Developing an Effective Internal Audit Function

Understanding your objectives, identifying organizational risk, enlisting executive support, and evaluating internal controls are among the keys to developing an effective internal audit function.

Internal audit provides the company, on an ongoing basis, with insights into its performance, policies, and procedures that can improve how it manages operational, compliance, and financial risks. Common objectives for an internal audit include:

  • Identifying and mitigating organizational risk
  • Enhancing financial processes and regulatory compliance
  • Testing the design and operation of internal controls and correcting any deficiencies

Create the Blueprint for Your Internal Audit Program

The first step in developing an effective internal audit function is building a framework that defines management’s needs and expectations. This will vary depending on the company’s industry but will typically include examining the various categories of risk the organization faces, as well as any specific compliance requirements.

This step should be followed by conversations with leaders in different business units — finance, planning, operations, the audit committee, and others — as the first stages of a broader risk assessment. This will involve asking questions about the organization’s risks and whether the implications of a given risk are material.

You can’t eliminate risk completely. Instead, you want to develop a cross-functional view of the appropriate thresholds so that you devote time and resources most effectively during the internal audit.

Deciding Who Will Lead the Audit

It’s also important for the organization to designate an executive sponsor of the internal audit function to highlight unequivocally the organization’s commitment to compliance and ethical behavior. Everyone participating in or supporting the audit needs to understand the organization will accept any findings and address shortcomings discovered during the audit process. If people believe the audit will not result in action, the process can become an unproductive exercise that wastes time and money.

Define Scope

Together, these steps will help the company define the scope of the internal audit and optimize management’s risk tolerance, as well as the thresholds for testing during the audit. For example, reviewing the approval of $49 transactions may not be an appropriate use of internal audit’s time.

This discussion also will help you design the objectives and attributes of the tests you will perform during the audit process. This may include, for example:

  • Interviewing process owners about their role.
  • Observing processes and procedures to understand whether they are performing as designed.
  • Reviewing documentation for completeness and accuracy.
  • Reconciling accounts to make sure transactions and amounts match.

Find the Best Time to Conduct the Internal Audit Procedures

The next step is scheduling time with management, process owners, and other key participants to align the audit process with the organization’s calendar to avoid intrusions during busy seasons or other important periods. You probably can’t eliminate the perception that the audit is interrupting routine work, but working to accommodate peak periods will improve cooperation and the effectiveness of the audit overall.

With this plan in place, you can launch an internal audit process knowing that it’s backed by a carefully designed, well-reasoned plan that’s aligned with the company’s financial, operational, and compliance risk management objectives.

We Can Help You with Your Auditing Needs

Whether you’re looking to establish, enhance, or outsource your internal audit function, we provide ‘right-sized’ audit support to assist you. For more information about optimizing the value of your SOX investment, reach out to our team.