The Essential Internal
Audit Guide
CONTENTS
- Chapter 1: What is Internal audit?
- Chapter 2: The need for internal audit
- Chapter 3: What do the standards say?
- Chapter 4: Why implement internal audit software?
- Chapter 5: What will internal audit software do for my business?
- Chapter 6: Steps to the successful implementation of internal audit software
- Chapter 7: Considerations and key questions when buying internal audit software
- Chapter 8: Key Feature comparison checklist
CHAPTER 1: WHAT IS INTERNAL AUDIT?
According to the Definition of Internal Auditing in The IIA’s International Professional Practices Framework (IPPF), internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Source: https://theiia.org/en/about-us/about-internal-audit/
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Performed by professionals with an in-depth understanding of the business culture, systems, and processes, the internal audit activity provides assurance that internal controls in place are adequate to mitigate the risks, governance processes are effective and efficient, and organizational goals and objectives are met.
Evaluating emerging technologies. Analyzing opportunities. Examining global issues. Assessing risks, controls, ethics, quality, economy, and efficiency. Assuring that controls in place are adequate to mitigate the risks. Communicating information and opinions with clarity and accuracy. Such diversity gives internal auditors a broad perspective on the organization. And that, in turn, makes internal auditors a valuable resource to executive management and boards of directors in accomplishing overall goals and objectives, as well as in strengthening internal controls and organizational governance. You can find further information
Further Reading:
CHAPTER 2: THE NEED FOR INTERNAL AUDIT
Internal audit provides a number of important services to company management including detecting and preventing fraud, testing internal control, and monitoring compliance with company policy and government regulation.
The law in many countries requires publicly-owned companies and public sector departments to have internal audit activities. Many privately-owned companies have internal audit activities as well. Some of the benefits derived from the internal audit activities are as follows:
- Assess the effectiveness of the design and execution of the system of internal control and risk management.
- Assist management in the effective discharge of their duties.
- Evaluate compliance with laws and regulations.
- Evaluate the reliability and integrity of financial and operational information.
- Provide recommendation for the improvement of operations.
- Help in safeguarding company assets and utilization of its resources.
- Reduce the exposure to unpleasant surprises.
- Having an internal audit activity is a good corporate governance practice.
- The cost of preventive actions is much less than those of corrective actions.
Further Reading:
- 6 Ways Risk-based Auditing Adds Value to Your Organisation
- ‘King IV – an update on the progress so far’ and ‘What makes an internal audit function a valuable asset’.
- Managing and Auditing Ethics – Starting Point or End Goal?
CHAPTER 3: WHAT DO THE STANDARDS SAY?
The International Professional Practice Framework (IPPF) states that the Mission of Internal Audit is: “To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.”
The Definition of Internal Auditing as per the IPPF framework is:
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
- 1220.A3 – Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.
- 2010.A1 – The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.
- 2010.C1 – The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan.
- 2100 – Nature of Work – The internal audit activity must evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes using a systematic, disciplined, and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future impact.
- 2120 – Risk Management – The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes:
- Organizational objectives support and align with the organization’s mission.
- Significant risks are identified and assessed.
- Appropriate risk responses are selected that align risks with the organization’s risk appetite.
- Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.
- 2200 – Engagement Planning – Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organization’s strategies, objectives, and risks relevant to the engagement
- 2450 – Overall Opinions – When an overall opinion is issued, it must take into account the strategies, objectives, and risks of the organization; and the expectations of senior management, the board, and other stakeholders. The overall opinion must be supported by sufficient, reliable, relevant, and useful information.
- 2600 – Communicating the Acceptance of Risks – When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.
The King IV code on corporate governance (copyright Institute of Directors Southern Africa) applies to all entities, regardless of their nature, size or form of incorporation. The Code is implemented on an “apply and explain” basis. The following principles relating to assurance are embodied in the Code: Principle 15: The governing body should ensure that the assurance services and functions enable an effective control environment, and that these support the integrity of information for internal decision-making and of the organisation’s external reports.
Recommended Practices
The governing body should oversee that the combined assurance model is designed and implemented to cover effectively the organisation’s significant risks and material matters through a combination of the following assurance service providers and functions as is appropriate for the organisation:
- The organisation’s line functions that own and manage risks.
- The organisation’s specialist functions that facilitate and oversee risk management and compliance.
- Internal auditors, internal forensic fraud examiners and auditors, safety and process assessors, and statutory actuaries.
- Independent external assurance service providers such as external auditors.
- Other external assurance providers such as sustainability and environmental auditors, external actuaries, and external forensic fraud examiners and auditors.
- Regulatory inspectors.
Internal Audit
The governing body should assume responsibility for internal audit by setting the direction for the internal audit arrangements needed to provide objective and relevant assurance that contributes to the effectiveness of governance, risk management and control processes.
The governing body should monitor on an ongoing basis that internal audit:
- follows an approved risk-based internal audit plan; and
- reviews the organisational risk profile regularly and proposes adaptions to the internal audit plan accordingly.
The governing body should ensure that internal audit provides an overall statement annually as to the effectiveness of the organisation’s governance, risk management and control processes
The PFMA (Public Financial Management Act) of South Africa:
General responsibilities of accounting officers:
(1) The accounting officer for a department, trading entity or constitutional institution—
- (a) must ensure that that department, trading entity or constitutional institution has and maintains—
- (i) effective, efficient and transparent systems of financial and risk management and internal control;
- (ii) a system of internal audit under the control and direction of an audit committee complying with and operating in accordance with regulations and instructions prescribed in terms of sections 76 and 77;
- (iii) an appropriate procurement and provisioning system which is fair, equitable, transparent, competitive and cost-effective;
- (iv) a system for properly evaluating all major capital projects prior to a final decision on the project;
General responsibilities of accounting authorities:
(1) An accounting authority for a public entity—
- (a) must ensure that that public entity has and maintains—
- (i) effective, efficient and transparent systems of financial and risk management and internal control;
- (ii) a system of internal audit under the control and direction of an audit committee complying with and operating in accordance with regulations and instructions prescribed in terms of sections 76 and 77; and
- (iii) an appropriate procurement and provisioning system which is fair, equitable, transparent, competitive and cost-effective;
- (iv) a system for properly evaluating all major capital projects prior to a final decision on the project;
The MFMA (Municipal Financial Management Act) of South Africa:
General financial management functions:
(1) The accounting officer of a municipality is responsible for managing the financial administration of the municipality, and must for this purpose take all reasonable steps to ensure—
(c) that the municipality has and maintains effective, efficient and transparent systems—
- (i) of financial and risk management and internal control; and
- (ii) of internal audit operating in accordance with any prescribed norms and standards;
Internal audit unit:
(1) Each municipality and each municipal entity must have an internal audit unit, subject to subsection (3).
(2) The internal audit unit of a municipality or municipal entity must:
- (a) prepare a risk based audit plan and an internal audit program for each financial year;
- (b) advise the accounting officer and report to the audit committee on the implementation of the internal audit plan and matters relating to—
- (i) internal audit;
- (ii) internal controls;
- (iii) accounting procedures and practices;
- (iv) risk and risk management;
- (v) performance management;
- (vi) loss control; and
- (vii) compliance with this Act, the annual Division of Revenue Act and any other applicable legislation; and
Audit committees:
(1) Each municipality and each municipal entity must have an audit committee, subject to subsection (6).
(2) An audit committee is an independent advisory body which must—
- (a) advise the municipal council, the political office bearers, the accounting officer and the management staff of the municipality, or the board of directors, the accounting officer and the management staff of the municipal entity, on matters relating to—
- (i) internal financial control and internal audits;
- (ii) risk management;
- (iii) accounting policies;
- (iv) the adequacy, reliability and accuracy of financial reporting and information;
- (v) performance management;
- (vi) effective governance;
- (vii) compliance with this Act, the annual Division of Revenue Act and any other applicable legislation;
- (viii) performance evaluation; and
- (ix) any other issues referred to it by the municipality or municipal entity;
Further Reading:
- Key Updates to the IPPF Framework You Should Know About
- Elevating Audit Through Risk-based Auditing with Continuous Monitoring
CHAPTER 4: WHY IMPLEMENT INTERNAL AUDIT SOFTWARE?
Besides being general best practice, Internal Audit Software provides an organisation with a systematic and disciplined approach to the audit process. Using Internal Audit software can boost efficiency for internal audit departments creating greater cost savings and they can boost the overall capacity of understaffed departments. Other benefits of using internal audit software include:
- Creating a central and secure repository for all audit documentation
- Enabling access to audit information and documentation regardless of location, or stage of audit process
- Providing a highly structured format to support the audit process of planning, execution, reporting, follow-up and document management
- Increasing coordination and integration with other organisational risk management activities
- Risk & Control based auditing ensuring that risks that matter to the organisation are audited and aligned back to the business
- Improving the ability to create reports and information insights for management
- Providing ‘live’ updating and monitoring of action plans as well as follow-up audits
Further Reading:
- Powerful Data Analytics Integrated with GRC: The Complete Continuous Monitoring Solution
- Still Using Excel for Risk Management and / Or Audit?
CHAPTER 5: WHAT WILL INTERNAL AUDIT SOFTWARE DO FOR MY BUSINESS?
Governing bodies and senior management rely on Internal Auditing for objective assurance and insight on the effectiveness and efficiency of governance, risk management, and internal control processes. Internal audit software:
- Facilitates objective, risk & control based auditing, ensuring that risks that matter to the organisation are audited and aligned back to the business
- Fully integrated with risk management, providesenterprise-wide visibility of risk and combined assurance reporting
- Incorporates built-in best practices and supports the adoption of the IIA standards
- Simplifies and standardises audit processes with centralised ‘working-paper’ library for all types of audit: risk & control, ad hoc, forensic, compliance etc.
- Eliminates audit errors and inconsistencies by standardising the audit process and enabling centralised library look-up
- Generates final audit reports, audit committee reporting, advanced business intelligence dashboard reporting at the click of a button:
- Final audit reports (in MS Word)
- Top risk trends by business unit based on number findings
- Top risks and their root causes
- Root cause analysis by business unit and process
- Key performance linked to business objectives and risk management
- Combined assurance reporting
- Allows for online follow-up of findings via web-based action plans
- Facilitates a risk intelligent early-warning system including dynamic re-assessment of risks & controls, trend monitoring, continuous risk and control monitoring
- Increases audit coverage whilst reducing audit time and cost
- Minimizes reputational damage and provides Director / Accounting officer protection
Further Reading:
- 4 Ways Auditors Can Add Value to Your Organisation
- The Imperative to Fast Track the 4ir in the Wake of Covid-19
- Managing Procurement Fraud Risk through Continuous Monitoring
CHAPTER 6: STEPS TO THE SUCCESSFUL IMPLEMENTATION OF INTERNAL AUDIT SOFTWARE
Software implementation:
- Document your organisational structure (departments or business units) in line with reporting lines
- Document your existing processes / sub processes / system descriptions including risks, controls and tests
- Document your audit methodology including types of audit, project file organiser structure per type of audit, template documents, findings structure (e.g. standard, finding, impact, root cause, management comment, action plan), findings and project rating scale etc. Apply these to your organisational structure.
- Identify your audit users, their permissions (preparer, reviewer etc.) and software training requirements
- Ensure the software is able to generate final audit reports / audit committee reports as per your requirements
- Take-on: software must be able to import existing findings from Excel into the database
Now you are ready to use the software:
- Audit planning (where, when, who): based on high risk areas, site rating, repeat findings
- Perform audit execution: Perform testing, risk & control assessment and raise findings
- Finalise Audit Process: Review audit results, produce audit report, remediation plan (living action plans), and executive summary
- Follow up audits to check for resolution of findings
Further Reading:
CHAPTER 7: CONSIDERATIONS AND KEY QUESTIONS WHEN BUYING AUDIT SOFTWARE
- Define your system requirements in enough detail to provide basis for evaluation
- How flexible is the software to support your audit methodology
- Does the software support best practice standards (risk & control based auditing) and is it integrated with risk management
- Apart from the software having the standard features, what are the differentiators / value adds
- Take into account the benefit of local support and responsiveness of the vendor to your requirements
- What is the setup process and estimated timelines; be aware of the ‘box-dropper’ approach versus a ‘hand’s on’ approach ensuring project success
- Are there any hidden fees or costs (e.g. hosting, support, additional implementation, other required 3rd party software licenses, online action plan licenses etc?)
- Check the reporting capability of the software
- Ensure the upgrade of the software is non-intrusive, simple and that there are regular updates
- Check the ability / stability to work offline
- Request client references / testimonials
Don’t:
- just select the software based on cost and ease of use
- just buy the most popular software assuming it will be best for your company
- buy basic software which meets your current requirements but won’t meet your future requirements
Further Reading:
CHAPTER 8 : KEY FEATURE COMPARISON CHECKLIST
Use this comparison checklist to compare important feature sets from competing software solutions:
Important features | BarnOwl | Software B | Software C |
Does the software support risk and control based auditing. i.e. is it a fully integrated GRC solution | |||
Flexible take-on / import functionality | |||
Hand holding throughout the implementation process ensuring project success | |||
Ability to maintain a central library of process / working paper tests, not just as Excel attachments but within the database as fields | |||
User-defined fields available anywhere in audit module and ability to report on user-defined fields | |||
User / Group security restricting unit and project access | |||
Facilitation of the typical audit process including planning, execution, reporting and follow-up | |||
Facilitation of execution with business logic to create standard findings based on failed tests including the automatic identification of ‘repeat’ findings | |||
Ability to automate the distribution of findings to management for comment and automatic import / capture of management comments back into the system | |||
‘Check in’ / ‘check out’ functionality allowing multiple auditors to work on the same audit project without conflicts | |||
Resource management and Timesheets | |||
Review notes are stored in the database with preparer / reviewer audit trail history. Review notes can be captured anywhere in the system including directly against findings and / or Excel / Word working papers | |||
Customisable reports with MS Word integration | |||
Combined assurance reporting | |||
Management and Auditor Dashboards | |||
Graphical slice and dice reporting: e.g. root cause analysis, risk ranking, findings analysis, trends etc. | |||
Automated risk and control self-assessments without any licensing or cost implications | |||
Online questionnaires and surveys without any licensing or cost implications | |||
Online action plans with email notifications to all auditees without any licensing or cost implications | |||
Offline and online synchronisation enabling auditors to work offline | |||
Seamless integration with best of breed data analytics software (e.g. Arbutus) in support of continuous risk and control monitoring | |||
Ease of use | |||
End user support process, support portal | |||
Ability and willingness of the vendor to respond to software enhancement requests | |||
Online help, FAQs, up-to-date system documentation | |||
Regular and seamless software upgrades including automated upgrading of offline users | |||
Regular user groups, refresher training etc. | |||
Client references and track record of the vendor |
About BarnOwl
BarnOwl is a fully integrated governance, enterprise risk management, compliance and audit software solution used by close to 200 organisations in Africa, Europe and the UK. BarnOwl supports best practice risk management, compliance and audit frameworks (e.g. COSO, ISO31000, Compliance Institute’s handbook, International Professional Practice Framework), whilst offering a highly flexible and configurable parameter-driven system allowing you to configure BarnOwl to meet your specific requirements.