We regularly write blog posts about the internal auditing process and what you need to do to prepare, but we recently realized we haven’t laid out the process from your internal auditor’s perspective. We thought this might be a good time to demystify this point person’s role and needs to better serve you in the process.
Of course, you know the basics of who your internal auditor is. He or she is a professional who holds the expertise and authorization to review and verify the accuracy of business records and to ensure information security and regulatory compliance.
Internal auditors are engaged by government entities or private organizations, investigating the suspected mismanagement of funds, searching for ways to eliminate fraud and waste, and providing assurance that an organization’s risk management, internal control processes and governance are all in peak condition and operating effectively. Perhaps most importantly, objectively conducted internal audits by experienced auditors are designed to improve and mature an organization’s business practices.
Your internal auditor will work with you to secure the most accurate reflection of the condition of your business, related to the nature of the audit. This candid and insightful information lets you know whether you and your team are on the right path toward optimal compliance, or if your operations could use some work to avoid unnecessary risk, penalties and any other adverse consequences.
What Internal Auditors Typically Do
An internal auditor’s primary objective is to monitor and assure that all of your business assets—whether financial, technological or otherwise—have been appropriately secured and safeguarded from threats. He or she also verifies that your business processes align with your planned and documented policies and procedures.
A few additional key things internal auditors typically do include:
Offer Objective Insight.
The very reason that you, as a business leader, cannot perform your own audit is that it would be a conflict of interest. Your internal auditor, or internal auditing team, must not have any operational affiliation with, or any responsibility to, your organization in order to achieve an objective insight into the issue at hand.
Smooth Out Problems to Improve Efficiency of Operations.
A professional auditor's review of your organization's policies and procedures quickly points out the strong and weak points of your efforts to mitigate risk and meet other goals.
The insights you gain from an internal auditor’s review can help you improve your organization’s control environment to help mitigate risks and achieve other important goals.
Evaluate Risks and Protect Valuable Organizational Assets.
Every internal audit program focuses on assisting an organization’s management and stakeholders to protect their control environment by identifying risks via a systematic risk assessment. Your internal auditor can help you identify any dangerous gaps in your control environment, providing you the opportunity to pursue a remediation plan.
Assist in Ensuring Compliance with Relevant and Required Regulations and Laws.
Depending on your industry, you may have anywhere from zero to several regulations or laws with which you must comply. Your internal auditor stays up to speed on all the latest updates on any regulations and laws that apply to your business.
5 Important Things Your Auditor Will Need from You for an Internal Audit
Now that you know more about who your internal auditor is, as well as what he or she brings to the table, you may already have a better idea of what you can do to make their work easier, expedite the auditing process and get the results you want.
In addition to what you have in mind, we thought we would share our top five important things your auditor will need from you for an internal audit.
1. Policies and Procedures
Your internal auditor will use your baseline data, such as your policies and procedures, as the metric against which he or she will review the details of the year's operations in action. Make sure you provide your auditor with the most updated list of policies and procedures that you, your company's CEOs, CFOs and IT team members produced over the year.
Cite incidents where an executive, manager or staff member veered from the policies and procedures, as well as spots where everyone shines. Your auditor can provide insights into making improvements and any corrective actions that may be necessary.
2. Service Agreements with Business Associates and Service Organizations
If your organization is like many growing businesses, you might be considering outsourcing some of the non-core, production-related responsibilities for your company, such as cloud hosting or payroll processing. If so, you must ensure that your service organization has aligned their control environment to your own to protect your valuable data.
Let your auditor review the service agreements you have signed with each organization to make sure your organization is fully covered. He or she will also review the results of any System and Organization Controls (SOC) for Service Organizations reports that are relevant to the audit at hand to gain insights into the service organization’s controls and overall operations.
3. Results of Any Exercises, Q&As or Tests Performed Between Official Internal Audits
There are some types of audits that require businesses to perform testing and to answer questions between audits. The PCI DSS, for example, gives organizations the option to perform penetration or vulnerability tests. In a penetration test, your auditor will simulate an actual hacking incident that targets potential vulnerabilities, while a vulnerability assessment is a less intrusive method of assessing a live computing system.
Tests like these, and others for different industries and functions, show the internal auditor your determination to keep your system running smoothly while working to avoid risks that can lead to a data breach and compromised data. Talk to your auditor about these interim exercises to make sure you have everything you need for your official audit.
4. Incident Reports on Data Breaches or Any Other Compromises to Your System
In the case of a data breach, it is important to document everything that occurs to provide every detail to your internal auditor during your audit. Develop a form that serves as a method of communicating the initial known details of a possible or actual information security incident within your organization. This report will help your internal auditor understand the nature of the incident better, as well as how he or she can most accurately and fairly report the data breach and everything leading to it.
5. A Listing of Any New Regulations or Laws with Which You Must Comply
Whether your business has just gone international and must comply with the GDPR because you are now working with European Union customers, or you want to start working toward compliance with the new California Consumer Privacy Act, let your internal auditor know about all of them. He or she can review your standing at the time of the audit and offer you recommendations if there are any oversights.
Are You Ready to Schedule Your Next Internal Audit with a Member of Our Internal Auditing Team?
Do you feel like you have a better idea of what an internal auditor does and what he or she needs from you? If you still have questions, our I.S. Partners, LLC team can definitely clear things up for you. Our internal auditors want to build an ongoing, upbeat and trust-based professional relationship with you and your team. We would be happy to provide more details on the list of things we need so you don't have to spend valuable time trying to figure it out on your own.