How to Establish the Internal Audit Department in 8 simple steps?
By Arif Zaman , Head of Internal Audit, Emaar Industries & Investments, UAE
Building an internal audit function from the ground up may seem like a daunting task, but taking a measured approach and prioritizing what should be done first can ease some of the difficulties. Handling these initial steps with care also helps build trust in organizations that may have no experience with internal audit or may be suspicious of its motives. By selecting key areas of focus and seeking to make “quick wins,” chief audit executives (CAEs) can soon win over management and the rest of the business, and establish a solid foundation for the audit function.
I have been asked by a couple of new audit leaders to assist them in the formation of the Internal Audit Department. Based on my personal experience, I would like to illustrate my approach and share my learning experience in the following steps:
Step 1: Tone At The Top
It is the most vital component before establishing any function especially internal audit. Internal auditors need the utmost support of the top management and the Board in the establishment of the Internal Audit Department. Once have it, it will be easy to approve the framework and reporting structure, which will allow internal auditors to maintain their independence and objectivity.
Once you have board backing, you can then get approval for the internal audit framework and reporting structure, which will allow internal auditors to maintain their independence and objectivity
Step 2: Business Understanding
It is very much important to be acquainted with the culture and business acumen of the company. It gives a general idea of the company risk maturity and control environment, accordingly, an internal auditor can determine their approach to pitch the Internal Audit Department framework.
Step 3: Structure
The structure of the Internal Audit Department is very crucial. Some of the important questions to ponder upon are where does the Internal Audit Department will fall within the organization structure, to whom they will report? who will have the decision to hire or fire internal auditors Etc? In order to maintain independence, Internal Audit Department shall report to the Audit Committee or directly to the Board.
Step 4: Audit Committee Charter
Once the reporting line is defined, an Audit Committee Charter shall be developed to define the role and responsibilities of the Committee. The Charter shall be approved by the Board.
The model template of the Audit Committee Charter is available at the IIA website, click here.
Step 5: Internal Audit Charter
The second governing document after the Audit Committee Charter is the Internal Audit Charter, which define the role and responsibilities of the Internal Audit Department. The Internal Audit Charter shall be approved by the Audit Committee.
The model template of the Internal Audit Charter is available at the IIA website, click here
Step 6: Policies and Procedures
As per the IPPF, the Head of Internal Audit must develop internal audit policies and procedures to regulate, standardize and document the audit activities. The policies shall cover the following process but not limited to; annual audit plan, approval process, engagement plan, audit execution, audit reporting, follow-up, reporting to different stakeholders, quality assurance etc. The policies and procedures shall be approved by the Audit Committee.
Step 7: Budget
The Audit Committee shall approve the budget of the Internal Audit Department, sufficient enough to attract good talent and provide resources for the Internal Audit Department to carry out functional activities.
Step 8: Liaison with Management and Other Departments
Internal Audit Department shall meet with the Management and the other Departmental Heads to develop business and operational understanding and work together by leveraging their expertise to bridge silos within the organization. This interaction may also help in developing the Audit Universe and carry out Risk Assessment.
Once the above prerequisites are met, Internal Audit Department can presume with carrying out an annual risk assessment, developing an annual audit plan, presenting to the appropriate authority for approval and executing the audit engagement according to the plan.
I hope the above simple steps might guide you in establishing the Internal Audit Department. There might be a possibility that some organization may not be having a proper governance framework, in that case, skip the steps which might not be practical to follow in the given circumstances. Similarly, the steps might be reshuffled as find appropriate.
His articles on the topic of cloud computing, audit planning, disruptive technology, governance etc. are published by the Institute of Internal Auditors as well.
Arif holds a MSc in Professional Accountancy from University of London and BSc Hons in Applied Accounting from Oxford Brookes University along with an impressive set of professional certification including the following: Chartered Certified Accountant (FCCA), Certified Internal Auditor (CIA), Certified Information System Auditor (CISA), Certified Fraud Examiner (CFE), Certificate in Control Self-Assessment (CCSA), Certificate in Risk Management Assurance (CRMA), Certified Risk Based Auditor (CRBA), Certified Public Accountant (CPA), Certified General Accountant (CGA) and ISO 31000 etc.
- Agile Auditing Methodology - June 22, 2021
- To Be or Not To Be an Internal Auditor? - June 11, 2021
- Governance, Risk & Compliance (GRC) – Big Time Confusion! - March 11, 2021
Very impressive Article step was defined. Appreciated the effort to made this knowledgeable Article to enhance our understanding.