Establishment of an internal audit function
- Preparation of the formal foundation consisting of rules of procedure (charter) and an internal auditing manual
- Identification of the audit universe (entirety of all audit topics) and preparation of a risk-based audit plan
- The formal basis of internal auditing, i.e. the charter and the manual, is required both according to the Professional Practices Framework of the Institute of Internal Auditors (IIA) and the corresponding standard of the Deutsches Institut für Interne Revision (DIIR).
- The rules of procedure (charter) regulate the relationship of the internal auditing function with the organization, i.e. the “external relationship”. They define the tasks, rights and duties of internal auditing and the communication and reporting of the results it develops. Rules of procedure are the most important criterion for any internal and external parties involved in assessing the professionalism of an internal auditing system.
- The internal auditing manual (audit manual) describes the “internal relationship” and at the same time provides the basis for assessing the quality of an internal auditing function. It defines the procedure of audit projects based on important milestones such as planning and reporting, and it communicates the audit procedures within an organization.
- A modern, risk-based audit plan for internal auditing ensures that only those topics, processes and organizational units that are subject to significant risks are audited. Risks can, for example, cause significant deviations in an organization’s fiscal results and/or in the achievement of its objectives.
What are “risks”? We define “risks” as obstacles that prevent an organization from achieving its goals.