I am fortunate to have experience of establishing the Internal Audit Department in several parts of the world.
I have been asked by a couple of new audit leaders to assist them in the formation of the Internal Audit Department. Based on my personal experience, I would like to illustrate my approach and share my learning experience in the following steps:
Step 1: Tone At The Top – It is the most vital component before establishing any function especially internal audit. Internal auditors need the utmost support of the top management and the Board in the establishment of the Internal Audit Department. Once have it, it will be easy to approve the framework and reporting structure, which will allow internal auditors to maintain their independence and objectivity.
Step 2: Business Understanding – It is very much important to be acquainted with the culture and business acumen of the company. It gives a general idea of the company risk maturity and control environment; accordingly, an internal auditor can determine their approach to pitch the Internal Audit Department framework.
Step 3: Structure - The structure of the Internal Audit Department is very crucial. Some of the important questions to ponder upon are where does the Internal Audit Department will fall within the organization structure, to whom they will report? who will have the decision to hire or fire internal auditors Etc? In order to maintain independence, Internal Audit Department shall report to the Audit Committee or directly to the Board.
Step 4: Audit Committee Charter - Once the reporting line is defined, an Audit Committee Charter shall be developed to define the role and responsibilities of the Committee. The Charter shall be approved by the Board.
The model template of the Audit Committee Charter is available at the IIA website.
Step 5: Internal Audit Charter - The second governing document after the Audit Committee Charter is the Internal Audit Charter, which define the role and responsibilities of the Internal Audit Department. The Internal Audit Charter shall be approved by the Audit Committee.
The model -template of the Internal Audit Charter is available at the IIA website.
Step 6: Policies and Procedures - As per the IPPF, the Head of Internal Audit must develop internal audit policies and procedures to regulate, standardize and document the audit activities. The policies shall cover the following process but not limited to; annual audit plan, approval process, engagement plan, audit execution, audit reporting, follow-up, reporting to different stakeholders, quality assurance etc. The policies and procedures shall be approved by the Audit Committee.
Step 7: Budget - The Audit Committee shall approve the budget of the Internal Audit Department, sufficient enough to attract good talent and provide resources for the Internal Audit Department to carry out functional activities.
Step 8: Liaison with Management and Other Departments - Internal Audit Department shall meet with the Management and the other Departmental Heads to develop business and operational understanding. All another department especially the second line of defense will enable the Internal Audit Department to work together by leveraging their expertise to bridge silos within the organization. This interaction may also help in developing the Audit Universe and carry out Risk Assessment.
Once the above prerequisites are met, Internal Audit Department can presume with carrying out an annual risk assessment, developing an annual audit plan, presenting to the appropriate authority for approval and execute the audit engagement according to the plan.