TPL-IA — Internal Audit (IIA-aligned)
Risk-based internal audit per IIA International Professional Practices Framework (Standards 2010–2440). Outsourced or co-sourced for clients without in-house IA. Output: scoped IA report with findings, root causes, recommendations, action plan.
Template metadata
| Field | Value |
|---|---|
| code | TPL-IA |
| requires_workpapers | 0 (uses task checklist instead) |
| est_total_hours | 50-200 per IA cycle |
| typical duration | 4-12 weeks per cycle (annual / quarterly cycles common) |
| deliverables | Risk-based IA plan · Scoping memo · Working papers · IA report (findings + recommendations + action plan) · Follow-up report |
| quality_criteria | Independence statement · Risk-based scoping documented · Findings cross-ref to evidence · Mgmt response captured |
The 5 task phases
| Phase | Key tasks | IIA Std |
|---|---|---|
| planning | Annual risk assessment · IA universe + cycle plan · scoping memo · resource allocation | 2010, 2200 |
| fieldwork | Walkthrough · controls testing · sample selection · evidence gathering · root-cause analysis | 2310, 2320, 2330 |
| reporting | Draft findings · management discussion · final IA report · action plan | 2410, 2420 |
| review | Quality reviewer (head of IA) · partner sign-off | 2340 |
| admin | Issue · invoice · follow-up tracker setup | 2440 |
Step-by-step
Annual risk assessment
Build / refresh the entity's risk universe (financial, operational, IT, compliance, strategic). Score each on impact + likelihood. Top-quartile risks become the year's IA scope.
Cycle plan
Break into 3-4 cycles (e.g. Q1 procurement, Q2 payroll, Q3 IT GC, Q4 revenue cycle). Each cycle becomes a separate TPL-IA job.
Scoping memo
For each cycle: objective · scope · approach · sample basis · timeline · resource · key risks. Approved by head of IA + audit committee chair.
Walkthroughs + testing
Walk one transaction end-to-end through the process. Identify controls. Test design + operating effectiveness. Sample 25-50 items per control depending on frequency.
Findings register
Each finding: condition · criteria · cause · effect · recommendation · severity (low/med/high) · management response · action owner · target date. Drives the action plan.
Final report
Cover note · executive summary · scope statement · methodology · ratings · findings table · management response · audit committee letter. Branded firm template.
Follow-up tracker
Each finding gets a separate task on a follow-up TPL-IA job — verified closure within target date or escalation.
For a multi-cycle annual IA contract, create one "umbrella" TPL-IA job for the year + 4 child jobs (one per quarter). Use comments on the parent job to track cumulative findings + closure rates.
Independence in IA is different from external audit. The IA team can't audit functions where they had operational responsibility within the last 12 months. Document the independence statement at the start of every cycle.
Use a consistent 3-grade scale: High (material financial / regulatory / reputational impact), Medium (operational inefficiency or control gap), Low (minor improvement). Audit committees lose interest in reports with 30 "medium" findings — focus on the 5-10 that matter.
The 5 seeded tasks
| # | Task | Phase | Days |
|---|---|---|---|
| 1 | Risk assessment + scoping memo · audit-committee approval | Planning | 3-5 |
| 2 | Walkthrough + control identification · update IA universe | Planning | 3-5 |
| 3 | Test design + operating effectiveness · sample 25-50 items per control | Fieldwork | 15-25 |
| 4 | Findings register · management response · severity grading | Reporting | 5-7 |
| 5 | Final report · audit-committee presentation · follow-up tracker | Reporting | 5-8 |
The IIA Standards mapping
| Standard | What it requires | Where AuditPro implements it |
|---|---|---|
| IIA 1100 | Independence + objectivity | Independence statement on job · 12-month operational gap rule |
| IIA 2010 | Risk-based annual planning | Annual risk register · scoring matrix · cycle plan |
| IIA 2200 | Engagement planning | Scoping memo template · objective + scope + criteria + approach |
| IIA 2300 | Performing the engagement | Walkthrough + testing tasks · sample tracker |
| IIA 2400 | Communicating results | Findings register · branded report PDF · audit-committee letter |
| IIA 2440 | Disseminating results | Distribution list · restricted-access flag · audit-trail |
| IIA 2500 | Monitoring progress | Follow-up tracker · escalation path · reopening status |
Worked example — procurement cycle review
Client: Group of 5 hotels (audit committee mandate, annual IA)
Cycle: Procurement (Q1)
Risk: Vendor collusion / kickback / split-PO to evade approval limit
Walkthrough (Day 4-5):
  1 transaction traced from PR → quotation → comparison → PO → receipt → invoice → payment. Identified 6 controls.
Testing (Day 6-15):
  C1 - Approval limit (≤OMR 5k = mgr / OMR 5-25k = GM / >25k = MD)
    → 50 POs sampled. 3 split-POs found (OMR 4,800 + 4,500 to same vendor same day). HIGH severity.
  C2 - Vendor master onboarding (3 quotes ≥OMR 1k)
    → 30 invoices sampled. 4 had no 3-quote evidence. MEDIUM.
  C3 - Receipt confirmation (signed GRN)
    → 50 invoices sampled. 2 missing GRN. LOW.
Findings (3 logged):
  F1 HIGH - Split-PO control bypass · vendor X
  F2 MEDIUM - 3-quote rule not consistently applied
  F3 LOW - GRN documentation gaps
Mgmt response (Day 19-20):
  F1 → Block vendor X · review 12-mo history (OMR 280k impact)
    owner: GM · target: 30 days
  F2 → Update procurement SOP, monthly compliance review
    owner: Procurement Mgr · target: 60 days
  F3 → Train warehouse on GRN process
    owner: Warehouse Lead · target: 30 days
Audit-committee meeting Day 22.
Findings register — anatomy
Condition: Factual statement of what was found. "3 of 50 POs were split below OMR 5k limit."
Criteria: The standard / SOP / regulation. "Procurement SOP §4.2: orders > OMR 5k require GM approval."
Cause: Root cause, in control design or operation. "ERP allows multiple PO lines under same PR but no aggregation check."
Effect: What this risks. "Approval-limit bypass · OMR 280k unauthorised spend in 12 months · vendor-collusion exposure."
Recommendation: Specific, actionable. "Add ERP control: aggregate PO value per PR + per vendor + per day; route > OMR 5k to GM."
Management response: Owner + target + agreed action. "GM · 30 days · block vendor + ERP fix."
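The aggregation check from the recommendation above, as an added example (not AuditPro or client code): it groups POs per vendor per day and flags groups whose combined value needs a higher approver than any PO in the group received. The approval tiers are the C1 limits from the worked example; the PO records, field names and vendor names are constructed, and grouping per PR is left out for brevity.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# C1 approval limits from the worked example: upper bound in OMR -> approver.
TIERS = [(Decimal("5000"), "Manager"), (Decimal("25000"), "GM")]
RANK = {"Manager": 0, "GM": 1, "MD": 2}


def required_approver(amount):
    """Return the approver a given OMR amount needs under the C1 limits."""
    for limit, approver in TIERS:
        if amount <= limit:
            return approver
    return "MD"


def find_split_pos(pos):
    """Flag vendor/day groups whose combined value needs a higher approver
    than the highest approval any single PO in the group received."""
    groups = defaultdict(list)
    for po in pos:
        groups[(po["vendor"], po["date"])].append(po)
    findings = []
    for (vendor, day), items in sorted(groups.items()):
        total = sum(po["amount"] for po in items)
        needed = required_approver(total)
        highest = max((po["approved_by"] for po in items), key=RANK.get)
        if len(items) > 1 and RANK[needed] > RANK[highest]:
            findings.append({
                "vendor": vendor, "date": day, "total": total,
                "po_ids": [po["id"] for po in items],
                "approved_by": highest, "required": needed,
            })
    return findings


# Constructed sample population (hypothetical records, not client data).
FIELDS = ("id", "vendor", "date", "amount", "approved_by")
SAMPLE_POS = [dict(zip(FIELDS, row)) for row in [
    ("PO-101", "Vendor X", date(2024, 1, 15), Decimal("4800"), "Manager"),
    ("PO-102", "Vendor X", date(2024, 1, 15), Decimal("4500"), "Manager"),
    ("PO-103", "Vendor Y", date(2024, 1, 15), Decimal("6200"), "GM"),
    ("PO-104", "Vendor Z", date(2024, 1, 16), Decimal("2000"), "Manager"),
    ("PO-105", "Vendor Z", date(2024, 1, 16), Decimal("1500"), "Manager"),
    ("PO-106", "Vendor X", date(2024, 1, 16), Decimal("3000"), "Manager"),
]]

if __name__ == "__main__":
    for finding in find_split_pos(SAMPLE_POS):
        print(finding)
```

Run over the full PO population rather than the 50-item sample, the same grouping also gives the count behind the "condition" line of the finding.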
For SME audit firms, internal audit is often co-sourced or fully outsourced. The same TPL-IA template covers both. The difference is who owns the universe, who chairs the audit committee, and how findings are escalated. Document the relationship in the engagement letter.