How to Establish the Internal Audit Department in 8 simple steps?

By Arif Zaman, Head of Internal Audit, Emaar Industries & Investments, UAE


Building an internal audit function from the ground up may seem like a daunting task, but taking a measured approach and prioritizing what should be done first can ease some of the difficulties. Handling these initial steps with care also helps build trust in organizations that may have no experience with internal audit or may be suspicious of its motives. By selecting key areas of focus and seeking to make “quick wins,” chief audit executives (CAEs) can soon win over management and the rest of the business, and establish a solid foundation for the audit function.

I have been asked by a couple of new audit leaders to assist them in the formation of the Internal Audit Department. Based on my personal experience, I would like to illustrate my approach and share my learning experience in the following steps:


Step 1: Tone At The Top 

Tone at the top is the most vital prerequisite for establishing any function, especially internal audit. Internal auditors need the utmost support of top management and the Board in the establishment of the Internal Audit Department.

Once you have board backing, you can then get approval for the internal audit framework and reporting structure, which will allow internal auditors to maintain their independence and objectivity.


Step 2: Business Understanding 

It is very important to be acquainted with the culture and business acumen of the company. This gives a general idea of the company's risk maturity and control environment; accordingly, an internal auditor can determine how to pitch the Internal Audit Department framework.


Step 3: Structure

The structure of the Internal Audit Department is crucial. Some important questions to consider are: Where will the Internal Audit Department fall within the organization structure? To whom will it report? Who will have the authority to hire or fire internal auditors? In order to maintain independence, the Internal Audit Department shall report to the Audit Committee or directly to the Board.


Step 4: Audit Committee Charter

Once the reporting line is defined, an Audit Committee Charter shall be developed to define the role and responsibilities of the Committee. The Charter shall be approved by the Board.

The model template of the Audit Committee Charter is available at the IIA website.


Step 5: Internal Audit Charter

The second governing document after the Audit Committee Charter is the Internal Audit Charter, which defines the role and responsibilities of the Internal Audit Department. The Internal Audit Charter shall be approved by the Audit Committee.

The model template of the Internal Audit Charter is available at the IIA website.


Step 6: Policies and Procedures

As per the IPPF, the Head of Internal Audit must develop internal audit policies and procedures to regulate, standardize and document the audit activities. The policies shall cover, but are not limited to, the following processes: annual audit plan, approval process, engagement plan, audit execution, audit reporting, follow-up, reporting to different stakeholders, quality assurance, etc. The policies and procedures shall be approved by the Audit Committee.


Step 7: Budget 

The Audit Committee shall approve the budget of the Internal Audit Department, which should be sufficient to attract good talent and provide resources for the Internal Audit Department to carry out its functional activities.


Step 8: Liaison with Management and Other Departments

The Internal Audit Department shall meet with Management and the other departmental heads to develop business and operational understanding and work together, leveraging their expertise to bridge silos within the organization. This interaction may also help in developing the Audit Universe and carrying out the Risk Assessment.

Once the above prerequisites are met, the Internal Audit Department can proceed with carrying out an annual risk assessment, developing an annual audit plan, presenting it to the appropriate authority for approval, and executing the audit engagements according to the plan.


I hope the above simple steps might guide you in establishing the Internal Audit Department. Some organizations may not have a proper governance framework; in that case, skip the steps which might not be practical to follow in the given circumstances. Similarly, the steps might be reshuffled as you find appropriate.

Arif Zaman