  • Internal audit departments can also undertake consulting activities. You should keep these separate, make it clear in the terms of reference and reports that they aren’t internal audits, and make any documentation given to the business look different to that from internal audit
  • Assess whether and when an audit is required over a particular subject, process or risk and ensure that different personnel are involved. Ensure all parties are aware of the differences
  • Heads of internal audit (HoIA) in smaller organisations may have additional responsibilities. To maintain independence and objectivity, the HoIA can remove themselves from decisions on initiating and managing related audits, including discussions with the audit committee, external auditors and regulators
  • The audit work may also be outsourced, but this should still be managed by someone other than the HoIA. Even where this happens, you may still have to manage other senior managers’ perceptions that the HoIA has received preferential treatment 
  • Remember that even if you don’t let a personal relationship affect your objectivity on an audit, other people may still think it has. Just as importantly, it may damage that relationship. So from all perspectives, it’s best avoided
  • If your boss asks you to do something that breaches internal auditing values or that you know to be wrong, challenge them on it. If they still want you to do it, escalate this to their boss or the chair of the audit committee
  • Attending committees is a great way to find out what’s happening in the organisation and the key emerging issues. It’s also an opportunity to influence. Always ensure that it’s recorded in the terms of reference that you’re there as an attendee, not a member, and that you have no voting rights
  • Internal audit is sometimes referred to as the third line of defence, with business managers being the first line and risk management the second
  • Remember, assurance over risks and controls can be given by the first and second lines of defence, but only internal audit’s assurance is independent and objective
  • Risk management is a control that internal audit should assess, especially as working effectively with risk management is critical to success
  • Internal audit isn’t the police; it’s management’s responsibility to ensure that their risks are appropriately managed and that their controls are complied with
  • Internal audit is sometimes referred to as an ‘agent for change’. It doesn’t just provide assurance and is only truly successful if poorly managed risks are improved to an acceptable level. Internal audit creates the momentum for improvement
  • Remember, it’s not just important for auditors to understand what internal audit is, it’s also important that the business and senior management understand this as well. What are you doing to make this happen? How are you checking that this is understood?