What is internal audit?
The objective of internal audit is to perform independent health checks on business processes and controls, as well as to assess design effectiveness and operational efficiency to drive process improvement and optimisation, while giving stakeholders assurance that controls are appropriate and working effectively in line with the businesses risk appetite.
Internal audit is an independent function, which often has a focus on financial controls, but should nevertheless be deemed as a separate function, and not a sub-section of the finance function. Therefore, the internal audit function should have its own cost centre, budget, methodology, policies, etc.
Who’s heading up internal audit and reporting lines?
The most senior person in the internal audit function is the Chief Audit Executive (CAE) who is responsible for running it in line with the Internal Audit Charter. This position is often referred to as ‘Head of Internal Audit’ or ‘Internal Audit Director’ in the UK. The CAE reports directly (functionally) to the Audit Committee Chair to maintain independence, and dotted line (administratively) to the CEO. The reason the CAE should report dotted line to the CEO is because all business processes and controls should fall under internal audit’s scope, not just financial controls. However, if the primary focus of your internal audit team is financial controls for financial reporting, the CAE should also report dotted line into the CFO as well as the CEO.
Governance of internal audit
The internal audit function is governed by the Internal Audit Charter, which the Institute of Internal Audit defines as “a formal document that defines internal audit’s purpose, authority, responsibility and position within the organisation. The charter should set out the nature of services that internal audit will provide and how internal audit will help the organisation to achieve its objectives. Having a charter establishes the internal audit activity’s position within the organisation, including the Head of Internal Audit’s reporting lines, access to records, people and property, and the scope of its activities.” The charter should be signed by the Audit Committee Chair and be reviewed annually.
How does management relate to internal audit?
As the CAE reports directly into the Audit Committee Chair, the function is independent of management and is not responsible for implementing changes to controls and processes, or operating functions within a business. This responsibility sits with the Management team. Consequently, the internal audit function is able to perform an independent and unbiased assessment of the controls and processes to identify and collaborate with management on the best action plan to address findings.
Internal audit will monitor the progress of this action plan and periodically report on the status to Audit Committee, senior leaders, and management. As the internal audit function drives change and holds management accountable for that change; the CAE must be of the same seniority as the senior leaders who operate the functions.
The CAE should attend all Audit committee meetings and should meet annually with the Audit Committee Chair independently without senior leaders and management. To drive process improvement effectively, the CAE needs timely information. The CAE should have regular touch points with the CEO and CFO and will work closely, or be responsible for risk management, subject to appropriate safeguards.
The CAE should be included in senior leadership meetings and be an observer in other committees selected by the CAE as appropriate to execute the Internal Audit Charter. The CAE can attend committee meetings as an advisor; if outlined in the Internal Audit Charter, agreed with management, and if appropriate safeguards are put in place.
How to set up an internal audit function
To set up an Internal Audit function, the following documents are required.
- Internal Audit Charter.
- Audit methodology.
- Audit policies and procedures.
- Audit templates:
- Terms of reference.
- RCM.
- Reporting.
- Action tracking.
- Management reporting.
- Audit Committee reporting.
- Function objectives / KPIs / Balanced scorecard.
- Training schedule for the business to integrate internal audit.
The internal audit function should also consider whether the following internal documents need to be updated:
- Organisation charts / structures.
- Internal communications eg, intranet content.
- Onboarding material for new joiners.
- Training material.
Once the internal audit function is set up, emphasis should be placed on integrating the internal audit function and building relationships across the business’s functions. This is because the internal audit function, although independent, is a collaborative function that works together with management to support business maturity, manage risk, and strengthen governance though effective controls. Integration should be supported by the senior leadership team.