#+date: <2020-09-22 Tue 00:00:00>
#+title: The Strategic Role of Internal Audit in Risk, Governance, and Compliance
#+description: Analysis of internal audit processes, their contribution to risk management, governance frameworks, and compliance monitoring within corporate structures.
#+slug: internal-audit
#+filetags: :audit:internal-audit:governance:
* Definitions
One of the many reasons that Internal Audit needs such thorough explaining to
non-auditors is that Internal Audit can serve many purposes, depending on the
organization's size and needs. However, the Institute of Internal Auditors (IIA)
defines Internal Auditing as:
#+begin_quote
Internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organization's operations. It helps an
organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control,
and governance processes.
#+end_quote
However, this definition uses quite a few terms that aren't clear unless the
reader already has a solid understanding of the auditing profession. To further
explain, the following is a list of definitions that can help supplement
understanding of internal auditing.
** Independent
Independence is the freedom from conditions that threaten the ability of the
internal audit activity to carry out internal audit responsibilities in an
unbiased manner. To achieve the degree of independence necessary to effectively
carry out the responsibilities of the internal audit activity, the chief audit
executive has direct and unrestricted access to senior management and the board.
This can be achieved through a dual-reporting relationship. Threats to
independence must be managed at the individual auditor, engagement, functional,
and organizational levels.
** Objective
Objectivity is an unbiased mental attitude that allows internal auditors to
perform engagements in such a manner that they believe in their work product and
that no quality compromises are made. Objectivity requires that internal
auditors do not subordinate their judgment on audit matters to others. Threats
to objectivity must be managed at the individual auditor, engagement,
functional, and organizational levels.
** Assurance
Assurance services involve the internal auditor's objective assessment of
evidence to provide opinions or conclusions regarding an entity, operation,
function, process, system, or other subject matters. The internal auditor
determines the nature and scope of an assurance engagement. Generally, three
parties are participants in assurance services: (1) the person or group directly
involved with the entity, operation, function, process, system, or other subject
matter (the process owner), (2) the person or group making the assessment (the
internal auditor), and (3) the person or group using the assessment (the
user).
** Consulting
Consulting services are advisory in nature and are generally performed at the
specific request of an engagement client. The nature and scope of the consulting
engagement are subject to agreement with the engagement client. Consulting
services generally involve two parties: (1) the person or group offering the
advice (the internal auditor), and (2) the person or group seeking and receiving
the advice (the engagement client). When performing consulting services, the
internal auditor should maintain objectivity and not assume management
responsibility.
** Governance, Risk Management, & Compliance (GRC)
The integrated collection of capabilities that enable an organization to
reliably achieve objectives, address uncertainty and act with integrity.
* Audit Charter & Standards
First, it's important to note that not every organization needs internal
auditors. In fact, it's unwise for an organization to hire internal auditors
unless they have regulatory requirements for auditing and have the capital to
support the department. Internal audit is a cost center that can only affect
revenue indirectly.
Once an organization determines the need for internal assurance services, it
will hire a Chief Audit Executive and create the audit charter. This charter is
a document, approved by the company's governing body, that will define internal
audit's purpose, authority, responsibility, and position within the
organization. Fortunately, the IIA has model charters available to IIA members
for those developing or improving their charter.
Beyond the charter and organizational documents, internal auditors follow a few
different standards in order to perform their job. First is the International
Professional Practices Framework (IPPF) by the IIA, which is the model of
standards for internal auditing. In addition, ISACA's Information Technology
Assurance Framework (ITAF) helps guide auditors in reference to information
technology (IT) compliance and assurance. Finally, additional standards such as
FASB, GAAP, and industry-specific standards are used when performing internal
audit work.
* Three Lines of Defense
[[https://theiia.org][The IIA]] released the original Three Lines of Defense model in 2013, but
released an updated version in 2020.
I won't go into depth about the changes made to the model in this article.
Instead, let's take a look at the most current model.
The updated model drops the strict idea of separate areas each performing their
own function or line of defense. Instead of talking about management, risk, and
internal audit as 1-2-3, the new model describes a more fluid and cooperative
structure.
Looking at this model from an auditing perspective shows us that auditors will
need to align, communicate, and collaborate with management, including business
area managers and chief officers, as well as report to the governing body.
The governing body will instruct internal audit /functionally/ on their goals
and track their progress periodically.
However, the internal audit department will report /administratively/ to a chief
officer in the company for the purposes of collaboration, direction, and
assistance with the business. Note that in most situations, the governing body
is the audit committee on the company's board of directors.
The result of this structure is that internal audit is an independent and
objective function that can provide assurance over the topics they audit.
* Audit Process
A normal audit will generally follow the same process, regardless of the topic.
However, certain special projects or abnormal business areas may call for
changes to the audit process. The audit process is not set in stone; it's simply
a set of best practices so that audits can be performed consistently.
While different organizations may tweak the process, it will generally follow
this flow:
** 1. Risk Assessment
The risk assessment part of the process has historically been performed
annually, but many organizations have moved to performing this process much more
frequently. In fact, some organizations are moving to an agile approach that can
take new risks into the risk assessment and re-prioritize risk areas on-the-go.
To perform a risk assessment, leaders in internal audit will research industry
risks, consult with business leaders around the company, and perform analyses on
company data.
Once a risk assessment has been documented, the audit department has a
prioritized list of risks that can be audited. This is usually in the form of
auditable entities, such as business areas or departments.
** 2. Planning
During the planning phase of an audit, auditors will meet with the business area
to discuss the various processes, controls, and risks applicable to the
business. This helps the auditors determine the scope limits for the audit, as
well as timing and subject-matter experts. Certain documents will be created in
this phase that will be used to keep the audit on track and in scope as it goes
forward.
** 3. Testing
The testing phase, also known as fieldwork or execution, is where internal
auditors will take the information they've discovered and test it against
regulations, industry standards, company rules, and best practices, as well as
validate that the processes are complete and accurate. For example, an audit
of HR would most likely examine processes such as employee on-boarding, employee
termination, security of personally identifiable information (PII), or the IT
systems involved in these processes. Company standards would be examined and
compared against how the processes are actually being performed day-to-day, as
well as compared against regulations such as Equal Employment Opportunity
(EEO) law, the Americans with Disabilities Act, and the National Labor Relations Act.
** 4. Reporting
Once all the tests have been completed, the audit will enter the reporting
phase. This is when the audit team will conclude on the evidence they've
collected, interviews they've held, and any opinions they've formed on the
controls in place. A summary of the audit findings, conclusions, and specific
recommendations is officially communicated to the client through a draft
report. Clients have the opportunity to respond to the report and submit an
action plan and time frame. These responses become part of the final report,
which is distributed to the appropriate level of administration.
** 5. Follow-Up
After audits have been completed and management has formed action plans and time
frames for audit issues, internal audit will follow up once that due date has
arrived. In most cases, the follow-up will simply consist of a meeting to
discuss how the action plan has been completed and to request documentation to
prove it.
* Audit Department Structure
While an internal audit department is most often thought of as a team of
full-time employees, there are actually many different ways in which a
department can be structured. As the world becomes more digital and fast-paced,
outsourcing has become a more attractive option for some organizations. Internal
audit can be fully outsourced or partially outsourced, allowing for flexibility
in cases where turnover is high.
In addition, departments can implement a rotational model. This allows for
interested employees around the organization to rotate into the internal audit
department for a period of time, allowing them to obtain knowledge of risks and
controls and allowing the internal audit team to obtain more business area
knowledge. This program is popular in very large organizations, but
organizations tend to rotate lower-level audit staff instead of managers. This
helps prevent any significant knowledge loss as auditors rotate out to business
areas.
* Consulting
Consulting is not an easy task at any organization, especially for a department
that can have negative perceptions within the organization as the "compliance
police." However, once an internal audit department has delivered value to the
organization, adding consulting to its suite of services is a smart move. In
most cases, Internal Audit can insert themselves into a consulting role without
affecting the process of project management at the company. This means that
internal audit can add objective assurance and opinions to business areas as
they develop new processes, instead of coming in periodically to audit an area
and file issues that could have been fixed at the beginning.
* Data Science & Data Analytics
One major piece of the internal audit function in the modern world is data
science. While the underlying discipline is data science, most auditors will refer to anything
in this realm as data analytics. Hot topics such as robotic process automation
(RPA), machine learning (ML), and data mining have taken over the auditing world
in recent years. These technologies have been immensely helpful with increasing
the effectiveness and efficiency of auditors.
For example, mundane and repetitive tasks can be automated in order for auditors
to make more room in their schedules for labor-intensive work. Further, auditors
will need to adopt technologies like machine learning in order to extract more
value from the data they're using to form conclusions.