Robust Audit Tools and Best Practices

Check out the 25 most frequently viewed audit tools and publications on KnowledgeLeader in 2024.

1. Internal Audit Department Key Performance Indicators (KPIs)

This benchmarking tool provides a comprehensive framework for evaluating the performance of an internal audit department using different metrics and indicators. Key concepts discussed include developing effective communication strategies to drive management and employees to action. Metrics include monitoring the percentage of implemented recommendations within agreed-upon timelines, the frequency of surprises at exit meetings, report cycle times, and more. The concept of positioning internal audit as a change agent is also introduced with metrics like issues identified using facilitated sessions compared to traditional audit approaches. The document also emphasizes integrating technology into the audit process to enhance efficiency and effectiveness. This can be measured by tracking factors such as average hours of EDP auditing training, utilization of standardized/automated tools, or ratio of microcomputers to auditors. 

2. Entity-Level Controls: The Importance of Setting the Tone

An effective organization of consequence, whether public or private, attempts to strike a balance between its mission (usually but not always profit) and its responsibilities to employees, the community, the government (laws and regulations), and society at large. This is accomplished through “corporate governance,” or what was once known as “business ethics.” Most experts believe that to be truly effective, corporate governance must start at the top with a set of policies called entity-level controls. Entity-level controls are policies, rules, procedures and standards of behavior that apply to members of the board of directors, senior company officers, top management, and rank-and-file employees. It’s a well-established fact that the behavior of upper management tends to “set the tone” for the subsequent behavior of everyone else down an organization's chain of command. This is why entity-level controls are often called “tone at the top controls.”

3. Process Classification Scheme (PCS)

The Process Classification Scheme (PCS) document, powered by Protiviti's KnowledgeLeader platform, provides a framework for businesses looking to categorize and understand their core functions and processes. This scheme delineates business activities into two primary categories: operating processes and managing and supporting processes, thereby providing a structured approach to analyze and optimize organizational performance. It is instrumental in identifying strategic, operational and tactical levels of business functions, promoting a common language for better communication and alignment within the company. The PCS acts as a road map and guides organizations in recognizing essential activities that drive value creation and efficiency.

4. Process Documentation Narrative and Flow Chart Guide

Documenting the understanding of a process, related controls, and key roles and responsibilities can be achieved through process narratives and flow charts. Both of these documentation techniques assist internal audit teams and those responsible for the processes with establishing a common understanding of a process. Once these documents are confirmed as accurate, they provide a baseline for performing risk analysis, testing internal controls and implementing process improvements as necessary. Discover the essential elements of process documentation narratives and flow charts with our comprehensive guide, including a process flow example.

5. Internal Audit Feedback Questionnaire

This tool includes 10 sample questionnaires that can be used by internal audit functions to gather client feedback and measure client satisfaction. Sample questions include: What is your overall evaluation of internal audit’s performance for this project? How much value do you believe the audit provided to your group/department? How likely are you to use internal audit for future projects? How much would you be willing to recommend internal audit to other members of management? Would you ask internal audit for help in a situation warranting their attention? Does internal audit perform work efficiently and effectively in an acceptable amount of time? 

6. Management Response to Internal Audit Reports Memo

7. Treasury and Cash Management Audit Work Program

This document includes two sample treasury and cash management work programs that focus on adequacy of controls, overall efficiency and effectiveness of processes, and compliance with policies and procedures. Specific areas of review include wire transfers, investments, cash management, foreign exchange exposure, interest rate swaps and check issuance practices. Project work steps include: conduct project planning, scope setting and client requests/coordination; coordinate meetings with key process personnel; review best practices for cash management, cash flow, treasury operations and financial risk management; obtain data for testing (see test descriptions in each section); etc.

8. Payroll Audit Work Program

A payroll audit can help a company provide an evaluation of the internal and business environment to ensure that the internal controls are in place and operating effectively, evaluate the effectiveness and efficiency of the payroll cycle process, and develop recommendations to effect meaningful change. By conducting regular payroll audits, companies can protect themselves from errors, fraud and financial losses. The two sample work programs included in this document were designed to help you design a comprehensive and systematic approach to auditing your payroll processes. The steps included in these samples allow auditors to gather sufficient evidence to support their audit findings and recommendations.

9. Accounts Payable RCM

A successful risk management strategy requires a strong internal control environment. The RCM format emphasizes that strong and risk-oriented internal control environments are often optimized with automated/manual controls, depending on the situation. An RCM provides an overview of different control objectives that organizations should take into consideration and the corresponding controls to safeguard the company against risks that may arise if not checked in a timely manner. Once customized to an organization, this document can help the user in assessing each control. The control assessment can then also be summarized to develop an action plan.

10. Physical Inventory Count Memo

Organizations can use the physical inventory instructions in this sample memo to compare counted quantities to on-hand quantities in order to identify discrepancies. Sample steps covered in this memo include leading the count team in the physical counts for each designated area; assigning sheets to count team members; collecting all completed count sheets and delivering them to the area coordinator; ensuring that all counters are properly maintaining count sheets, legibly recording counts on sheets and initialing the count; ensuring that all items are physically marked with colored labels after counting; and communicating directly with the war room on issues regarding inventory counts for each designated area.

11. Procurement Internal Controls Audit Work Program

This sample audit work program reviews the internal controls in an organization’s procurement process. Sample questions to consider include: Are purchase orders based on authorized requisitions? Are purchase orders properly coded to identify the cost objective (direct, indirect or inventory)? Are purchase orders serially controlled and accounted for? Is the use of standardized purchase orders required? Are effective numerical document controls or status reports maintained to record the receipt of purchase requisitions? Does the purchasing department maintain specifications for all materials and services used by the contractor? Are requirements combined where appropriate? Are the receiving and inspection functions separate from the purchasing function?

12. Inventory Management Questionnaire

The Inventory Management Questionnaire allows auditors to gain valuable insights into the organization's inventory management processes. The attached sample questionnaire is structured around key areas such as forecasting, inventory accuracy, supplier base optimization and tactical management. By utilizing this tool, auditors can better understand how the organization strategizes its inventory management to meet market demands while maintaining high customer satisfaction. In addition to providing an overview of the company's current practices, the questionnaire probes potential weaknesses and areas for improvement in its systems. Questions concerning electronic and automated inventory management tools, frequency of physical counting, and performance measure computation offer auditors a clear picture of where the company stands. This will aid in identifying gaps and recommending improvements in the system.

13. Control Self-Assessment Questionnaire

Strengthen your financial reporting and general ledger controls with our specialized self-assessment questionnaire. Sample questions include: Are the policies and procedures in your area documented? Are the policies and procedures in your area up to date? Which risks do you see that threaten the business objectives of your area? How do you control the major activities, output, etc., in your area? What are the key information systems utilized in your area? Do senior and line management executives demonstrate that they accept control responsibility, not just delegate that responsibility to financial and audit staff? 

14. Financial Due Diligence Report

Our Financial Due Diligence Report serves as a comprehensive tool for auditors to meticulously examine the financial health and operational efficiency of a target company. It aids in identifying and analyzing key financial metrics such as profitability, asset valuation, liabilities, cash flow and working capital requirements. The report also delves into contractual obligations, contingent liabilities, related-party transactions and revenue recognition policies to ensure that all aspects are thoroughly vetted. Additionally, it evaluates projections and assumptions made by management regarding future performance while providing an in-depth review of human resources, IT systems and internal controls. The Financial Due Diligence Report is an essential document utilized primarily to evaluate the financial stability and business viability of a company before a potential acquisition, merger or investment. 

15. IT Disaster Recovery Plan Assessment Checklist

This comprehensive tool is designed to help organizations evaluate their existing IT disaster recovery plans. It provides two sample assessment checklists, each with a series of best-practice questions tailored for both regulated entities, like banking or SEC-regulated firms, and non-regulated entities. The first sample focuses on pre-planning, plan development, plan testing and plan maintenance. Questions in this section assess whether the organization has followed an industry-standard disaster recovery methodology, performed a business impact assessment (BIA), consulted business process owners during BIA, carried out a risk management review, prepared a recovery options list approved by management, among others.

16. IT General Controls Questionnaire

IT general controls are critical and central to business processes. They typically impact multiple applications in the technology environment and prevent certain events from impacting the integrity of processing data. Computer operations, physical and logical security, program changes, systems development, and business continuity are examples of processes where general IT controls reside. The objective of these controls is to mitigate risks associated with their pervasive effect on the reliability, integrity and availability of processing relevant data. In this questionnaire, you can determine whether the control exists, whether it was designed properly, related test procedures and management's action plan for deficiencies.

17. Director of Internal Audit Job Description

This job description sample outlines the responsibilities, key selection criteria and general information for the director of internal audit role. The director of internal audit is responsible for preparing and implementing a risk-based audit plan to assess, report on, and make suggestions for improving the company’s key operational and finance activities and internal controls. Additionally, the position is responsible for identifying and assisting in documenting existing internal finance and disclosure controls, implementing and documenting new internal controls, and establishing an internal monitoring function to audit the company’s compliance with such internal controls.

18. Enterprise Risk Management Questionnaire

The ultimate goal of enterprise risk management is to evaluate total returns relative to total risks, leading to more informed business decisions. Many ask questions about its value proposition. This questionnaire can be used when analyzing an organization’s enterprise risk management strategy. Sample questions include: What is the overall risk appetite of the organization? How well are strategic and related objectives defined? How do internal and external forces impact the risk profile? Are you aware of any instances of fraud within the company? How are risks monitored and reported within the organization? What communication barriers are present within the organization?

19. Sarbanes-Oxley Roles and Responsibilities Guide

Understand the roles and responsibilities of Sarbanes-Oxley (SOX) team members with our comprehensive guide. Team members include the process/control owner, risk control specialist (RCS), project management office (PMO) and internal controls steering committee (ICSC). Process/control owners have the primary responsibility of updating control descriptions for those controls in which they have been identified as the control owner. The RCS has a primary responsibility of assisting the PMO and process and control owners with all requirements for SOX. The PMO has the primary responsibility of managing the company’s SOX compliance program.

20. Developing Budgets Key Performance Indicators (KPIs)

This tool provides strategies on enhancing the budget development process with key performance indicators (KPIs). It emphasizes the importance of integrating strategy with budgeting, suggesting that clear strategic goals should be set before initiating the budgeting process. It also highlights effective communication across all levels of management for better information flow. With the two samples included in this budgeting benchmarking tool, you can evaluate different review procedures for evaluating proposals. For instance, some companies might foster competition among business units while others might employ negotiation or portfolio-management techniques to make resource allocation decisions. The use of cross-functional teams is encouraged for balanced evaluation of major proposals.

21. Internal Audit Engagement Memo

This internal audit engagement memo informs an auditee of an upcoming audit and includes the objectives of the audit, proposed timetable and audit team members. In this sample, internal audit solicits a meeting with the department head to discuss audit objectives and seek input. The team will discuss audit results and potential recommendations of the audited area with management before scheduling an exit conference with the department head. The department head will receive a draft audit report prior to the exit conference and a final audit report after the exit conference.

22. Project Management Office (PMO) Questionnaire

The Project Management Office (PMO) Questionnaire is a strategic tool designed to assist organizations with evaluating the effectiveness and comprehensiveness of their project management practices. This document includes two sample questionnaires that can be used to gather critical insights from various stakeholders involved in project management, including executives, project managers and team members. Through detailed questions covering areas such as program goals, governance structures, scope management and performance metrics, this questionnaire helps identify strengths and pinpoint areas that require improvement within a PMO framework. This tool includes multiple sections, each focusing on different aspects of project management, such as risk and issue management, financial management, staffing, communications, and quality control.

23. Audit Planning Memo

This tool provides three sample planning memos, which serve as a report of an internal audit function’s high-level assessment of the company’s audit planning process and outline what should be included in an audit planning memorandum. The audit planning memo can be used for reviewing the effectiveness of the function and confirming that the scope and direction of the group are aligned with industry best practices. In these memos, internal audit evaluated the effectiveness of any existing controls that, based on sample testing, have consistently been in operation during the audit sample period. Memo sections include background, scope and approach, baseline description, and recommendations.

24. Accounts Receivable Internal Controls Questionnaire

The accounts receivable internal controls assessment process aims to ensure compliance with regulatory requirements, specifically the Sarbanes-Oxley Act. This sample Accounts Receivable Internal Controls Questionnaire is a comprehensive tool developed to allow owners of core functions and processes within a company to perform a self-assessment of their operations' controls. The aim is to provide completed questionnaires to executive management, aiding them in supporting their certifications on the annual report on internal and disclosure controls as required by Sections 302 and 404 of the act. The document contains two different samples of questionnaires focusing on various areas including system changes, responsibilities assessment, adequacy of controls related to specific processes, accounts receivables processing systems, customer database access restrictions, credit limit establishment procedures, and more. Detailed tables are present where respondents can mark their responses alongside providing explanations for each answer. 
