author | Christian Cleberg <hello@cleberg.net> | 2023-12-02 11:23:08 -0600 |
---|---|---|
committer | Christian Cleberg <hello@cleberg.net> | 2023-12-02 11:23:08 -0600 |
commit | caccd81c3eb7954662d20cab10cc3afeeabca615 (patch) | |
tree | 567ed10350c1ee319c178952ab6aa48265977e58 /blog/2020-09-22-internal-audit.org | |
initial commit
Diffstat (limited to 'blog/2020-09-22-internal-audit.org')
-rw-r--r-- | blog/2020-09-22-internal-audit.org | 246 |
1 files changed, 246 insertions, 0 deletions
diff --git a/blog/2020-09-22-internal-audit.org b/blog/2020-09-22-internal-audit.org new file mode 100644 index 0000000..e10f8ea --- /dev/null +++ b/blog/2020-09-22-internal-audit.org 
@@ -0,0 +1,246 @@ +#+date: 2020-09-22 +#+title: What is Internal Audit? + +#+CAPTION: Internal Audit Overview +[[https://img.0x4b1d.org/blog/20200922-what-is-internal-audit/internal-audit-overview.jpg]] + +* Definitions + +One of the many reasons that Internal Audit needs such thorough explaining to +non-auditors is that Internal Audit can serve many purposes, depending on the +organization's size and needs. However, the Institute of Internal Auditors (IIA) +defines Internal Auditing as: + +#+BEGIN_QUOTE +Internal auditing is an independent, objective assurance and consulting activity +designed to add value and improve an organization's operations. It helps an +organization accomplish its objectives by bringing a systematic, disciplined +approach to evaluate and improve the effectiveness of risk management, control, +and governance processes. +#+END_QUOTE + +However, this definition uses quite a few terms that aren't clear unless the +reader already has a solid understanding of the auditing profession. To further +explain, the following is a list of definitions that can help supplement +understanding of internal auditing. + +** Independent + +Independence is the freedom from conditions that threaten the ability of the +internal audit activity to carry out internal audit responsibilities in an +unbiased manner. To achieve the degree of independence necessary to effectively +carry out the responsibilities of the internal audit activity, the chief audit +executive has direct and unrestricted access to senior management and the board. +This can be achieved through a dual-reporting relationship. Threats to +independence must be managed at the individual auditor, engagement, functional, +and organizational levels. + +** Objective + +Objectivity is an unbiased mental attitude that allows internal auditors to +perform engagements in such a manner that they believe in their work product and +that no quality compromises are made. 
Objectivity requires that internal +auditors do not subordinate their judgment on audit matters to others. Threats +to objectivity must be managed at the individual auditor, engagement, +functional, and organizational levels. + +** Assurance + +Assurance services involve the internal auditor's objective assessment of +evidence to provide opinions or conclusions regarding an entity, operation, +function, process, system, or other subject matters. The internal auditor +determines the nature and scope of an assurance engagement. Generally, three +parties are participants in assurance services: (1) the person or group directly +involved with the entity, operation, function, process, system, or other +subject - (the process owner), (2) the person or group making the assessment - +(the internal auditor), and (3) the person or group using the assessment - (the +user). + +** Consulting + +Consulting services are advisory in nature and are generally performed at the +specific request of an engagement client. The nature and scope of the consulting +engagement are subject to agreement with the engagement client. Consulting +services generally involve two parties: (1) the person or group offering the +advice (the internal auditor), and (2) the person or group seeking and receiving +the advice (the engagement client). When performing consulting services, the +internal auditor should maintain objectivity and not assume management +responsibility. + +** Governance, Risk Management, & Compliance (GRC) + +The integrated collection of capabilities that enable an organization to +reliably achieve objectives, address uncertainty and act with integrity. + +* Audit Charter & Standards + +First, it's important to note that not every organization needs internal +auditors. In fact, it's unwise for an organization to hire internal auditors +unless they have regulatory requirements for auditing and have the capital to +support the department. 
Internal audit is a cost center that can only affect +revenue indirectly. + +Once an organization determines the need for internal assurance services, they +will hire a Chief Audit Executive and create the audit charter. This charter is +a document, approved by the company's governing body, that will define internal +audit's purpose, authority, responsibility, and position within the +organization. Fortunately, the IIA has model charters available to IIA members +for those developing or improving their charter. + +Beyond the charter and organizational documents, internal auditors follow a few +different standards in order to perform their job. First is the International +Professional Practices Framework (IPPF) by the IIA, which is the model of +standards for internal auditing. In addition, ISACA's Information Technology +Assurance Framework (ITAF) helps guide auditors in reference to information +technology (IT) compliance and assurance. Finally, additional standards such as +FASB, GAAP, and industry-specific standards are used when performing internal +audit work. + +* Three Lines of Defense + +[[https://theiia.org][The IIA]] released the original Three Lines of Defense model in 2013, but have +released an updated version in 2020. Here is what the Three Lines of Defense +model has historically looked like: + +#+CAPTION: 2013 Three Lines of Defense Model +[[https://img.0x4b1d.org/blog/20200922-what-is-internal-audit/three_lines_model.png]] + +I won't go into depth about the changes made to the model in this article. +Instead, let's take a look at the most current model. + +#+CAPTION: 2020 Three Lines of Defense Model +[[https://img.0x4b1d.org/blog/20200922-what-is-internal-audit/updated_three_lines_model.png]] + +The updated model forgets the strict idea of areas performing their own +functions or line of defense. Instead of talking about management, risk, and +internal audit as 1-2-3, the new model creates a more fluid and cooperative +model. 
+ +Looking at this model from an auditing perspective shows us that auditors will +need to align, communicate, and collaborate with management, including business +area managers and chief officers, as well as reporting to the governing body. +The governing body will instruct internal audit /functionally/ on their goals +and track their progress periodically. + +However, the internal audit department will report /administratively/ to a chief +officer in the company for the purposes of collaboration, direction, and +assistance with the business. Note that in most situations, the governing body +is the audit committee on the company's board of directors. + +The result of this structure is that internal audit is an independent and +objective function that can provide assurance over the topics they audit. + +* Audit Process + +A normal audit will generally follow the same process, regardless of the topic. +However, certain special projects or abnormal business areas may call for +changes to the audit process. The audit process is not set in stone, it's simply +a set of best practices so that audits can be performed consistently. + +#+CAPTION: The Internal Audit Process +[[https://img.0x4b1d.org/blog/20200922-what-is-internal-audit/internal-audit-process.jpg]] + +While different organizations may tweak the process, it will generally follow +this flow: + +** 1. Risk Assessment + +The risk assessment part of the process has historically been performed +annually, but many organizations have moved to performing this process much more +frequently. In fact, some organizations are moving to an agile approach that can +take new risks into the risk assessment and re-prioritize risk areas on-the-go. +To perform a risk assessment, leaders in internal audit will research industry +risks, consult with business leaders around the company, and perform analyses on +company data. 
+ +Once a risk assessment has been documented, the audit department has a +prioritized list of risks that can be audited. This is usually in the form of +auditable entities, such as business areas or departments. + +** 2. Planning + +During the planning phase of an audit, auditors will meet with the business area +to discuss the various processes, controls, and risks applicable to the +business. This helps the auditors determine the scope limits for the audit, as +well as timing and subject-matter experts. Certain documents will be created in +this phase that will be used to keep the audit on-track an in-scope as it goes +forward. + +** 3. Testing + +The testing phase, also known as fieldwork or execution, is where internal +auditors will take the information they've discovered and test it against +regulations, industry standards, company rules, best practices, as well as +validating that any processes are complete and accurate. For example, an audit +of HR would most likely examine processes such as employee on-boarding, employee +termination, security of personally identifiable information (PII), or the IT +systems involved in these processes. Company standards would be examined and +compared against how the processes are actually being performed day-to-day, as +well as compared against regulations such as the Equal Employment Opportunity +(EEO), American with Disabilities Act, and National Labor Relations Act. + +** 4. Reporting + +Once all the tests have been completed, the audit will enter the reporting +phase. This is when the audit team will conclude on the evidence they've +collected, interviews they've held, and any opinions they've formed on the +controls in place. A summary of the audit findings, conclusions, and specific +recommendations are officially communicated to the client through a draft +report. Clients have the opportunity to respond to the report and submit an +action plan and time frame. 
These responses become part of the final report +which is distributed to the appropriate level of administration. + +** 5. Follow-Up + +After audits have been completed and management has formed action plans and time +frames for audit issues, internal audit will follow up once that due date has +arrived. In most cases, the follow-up will simply consist of a meeting to +discuss how the action plan has been completed and to request documentation to +prove it. + +* Audit Department Structure + +While an internal audit department is most often thought of as a team of +full-time employees, there are actually many different ways in which a +department can be structured. As the world becomes more digital and fast-paced, +outsourcing has become a more attractive option for some organizations. Internal +audit can be fully outsourced or partially outsourced, allowing for flexibility +in cases where turnover is high. + +In addition, departments can implement a rotational model. This allows for +interested employees around the organization to rotate into the internal audit +department for a period of time, allowing them to obtain knowledge of risks and +controls and allowing the internal audit team to obtain more business area +knowledge. This program is popular in very large organizations, but +organizations tend to rotate lower-level audit staff instead of managers. This +helps prevent any significant knowledge loss as auditors rotate out to business +areas. + +* Consulting + +Consulting is not an easy task at any organization, especially for a department +that can have negative perceptions within the organization as the "compliance +police." However, once an internal audit department has delivered value to +organization, adding consulting to their suite of services is a smart move. In +most cases, Internal Audit can insert themselves into a consulting role without +affecting the process of project management at the company. 
This means that +internal audit can add objective assurance and opinions to business areas as +they develop new processes, instead of coming in periodically to audit an area +and file issues that could have been fixed at the beginning. + +* Data Science & Data Analytics + +#+CAPTION: Data Science Skill Set +[[https://img.0x4b1d.org/blog/20200922-what-is-internal-audit/data-science-skillset.png]] + +One major piece of the internal audit function in the modern world is data +science. While the process is data science, most auditors will refer to anything +in this realm as data analytics. Hot topics such as robotic process automation +(RPA), machine learning (ML), and data mining have taken over the auditing world +in recent years. These technologies have been immensely helpful with increasing +the effectiveness and efficiency of auditors. + +For example, mundane and repetitive tasks can be automated in order for auditors +to make more room in their schedules for labor-intensive work. Further, auditors +will need to adapt technologies like machine learning in order to extract more +value from the data they're using to form conclusions. |
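Review bot: the new file carries a few typos and one naming issue that should be fixed before it is published. In the Planning section, "keep the audit on-track an in-scope" should read "on-track and in-scope"; in the Testing section, "American with Disabilities Act" should be "Americans with Disabilities Act"; in the Consulting section, "delivered value to organization" is missing "the". In the Three Lines section, the IIA's 2020 revision was published as the "Three Lines Model" and deliberately dropped "of Defense", so the caption "2020 Three Lines of Defense Model" and the sentence "The updated model forgets the strict idea of areas performing their own functions or line of defense" should use the updated name (and "drops" reads better than "forgets"). The rest of the content is prose and images only, so there is nothing else to flag in this hunk.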