What is an Internal Audit?
An internal audit is a periodic examination of a management system conducted by a second or third party to ensure that an organization's concepts, principles, and procedures are properly maintained. Generally the internal audit is done by in-house personnel that are independent of the area being audited.
An internal audit is aimed at helping organizations achieve their stated objectives by using a specific methodology for analyzing business processes and management systems, procedures and activities with the goal of highlighting organizational non-conformities and recommending internal corrective actions.
Why do you need an Internal Audit?
The primary reason for an Internal Audit is to provide an objective assessment of the adequacy and effectiveness of Management's internal control systems.
An organization typically sets out a long term strategy and defines business objectives to meet that strategy. Management is responsible for driving the business and for identifying and dealing with risks which may threaten the achievement of its objectives. Management does this by setting up a system of internal controls, and the Internal Audit's prime function is to assess the adequacy and effectiveness of these controls.
How can eFortresses assist?
eFortresses engagement will include planning any interviews of key contacts, and review of applicable controls. During the internal audit, the auditor evaluates all applicable management systems elements for approach, implementation, effectiveness and the amount of evidence available. These are described in a written internal audit report. There will be formal internal corrective actions issued as an outcome if applicable.
The audit team shall review all of their findings whether they are to be reported as non-conformities (NC) or as opportunities for improvement (OFI). Audit finding will likewise be supported by objective evidence.
eFortresses Internal Audit Methodology
During this phase, the auditor determines the main area/s of focus for the audit and any areas that are explicitly out-of-scope, based normally on an initial risk-based assessment plus discussion with appropriate stakeholders and management.
The overall audit scope is broken down into greater detail, typically by generating an audit work plan.
During the fieldwork phase, audit evidence is gathered by the auditor/s working methodically through the audit plan, for example interviewing staff, managers and other stakeholders, reviewing relevant documents, printouts and data (including records of activities such as security log reviews), observing ISMS processes in action and checking system security configurations etc. Audit tests are performed to validate the evidence as it is gathered. Audit work papers are prepared, documenting the tests performed.
The accumulated audit evidence is sorted out and filed, reviewed and examined in relation to the risks and control objectives. Sometimes additional analysis identifies gaps in the evidence or indicates the need for additional audit tests, in which case further analysis may be performed unless scheduled time and resources have been exhausted. However, we prioritize audit activities by risk, which implies that the most important areas should have been covered already.
Detailed audit findings and analysis, sometimes with extracts from the supporting evidence in the audit files where this aides comprehension. The audit conclusions and recommendations, perhaps initially presented as tentative proposals to be discussed with management and eventually incorporated as agreed action plans depending on standard practices;
A formal statement by the auditors of any reservations, qualifications, scope limitations or other caveats with respect to the audit.We ensure that there is sufficient, appropriate audit evidence to support the results reported. Therefore ensuring that everything reportable is reported and everything reported is potentially reportable by the 3rd party.
For more information, please contact us by filling out this form