The Internal Audit team is an independent function within a company and is crucial in identifying process design inadequacies and ineffective controls. The internal audit team needs to be closely connected with businesses, auditees, and other stakeholders.
The three lines of defense
Every company usually has 3 lines of defense which include the following:
Image Source: www.internalaudit.olemiss.edu
FIRST LINE- Management Team – They are business and process owners who are directly involved in the execution of processes and responsible for following the procedures defined to ensure controls are in place.
SECOND LINE- Risk Management & Compliance Teams – They are responsible for identifying risks and suggesting controls to mitigate the risks in the process and also provide guidance to the Management team while developing standard procedures. The first and second line
THIRD LINE- Internal Audit Team – They provide assurance to the senior management that processes are functioning as intended, the first and second lines of defense are functioning appropriately and provide recommendations for strengthening processes.
Purpose of internal audits
- Ensure policies and procedures are defined in accordance with regulations and other compliances.
- The processes are functioning as per defined procedures and process controls defined are adequate.
- Controls defined are operating effectively to ensure any lapses, financial leakages or potential frauds are identified.
- Providing assurance to stakeholders and senior management regarding how effectively the processes are functioning and having an understanding of process gaps.
- Helping operations and business teams with recommendations on how to close control gaps and improve the overall process functioning.
A brief overview of the Internal Audit process
- Defining the scope of areas to be covered in the audit through discussions with the process owners and management.
- Conducting walkthroughs with the process owners to understand the processes and controls therein to ensure the adequacy of controls.
- Documentation of the process notes, risk and control matrix, and testing procedures based on process understanding discussions.
- Sample selection is based on control frequency and testing of samples to ensure the effectiveness of controls.
- Drafting initial observations and discussions with process owners to ensure factual accuracy, suggest action plans to close the discrepancy, and recommendations to improve the process.
- Post acceptance of action plans, discussion of final observations with Senior Management.
- Conducting follow-up audits to ensure remediations and implementation of action plans.
Conclusion
Internal audits have come a long way from being a mere checklist-driven audit to a risk-based approach. Internal audit teams are constantly challenged in how they focus on risks and add value to processes while ensuring compliance with standard procedures. As times evolve, the internal audit function is embracing new GRC tools and technology while conducting risk and value-driven audits.