When Audit Criteria Are Not Established: Internal Auditor’s Next Steps
Internal auditing is a critical component of any organization's internal control system. However, there are situations where audit criteria are not established. In such circumstances, the internal auditor needs to take proactive measures to ensure that the audit can be thorough, effective, and insightful. This article walks through the steps an internal auditor should take when no audit criteria have been set and explains why those steps matter.
Identify and Develop Criteria
When faced with the lack of established audit criteria, the first and most crucial step for an internal auditor is to identify and develop appropriate criteria.
1. Collaborate with Management and Stakeholders
The auditor must engage in collaborative efforts with management and relevant stakeholders to define and develop audit criteria. This collaboration ensures that the criteria align with the organization's goals and objectives and that they reflect the stakeholders' perspectives.
2. Review Internal Policies and Procedures
A valuable starting point is to review the organization's internal policies and procedures. These documents often contain the foundational elements that can serve as a basis for developing audit criteria. By examining these documents, the auditor can identify existing standards, guidelines, and protocols that align with the organization's needs.
3. Refer to Industry Standards
Industry standards can provide a framework for audit criteria, helping ensure that the audit is comprehensive and covers all relevant areas. ISO standards, legal regulations, and best practices are particularly useful. These standards often provide specific requirements and benchmarks that can be adapted to fit the organization's context.
4. Utilize Risk Management Frameworks
Risk management frameworks play a crucial role in defining audit criteria. These frameworks help identify potential risks and controls, which can be used as criteria for evaluating the organization's processes and operations. By considering these frameworks, the auditor can ensure that the audit covers all critical risk areas.
Communicate with the Client
Once the auditor has developed or identified the audit criteria, the next step is to communicate with the client or relevant parties.
1. Inform the Client of the Need to Establish Criteria
The auditor should inform the client that creating clear, established, and documented criteria for all activities, processes, and functions is necessary before any audit can take place. This communication is essential to set expectations and ensure that the client is aware of the importance of defining audit criteria.
2. Explain the Importance of Criteria
The auditor should explain the rationale behind the need for established criteria. Clear criteria provide a benchmark for the audit, allowing for a structured and objective evaluation. This can also help in identifying areas for improvement and in making informed recommendations.
3. Seek Client Input and Approval
Gather input from the client to further refine and finalize the audit criteria. This collaborative approach ensures that the criteria are relevant and acceptable to all parties involved. After the criteria are established, it is important to obtain client approval to ensure that everyone is on the same page.
Conclusion
When audit criteria are not established, the internal auditor plays a crucial role in ensuring the integrity and effectiveness of the audit process. By collaborating with management and stakeholders, utilizing internal policies and procedures, industry standards, and risk management frameworks, the auditor can develop or identify appropriate criteria. Effective communication with the client is also essential to ensure that all parties are aligned and prepared for the audit.