Image: Thumbnail of Report Cover

Example internal audit protocol

The format and content of the internal audit protocol is a matter for the Head of Internal Audit in consultation with entity management. This example includes the key points found in a better practice internal audit protocol.

This type of document is intended for general reference by both management and internal audit and therefore ought to be made widely available (for example, by publication on the entity intranet).

Entities are encouraged to review their existing protocol against this better practice example.


This protocol outlines the respective roles and responsibilities of internal audit and management in the course of an audit and the opportunities for consultation during the audit process.

The purpose, responsibilities and authority of the internal audit function are set out in the Internal Audit Charter which was approved by the [Chief Executive/Board].

Planning and consultation

Internal audit prepares an internal audit strategy and a work plan in consultation with the [Chief Executive/Board] the Audit Committee and senior management. The internal audit strategy provides the context for internal audit activity. The audit work plan is based on the risks facing [entity] and the business improvement opportunities available to [entity].

The internal audit strategy and work plan are approved by the [insert as agreed]. The audit work plan is available at [entity intranet address].

In addition, internal audits not on the work plan can be commissioned by the [Chief Executive/Board], the Audit Committee or management.[57]

Audit process

The various stages in the audit process are outlined below.

Preliminary consultation

Prior to commencing the audit, internal audit will consult with the relevant senior manager on the:

  • objectives and scope of the audit;
  • likely commencement date and duration;
  • locations to be visited; and
  • nomination of a responsible manager from the area audited.

Any significant changes from the scope documented in the approved work plan will be subject to approval by the Audit Committee.

Opening interview

An opening interview will be conducted shortly before the start of the audit with management of the area to be reviewed. The purpose of the opening interview is to:

  • enable the audit team to meet key staff of the area being reviewed;
  • clarify the objectives, scope and timing of the audit;
  • provide an opportunity for staff of the area being reviewed to present their views and perspectives on the matters subject to audit;
  • finalise the plan for conducting the audit in terms of timing, duration, staff involvement; and
  • arrange access to buildings, personnel, files, systems and data in order to commence fieldwork.


Internal audit is committed to a ‘no surprises’ approach and ongoing discussions will be held with management as findings emerge and conclusions are developed. At the mid-point of the audit, a formal meeting will be sought with the audited area to discuss the progress of the internal audit and any emerging issues.

If necessary, internal audit will communicate significant matters of concern to the Chief Executive and/or the Audit Committee prior to the completion of the final report.

At the conclusion of the fieldwork, internal audit will hold discussions with nominees of the audited area. The aim of the discussions is to explain the issues identified by internal audit and to develop practical responses in cooperation with the area under review.

Exit interview

Following the discussions, internal audit will prepare a first draft report to be used as the basis for discussion at an exit interview.

The purpose of the exit interview is to:

  • advise management about the provisional findings, conclusions and recommendations;
  • afford management the opportunity to correct any misunderstandings or misinterpretations;
  • discuss findings and conclusions and obtain management’s views; and
  • discuss the practicality of recommendations and timeframes for any remedial action.

Draft report

Internal audit will issue a final draft audit report promptly following the exit interview, generally within 10 working days.

Management comments

On receipt of the final draft report, management of the work area under review should:

  • consider the findings and recommendations in the draft report;
  • formally advise internal audit whether management agrees or disagrees with the recommendations in the draft report;
  • where management agrees with a recommendation, management should:
  • prepare an action plan to address the recommendation;
  • set a timeframe for implementing the action plan; and
  • nominate the individual responsible for implementation;
  • where management disagrees with a recommendation, the reason for the disagreement should be provided.[58]

If any residual errors of fact remain, management must notify internal audit promptly.

Management comments are required within [insert number of days] working days of the receipt of the draft report so that they can be included in the final report.

Final report

Within five working days of the receipt of management comments, internal audit will issue a final report to:

  • the Chief Executive;
  • the Chair and members of the Audit Committee; and
  • management of the audited area.

Where appropriate, lessons learnt and examples of better practice will be disseminated to a wider audience in [entity].

A client satisfaction questionnaire will be sent with the final report. The manager of the audited area should complete the client satisfaction questionnaire and return it to the Head of Internal Audit. The Head of Internal Audit will follow up on any feedback indicating possible shortcomings in internal audit performance.

Monitoring the implementation of agreed recommendations

The Audit Committee is responsible for examining all internal audit reports and monitoring the implementation of recommendations.

Internal audit assists the Audit Committee in monitoring progress in implementing agreed recommendations. Internal audit will, therefore, periodically seek advice from management regarding progress in implementing agreed recommendations.

With the endorsement of the Audit Committee, internal audit may conduct further reviews with a view to determining whether agreed action has been completed and the reported issue satisfactorily addressed.

[58] While management agreement is not always necessary, it would be expected that discussions would be held with the aim of reaching agreement. The reasons for any disagreement will be included in the final audit report together with any internal audit response.