Internal Audit Process Flow
A. Conducting assurance engagements (audit reviews)
Assurance engagements are objective examinations of the effectiveness of risk management, control, and governance. They provide an independent opinion on the level of compliance with the rules and procedures in force and on the efficiency/effectiveness of operations.
I. AUDIT PLANNING
- IAO develops a yearly Working Program (published in the EUI’s Annual Objectives booklet) based on:
a. Services’ risk self-assessment and assessment made by IAO
b. EUI strategic objectives
c. Prior audits’ findings
Consideration is also given to requests from EUI top management, as well as to signals of suspected misconduct and fraud.
II. AUDIT EXECUTION
- Select an auditable entity from the Working Program
- Review background information/financials
- Define scope of audit
- Send out audit announcement to the audited entity/ies and the Secretary General
- Arrange opening meeting with the respective Director/s of service
- Interview staff when necessary
- Perform field work
- Validate findings with the respective service/s and solicit comments to be included in the report
- Prepare Audit Report
- Circulate the Draft Report to the audited entity/ies and the Secretary General.
Draft Report includes an Issues tracking form with recommended actions to address the issues.
The audited entity/ies are requested to indicate in this form if they commit to implement the actions or propose alternative measures. A reasonable time frame for implementing the actions must be indicated. Decisions for accepting the risk and not taking any actions must be motivated.
The Secretary General coordinates with the Management Team a discussion of the proposed actions to address the issues and solicits further inputs. The audited entity collects the inputs, finalise the actions to be taken and communicate it back to IAO.
Committed actions to address the issues are evaluated and included in the final report transmitted to the President, Secretary General, and the respective Director/s of service.
In case IAO deems level of risk accepted by the management as unreasonably high, a reservation is included in the final report.
- Customer satisfaction survey
IAO distribute a customer satisfaction survey to the auditee to solicit feedback on the overall effectiveness of the review. Suggestions for improvement of the process are welcome.
III. FOLLOW UP
Agreed upon actions are registered in the IAO Issues tracking database according to the committed time frame. Professional judgement is applied for scheduling the follow up.
- Send out an inquiry about the implementation of actions to the respective Director/s of service, the Secretary General in copy, with a request for illustrating the results
- Carry out a verification, based on the reply
- Prepare a report with follow up results and circulate it to the respective parties, including the Secretary General.
If no actions have been taken, the issues are escalated to the President.
B. Conducting consultative engagements
To further help EUI achieve its objectives and optimise the operations, IAO provides consulting services that are advisory in nature and are performed upon a specific request. The scope of the consulting engagements is generally coordinated among top management and IAO. When performing consulting services, IAO maintains its objectivity and does not assume management responsibility.
Involving Internal Audit at the beginning of new projects concerning system implementation or launch of new policies and procedures is a cost-effective way of supporting management in making informed decisions and setting up preventative controls.
Benefits from involving the IAO include:
- An objective evaluation of the potential risks from an operational or regulatory perspective
- Increased accountability
- Advising on control designs