Internal AIMS Audit Process Guidelines


Summary

The internal AIMS audit process guidelines outline structured steps for evaluating an organization's management systems, focusing on risk management, compliance, and continuous improvement. This process helps ensure that operations are aligned with organizational goals and regulatory standards, using audits to reveal gaps and drive corrective actions.

  • Clarify audit goals: Start by defining clear objectives, identifying which risks and processes need attention, and mapping the audit across all relevant organizational areas.
  • Engage stakeholders: Communicate the audit plan to leadership and staff, encourage input on risks, and maintain ongoing feedback throughout the audit process.
  • Track corrective actions: After reporting findings, follow up to make sure recommended changes are carried out and unresolved issues are monitored until closure.
Summarized by AI based on LinkedIn member posts
  • Mohamed Ghoniem

    Assurance Partner

    Enhancing Internal Audit Programs through Risk-Based Auditing: A Strategic Approach

    Integrating Risk-Based Auditing (RBA) into internal audit programs enhances effectiveness and efficiency. Learn how to achieve this strategic approach:

    Understanding Risk-Based Auditing - Risk-Based Auditing (RBA) identifies and assesses key risks to an organization's objectives, allocating resources to high-risk areas for more relevant and timely insights.

    Key Steps to Integrate RBA -
    1. Understand the Organization: Understand the organization's objectives, strategies, and risk landscape by reviewing key documents and consulting with stakeholders to identify critical risk areas.
    2. Risk Assessment: Conduct a thorough risk assessment to identify and prioritize risks using tools like risk matrices and heat maps, forming the foundation of the RBA approach.
    3. Develop the Audit Plan: Develop a dynamic risk-based audit plan that aligns with the organization's risk profile, allowing for adjustments as risks evolve.
    4. Allocate Resources: Allocate audit resources based on risk assessment, prioritizing high-risk areas and adjusting resource allocation accordingly.
    5. Coordinate with Other Assurance Providers: Collaborate with other assurance providers to avoid duplication and ensure comprehensive risk coverage.
    6. Communicate the Plan: Communicate the risk-based audit plan to stakeholders to gain support and understanding of audit focus and priorities.
    7. Continuous Monitoring and Updating: Regularly review and update the risk-based audit plan to reflect changes in the organization's risk environment and ensure ongoing effectiveness.

    Benefits of Risk-Based Auditing -
    i. Enhanced Focus: RBA focuses on high-risk areas, addressing critical issues and leading to more impactful audit outcomes.
    ii. Proactive Risk Management: RBA promotes a proactive approach to risk management, helping organizations to anticipate and mitigate risks before they materialize.
    iii. Improved Resource Allocation: Efficient use of audit resources by focusing on areas that matter the most, thereby increasing the overall efficiency of the audit process.
    iv. Better Stakeholder Communication: Clear communication of the audit plan and its focus areas enhances transparency and builds trust with stakeholders.

    Conclusion - Integrating Risk-Based Auditing into internal audit programs is not just a best practice but a necessity in today’s dynamic business environment. It enables organizations to stay ahead of potential risks, ensuring robust risk management and sustained success.

  • Nathaniel Alagbe CISA CISM CISSP CRISC CCAK CFE AAIA FCA

    IT Audit & GRC Leader | AI & Cloud Security | Cybersecurity | Transforming Risk into Boardroom Intelligence

    Dear AI Auditors,

    How to frame audit objectives for AI systems

    You set the tone of an AI audit in the first five minutes. Leaders want clarity. They want to know what you will assess, why it matters, and how the results support business decisions. Strong objectives keep your work focused and help you avoid scope drift.

    You define AI audit objectives with precision. You anchor them in risk, data, governance, and system behavior. You avoid vague language. You aim for outcomes leaders understand.

    📌 Start with the business purpose
    You identify the decision that the AI system supports. You ask what the model influences in the business. You connect your audit to revenue, compliance, or customer impact. You confirm the system’s purpose before you define your procedures.

    📌 Identify the key risk categories
    You frame your objectives around model accuracy, bias, data quality, security, privacy, and operational reliability. You select only the risks that matter to the system. You write clear statements that point to specific outcomes to test.

    📌 Map the lifecycle
    You set objectives across design, development, testing, deployment, monitoring, and retirement. You focus on how the organization manages the model from end to end. You look for gaps where controls break down.

    📌 Keep objectives measurable
    You write objectives that leaders can evaluate. You define what success looks like. You define what failure looks like. You create a path for objective evidence instead of opinion.

    📌 Align with regulatory and internal expectations
    You map each objective to internal standards and legal requirements. You confirm nothing important is left out. You help leadership see how the audit supports compliance.

    📌 Close with expected outcomes
    You explain what leaders will gain from the audit. You describe how the results will support decisions. You make your work relevant and timely.
#AIAudit #CyberVerge #ITAudit #InternalAudit #ModelRisk #AICompliance #GRC #CybersecurityAudit #RiskManagement #DataGovernance #TechLeadership

  • Waqar Ahmed - CIA, CISA, CFE, AAIA, PMP, MEF, S.

    Excellence Internal Audit Manager @ Public Investment Fund - PIF Owned Company

    Internal Audit Process:

    1. Planning Phase
    Objective: Establish a clear understanding of the audit subject and develop a roadmap (audit program) for executing the audit effectively.
    Key Activities:
    > Initial Contact & Information Gathering: Understand the size, responsibilities, and procedures of the audited unit.
    > Risk Assessment: Performed to identify high-risk areas for focus.
    > Audit Objectives & Methodology: Defined and documented through the audit program.
    > Notification Letter: Sent to leadership to inform them of the audit. May include a pre-audit questionnaire or document request list.
    > Entrance Meeting: Discuss audit scope and objectives. Explain methodology and timeline. Identify scheduling concerns (e.g., staff availability). Encourage input on known risks and areas of concern.

    2. Fieldwork Phase
    Objective: Evaluate internal controls, compliance, and operational effectiveness through testing and inquiry.
    Key Activities:
    > Testing & Documentation Review: Examine transactions, records, and procedures.
    > Staff Interviews: Conducted to gain deeper insights into practices and control execution.
    > Disruption Minimization: Work is coordinated to limit interference with operations.
    > Ongoing Communication: Frequent updates and discussions with audit clients.
    > Collaborative Analysis: Observations and issues are discussed with management to identify root causes and explore solutions.

    3. Reporting Phase
    Objective: Present audit findings, recommendations, and management’s corrective action plans in a formal written report.
    Key Activities:
    > Draft Report: Initially shared with local management for review.
    > Management Response: Required for each recommendation, including: Action plan. Responsible person. Implementation date.
    > Exit Meeting: Held if needed to address concerns and clarify findings before finalizing the report.
    > Final Distribution: The final report is sent to Management and Boards.

    4. Follow-Up Phase
    Objective: Ensure that corrective actions are implemented effectively and that issues are resolved.
    Key Activities:
    > Verification Procedures: May involve document review, staff interviews, or re-auditing specific processes.
    > Ongoing Tracking: Open findings are tracked and presented at each Institutional Audit Committee (IAC) meeting.
    > Escalation for Delays: If action plans miss deadlines, the responsible party must submit a written explanation. Repeated delays require in-person explanation to the IAC.

  • Mamdouh ElSamary - CIA®, CISA®, CISM®,CRISC™, CGEIT®, PMP®

    Internal Audit & GRC Consultant | 40 Under 40 Award | Internal Audit | IT Audit | Cybersecurity Assessment | Governance | Risk | GRC | COSO | Data Analysis | Delivering Personalized Solutions for Organizational Success

    The 7-Step Audit Process (Detailed)

    A structured audit ensures accuracy, compliance, transparency, and trust within an organization. It provides assurance that financial, operational, and regulatory processes are functioning as intended.

    1️⃣ Planning – Set Objectives & Identify Risks
    ▫️Purpose: To establish the foundation of the audit.
    ▫️Key Activities: Define the scope, objectives, and type of audit (financial, compliance, operational, etc.). Identify key risks and areas of concern. Develop a comprehensive audit plan, including timelines and resource allocation. Review past audits and organizational policies.
    ▫️Outcome: A clear and approved audit plan.

    2️⃣ Risk Assessment – Evaluate Controls
    ▫️Purpose: To understand and evaluate the internal control environment.
    ▫️Key Activities: Identify potential risk areas (financial misstatements, process inefficiencies, compliance gaps). Evaluate existing control systems and their effectiveness. Prioritize high-risk areas for detailed testing.
    ▫️Outcome: A risk-based audit approach focusing on critical processes.

    3️⃣ Substantive Testing – Verify Records
    ▫️Purpose: To gather evidence supporting the accuracy of financial and operational data.
    ▫️Key Activities: Perform test of details (checking invoices, receipts, and documents). Conduct analytical procedures (comparing data trends, ratios, and variances). Verify transactions, balances, and entries.
    ▫️Outcome: Verified and reliable audit evidence.

    4️⃣ Analysis – Investigate Variances
    ▫️Purpose: To analyze results and identify discrepancies or inconsistencies.
    ▫️Key Activities: Compare actual results with budgets, standards, or prior periods. Investigate unusual trends or deviations. Identify the root cause of errors or inefficiencies.
    ▫️Outcome: Insight into operational weaknesses and areas for improvement.

    5️⃣ Review – Validate Findings
    ▫️Purpose: To ensure that audit evidence supports conclusions.
    ▫️Key Activities: Reassess findings for accuracy and completeness. Conduct peer reviews or managerial reviews for validation. Prepare a summary of key observations and recommendations.
    ▫️Outcome: A validated and quality-checked audit result.

    6️⃣ Reporting – Communicate Results
    ▫️Purpose: To present audit findings clearly to management and stakeholders.
    ▫️Key Activities: Draft the audit report, including findings, risks, and recommendations. Highlight areas of non-compliance, inefficiency, or control weakness. Suggest corrective actions and assign responsibilities.
    ▫️Outcome: A professional audit report that drives organizational improvement.

    7️⃣ Completion – Follow Up on Actions
    ▫️Purpose: To ensure corrective measures are implemented effectively.

    ✅ Benefits of a Well-Executed Audit
    • Promotes accountability and transparency.
    • Enhances operational efficiency.
    • Reduces fraud, error, and compliance risks.
    • Strengthens governance and decision-making.
    • Builds stakeholder confidence.

  • Anthony Pugliese

    President and CEO at The Institute of Internal Auditors Inc.

    NEW GUIDANCE RELEASED: GTAG – Auditing Business Applications (2nd Edition)

    In today’s technology-driven world, business applications power efficiency, compliance, and strategy. Boards and executives rely on internal audit to ensure these systems — and their controls — perform as intended.

    The Institute of Internal Auditors’ updated Global Technology Audit Guide (GTAG): Auditing Business Applications, 2nd Edition, aligned with the Global Internal Audit Standards™, provides practical guidance for auditing application-related risks and controls.

    This new edition:
    • Highlights key questions for risk assessment and planning
    • Aligns with major IT frameworks across governance, SDLC, and security
    • Addresses production support, vendor management, and data reporting
    • Considers data integrity and accuracy in AI-driven systems

    IIA members can download it at no cost at the link below. https://lnkd.in/eNBBMymQ

    #TheIIA #InternalAudit #IIAGuidance #GlobalStandards

  • Poonath Sekar

    100K+ Followers I TPM l 5S l Quality l VSM l Kaizen l OEE and 16 Losses l 7 QC Tools l COQ l SMED l Policy Deployment (KBI-KMI-KPI-KAI), Macro Dashboards,

    KEY QUALITY AUDIT PARAMETERS:

    1. Audit Information: Basic details like audit ID, date, auditor, department audited, and audit type (internal/external).

    2. Audit Criteria/Checklist: A series of questions or criteria that guide the audit process. These questions typically cover areas like:
    • Documentation and procedure compliance
    • Employee training records
    • Process adherence
    • Equipment maintenance
    • Non-conformance management
    • Customer feedback handling
    • Corrective actions

    3. Findings and Comments: A section to record observations, identify any non-compliance, and make notes on potential improvements.

    4. Audit Summary: Includes an overall evaluation of compliance, non-conformities, and recommendations for improvement.

    5. Follow-up Actions: Specifies if corrective actions are needed and who is responsible for them.

  • Mina Emad Habib

    11K+ Followers | IT Audit - Senior Supervisor @ AMAN Holding | OCEG Certified (GRCP,GRCA,IPMP,IDPP,IAAP,ICEP,IRMP)

    IT internal audit controls:

    1. Access Controls:
    Control: Implement measures to ensure only authorized personnel have access to systems and data.
    Audit Point: Review user access logs, permissions settings, and authentication mechanisms. Check for instances of unauthorized or inappropriate access.

    2. Change Management:
    Control: All changes to IT systems, especially production environments, should follow a formal change management process.
    Audit Point: Examine documentation related to system changes. Ensure approvals were obtained and testing was performed before deployment.

    3. Backup and Recovery:
    Control: Regular backups of critical data and systems should be performed. Recovery processes should also be established.
    Audit Point: Validate the frequency and success rate of backups. Test the recovery process for effectiveness.

    4. Network Security:
    Control: Secure the organization's network through firewalls, intrusion detection systems, and regular vulnerability assessments.
    Audit Point: Review network security logs and assess the efficacy of security devices.

    5. Physical Security:
    Control: Implement security measures to prevent unauthorized physical access to critical IT infrastructure (e.g., data centers).
    Audit Point: Inspect physical access logs and security measures in place at data centers and server rooms.

    6. Data Encryption:
    Control: Ensure that sensitive data, especially during transmission, is encrypted.
    Audit Point: Check encryption standards employed and assess their adequacy based on the sensitivity of the data.

    7. Incident Management:
    Control: Establish a process for identifying, responding to, and reporting security incidents.
    Audit Point: Review incident logs and assess the organization's response to past incidents.

    8. Vendor Management:
    Control: Vendors with access to the organization's IT systems should adhere to the same security standards.
    Audit Point: Examine contracts and agreements with vendors. Check for clauses related to IT security and assess vendor compliance.

    9. Application Controls:
    Control: Controls within specific applications to ensure the integrity and accuracy of transactions and data.
    Audit Point: Test critical transaction flows within applications for any anomalies.

    10. Patching and Updates:
    Control: Regularly update and patch IT systems to protect against known vulnerabilities.
    Audit Point: Review the patch management process. Check for outdated systems.

    11. Disaster Recovery and Business Continuity:
    Control: Develop and maintain a disaster recovery plan. Ensure business continuity even in the face of major IT disruptions.
    Audit Point: Evaluate the disaster recovery plan's comprehensiveness. Conduct or review results from periodic disaster recovery drills.

    12. User Training and Awareness:
    Control: Regularly train users on IT security best practices and raise awareness about potential threats.
    Audit Point: Assess the frequency and content of training programs. Check for user awareness and adherence.

  • Woan San Tan, ACCA(CPA), ISCA(CA), ACTA

    Looking for Career advancement - Hybrid or work life balance

    Internal Audit Checklist

    1. Planning and Preparation
    ✅ Define audit objectives and scope
    ✅ Identify applicable policies, procedures, and regulations
    ✅ Gather previous audit reports and risk assessments
    ✅ Notify relevant stakeholders about the audit

    2. Governance and Compliance
    ✅ Review corporate governance policies and structures
    ✅ Verify compliance with applicable laws and regulations
    ✅ Ensure adherence to company policies and procedures
    ✅ Assess the effectiveness of internal controls

    3. Financial Controls
    ✅ Review financial statements for accuracy and completeness
    ✅ Ensure proper authorization of transactions
    ✅ Verify segregation of duties in financial processes
    ✅ Check for compliance with accounting standards

    4. Operational Efficiency
    ✅ Evaluate key business processes for efficiency
    ✅ Assess resource utilization and cost-effectiveness
    ✅ Identify bottlenecks and areas for improvement
    ✅ Review quality control measures

    5. Risk Management
    ✅ Identify key risks faced by the organization
    ✅ Assess the effectiveness of risk mitigation strategies
    ✅ Verify the existence of a risk management framework
    ✅ Ensure timely reporting and resolution of identified risks

    6. Information Technology (IT) and Security
    ✅ Assess IT security policies and procedures
    ✅ Review access controls and data protection measures
    ✅ Verify cybersecurity protocols and response plans
    ✅ Check for compliance with IT governance frameworks

    7. Human Resources and Payroll
    ✅ Verify employee records and contracts
    ✅ Ensure compliance with labor laws and employment policies
    ✅ Assess payroll processing for accuracy and fraud risks
    ✅ Review employee training and development programs

    8. Procurement and Vendor Management
    ✅ Ensure vendor selection follows approved procedures
    ✅ Verify contract compliance and performance monitoring
    ✅ Assess procurement processes for fraud risks
    ✅ Check inventory management and supply chain controls

    9. Ethical and Fraud Controls
    ✅ Assess whistleblower policies and reporting mechanisms
    ✅ Review past fraud incidents and preventive measures
    ✅ Check compliance with the organization’s code of conduct
    ✅ Identify potential conflicts of interest

    10. Management Team Review
    ✅ Evaluate leadership effectiveness and decision-making processes
    ✅ Review management’s response to past audit findings
    ✅ Assess strategic planning and goal-setting effectiveness
    ✅ Ensure accountability for business performance and risk management
    ✅ Verify communication and transparency within the organization
    ✅ Evaluate management’s support for ethical practices and corporate culture

    11. Audit Reporting and Follow-up
    ✅ Document audit findings and observations
    ✅ Rate the severity of identified issues
    ✅ Provide recommendations for corrective actions
    ✅ Establish a follow-up process to ensure implementation
    ✅ Conduct post-audit review with management and key stakeholders

  • Hussein Abdel Rehim, CIA

    Internal Audit Manager | LinkMisr International Company | (EX. Deloitte)"Internal Audit, GRC, Risk Management, Fraud Examiner".

    Internal Audit Sampling is the process auditors use to select and test a portion of transactions, balances, or data rather than reviewing all available information. It helps auditors form conclusions about the entire population efficiently and effectively. Here’s a clear breakdown 👇

    🔹 1. Purpose of Sampling in Internal Audit
    • To evaluate controls and substantive procedures without testing every transaction.
    • To save time and resources while maintaining a reasonable level of assurance.
    • To identify trends, errors, or control weaknesses that may exist in the broader population.

    🔹 2. Types of Sampling
    A. Statistical Sampling
    Uses probability theory to select samples, allowing for measurable confidence levels.
    • Random sampling: Every item has an equal chance of being selected.
    • Systematic sampling: Every nth item is selected.
    • Stratified sampling: The population is divided into groups (strata), and samples are taken from each group.
    B. Non-Statistical (Judgmental) Sampling
    Based on the auditor’s professional judgment.
    • Haphazard sampling: Items selected without structured technique.
    • Block sampling: A contiguous block (e.g., one month’s transactions).
    • Judgmental sampling: Auditor focuses on high-risk, large, or unusual items.

    🔹 3. Steps in Audit Sampling
    • Define audit objective (e.g., test approval of purchase orders).
    • Identify population (e.g., all purchase orders in Q2 2025).
    • Determine sampling method (statistical or judgmental).
    • Decide sample size (based on risk, control effectiveness, materiality).
    • Select sample items.
    • Perform testing on the selected sample.
    • Evaluate results — extrapolate findings to the population and determine if controls are effective or errors are material.

    🔹 4. Factors Influencing Sample Size
    • Audit risk (higher risk → larger sample).
    • Expected error rate.
    • Tolerable error.
    • Population size.
    • Nature of control (manual vs. automated).

    🔹 5. Example
    If an auditor wants to test whether all purchase orders above $10,000 are approved by the procurement manager, they might:
    • Define population: all POs > $10,000 during Q2.
    • Choose systematic sampling: every 10th PO.
    • Test selected POs for approval signatures.
    • If 2 out of 25 lack approval, assess control deficiency and estimate potential error rate in the full population.

    🔹 6. Documentation
    Internal auditors should document:
    • Sampling objective and population.
    • Sampling technique and rationale.
    • Sample size determination.
    • Results of testing and evaluation of errors.
