Building a Strong Internal Audit Function

Despite the fact that the internal audit function plays a critical role over corporate governance, accountability and compliance, many organizations today dismiss its importance, putting them at risk for encountering the mistakes and fraud incidents that result from having a weak to non-existent internal audit function.

A successful internal audit should typically begin with an overall risk assessment, reviewing everything involved in accomplishing the organization’s objectives, including financial procedures and processes, from cash and banking practices to financial reporting. When high-risk areas are identified, auditors then use various methods, such as testing of transactions, interviews of staff, or electronic data extraction techniques, to assess the strength of internal controls.

The effectiveness of the internal audit function hinges on several factors, including:

• Independence – Internal auditors should be independent from management and other functions they review to avoid bias or a conflict of interest. 
• Executive support – The board and executive management must provide clear support for the internal audit function and its activities to convey their importance to the full organization. 
• Resources – For peak performance, internal audit should engage internal or outsourced staff with experience in compliance and controls, program areas, operations and specialized areas (such as IT), especially those identified as high-risk.
• Quality assurance review (QAR) – A QAR assesses the overall effectiveness of an internal audit function by applying three criteria: 1) compliance with professional standards; 2) effectiveness and efficiency of function activities, organization, resources and skill capabilities; and 3) evaluation and fulfillment of stakeholder needs. 

With proper independence and support, the internal audit function is invaluable. Proper assessment of risk — whether by an in-house or outsourced internal audit function — is crucial to thrive in today’s rigorous environment. And in addition to executing internal audits, the internal audit function can also perform other corporate governance activities, such as compliance and Sarbanes-Oxley monitoring, including planning, testing and reporting to senior management. 

Well-executed-SOX-monitoring offers peace of mind to management teams and investors of publicly traded companies, peace of mind that a company’s underlying day-to-day business transactions and financial reporting processes result in accurate financial statements. 

Smaller organizations aren’t exempt from the internal audit imperative and the implementation of SOX-related activities; though conducting these activities on their own may not be affordable or practical. In such instances, their board and management can oversee internal controls with the assistance of a qualified third party to conduct the various internal audit functions, to help them attain efficiency and optimize internal resources.

To learn more about the requirements of implementing a SOX program and how a strong internal audit function can help, download our SOX Insights document today.