Internal Audit: Internal Auditing Is An Independent, Objective
Internal Audit: Internal Auditing Is An Independent, Objective
Internal Audit: Internal Auditing Is An Independent, Objective
Internal auditing is an independent, objective assurance and consulting activity designed to add
value to and improve an organization's operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve
the effectiveness of risk management, control and governance processes.[1] Internal auditing
achieves this by providing insight and recommendations based on analyses and assessments of
data and business processes.[2] With commitment to integrityand accountability, internal auditing
provides value to governing bodies and senior management as an objective source of
independent advice. Professionals called internal auditors are employed by organizations to
perform the internal auditing activity.
The scope of internal auditing within an organization is broad and may involve topics such as an
organization's governance, risk management and management controls over:
efficiency/effectiveness of operations (including safeguarding of assets), the reliability of financial
and management reporting,[3][4] and compliance with laws and regulations. Internal auditing may
also involve conducting proactive fraud audits to identify potentially fraudulent acts; participating
in fraud investigations under the direction of fraud investigation professionals, and conducting
post investigation fraud audits to identify control breakdowns and establish financial loss.
Internal auditors are not responsible for the execution of company activities; they advise
management and the Board of Directors (or similar oversight body) regarding how to better
execute their responsibilities. As a result of their broad scope of involvement, internal auditors
may have a variety of higher educational and professional backgrounds.
The Institute of Internal Auditors (IIA) is the recognized international standard setting body for the
internal audit profession and awards the Certified Internal Auditor designation internationally
through rigorous written examination. Other designations are available in certain countries.[5] In
the United States the professional standards of the Institute of Internal Auditors have been
codified in several states' statutes pertaining to the practice of internal auditing in government
(New York State, Texas, and Florida being three examples). There are also a number of other
international standard setting bodies.
Internal auditors work for government agencies (federal, state and local); for publicly traded
companies; and for non-profit companies across all industries. Internal auditing departments are
led by a Chief Audit Executive ("CAE") who generally reports to the Audit Committee of
the Board of Directors, with administrative reporting to the Chief Executive Officer (In the United
States this reporting relationship is required by law for publicly traded companies).
Contents
Organizational independence[edit]
While internal auditors are not independent of the companies that employ them, independence
and objectivity are a cornerstone of the IIA professional standards; and are discussed at length in
the standards and the supporting practice guides and practice advisories. Professional internal
auditors are mandated by the IIA standards to be independent of the business activities they
audit. This independence and objectivity are achieved through the organizational placement and
reporting lines of the internal audit department. Internal auditors of publicly traded companies in
the United States are required to report functionally to the board of directors directly, or a sub-
committee of the board of directors (typically the audit committee), and not to management
except for administrative purposes.
The required organizational independence from management enables unrestricted evaluation of
management activities and personnel and allows internal auditors to perform their role effectively.
Although internal auditors are part of company management and paid by the company, the
primary customer of internal audit activity is the entity charged with oversight of management's
activities. This is typically the Audit Committee, a sub-committee of the Board of Directors.
Organizational independence is effectively achieved when the chief audit executive reports
functionally to the board. Examples of functional reporting to the board involve the
board:[8] Approving the internal audit charter; Approving the risk based internal audit plan;
Approving the internal audit budget and resource plan; Receiving communications from the chief
audit executive on the internal audit activity’s performance relative to its plan and other matters;
Approving decisions regarding the appointment and removal of the chief audit executive;
Approving the remuneration of the chief audit executive; and Making appropriate inquiries of
management and the chief audit executive to determine whether there are inappropriate scope or
resource limitations.
1. Establishing and communicating the scope and objectives of the Audit to appropriate
members of management.
2. Developing an understanding of the business area under review - this includes
objectives, measurements & key transaction types and involves interviews and a review
of documents - flowcharts and narratives may be created, if necessary.
3. Describing the key risks facing the business activities within the scope of the Audit.
4. Identifying management practices in the five components of control used to ensure that
each key risk is properly controlled and monitored. Internal Audit Checklist[13] can be a
helpful tool to identify common risks and desired controls in the specific process or
specific industry being audited.
5. Developing and executing a risk-based sampling and testing approach to determine
whether the most important management controls are operating as intended.
6. Reporting issues and challenges identified and negotiating action plans with the
management to address these problems.
7. Following-up on reported findings at appropriate intervals. Internal Audit Departments
maintain a follow-up database for this purpose.
Audit Assignment length varies based on the complexity of the activity being audited and Internal
Audit resources available. Many of the above steps are iterative and may not all occur in the
sequence indicated.
In addition to assessing business processes, specialists called Information Technology (IT)
Auditors review Information technology controls.
Objectivity - The comments and opinions expressed in the Report should be objective and
unbiased.
Clarity - The language used should be simple and straightforward.
Accuracy - The information contained in the report should be accurate.
Brevity - The report should be concise.
Timeliness - The report should be released promptly immediately after the audit is
concluded, within a month.
Strategy[edit]
Internal audit functions may also develop functional strategies described in multi-year strategic
plans. Professional guidance on building an Internal Audit strategic plan was issued by
the Institute of Internal Auditors in July 2012 via a Practice Guide called Developing the Internal
Audit Strategic Plan.[15] A key aspect of developing IA strategy is understanding the expectations
of stakeholders, such as the Audit Committee and top management. This helps guide the IA
function in its mission of helping the organization address the risks it faces. Specific topics
considered in IA strategic planning include:
Scope and emphasis: An IA function may be involved in addressing risks related to financial
reporting, operations, legal and regulatory compliance, and the company strategy. There
may also be special topics of interest to stakeholders that change considerably year-to-year.
Portfolio of services: IA functions may provide traditional audit assurance across the risk
spectrum as well as consulting project support in a variety of areas such as project
management, data analysis, and monitoring of major company initiatives. Larger audit
functions may establish specialty areas to handle their service portfolio.
Competency development: The stakeholder expectations around scope and service portfolio
determine what competencies the function needs, which drives decisions regarding hiring of
specific skills and training programs. The internal audit function is often used as a
"management training ground" to provide employees with a deeper knowledge of the
company's operations before they are rotated into a management position.[16]
Technology: IA functions use a variety of technology tools/software to support audit process
workflow, statistical analysis, and obtaining data from systems.
Building the IA strategy may involve a variety of strategic management concepts and
frameworks, such as strategic planning, strategic thinking, and SWOT analysis.[15]
Other topics[edit]
Measuring the internal audit function[edit]
The measurement of the internal audit function can involve a balanced
scorecard approach.[17] Internal audit functions are primarily evaluated based on the quality of
counsel and information provided to the Audit Committee and top management. However, this is
primarily qualitative and therefore difficult to measure. "Customer surveys" sent to key managers
after each audit engagement or report can be used to measure performance, with an annual
survey to the Audit Committee. Scoring on dimensions such as professionalism, quality of
counsel, timeliness of work product, utility of meetings, and quality of status updates are typical
with such surveys. Understanding the expectations of senior management and the audit
committee represent important steps in developing a performance measurement process, as well
as how such measures help align the audit function with organizational
priorities.[18][19] Independent peer reviews are part of the quality assurance process for many
internal audit groups as they are often required by standards.[20] The resulting peer review report
is made available to the Audit Committee.
Reporting of critical findings[edit]
The Chief Audit Executive (CAE) typically reports the most critical issues to the Audit
Committee quarterly, along with management's progress towards resolving them. Critical issues
typically have a reasonable likelihood of causing substantial financial or reputational damage to
the company. For particularly complex issues, the responsible manager may participate in the
discussion. Such reporting is critical to ensure the function is respected, that the proper "tone at
the top" exists in the organization, and to expedite resolution of such issues. It is a matter of
considerable judgment to select appropriate issues for the Audit Committee's attention and to
describe them in the proper context.
Audit philosophy[edit]
Some of the philosophy and approach of internal auditing is derived from the work of Lawrence
Sawyer. His philosophy and guidance on the role of internal audit was a forerunner of the current
definition of internal auditing. It emphasized assisting management and the Board in achieving
the organization’s objectives through well-reasoned audits, evaluations, and analyses of
operational areas. He encouraged the modern internal auditor to act as a counselor to
management rather than as an adversary. Sawyer saw auditors as active players influencing
events in the business rather than criticizing all degrees of errors and mistakes. He also foresaw
a more desirable auditor future involving a stronger relationship with members of Audit
Committee and the Board and a divorce from direct reporting to the Chief Financial Officer.[21]
Sawyer often talked about “catching a manager doing something right” and providing recognition
and positive reinforcement. Writing about positive observations in audit reports was rarely done
until Sawyer started talking about the idea. He understood and forecast the benefits of providing
more balanced reporting while simultaneously building better relationships. Sawyer understood
the psychology of interpersonal dynamics and the need for all people to receive acknowledgment
and validation for relationships to prosper.[21]
Sawyer helped make internal auditing more relevant and more interesting through a sharp focus
on operational or performance auditing. He strongly encouraged looking beyond financial
statements and financial-related auditing into areas such as purchasing, warehousing and
distribution, human resources, information technology, facilities management, customer service,
field operations, and program management. This approach helped catapult the chief audit
executive into the role of a respected and knowledgeable adviser who was thought to be
reasonable, objective, and concerned about helping the organization achieve the stated goals.[21]