How can internal audit audit a process when risks and controls are not documented?
Yes, internal audit can still perform the engagement, but the objective should be framed carefully. Start by identifying the process objective and the risk, not by asking for a finished control matrix. If management has no formal documentation, perform walkthroughs, review available evidence, and build an audit working map of expected controls, actual practices, owners, and evidence sources.
That working map is not management's official control inventory. It is the auditor's documentation of understanding. The report can then conclude on design gaps, missing ownership, or limited ability to test operating effectiveness. For example, if Keystone Medical Devices has no approved process for reviewing employee-purchased cloud tools, internal audit can report that management has not designed a consistent control for identifying unauthorized software that stores company data.
For the CIA exam, the key is sequencing: objective, risk, expected control, actual control, evidence, design conclusion, and then operating-effectiveness testing only if the design is testable.