Annual program of internal audit at the enterprise. Carrying out internal audit activities

The internal audit process contains four stages (see Fig. 15.4), one of which is planning.

Planning is an important stage in the work of an internal auditor. The auditor should plan his work so as to complete the audit correctly and in a timely manner. Plans are made taking into account the business of the enterprise, its accounting system and the current internal control. The purpose of planning an audit is to focus the attention of the auditor on its most important areas, identifying problems that should be checked in the most detail. Planning helps the auditor properly organize his work and supervise the work of assistants who take part in the audit, as well as coordinate the work that is carried out by other auditors and specialists from other professions.

The plan may be accompanied by the necessary comments on the organization of verification and coordination of the work of the enterprise's personnel and auditors. Comments contain the purpose of the audit, a description of the main methods and techniques that will be used by auditors (survey, inspection, observation, inquiries, spot checks, testing, documentary check, analytical warehouse, etc.). Based on the plan, an audit program is composed, where work, working documents and executors of audit procedures are established.

It is necessary to carefully control the time of the audit work, which will allow it to be used most efficiently.

To implement the plan, the auditor must prepare a written audit program. An audit program is a document containing: an audit task for a specific object (control systems for certain business transactions, accounting account balances, a cycle of business transactions, etc.); the procedures necessary to carry out the assigned tasks; and the volumes and terms of their implementation.

Today, business circles often emphasize the importance of good internal audit for the good management of the firm as a whole. Thus, in July 1996 the European Commission issued the Green Paper "on the role, position and obligations of the auditor in the countries belonging to the European Union." It says: "Companies where there is a weak internal audit will fail to meet the responsibility of providing sufficiently significant information to the audit committee. Performance evaluations of the company's management information systems and the evaluation of internal control systems should be carried out on an ongoing basis."

The quality of internal audit defines such basic concepts as professional competence and compliance with professional standards (both technical and ethical) when drawing up an opinion on the results of internal audit or when providing other services.

The first step in ensuring high-quality performance of work by the internal audit department is the inclusion of quality control measures in the internal audit process. Although the specific directions of each individual internal audit department for documentation, the use of practical aids, consultations and reviews, as well as the ways in which they are required to be introduced, depend to a large extent on the size of the organizational structure and the style or philosophy of enterprise management, each of these elements must be present to one degree or another.

The quality of internal audit consists of many elements, combined depending on their content and purpose in the relevant components. Quality indicators, depending on the nature of the tasks to be solved in assessing compliance with the constituent elements and the quality of parts or the entire process, can be classified according to a number of criteria: content; sources of education; completeness of certainty; evaluating the compliance and quality of the constituents of the process being investigated; purpose and mode of expression.

The management of the internal audit service provides for the implementation of organizational and executive measures according to a specific model, the so-called management model of internal audit:

goal setting - achieving a certain level of resource conservation, increasing capital, etc.;

planning - selection of means to achieve the goal, determining the necessary qualifications of auditors, drawing up plans and schedules, preparation of working documentation, preparation of an appropriate regulatory framework;

organization - providing the necessary resources, administrative regulation, selection, testing and training of personnel, determining the procedure for implementing control measures, generalization and implementation of the results of inspections;

personnel management - issuing orders, developing the service's own internal audit standards. Such standards can cover the organizational status of the internal audit service, requirements for the competence of internal audit, relationships with service users, training of employees of the unit, planning and implementation of internal audit, types of final documents based on the results of internal audit, procedures for communicating the results of internal audit to interested parties and the subsequent actions of internal audit departments, regulation of the rights and obligations of an internal auditor, and criteria and indicators of the quality of work of internal auditors. Management also involves the introduction of modern audit methods and technologies, drawing up programs and plans for audits, determining how the work of the service is accounted for, organizing documentary support for management and the implementation of decisions taken, and control of the efficient use of auditors' working hours;

coordination - coordination of control measures with the divisions of the enterprise, providing them with advisory services, ensuring interaction with the external audit and other representatives for financial control, coordination of plans, programs and schedules;

control - development of methods and organization of quality control of the work of auditors, control and analysis of the effectiveness of inspections and identification of reserves to improve work, increasing the effectiveness of control measures, maintaining contacts with departments after an internal audit.

One of the main and significant differences of internal audit is that it must be carried out as a carefully planned process (rather than a spontaneous one). The preventive nature of internal audit is an important psychological factor. This means that each audit is planned, and the staff of the unit being checked are told the time, object and criteria of the check, in order to give auditors the required level of trust and eliminate the possibility of staff evading the provision and demonstration of all the necessary data. Surprise internal audits can interfere with production activities. There are two options for conducting work by internal auditors: a horizontal model and a vertical one.

The horizontal model is used to check the compliance of an individual type of activity or process with the requirements of management systems and to evaluate its effectiveness and efficiency.

The vertical model is used to check the compliance of the activities of a particular division of the company. At the same time, it is necessary to pay attention to the fact that the horizontal model is more time-consuming, but also more significant, since it includes activities at the junctions of various departments and officials involved in fulfilling the requirements for the object of verification. In addition, horizontal checking breaks down communication barriers between departments and encourages participants in management systems to interact with each other.

The most important step in conducting an internal audit is planning. Planning, like every stage of the audit, is documented. Consider the documents that are used in the planning stage and can be developed at the enterprise. The main document used by the head of the service is the annual Program, approved by the head of the company (Table 15.1).

Table 15.1

INTERNAL AUDIT PROGRAM

The program should be designed taking into account the status and importance of activities and processes. Priority should be given to key activities and processes that have a decisive influence on the success of the company, the achievement of its goals, as well as critical activities, processes, the improper implementation of which at a certain point in time can pose a real or potential danger to the company.

Typical processes that can be attributed to the key ones are the study of demand, consumer expectations, procurement management, interaction with consumers, sales of products, training and competence of personnel.

Ranking of key processes is carried out with the help of economic or expert assessment of the impact of individual processes on the final results of the business.

Critical processes are those whose improper organization, or non-compliance with the requirements for them, may pose an actual or potential danger to the effectiveness of the activity. These processes require immediate intervention in the form of corrective or preventive actions and must be under special control. Any business process can fall into the category of critical due to various internal reasons.

Based on the annual audit program, an audit calendar and a plan for each individual or complex audit are drawn up. An Internal Audit Plan is developed for each audit, taking into account the need for resources (Table 15.2).

The plan should qualify the object of the audit both organizationally (audit of a department, group of departments, etc.) and functionally (audit of finance, marketing, etc.).

Table 15.2 INTERNAL AUDIT PLAN (for a specific site)

The head of the internal audit service (hereinafter - SBA) must also develop a plan for the development of the service. Based on the audit plan and the service development plan, the budget of the internal audit service is drawn up. It contains a list of expenses necessary to ensure the implementation of the audit plan and the development plan. The budget should also provide for the possibility of conducting unscheduled inspections and involving third-party specialists to conduct inspections.

When preparing for an internal audit, you must:

1. Group members: get acquainted with the plan and clearly define the boundaries of the audit; analyze all the documents and materials related to their duties in order to identify the most significant issues that are subject to qualified discussion with the personnel of the unit.

2. Chief Auditor: receive from the SBA all the documents specified in the plan, according to which the audit should be carried out, as well as documents related to the object of the audit: organizational and administrative documents, job descriptions, maps of processes, their detailed description, matrices of distribution of responsibility and authority, etc.; make the necessary appointments in the group and draw up an audit schedule; prepare a questionnaire; provide auditors with working materials - control questionnaires, auditor logs, non-compliance protocol forms, etc.

Questionnaire - a form with a list of questions for employees of the department where the audit is being carried out. The answers are used for a preliminary evaluation of the audit object. The questions in the questionnaire should be based on the audit criteria and cover their most significant parts, be formulated concisely, unambiguously and in a certain sequence, and allow for an unambiguous answer.

Checklist - a pre-compiled, systematized list of questions, the answers to which allow the auditor, directly during the audit, to obtain information about the degree of conformity of the state of the audit object with established requirements. Questions should be formulated in such a way that the answers give the auditor a complete and correct idea of the subject matter.

Auditor's log - a journal or form in which the auditor records the facts, the results of conversations and other information collected during the audit. Journal entries are the basis for making appropriate decisions (Table 15.3).

Table 15.3. EXAMPLE FORM OF THE AUDITOR'S JOURNAL

Columns: Criteria | List of questions | Actual state

3. Regulatory references

ISO 9000:2005 - "Quality management systems. Fundamentals and vocabulary."

ISO 9001:2008 - "Quality management system. Requirements."

ISO 19011:2002 - "Guidelines for the verification of quality management systems and (or) environmental protection."

4. Terms, abbreviations and symbols

Terms and Definitions:

Audit (verification) - a systematic, independent and documented process of obtaining audit evidence and their objective evaluation in order to establish the degree of compliance with agreed criteria (ISO 9000:2005).

Auditor - a person who has demonstrated the personal qualities and competence necessary to conduct an audit (ISO 9000:2005).

Group of auditors - one or more auditors conducting the audit with the involvement (if necessary) of technical specialists.

Applied abbreviations:

DP - documented procedure

QMS - quality management system

Conventions:

Branching/Merging Process Operations

5. Description of the process

5.1 Fundamentals

QMS audit at KPMS is carried out in order to:

  • determine the level of QMS compliance with the requirements of ISO 9001:2008;
  • determine the level of compliance of the QMS with the requirements of internal regulatory documents.

An audit can be scheduled (based on the annual audit plan) or unscheduled (based on an order of the CEO).

The frequency of a scheduled audit should be at least once every six months.

The authorized person for quality is responsible for organizing audits.

The lead auditor is responsible for conducting audits.

The annual internal audit plan is developed and approved no later than December 20. The annual plan of internal audits is developed by the Quality Commissioner. When planning internal audits of the QMS, a mandatory check of each of the departments, each of the processes and each of the requirements of ISO 9001:2008 is provided.

Before each audit, an audit schedule is developed. The schedule is developed one week before the date of the audit.

To conduct internal audits, a lead auditor, auditors and technical specialists are appointed from among the company's employees. Candidates for the lead auditor and auditors are determined by the Quality Commissioner. The appointment of the lead auditor and auditors is carried out by order of the general director for personnel. The order may indicate the date of appointment. If the term is not specified, then the lead auditor (auditor) is considered to be appointed indefinitely and loses the status of auditor only on the basis of an order of the general director on the appointment of a new lead auditor (auditor) or upon dismissal from the company.

Technical specialists are appointed (if necessary) for each audit on the proposal of the lead auditor. The appointment of technical specialists is carried out in the order for the organization to conduct an internal audit.

When scheduling the audit, the allocation of auditors and technicians to the objects of audit should exclude the possibility of them checking the departments in which the auditors and technicians work.

The need for internal audits has already become commonplace for medium and large organizations. Smaller companies don't always audit because of their smaller workflows, but some of them could benefit from such an audit. Read about improving the process of conducting, planning and preparing it in this article. Here you will also find information on the conduct of internal audit in the enterprise on an example.

Program and schedule of internal audit

Planning the audit is one of the most important stages of preparation. At this time, it is necessary to evaluate the total amount of work, determine the schedule and timing of the audit, draw up a control program, select an appropriate methodology and first identify the most disadvantaged units. Also at the planning stage, it is desirable to try to take into account potential external factors of influence.

The internal audit program is drawn up together with the plan. Most often, the program has an individual form that takes into account the most important aspects subject to control in a particular company. This document describes all the nuances of the auditor's activities and includes the following items:

  1. The main purpose of the internal audit.
  2. Application area.
  3. Definitions and abbreviations.
  4. Information about additional documents.
  5. List of those responsible for the application.
  6. Description of the audit process.
  7. Schedule and frequency of control checks.
  8. Preparation of a detailed audit plan.
  9. Preparation of necessary documents.
  10. Sequence of information collection.
  11. Nuances of preparation of the final reporting.

Order on internal audit (sample)

When an internal audit is carried out by a third-party company, an agreement must be added to the order. Only on the basis of this document is it possible to sign an agreement on conducting an internal audit.

The rules and procedure for conducting internal audit are described below.

Rules

There are certain international and Russian standards for conducting an internal audit. At the same time, it is not prohibited by law to develop your own intra-company internal audit rules. The bulk of federal standards relate to the activities of third-party auditors, regulating their work to ensure the quality of the services provided.

At the same time, internal audit standards created by a particular company cannot contradict federal and international rules. Regardless of the level of rules, they are all divided into several blocks. Of these, 3 are mandatory:

  1. Block #1 reflects the nuances of the organizational and economic activities of auditors.
  2. Block #2 indicates the responsibility of the auditors, the methods of obtaining control evidence and the procedure for drawing conclusions.
  3. Block #3 contains rules for the choice of methods, documentation, work instructions.

It is important to understand that in order to obtain reliable data from the results of the audit, it is necessary to have an audit structure with clear rules. Only systematic activity according to certain standards is capable of demonstrating a clear result.

Step by step

At first glance, conducting an internal audit is quite simple. This procedure includes only 3 steps:

  1. Preliminary preparation.
  2. Collection of audit evidence.
  3. Formulation of test results.

These stages are often called preparatory, working and final. The abolition or neglect of any of the stages deprives the internal audit of any meaning.

  • At the preparation stage, it is necessary to plan and collect the necessary data, documents and various information about the object of control.
  • The working stage involves the direct application of the selected control methods, conducting tests, searching for evidence and documenting the activities carried out.
  • At the final stage, the results of the audit are summed up, the analysis of the conducted audit is performed and the preparation of documentation is completed.

Implementation results

  • All internal audit results must without fail be documented for later study. Most often, documents mean either its smaller forms. It indicates not only information about the detected shortcomings, but also the proposed ways to eliminate them. Also, the results of the internal audit necessarily reflect potential ways to improve the efficiency of work processes.
  • In addition to the preparation of reports and other audit documentation, one more procedure is necessary. It is important to clarify in advance the criteria for the effectiveness of the work of inspectors and, upon completion of the internal audit, to analyze the quality of the control carried out.
  • Often such criteria are compliance with the stated time frame for the audit, the presence of complete and intelligible comments on all the points studied, and an indication of potential problems in the future. It is also necessary to analyze the activities of auditors for compliance with the regulations of audits and the correct use of a variety of control methods. Another criterion is the availability, completeness and timeliness of the provision of documentation on the audit.

When conducting an internal audit, a large role is given to its preparation (and do not forget about it!). Without a properly conducted preparatory part, quality work by the inspectors is impossible. A unified audit system does not exist; each company independently combines control methods, so it is worth paying special attention to the preparation, to the audit itself, and to the analysis of the effectiveness of the work.

Today, the concept of "internal audit" has become widespread in business. Many large enterprises and companies prefer to create their own internal audit services and departments, training their employees. In addition, demand in the labor market is constantly growing for specialists who have the relevant knowledge and an international diploma.

Tasks of internal audit at the enterprise

Internal audit in an enterprise is an activity that is aimed at providing objective and independent advice and guarantees to improve the activities of an enterprise. The purpose of internal audit is to assess risks, find ways to reduce them, and also increase the profitability of business processes.

Auditor advice includes evaluation, analysis and reporting on the efficiency and reliability of processes. They are addressed directly to the administration of the organization.

The main tasks of internal audit at the enterprise:

  • verification of internal control systems to determine the level of efficiency of the units;
  • development of an integrated risk management system, analysis of its work, as well as the creation of measures to reduce them;
  • control over compliance with the principles of corporate governance.

The need to introduce internal audit

Recently, in Russia, there has been an orientation towards the separation of the functions of management and business ownership. The owners implement one general strategy for the development of the organization and manage the main directions, and for solving small and everyday tasks, as a rule, they hire top managers. In this case, the enterprise uses a tool for monitoring the state of affairs - internal or external audit. It allows owners to get a complete and objective assessment of the activities of the entire organization.

The introduction of internal audit in Russian companies was influenced no less by the Federal Law "On Accounting" dated 06.12.2011. According to Article 19, from the beginning of 2013, absolutely all economic entities must carry out internal control of their economic activity.

Checklist for internal audit

Control of accounting and management accounting, as well as other areas of management, should take place at absolutely all enterprises. However, it is important to know about the features of this procedure. All processes must follow each other in an orderly manner, since it is precisely by meeting this requirement that many mistakes and problems can be avoided during audits by regulatory authorities. Completing the checklist makes the process much easier. Its role is very difficult to exaggerate.

What you need to know about the checklist

This document consists of a list of detailed audit questions. The checklist does not have a specific format established by law. However, it is necessary to follow some rules when compiling and filling it out. This will reduce the likelihood of problems in the audit process.

In fact, with the help of a checklist, you can solve a fairly large number of issues and tasks not only during the audit, but also during the ongoing activities of the enterprise. This document can be used by various organizations, regulatory agencies and their officials.

With the help of a checklist, you can solve the following tasks:

  • properly plan the audit in accordance with legal regulations;
  • carry out intermediate and selective control and conduct effective time management;
  • ensure that important parts of the audit are not missed;
  • have a memory aid at hand;
  • simplify auditing;
  • carry out the audit in a comprehensive, structured and holistic way, etc.

The legislative act that regulates the compilation of this document is Federal Law No. 307 of December 30, 2008 “On Auditing”.

Internal audit of the QMS

QMS - quality management system - one of the parts of the entire company management system, created to ensure and control the stability of economic activity, high quality and the minimization of costs for the production of products or the provision of services.

According to the QMS, the structure of the documentation is as follows:

  • quality requirements (quality manual);
  • goals and policy in the field of product quality, services;
  • necessary documented processes;
  • regulations of procedures, work instructions;
  • quality records.

The audit of quality management systems is not regulated by either federal or international legislation. Therefore, there are no mandatory legislative norms, which determine the procedure and rules for conducting an audit of quality systems at the enterprise. This is due to the voluntary desire of the organization to certify quality systems. And all the work that accompanies the construction and implementation of the quality system is also a voluntary initiative.

Consequently, organizations that are engaged in QMS audits can carry out their activities without additional licenses or other permits. And for the implementation of internal audit, these documents are needed even less. Despite this, there are special rules that govern the conduct of QMS audits. For example, ISO 19011:2011, which is called "Guidelines for auditing management systems". It can be used for internal and external audits.

Order on internal audit

An internal audit order is an internal document that is drawn up by the head of the company and establishes:

  • dates of the audit;
  • groups of internal auditors and specialists responsible for its implementation;
  • provision of conditions for internal audit;
  • control over the audit.

How to Become an Internal Audit Specialist

Every day the demand for specialists who are able to carry out internal control of the enterprise is growing. But the demands on them are also rising. They must have knowledge of the financial sector, understand internal control and corporate governance, know the national and international standards of internal audit, and understand the specifics of the activity that needs to be analyzed.

Online training comes to the rescue of always-busy financial professionals. Online courses allow you to study without interruption from your main activity, at home or at work, in convenient, comfortable, familiar conditions. Quality distance learning is not inferior to, and often exceeds, its full-time counterparts by attracting highly qualified teachers and offering a modular course system, online tests and much more.

Diplomas and certificates in internal audit

To obtain a diploma that confirms qualifications in the field of internal audit, it is worth choosing an international program of a foreign institution. To date, programs such as IPFM, IFA, ICFM and CIA are available to Russian specialists.

The International Professional Standards for Internal Audit (IASIA) require the formation of a risk-based internal audit plan, in particular, based on a formalized risk assessment conducted at least once a year.

Canonical approach.

Undoubtedly, the canonical approach can be called an approach that is based on the existing risk assessment. On this site there is quite a site, on which I will show approaches to the formation of an internal audit work plan for the year.

So, there is a risk register with calculated mathematical expectations of the current and residual risk. You need to start with ranking risks for internal audit.

The first thing to determine is which of the mathematical expectations should be used to rank the risks. My opinion - you need to rank according to the current one. The logic is approximately the following: management will always insist that “yes, everything is bad with us now (well, or everything is fine), but in the near future it will “grow up” (well, or it will become “even better”)”. As practice shows, the near future does not always come quickly (after all, the duration of human life is negligible in terms of the time of the existence of the universe, and on this scale, the near future is 100 years). Therefore, the inspection plan is drawn up based on the current mathematical expectation. But theoretically, I admit a situation where the audit plan is drawn up based on both the mathematical expectation of residual risks and the change in the delta between the expectation of the current and residual risks. The logic of the latter is an audit of the effectiveness of the efforts made by management.

When determining the complexity, it is not necessary to take into account the speed of decision-making by management. If a particular manager took a break for three weeks due to a vacation, the person from the internal audit unit needs to be loaded with something else. Yes, there are different psychotypes, and among internal auditors too. I feel like the more things I have, the more I get done. Perhaps this is just my peculiarity: stress helps someone, interferes with someone. But stress resistance seems to be required for all vacancies.

Calendar planning.

Some obvious scheduling tips.

Tip No. 1. If large changes in process curves are planned during the year, it is advisable to schedule the audit for January-February (an unambiguous example from the program above is the audit of the current procurement system).

Tip No. 2. If management has indicated a due date of March 33, then it is advisable to start the process execution audit on March 34.

Tip No. 3. Do not plan field trips for July-August. Of course, in summer, excursions are much more interesting than in winter (although for me it’s more comfortable in winter, because you don’t sweat). But tickets and other accommodation are much cheaper in February or November. We are not talking about unscheduled tasks - here, if something is needed, then it is immediately needed.