Hellow. Kindly assist here. How can Internal Audit proceed to audit an area in the company where there are no processess or controls at all. Or Rather, what should the Internal Audit do in an area in the company that does not have processes or has outdated policies and processes.
Thank you soo much I appreciate that
Hello! Thanks for joining the forum! In our opinion, where there are no processes or controls, and a lack of documented policies, the design of the process does not appear adequate. You ultimately have two options here: 1. Internal Audit acts as a consultant / trusted advisor. You will begin by helping the business area document their processes in a process map and identify any existing controls or risks. You will then help the business area document their policies, design new controls and implement a new way of working. You will then need to come back in a year and have another auditor review the area and assess if the controls are design, implemented and operating effectively. 2. Internal Audit takes a full substantive approach. Obtain data, agree the data back to supporting information and ensure there has been no fraudulent activity. Option 2 will provide you with assurance that the numbers or data is correct for a period of time, however Option 1 is necessary if you want to implement good governance and good ways of working within a business. For some basic controls for Finance, IT and Entity Level controls, you can view our templates here. Let us know how you go with it!