Internal audit provides a level of monitoring which is generally not available when working with a third-party auditor. If you’re going on a long road trip, how likely are you to simply hop in the car and start driving? Not very: most people will take the car to the shop for an oil change and an overall inspection first. If the road trip is the audit engagement, then taking the car to the shop is the work of an internal audit function, which ensures the car (the organization) is ready for the road trip (the third-party assessment).
So, you’ve recognized the value of an internal audit program, you have senior management’s support, you’ve developed an internal audit program, and now you’re implementing it. What does internal audit require on a day-to-day basis?
What Does an Internal Audit Require on a Day-to-Day Basis?
Part of your internal audit team should consist of project management personnel and operational auditors. Project management personnel are responsible for executing the audit functions that translate activity at the operational level into the information required by the reporting requirements established by executive management. Operational auditors are responsible for executing audit activities, including compliance requirement identification, testing, evidence evaluation, and reporting. By now, though, you may be wondering what this team does on a day-to-day basis. The duties performed by internal auditors normally include:
- Objectively review your organization’s business processes. This means providing a non-biased assessment of the completeness and adequacy of an organization’s business processes, with a focus on the effectiveness and efficiency of each process.
- Evaluate the efficiency of the risk management procedures that are currently in place. What one individual or business unit considers to be an acceptable risk may not be acceptable to executive management. Internal audit represents management’s interests while evaluating risk decisions and risk handling techniques.
- Protect against fraud and theft of the organization’s assets. Again, while serving as a representative of executive management, internal audit can identify and bring to light incidents of fraud, waste, and abuse.
- Ensure that the organization is complying with relevant laws and regulations. Internal audit can create control mappings which translate legal, regulatory, or ethical requirements into actionable controls, which can be evaluated for compliance with defined requirements. For each separate legal statute or contractual obligation, a control can specifically address the organization’s business processes and translate business activities into measurable actions which support compliance.
- Make recommendations on how to improve internal controls and governance processes. Based on control reviews, evidence collection, and interviews, internal audit can provide insights into how improving a control or its supporting process may better support the organization’s compliance efforts.
How Does an Internal Audit Team Work with a Third-Party Auditor?
Internal audit can be a valuable resource when working with third-party auditors since internal audit can supply the third-party auditor with control objectives used by the organization as well as the mappings to common frameworks for assessment. This activity allows third-party auditors to better understand the assessment activities performed by the organization and provide an assessment or opinion of the organization’s compliance efforts.
About Richard Rieben
Richard Rieben has 20 years of experience in the information technology field, including operations and project management experience. Motivated by empowering and inspiring his clients, Richard enjoys improving processes based on incremental improvement. Richard currently serves as Director of Audit Operations at KirkpatrickPrice, where he leads a team of Information Security Specialists. Richard holds CCSFP, PCI QSA, GSNA, CISSP, CompTIA CSA+, CompTIA CASP, CompTIA Network+, CompTIA Project+, CompTIA Security+, Certified Scrum Master, PMP, and FITSP-M certifications.