The Essential Internal Audit Guide:



According to the Definition of Internal Auditing in The IIA’s International Professional Practices Framework (IPPF), internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.



Performed by professionals with an in-depth understanding of the business culture, systems, and processes, the internal audit activity provides assurance that internal controls in place are adequate to mitigate the risks, governance processes are effective and efficient, and organizational goals and objectives are met.

Evaluating emerging technologies. Analyzing opportunities. Examining global issues. Assessing risks, controls, ethics, quality, economy, and efficiency. Assuring that controls in place are adequate to mitigate the risks. Communicating information and opinions with clarity and accuracy. Such diversity gives internal auditors a broad perspective on the organization. And that, in turn, makes internal auditors a valuable resource to executive management and boards of directors in accomplishing overall goals and objectives, as well as in strengthening internal controls and organizational governance. You can find further information




Internal audit provides a number of important services to company management including detecting and preventing fraud, testing internal control, and monitoring compliance with company policy and government regulation.

The law in many countries requires publicly-owned companies and public sector departments to have internal audit activities. Many privately-owned companies have internal audit activities as well. Some of the benefits derived from the internal audit activities are as follows:




The International Professional Practices Framework (IPPF) states that the Mission of Internal Audit is: “To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.”

The Definition of Internal Auditing as per the IPPF framework is:

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

The King IV code on corporate governance (copyright Institute of Directors Southern Africa) applies to all entities, regardless of their nature, size or form of incorporation. The Code is implemented on an “apply and explain” basis. The following principles relating to assurance are embodied in the Code:

Principle 15: The governing body should ensure that the assurance services and functions enable an effective control environment, and that these support the integrity of information for internal decision-making and of the organisation’s external reports.

Recommended Practices
The governing body should oversee that the combined assurance model is designed and implemented to cover effectively the organisation’s significant risks and material matters through a combination of the following assurance service providers and functions as is appropriate for the organisation:

  1. The organisation’s line functions that own and manage risks.
  2. The organisation’s specialist functions that facilitate and oversee risk management and compliance.
  3. Internal auditors, internal forensic fraud examiners and auditors, safety and process assessors, and statutory actuaries.
  4. Independent external assurance service providers such as external auditors.
  5. Other external assurance providers such as sustainability and environmental auditors, external actuaries, and external forensic fraud examiners and auditors.
  6. Regulatory inspectors.

Internal Audit
The governing body should assume responsibility for internal audit by setting the direction for the internal audit arrangements needed to provide objective and relevant assurance that contributes to the effectiveness of governance, risk management and control processes.

The governing body should monitor on an ongoing basis that internal audit:

  1. follows an approved risk-based internal audit plan; and
  2. reviews the organisational risk profile regularly and proposes adaptions to the internal audit plan accordingly.

The governing body should ensure that internal audit provides an overall statement annually as to the effectiveness of the organisation’s governance, risk management and control processes.

The PFMA (Public Financial Management Act) of South Africa:
General responsibilities of accounting officers:
(1) The accounting officer for a department, trading entity or constitutional institution—

General responsibilities of accounting authorities:
(1) An accounting authority for a public entity—

The MFMA (Municipal Financial Management Act) of South Africa:
General financial management functions:
(1) The accounting officer of a municipality is responsible for managing the financial administration of the municipality, and must for this purpose take all reasonable steps to ensure—

(c) that the municipality has and maintains effective, efficient and transparent systems—

Internal audit unit:

(1) Each municipality and each municipal entity must have an internal audit unit, subject to subsection (3).

(2) The internal audit unit of a municipality or municipal entity must:

Audit committees:

(1) Each municipality and each municipal entity must have an audit committee, subject to subsection (6).

(2) An audit committee is an independent advisory body which must—




Besides being general best practice, internal audit software provides an organisation with a systematic and disciplined approach to the audit process. Using internal audit software can boost efficiency for internal audit departments, creating greater cost savings, and can boost the overall capacity of understaffed departments. Other benefits of using internal audit software include:





Governing bodies and senior management rely on Internal Auditing for objective assurance and insight on the effectiveness and efficiency of governance, risk management, and internal control processes. Internal audit software:





Software implementation:

  1. Document your organisational structure (departments or business units) in line with reporting lines
  2. Document your existing processes / sub processes / system descriptions including risks, controls and tests
  3. Document your audit methodology including types of audit, project file organiser structure per type of audit, template documents, findings structure (e.g. standard, finding, impact, root cause, management comment, action plan), findings and project rating scale etc. Apply these to your organisational structure.
  4. Identify your audit users, their permissions (preparer, reviewer etc.) and software training requirements
  5. Ensure the software is able to generate final audit reports / audit committee reports as per your requirements
  6. Take-on: software must be able to import existing findings from Excel into the database

Now you are ready to use the software:

  1. Audit planning (where, when, who): based on high risk areas, site rating, repeat findings
  2. Perform audit execution: Perform testing, risk & control assessment and raise findings
  3. Finalise Audit Process: Review audit results, produce audit report, remediation plan (living action plans), and executive summary
  4. Follow up audits to check for resolution of findings




Use this comparison checklist to compare important feature sets from competing software solutions:

| Important features | BarnOwl | Software B | Software C |
| --- | --- | --- | --- |
| Does the software support risk and control based auditing, i.e. is it a fully integrated GRC solution? | | | |
| Flexible take-on / import functionality | | | |
| Hand holding throughout the implementation process ensuring project success | | | |
| Ability to maintain a central library of process / working paper tests, not just as Excel attachments but within the database as fields | | | |
| User-defined fields available anywhere in audit module and ability to report on user-defined fields | | | |
| User / Group security restricting unit and project access | | | |
| Facilitation of the typical audit process including planning, execution, reporting and follow-up | | | |
| Facilitation of execution with business logic to create standard findings based on failed tests including the automatic identification of ‘repeat’ findings | | | |
| Ability to automate the distribution of findings to management for comment and automatic import / capture of management comments back into the system | | | |
| ‘Check in’ / ‘check out’ functionality allowing multiple auditors to work on the same audit project without conflicts | | | |
| Resource management and Timesheets | | | |
| Review notes are stored in the database with preparer / reviewer audit trail history. Review notes can be captured anywhere in the system including directly against findings and / or Excel / Word working papers | | | |
| Customisable reports with MS Word integration | | | |
| Combined assurance reporting | | | |
| Management and Auditor Dashboards | | | |
| Graphical slice and dice reporting: e.g. root cause analysis, risk ranking, findings analysis, trends etc. | | | |
| Automated risk and control self-assessments without any licensing or cost implications | | | |
| Online questionnaires and surveys without any licensing or cost implications | | | |
| Online action plans with email notifications to all auditees without any licensing or cost implications | | | |
| Offline and online synchronisation enabling auditors to work offline | | | |
| Seamless integration with best of breed data analytics software (e.g. Arbutus) in support of continuous risk and control monitoring | | | |
| Ease of use | | | |
| End user support process, support portal | | | |
| Ability and willingness of the vendor to respond to software enhancement requests | | | |
| Online help, FAQs, up-to-date system documentation | | | |
| Regular and seamless software upgrades including automated upgrading of offline users | | | |
| Regular user groups, refresher training etc. | | | |
| Client references and track record of the vendor | | | |


About BarnOwl

BarnOwl is a fully integrated governance, enterprise risk management, compliance and audit software solution used by close to 200 organisations in Africa, Europe and the UK. BarnOwl supports best practice risk management, compliance and audit frameworks (e.g. COSO, ISO31000, Compliance Institute’s handbook, International Professional Practices Framework), whilst offering a highly flexible and configurable parameter-driven system allowing you to configure BarnOwl to meet your specific requirements.



GRCReady is the official provider of risk management content for the BarnOwl GRC software solution. GRCReady provides extensive risk libraries and risk maturity checklists/surveys which are integrated with BarnOwl.

GRCReady, based in Australia, offers a comprehensive and holistic library of products and associated services including templates, policies, procedures, guidelines, checklists etc. to help owners and directors of SMEs, startups and corporates to satisfy their corporate governance, risk management and regulatory compliance needs.

By integrating GRCReady's rich content libraries into BarnOwl's GRC software, we are able to offer our clients a state of the art, turnkey GRC solution.

GRCReady provides, arguably, the most comprehensive risk and governance maturity assessment framework with detailed steps and artefacts. BarnOwl's survey and action plan portal provides a simple and effective way to monitor and report on your current state of risk maturity and suggest and drive remedial action plans to take you to your desired state of risk and governance maturity.

Integrating GRCReady's risk libraries with the BarnOwl GRC software means that you don't have to start from scratch. In addition, ongoing updates and insights keep you informed and up-to-date on best practices.


Season Rhythm is BarnOwl's preferred partner in Botswana assisting with BarnOwl implementations, support services and client relationship management.

Season Rhythm is an established and distinguished player in the ICT sector in Botswana, specialising in a range of cutting-edge solutions. Season Rhythm leverages BarnOwl to provide tailored GRC&A services to businesses in Botswana facilitating:

  • Governance: Enabling organisations to establish and uphold effective governance structures, ensuring transparency and accountability in decision making processes.
  • Risk Management: Equipping businesses with tools to identify, assess and mitigate risks, safeguarding against potential threats and ensuring continuity in a business environment.
  • Compliance: Ensuring adherence to regulatory frameworks and industry standards, protecting businesses from non-compliance penalties and fostering trust among stakeholders.
  • Audit: Streamlining the audit process with comprehensive tools for planning, execution and reporting, driving efficiency and accuracy in internal audit and compliance assessments.


BarnOwl works closely with NSA in the field of GRC and assurance.

NSA is an education and risk & assurance advisory services provider, consisting of a team of professional consultants and facilitators who have been hand-picked on experience and expertise. NSA services include:

  • Strategic intervention: 30 expert consultants facilitating strategic planning, combined assurance, effective governance and risk management assignments.
  • Continuous professional development: CPD training for internal auditors, external auditors, accountants, risk managers, government officials, and psychologists.
  • Online learning: accredited training for the local government sector, including the Municipal Financial Management Program and Supply Chain Management.
  • Online skills development: skills in demand for 2030, including cybersecurity, Protection of Personal Information, Artificial Intelligence, Robotics and programming.

BarnOwl and NSA work closely with our clients to align and enable best practice GRC and assurance framework & methodologies within BarnOwl. NSA regularly presents online information sharing sessions together with BarnOwl.


Nico Technologies is BarnOwl's preferred partner in Malawi assisting with BarnOwl implementations, support services and client relationship management.

Nico Technologies Limited is an established IT products and services provider in Malawi, specialising in managed IT services, IT infrastructure services, IT project management, digital solutions, digital transformation and IT advisory.

Nico Technologies uses BarnOwl extensively within their own organisation to automate and manage their own risk and compliance functions.


Morgan Solus is BarnOwl's preferred business continuity specialist consulting firm with its 'BCM toolkit' software. BarnOwl GRC, together with the BCM toolkit, provides a comprehensive risk management and BCM software solution.

Morgan Solus is a specialist consultancy firm focusing on risk, resilience and continuity. Morgan Solus's core services are centred on resilience, crisis management, business continuity (BCM), IT services continuity and disaster recovery (DRP) and training.

The BCM toolkit ensures a consistent approach to implementing BCM and IT disaster recovery and cuts down implementation timelines by 60% whilst driving up successful outcomes.

BarnOwl's extensive GRC and assurance functionality coupled with Morgan Solus's BCM toolkit provides the ultimate risk management and BCM software solution.


Arbutus Analytics is BarnOwl's preferred data analytics software. BarnOwl GRC, integrated with Arbutus Analytics, provides the ultimate in continuous risk monitoring.

Arbutus Analyzer is a powerful data access and analysis solution specifically developed for auditors, business analysts, and fraud investigators. Its robust performance and user-friendly features offer you the ability to access and analyse data quickly and simply.

BarnOwl GRC, integrated with the real-time metrics from Arbutus, provides a strategic early warning system, driving preventative and predictive capability and facilitating effective business decision making and business improvement. with local sub-sahara African distributor


BarnOwl works closely with Pax Resilience in the field of GRC and sustainability.

Pax Resilience offers solutions in risk, resilience and cyber security. Pax Resilience strives to create peace of mind by assisting you to build the resilience in your organisation so essential to survive and thrive in the volatile, uncertain, complex and ambiguous world we live in.

Pax Resilience regularly presents online information sharing sessions together with BarnOwl.


Paige Law is the official provider of compliance content for the BarnOwl GRC software solution. Paige Law provides an extensive library of South African acts including provisions [CRMPs] and checklists which are integrated with BarnOwl.

Paige Law specialises in compliance, commercial law, legal process consultancy, managed legal services and POPIA/GDPR.

