Setting up a new department or function within an organization poses great challenges with everyone involved directly or indirectly. Reasonable amount of time, resources and energy is invested into actualizing it, but it may take more time to materialize than anticipated.
The same thing holds for setting up an internal audit function for any organization. Establishing an internal audit function is more challenging in that it is not utilized in day to day functions, and often requires a shift from the organization orthodox before it is seen to be of benefit.
This guides looks at relevant considerations and activities involved in setting up your internal audit function.
An alternative to setting up an internal audit function internally is to outsource your internal audit function. Some of the benefits from outsourcing your internal audits are immediate access specialist, no extra head counts or the effort setting up the department. Often the overall cost of outsourcing the function is lower than developing it internally.
Knowing your stakeholders and what they want is key in establishing your internal audit function. Internal stakeholders will include the audit committee, executives, board of directors and employees. External stakeholders should include the external auditor, local, state or national government, regulators and customers.
Members of the new function should actively identify and communicate with relevant stake holders at an early state because their views will greatly impact the role of the internal audit. Understanding the expectations of each stakeholder will prove very useful when preparing the internal audit strategy as it will detect areas where assurance is required.
Structure and Governance of the Internal Audit Function
Your new internal audit function must have a streamlined position within the organizational structure. In essence, there should a clear line between its activities and that of the organization at large. Its activities should be granted direct access to the audit committee, board and members of the executive management.
The activity of the internal audit function will be governed by the internal audit charter. The internal audit charter will document its purposes, responsibilities, right and place within the organization.
The charter review is carried out by the head of internal audit but the board (audit committee) has the responsibility for approving the charter. Therefore there is need for scheduled review for subsequent amendments.
Evaluate and Enhance Risk Management
The approach and strategy of an internal audit will be determined by such organization’s risk maturity. Less risk mature organization require that the auditor focuses more on the control while the auditor focuses more on design and application in a more risk mature organization.
Whatever the case may be, internal audit should try to periodically express a view to the board on the maturity level of the organization’s risk management. This will enormously support the organization’s annual governance.
The internal audit function should seek to contribute to enhancement of the organization of the organization’s risk management processes from time to time. This can be achieved by providing advice on risk management processes to the board or undertaking benchmarking evaluations to identify areas of improvement.
Agree Priorities and Formulate Plans for the Internal Audit Function
The internal audit function should develop a strategy which is in correspondence with the organization’s overall strategy over a period of time.
The head of the internal audit function should agree to key areas where stakeholders need assurance and incorporate these into the strategy. More focus may be placed on areas of higher risk.
In addition, the strategy should explain the internal audit’s key objectives and outputs, the procedure, method and resources that will be utilized to achieve them with measures of success.
An annual internal audit plan is essential. It will give a clear indication of the time table for internal audit work over the course of the following year.
Policies and Procedures Must Be Developed
The internal audit activity should have adequate policies and procedures to guide it work. The form, scope, procedure and policy will depend on the size of the internal audit function. For larger internal audit teams, some form of automation of procedures should be considered to enhance efficiency.
Measuring and Monitoring Performance with Key Performance Indicators (KPI)
The internal audit function should agree on some set of KPIs with the audit committee to allow evaluation of the performance of the activity. Quantitative and qualitative indicators should be monitored closely. Quantitative indicators include reviews completed against the speculated plan, recommendations implemented and performance against budget. Qualitative indicators may include training provided for audit team members and the fulfilment of continuing professional development.