Internal auditing is an independent, objective assurance and consulting activity designed to add value to and improve an organization’s operations.
Internal audits evaluate a company’s internal controls, including its corporate governance and accounting processes. They ensure compliance with laws and regulations and help to maintain accurate and timely financial reporting and data collection. Internal audits also provide management with the tools necessary to attain operational efficiency by identifying problems and correcting lapses before they are discovered in an external audit.
While internal auditors are hired directly by their company, they can achieve independence through their reporting relationships. Independence and objectivity are a cornerstone of the IIA professional standards and are discussed at length in the standards and the supporting practice guides and practice advisories. Professional internal auditors are mandated by the IIA standards to be independent of the business activities they audit. This independence and objectivity are achieved through the organizational placement and reporting lines of the internal audit department. Internal auditors of publicly traded companies in the United States are required to report functionally to the board of directors directly, or a sub-committee of the board of directors (typically the audit committee), and not to management except for administrative purposes.
The required organizational independence from management enables unrestricted evaluation of management activities and personnel and allows internal auditors to perform their role effectively. Although internal auditors are part of company management and paid by the company, the primary customer of internal audit activity is the entity charged with oversight of management’s activities. This is typically the Audit Committee, a sub-committee of the Board of Directors. Organizational independence is effectively achieved when the chief audit executive reports functionally to the board.
Examples of functional reporting to the board involve the board:
- Approving the internal audit charter.
- Approving the risk-based internal audit plan.
- Approving the internal audit budget and resource plan.
- Receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters.
Internal Audit Process
Internal auditors generally identify a department, gather an understanding of the current internal control process, conduct fieldwork testing, follow up with department staff about identified issues, prepare an official audit report, review the audit report with management, and follow up with management and the board of directors as needed to ensure recommendations have been implemented.
Assessment techniques ensure an internal auditor gathers a full understanding of the internal control procedures and whether employees are complying with internal control directives. To avoid disrupting the daily workflow, auditors begin with indirect assessment techniques, such as reviewing flowcharts, manuals, departmental control policies or other existing documentation. If documented procedures are not being followed, direct discussion with department staff may be necessary.
Auditing fieldwork procedures can include transaction matching, physical inventory count, audit trail calculations, and account reconciliations as required by law. Analysis techniques may test random data or target specific data if an auditor believes an internal control process needs to be improved.
Internal audit reporting includes a formal report and may include a preliminary or memo-style interim report. An interim report typically includes sensitive or significant results the auditor thinks the board of directors needs to know right away. The final report includes a summary of the procedures and techniques used for completing the audit, a description of audit findings, and suggestions for improvements to internal controls and control procedures. The formal report is reviewed with management and recommendations for improvement are discussed. Follow up after a period of time is necessary to ensure the new recommendations have been implemented and have improved operating efficiency.
Internal Audit Execution
A typical internal audit assignment involves the following steps:
- Establishing and communicating the scope and objectives of the audit to appropriate members of management.
- Developing an understanding of the business area under review – this includes objectives, measurements & key transaction types and involves interviews and a review of documents – flowcharts and narratives may be created, if necessary.
- Describing the key risks facing the business activities within the scope of the audit.
- Identifying management practices in the five components of control used to ensure that each key risk is properly controlled and monitored. An internal audit checklist can be a helpful tool to identify common risks and desired controls in the specific process or specific industry being audited.
- Developing and executing a risk-based sampling and testing approach to determine whether the most important management controls are operating as intended.
- Reporting issues and challenges identified and negotiating action plans with management to address these problems.
- Following up on reported findings at appropriate intervals. Internal audit departments maintain a follow-up database for this purpose.
Audit assignment length varies based on the complexity of the activity being audited and internal audit resources available. Many of the above steps are iterative and may not all occur in the sequence indicated.
In addition to assessing business processes, specialists called Information Technology (IT) Auditors review information technology controls.
Internal Audit Reports
Internal auditors typically issue reports at the end of each audit that summarize their findings, recommendations, and any responses or action plans from management. An audit report may have an executive summary, a body that includes the specific issues or findings identified and related recommendations or action plans, and appendix information such as detailed graphs and charts or process information. Each audit finding within the body of the report may contain five elements, sometimes called the “5 C’s”:
- Condition: What is the particular problem identified?
- Criteria: What is the standard that was not met? The standard may be a company policy or other benchmark.
- Cause: Why did the problem occur?
- Consequence: What is the risk/negative outcome (or opportunity foregone) because of the finding?
- Corrective action: What should management do about the finding? What have they agreed to do and by when?
The recommendations in an internal audit report are designed to help the organization achieve effective and efficient governance, risk and control processes associated with operations objectives, financial and management reporting objectives, and legal/regulatory compliance objectives.
Audit findings and recommendations may also relate to particular assertions about transactions, such as whether the transactions audited were valid or authorized, completely processed, accurately valued, processed in the correct time period, and properly disclosed in financial or operational reporting, among other elements.
Under the IIA standards, a critical component of the audit process is the preparation of a balanced report that provides executives and the board with the opportunity to evaluate and weigh the issues being reported in the proper context and perspective. In providing perspective, analysis and workable recommendations for business improvements in critical areas, auditors help the organization meet its objectives.
Quality of Internal Audit Report
- Objectivity – The comments and opinions expressed in the report should be objective and unbiased.
- Clarity – The language used should be simple and straightforward.
- Accuracy – The information contained in the report should be accurate.
- Brevity – The report should be concise.
- Timeliness – The report should be released promptly after the audit is concluded, within a month.
What is the Difference Between Internal and External Audit?
Internal auditors are often confused with external auditors; however, there are significant differences between the professions. External auditors focus on the accuracy of the annual report and financial statements, whereas the internal auditor has a wide-reaching brief that considers anything that might be important to an organization’s success.
Certificates for Internal Auditor
- CIA Certified Internal Auditor: Certified Internal Auditor (CIA) is a certification offered to accountants who conduct internal audits. The Certified Internal Auditor designation is conferred by the Institute of Internal Auditors (IIA) and is the only such credential that is accepted worldwide.
- ISO/IEC 27001 ISMS Internal Audit: An ISO 27001 internal audit involves a thorough examination of your organization’s ISMS to ensure that it meets the Standard’s requirements. Unlike a certification review, it’s conducted by your own staff, who will use the results to guide the future of your ISMS.
- ISO 22301 BCMS Internal Audit: This course develops the necessary skills to assess and report on the implementation and effectiveness of processes based on ISO 22301:2019. Using a case study BCMS, you’ll learn how to initiate an audit, prepare and conduct audit activities, compile and distribute audit reports, and complete follow-up activities.