Fig. 1 - Internal Audit Overview
One of the many reasons that Internal Audit needs such thorough explaining to non-auditors is that Internal Audit can serve many purposes, depending on the organization's size and needs. However, the Institute of Internal Auditors (IIA) defines Internal Auditing as:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
However, this definition uses quite a few terms that aren't clear unless the reader already has a solid understanding of the auditing profession. To further explain, the following is a list of definitions that can help supplement understanding of internal auditing.
Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional, and organizational levels.
Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. Threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels.
Assurance services involve the internal auditor's objective assessment of evidence to provide opinions or conclusions regarding an entity, operation, function, process, system, or other subject matters. The nature and scope of an assurance engagement are determined by the internal auditor. Generally, three parties are participants in assurance services: (1) the person or group directly involved with the entity, operation, function, process, system, or other subject matter - the process owner, (2) the person or group making the assessment - the internal auditor, and (3) the person or group using the assessment - the user.
Consulting services are advisory in nature and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties: (1) the person or group offering the advice - the internal auditor, and (2) the person or group seeking and receiving the advice - the engagement client. When performing consulting services, the internal auditor should maintain objectivity and not assume management responsibility.
Governance, Risk Management, & Compliance (GRC)
The integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.
Audit Charter & Standards
First, it's important to note that not every organization needs internal auditors. In fact, it's unwise for an organization to hire internal auditors unless they have regulatory requirements for auditing and have the capital to support the department. Internal audit is a cost center that can only affect revenue indirectly.
Once an organization determines the need for internal assurance services, they will hire a Chief Audit Executive and create the audit charter. This charter is a document, approved by the company's governing body, that will define internal audit's purpose, authority, responsibility, and position within the organization. Fortunately, the IIA has model charters available to IIA members for those developing or improving their charter.
Beyond the charter and organizational documents, internal auditors follow a few different standards in order to perform their job. First is the International Professional Practices Framework (IPPF) by the IIA, which is the model of standards for internal auditing. In addition, ISACA's Information Technology Assurance Framework (ITAF) helps guide auditors in reference to information technology (IT) compliance and assurance. Finally, additional standards such as FASB, GAAP, and industry-specific standards are used when performing internal audit work.
Three Lines of Defense
The IIA released its original three lines of defense model in 2013 and released an updated version in 2020. Here is what the three lines of defense model has historically looked like:
Fig. 2 - 2013 Three Lines of Defense Model
I won't go into depth about the changes made to the model in this article. Instead, let's take a look at the most current model.
Fig. 3 - 2020 Three Lines of Defense Model
The updated model drops the strict idea of each area performing its own function or line of defense. Instead of talking about management, risk, and internal audit as 1-2-3, the new model describes a more fluid and cooperative arrangement.
Looking at this model from an auditing perspective shows us that auditors will need to align, communicate, and collaborate with management - including business area managers and chief officers - as well as report to the governing body. The governing body will instruct internal audit functionally on its goals and track its progress periodically. However, the internal audit department will report administratively to a chief officer in the company for the purposes of collaboration, direction, and assistance with the business. Note that in most situations, the governing body is the audit committee of the company's board of directors.
The result of this structure is that internal audit is an independent and objective function that can provide assurance over the topics they audit.
A normal audit will generally follow the same process, regardless of the topic. However, certain special projects or abnormal business areas may call for changes to the audit process. The audit process is not set in stone; it's simply a set of best practices so that audits can be performed consistently.
Fig. 4 - The Internal Audit Process
While different organizations may tweak the process, it will generally follow this flow:
1. Risk Assessment
The risk assessment part of the process has historically been performed annually, but many organizations have moved to performing this process much more frequently. In fact, some organizations are moving to an agile approach that can take new risks into the risk assessment and re-prioritize risk areas on-the-go. To perform a risk assessment, leaders in internal audit will research industry risks, consult with business leaders around the company, and perform analyses on company data.
Once a risk assessment has been documented, the audit department has a prioritized list of risks that can be audited. This is usually in the form of auditable entities, such as business areas or departments.
2. Planning
During the planning phase of an audit, auditors will meet with the business area to discuss the various processes, controls, and risks applicable to the business. This helps the auditors determine the scope limits for the audit, as well as timing and subject-matter experts. Certain documents will be created in this phase that will be used to keep the audit on track and in scope as it goes forward.
3. Testing
The testing phase, also known as fieldwork or execution, is where internal auditors take the information they've discovered and test it against regulations, industry standards, company rules, and best practices, as well as validating that any processes are complete and accurate. For example, an audit of HR would most likely examine processes such as employee on-boarding, employee termination, security of personally identifiable information (PII), or the IT systems involved in these processes. Company standards would be examined and compared against how the processes are actually being performed day-to-day, as well as compared against regulations such as the Equal Employment Opportunity (EEO) laws, the Americans with Disabilities Act, and the National Labor Relations Act.
4. Reporting
Once all the tests have been completed, the audit will enter the reporting phase. This is when the audit team will conclude on the evidence they've collected, the interviews they've held, and any opinions they've formed on the controls in place. A summary of the audit findings, conclusions, and specific recommendations is officially communicated to the client through a draft report. Clients have the opportunity to respond to the report and submit an action plan and time frame. These responses become part of the final report, which is distributed to the appropriate level of administration.
5. Follow-up
After audits have been completed and management has formed action plans and time frames for audit issues, internal audit will follow up once that due date has arrived. In most cases, the follow-up will simply consist of a meeting to discuss how the action plan has been completed and a request for documentation to prove it.
Audit Department Structure
While an internal audit department is most often thought of as a team of full-time employees, there are actually many different ways in which a department can be structured. As the world becomes more digital and fast-paced, outsourcing has become a more attractive option for some organizations. Internal audit can be fully outsourced or partially outsourced, allowing for flexibility in cases where turnover is high.
In addition, departments can implement a rotational model. This allows for interested employees around the organization to rotate into the internal audit department for a period of time, allowing them to obtain knowledge of risks and controls and allowing the internal audit team to obtain more business area knowledge. This program is popular in very large organizations, but organizations tend to rotate lower-level audit staff instead of managers. This helps prevent any significant knowledge loss as auditors rotate out to business areas.
Consulting is not an easy task at any organization, especially for a department that can have negative perceptions within the organization as the "compliance police". However, once an internal audit department has delivered value to the organization, adding consulting to its suite of services is a smart move. In most cases, internal audit can insert itself into a consulting role without affecting the process of project management at the company. This means that internal audit can add objective assurance and opinions to business areas as they develop new processes, instead of coming in periodically to audit an area and file issues that could have been fixed at the beginning.
Data Science & Data Analytics
Fig. 5 - Data Science Skill Set
One major piece of the internal audit function in the modern world is data science. While the process is data science, most auditors will refer to anything in this realm as data analytics. Hot topics such as robotic process automation (RPA), machine learning (ML), and data mining have taken over the auditing world in recent years. These technologies have been immensely helpful in increasing the effectiveness and efficiency of auditors.
For example, mundane and repetitive tasks can be automated so that auditors have more room in their schedules for labor-intensive work. Further, auditors will need to adopt technologies like machine learning in order to extract more value from the data they're using to form conclusions.