A collective sigh goes around the room (or Zoom call) whenever I say the phrase, “we have an internal audit coming up.” Though it may seem like just another item on the compliance checklist to “get through,” the internal audit is essential for companies of all sizes. It lets a company assure customers that it is delivering secure, quality, and compliant services and/or products, while at the same time identifying ways to improve and mature its business practices.
Though the process can feel like pulling teeth (especially if you are doing it for the first time), it doesn’t have to! I recently completed our internal audit at LogicGate using Risk Cloud, and I found that by doing a few key things you can make it much easier on yourself and on those participating.
Before an Internal Audit Assessment Begins
1. Establish Responsibilities
As a smaller company, there are some things we take into consideration at LogicGate when assigning internal audit responsibilities, given our limited headcount. For example, how do we stay objective in our assessment?
Plain and simple, we abide by the rule of “do not audit your own work,” an application of separation of duties. By building up employees through training and experience, people in different roles or departments can audit another department’s work. For example, if the security compliance manager owns several of the internal controls that they would otherwise be responsible for auditing, the review of those controls is handed to another individual (e.g., the VP of Information Security, legal, etc.).
2. Write Out Communications
Write out your internal audit communications beforehand, with at least one detailing the basics of the assessment (e.g., date of kickoff, due date for evidence submission, internal control owners/evidence owners, expectations, estimated time required, etc.). This lets you set reminders and send the messages throughout the process without taking time away from conducting the internal audit and reviewing evidence.
The first message to participants should go out before the kickoff of the assessment, so that those involved can prepare, set time aside, and prioritize their work accordingly for the audit period.
3. Create Enablement Materials
At companies of all sizes, many of the employees participating in an internal audit are doing so for the first time. Create some basic enablement materials to educate your internal control owners and the other employees participating in the assessment. This helps ensure they are better equipped to execute their responsibilities and gives you more pointed questions and more useful feedback. Topics could include what an internal control is, internal control owner responsibilities, the purpose of an internal audit, best practices for internal audits, etc.
4. Schedule a Kickoff Meeting
Although you may have already sent out messages to all those participating along with the enablement materials, it is good practice to meet with all the stakeholders involved to kick off the assessment on a positive note. Offer words of encouragement, reiterate the expectations for the internal audit, and deliver important information or updates. This also gives those participating the opportunity to ask questions, give feedback, and allow others to hear and learn more about the process.
5. Automate Reminders
If you have the ability to send participants automatic reminders to complete their work (if it’s still outstanding), do it! People get busy and people forget, so these reminders are very helpful in pushing the audit along to completion. LogicGate’s Risk Cloud allows one to set up integrations with common communication channels (like Slack) and automatically send out reminders and updates to all those participating, taking a lot of the mundane check-in or reminder work off of one’s to-do list. If you cannot set up automatic reminders, block out time to check in with internal control owners/participants yourself.
6. Have an Evidence Repository
Establish an evidence repository where all participants will submit their internal audit evidence for review (e.g., a Google Drive folder, a Box folder, etc.) and ensure that least-privilege access is enforced on it. Audit evidence often consists of screenshots of configurations, access lists, and logs, so the repository itself is sensitive. For example, Bob owns five internal controls, so in the evidence repository we create a folder for Bob to submit his evidence that is accessible only to Bob and to the reviewer of Bob’s evidence. With Risk Cloud, one is able to link the evidence repositories directly to the internal control evaluation records, making it very easy for the control owner to submit evidence and for the evidence to be reviewed accordingly.
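The two safeguards above, “do not audit your own work” (under Establish Responsibilities) and least-privilege access to the evidence repository, are easy to state and easy to drift from once a few dozen controls have been assigned. The following script is an added example, not LogicGate’s or Risk Cloud’s code: it takes a constructed control assignment list and a constructed folder ACL map (hypothetical people, control IDs, and folder paths) and reports every self-review and every folder whose access differs from “the owner plus the reviewers of that owner’s controls.”

```python
"""Pre-kickoff checks for an internal audit assignment plan.

Check 1 (separation of duties): nobody reviews a control they own.
Check 2 (least privilege): each owner's evidence folder is shared with
exactly that owner and the reviewer(s) of that owner's controls.

All data below is constructed for illustration; names, control IDs and
folder paths are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str
    owner: str      # person who operates the control and submits evidence
    reviewer: str   # person who audits the submitted evidence


# Constructed assignment list. CM-03 is deliberately a self-review.
CONTROLS = [
    Control("AC-01", owner="bob", reviewer="alice"),
    Control("AC-02", owner="bob", reviewer="alice"),
    Control("CM-03", owner="carol", reviewer="carol"),
    Control("IR-04", owner="dave", reviewer="bob"),
]

# Constructed repository ACL: folder path -> principals with access.
# "erin" has no audit role, and dave's folder has not been created yet.
REPO_ACL = {
    "evidence/bob": {"bob", "alice", "erin"},
    "evidence/carol": {"carol"},
}

FOLDER_PREFIX = "evidence/"  # hypothetical layout: one folder per owner


def check_separation_of_duties(controls):
    """Return IDs of controls whose owner would be auditing their own work."""
    return [c.control_id for c in controls if c.owner == c.reviewer]


def expected_acls(controls, folder_prefix=FOLDER_PREFIX):
    """Derive the least-privilege ACL for each owner folder from the assignments.

    An owner's folder should be visible to the owner and to every reviewer
    assigned to one of that owner's controls, and to nobody else.
    """
    expected = {}
    for c in controls:
        folder = f"{folder_prefix}{c.owner}"
        expected.setdefault(folder, {c.owner}).add(c.reviewer)
    return expected


def check_least_privilege(controls, acl, folder_prefix=FOLDER_PREFIX):
    """Compare the real ACL map against the derived one.

    Returns (folder, description) findings for: folders that do not exist,
    principals with access who should not have it, principals who need
    access but lack it, and folders that no control owner accounts for.
    """
    expected = expected_acls(controls, folder_prefix)
    findings = []
    for folder, allowed in expected.items():
        actual = acl.get(folder)
        if actual is None:
            findings.append((folder, "missing folder"))
            continue
        extra = actual - allowed
        missing = allowed - actual
        if extra:
            findings.append((folder, f"unexpected access: {sorted(extra)}"))
        if missing:
            findings.append((folder, f"missing access: {sorted(missing)}"))
    for folder in sorted(set(acl) - set(expected)):
        findings.append((folder, "folder not tied to any control owner"))
    return findings


def run_checks(controls=CONTROLS, acl=REPO_ACL):
    """Run both checks; an empty result means the plan is clean."""
    return {
        "self_review": check_separation_of_duties(controls),
        "acl_findings": check_least_privilege(controls, acl),
    }


if __name__ == "__main__":
    report = run_checks()
    for cid in report["self_review"]:
        print(f"SoD violation: {cid} is reviewed by its own owner")
    for folder, problem in report["acl_findings"]:
        print(f"ACL finding: {folder}: {problem}")
```

Note that carol’s folder passes the least-privilege check while CM-03 fails separation of duties: the two checks are independent, and a clean ACL does not tell you the reviewer is objective. In practice the assignment list would come from your control inventory and the ACL map from the storage provider’s sharing settings; running the comparison before kickoff catches self-reviews and stale sharing before anyone uploads evidence.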
During the Internal Audit Assessment
1. Set Office Hours
During the internal audit period, set aside time during the day/week to have one-on-one meetings with participants, allowing them to ask questions and give you feedback on the process.
2. Designate an Escalation Path to Follow
As the end of the internal audit assessment approaches, it is valuable to have a plan for documenting which controls/evidence submissions may not be completed in time and the corresponding actions to take. For example, if the control owner who needs to submit evidence is out of office and has not completed their work, who is their backup? How is the issue escalated so that evidence is still submitted on time?
After the Internal Audit Assessment
1. Host a Close-out Meeting
Once all the evidence has been submitted, reviewed, and approved, host a close-out meeting with participants to thank them for their time and commitment to the internal audit process. Internal audit is not an easy task, and employees’ dedication to it is what allows the company to recognize its weak spots, identify where it is strong, and continue to grow and improve. Share the results, the lessons learned, and the goals for the next internal audit.
2. Prioritize Goals for the Next Audit
Whether it was your first or your thirty-second internal audit, there are always things that can be improved upon. To make the next one even easier and more productive, listen to everyone’s feedback, learn from your experience, and prioritize a few key goals to implement the next go-around.
As a startup with only a few people dedicated to internal audit, we have run into our share of bumps in the road, but these practices, along with the Internal Audit Application in Risk Cloud, help make the process smoother, more efficient, and definitely more productive for all involved.