Starting or Jump-Starting an Internal Audit Department?

Published June 22, 2021 By Peggy Maranan, Ph.D., DEMCO, Director, Finance

Originally Published in The Cooperative Accountant, Spring 2021 Issue

Overview of Internal Audit Department Function 

Organizations deploy many layers of defense to ensure that sufficient controls are in place to manage risk, avoid setbacks, and aid in achieving company objectives. The Institute of Internal Auditors (IIA) is an industry authority on internal auditing and on other functions related to it.

From the IIA website (n.d.), “About the IIA” section:   

Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Lake Mary, Florida, USA. The IIA is the internal audit profession's global voice, recognized authority, acknowledged leader, chief advocate, and principal educator. Generally, members work in internal auditing, risk management, governance, internal control, information technology audit, education, and security. (para. 1) 

The IIA recommends the following best practices for effectively managing risk:

  • Risk and control processes should be structured in accordance with the Three Lines of Defense model. 
  • Each line of defense should be supported by appropriate policies and role definitions. 
  • There should be proper coordination among the separate lines of defense to foster efficiency and effectiveness. 
  • Risk and control functions operating at the different lines should appropriately share knowledge and information to assist all functions in better accomplishing their roles in an efficient manner. 
  • Lines of defense should not be combined or coordinated in a manner that compromises their effectiveness. 
  • In situations where functions at different lines are combined, the governing body should be advised of the structure and its impact. For organizations that have not established an internal audit activity, management and/or the governing body should be required to explain and disclose to their stakeholders that they have considered how adequate assurance on the effectiveness of the organization’s governance, risk management, and control structure will be obtained. (IIA, 2013, p. 7) 

Zaman (2016) describes the lines of defense in the IIA’s Three Lines of Defense model: 

The first layer of defense is the operational management (process owner). The second layer of defense is the control function such as internal control, risk management, and compliance. The third layer of defense is the internal and external audit function. (para. 2) 

The IIA further describes these lines of defense in Table 1 below.

Table 1:  IIA’s Lines of Defense described 

First Line of Defense: Risk Owners/Managers

  • operating management

Second Line of Defense: Risk Control and Compliance

  • limited independence
  • reports primarily to management

Third Line of Defense: Risk Assurance

  • internal audit
  • greater independence
  • reports to governing body

(IIA, 2013, p. 6) 

The IIA Three Lines of Defense Model is provided below, in Table 2. 

 

(IIA, 2020, para. 2) 

The IIA recommends that “all three lines should exist in some form at every organization, regardless of size or complexity” for strongest risk management practices (p. 7).  They also note that “because every organization is unique and specific situations vary, there is no one “right” way to coordinate the Three Lines of Defense” (p. 6).  They recommend that every company establish risk management practices that are applicable and effective to their specific organization.  Brasseur (2020) notes that “the model encourages management and internal audit to coordinate response” (para. 3). 

How to establish an Internal Audit Department  

Watson (2020) suggests identifying your specific needs in designing an internal audit department.  The three scenarios she describes include: 

Scenario 1 — Setting up a brand new department 

Scenario 2 — Switching from an outsourced team to in-house department 

Scenario 3 — Taking over an existing department (para. 5-7) 

Depending upon the scenario, the approach and effort required to start or jump-start the department could vary. Additionally, Watson offers a methodical approach by providing the following high-level roadmap steps:

  1. Develop Relationships and Establish Expectations
  2. Understand the Business Strategy and Associated Risks
  3. Evaluate, Train, and Allocate Your Resources  (para. 10-12)

Zaman (2018) offers “How to establish the Internal Audit Department in 8 simple steps?”. The steps are outlined in Table 3 below.   

Table 3:  How to establish the Internal Audit Department in 8 Simple Steps  

Step 

Step description 

Step 1: Tone at The Top 

It is the most vital component before establishing any function especially internal audit. Internal auditors need the utmost support of the top management and the Board in the establishment of the Internal Audit Department. Once have it [sic], it will be easy to approve the framework and reporting structure, which will allow internal auditors to maintain their independence and objectivity. 

Step 2: Business Understanding 

It is very much important to be acquainted with the culture and business acumen of the company. It gives a general idea of the company risk maturity and control environment; accordingly, an internal auditor can determine their approach to pitch the Internal Audit Department framework. 

Step 3: Structure 

The structure of the Internal Audit Department is very crucial. Some of the important questions to ponder upon are where does the Internal Audit Department will [sic] fall within the organization structure, to whom they will report? who will have the decision to hire or fire internal auditors, etc. In order to maintain independence, Internal Audit Department shall report to the Audit Committee or directly to the Board.

Step 4: Audit Committee Charter 

Once the reporting line is defined, an Audit Committee Charter shall be developed to define the role and responsibilities of the Committee. The Charter shall be approved by the Board. 

Step 5: Internal Audit Charter 

The second governing document after the Audit Committee Charter is the Internal Audit Charter, which define the role and responsibilities of the Internal Audit Department. The Internal Audit Charter shall be approved by the Audit Committee. 

Step 6: Policies and Procedures 

As per the IPPF [IIA’s International Professional Practices Framework], the Head of Internal Audit must develop internal audit policies and procedures to regulate, standardize and document the audit activities. The policies shall cover the following process but not limited to; annual audit plan, approval process, engagement plan, audit execution, audit reporting, follow-up, reporting to different stakeholders, quality assurance etc. The policies and procedures shall be approved by the Audit Committee. 

Step 7: Budget 

The Audit Committee shall approve the budget of the Internal Audit Department, sufficient enough to attract good talent and provide resources for the Internal Audit Department to carry out functional activities. 

Step 8: Liaison with Management and Other Departments 

Internal Audit Department shall meet with the Management and the other Departmental Heads to develop business and operational understanding. All another [sic] department especially the second line of defense will enable the Internal Audit Department to work together by leveraging their expertise to bridge silos within the organization. This interaction may also help in developing the Audit Universe and carry out Risk Assessment. 

Model templates from the IIA are provided in Table 4 for Audit Committee and Internal Audit Charters. These can be used as a starting place in developing charters for your organization. They also can be compared to existing charters within your organization for possible update or improvements. 

Table 4:  Institute of Internal Auditors (IIA) model templates

IIA Model Template name / (Zaman Step reference) and URL:

  • Model Audit Committee Charter / (Step 4): https://na.theiia.org/standards-guidance/Public%20Documents/Model-Audit-Committee-Charter.pdf
  • Model Internal Audit Charter / (Step 5): https://na.theiia.org/standards-guidance/Public%20Documents/Model%20Internal%20Audit%20Activity%20Charter.pdf

From the IIA website https://na.theiia.org/Pages/IIAHome.aspx 

There are many risk assessment models and tools available, and you should select what works best for your organization after doing some research and becoming familiar with this topic. Table 5 includes some of Zaman’s articles offering step-by-step instructions in how to approach the annual risk assessment and audit planning processes. These could aid in either getting you started or refining current assessment processes. 

Table 5:  Zaman articles  

Article name / (Zaman Step reference) and URL:

  • Annual Risk Assessment - 4 Steps (Summary) / (Step 8): https://www.linkedin.com/pulse/annual-risk-assessment-4-steps-summary-arif-zaman-acca-/
  • Annual Audit Planning Process - 5 Steps / (Step 8): https://www.linkedin.com/pulse/annual-audit-planning-process-step-wise-arif-zaman-acca-/

Summary 

Cynthia Watson summarizes her article “How to Start a Successful Internal Audit Department” beautifully:   

There’s no one-size-fits-all approach to setting up an internal audit department. You must meet your organization where it is. Each organization will have different needs, risk appetites, and a different maturity level — and you must create or change the department to support the organization while still establishing a high standard. Don’t be afraid to be open to new ideas — change is here to stay, and being innovative helps audit teams provide value and be more effective. Understanding stakeholder expectations, fully comprehending the business strategy and associated risks, and evaluating your resources to determine if you have what’s needed to deliver value to your organization are essential steps in setting up a successful internal audit team. (para. 19) 

The important thing to remember is to just start somewhere, and try not to be intimidated by the process.  Also, if you already have an internal audit department in place, take the time periodically to revisit the framework and procedures to ensure that they are keeping up with changes in the business and are continuing to help mitigate risks to your organization.   

Note:  Some additional reading information has been cited below, including some articles related to internal auditing trends, risks in the energy and utilities industry, along with an article related to COVID-19 risks.   

To read this full article, visit nsacoop.org/publications/tca or NSAC Connect