Triggers for establishing an Internal Audit Function (IAF) include an increased need to identify business process improvement opportunities and to strengthen the reliability of the controls that mitigate strategic, business, and other emerging risks. An established IAF supports compliance with regulatory requirements and with leading practices in corporate governance. Further, an IAF increases the board’s confidence in the efficiency of business processes and the effectiveness of controls.
Maturity of Organization
While developing an IAF, the Chief Audit Executive (CAE) considers the organization’s overall maturity. The CAE assesses the operational design, business processes, technological advancements, control environment, and maturity of other assurance providers (i.e., any second-line functions such as risk management and compliance) within the organization. This assessment helps align the IAF’s resources and strategic plan with the overall organizational strategy, its technologies and budgets, the use of external consultants, and potential consulting engagements in the future.
Nature and Structure
The departmental structure of an IAF varies with the form of an organization and the nature of its business. For example, a bank with a widespread network of branches and regions is likely to have a separate Internal Audit team for individual branch audits. A natural gas company might have a dedicated team of engineers for conducting technical audits.
The structure of an IAF is also shaped by local regulatory requirements, particularly in more rigorously supervised sectors such as banking and finance. For example, a country’s central bank may require the IAFs of all in-scope companies to review a certain percentage of the advances (loan) portfolio each year, which affects the annual planning, resource allocation, and departmental structure of their IAF.
The CAE’s first step is developing a governance framework to guide internal audit activity. The governance framework defines the IAF’s mandate, positioning within the organization, authority, responsibilities, and the nature of any work the IAF may perform. Development of the governance framework involves the following:
Understanding the Organization
The CAE builds an understanding of the business by analyzing the organization and obtaining feedback from senior management on its strategic direction, emerging risks, and anticipated changes to business operations. This analysis and feedback inform the CAE’s formulation of the IAF Charter and the Internal Audit Strategy.
Understanding the Role of the Board Audit Committee
The IA team reviews the Board Audit Committee (BAC) Terms of Reference (TORs) and interviews BAC members and senior management to understand the BAC’s current role.
The IAF Charter
The Charter is the critical governance document defining the mandate of the IAF. While developing the IAF Charter, the CAE reviews the BAC Charter and gathers input from BAC members to identify the purpose, mission, and overall objectives of the IAF, and aligns them with those contained in the BAC Charter.
The Charter should define the IAF’s purpose, authority, responsibility, nature of services, and reporting lines. Ideally, the board approves the Charter, and it is disseminated across the organization so that management understands the mandate.
Internal Audit Strategy
The Internal Audit Strategy (the Strategy) aligns the IAF’s approach with organizational objectives. It captures the IAF’s mission and vision and aligns the IAF with the organization’s strategic plan, stakeholder expectations, and the technology advancements the IAF is likely to require in the years ahead.
The Internal Audit Function is an independent, objective assurance function that adds value and improves the organization’s operations. It is therefore essential to establish an operational framework to guide the IAF’s daily activities.
The Charter, BAC TORs, and discussions with senior management all form the basis for developing internal audit operating procedures. The procedures cover tactical guidelines related to different internal auditing phases, including risk assessment methodology, annual audit planning, a stakeholder input mechanism, engagement planning, engagement supervision, sampling methodology, audit reporting, reporting to BAC, and the quality assurance mechanism.
The operational manual can provide standardized templates used while executing internal audit operations. The manual may include templates and guidelines for the following:
Engagement Plan
An engagement plan includes:
Timelines for each phase of the engagement
Identification of key risks and controls
Engagement teams may utilize planning questionnaires to capture new risks, changes in business processes, changes to regulatory requirements, and input from the relevant process owner before beginning the engagement.
Preliminary Risk Assessment
In addition to the annual risk assessment (see below), the IAF performs an engagement-level risk assessment to identify changes in the risk profile and new risks resulting from changes in business operations. The IAF then revises the mapping of risks to controls to reflect any differences identified.
Audit Program
An audit program outlines the key testing strategies and procedural steps for evaluating the design and operating effectiveness of the controls identified during the preliminary risk assessment. Test procedures are linked to the risks and objectives of the engagement. Mapping engagement objectives and critical risks to the testing procedures helps internal auditors ensure that testing covers all relevant engagement objectives.
Issues Tracking Sheet
An issue tracking sheet is a tool Internal Auditors use to follow up on and monitor current and outstanding audit findings. It typically comprises the process reference, observation details, target rectification date, and current status.
Audit Report
An audit report might use various formats depending on the nature of the engagement. At a minimum, an audit report should include the engagement scope, engagement objectives, details of observations, remediation timelines, and an action plan.
Working Papers
Documented guidelines ensure the standardization of working papers across multiple engagement teams. Different working paper templates and procedures might be developed for each type of engagement.
Management Feedback Form
Seeking feedback from auditee management on each engagement plays a vital role in gauging internal auditors’ performance and serves as a tool for ongoing monitoring of IAF staff performance.
Quality Assurance and Improvement Program (QAIP)
The QAIP covers guidelines for internal assessments, external assessments, and reporting of QAIP results to the BAC and senior management. Internal assessments consist of two components: ongoing monitoring and periodic self-assessment against the IIA’s mandatory guidance.
After developing the governance framework, the CAE performs a risk assessment exercise. Components of this exercise include:
Business Risk Register
To start the risk assessment phase, the CAE first assesses the maturity of the Risk Management Function (RMF). Where a mature RMF exists, the IAF may utilize the risk register developed by the RMF. In the absence of a mature RMF, the IAF creates its own business risk register to capture all significant risks that may affect the achievement of organizational objectives. This effort helps the IAF identify the critical risks that threaten organizational goals and forms the basis for developing the internal audit plan.
The IAF maps the identified risks to their mitigating controls and categorizes the risks according to the risk assessment methodology defined in the internal audit operating procedures. Risks are generally categorized as high, medium, or low based on inherent risk (the exposure before any controls are considered) and residual risk (the exposure that remains after the mitigating controls are taken into account).
What is needed to develop an Internal Audit Plan?
The IAF develops an Internal Audit Plan based on the initial risk assessment, the audit universe, the staffing strategy, and input from relevant stakeholders.
Audit Universe
An audit universe is the documented set of auditable entities within an organization. It can be organized by geographic location, function, or business process. After performing the risk assessment, the IAF develops the audit universe to detail all possible auditable entities within the organization.
Mapping Results of Risk Assessment with the Audit Universe
After documenting the audit universe, the IAF maps the risk assessment results to the identified auditable entities and prioritizes them accordingly. The mapping ranks each area of the audit universe as high, medium, or low according to the rating of the risks assessed against it. This exercise enables the CAE to identify critical processes and assess the overall control environment within the organization.
Input from Senior Management
The IAF seeks input from senior management to identify audit focus areas. This input helps align the internal audit plan with the expectations of relevant stakeholders and identifies any consulting engagement opportunities.
Internal Audit Plan
Using the risk assessment results and senior management input, the IAF develops an audit plan covering the engagements to be performed, a high-level scope, the rationale for including each engagement in the annual plan, the resources and hours required, and a time frame for each engagement. Organizations may develop a single- or multi-year audit plan depending on several factors, including the nature of business dynamics, evolving risks, and the organization’s strategic plan.
Staffing Strategy
A staffing strategy outlines short- and long-term resource planning methodologies. To develop a staffing strategy, the IAF performs a skills assessment. This assessment identifies the number of resources required to complete the annual audit plan, the competencies needed to meet the IAF’s objectives, any requirement to hire subject matter specialists, and whether outsourcing or co-sourcing arrangements are needed. The staffing strategy supports both the IAF strategic plan and the annual audit plan.
Approval and Renewal
The IAF presents the annual internal audit plan, the staffing strategy, the budget, the risk assessment, and the risk register to the BAC for review and approval. The BAC may suggest changes to the draft audit plan and ultimately authorizes its implementation.
About the Author
Hassan Rizvi is an ACCA Member working with KPMG Risk & Management consulting for the past five years. Before joining KPMG, he was an Internal Audit Associate at SSGCL (Sui Southern Gas Company Limited).