As microfinance institutions (MFIs) grow in size and complexity, the need for strong internal control systems to manage operating risks also grows. One of the key tools for ensuring effective internal control is the internal audit. How does an MFI make an internal audit department effective? What is the difference between an internal and external audit and how do they relate? How do MFIs ensure that internal audit recommendations are implemented? How can both staff and management be
persuaded to value the internal audit function and thus make the best use of it? The answers to many of the above questions are provided by an MFI’s management and board of directors and the system that they put in place for risk management and
internal audits. The board and management set the tone for an organization, influencing the way in which staff view internal controls. This control “environment” is fundamental for implementing an effective internal audit department.

This toolkit provides an overview of best practices for a well-functioning internal audit department in an MFI. It focuses on operational risks, rather than external risks (e.g., those related to regulation, competition, and the environment) or financial risks (e.g., those related to interest rates, foreign exchange rates, and liquidity). The toolkit assumes that an MFI’s board and governing bodies lead the risk management agenda of the MFI and effectively hold management accountable for the implementation of risk mitigation strategies.

Annex 3, Sample C: Excel Spreadsheet Risk Assessment Tool

Annex 8A & 8B: Sampling Calculation Tools (Poisson Sampling Table & Attribute Sampling Worksheet)