
Securities Industry and Financial Markets Association


3 steps to building an internal audit process

Mar 18, 2020

Whether you are looking to implement an internal audit department at your organization, or formalize one that you have had in place for some time, there are three core building blocks to the process:

1. Establish an independent audit committee

At some organizations an independent audit committee can be the full board of directors, but it is more often a sub-committee of the board.  Although management may attend meetings, it is important that the voting members of the audit committee are independent of the organization’s management and employees.  The size of the audit committee generally ranges from three to six voting members.  The roles and responsibilities of the group should be contained within an audit committee charter.

2. Draft an audit committee charter

An audit committee charter lays out the roles and responsibilities of the audit committee, including providing oversight of financial reporting, risk management, internal control, compliance, ethics, management, internal auditors and external auditors.  The charter should define membership requirements, determine the cadence and timing of meetings, outline the responsibilities and authority of the committee and address the relationship between the committee and auditors (both internal and external) providing services to the organization.  It is critical that the charter accommodate executive sessions with the auditors, as necessary, and allow for engagement of outside counsel as needed. 

3. Draft an internal audit charter

The internal audit charter generally defines the mission, role, authority, independence and responsibilities of the internal audit department.  Although these will certainly vary by organization, several key items should be included within every charter, including:

  • Internal auditors will not have direct operational responsibility or authority over any of the activities being audited.
  • Internal auditors can assist with determining ideas for remediation of audit findings or improvement to operations but cannot be responsible for implementation of internal controls or complete development of procedures.
  • Internal auditors should have full, free and unrestricted access to all functions, records and personnel.

The charter should also address compliance with the Institute of Internal Auditors Standards and the Red Book, if so desired. 

Those basic building blocks of internal audit governance should be in place regardless of whether you have an in-house internal audit function or outsource this to a professional service organization.

How often should you meet?

Audit committee meetings should be held at least quarterly (larger organizations may hold these meetings monthly) and should generally include:

  • Presentation of internal audit reports, including scope of work and findings noted
  • Presentation of management responses to noted issues
  • Follow-up on previously noted issues
  • The internal audit department’s audit plan and performance relative to the plan (are they on track to complete all necessary audits, do they need additional resources, etc.)
  • Annual review of the audit committee charter and internal audit charter, including the internal audit department’s purpose, authority, and responsibility
  • Annual review of the organization’s risk assessment/heat map that drives internal audit plans
  • Annual review of the internal audit department’s compliance with the Institute of Internal Auditors Code of Ethics and Standards

The audit committee, when making motions to accept internal audit reports, should ensure they fully understand the issues noted by the internal auditor and how management plans to correct them.  If management does not intend to take any corrective action, the audit committee members should ensure they are not subjecting the organization to an undue level of risk exposure.

Ultimately, an internal audit function can only be as successful as the tone at the top and governance structure allows it to be.  By ensuring the appropriate internal audit governance building blocks are in place, you can help set up the internal audit function to be more effective.

How Wipfli can help

Our experienced auditors can work with your internal audit team to complete a risk-based internal audit plan. Learn more about the insights you can gain and the risks you can mitigate on our internal audit web page.



Sarah G. Lutzke, CIA
Principal, Risk Advisory Services