Diffstat (limited to 'content/blog/2020-09-22-internal-audit.org')
-rw-r--r--content/blog/2020-09-22-internal-audit.org247
1 files changed, 247 insertions, 0 deletions
diff --git a/content/blog/2020-09-22-internal-audit.org b/content/blog/2020-09-22-internal-audit.org
new file mode 100644
index 0000000..3074266
--- /dev/null
+++ b/content/blog/2020-09-22-internal-audit.org
@@ -0,0 +1,247 @@
+#+title: What is Internal Audit?
+#+date: 2020-09-22
+#+description: Learn about the Internal Audit function and their purpose.
+#+filetags: :audit:
+
+#+caption: Internal Audit Overview
+[[https://img.cleberg.net/blog/20200922-what-is-internal-audit/internal-audit-overview.jpg]]
+
+* Definitions
+One of the many reasons that Internal Audit needs such thorough
+explaining to non-auditors is that Internal Audit can serve many
+purposes, depending on the organization's size and needs. However, the
+Institute of Internal Auditors (IIA) defines Internal Auditing as:
+
+#+begin_quote
+Internal auditing is an independent, objective assurance and consulting
+activity designed to add value and improve an organization's operations.
+It helps an organization accomplish its objectives by bringing a
+systematic, disciplined approach to evaluate and improve the
+effectiveness of risk management, control, and governance processes.
+
+#+end_quote
+
+However, this definition uses quite a few terms that aren't clear unless
+the reader already has a solid understanding of the auditing profession.
+To further explain, the following is a list of definitions that can help
+supplement understanding of internal auditing.
+
+** Independent
+Independence is the freedom from conditions that threaten the ability of
+the internal audit activity to carry out internal audit responsibilities
+in an unbiased manner. To achieve the degree of independence necessary
+to effectively carry out the responsibilities of the internal audit
+activity, the chief audit executive has direct and unrestricted access
+to senior management and the board. This can be achieved through a
+dual-reporting relationship. Threats to independence must be managed at
+the individual auditor, engagement, functional, and organizational
+levels.
+
+** Objective
+Objectivity is an unbiased mental attitude that allows internal auditors
+to perform engagements in such a manner that they believe in their work
+product and that no quality compromises are made. Objectivity requires
+that internal auditors do not subordinate their judgment on audit
+matters to others. Threats to objectivity must be managed at the
+individual auditor, engagement, functional, and organizational levels.
+
+** Assurance
+Assurance services involve the internal auditor's objective assessment
+of evidence to provide opinions or conclusions regarding an entity,
+operation, function, process, system, or other subject matters. The
+internal auditor determines the nature and scope of an assurance
+engagement. Generally, three parties are participants in assurance
+services: (1) the person or group directly involved with the entity,
+operation, function, process, system, or other subject - (the process
+owner), (2) the person or group making the assessment - (the internal
+auditor), and (3) the person or group using the assessment - (the user).
+
+** Consulting
+Consulting services are advisory in nature and are generally performed
+at the specific request of an engagement client. The nature and scope of
+the consulting engagement are subject to agreement with the engagement
+client. Consulting services generally involve two parties: (1) the
+person or group offering the advice (the internal auditor), and (2) the
+person or group seeking and receiving the advice (the engagement
+client). When performing consulting services, the internal auditor
+should maintain objectivity and not assume management responsibility.
+
+** Governance, Risk Management, & Compliance (GRC)
+The integrated collection of capabilities that enable an organization to
+reliably achieve objectives, address uncertainty and act with integrity.
+
+* Audit Charter & Standards
+First, it's important to note that not every organization needs internal
+auditors. In fact, it's unwise for an organization to hire internal
+auditors unless they have regulatory requirements for auditing and have
+the capital to support the department. Internal audit is a cost center
+that can only affect revenue indirectly.
+
+Once an organization determines the need for internal assurance
+services, they will hire a Chief Audit Executive and create the audit
+charter. This charter is a document, approved by the company's governing
+body, that will define internal audit's purpose, authority,
+responsibility, and position within the organization. Fortunately, the
+IIA has model charters available to IIA members for those developing or
+improving their charter.
+
+Beyond the charter and organizational documents, internal auditors
+follow a few different standards in order to perform their job. First is
+the International Professional Practices Framework (IPPF) by the IIA,
+which is the model of standards for internal auditing. In addition,
+ISACA's Information Technology Assurance Framework (ITAF) helps guide
+auditors in reference to information technology (IT) compliance and
+assurance. Finally, additional standards such as FASB, GAAP, and
+industry-specific standards are used when performing internal audit
+work.
+
+* Three Lines of Defense
+[[https://theiia.org][The IIA]] released the original Three Lines of
+Defense model in 2013, but have released an updated version in 2020.
+Here is what the Three Lines of Defense model has historically looked
+like:
+
+#+caption: 2013 Three Lines of Defense Model
+[[https://img.cleberg.net/blog/20200922-what-is-internal-audit/three_lines_model.png]]
+
+I won't go into depth about the changes made to the model in this
+article. Instead, let's take a look at the most current model.
+
+#+caption: 2020 Three Lines of Defense Model
+[[https://img.cleberg.net/blog/20200922-what-is-internal-audit/updated_three_lines_model.png]]
+
+The updated model forgets the strict idea of areas performing their own
+functions or line of defense. Instead of talking about management, risk,
+and internal audit as 1-2-3, the new model creates a more fluid and
+cooperative model.
+
+Looking at this model from an auditing perspective shows us that
+auditors will need to align, communicate, and collaborate with
+management, including business area managers and chief officers, as well
+as reporting to the governing body. The governing body will instruct
+internal audit /functionally/ on their goals and track their progress
+periodically.
+
+However, the internal audit department will report /administratively/ to
+a chief officer in the company for the purposes of collaboration,
+direction, and assistance with the business. Note that in most
+situations, the governing body is the audit committee on the company's
+board of directors.
+
+The result of this structure is that internal audit is an independent
+and objective function that can provide assurance over the topics they
+audit.
+
+* Audit Process
+A normal audit will generally follow the same process, regardless of the
+topic. However, certain special projects or abnormal business areas may
+call for changes to the audit process. The audit process is not set in
+stone, it's simply a set of best practices so that audits can be
+performed consistently.
+
+#+caption: The Internal Audit Process
+[[https://img.cleberg.net/blog/20200922-what-is-internal-audit/internal-audit-process.jpg]]
+
+While different organizations may tweak the process, it will generally
+follow this flow:
+
+** 1. Risk Assessment
+The risk assessment part of the process has historically been performed
+annually, but many organizations have moved to performing this process
+much more frequently. In fact, some organizations are moving to an agile
+approach that can take new risks into the risk assessment and
+re-prioritize risk areas on-the-go. To perform a risk assessment,
+leaders in internal audit will research industry risks, consult with
+business leaders around the company, and perform analyses on company
+data.
+
+Once a risk assessment has been documented, the audit department has a
+prioritized list of risks that can be audited. This is usually in the
+form of auditable entities, such as business areas or departments.
+
+** 2. Planning
+During the planning phase of an audit, auditors will meet with the
+business area to discuss the various processes, controls, and risks
+applicable to the business. This helps the auditors determine the scope
+limits for the audit, as well as timing and subject-matter experts.
+Certain documents will be created in this phase that will be used to
+keep the audit on-track an in-scope as it goes forward.
+
+** 3. Testing
+The testing phase, also known as fieldwork or execution, is where
+internal auditors will take the information they've discovered and test
+it against regulations, industry standards, company rules, best
+practices, as well as validating that any processes are complete and
+accurate. For example, an audit of HR would most likely examine
+processes such as employee on-boarding, employee termination, security
+of personally identifiable information (PII), or the IT systems involved
+in these processes. Company standards would be examined and compared
+against how the processes are actually being performed day-to-day, as
+well as compared against regulations such as the Equal Employment
+Opportunity (EEO), American with Disabilities Act, and National Labor
+Relations Act.
+
+** 4. Reporting
+Once all the tests have been completed, the audit will enter the
+reporting phase. This is when the audit team will conclude on the
+evidence they've collected, interviews they've held, and any opinions
+they've formed on the controls in place. A summary of the audit
+findings, conclusions, and specific recommendations are officially
+communicated to the client through a draft report. Clients have the
+opportunity to respond to the report and submit an action plan and time
+frame. These responses become part of the final report which is
+distributed to the appropriate level of administration.
+
+** 5. Follow-Up
+After audits have been completed and management has formed action plans
+and time frames for audit issues, internal audit will follow up once
+that due date has arrived. In most cases, the follow-up will simply
+consist of a meeting to discuss how the action plan has been completed
+and to request documentation to prove it.
+
+* Audit Department Structure
+While an internal audit department is most often thought of as a team of
+full-time employees, there are actually many different ways in which a
+department can be structured. As the world becomes more digital and
+fast-paced, outsourcing has become a more attractive option for some
+organizations. Internal audit can be fully outsourced or partially
+outsourced, allowing for flexibility in cases where turnover is high.
+
+In addition, departments can implement a rotational model. This allows
+for interested employees around the organization to rotate into the
+internal audit department for a period of time, allowing them to obtain
+knowledge of risks and controls and allowing the internal audit team to
+obtain more business area knowledge. This program is popular in very
+large organizations, but organizations tend to rotate lower-level audit
+staff instead of managers. This helps prevent any significant knowledge
+loss as auditors rotate out to business areas.
+
+* Consulting
+Consulting is not an easy task at any organization, especially for a
+department that can have negative perceptions within the organization as
+the "compliance police." However, once an internal audit department has
+delivered value to organization, adding consulting to their suite of
+services is a smart move. In most cases, Internal Audit can insert
+themselves into a consulting role without affecting the process of
+project management at the company. This means that internal audit can
+add objective assurance and opinions to business areas as they develop
+new processes, instead of coming in periodically to audit an area and
+file issues that could have been fixed at the beginning.
+
+* Data Science & Data Analytics
+#+caption: Data Science Skill Set
+[[https://img.cleberg.net/blog/20200922-what-is-internal-audit/data-science-skillset.png]]
+
+One major piece of the internal audit function in the modern world is
+data science. While the process is data science, most auditors will
+refer to anything in this realm as data analytics. Hot topics such as
+robotic process automation (RPA), machine learning (ML), and data mining
+have taken over the auditing world in recent years. These technologies
+have been immensely helpful with increasing the effectiveness and
+efficiency of auditors.
+
+For example, mundane and repetitive tasks can be automated in order for
+auditors to make more room in their schedules for labor-intensive work.
+Further, auditors will need to adapt technologies like machine learning
+in order to extract more value from the data they're using to form
+conclusions.
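Review bot: a few wording slips in the new post are worth fixing before it publishes. In the Planning section, "keep the audit on-track an in-scope" should read "on-track and in-scope"; in the Consulting section, "delivered value to organization" should read "delivered value to the organization"; in the Testing section, the statute is the "Americans with Disabilities Act", not "American with Disabilities Act"; and in Three Lines of Defense, "released the original ... in 2013, but have released an updated version in 2020" reads better as "but released an updated version in 2020". Two smaller points: the stray blank line immediately before "#+end_quote" in the IIA definition block is unnecessary, and in Audit Charter & Standards, "standards such as FASB, GAAP" mixes a body with a standard, since FASB is the board that issues US GAAP; "standards such as GAAP (issued by FASB)" would be more precise.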