be shared. One of the most crucial steps to take before beginning the audit is to ensure the client's agreement on the scope of the disclosure and treatment of sensitive information. Along with that, before the audit team obtains evidence, it is critical to grasp the auditee's expectations and the audit requirements.
Reviewing the Audit Plan
The audit plan is an essential document for any type of audit. The audit plan should include the identification of the client's representative for the audit, the audit's working and reporting language, the relevant audit report areas, and logistical and other communication arrangements, including specific arrangements for the audited sites. In addition, the audit plan should include any specific measures taken to address risk and the impact of uncertainty on audit goals. The audit strategy should also include information about confidentiality and information security.
Important: The audit plan should be reviewed and accepted by the audit client, and presented to the auditee, before the audit activities begin.
Assigning roles and responsibilities
The squad leader or lead auditor, in consultation with the rest of the team members, should delegate responsibility for auditing certain processes, functions, sites, and areas to each team member. The lead auditor should hold regular audit team meetings to give work assignments and make decisions on possible adjustments. For example, if the audit team is operating in an agile environment, a daily standup meeting where the squad leader and audit team members review the tasks that were completed and any barriers encountered while performing the audit activities is an important element of the audit activity.
Preparing Work Documents
Members of the audit team should evaluate material relevant to their audit assignments and produce work papers, such as checklists and audit sampling plans, which are required to collect audit evidence. It is critical to remember that the audit work papers should be kept at least until the client accepts the audit report on the last day of the audit. In some circumstances, these work papers must be kept for a longer period of time due to regulatory and legal requirements.
Reviewing prior audit documentation
The paperwork should be reviewed before beginning the actual audit evidence gathering actions. Documents and records from the management system, as well as past audit reports, may be included in the documentation review. The audit team should consider the client's systems and organization's size, nature, and complexity.
Conducting an opening meeting
An audit opening meeting's principal objective is to confirm the audit plan and preceding arrangements. It's also a great opportunity to introduce the other team members and explain the audit process. It is critical to highlight that an initial meeting with the client's management and individuals responsible for the functions or processes to be audited should take place. The lead auditor or squad leader should chair this meeting.
The first meeting should include an introduction of all participants as well as a description of their roles in the audit. It should also reaffirm the audit's objectives, scope, and criteria. One of the most significant aspects of any initial meeting is ensuring that the client understands the procedures that will be utilized during the audit and the introduction of the approaches that will be used to control the risks to the organization's assets. Communication is critical throughout the audit process, which is why it is critical to obtain official approval and confirmation of all communication routes between the audit team and the client.
The following items should be covered in the opening meeting.
The aforementioned activities must be completed before we begin obtaining actual proof. As previously said, these activities would undoubtedly differ based on the type of audit, whether it is a forensics audit, information audit, security audit, financial audit, or system audit. What matters is that the audit team completes all of these stages before obtaining evidence.
Preparing for the audit gives the auditee the impression that the audit team is capable of executing the audit. In next week's article, we will look at the stages involved in obtaining evidence and how to proceed with the audit report and documentation.
I hope you found this information interesting! I'd love to hear your opinions on this article, and if there's anything else I might be missing, please don't hesitate to get in touch with me.
Information Technology Audit II Enterprise Risk Management
1 year ago: Thanks for sharing