Performed by professionals with an in-depth understanding of the business culture, systems, and processes, the internal audit activity provides assurance that internal controls in place are adequate to mitigate the risks, governance processes are effective and efficient, and organizational goals and objectives are met.
The IIA has developed the globally accepted definition of internal auditing as follows:
Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Independence is established by the organizational and reporting structure. Objectivity is achieved by an appropriate mind-set. The internal audit activity evaluates risk exposures relating to the organization’s governance, operations and information systems, in relation to:
- Effectiveness and efficiency of operations.
- Reliability and integrity of financial and operational information.
- Safeguarding of assets.
- Compliance with laws, regulations, and contracts.
Based on the results of the risk assessment, the internal auditors evaluate the adequacy and effectiveness of how risks are identified and managed in the above areas. They also assess other aspects such as ethics and values within the organization, performance management, communication of risk and control information within the organization in order to facilitate a good governance process.
The internal auditors are expected to provide recommendations for improvement in those areas where opportunities or deficiencies are identified. While management is responsible for internal controls, the internal audit activity provides assurance to management and the audit committee that internal controls are effective and working as intended. The internal audit activity is led by the chief audit executive (CAE). The CAE delineates the scope of activities, authority, and independence for internal auditing in a written charter that is approved by the audit committee.
An effective internal audit activity is a valuable resource for management and the board or its equivalent, and the audit committee due to its understanding of the organization and its culture, operations, and risk profile. The objectivity, skills, and knowledge of competent internal auditors can significantly add value to an organization’s internal control, risk management, and governance processes. Similarly, an effective internal audit activity can provide assurance to other stakeholders such as regulators, employees, providers of finance, and shareholders.
As the primary body for the internal audit profession, The IIA maintains the International Standards for the Professional Practice of Internal Auditing (Standards) and the profession’s Code of Ethics. IIA members are required to adhere to the Standards and Code of Ethics.
A cornerstone of strong governance, internal auditing bridges the gap between management and the board, assesses the ethical climate and the effectiveness and efficiency of operations, and serves as an organization’s safety net for compliance with rules, regulations, and overall best business practices.
Management is responsible for establishing and maintaining a system of internal controls within an organization. Internal controls are those structures, activities, processes, and systems that help management effectively mitigate the risks to an organization’s achievement of objectives. Management is charged with this responsibility on behalf of the organization’s stakeholders and is held accountable for this responsibility by an oversight body (e.g. board of directors, audit committee, elected representatives).
Organizations that do not have an internal audit function are therefore missing out on the valuable benefits that professional internal auditors provide. In addition, they are also running the risk of relying on management who may not be in the best position to provide skilled, independent, and objective opinions on internal controls.
Some organizations assign internal auditing on a part-time basis to an existing staff member who has other responsibilities. When this occurs, the person does not have the professional internal audit training or experience necessary for optimal effectiveness. Such organizations run the risk of poorly performed audits and reviews, and this individual, who may be relatively junior in the organization, may lack the organizational status and stature to achieve positive results. In this environment, high-risk processes may not be identified for reviews and serious internal control deficiencies may be overlooked.
A primary lesson from the financial failure and collapse of numerous organizations is that good governance, risk management, and internal controls are essential to corporate success and longevity. Because of its unique and objective perspective, in-depth organizational knowledge, and application of sound audit and consulting principles, a well-functioning, fully resourced and independent internal audit activity is well positioned to provide valuable support and assurance to an organization and its oversight entities.
Whether an organization is required to have an internal audit activity or not depends on the respective regulatory requirements that govern the organization. In the United States, the New York Stock Exchange (NYSE) requires publicly traded companies to “maintain an internal audit function to provide management and the audit committee with ongoing assessments of the company’s risk management processes and system of internal controls.” This requirement was effective October 31, 2004. Stock exchanges throughout the world have their own norms governing such companies, and some have implemented requirements similar to those of the NYSE.
Although private companies — those not publicly listed — are not required to have internal auditing, many of them have established an internal audit activity as one of its core organizational governance elements.
A well functioning, adequately resourced internal audit activity that works collaboratively with management and the board is a key resource in identifying risks and recommending improvements to an organization’s governance, risk management, internal controls, and operations. The internal auditors’ unique perspective of independence and objectivity, knowledge of the organization, and understanding and application of sound consulting and audit principles make them ideal for this role.
Helpful IIA References: Guidance on “Internal Auditing’s Role in Section 302 and 404 of the US Sarbanes Oxley Act of 2002” “Establishing an Internal Audit Shop” “The Role of Internal Audit in Corporate Governance and Management”
Internal auditors support management’s efforts to establish a culture that embraces ethics, honesty, and integrity. They assist management with the evaluation of internal controls used to detect or mitigate fraud, evaluate the organization’s assessment of fraud risk, and are involved in any fraud investigations.
Although it is management’s responsibility to design internal controls to prevent, detect, and mitigate fraud, the internal auditors are the appropriate resource for assessing the effectiveness of what management has implemented. Therefore, depending on directives from management, the board, audit committee, or other governing body, the internal auditors might play a variety of consulting, assurance, collaborative, advisory, oversight, and investigative roles in an organization’s fraud management process.
Competent professional internal auditors are highly proficient in techniques used to evaluate internal controls. That proficiency, coupled with their understanding of the indicators of fraud, enables them to assess an organization’s fraud risks and advise management of the necessary steps to take when indicators are present.
Establishing a culture of integrity is a critical component of fraud control. Executive management must set the tone at the top and model the highest level of integrity. The internal auditors may advise management on methods to ensure integrity and may become involved in communicating or interpreting those methods. They also may help develop training related to integrity policies and fraud.
As a part of their assurance activities, internal auditors watch for potential fraud risks, assess the adequacy of related controls, and make recommendations for improvement. They also can help benchmark statistics related to the probability of occurrence and consequences of fraud.
Because the internal auditors are exposed to key processes throughout the organization and have open lines of communication with the executive board and staff, they are able to play an important role in fraud detection. In many organizations, the chief audit executive (CAE) is responsible for responding to issues raised on the ethics hotline or through another process that may lead to detection of fraud.
When developing their annual audit plan, the internal auditors consider the organization’s assessment of fraud risk, and periodically might make assessments of management’s fraud detection capabilities. They design tests that use audit techniques like data mining to ensure the controls in place are effective.
Internal audit skills relate to gathering evidence, analysing the breakdown in controls that could enable a fraud, and making recommendations for improvement. And reporting directly to the board or governing body provides the internal auditors with a level of independence and objectivity necessary for them to undertake investigations of a sensitive nature.
Although the internal auditors may either have a direct role in investigating fraud incidents, or act as a resource to those responsible, they generally are not expected to have the expertise of those whose primary responsibility is detecting and investigating fraud.
When the internal auditors have the primary responsibility for fraud they must have the key competencies for this work — typically obtained through specialized training and related experiences. They also may be certified as fraud or forensic investigators.
As part of The IIA’s International Professional Practices Framework (IPPF), the International Standards for the Professional Practice of Internal Auditing (Standards) outline the tenets of the internal audit profession. Other applicable guidance, pronouncements, and regulations also may have an impact on how internal auditing is performed; and may provide clarification and delineation of acceptable and recommended processes.
The IIA is the internal audit profession’s acknowledged leader, recognized authority, and principal educator. Although the practice of internal auditing is not regulated, The IIA provides comprehensive guidance for the profession through its International Professional Practices Framework (IPPF). The IPPF comprises the official definition of internal auditing, the International Standards for the Professional Practice of Internal Auditing (Standards), the Code of Ethics, Practice Advisories, Position Papersm and Practice Guides, developmental and practice aids. Conformance with the Standards and the Code of Ethics is mandatory for all members of The IIA and Certified Internal Auditors (CIAs). The IIA also provides guidance on assessing, maintaining, and improving quality within the internal audit activity.
Public sector auditors are required to comply with specific governmental guidelines. For example, in the U.S., government audits are performed in accordance with the General Accounting Office’s Government Auditing Standards (the Yellow Book); government auditors in the United Kingdom comply with the HM Treasury’s Government Internal Audit Standards; and in Canada, government auditors perform in accordance with the Office of the Auditor General’s Comprehensive Auditing Manual. In addition, many public sector audit groups are members of the International Organization of Supreme Audit Institutions (INTOSAI), and thus adhere to the auditing standards promulgated by INTOSAI.
Several professional organizations offer certification programs. The IIA s Certified Internal Auditor® (CIA®) is the only globally accepted certification for internal auditors and remains the standard by which individuals demonstrate their competence and professionalism in the internal audit field. The IIA also offers several specialty certification programs, including Certification in Control Self-Assessment® (CCSA®); Certified Government Auditing Professional® (CGAP®); and Certified Financial Services Auditor® (CFSA®). ISACA offers the Certified Information Systems Auditor (CISA) certification; the Association of Certified Fraud Examiners offers the Certified Fraud Examiner (CFE) certification; and the Board of Environmental, Health and Safety Auditor Certifications (BEAC) offer the Certified Professional Environmental Auditor (CPEA).
The IIA believes that:
The responsibility for establishing and overseeing the scope and performance of internal auditing cannot be outsourced.
Internal auditing is the responsibility of an organization’s board — or equivalent governing body — and senior management.
Internal auditing should be managed within the organization by a chief audit executive who is accountable to the organization’s board and chief executive officer.
If an internal audit activity is outsourced, the chief audit executive within the organization should be responsible for overseeing the service contract and the overall quality assurance of these activities, reporting to senior management and the board regarding internal audit activities, and following up on engagement results.
Internal auditors may be internal employees, external resources, or a combination thereof based on the specific needs of the organization.
Internal auditing should be performed by competent professionals in full compliance with the International Standards for the Professional Practice of Internal Auditing (Standards) and Code of Ethics.
Effective prioritization involves staying in sync with the organization’s risk priorities and taking a risk-based approach to internal audit planning. By continuously monitoring organizational changes that might alter the plan, the CAE should be well equipped and positioned to make informed and educated recommendations to management and the board on the most effective use of internal audit resources.
Given the potential size of the audit universe, the related scope of work, and the need for efficient use of limited internal audit resources, it is critical to prioritize and plan audit engagements based on an annual risk assessment that is viewed from the perspective of organizational goals and objectives.
Most models used by CAEs for prioritization of their audit work take into consideration such factors as financial impact, asset liquidity, management competence, quality of internal controls, degree of change or stability, time of last audit engagement, complexity, and strategic risks. In conducting audit engagements, methods and techniques for testing and validating exposures should consider the risk materiality and likelihood of occurrence.
Although the annual audit plan’s subject areas will vary as a result of the internal audit activity’s risk assessment and related drivers, it should always address two critical areas:
- Throughout the year, the CAE should perform a sufficient amount of audit work and gather enough information to form an educated judgment about the adequacy and effectiveness of the organization’s risk management and control processes.
- The internal audit activity should review the organization’s regulatory compliance programs.
Once a risk-based audit plan is developed, the CAE should communicate the internal audit activity’s plans, resource requirements, and related limitations to senior management and to the appropriate governing body for review and approval.
Changes in management direction, objectives, emphasis, and focus should be reflected by changes to the audit universe and related audit plan, which might require frequent (quarterly) updating. All significant changes should be submitted to the oversight entities for review and approval.
Ultimately, the audit plan should address and support the most effective use of internal audit resources. Aligning internal audit activities with the organization’s operational and strategic goals and objectives through a risk assessment will ensure efficient utilization of internal audit resources while providing management with valuable insights on risk management activities.
INDEPENDENCE: The audit charter should establish independence of the internal audit activity by the dual reporting relationship to management and the organization’s most senior oversight group. Specifically, the CAE should report to executive management for assistance in establishing direction, support, and administrative interface; and typically to the audit committee for strategic direction, reinforcement, and accountability. The internal auditors should have access to records and personnel as necessary, and be allowed to employ appropriate probing techniques without impediment.
OBJECTIVITY: To maintain objectivity, internal auditors should have no personal or professional involvement with or allegiance to the area being audited; and should maintain an un-biased and impartial mindset in regard to all engagements.
Independence and objectivity are two critical components of an effective internal audit activity.
“The internal auditor occupies a unique position. He or she is employed by the management but is also expected to review the conduct of management which can create significant tension since the internal auditor’s independence from management is necessary for the auditor to objectively assess the management’s action, but the internal auditor’s dependence on the management for employment is very clear.”
Therefore, the internal audit activity should have a mandate through a written audit charter that establishes its purpose, authority, and responsibility to support its independence and objectivity within an organization.
Internal auditors are independent when they render impartial and unbiased judgment in the conduct of their engagement. To ensure this independence, best practices suggest the CAE should report directly to the audit committee or its equivalent. For day-to-day administrative purposes, the CAE should report to the most senior executive (i.e., the chief executive officer [CEO]) of the organization. The CAE should have direct communication with the audit committee, which reinforces the organizational status of internal auditing, enables full support and unrestricted access to organizational resources, and ensures that there is no impairment to independence. This provides sufficient authority to ensure broad audit coverage, adequate consideration of engagement communications, and appropriate action on recommendations. Independence is further enhanced if the CAE reports to the board through its audit committee on the planning, execution, and results of audit activities. The audit committee is also responsible for the appointment, removal, and fixation of compensation of the CAE. The committee should safeguard the independence by approving the internal audit charter and mandate periodically.
Objectivity is a mental attitude that internal auditors should maintain while performing engagements. The internal auditor should have an impartial, unbiased attitude and avoid conflict-of-interest situations, as that would prejudice his/her ability to perform the duties objectively. The results of internal audit work should be reviewed before they are released in order to provide a reasonable assurance that the work has been performed objectively.
Internal auditors should not assume any operational responsibility. Objectivity can be presumed to be impaired when internal auditors perform an assurance review of any activity for which they had any authority or responsibility within the past year or a period significant enough to influence their judgment or opinion. Internal auditors should not accept gifts or favors from others such as employees, clients, or business associates.
The internal auditors should adopt a policy that endorses their commitment to abiding by the Code of Ethics, avoiding conflicts of interest, disclosing any activity that could result in a possible conflict of interest. Staff assignment of internal auditors should be rotated periodically whenever it is practicable.
The audit committee, or other appropriate independent oversight subset of the board of directors, the key oversight group of the internal auditors, is critical to ensuring the organization has strong and effective processes relating to independence, internal control, risk management, compliance, ethics, and financial disclosures.
An audit committee typically serves as the liaison among the board of directors, external auditors, internal auditors, and financial management. Generally, the audit committee’s purpose is to assist the board in overseeing the:
- Reliability of the entity’s financial statements and disclosures.
- Effectiveness of the entity’s internal control and risk management systems.
- Compliance with the entity’s code of business conduct, and legal and regulatory requirements.
- Independence, qualifications, and performance of the external auditors and the performance of the internal audit activity.
To foster and encourage this type of oversight, The IIA recommends that every public company have an audit committee organized as a standing subcommittee of the board of directors. This is also recommended for other types of organizations, including not-for-profit and governmental entities.
The role of the audit committee is expanding globally to include oversight of whistle-blowing mechanisms, enterprise risk management, related party transactions, and interaction with the entity’s legal function. It serves to improve the board’s oversight of company management by allowing for:
- Increased independence from company management, as members are normally required to be independent non-executive directors.
- Improved financial expertise and focus. Irrespective of legislative requirements, it is considered good practice for least one audit committee member to have financial management or accounting knowledge/expertise.
- Increased focus on defined critical tasks. Normally, an audit committee adopts a written charter to formalize its oversight responsibilities.
- Increased Independence. When only non-executive directors are appointed and audit committee independence is achieved, the financial reporting process, corporate governance, and internal control are all enhanced. An audit committee is normally granted the authority to conduct investigations within the scope of its responsibilities and to retain legal, accounting and other advisors. This status and authority plays an important role in resolving disagreements between management and the external auditors in regard to financial reporting and other issues.
- Audit committee independence benefits corporate governance and internal control. Internal audit independence is enhanced when the audit committee concurs on the appointment or removal of the CAE. Independence is further strengthened when the internal auditors directly report to the audit committee. This reporting relationship helps ensure the internal auditors have adequate recourse in cases of misconduct or fraud involving senior management, and also may improve their stature within the organization.
- Improved Financial Expertise. Making effective oversight decisions in the financial reporting, corporate governance, and control arena normally requires specialized expertise. As a result, the audit committee should comprise independent non-executive directors, at least one of whom has significant accounting or related financial management expertise. Having specialized skills in the areas of financial reporting, corporate governance, and internal control helps to ensure more effective management oversight, fosters financial statement accuracy and transparency, and places an appropriate focus on business risks and internal controls.
- Increased Focus on Critical Topics Defined in the Charter. An appropriate audit committee charter specifically defines important financial reviews, reporting relationships, and other matters. A charter helps ensure appropriate focus by defining the scope of the committee s responsibilities and how it carries out those responsibilities, including structure, processes, and membership requirements.
The audit committee of the board of directors and the internal auditors are interdependent and should be mutually accessible, with the internal auditors providing objective opinions, information, support, and education to the audit committee; and the audit committee providing validation and oversight to the internal auditors.
The IIA recognizes that audit committees and internal auditors have interlocking goals. A strong working relationship is essential for each to fulfill its responsibilities to senior management, the greater board of directors, shareholders, and other stakeholders. Appropriate reporting lines for the internal auditors are critical if they are to achieve their requisite independence, objectivity, and organizational stature needed to effectively assess the organization’s internal control, risk management, and governance processes. Best practice recommends that, to achieve necessary independence, the internal auditor should report directly to the audit committee or its equivalent.
Five activities are integral to an effective relationship between the audit committee and the internal auditors. The CAE should:
- Send to the audit committee periodic communications on risks faced by the organization. This should be consistent with what the CAE sends to senior management.
- Help the audit committee ensure that the committee’s charter, activities, and processes are appropriate.
- Ensure that internal auditing’s charter, role, and activities are clearly understood and responsive to the needs of the audit committee and the board.
- Maintain open and effective communications with the audit committee and the chair.
- Provide training, when appropriate, to the members of the audit committee on the topics of risk and internal control.
A direct channel of communication between the CAE and the audit committee is essential. This typically includes provisions for the CAE to have access to the audit committee chair and to attend audit committee meetings to present the audit plan, report on the results of major audits and key audit findings or other matters, and discuss internal auditing’s observations on risk and internal controls within the organization. The relationship can further be strengthened through explicitly allowing out-of-session communications between the CAE and the audit committee chairperson, particularly in the case of critical circumstances such as serious fraud and other material risk events.
The CAE and the audit committee should meet at regular frequencies without management and the external auditors present. These discussions should focus on assurance that internal auditing’s scope is not being limited, concerns the CAE might have about a member of senior management, any necessary administrative matters, and other items either party wishes to bring to the table.
The internal auditors provide to the audit committee objective assessment on the state of the organization’s risk, control, governance, and monitoring activities.
The internal auditors should regularly report to the audit committee significant risk exposures and control issues, corporate governance issues, and other requested information. Additionally, the internal auditors can act as an advisor and provide critical services that are integrated into each of the audit committee’s activities and processes. To accomplish this, a strong working relationship, mutual trust, and robust dialogue between the internal auditors and the audit committee is essential.
The internal auditors should provide the following to the audit committee on a regular basis:
- Independent, objective assurance and consulting activities related to assessing the effectiveness of the organization’s risk management, control, and governance processes. As a part of these services, the internal auditors should communicate significant engagement observations, information on fraud management, and recommendations to the board whether or not the issues have been satisfactorily resolved. When appropriate, the audit committee should meet privately with the CAE to discuss sensitive issues related to these assessments.
- Gathering of information, and/or arranging discussions with subject matter experts to address audit committee questions and information needs related to risk management, control, and governance processes. Additionally, the internal auditors should review related information submitted to the audit committee to help ensure completeness and accuracy.
- Confirmation on the adequacy of the audit staff and budget requirements, as well as the scope and result of internal audit activities. The intent of this review is to help ensure there are no budgetary or scope limitations impeding the ability of the internal audit activity to execute its responsibilities.
- Information on the coordination and oversight of other control and monitoring functions (e.g., risk management, compliance, security, business continuity, legal, ethics, environmental). This activity should help ensure that there is effective and efficient coordination of activities within the organization. The internal auditors also should coordinate its activities with the external auditors where appropriate and feasible.
- Information on emerging trends and successful practices in internal auditing.
Although they are independent of the activities they audit, internal auditors are integral to the organization and provide ongoing monitoring and assessment of all activities. On the contrary, external auditors are independent of the organization, and provide an annual opinion on the financial statements. The work of the internal and external auditors should be coordinated for optimal effectiveness and efficiency.
Internal and external auditors have mutual interests regarding the effectiveness of internal financial controls. Both professions adhere to codes of ethics and professional standards set by their respective professional associations. There are, however, major differences with regard to their relationships to the organization, and to their scope of work and objectives.
Internal auditors are part of the organization. Their objectives are determined by professional standards, the board, and management. Their primary clients are management and the board. External auditors are not part of the organization, but are engaged by it. Their objectives are set primarily by statute and their primary client — the board of directors.
The internal auditor’s scope of work is comprehensive. It serves the organization by helping it accomplish its objectives, and improving operations, risk management, internal controls, and governance processes. Concerned with all aspects of the organization — both financial and non-financial — the internal auditors focus on future events as a result of their continuous review and evaluation of controls and processes. They also are concerned with the prevention of fraud in any form.
The primary mission of external auditors is to provide an independent opinion on the organization’s financial statements, annually. Their approach is historical in nature, as they assess whether the statements conform with generally accepted accounting principles, whether they fairly present the financial position of the organization, whether the results of operations for a given period of time are accurately represented, and whether the financial statements have been materially affected.
The internal and external auditors should meet periodically to discuss common interests; benefit from their complementary skills, areas of expertise, and perspectives; gain understanding of each other’s scope of work and methods; discuss audit coverage and scheduling to minimize redundancies; provide access to reports, programs and working papers; and jointly assess areas of risk. In fulfilling its oversight responsibilities for assurance, the board should require coordination of internal and external audit work to increase economy, efficiency, and effectiveness of the overall audit process.