Starting internal audit function
Below is a suggested set of guidelines for starting internal audit function includes:
• Clarify expectations with senior management, the board and audit committee, including required listing standards for listed companies. Non-listed organizations should consider voluntary compliance.
• Develop an audit charter, with audit committee input and approval.
• Consider the appropriate budget and staffing model (e.g., in-house, co-sourced or outsourced). As part of this process, research actions taken by similar companies in your industry.
• Formulate reporting responsibilities of the internal audit function.
• Identify the “universe” of auditable entities within the organization.
• Complete an initial risk assessment with company management and audit committee involvement. Consider using recognized approaches and frameworks for this effort, such as the COSO internal control and COSO enterprise risk management (ERM) frameworks as applied in USA. Other recognized and acceptable frameworks that can help in starting internal audit function include: the King Report on Corporate Governance for South Africa - 2002 (King II Report) and the Turnbull Report in the United Kingdom.
• Consider the results of the work required to comply with Sarbanes-Oxley Act when conducting the risk assessment. This is relevant for companies in the USA which have to comply with the Sarbanes Oxley Act which gives specific requirements that a company has to meet.
• Develop an internal audit plan responsive to the risk assessment.
• Determine staffing requirements and whether the department will be staffed internally, co-sourced or outsourced.
• Plan and execute audit work called for in the audit plan, including a system to monitor and follow up on audit recommendations.
• Update the risk assessment for changing circumstances during the year.
• Continuously enhance and modify the internal audit function to meet changing needs of management and the audit committee.
The IIA has developed 16 steps for starting internal audit function; Establishing an Internal Audit Shop.