Building an internal audit function from the ground up may seem like a daunting task, but taking a measured approach and prioritizing what should be done first can ease some of the difficulties. Handling these initial steps with care also helps build trust in organizations that may have no experience with internal audit or may be suspicious of its motives. By selecting key areas of focus and seeking to make "quick wins," chief audit executives (CAEs) can soon win over management and the rest of the business, and establish a solid foundation for the audit function.
The Lay of the Land
Alyssa Martin, partner in charge at risk advisory services firm Weaver in Dallas, is no stranger to setting up internal audit functions from scratch. She says she typically sets up around three or four functions per year on behalf of clients, and that she has established — or "reconstituted" — more than 20 in her career to date.
Martin says the reason behind the organization's decision to set up an audit function can provide vital clues about what it will look like and how it will be resourced. Potential reasons include regulatory requirements; past governance failures that impacted operations; financial incentives such as improving processes, increasing efficiency, and minimizing potential frauds; or pressure from a large customer to provide it with more assurance. "The different circumstances behind the move to set up an internal audit function can influence the way it is developed, what its scope is, and what budget and resources it will have," she says.
The way in which internal audit will operate also needs adequate consideration, Martin adds. If, for example, the function comprises a head of internal audit who oversees a fully outsourced team, that individual must be a strong leader with lots of experience. He or she must be able to take charge and establish what the function's priorities should be, as well as determine what expertise the organization needs to obtain quickly.
Martin says internal audit needs a "sponsor" within the organization to champion the function and to send a message to the board and the rest of the organization that internal audit is a key player in ensuring effective governance and sound practice. Moreover, CAEs need to liaise and establish good working relationships with key second-line assurance functions in the business, particularly the chief risk and compliance officers, as well as maintain communication with the chief financial officer (CFO). "Internal audit can't act in isolation, and especially not when it is a new department," she says. "It needs to establish key partnerships with other functions in the business to see how they operate, how they view risk, and to learn their approaches."
Martin also notes the importance of building a good relationship with the audit committee, management, and the organization in general, and she stresses the need for audit heads to understand the audit universe and identify which activities are a priority for internal audit's involvement. "Find out where internal audit needs to be active first and what skills and experience you need to have to make a good impression straight away," she says. "You have to choose where you can make an immediate impact first to gain trust with management and the organization."
The head of internal audit also needs to look closely at the budget he or she has been given. "A low budget impacts hiring choices and what you can realistically do," Martin says. "It also means that you have to prioritize areas that need the most work or immediate focus." She advises audit leaders not to complain about receiving less funding than expected, noting that effective use of allotted resources can allow for quick wins and help build confidence with managers who control the purse strings, thereby making them more likely to agree to additional funding later.
Set the Standard
Anyone setting up a new audit function should be familiar with The IIA’s International Standards for the Professional Practice of Internal Auditing. Several standards, in particular, are especially relevant to the process:
1000 — Purpose, Authority, and Responsibility
1110 — Organizational Independence
1200 — Proficiency and Due Professional Care
2000 — Managing the Internal Audit Activity
2020 — Communication and Approval
2030 — Resource Management
2040 — Policies and Procedures
2050 — Coordination and Reliance
2060 — Reporting to Senior Management and the Board
2230 — Engagement Resource Allocation
Arif Zaman, head of internal audit at real estate company Emaar Industries and Investments based in Dubai, United Arab Emirates, was formerly a risk advisor at a consulting firm where he helped large corporate clients set up or reconstitute internal audit functions. Zaman says the experience taught him what a "good" internal audit function should look like, and what constitutes best practice.
Having board buy-in from the start is essential to the success of any internal audit function, Zaman says. "Once you have board backing, you can then get approval for the internal audit framework and reporting structure, which will allow internal auditors to maintain their independence and objectivity," he explains.
Like Martin, Zaman says internal audit must know who will champion the audit function — usually the second line of defense functions like compliance or risk management. He adds that, to maintain independence, internal audit should report to the audit committee or directly to the board. Once the reporting line is defined, the head of internal audit should ensure that three documents are drawn up quickly:
- An audit committee charter to define the role and responsibilities of the committee (with board approval).
- An internal audit charter to define the scope, role, responsibilities, and reporting structure of the internal audit function.
- The standard operating procedures, which are policies and procedures that cover the annual audit plan, approval process, engagement plan, audit execution, audit reporting, follow-up, reporting, and quality assurance.
According to Zaman, understanding the business, how it operates, and — crucially — its culture, also are key steps to successfully setting up an internal audit function. "It is very important to be acquainted with the culture and business acumen of the company," he says. "It gives a general idea of the company's risk maturity and its control environment. It also provides useful insight about how an internal auditor should determine his or her approach and how to pitch the internal audit department framework within the organization."
Zaman also notes the importance of considering the culture of the country in which the organization operates. "Internal audit is nothing new in countries like the U.S., U.K., or elsewhere in Europe," he says. "These countries have an understanding and appreciation of what internal audit can provide. But in developing markets, awareness of what internal audit is supposed to do, and what it is capable of, can be quite low."
To help gain trust in the organization, Zaman says it may be best if internal audit has a pragmatic — rather than dogmatic — mindset. He stresses that flexibility may be necessary, as a "by the book" approach may intimidate business units and deter them from coming forward and reporting problems. "You want to establish a culture of openness and transparency that encourages people to come forward with concerns, rather than reinforce the stereotype of internal audit being an internal policeman," he says.
Zaman also agrees with Martin that achieving quick wins early on can help turn people's attitudes around in the auditors' favor. He warns against starting with sweeping, ambitious objectives such as advising an overhaul of the way the organization is run or recommending controls around every single business process. Instead, Zaman suggests looking at simple ways to help cut costs and increase efficiencies, being sure to quantify the immediate and long-term cost savings. "Concentrate on just doing the main audit work you need to do first and where you know you can succeed," he says.
It is also important for internal audit to show that it is open and collaborative, notes Randy Pierson, internal audit manager and invalid traffic compliance leader at The Nielsen Co. in Oldsmar, Fla. "Audit needs to avoid being siloed," he says. "You want to make sure that you are getting all the information that you need so that you can understand the risks to the business and whether they are being controlled. The best way of doing this is to build up trust within the organization."
Like Zaman and Martin, Pierson also advises making a good impression quickly through small but effective changes to improve practices, cut costs, etc., but also by working with subject matter experts throughout the business to get a better sense of operations and the risks they face.
Working Within the Perimeter
Leslie Krepa, a retired former head of internal audit living in the United Kingdom, does not believe that any auditor sets up a function from scratch in reality. “There are always perimeters setting out what you are able to do and what you will need to look at — the job description/internal audit terms of reference will have done that at the outset," she says. "The board, and especially the audit committee if there is one, will have expectations of what they want to see done, and they will have a budget in mind as well. Heads of internal audit will, however, usually have overall control about how the work is done, how the budget is spent, and how the function is set up, but management will have a very clear view about what they want prioritized, particularly as they took the decision to establish an in-house function in the first place.”
Krepa warns heads of internal audit not to rush into anything. She advises, for example, that CAEs avoid the mistake of presenting an audit plan to key stakeholders during their first week in the position, lest they be told to come back when they have learned the business. Krepa suggests first visiting key departments, getting to know stakeholders, and visiting office sites. "Look at what is going on with your own eyes — the key early on is to listen and observe and not say very much," she says.
Krepa also advises audit heads to spend time with external audit. “Audit committee chairs rely on external audit to give them an independent view of risks to the business, and chances are that they have already asked for external audit’s opinion on what you are doing," she says. "Having external audit on your side at the beginning could be a real help in winning other key stakeholders over.”
Several activities should be considered when establishing an internal audit function:
- Identify key internal and external stakeholders and obtain a clear understanding of their expectations.
- Communicate the role of internal audit to the board, audit committee, executive management, and the rest of the organization.
- Ensure that there is a functional reporting line to the audit committee and — ideally — an administrative reporting line to the CEO.
- Put an internal audit charter in place — one that is approved by the audit committee.
- Conform with The IIA’s International Standards for the Professional Practice of Internal Auditing.
- Prepare an internal audit strategic plan that considers the organization’s objectives and key risks as well as any gaps within its assurance framework.
- Assess the organization’s risk maturity to help determine the internal audit strategy and approach.
- Agree with management on an annual internal audit plan that is approved by the audit committee.
- Agree with management on budgets (financial and staffing).
- Coordinate internal audit work with that of other assurance providers (internal and external).
*A version of this checklist originally appeared in the Chartered Institute of Internal Auditors guide, How to Set up a New Internal Audit Activity. Adapted with permission.
Replacing a Previous Function
Seidu Sumani, senior vice president, head of internal audit, at MFS Investment Management previously set up an internal audit function at another investment management firm in Boston after it was sold by its U.S. parent company. "The organization had previously been served by a group internal audit function, so management had a mature view of what internal audit did and the value it could add," he says.
With management buy-in already a given, Sumani had to work out quickly which departments and processes needed audit focus first, as well as demonstrate that he and his newly appointed team understood the business and the risks it faced. "I needed to establish what my priorities were very quickly, and what skills and experience I would need for my team," he says.
Sumani notes that it can be a struggle for heads of internal audit to assert their authority at the beginning. Budgets can often be decided by the CFO, for example, and if they are too low, audit heads need to deliver a compelling case about why they need more resources so early on. Sumani advises an assertive approach. "Disagreements with senior management can become quite common, quite tense, and quite political," he says. "But you have to be firm — yet persuasive — and be able to demonstrate that you have the knowledge and experience to back up what you are asking for."
For example, Sumani notes that he was given a budget for seven team members and was advised to outsource the IT audit function. Instead, he wanted an experienced IT auditor, which can be an expensive hire. "In the end, I was able to get what I wanted but it was not an easy argument to win," he says. There was also pressure on him to deliver results quickly, though he wasn't convinced that the areas management wanted internal audit to address first were in fact the riskiest or the best use of audit's limited resources. "So I took a risk-based approach, which was risky for me because results were not as quick," he says. "However, the results were more appropriate and in the end the stakeholders appreciated that."
Sumani also recruited someone who had more business experience than audit experience — two years in audit but a wealth of financial services experience; plus he had worked within the business. The new hire could "speak the same language" as managers in different departments, understood how they worked, and knew the key risks their departments faced, as well as how they addressed them. "As a result, we gained management's trust very early on," he says. In fact, he hired three people from within the business based on their knowledge of organizational processes and their ability to learn internal auditing quickly.
Sumani warns against hiring certain staff members just because management wants them on the team. "Choose your own team and hire who you need or want," he says. He also advises against letting management dictate what internal audit should be doing, emphasizing that it's the audit leader's job to prioritize which areas need the greatest resources and immediate focus. "If internal audit wants to show it is independent, it needs to assert that independence from the beginning," he says. "However, if you're going to ask for more resources and go up against management, be sure you can do what you say you are going to do."
The Right People
Phil Tarling, an internal audit consultant based in the U.K. and former chairman of The IIA's Global Board of Directors, also emphasizes the importance of staffing-related decisions early on. "Any new internal audit function will live or die by the people it has on its team," he says. "The question you need to ask is whether you want more low-level people who can do the nuts and bolts work effectively and can cover a lot of basic audits across the business, or do you go for high-level people who are willing to get their hands dirty, do the low-level work as well, but who can cover less ground?" He notes the answers depend largely on management's expectations, adding that staffing decisions can have ramifications down the road as internal audit matures.
Tarling says CAEs who are asked to manage a completely outsourced function can enjoy certain advantages. He points to the increased ease of saying that audit reports received are inadequate or requesting that a particular partner or subject matter expert lead an engagement, as well as leverage in negotiating additional services.
Regardless of team composition, Tarling, like Sumani, advises a firm, proactive approach. "If you are in charge of a fully outsourced function, or if you cosource, then make sure you flex your muscle and get exactly what you want," he says.
A Solid Foundation
Setting up internal audit from scratch will always present challenges, but taking a steady and realistic approach that involves management buy-in from the start will make the process a lot easier. And to build trust and avoid confusion or conflict, it is also important to remember that internal audit must define its scope and terms of reference from the outset. Management will be more likely to respond favorably if positive early impressions are made, and more likely to trust internal audit's judgment going forward.