The Institute of Internal Auditors (IIA) defines internal auditing as:
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Key points highlighted by the definition:
- Independent and objective
- Assurance and consulting service
- Improve operations
- Evaluate and improve the effectiveness of risk manage, control and governance processes.
Let’s take the above points one by one.
Independent and Objective
The internal audit function usually reports to the board or audit committee. This reporting line is the key to the internal audit function’s independence. Internal auditors are independent when they can carry out their work freely and objectively. Independence is the freedom from conditions that threaten the ability of the internal audit activity or the chief audit executive to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive should have direct and unrestricted access to senior management and the board.
As for Objectivity, objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made.
Assurance and Consulting Service
Assurance is an objective examination of operations, documents and any other relevant evidence that aims to provide an assessment of risk, control and governance processes of the organization.
On the other hand, consulting services focus on adding value and helping an organization improve its operations. Consulting services usually focus on a specific process or area.
Because of the internal auditor’s position in the organization, they have a broad knowledge of the organization’s operations. This broad knowledge about the organization’s operations, processes, risks and controls enables them to contribute to the improvement of operations. Internal auditor’s expertise is usually in the fields of control, risk, efficiency, in addition to being great problem solvers. This knowledge is of great value for the organization.
Evaluate and improve the effectiveness of risk manage, control and governance processes.
Internal auditors bring all the knowledge and experience and other qualities, such as independence and objectivity, to evaluate the effectiveness of the core controls of the organization. Their main focus is: risk, control and governance. And the purpose of the evaluation is to help the organization achieve its goals.
To understand internal auditing let’s first compare it to external auditing and then look in more detail at what internal auditors do.
External auditing focuses on the financial aspects. Its main focus is risks and controls that would affect the integrity of the financial statements. On the other hand, internal auditing’s focus is broad. It encompasses the whole organization. Internal auditors may do any of the following types of engagements:
- Quality audit engagements
- Due diligence audit engagements
- Security audit engagements
- Privacy audit engagements
- Performance audit engagements
- Operational audit engagements
- Financial audit engagements
- Compliance audit engagements
In addition, internal auditors may provide the following services to the organization as part of their consulting duties:
- Training of staff on internal control
- Business process mapping
- System development reviews
Let’s see three examples of audit engagements that would give you a closer look at what internal auditors do.
- Human Resources Staffing Audit: The purpose of such an engagement would be to determine whether the organization has an appropriate framework, system and policies to manage the hiring process, and to determine whether the organization is in compliance with any government regulations related to hiring staff.
- Marketing Department Audit: An audit of the marketing department may look for answers for the following questions:
- Does the marketing plan match up with the overall goals of the organization? If not, why not?
- Do the individual marketing tactics or campaigns support the overall marketing plan?
- Does the marketing department have the required skills and expertise?
- How are marketing plans implemented?
- Risk Management Program Audit. Such an audit would evaluate the following:
- Determine whether the risk management program is well designed.
- Determine whether risks are identified, assessed, mitigated and monitored.
- Determine whether risk management is integrated into the organization’s strategic and operational planning processes, and into employee’s day-to-day activities.
- Determine whether the risk management program results are communicated to internal and external stakeholders, and whether managers are held accountable for results.
To conclude, the internal audit activity provides services to the whole organization, but mainly to senior management and the board. The main focus of internal audit is the evaluation of risk, control and governance processes and how those processes contribute to the organization’s achievement of its goals. I hope this article has provided you with a rough understanding of what is internal auditing and what internal auditors do.
- The definition of internal auditing: The Institute of Internal Auditors website (theiia.org)
- Types of Engagements: Powers Resource Corporation, CIA Part 2 textbook 8th