The following are the stages of the internal audit process:


Meeting with managers and key personnel relevant to the audited activity.

Risk assessment

Collection of information necessary to understand the audited activity and assess relevant risks thoroughly.


Preparing an audit plan based on the review of the operational environment and the relevant regulation.

Data collection

Collecting relevant and related data.

Data analysis

Analyzing the accumulated data.


Reviewing the draft report with the auditees to verify the findings.

Draft report

Presenting a draft report to the management and discussing the findings.

Final report

Distributing a final report to the prescribed addressees.

Audit Committee

Discussing the report, its findings, and recommendations with the Audit Committee.


Monitoring the implementation of the recommendations approved by the Audit Committee.


Every five or six years, the Institute's Internal Auditor's Office builds a multi-year work plan to examine various issues based on: a risk survey (identification and assessment of operational, financial, compliance risks, etc.); conversations and feedback from the institute's senior management and middle management levels; accumulated experience, and more. The Audit Committee approves the multi-year work plan. Usually, a subject is reviewed on average once every five years, in coordination with the institute's management and according to the frequency required for inspection based on a risk survey. The Audit Committee may propose and approve changes to the work plans, including adding topics for review.

The amount of time depends on the scope of the topic under review, its complexity, and the availability of information and key personnel. Also, auditees with effective guidelines, work plans, computerized processes, controls, etc., must devote less time and resources during the audit process.

The audit reports are sent only to the following Institute officials:

  • Chair of the Executive Council
  • President
  • Vice president
  • Vice President for Administration and Finance
  • Chair and members of the Audit Committee
  • Auditees
  • Legal advisor

The auditees must implement the audit recommendations, as approved by the Audit Committee, within the time set for this in the report. It is the responsibility of the Internal Auditor's Office to monitor the implementation of the recommendations systematically. Follow-up is done by contacting the relevant auditees and documenting every successful implementation, postponement, etc. The Internal Auditor's Office can approve an extension to implement the recommendation. The auditor's office annually submits a report on this matter to the Audit Committee.