Audit procedures, while not directly related to profit growth, can greatly improve operations. The internal audit program of any institution should maintain a user friendly and centrally located set of policies and procedures that govern internal audit functions.
Smaller institutions do not require the level of formality required in larger institutions regarding audit procedures; however, all procedures should contain a mission or purpose statement outlining objectives. Also, provide objectives and principal responsibilities of the audit staff, audit management and audit committee (board). There should also be a section outlining audit procedures for each line of business.
There are two formal risk assessment methodologies used by both government and industry; they are maintained by the Internal Organization for Standardization (ISO; see Resources) and International Association of Auditors (IAA). Both systems provide examples of audit procedures. These boilerplate procedures are specific to the industry.
The audit plan is detailed within the procedures and includes audit goals, schedules, staffing needs, accountability and reporting. In general, audit plans are written every 12 months and formally approved by an audit committee. Internal auditors report the plan against the actual audit results and changes are made.
Update the risk assessment at least annually or more, depending on the nature of risks within your industry. This is particularly relevant on a year with major shifts in political cycles. Updates should also reflect any changes to internal control or work processes. Requirements for documentation of all work performed and the follow-up process to determine next steps on significant deficiencies should be outlined in procedures.