Internal audit
Encyclopedia
Internal auditing is an independent, objective assurance
and consulting
activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness
of risk management
, control
, and governance
processes. Internal auditing is a catalyst for improving an organization’s effectiveness and efficiency
by providing insight and recommendations based on analyses and assessments of data and business process
es. With commitment to integrity
and accountability
, internal auditing provides value to governing bodies
and senior management
as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity.
The scope of internal auditing within an organization is broad and may involve topics such as the efficacy of operations, the reliability of financial reporting, deterring and investigating fraud
, safeguarding assets, and compliance
with laws and regulations.
Internal auditing frequently involves measuring compliance with the entity's policies and procedures. However, internal auditors are not responsible for the execution of company activities; they advise
management and the Board of Directors
(or similar oversight
body) regarding how to better execute their responsibilities
. As a result of their broad scope of involvement, internal auditors may have a variety of higher educational and professional backgrounds.
Publicly-traded corporations typically have an internal auditing department, led by a Chief Audit Executive
("CAE") who generally reports to the Audit Committee
of the Board of Directors
, with administrative reporting to the Chief Executive Officer
.
The profession is unregulated, though there are a number of international standard setting bodies (IIA
, IAASB
, ISACA... Cf. paragraph standard setting below).
's definition. A similar definition has been developed by the accounting profession and adopted by the government auditors: the ISA
610 and the INTOSAI’s standard ("ISSAI") 1003 define the Internal audit function as "An appraisal activity established or provided as a service to the entity. Its functions include, amongst other things, examining, evaluating and monitoring the adequacy and effectiveness of internal control
."
ing by public accounting firms, quality assurance
and banking compliance activities. Much of the theory underlying internal auditing is derived from management consulting
and public accounting professions. With the implementation in the United States of the Sarbanes-Oxley Act
of 2002, the profession's growth accelerated, as many internal auditors possess the skills required to help companies meet the requirements of the law.
Associations and institutions related to some aspects of internal auditing:
, to enable unrestricted evaluation
of management activities and personnel. Although internal auditors are part of company management and paid by the company, the primary customer of internal audit
activity is the entity charged with oversight
of management's activities. This is typically the Audit Committee
, a sub-committee of the Board of Directors
. To provide independence, most Chief Audit Executive
s report to the Chairperson of the Audit Committee and can only be replaced with the concurrence of that individual.
♦ According to the Institute of Internal Auditors
, the Internal Auditor's obligation of Independence refers to:
Organizational independence is effectively achieved when the chief audit executive reports functionally to the board (IIA practice advisory 1110A1). The board is a governing body, such as the board of directors
, supervisory board, head of an agency or legislative body, board of governors or trustees of a nonprofit organization, or any other designated body of the organization, including the audit committee
to whom the chief audit executive
may functionally report (IIA Glossary).
♦ According to Mautz R.K. & Sharaf H.A, American Accounting Association, there are three main ways in which the auditor’s independence can manifest itself: Programming independence, Investigative independence, reporting independence. For more detail, see the wikipage Auditor independence
which deals with the independence of the external auditors.
♦ The European Union is strongly in favor of "Audit committees and an effective internal control system" (8th EU Company Law Directive on Statutory Audit). This 8th Directive states that "Each public-interest entity shall have an audit committee" which inter alia shall "monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems". The European Confederation of Institutes of Internal Auditing (ECIIA) and Federation of European Risk Management Associations (FERMA) also support the independence of Internal Auditing. Their guidance on the 8th EU Company Law Directive states “The head of internal audit reports periodically to the board or the audit committee and to senior management on the internal audit activity’s purpose, authority, responsibility and performance relative to its plan. The main reporting line is to the audit committee.”
♦ Regarding public institutions, the same principle of independence of internal audit applies; cf. INTOSAI’s standard GOV9140 "Internal auditor independence in the public sector” endorsed in 2010, article 9.32. “The CAE should report ... to those charged with governance for strategic direction, reinforcement, and accountability. Those charged with governance (e.g. the audit committee) should safeguard the independence by approving the internal audit charter and (where applicable) the mandate."
The independence of the Internal Audit is applied by most international institutions: for instance, the European Commission audit is accountable to the Audit Progress Committee; the IBRD Auditor General reports to the president and to the audit committee comprising eight of the 24 executive directors; The IMF’s internal audit is overseen by the External Audit Committee (three members, all external and with the “accounting and financial expertise required”); The OSCE’s Office of Internal Oversight reports to the Secretariat General and the Permanent Council...
. Under the COSO
Framework, internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following internal control categories:
Management is responsible for internal control. Managers establish policies and processes to help the organization achieve specific objectives in each of these categories. Internal auditors perform audits to evaluate whether the policies and processes are designed and operating effectively and provide recommendations for improvement.
In the United States
, internal auditors may assist management with compliance with the Sarbanes-Oxley Act
(SOX).
processes. Risk management relates to how an organization sets objectives, then identifies, analyzes, and responds to those risks that could potentially impact its ability to realize its objectives.
Under the COSO
enterprise risk management (ERM) Framework, risks fall under strategic, operational, financial reporting, and legal/regulatory categories. Management performs risk assessment activities as part of the ordinary course of business in each of these categories. Examples include: strategic planning, marketing planning, capital planning, budgeting, hedging, incentive payout structure, and credit/lending practices. Sarbanes-Oxley regulations also require extensive risk assessment of financial reporting processes. Corporate legal counsel often prepares comprehensive assessments of the current and potential litigation a company faces. Internal auditors may evaluate each of these activities, or focus on the processes used by management to report and monitor the risks identified. For example, internal auditors can advise management regarding the reporting of forward-looking operating measures to the Board, to help identify emerging risks.
In larger organizations, major strategic initiatives are implemented to achieve objectives and drive changes. As a member of senior management, the Chief Audit Executive (CAE) may participate in status updates on these major initiatives. This places the CAE in the position to report on many of the major risks the organization faces to the Audit Committee, or ensure management's reporting is effective for that purpose.
Internal auditors may help companies establish and maintain Enterprise Risk Management
processes. Internal auditors also play an important role in helping companies execute a SOX 404 top-down risk assessment
. In these latter two areas, internal auditors typically are part of the risk assessment team in an advisory role.
is generally informal, accomplished primarily through participation in meetings and discussions with members of the Board of Directors. Corporate governance is a combination of processes and organizational structures implemented by the Board of Directors to inform, direct, manage, and monitor the organization's resources, strategies and policies towards the achievement of the organizations objectives. The internal auditor is often considered one of the "four pillars" of corporate governance, the other pillars being the Board of Directors, management, and the external auditor.
A primary focus area of internal auditing as it relates to corporate governance is helping the Audit Committee of the Board of Directors (or equivalent) perform its responsibilities effectively. This may include reporting critical internal control problems, informing the Committee privately on the capabilities of key managers, suggesting questions or topics for the Audit Committee's meeting agendas, and coordinating carefully with the external auditor and management to ensure the Committee receives effective information.
of the organization, internal auditors, management and oversight Boards determine where to focus internal auditing efforts (the focus prioritization is part of the annual/multi-year audit planning; usually, the audit plan is proposed by the Chief Internal Audit (sometimes with several options or alternatives) to the approval of the Audit Committee or Board of Directors). Internal auditing activity is generally conducted as one or more discrete assignments. A typical internal audit assignment involves the following steps:
Audit assignment length varies based on the complexity of the activity being audited and Internal Audit resources available. Many of the above steps are iterative and may not all occur in the sequence indicated.
By analyzing and recommending business improvements in critical areas, auditors help the organization meet its objectives. In addition to assessing business processes, specialists called Information Technology (IT) Auditors review information technology controls.
The recommendations in an internal audit report are designed to help the organization achieve its goals, which may relate to operations, financial reporting or legal/regulatory compliance. They may relate to effectiveness (i.e., whether goals were met or compliance
with standards was achieved) or efficiency (i.e., whether the outputs were generated with minimum inputs).
Audit findings and recommendations also relate to particular assertions about transactions, such as whether the transactions audited were valid or authorized, completely processed, accurately valued, processed in the correct time period, and properly disclosed in financial or operational reporting, among other elements.
, updated at least annually. The input of senior management and the Board is typically included in this process. Many departments update their plan of engagements throughout the year as risks or organizational priorities change.
This effort helps ensure the audit activity is aligned with the organization’s objectives, by answering two key questions: First, what goals is the organization trying to accomplish in the upcoming period? Second, how can the Internal Audit Department assist the organization in achieving these goals?
Internal auditors often conduct a series of interviews of senior management to identify potential engagements. Changes in people, processes, or systems often generate audit project ideas. Various documents are reviewed, such as strategic plans, financial reports, consulting studies, etc. Further, the results of prior audits and resolution of open issues are considered. For example, automated programs such as NEMEA Compliance Center can collect responses, produce and write standardized compliance reports for an organization seeking or issuing compliance rules. Even if a business area is important, prior audit work and the nature and status of open issues may render further audit effort unnecessary. If the organization has a formal enterprise risk management (ERM) program, the risks identified therein help limit the amount of separate risk assessment performed by Internal Audit.
The preliminary plan of engagements is documented and prioritized. Audit resources and expertise are then considered and a final plan is presented to senior management and the Audit Committee. The presentations vary based on the needs of the stakeholders and may include the following:
approach. Internal audit functions are primarily evaluated based on the quality of counsel and information provided to the Audit Committee and top management. However, this is primarily qualitative and therefore difficult to measure. “Customer surveys” sent to key managers after each audit engagement or report can be used to measure performance, with an annual survey to the Audit Committee. Scoring on dimensions such as professionalism, quality of counsel, timeliness of work product, utility of meetings, and quality of status updates are typical with such surveys. Understanding the expectations of senior management and the audit committee represent important steps in developing a performance measurement process, as well as how such measures help align the audit function with organizational priorities.
Quantitative measures can also be used to measure the function’s level of execution and qualifications of its personnel. Key measures include:
Plan completion: This is a measure of the degree to which the annual plan of engagements is completed, measured at a point in time. This may be measured using the number of audit engagements completed, weighted by the planned size of each assignment, with estimates for audits in-progress. Measured throughout the year, it is compared against the percentage of the year elapsed.
Report issuance: This is a measure of the time elapsed from completion of testing to issuance of the final audit report, including management’s action plans. This can be measured in average days or percentage of reports issued within a certain standard, such as 30 days. Establishing expectations for the timing of management’s response to report recommendations is critical. In addition, the scope and degree of change involved in the report’s action plans are key variables. For example, a report for a single retail store requiring only the store manager’s action might take 3–5 days to issue. However, a report consolidating findings from 20 retail stores, with action plans with national implications determined by top management, may take 30–60 days in complex organizations.
Issue closure: Reported audit findings are often called “issues” or “deficiencies.” Professional standards require audit functions to track reported findings to resolution, which effectively requires the maintenance of an issues follow-up database. The number of days that reported issues remain open, or open after their agreed-upon closure date, are key measures. In addition, reporting database statistics such as the number of issues open (unresolved), closed (resolved), and issues opened/closed during a given period are useful statistics.
Staff qualifications: This can be measured through the percentage of staff with professional certifications, graduate degrees, and overall years of experience.
Staff utilization rate: This is measured as the percentage of time spent on audit engagements, as opposed to administrative time such as training or vacation. Many internal audit departments track time by audit engagement. This is typically captured in a database or spreadsheet.
Staffing level: The number of positions filled relative to the authorized staffing level. Due to the challenge of finding qualified staff, departments may have rotational programs to bring in management to complete tours in the function or be "guest" auditors. Audit departments also "co-source," meaning they obtain contract auditors from service providers.
(CAE) typically reports the most critical issues to the Audit Committee
quarterly, along with management's progress towards resolving them. Critical issues typically have a reasonable likelihood of causing substantial financial or reputational damage to the company. For particularly complex issues, the responsible manager may participate in the discussion. Such reporting is critical to ensure the function is respected, that the proper "tone at the top" exists in the organization, and to expedite resolution of such issues. It is a matter of considerable judgment to select appropriate issues for the Audit Committee's attention and to describe them in the proper context.
Assurance services
Assurance service is an independent professional service, typically provided by CPAs, with the goal of improving the information or the context of the information so that decision makers can make more informed, and presumably better decisions...
and consulting
Consultant
A consultant is a professional who provides professional or expert advice in a particular area such as management, accountancy, the environment, entertainment, technology, law , human resources, marketing, emergency management, food production, medicine, finance, life management, economics, public...
activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness
Effectiveness
Effectiveness is the capability of producing a desired result. When something is deemed effective, it means it has an intended or expected outcome, or produces a deep, vivid impression.-Etymology:...
of risk management
Enterprise Risk Management
Enterprise risk management in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives...
, control
Internal control
In accounting and auditing, internal control is defined as a process effected by an organization's structure, work and authority flows, people and management information systems, designed to help the organization accomplish specific goals or objectives. It is a means by which an organization's...
, and governance
Corporate governance
Corporate governance is a number of processes, customs, policies, laws, and institutions which have impact on the way a company is controlled...
processes. Internal auditing is a catalyst for improving an organization’s effectiveness and efficiency
Efficiency
Efficiency in general describes the extent to which time or effort is well used for the intended task or purpose. It is often used with the specific purpose of relaying the capability of a specific application of effort to produce a specific outcome effectively with a minimum amount or quantity of...
by providing insight and recommendations based on analyses and assessments of data and business process
Business process
A business process or business method is a collection of related, structured activities or tasks that produce a specific service or product for a particular customer or customers...
es. With commitment to integrity
Integrity
Integrity is a concept of consistency of actions, values, methods, measures, principles, expectations, and outcomes. In ethics, integrity is regarded as the honesty and truthfulness or accuracy of one's actions...
and accountability
Accountability
Accountability is a concept in ethics and governance with several meanings. It is often used synonymously with such concepts as responsibility, answerability, blameworthiness, liability, and other terms associated with the expectation of account-giving...
, internal auditing provides value to governing bodies
Board of directors
A board of directors is a body of elected or appointed members who jointly oversee the activities of a company or organization. Other names include board of governors, board of managers, board of regents, board of trustees, and board of visitors...
and senior management
Senior management
Senior management, executive management, or management team is generally a team of individuals at the highest level of organizational management who have the day-to-day responsibilities of managing a company or corporation, they hold specific executive powers conferred onto them with and by...
as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity.
The scope of internal auditing within an organization is broad and may involve topics such as the efficacy of operations, the reliability of financial reporting, deterring and investigating fraud
Fraud
In criminal law, a fraud is an intentional deception made for personal gain or to damage another individual; the related adjective is fraudulent. The specific legal definition varies by legal jurisdiction. Fraud is a crime, and also a civil law violation...
, safeguarding assets, and compliance
Regulatory compliance
In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that corporations or public agencies aspire to in their efforts to ensure that personnel are aware of and take steps to comply with relevant laws and...
with laws and regulations.
Internal auditing frequently involves measuring compliance with the entity's policies and procedures. However, internal auditors are not responsible for the execution of company activities; they advise
ADVISE
ADVISE is a research and development program within the United States Department of Homeland Security Threat and Vulnerability Testing and Assessment portfolio...
management and the Board of Directors
Board of directors
A board of directors is a body of elected or appointed members who jointly oversee the activities of a company or organization. Other names include board of governors, board of managers, board of regents, board of trustees, and board of visitors...
(or similar oversight
Regulation
Regulation is administrative legislation that constitutes or constrains rights and allocates responsibilities. It can be distinguished from primary legislation on the one hand and judge-made law on the other...
body) regarding how to better execute their responsibilities
Professional responsibility
Professional responsibility is the area of legal practice that encompasses the duties of attorneys to act in a professional manner, obey the law, avoid conflicts of interest, and put the interests of clients ahead of their own interests....
. As a result of their broad scope of involvement, internal auditors may have a variety of higher educational and professional backgrounds.
Publicly-traded corporations typically have an internal auditing department, led by a Chief Audit Executive
Chief Audit Executive
The Chief Audit Executive , Director of Audit, Director of Internal Audit, Auditor General, or Controller General is a high level independent corporate executive with overall responsibility for the Internal audit....
("CAE") who generally reports to the Audit Committee
Audit committee
In a U.S. publicly-traded company, an audit committee is an operating committee of the Board of Directors charged with oversight of financial reporting and disclosure. Committee members are drawn from members of the company's board of directors, with a Chairperson selected from among the committee...
of the Board of Directors
Board of directors
A board of directors is a body of elected or appointed members who jointly oversee the activities of a company or organization. Other names include board of governors, board of managers, board of regents, board of trustees, and board of visitors...
, with administrative reporting to the Chief Executive Officer
Chief executive officer
A chief executive officer , managing director , Executive Director for non-profit organizations, or chief executive is the highest-ranking corporate officer or administrator in charge of total management of an organization...
.
The profession is unregulated, though there are a number of international standard setting bodies (IIA
Institute of Internal Auditors
Established in 1941, The Institute of Internal Auditors is a guidance-setting body. Serving members in 165 countries, The IIA is the internal audit profession's global voice, chief advocate, recognized authority, and principal educator, with global headquarters in Altamonte Springs, Fla., United...
, IAASB
International Auditing and Assurance Standards Board
The International Auditing and Assurance Standards Board is the independent standard setting body which issue auditing, review, other assurance related services and quality control standards to be applied by the global auditing profession...
, ISACA... Cf. paragraph standard setting below).
Other definitions
The definition above (first sentence of this page) is in essence the IIAInstitute of Internal Auditors
Established in 1941, The Institute of Internal Auditors is a guidance-setting body. Serving members in 165 countries, The IIA is the internal audit profession's global voice, chief advocate, recognized authority, and principal educator, with global headquarters in Altamonte Springs, Fla., United...
's definition. A similar definition has been developed by the accounting profession and adopted by the government auditors: the ISA
International Standards on Auditing
International Standards on Auditing are professional standards for the performance of financial audit of financial information. These standards are issued by International Federation of Accountants through the International Auditing and Assurance Standards Board .-Respective responsibilities:*ISA...
610 and the INTOSAI’s standard ("ISSAI") 1003 define the Internal audit function as "An appraisal activity established or provided as a service to the entity. Its functions include, amongst other things, examining, evaluating and monitoring the adequacy and effectiveness of internal control
Internal control
In accounting and auditing, internal control is defined as a process effected by an organization's structure, work and authority flows, people and management information systems, designed to help the organization accomplish specific goals or objectives. It is a means by which an organization's...
."
History of internal auditing
The Internal Auditing profession evolved steadily with the progress of management science after World War II. It is conceptually similar in many ways to financial auditFinancial audit
A financial audit, or more accurately, an audit of financial statements, is the verification of the financial statements of a legal entity, with a view to express an audit opinion...
ing by public accounting firms, quality assurance
Quality Assurance
Quality assurance, or QA for short, is the systematic monitoring and evaluation of the various aspects of a project, service or facility to maximize the probability that minimum standards of quality are being attained by the production process...
and banking compliance activities. Much of the theory underlying internal auditing is derived from management consulting
Management consulting
Management consulting indicates both the industry and practice of helping organizations improve their performance primarily through the analysis of existing organizational problems and development of plans for improvement....
and public accounting professions. With the implementation in the United States of the Sarbanes-Oxley Act
Sarbanes-Oxley Act
The Sarbanes–Oxley Act of 2002 , also known as the 'Public Company Accounting Reform and Investor Protection Act' and 'Corporate and Auditing Accountability and Responsibility Act' and commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law enacted on July 30, 2002, which...
of 2002, the profession's growth accelerated, as many internal auditors possess the skills required to help companies meet the requirements of the law.
Standard setting bodies and/or auditors' associations
The profession is unregulated, though there are a number of international and national standard setting bodies. And in addition to institutes/boards that work on internal auditing in the large sense, there are specialized bodies which target a particular type of internal auditing.International standard setting bodies and/or auditors' associations
- The Institute of Internal AuditorsInstitute of Internal AuditorsEstablished in 1941, The Institute of Internal Auditors is a guidance-setting body. Serving members in 165 countries, The IIA is the internal audit profession's global voice, chief advocate, recognized authority, and principal educator, with global headquarters in Altamonte Springs, Fla., United...
("IIA") has established Standards for the Professional Practice of Internal Auditing and has over 150,000 members representing 165 countries, including approximately 65,000 Certified Internal Auditors. - The IFACInternational Federation of AccountantsInternational Federation of Accountants is the global organization for the accountancy profession. IFAC has 164 member and associates in 124 countries and jurisdictions, representing more than 2.5 million accountants employed in public practice, industry and commerce, government, and academe...
's IAASBInternational Auditing and Assurance Standards BoardThe International Auditing and Assurance Standards Board is the independent standard setting body which issue auditing, review, other assurance related services and quality control standards to be applied by the global auditing profession...
is the independent standard setting body which issue external auditing, review, other assurance related services and quality controlQuality controlQuality control, or QC for short, is a process by which entities review the quality of all factors involved in production. This approach places an emphasis on three aspects:...
standards to be applied by the global external auditing profession. Some standards target the internal auditing practices, cf. the International Standards on AuditingInternational Standards on AuditingInternational Standards on Auditing are professional standards for the performance of financial audit of financial information. These standards are issued by International Federation of Accountants through the International Auditing and Assurance Standards Board .-Respective responsibilities:*ISA...
40X and 610. - The IRCA International Register of Certificated AuditorsInternational Register of Certificated AuditorsThe International Register of Certificated Auditors was formed in London in 1984 as part of the British government's enterprise initiative, designed to make industry and business more competitive through the implementation of quality principles and practices...
, formed in 1984, is a division of the Chartered Quality Institute. Based in the UK it claims 14,750 members in 150 countries.
National/Local internal audit bodies
The associations/institutes below are affiliated with the IIA (non exhaustive list):- European Confederation of Institutes of Internal Auditing (ECIIA)
- UK and Ireland: the internal audit profession is represented by the Chartered Institute of Internal AuditorsChartered Institute of Internal AuditorsThe Chartered Institute of Internal Auditors is the United Kingdom and Republic of Ireland chapter of the Institute of Internal Auditors and is a member of the . It was founded in 1948 and is the only professional UK body dedicated to internal auditing in the UK and representing its 8,000 members...
. - France: IFACI
- Germany: DIIR
Specialized audit associations and other institutions
- IS auditing: ISACA
- Anti-fraudFraudIn criminal law, a fraud is an intentional deception made for personal gain or to damage another individual; the related adjective is fraudulent. The specific legal definition varies by legal jurisdiction. Fraud is a crime, and also a civil law violation...
auditing: ACFE - Environmental auditing: INTOSAIInternational Organization of Supreme Audit InstitutionsThe International Organization of Supreme Audit Institutions is a worldwide affiliation of governmental entities. Its members are the Chief Financial Controller/Comptroller General Offices of nations.INTOSAI was founded in 1953 in Havana, Cuba...
's Working Group on Environmental Auditing (WGEA); Environmental Auditors Registration Association, Regional Institute of Environmental Technology (According to their website, EARA is the leading UK membership organisation dedicated to the promotion of the goal of sustainable development.); The Institute of Environmental Management And Assessment in UK, now maintains the Environmental Auditors Register of the erstwhile EARA... etc.
Associations and institutions related to some aspects of internal auditing:
- Risk ManagementRisk managementRisk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities...
: Federation of European Risk Management Associations (FERMA), etc. - Quality auditQuality auditQuality audit is the process of systematic examination of a quality system carried out by an internal or external quality auditor or an audit team...
ing: Cf. International Organization for StandardizationInternational Organization for StandardizationThe International Organization for Standardization , widely known as ISO, is an international standard-setting body composed of representatives from various national standards organizations. Founded on February 23, 1947, the organization promulgates worldwide proprietary, industrial and commercial...
and its related national standards organizations.
Internal Audit qualifications
- IIAInstitute of Internal AuditorsEstablished in 1941, The Institute of Internal Auditors is a guidance-setting body. Serving members in 165 countries, The IIA is the internal audit profession's global voice, chief advocate, recognized authority, and principal educator, with global headquarters in Altamonte Springs, Fla., United...
: Certified Internal Auditor (CIA); Certification in Control Self-Assessment (CCSA); Certified Government Auditing Professional (CGAP) for Government performance auditingGovernment performance auditingGovernment performance auditing was developed in the late 1960s and shepherded by the United States Government Accountability Office, . Government performance auditing has since spread to most state governments and many closely managed local governments...
and Government Auditors; Certified Financial Services Auditor (CFSA). - ISACA: Certified Information Systems Auditor (CISA); Certified in the Governance of Enterprise IT (CGEIT); Certified in Risk and Information Systems Control.
- CIIA Chartered Institute of Internal Auditors: IACert, PIIA, CMIIA...
Organizational independence
To perform their role effectively, internal auditors require organizational independence from managementManagement
Management in all business and organizational activities is the act of getting people together to accomplish desired goals and objectives using available resources efficiently and effectively...
, to enable unrestricted evaluation
Evaluation
Evaluation is systematic determination of merit, worth, and significance of something or someone using criteria against a set of standards.Evaluation often is used to characterize and appraise subjects of interest in a wide range of human enterprises, including the arts, criminal justice,...
of management activities and personnel. Although internal auditors are part of company management and paid by the company, the primary customer of internal audit
Audit
The general definition of an audit is an evaluation of a person, organization, system, process, enterprise, project or product. The term most commonly refers to audits in accounting, but similar concepts also exist in project management, quality management, and energy conservation.- Accounting...
activity is the entity charged with oversight
Regulation
Regulation is administrative legislation that constitutes or constrains rights and allocates responsibilities. It can be distinguished from primary legislation on the one hand and judge-made law on the other...
of management's activities. This is typically the Audit Committee
Audit committee
In a U.S. publicly-traded company, an audit committee is an operating committee of the Board of Directors charged with oversight of financial reporting and disclosure. Committee members are drawn from members of the company's board of directors, with a Chairperson selected from among the committee...
, a sub-committee of the Board of Directors
Board of directors
A board of directors is a body of elected or appointed members who jointly oversee the activities of a company or organization. Other names include board of governors, board of managers, board of regents, board of trustees, and board of visitors...
. To provide independence, most Chief Audit Executive
Chief Audit Executive
The Chief Audit Executive , Director of Audit, Director of Internal Audit, Auditor General, or Controller General is a high level independent corporate executive with overall responsibility for the Internal audit....
s report to the Chairperson of the Audit Committee and can only be replaced with the concurrence of that individual.
♦ According to the Institute of Internal Auditors
Institute of Internal Auditors
Established in 1941, The Institute of Internal Auditors is a guidance-setting body. Serving members in 165 countries, The IIA is the internal audit profession's global voice, chief advocate, recognized authority, and principal educator, with global headquarters in Altamonte Springs, Fla., United...
, the Internal Auditor's obligation of Independence refers to:
- 1) The reporting line or status of the CAE The Chief Audit ExecutiveChief Audit ExecutiveThe Chief Audit Executive , Director of Audit, Director of Internal Audit, Auditor General, or Controller General is a high level independent corporate executive with overall responsibility for the Internal audit....
must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity (IIA standard 1110).
Organizational independence is effectively achieved when the chief audit executive reports functionally to the board (IIA practice advisory 1110A1). The board is a governing body, such as the board of directors
Board of directors
A board of directors is a body of elected or appointed members who jointly oversee the activities of a company or organization. Other names include board of governors, board of managers, board of regents, board of trustees, and board of visitors...
, supervisory board, head of an agency or legislative body, board of governors or trustees of a nonprofit organization, or any other designated body of the organization, including the audit committee
Audit committee
In a U.S. publicly-traded company, an audit committee is an operating committee of the Board of Directors charged with oversight of financial reporting and disclosure. Committee members are drawn from members of the company's board of directors, with a Chairperson selected from among the committee...
to whom the chief audit executive
Chief Audit Executive
The Chief Audit Executive , Director of Audit, Director of Internal Audit, Auditor General, or Controller General is a high level independent corporate executive with overall responsibility for the Internal audit....
may functionally report (IIA Glossary).
- 2) Attitude of auditors, procedures of the internal audit department. The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results (IIA practice advisory 1110A1).
- 3) Communication right. The chief audit executive must communicate and interact directly with the Board of Directors (IIA standard 1111).
♦ According to Mautz R.K. & Sharaf H.A, American Accounting Association, there are three main ways in which the auditor’s independence can manifest itself: Programming independence, Investigative independence, reporting independence. For more detail, see the wikipage Auditor independence
Auditor independence
Auditor independence refers to the independence of the internal auditor or of the external auditor from parties that may have a financial interest in the business being audited.Independence requires integrity and an objective approach to the audit process...
which deals with the independence of the external auditors.
♦ The European Union is strongly in favor of "Audit committees and an effective internal control system" (8th EU Company Law Directive on Statutory Audit). This 8th Directive states that "Each public-interest entity shall have an audit committee" which inter alia shall "monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems". The European Confederation of Institutes of Internal Auditing (ECIIA) and Federation of European Risk Management Associations (FERMA) also support the independence of Internal Auditing. Their guidance on the 8th EU Company Law Directive states “The head of internal audit reports periodically to the board or the audit committee and to senior management on the internal audit activity’s purpose, authority, responsibility and performance relative to its plan. The main reporting line is to the audit committee.”
♦ Regarding public institutions, the same principle of independence of internal audit applies; cf. INTOSAI’s standard GOV9140 "Internal auditor independence in the public sector” endorsed in 2010, article 9.32. “The CAE should report ... to those charged with governance for strategic direction, reinforcement, and accountability. Those charged with governance (e.g. the audit committee) should safeguard the independence by approving the internal audit charter and (where applicable) the mandate."
The independence of the Internal Audit is applied by most international institutions: for instance, the European Commission audit is accountable to the Audit Progress Committee; the IBRD Auditor General reports to the president and to the audit committee comprising eight of the 24 executive directors; The IMF’s internal audit is overseen by the External Audit Committee (three members, all external and with the “accounting and financial expertise required”); The OSCE’s Office of Internal Oversight reports to the Secretariat General and the Permanent Council...
Role in internal control
Internal auditing activity is primarily directed at improving internal controlInternal control
In accounting and auditing, internal control is defined as a process effected by an organization's structure, work and authority flows, people and management information systems, designed to help the organization accomplish specific goals or objectives. It is a means by which an organization's...
. Under the COSO
Committee of Sponsoring Organizations of the Treadway Commission
The Committee of Sponsoring Organizations of the Treadway Commission is a voluntary private-sector organization, established in the United States, dedicated to providing guidance to executive management and governance entities on critical aspects of organizational governance, business ethics,...
Framework, internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following internal control categories:
- Effectiveness and efficiency of operations.
- Reliability of financial reporting.
- Compliance with laws and regulations.
Management is responsible for internal control. Managers establish policies and processes to help the organization achieve specific objectives in each of these categories. Internal auditors perform audits to evaluate whether the policies and processes are designed and operating effectively and provide recommendations for improvement.
In the United States
United States
The United States of America is a federal constitutional republic comprising fifty states and a federal district...
, internal auditors may assist management with compliance with the Sarbanes-Oxley Act
Sarbanes-Oxley Act
The Sarbanes–Oxley Act of 2002 , also known as the 'Public Company Accounting Reform and Investor Protection Act' and 'Corporate and Auditing Accountability and Responsibility Act' and commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law enacted on July 30, 2002, which...
(SOX).
Role in risk management
Internal auditing professional standards require the function to monitor and evaluate the effectiveness of the organization's Risk managementRisk management
Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities...
processes. Risk management relates to how an organization sets objectives, then identifies, analyzes, and responds to those risks that could potentially impact its ability to realize its objectives.
Under the COSO
Committee of Sponsoring Organizations of the Treadway Commission
The Committee of Sponsoring Organizations of the Treadway Commission is a voluntary private-sector organization, established in the United States, dedicated to providing guidance to executive management and governance entities on critical aspects of organizational governance, business ethics,...
enterprise risk management (ERM) Framework, risks fall under strategic, operational, financial reporting, and legal/regulatory categories. Management performs risk assessment activities as part of the ordinary course of business in each of these categories. Examples include: strategic planning, marketing planning, capital planning, budgeting, hedging, incentive payout structure, and credit/lending practices. Sarbanes-Oxley regulations also require extensive risk assessment of financial reporting processes. Corporate legal counsel often prepares comprehensive assessments of the current and potential litigation a company faces. Internal auditors may evaluate each of these activities, or focus on the processes used by management to report and monitor the risks identified. For example, internal auditors can advise management regarding the reporting of forward-looking operating measures to the Board, to help identify emerging risks.
In larger organizations, major strategic initiatives are implemented to achieve objectives and drive changes. As a member of senior management, the Chief Audit Executive (CAE) may participate in status updates on these major initiatives. This places the CAE in the position to report on many of the major risks the organization faces to the Audit Committee, or ensure management's reporting is effective for that purpose.
Internal auditors may help companies establish and maintain Enterprise Risk Management
Enterprise Risk Management
Enterprise risk management in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives...
processes. Internal auditors also play an important role in helping companies execute a SOX 404 top-down risk assessment
SOX 404 top-down risk assessment
In financial auditing of public companies in the United States, SOX 404 top-down risk assessment is a financial risk assessment performed to comply with Section 404 of the Sarbanes-Oxley Act of 2002 . The term is used by the U.S. Public Company Accounting Oversight Board and the Securities and...
. In these latter two areas, internal auditors typically are part of the risk assessment team in an advisory role.
Role in corporate governance
Internal auditing activity as it relates to corporate governanceCorporate governance
Corporate governance is a number of processes, customs, policies, laws, and institutions which have impact on the way a company is controlled...
is generally informal, accomplished primarily through participation in meetings and discussions with members of the Board of Directors. Corporate governance is a combination of processes and organizational structures implemented by the Board of Directors to inform, direct, manage, and monitor the organization's resources, strategies and policies towards the achievement of the organizations objectives. The internal auditor is often considered one of the "four pillars" of corporate governance, the other pillars being the Board of Directors, management, and the external auditor.
A primary focus area of internal auditing as it relates to corporate governance is helping the Audit Committee of the Board of Directors (or equivalent) perform its responsibilities effectively. This may include reporting critical internal control problems, informing the Committee privately on the capabilities of key managers, suggesting questions or topics for the Audit Committee's meeting agendas, and coordinating carefully with the external auditor and management to ensure the Committee receives effective information.
Nature of the internal audit activity
Based on a risk assessmentRisk assessment
Risk assessment is a step in a risk management procedure. Risk assessment is the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat...
of the organization, internal auditors, management and oversight Boards determine where to focus internal auditing efforts (the focus prioritization is part of the annual/multi-year audit planning; usually, the audit plan is proposed by the Chief Internal Audit (sometimes with several options or alternatives) to the approval of the Audit Committee or Board of Directors). Internal auditing activity is generally conducted as one or more discrete assignments. A typical internal audit assignment involves the following steps:
- Establish and communicate the scope and objectives for the audit to appropriate management.
- Develop an understanding of the business area under review. This includes objectives, measurements, and key transaction types. This involves review of documents and interviews. Flowcharts and narratives may be created if necessary.
- Describe the key risks facing the business activities within the scope of the audit.
- Identify control procedures used to ensure each key risk and transaction type is properly controlled and monitored.
- Develop and execute a risk-based sampling and testing approach to determine whether the most important controls are operating as intended.
- Report problems identified and negotiate action plans with management to address the problems.
- Follow-up on reported findings at appropriate intervals. Internal audit departments maintain a follow-up database for this purpose.
Audit assignment length varies based on the complexity of the activity being audited and Internal Audit resources available. Many of the above steps are iterative and may not all occur in the sequence indicated.
By analyzing and recommending business improvements in critical areas, auditors help the organization meet its objectives. In addition to assessing business processes, specialists called Information Technology (IT) Auditors review information technology controls.
Information technology controls
In business and accounting, Information technology controls are specific activities performed by persons or systems designed to ensure that business objectives are met. They are a subset of an enterprise's internal control...
Internal audit reports
Internal auditors typically issue reports at the end of each audit that summarize their findings, recommendations, and any responses or action plans from management. An audit report may have an executive summary; a body that includes the specific issues or findings identified and related recommendations or action plans; and appendix information such as detailed graphs and charts or process information. Each audit finding within the body of the report may contain five elements, sometimes called the "5 C's":- Condition: What is the particular problem identified?
- Criteria: What is the standard that was not met? The standard may be a company policy or other benchmark.
- Cause: Why did the problem occur?
- Consequence: What is the risk/negative outcome (or opportunity foregone) because of the finding?
- Corrective action: What should management do about the finding? What have they agreed to do and by when?
The recommendations in an internal audit report are designed to help the organization achieve its goals, which may relate to operations, financial reporting or legal/regulatory compliance. They may relate to effectiveness (i.e., whether goals were met or compliance
Regulatory compliance
In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that corporations or public agencies aspire to in their efforts to ensure that personnel are aware of and take steps to comply with relevant laws and...
with standards was achieved) or efficiency (i.e., whether the outputs were generated with minimum inputs).
Audit findings and recommendations also relate to particular assertions about transactions, such as whether the transactions audited were valid or authorized, completely processed, accurately valued, processed in the correct time period, and properly disclosed in financial or operational reporting, among other elements.
Developing the plan of engagements
Internal auditing standards require the development of a plan of audit engagements (assignments) based on a risk assessmentRisk assessment
Risk assessment is a step in a risk management procedure. Risk assessment is the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat...
, updated at least annually. The input of senior management and the Board is typically included in this process. Many departments update their plan of engagements throughout the year as risks or organizational priorities change.
This effort helps ensure the audit activity is aligned with the organization’s objectives, by answering two key questions: First, what goals is the organization trying to accomplish in the upcoming period? Second, how can the Internal Audit Department assist the organization in achieving these goals?
Internal auditors often conduct a series of interviews of senior management to identify potential engagements. Changes in people, processes, or systems often generate audit project ideas. Various documents are reviewed, such as strategic plans, financial reports, consulting studies, etc. Further, the results of prior audits and resolution of open issues are considered. For example, automated programs such as NEMEA Compliance Center can collect responses, produce and write standardized compliance reports for an organization seeking or issuing compliance rules. Even if a business area is important, prior audit work and the nature and status of open issues may render further audit effort unnecessary. If the organization has a formal enterprise risk management (ERM) program, the risks identified therein help limit the amount of separate risk assessment performed by Internal Audit.
The preliminary plan of engagements is documented and prioritized. Audit resources and expertise are then considered and a final plan is presented to senior management and the Audit Committee. The presentations vary based on the needs of the stakeholders and may include the following:
- Summary of key goals, risks and corresponding major audits, to illustrate alignment;
- Analyses of audit effort along a variety of dimensions (e.g., by business segment, COSO objective category, IT, Sarbanes-Oxley, vs. prior year, etc.) along with commentary regarding changes;
- Brief description of critical potential audit engagements identified;
- Audit engagements requested but not planned for execution due to prioritization and resources;
- Required co-sourcing effort, typically where outside expertise is required or during peak periods;
- Coordination with other risk functions, such as legal, compliance or insurance, to ensure coverage of key organizational risks;
- Update on audit staffing levels, experience and certification; and
- Appendix materials, such as planning approach, assumptions (e.g., days per auditor and staffing level) and brief descriptions of all planned audits and related prioritization.
Measuring the internal audit function
The measurement of the internal audit function can involve a balanced scorecardBalanced scorecard
The Balanced Scorecard is a strategic performance management tool - a semi-standard structured report, supported by proven design methods and automation tools, that can be used by managers to keep track of the execution of activities by the staff within their control and to monitor the...
approach. Internal audit functions are primarily evaluated based on the quality of counsel and information provided to the Audit Committee and top management. However, this is primarily qualitative and therefore difficult to measure. “Customer surveys” sent to key managers after each audit engagement or report can be used to measure performance, with an annual survey to the Audit Committee. Scoring on dimensions such as professionalism, quality of counsel, timeliness of work product, utility of meetings, and quality of status updates are typical with such surveys. Understanding the expectations of senior management and the audit committee represent important steps in developing a performance measurement process, as well as how such measures help align the audit function with organizational priorities.
Quantitative measures can also be used to measure the function’s level of execution and qualifications of its personnel. Key measures include:
Plan completion: This is a measure of the degree to which the annual plan of engagements is completed, measured at a point in time. This may be measured using the number of audit engagements completed, weighted by the planned size of each assignment, with estimates for audits in-progress. Measured throughout the year, it is compared against the percentage of the year elapsed.
Report issuance: This is a measure of the time elapsed from completion of testing to issuance of the final audit report, including management’s action plans. This can be measured in average days or percentage of reports issued within a certain standard, such as 30 days. Establishing expectations for the timing of management’s response to report recommendations is critical. In addition, the scope and degree of change involved in the report’s action plans are key variables. For example, a report for a single retail store requiring only the store manager’s action might take 3–5 days to issue. However, a report consolidating findings from 20 retail stores, with action plans with national implications determined by top management, may take 30–60 days in complex organizations.
Issue closure: Reported audit findings are often called “issues” or “deficiencies.” Professional standards require audit functions to track reported findings to resolution, which effectively requires the maintenance of an issues follow-up database. The number of days that reported issues remain open, or open after their agreed-upon closure date, are key measures. In addition, reporting database statistics such as the number of issues open (unresolved), closed (resolved), and issues opened/closed during a given period are useful statistics.
Staff qualifications: This can be measured through the percentage of staff with professional certifications, graduate degrees, and overall years of experience.
Staff utilization rate: This is measured as the percentage of time spent on audit engagements, as opposed to administrative time such as training or vacation. Many internal audit departments track time by audit engagement. This is typically captured in a database or spreadsheet.
Staffing level: The number of positions filled relative to the authorized staffing level. Due to the challenge of finding qualified staff, departments may have rotational programs to bring in management to complete tours in the function or be "guest" auditors. Audit departments also "co-source," meaning they obtain contract auditors from service providers.
Developing and retaining staff
Developing and retaining quality professionals is a key concern in the profession. Key methods for developing and retaining internal audit staff personnel include:- Providing challenging, varied assignments
- Ensuring quality supervision
- Ensuring staff participates in audit engagements from start to finish, to learn all phases of the audit process
- Providing opportunities to lead (in-charge) assignments, starting with more structured engagements such as Sarbanes-Oxley work
- Participating on departmental improvement task forces, such as preparation for quality assurance review
- Participating in the recruiting and interviewing process for new hires
- Rotating through various audit teams (in larger departments) or audits of various businesses
- Providing both outside training (e.g., seminars) and in-house training (e.g., company systems) for two weeks/year
- Participation in annual risk assessment activities, whether asking key questions or just taking notes
Reporting of critical findings
The Chief Audit ExecutiveChief Audit Executive
The Chief Audit Executive , Director of Audit, Director of Internal Audit, Auditor General, or Controller General is a high level independent corporate executive with overall responsibility for the Internal audit....
(CAE) typically reports the most critical issues to the Audit Committee
Audit committee
In a U.S. publicly-traded company, an audit committee is an operating committee of the Board of Directors charged with oversight of financial reporting and disclosure. Committee members are drawn from members of the company's board of directors, with a Chairperson selected from among the committee...
quarterly, along with management's progress towards resolving them. Critical issues typically have a reasonable likelihood of causing substantial financial or reputational damage to the company. For particularly complex issues, the responsible manager may participate in the discussion. Such reporting is critical to ensure the function is respected, that the proper "tone at the top" exists in the organization, and to expedite resolution of such issues. It is a matter of considerable judgment to select appropriate issues for the Audit Committee's attention and to describe them in the proper context.