What is an Internal Audit?

As defined by the Institute of Internal Auditors (IIA), internal audit is “an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Types of Audits

First-Party Audits: These are performed within an organization to measure its strengths and weaknesses against its own procedures or methods and/or external standards. Internal audits are first-party audits and are conducted by auditors who are employed by the company being audited but have no vested interest in the audit results of the area(s) being audited.

Second-Party Audits: These are external audits performed on a supplier by a customer, or by a contracted firm (consulting firm) on behalf of a customer.

Third-Party Audits: These are external audits performed on a supplier or regulated entity by an external participant other than a customer. They are conducted for recognition or registration purposes and are performed either by external regulators (FDA, FAA, NRC, USDA) or by registrars (ISO9001, AIB, JCAHO).
Plan the Audit Properly

During the planning phase, the following must be defined and agreed:
• The purpose of the audit
• A complete description of the GRC program, including the entity to be audited and the key measures of the program
• The scope of the audit and the scope exclusions
• The objectives of the audit and the approach to be taken
• A high-level schedule of the audit and a detailed timeline
• The skills needed to complete the audit
• The selection of members of the internal audit team
• Any other resources required for successful completion of the audit
• Document management and archival/retention policies and processes
Define Audit Scope and Objectives

• Defining the scope of the audit and its objectives is an important part of planning the process and ensures that the audit is carried out successfully.
• In order to conduct a successful GRC program audit, the auditors need a thorough understanding of the following:
  • The organization’s culture, business, strategic goals and objectives
  • The key risks that the program and the organization face
  • The organization and structure of the GRC program and its planned evolution
• Auditors must also determine the following:
  • The major operational processes
  • The various initiatives being implemented within the organization
  • The IT systems that support the operation of the GRC program
Audit Objectives

An audit of a GRC program should have the following objectives:
• Evaluate the “tone at the top”: is it proper and effective in promoting a culture that is ethical and compliant?
• Check whether the program provides reasonable assurance of compliance with organizational policies and all applicable laws and regulations.
• Determine whether the motivation/incentive/reward system is well planned and structured.
• Determine whether the GRC program has a robust management framework that is well documented and has enough resources to carry out its tasks.
• Check whether the GRC program has been implemented and whether the program’s performance reporting system accurately represents the end results of the program’s efforts.
• Conduct a cost-benefit analysis of the GRC program.
• Determine whether the program is up to date with prevailing industry practices and is adequate for the size and complexity of the organization.
• Include any other audit objectives that the board or management has requested.
Want to learn more about audit, its process and best practices for auditing? ComplianceOnline webinars and seminars are a great training resource. Check out the following links:
• Risk Based Internal Auditing (RBIA)
• Internal Auditing Essentials for Medical Device Manufacturers
• How to Audit GRC Programs?
• Role of the Audit Committee in Corporate Governance
• Internal Audit's Role in Enterprise Risk Management
• OCEG Approved GRC (Governance, Risk and Compliance) Professional Seminar
• Auditing Technology and IT Investment Management