1) To explain the existing internal audit process as it exists at XYZ. This process helps to formalize and document how audits are planned, conducted, closed and analyzed at the company.

2) To highlight problems with the existing audit process. These problems have pushed the IT department to automate the audit process. XYZ Corporation wishes to outsource the automation of this internal audit process. This case study is aimed to serve as a starting point for the software vendor who would do the job for them.

AUDIT PROCESS EXPLAINED

• The Process group is responsible for planning audits for the company on a monthly basis.
• An audit schedule is prepared using a list of qualified auditors and their time availability.
• An audit schedule after preparation is released, which comprises of planned dates for audits of each project
• This schedule is released to all Project Managers 2 weeks in advance for them to get their projects up to speed with the audits
• During the course of the month, the audit is conducted as per schedule (or changed schedule depending upon project), involving the auditee , auditors.
• The auditor uses an audit checklist to conduct the audit. The auditor verifies, discusses each checkpoint of the checklist with the auditee. Discussion on each checkpoint can lead to the following:
  • A Non Conformance (NC) can be raised if project does not conform to the checkpoint
  • An observation, recommendation can be raised if partial conformance is observed or in the event that the auditor wishes to document an observation or finding
  
  
• All NCs, Observations, Recommendations are filled up by the auditor in an audit report. This report is sent to the auditee after the audit for taking action against NCs, Recommendations and Observations
• The auditee is given 2 weeks to close the NCs, Recommendations and Observations. This is done by identifying corrective, preventive actions (CPA) for each NC, Recommendation, Observation in the Audit Report. The corrective, preventive actions also need to be implemented in the project. The auditee marks each NC, Recommendation, Observation as closed in the report after filling in CPAs.
• Once the CPA's have been identified, the auditor would verify the same in the audit report. The auditor would also verify the implementation of each CPA for completeness. On finding CPA's and their implementation complete the auditor would mark each NC, Recommendation, Observation as Closed&Verified.

• The process group spends a lot of time, effort in checking, confirming time availability of auditors. This leads to delay in preparing the monthly audit schedule.
• Multiple copies of Audit Reports are maintained. One copy which the auditor prepares initially, another which is maintained by the auditee. This one contains the CPAs. Copies of the report can lead to confusion, version conflicts.
• The entire audit process is paper based. All previous audit reports, checklists have to be maintained in paper files. This exposes a risk of loss of old data and all other problems that come with paper based documentation.
• Since history of audits are maintained in paper documents, audit analysis becomes very painful for the process group every quarter

• Automate the entire existing process of Insurance as described above.
• Resolve all existing problems encountered as mentioned above in the existing insurance process