October 03, 2011
How to Start or Redesign an Internal Audit Function
Today, I responded to a question on the LinkedIn IIA discussion group. The individual was in the exciting position of starting an internal audit function for a large company and asked for advice.
This is what I said:
I have started up internal audit functions a few times, and this is essentially my process:
1. Understand the business. Get out and see the operations and listen to not only the top executives but the people running the business.
2. Understand the value drivers and the risks to them.
3. Listen to the external auditors, the board, and top executives: their perspectives on #2, and what they would like to see from internal audit in (a) the short term and (b) the longer term. Make sure you meet with other (internal) assurance providers and any risk management function.
4. Develop a vision for the function, both for the first year and then for a few years out.
5. Build a risk-based plan for the first year to focus on the more significant risks. Allow a lot of contingency so that changes can be made as more is learned.
6. Develop a budget and review the vision, plan, and budget with top executives and the board. Obtain approval (after selling the vision and, if necessary, negotiating on resources).
7. Identify the staffing that is needed to do the work (which may include co-sourcing). Identify the staff AFTER designing the program, so you can get the skills and experience levels you need.
8. Go out and over-deliver. Build success through success.
Why this advice? Although I have run what others (my board members and top executives) have considered world-class and leading-edge internal audit functions over the years (profiled in the Journal of Accountancy), I strongly believe it is necessary to design internal audit to meet the current and anticipated needs of the company. So, when I was at Tosco (1990-2001) the initial focus was on basic controls, the IT environment, and compliance. As the company developed more mature controls and processes, the focus shifted to efficiency and adding value. (By the way, from the start I provided the board with an overall assessment of the quality of internal controls using the COSO '92 internal controls framework.)
The steps I outline will, in my experience, help the CAE:
- Understand the business and the need for (the value of) internal audit.
- Develop a vision and a strategy for realizing that vision.
- Build the department capable of delivering.
- Recognize that the needs of the company, and therefore the design of the internal audit function, change over time.
What do you think?