Internal Audit is an important function within an
organisation. In the present context of increasing emphasis on good governance,
the need for well-defined risks and controls framework, the focus on prevention
rather than detection and desire for a strong compliance culture, there is an
urgent need to ensure that the Internal Audit function has been set up with due
This article highlights some of the key areas that require
attention while setting up the Internal Audit function in an organisation.
For organisations that already have such a function, there may be a need to
revisit the manner in which it has been set up and make suitable changes to
ensure that the Internal Audit function is engineered to perform effectively.
The management of the company while setting up the Internal
Audit function has to take a few key decisions:
Organisational placement: Who will IA
Structure: Will IA be an in-house
function, a totally outsourced function or a co-sourced function?
Team composition and location: What
skill sets will be required for the IA team? How should the team be selected /
Scope: How will the scope of IA be
determined? What will be kept out of the scope?
Budget and resources: What is a
reasonable budget and what resources need to be made available to IA?
The audit committee of the
Board (“ACB”) is required to take primary responsibility for ensuring an effective
Internal Audit function. In an ideal situation, internal auditors functionally
report to the ACB and administratively to the CEO. In organisations that do not
require to have an ACB, the responsibility for setting up and overseeing the
Internal Audit function rests with the Board or an equivalent Governing Body,
in case of non-corporate bodies.
In reality, in a large
number of cases, the Internal Audit function reports to the CFO, both
administratively and functionally. Even where it does not report to the CFO,
the CFO wields strong influence on the Internal Audit function. Th