Script

The document outlines key concepts in auditing, including flowcharts for visualizing processes, Internal Control Questionnaires (ICQs) for assessing controls, and the importance of effective reporting and follow-up. It emphasizes the need for metrics to measure performance and the integration of people, processes, and technology for organizational success. Best practices and common pitfalls are also discussed to enhance understanding and implementation of these auditing tools.

Uploaded by

Knight Queen
Copyright: © All Rights Reserved

FLOWCHARTS

Definition:
A flowchart is a visual diagram that shows the sequence of steps in a business process or
activity. It's commonly used in audits to document workflows.

Why It's Used:

● To understand and communicate how a process works.
● To spot inefficiencies like delays, handoffs, or redundancies.
● Easy to understand, especially for visual learners.

Key Symbols to Know:

● Oval – Start or End of the process
● Rectangle – A step in the process
● Diamond – Decision point
● Arrow – Direction or flow

Best Practices:

● Define start & end points clearly.
● Walk through the process chronologically.
● Get team consensus and approval.
● Combine with narratives for better detail.

Pros:

● Visual and easy to review
● Useful for discussions

Cons:

● Can be too detailed
● Requires learning symbols

INTERNAL CONTROL QUESTIONNAIRE (ICQ)

Definition:
An ICQ is a list of questions used to assess internal controls in specific areas of a business.

Why It's Used:

● Collect info quickly, especially in large organizations.
● Evaluate control practices without needing interviews for everyone.

Types of Questions:

● Open-ended: “Describe your process for vendor payments.”
● Closed-ended: “Are receipts prenumbered?” Yes/No.

Tips for Use:

● Questions must be clear and focused.
● Combine ICQs with interviews and flowcharts for complete info.

Pros:

● Easy to develop and flexible
● Focuses on specific control areas

Cons:

● Might miss deeper insights
● Could limit creativity in responses

REPORTING

Definition:
This phase involves communicating audit findings (also called observations), and suggesting
recommendations.

What Makes an Effective Finding? (CCCER Framework):

1. Criteria – What should happen
2. Condition – What actually happened
3. Cause – Why there’s a difference
4. Effect – What’s the impact
5. Recommendation – What should be done

Design vs. Operating Deficiencies:

● Design: The process structure itself is flawed.
● Operating: Controls aren’t working as intended.

Best Practices:

● Discuss findings with process owners first.
● Encourage owners to suggest their own solutions.
● Avoid creating dependency on auditors for every fix.

FOLLOW-UP

Purpose:
To check if corrective actions were implemented and effective.

When to Follow Up?

● Immediately: For high-risk issues (e.g., security flaws)
● Several months to a year: For most other findings

Methods of Verification:

● Review updated documents
● Test new processes
● Site visits if needed

Why It Matters:

● Shows that internal audit adds value.
● Prevents recurring issues.
● Builds credibility with management.

Red Flags in Follow-Up:

● Symptoms treated, not root cause
● Temporary fixes
● No action taken (ignored findings)

METRICS

Definition:
Metrics are performance indicators used to measure how well a process or goal is being
achieved.

Why They're Important:

● They guide action and focus attention.
● Help in decision-making and process improvement.
● Provide accountability and support reward systems.

Tips for Effective Use:

● Metrics must be relevant and aligned with goals.
● Make them visible and regularly reviewed.
● Tailor reports based on the audience.

Balanced Scorecard:
A tool to view organizational performance across multiple perspectives—not just financial.

Example Metrics in Supply Chain:

● Cost per unit
● Inventory turnover
● Delivery lead time
● Customer complaints

Remember:
Don’t measure everything—just what truly matters.

PEOPLE, PROCESSES, AND TECHNOLOGY

The Golden Triangle of Organizational Success:

1. People – Skills, motivation, training
2. Processes – Structure, workflow, design
3. Technology – Tools that support the above

Key Concept:
All three elements must work together. Improving one won’t fix the problem if the others are
broken.

Common Mistakes:

● Using new tech to fix a broken process = failure
● Hiring more staff for a broken system = waste
● Skipping training or communication during changes = resistance

Best Practices:

● Address all three areas in change initiatives.
● Communicate benefits clearly.
● Provide training and support during transitions.

SCRIPT

FLOWCHART

A flowchart is a diagram that shows the sequence of steps in a process. Internal auditors use it
to understand how a business activity works and to spot areas for improvement. It’s a visual
representation of processes, and each symbol has a specific meaning, which I’ll explain in the
next slide.

These are the standard symbols used in flowcharts:

● The oval is for the start and end of the process.
● A rectangle shows a regular step or task.
● A diamond represents a decision point, like a Yes/No question.
● A parallelogram is used for input or output, like entering or receiving data.
● A circle or arrow connects different parts of the flow.
● The cylinder shows storage—like a file or database.
● The wavy rectangle is for paper documents used in the process.

Define boundaries – What’s the start and end?

List steps in order – Walk through the process.

Use proper symbols – Based on each action.

Check completeness – Are there any loops, dead ends, or missing steps?

Review with the team – Get feedback and approval.

✅ Advantages:
●​ Easy to understand
●​ Great for teaching and analysis
●​ Helps visualize errors and inefficiencies
●​ Supports team discussions

❌ Disadvantages:
●​ Can become too detailed
●​ May take time to create
●​ Requires learning the correct symbols

Let me walk you through a real-world example of a flowchart using all the symbols:

● The oval marks the beginning: "Start."
● Rectangles show steps like receiving and logging the order.
● Diamonds show decisions like "Is the item in stock?"
● A parallelogram is used to show sending confirmation emails.
● We use a cylinder to show storing transaction records.
● If there's a paper receipt, the wavy rectangle would represent it.
● Arrows and connectors guide us from one step to the next.

INTERNAL CONTROL QUESTIONNAIRE

An ICQ is essentially a list of questions designed to evaluate how well controls are functioning in
a specific area. Auditors use it to collect information quickly and efficiently, especially when
dealing with large departments or multiple locations.

Why is it used?

ICQs are particularly helpful when there's a lot of ground to cover. Instead of interviewing
everyone one by one, auditors can distribute questionnaires to gather input from many people
all at once. This saves time and allows them to identify risks faster.

Types of questions

● Open-ended: Requires explanation
  ○ Example: "Describe the process of handling cash receipts."
● Closed-ended: Yes/No, multiple-choice, or numeric
  ○ Example: "Are receipts prenumbered? Yes or No."

ICQs can include both open and closed questions. Open-ended questions help uncover details
and explanations, while closed-ended ones give quick, factual answers. Using a mix ensures
the auditor gets both depth and clarity.

Tips for use

When creating ICQs, it’s important to be clear and direct. Use language the respondents will
understand and include a mix of question types. Always tailor the questions to the specific
process or department you’re auditing.

Advantages

ICQs offer many benefits. They’re simple to create, provide consistency in audits, and can be
adjusted to fit different departments or operations. They're a quick way to gather and compare
control-related data.

Disadvantages

However, ICQs have some limitations. Because they're question-based, they might not reveal all
the complexities of a situation. That’s why auditors often use them along with other tools like
interviews or flowcharts.

REPORTING

Reporting is the phase where internal auditors communicate the results of the audit to
management and other stakeholders. It’s not just about pointing out problems—it’s about
sharing insights and solutions, all based on solid evidence.

The purpose of audit reporting is to document what was found, explain why it matters, and
suggest how to fix it. A good audit report is more than a checklist—it’s a tool that drives
improvement and accountability.

CCCER Framework

A strong finding includes five elements; this is called the CCCER model. It starts with the
criteria, or what’s expected: what should exist or occur. It then states the condition, or
what’s actually happening (what the auditor discovered). The cause explains why there’s a
gap or difference, the effect shows the impact, also referred to as the consequence, and lastly,
the recommendation suggests how to fix it.

Design vs. Operating Deficiencies

● Design Deficiency: A poorly structured process.
● Operating Deficiency: A process not functioning as intended.

Findings usually fall into two categories: design deficiencies, where the process itself is
flawed, and operating deficiencies, where the process exists but isn’t working as it should.
Identifying which type it is helps management respond more effectively.

Best practices

While the CCCER model includes R for recommendation, this doesn’t mean that the auditor has
to formulate every recommendation every time. In most cases, telling clients what to do
presents two key problems: dependency and lack of ownership.

A good practice is to involve the process owners—the people directly responsible for the area
being audited. Letting them review findings first encourages transparency, ownership, and often
better solutions.

FOLLOW-UP

After the audit report is issued, what’s next?

That brings us to Follow-Up. This is where auditors check whether the recommended
corrective actions were actually implemented—and whether they worked.

If follow-ups don’t happen, it could mean serious problems are left unresolved. Worse, it might
send a message that audit results aren’t taken seriously. This phase protects the value of the
audit and helps improve the organization.

When to follow up?
Depends on the severity of the finding:

○ High-risk: Immediate follow-up (e.g., security breaches)
○ Medium/low-risk: Usually 3 months to 1 year

The timing of follow-up depends on how risky the issue is. For critical problems like system
failures or safety threats, the auditor should check right away. For less urgent issues, a few
months is more realistic.

Methods

To follow up, auditors might review updated policies, check new transaction records, visit the
workplace, or even redo some of their original tests. The goal is to confirm the problem was
corrected properly.

Red flags

Sometimes, even after a follow-up, the problem is still there. That might be because the fix only
addressed the surface issue—or the solution didn’t stick. In some cases, management might not
act at all, which is a major red flag.

A successful follow-up means the problem has been resolved, and the solution is effective.
This shows that internal audit isn't just about pointing out flaws—but actually helping improve
the organization.

METRICS

Metrics are simply ways of measuring performance. In internal auditing, they allow us to
compare what should be happening versus what is actually happening—and that’s key in
identifying areas for improvement.

Why Are Metrics Important?

We’ve all heard the phrase, “what gets measured gets managed.” If something is important, we
should track it. Metrics help managers and auditors identify weaknesses and make better
decisions based on real data.

Good Metric Practices

Not all data is useful. Good metrics are purpose-driven—they support goals, are easy to
understand, and trigger action. It’s also important to present them in ways that fit your audience:
top-level summaries for executives, and detailed breakdowns for front-line managers.

The Balanced Scorecard Approach

A great tool for organizing metrics is the balanced scorecard. It’s a framework that combines
different kinds of metrics (financial & non-financial) to give a full picture—not just profits, but also
customer satisfaction, process efficiency, and employee development.

PEOPLE, PROCESSES, and TECH

Lastly, I want to talk about the three pillars of operational success: People, Processes, and
Technology.

You can’t fix a broken process just by buying new software or hiring more people. These three
elements—people, processes, and technology—must work together in harmony. If one is weak,
the whole system suffers.

For example, if a company has a confusing payment system, adding new employees won’t help
unless the process itself is redesigned. And even the best technology can’t fix things if
employees aren’t trained or motivated to use it. Real success comes from aligning skills,
structures, and tool

Mistakes

Many organizations make the mistake of jumping to a quick fix—like buying a fancy new system
or hiring more people. But if the underlying process is flawed, these efforts won’t help. And if
people don’t understand or accept the changes, the improvement won’t last.

Practice

So what should organizations do instead? They should approach change holistically—fix the
process, train and support the people, and make sure the technology is the right fit.
Communication is critical so everyone understands what’s changing and why.
