#+date: <2020-09-22>
#+title: Who is Internal Audit?
#+description:
* Definitions
One of the many reasons that Internal Audit needs such thorough
explaining to non-auditors is that Internal Audit can serve many
purposes, depending on the organization's size and needs. However, the
Institute of Internal Auditors (IIA) defines Internal Auditing as:
#+begin_quote
Internal auditing is an independent, objective assurance and consulting
activity designed to add value and improve an organization's operations.
It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.
#+end_quote
However, this definition uses quite a few terms that aren't clear unless
the reader already has a solid understanding of the auditing profession.
To further explain, the following is a list of definitions that can help
supplement understanding of internal auditing.
** Independent
Independence is the freedom from conditions that threaten the ability of
the internal audit activity to carry out internal audit responsibilities
in an unbiased manner. To achieve the degree of independence necessary
to effectively carry out the responsibilities of the internal audit
activity, the chief audit executive has direct and unrestricted access
to senior management and the board. This can be achieved through a
dual-reporting relationship. Threats to independence must be managed at
the individual auditor, engagement, functional, and organizational
levels.
** Objective
Objectivity is an unbiased mental attitude that allows internal auditors
to perform engagements in such a manner that they believe in their work
product and that no quality compromises are made. Objectivity requires
that internal auditors do not subordinate their judgment on audit
matters to others. Threats to objectivity must be managed at the
individual auditor, engagement, functional, and organizational levels.
** Assurance
Assurance services involve the internal auditor's objective assessment
of evidence to provide opinions or conclusions regarding an entity,
operation, function, process, system, or other subject matters. The
internal auditor determines the nature and scope of an assurance
engagement. Generally, three parties are participants in assurance
services: (1) the person or group directly involved with the entity,
operation, function, process, system, or other subject matter (the
process owner), (2) the person or group making the assessment (the
internal auditor), and (3) the person or group using the assessment
(the user).
** Consulting
Consulting services are advisory in nature and are generally performed
at the specific request of an engagement client. The nature and scope of
the consulting engagement are subject to agreement with the engagement
client. Consulting services generally involve two parties: (1) the
person or group offering the advice (the internal auditor), and (2) the
person or group seeking and receiving the advice (the engagement
client). When performing consulting services, the internal auditor
should maintain objectivity and not assume management responsibility.
** Governance, Risk Management, & Compliance (GRC)
The integrated collection of capabilities that enable an organization to
reliably achieve objectives, address uncertainty and act with integrity.
* Audit Charter & Standards
First, it's important to note that not every organization needs internal
auditors. In fact, it's unwise for an organization to hire internal
auditors unless they have regulatory requirements for auditing and have
the capital to support the department. Internal audit is a cost center
that can only affect revenue indirectly.
Once an organization determines the need for internal assurance
services, they will hire a Chief Audit Executive and create the audit
charter. This charter is a document, approved by the company's governing
body, that will define internal audit's purpose, authority,
responsibility, and position within the organization. Fortunately, the
IIA has model charters available to IIA members for those developing or
improving their charter.
Beyond the charter and organizational documents, internal auditors
follow a few different standards in order to perform their job. First is
the International Professional Practices Framework (IPPF) by the IIA,
which is the model of standards for internal auditing. In addition,
ISACA's Information Technology Assurance Framework (ITAF) helps guide
auditors in reference to information technology (IT) compliance and
assurance. Finally, additional standards such as FASB, GAAP, and
industry-specific standards are used when performing internal audit
work.
* Three Lines of Defense
[[https://theiia.org][The IIA]] released the original Three Lines of
Defense model in 2013 and released an updated version in 2020.
I won't go into depth about the changes made to the model in this
article. Instead, let's take a look at the most current model.
The updated model drops the strict idea of each area performing only its
own function or line of defense. Instead of treating management, risk,
and internal audit as a rigid 1-2-3 sequence, the new model describes a
more fluid and cooperative arrangement.
Looking at this model from an auditing perspective shows us that
auditors will need to align, communicate, and collaborate with
management, including business area managers and chief officers, as well
as reporting to the governing body. The governing body will instruct
internal audit /functionally/ on their goals and track their progress
periodically.
However, the internal audit department will report /administratively/ to
a chief officer in the company for the purposes of collaboration,
direction, and assistance with the business. Note that in most
situations, the governing body is the audit committee on the company's
board of directors.
The result of this structure is that internal audit is an independent
and objective function that can provide assurance over the topics they
audit.
* Audit Process
A normal audit will generally follow the same process, regardless of the
topic. However, certain special projects or abnormal business areas may
call for changes to the audit process. The audit process is not set in
stone; it is simply a set of best practices so that audits can be
performed consistently.
While different organizations may tweak the process, it will generally
follow this flow:
** 1. Risk Assessment
The risk assessment part of the process has historically been performed
annually, but many organizations have moved to performing this process
much more frequently. In fact, some organizations are moving to an agile
approach that can take new risks into the risk assessment and
re-prioritize risk areas on the go. To perform a risk assessment,
leaders in internal audit will research industry risks, consult with
business leaders around the company, and perform analyses on company
data.
Once a risk assessment has been documented, the audit department has a
prioritized list of risks that can be audited. This is usually in the
form of auditable entities, such as business areas or departments.
** 2. Planning
During the planning phase of an audit, auditors will meet with the
business area to discuss the various processes, controls, and risks
applicable to the business. This helps the auditors determine the scope
limits for the audit, as well as timing and subject-matter experts.
Certain documents will be created in this phase that will be used to
keep the audit on track and in scope as it goes forward.
** 3. Testing
The testing phase, also known as fieldwork or execution, is where
internal auditors will take the information they've discovered and test
it against regulations, industry standards, company rules, best
practices, as well as validating that any processes are complete and
accurate. For example, an audit of HR would most likely examine
processes such as employee on-boarding, employee termination, security
of personally identifiable information (PII), or the IT systems involved
in these processes. Company standards would be examined and compared
against how the processes are actually being performed day-to-day, as
well as compared against regulations such as Equal Employment
Opportunity (EEO) law, the Americans with Disabilities Act, and the
National Labor Relations Act.
** 4. Reporting
Once all the tests have been completed, the audit will enter the
reporting phase. This is when the audit team will conclude on the
evidence they've collected, interviews they've held, and any opinions
they've formed on the controls in place. A summary of the audit
findings, conclusions, and specific recommendations is officially
communicated to the client through a draft report. Clients have the
opportunity to respond to the report and submit an action plan and time
frame. These responses become part of the final report which is
distributed to the appropriate level of administration.
** 5. Follow-Up
After audits have been completed and management has formed action plans
and time frames for audit issues, internal audit will follow up once
that due date has arrived. In most cases, the follow-up will simply
consist of a meeting to discuss how the action plan has been completed
and to request documentation to prove it.
* Audit Department Structure
While an internal audit department is most often thought of as a team of
full-time employees, there are actually many different ways in which a
department can be structured. As the world becomes more digital and
fast-paced, outsourcing has become a more attractive option for some
organizations. Internal audit can be fully outsourced or partially
outsourced, allowing for flexibility in cases where turnover is high.
In addition, departments can implement a rotational model. This allows
for interested employees around the organization to rotate into the
internal audit department for a period of time, allowing them to obtain
knowledge of risks and controls and allowing the internal audit team to
obtain more business area knowledge. This program is popular in very
large organizations, but organizations tend to rotate lower-level audit
staff instead of managers. This helps prevent any significant knowledge
loss as auditors rotate out to business areas.
* Consulting
Consulting is not an easy task at any organization, especially for a
department that can have negative perceptions within the organization as
the "compliance police." However, once an internal audit department has
delivered value to the organization, adding consulting to its suite of
services is a smart move. In most cases, Internal Audit can insert
themselves into a consulting role without affecting the process of
project management at the company. This means that internal audit can
add objective assurance and opinions to business areas as they develop
new processes, instead of coming in periodically to audit an area and
file issues that could have been fixed at the beginning.
* Data Science & Data Analytics
One major piece of the internal audit function in the modern world is
data science. While the process is data science, most auditors will
refer to anything in this realm as data analytics. Hot topics such as
robotic process automation (RPA), machine learning (ML), and data mining
have taken over the auditing world in recent years. These technologies
have been immensely helpful with increasing the effectiveness and
efficiency of auditors.
For example, mundane and repetitive tasks can be automated in order for
auditors to make more room in their schedules for labor-intensive work.
Further, auditors will need to adopt technologies like machine learning
in order to extract more value from the data they're using to form
conclusions.