Skip Ribbon Commands
Skip to main content

The Internal Audit Function The Internal Audit Function

Have you ever been asked to set up a new internal audit function? These suggestions and resources can help you get started.

Step 1: Establish the Authority of Internal Audit

Establish the authority of the internal audit activity and review the definition of internal auditing and the International Standards for the Professional Practice of Internal Auditing (Standards) to become familiar with what is required.

Step 2: Interview Leadership

Interview senior management and board of directors/audit committee chairmen to build rapport, to ensure those at the top have a clear picture of the internal audit function, and to clarify expectations of all. Use this opportunity to quickly learn and address what management and the board view as the greatest risks to the organization, while keeping in mind issues, problems, and opportunities that have already been identified. Develop a system for cataloging such information, including date and name of person interviewed for quick reference in the future. There are many considerations that should be evaluated in determining the optimal structure and source for internal auditing resources. Those responsible for making such determinations should evaluate the additional guidance and considerations outlined in The IIA's Position Paper, "The Role of Internal Auditing in Resourcing the Internal Audit Activity."

The Role of Internal Auditing in Resourcing the Internal Audit Activity

Step 3: Review the Audit Committee Charter

Obtain and review the audit committee charter. Of course, no sample charter encompasses all activities that might be appropriate to a particular audit committee, nor will all activities identified in a sample charter be relevant to every committee. Accordingly, this charter must be tailored to each committee's needs and governing rules.

Model Audit Committee Charter

Step 4: Understand Benchmarking Needs

Understand "benchmarking" needs, i.e., industry, specialty groups, organizations with same staff size, etc. Ask senior management who they consider to be leaders and laggards in your organization's market niche. Check out The IIA's GAIN Benchmarking services and review past GAIN surveys.

Step 5: Review Policies and Procedures

Obtain and review your organization's written policies and procedures, especially the policy pertaining to management's responsibility to control the organization.

Step 6: Discuss Control Issues

Discuss with external auditors open and closed internal control issues, which they may have identified during their reviews.

Step 7: Develop the "Audit Universe"

Start to develop the "audit universe," or the list of all auditable entities.

Step 8: Map Major Processes/Operations

Map the major processes/operations within the organization. Meet with operations managers, including those in information technology, in order to understand their risks and concerns.

Step 9: Develop Risk Assessment

Develop a risk assessment for your organization. This should be a macro-level assessment, which includes both external and internal risk factors.

Step 10: Develop Charter for Internal Audit

Develop a charter for internal audit. Ensure that both senior management and the audit committee review and approve the charter. Information on audit charters can be found within the International Professional Practices Framework (IPPF), Establishing an Internal Audit Activity manual and Essentials: An Internal Audit Operations Manual. Additional resources and samples are provided at the bottom of this page.

Model Internal Audit Activity Charter

Step 11: Build the Budget

Build the budget, including personnel and travel.

Step 12: Develop an Audit Plan

Based on your risk assessment, develop an audit plan. The amount of the plan that can be accomplished in the allotted time period (usually a year) will depend on the risks identified and the internal audit resources and staff. You should always leave time in your audit plan for management requests (usually 10 percent).

Step 13: Hire Staff and Develop Training Plan

Hire your staff and develop a plan for staff training. Ensure your staff covers the range of expertise needed based on your risk assessment. You may also consider outsourcing portions of your audit plan to outside service providers or using professionals internal to the organization. For additional information, refer to The IIA's Position Paper, "The Role of Internal Auditing in Resourcing the Internal Audit Activity."

The Role of Internal Auditing in Resourcing the Internal Audit Activity

Step 14: Ensure Complete Cooperation

Ensure that senior management notifies other departments of your existence and calls for complete cooperation.

The IIA offers the following complimentary brochure:

All in a Day's Work

Use the search feature on this website to help you identify other valuable resources.

Step 15: Establish Best-Practice Reporting Relationships

Work with management to establish best-practice reporting relationships, to ensure internal audit is promoted throughout the organization, and to develop a methodology for following up on audit recommendations and measuring performance.

Step 16: Establish Quality Assurance Program

Establish a quality assurance program.

Sample Quality Assurance Improvement Program

Resources from the IIA Bookstore

21st Century Audit Management — Opportunities and Challenges
A Balanced Scorecard Framework for Internal Audit Departments
Audit Committee Reporting: A Guide for Internal Auditing
Audit Committee Briefing — Understanding the 21st Century Audit Committee and its Governance Roles
Audit Committee Effectiveness — What Works Best, 4th Edition
Control Model Implementation: Best Practices
Board Effectiveness: What Works Best, 2nd Edition
Corporate Governance and the Board — What Works Best
Fundamental Libraries
Quality Assessment Manual for the Internal Audit Activity
Sawyer's Guide for Internal Auditors, 6th Edition
Strategies for Small Audit Shops, 2nd Edition

IIA Services

Certified Internal Auditor® (CIA®) certification
Certified Government Auditing Professionals® (CGAP®) certification
Certified Financial Services Auditor® (CFSA®) certification
Certification in Control Self-Assessment® (CCSA®) certificationCertification in Risk Management Assurance™ (CRMA®) certification
Global Audit Information Network (GAIN)
Quality Assessment

Sample Documents

Model Management Control Policy


An updated edition of the International Professional Practices Framework (IPPF) guide, more commonly known as the Red Book, is now available. Visit the IIA Bookstore for more information.
Copyright © The Institute of Internal Auditors. All Rights Reserved.