Where would you start if you were tapped to set up a brand new internal audit function, make a change from an outsourced department, or restructure an existing one to deliver more value to the business? Cynthia Watson shares key steps and best practices to help you establish a successful internal audit department from the ground up.
Strong Internal Audit Department Can Help Business Leaders Make Better Decisions
With so much global uncertainty these days, change seems to be the only true constant. Having a strong internal audit department can help business leaders make better decisions for future growth and success. Auditors are not fortune tellers, but we understand risks and how they may impact the organization — and once an organization understands this, we can help them prepare to effectively respond to changes.
About five years ago, after building an in-house team for a Fortune 100 company’s division that was outsourced, I was approached to build out the internal audit department at one of it’s spin-offs. I’ve learned a lot as a result of that experience, and have collected some of my key steps and best practices to launching a successful internal audit function.
How to Set Up an Internal Audit Department: 3 Scenarios
The design of your internal audit department can depend on several factors, but the first one to consider is what drove the change. Is this a new organization that has plans to go public in the near future? Was there a desire of change from the Audit Committee or the organization’s leadership to bring an outsourced team in-house? Or is the change driven by a need to increase or alter the current team’s skillset?
Scenario 1 — Setting up a brand new department
In this scenario, all internal audit policies, procedures, reporting, and risk assessments must be created. This usually happens when a company has decided that at some point in the near-term that they will attempt to make an initial public offering on the stock market and will need to comply with the related regulatory requirements such as Sarbanes-Oxley (SOX) Act reporting for the US. This is not always the case, so a new audit leader should reach out to the C-Suite, and potentially to the external audit firm, to understand the group’s needs and expectations.
Scenario 2 — Switching from an outsourced team to in-house department
Under this scenario, typically there will have been a change in leadership, but some history of the activities performed by the outsource team will exist than can be leveraged to support the creation of the in-house team. Working with the outsource team will be critical during the transition period.
Scenario 3 — Taking over an existing department
The current company leadership may not be happy with an internal audit team’s performance and decide to make a change. As the world changes, so do the needs from internal audit. Many audit shops have been slow or resistant to changing their operations to properly support their organizations. Internal audit must do more with less, be agile and flexible, and embrace data analytics and new skills to become a ‘trusted advisor’ that the organization needs. Shifting from telling leaders what happened in the past to assisting in the preparation for what is over the horizon will increase internal audit’s value and profile.
Each one of these scenarios presents its own unique challenges that audit leaders will need to be prepared for. How much time do you have to prepare for regulatory requirements? Are the existing records usable, and do they provide enough information to support the new environment? Will the existing team or organizational leaders be open to trying something new or will they resist change? Any one of these or numerous other issues may be present in any of the scenarios. Audit leaders need to think about how they will address and minimize the risk to the department’s success.
3 Keys to Starting a Successful Internal Audit Department
The first thing most people ask is, “What or where is the audit plan?” Audit plans are not produced out of thin air. There is work and due diligence required in order to understand the control environment, strategy, and what really matters to your organization. These are key steps to take first — though not necessarily sequentially — that will help you build the understanding, relationships, and resources needed to establish a successful internal audit department and plan.
1. Develop Relationships and Establish Expectations
One of the first things to do is to meet with leadership. Set up time to meet key stakeholders like the Audit Committee chair, the CEO, and the CFO to establish their expectations, and ensure those are aligned with each other. Identify the leaders responsible for each key business area and talk to each leader about their strategies and initiatives for the next 6 to 12 months. These early meetings are a prime opportunity to educate the business about what internal audit does, and how the department can support them in achieving their goals and objectives. Based on their previous experience, there may be some with inaccurate assumptions about auditors or internal audit — that we are corporate police or snitches, or that we are there to highlight trouble spots and point fingers. With the right approach, you can do a lot to build trust by explaining how internal audit can be a resource to help solve problems and offer support rather than beelining to the boss or the external auditor.
One strategy that I found particularly effective in my first year of building my team and presence was to not perform “audits.” I know this sounds counterintuitive, but when you are in an immature environment where it is known that processes and procedures are still under development, doing a traditional audit does not provide the support that management needs to be successful — and will likely make them defensive and reluctant to allow internal audit in.
These were new departments with new people using new tools, so I instructed my team to provide management with information to help with their departmental development by performing “Baseline Assessments.” Management was reassured that we wouldn’t be issuing a traditional audit report with an overall ‘weak’ or ‘unsatisfactory’ rating, but would instead help to describe the department, provide background information on the process under review, identify potential exposure points, and rank those to help the business leader prioritize and plan going forward.
These assessments gave the department time to get things in order and expose potential resource needs to strengthen the environment in the next 12 to 18 months. Internal audit would return later to evaluate the implementation of the changes in a form closer to a traditional audit. The business leaders felt comfortable with this approach, and it helped to establish mutual respect and demonstrate from the beginning that audit isn’t here to bust them, but to work together to make their department and the organization better.
2. Understand the Business Strategy and Associated Risks
Setting up an internal audit department is a process that requires careful planning and prioritization. Depending on which of the 3 scenarios your company fits, you’ll want to locate and review previous audit reports, working papers, or any related documentation of previous work performed. The source can be the current audit team (if existing), business leaders, or external auditors. This gives you some basis to start to create a draft risk assessment. If you are in a situation where these things don’t exist, you will need to use other means to determine what you can and should do. As an audit leader, you have to understand where you are — which means understanding where the company is in their maturity and what is important to their future success.
Invest time early on to learn about the business, its history, and its strategy and objectives — as well as existing and potential risks. The first 90 days are a perfect opportunity to gather the data and information to enable you to talk intelligently about the business and prove that you deserve a seat at the table. If you don’t understand the organization, it will be impossible for you to take on a trusted advisor role to help the business make informed decisions and know where to take calculated risks.
It is also critical to develop, assess, and prioritize risks before making recommendations. I created a 10-point criteria and five-point ratings system to help identify which risks are material to lines of business vs. the organization as a whole, and to identify low-risk or non-critical activities that waste time and resources. All risk assessments were shared with business leaders to kick off conversations and make decisions.
3. Evaluate, Train, and Allocate Your Resources
The effectiveness of your internal audit team depends on its resourcing. You’ll need to determine what resources you have and what you’ll need to deliver value to your organization. You’ll also want to evaluate technology resources available, and look into implementing audit management technology to centralize documentation, facilitate collaboration amongst team members and with stakeholders, and get real-time visibility into status. All audit shops are required to figure out how to do more with less, and technology is the only way you can do that — especially in these post-pandemic times. More boots on the ground is not an option for most.
You’ll also want to leverage what you’ve learned about the business to get the right mix of skill sets and experience to audit all areas of the business effectively. You may start with an audit team of one — yourself — and identify immediate needs: perhaps a SOX and an IT subject matter specialist to enable internal audit to cover all bases from a leadership perspective and create department strategy as we build out the larger team.
As the world becomes more and more involved in IT technologies, I firmly believe that internal auditors need to be cross-trained to understand general business processes and basic controls across different areas of the organization, including IT. For example, if a product was developed in the last ten years, it probably connects to the internet — does the organization have the security protocols in place to protect the data? Internal audit can add value by learning about the organization’s cybersecurity and data security measures, and thinking about the types of data and where it’s collected, stored, and in what form. Through hiring, cross-training, and leveraging online tools, we built a team that was conversant enough in data and InfoSec to provide effective assurance for our specific organization.
There’s no one-size-fits-all approach to setting up an internal audit department. You must meet your organization where it is. Each organization will have different needs, risk appetites, and a different maturity level — and you must create or change the department to support the organization while still establishing a high standard. Don’t be afraid to be open to new ideas — change is here to stay, and being innovative helps audit teams provide value and be more effective. Understanding stakeholder expectations, fully comprehending the business strategy and associated risks, and evaluating your resources to determine if you have what’s needed to deliver value to your organization are essential steps in setting up a successful internal audit team.