How to Start or Redesign an Internal Audit Function

Today, I responded to a question on the LinkedIn IIA discussion group. The individual was in the exciting position of starting an internal audit function for a large company and asked for advice.

This is what I said:

I have started up internal audit functions a few times, and this is essentially my process:

1. Understand the business. Get out and see the operations and listen to not only the top executives but the people running the business.
2. Understand the value drivers and the risks to them.
3. Listen to the external auditors, the board, and top executives: their perspectives on #2, and what they would like to see from internal audit in (a) the short term and (b) the longer term. Make sure you meet with other (internal) assurance providers and any risk management function.
4. Develop a vision for the function, both for the first year and then for a few years out.
5. Build a risk-based plan for the first year to focus on the more significant risks. Allow a lot of contingency so that changes can be made as more is learned.
6. Develop a budget and review the vision, plan, and budget with top executives and the board. Obtain approval (after selling the vision and negotiating on resources if necessary).
7. Identify the staffing that is needed to do the work (which may include co-sourcing). Identify the staff AFTER designing the program, so you can get the skills and experience levels you need.
8. Go out and over-deliver. Build success through success.

Why this advice? Although I have run what others (my board members and top executives) have considered world-class and leading-edge internal audit functions over the years (profiled in the Journal of Accountancy), I strongly believe it is necessary to design internal audit to meet the current and anticipated needs of the company. So, when I was at Tosco (1990-2001) the initial focus was on basic controls, the IT environment, and compliance. As the company developed more mature controls and processes, the focus shifted to efficiency and adding value. (By the way, from the start I provided the board with an overall assessment of the quality of internal controls using the COSO '92 internal controls framework).

The steps I outline will, in my experience, help the CAE:

  1. Understand the business and the need for (the value of) internal audit.
  2. Develop a vision and a strategy for realizing that vision.
  3. Build the department capable of delivering.
  4. Recognize that the needs of the company, and therefore the design of the internal audit function, change over time.

What do you think?

Posted on Oct 3, 2011 by Norman Marks

  1. Hi Norman "skip the surveys" Marks, my standard response:

     1. Leadership
     2. Leading technology tools and auditing practices
     3. Risk-based "continuous" audit scheduling
     4. Adherence to the IPPF (ethics, standards, advisories)
     5. Staff development and maintenance
     6. Audit results (timely and relevant)
     7. Achieve and maintain a high level of customer satisfaction.

  1. Number two should be to understand the strategic/business objectives and the risks to achieving these.

     Also make sure that you understand who all the key stakeholders are in the business, both internal and external, and their needs.

     Also make sure that internal audit has established and documented what the communications process will be with its key constituents, which you have noted above.

  1. I am quite sure that the weight of auditors should be changed: the bigger the better.

  1. That about covers it - just getting the internal audit resources to bind it all together so that our results are timely, accurate & relevant is the challenge.

  1. Thanks for the article. These are good points. Two key activities I did differently when I built an Internal Audit function a couple of years ago were to perform strategic and business segment risk assessments during the first year. This allowed me to better understand the business through the eyes of executive management. Thus, I used this information as part of developing my risk-based audit plan in year two instead of year one. I also wanted to get a pulse on the control environment, and I used a company-wide survey to do this. Input on the survey questions was asked of executives and the Audit Committee, with follow-up discussions on results and action plan development. Between these two activities, I got great overall buy-in on the Internal Audit function.

  1. Item 3 is, believe it or not, too narrow. I'd call this reaching out to stakeholders, which includes not only the parties listed but, for many enterprises, outside regulators. For many regulated companies, there are heightened expectations and requirements for internal audit that are "need-to-haves" and that often stand in the way of building something as elegant as an internal audit function geared solely to the company's strategies and board/senior management desires.

     Regarding item 2, I also note the importance of understanding the company's risk appetite and tolerance levels. Knowing what risks the company is willing to accept or not is paramount to ensuring audit focus on where the residual risks are not acceptable.

  1. For #3, you may also want to consult the regulators and their concerns regarding the company. The regulatory reports are a good source of information that may help the auditor gain a perspective on the risks the company faces. In addition, I see that many times the changing economic environment, and how it impacts the company in terms of risks, is frequently ignored. This should also be considered.

  1. I've learned through long experience (40+ years) that it's important to write your risk-based audit plan in pencil, something driven home to me while working in Norman's Tosco department. You must build in contingency time (Norman mentions this) to meet the inevitable ad hoc management requests. If internal audit is unable to respond to management's needs, it is very difficult, if not impossible, to sell the value-added concept.

     Of course, you cannot afford to ignore/defer unnecessarily your high-risk audits and your audit committee responsibilities. So this often becomes a very important resource and responsibility balancing act.

     I'm the first CAE where I am now, and this department clearly reflects Norman's (and others') influence. I have certainly put my spin and experience in the way we do things, but this approach works and pays dividends.