
Internal audit: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
Best practices section
Line 89: Line 89:
* [http://www.internalaudit.biz Gives details of risk-based internal auditing]
* [http://www.internalaudit.biz Gives details of risk-based internal auditing]
* [http://www.iiabg.org The Institute of Internal Auditors (Bulgaria)]
* [http://www.iiabg.org The Institute of Internal Auditors (Bulgaria)]
* [http://www.aabaig.com A A Baig & Co., Chartered Accountants (Pakistan)]
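Review bot: the only line that differs between the two sides at Line 89 is the external link to A A Baig & Co., Chartered Accountants (Pakistan), which sits in the link list and not in the best practices section the edit summary names. The summary should mention the link change. The neighbouring entries shown here are a risk-based auditing reference and an Institute of Internal Auditors chapter, so a link to an individual accounting firm needs a stated reason for its place in that list.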


Revision as of 07:20, 1 July 2007

Internal auditing is a profession and activity involved in advising organizations regarding how to better achieve their objectives. Internal auditing involves the utilization of a systematic methodology for analyzing business processes or organizational problems and recommending solutions. Professionals called internal auditors are employed by organizations to perform the internal auditing activity. The scope of internal auditing within an organization is broad and may involve internal control topics such as the efficacy of operations, the reliability of financial reporting, deterring and investigating fraud, safeguarding assets, and compliance with laws and regulations. Internal auditors are not responsible for the execution of company activities; they advise management and the Board of Directors (or similar oversight body) regarding how to better execute their responsibilities. As a result of their broad scope of involvement, internal auditors may have a variety of higher educational and professional backgrounds. Publicly-traded United States corporations typically have an internal auditing department, led by a Chief Audit Executive ("CAE") who generally reports to the Audit Committee of the Board of Directors, with administrative reporting to the Chief Executive Officer. The profession is unregulated, with the international Institute of Internal Auditors ("IIA") the primary standard-setting body. The IIA has established the Standards for the Professional Practice of Internal Auditing.[1] The IIA has over 130,000 members representing 165 countries, including approximately 65,000 Certified Internal Auditors.[2]

Organizational independence

To perform their role effectively, internal auditors require organizational independence from management, to enable unrestricted evaluation of management activities and personnel. Although internal auditors are part of company management and paid by the company, the primary customer of internal audit activity is the entity charged with oversight of management's activities. This is typically the Audit Committee of the Board of Directors in the United States. To provide independence, most Chief Audit Executives report to the Chairperson of the Audit Committee and can only be replaced with the concurrence of that individual.

Nature of the internal audit activity

Based on a risk assessment of the organization, internal auditors, management and oversight Boards determine where to focus internal auditing efforts. Internal auditing activity is generally conducted as one or more discrete projects. A typical internal audit project involves the following steps:

  1. Establish and communicate the scope and objectives for the audit to appropriate management.
  2. Develop an understanding of the business area under review. This includes objectives, measurements, and key transaction types. This involves review of documents and interviews. Flowcharts and narratives may be created if necessary.
  3. Identify control procedures used to ensure each key transaction type is properly controlled and monitored.
  4. Develop a sampling and testing approach to determine whether the most important controls are operating as intended.
  5. Report problems identified and negotiate action plans with management to address the problems.
  6. Follow up on reported findings at appropriate intervals. Internal audit departments maintain a follow-up database for this purpose.

Projects typically take 8-12 weeks to complete, depending on the complexity of the business under review, management's availability to assist, and internal audit resources applied. Many of the above steps are iterative and may not all occur in the sequence indicated.

By analyzing and recommending business improvements in critical areas, auditors help the organization succeed. In addition to assessing business processes, specialists called Information Technology (IT) Auditors may review company IT systems and activities.

Role in internal control

Internal auditing activity is primarily directed at improving internal control. Under the COSO Framework, internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations.
  • Reliability of financial reporting.
  • Compliance with laws and regulations.

Role in risk management

Internal auditors may assess the organization's risk management or risk assessment processes. Risk management relates to how an organization identifies, analyzes, and responds to those risks that could potentially impact its ability to realize its objectives. Internal auditors may also play an important role in helping companies execute a SOX 404 top-down risk assessment. Internal auditors also help companies establish and maintain Enterprise Risk Management processes.[3]

Role in corporate governance

Internal auditing activity as it relates to corporate governance is generally informal, accomplished primarily through participation in meetings and discussions with members of the Board of Directors. Corporate governance is a combination of processes and organizational structures implemented by the Board of Directors to inform, direct, manage, and monitor the organization's resources, strategies and policies towards the achievement of the organization's objectives.[4] Internal auditing is often considered one of the "four pillars" of corporate governance, the other pillars being the Board of Directors, management, and the external auditor.[5]

A primary focus area of internal auditing as it relates to corporate governance is helping the Audit Committee of the Board of Directors (or equivalent) perform its responsibilities effectively. This may include reporting critical internal control problems, informing the Committee privately on the capabilities of key managers, suggesting questions or topics for the Audit Committee's meeting agendas, and coordinating carefully with the external auditor and management to ensure the Committee receives effective information.

Best Practices in Internal Auditing

Measuring the internal audit function

Best practices in measurement of internal audit functions include a balanced scorecard approach.[6] Internal audit functions are primarily evaluated based on the quality of counsel and information provided to the Audit Committee and top management. However, this is primarily qualitative and therefore difficult to measure. “Customer surveys” sent to key managers after each audit project or report can be used to measure performance, with an annual survey to the Audit Committee. Scoring on dimensions such as professionalism, quality of counsel, timeliness of work product, utility of meetings, and quality of status updates is typical with such surveys.

Quantitative measures can also be used to measure the function’s level of execution and qualifications of its personnel. Key measures include:

Plan completion: This is a measure of the degree to which the annual plan of engagements is completed, measured at a point in time. This may be measured using the number of projects completed, weighted by the planned size of each project, with estimates for projects in-progress. Measured throughout the year, it is compared against the percentage of the year elapsed.

Report issuance: This is a measure of the time elapsed from completion of testing to issuance of the final audit report, including management’s action plans. This can be measured in average days or percentage of reports issued within a certain standard, such as 30 days. Establishing expectations for the timing of management’s response to report recommendations is critical. In addition, the scope and degree of change involved in the report’s action plans are key variables. For example, a report for a single retail store requiring only the store manager’s action might take 3-5 days to issue. However, a report consolidating findings from 20 retail stores, with action plans with national implications determined by top management, may take 30-60 days in complex organizations.

Issue closure: Reported audit findings are often called “issues” or “deficiencies.” Professional standards require audit functions to track reported findings to resolution, which effectively requires the maintenance of an issues follow-up database. The number of days that reported issues remain open, or open after their agreed-upon closure date, are key measures. In addition, reporting database statistics such as the number of issues open (unresolved), closed (resolved), and issues opened/closed during a given period are useful statistics.

Staff qualifications: This can be measured through the percentage of staff with professional certifications, graduate degrees, and overall years of experience.

Staff utilization rate: This is measured as the percentage of time spent on projects, as opposed to administrative time such as training or vacation. Many internal audit departments track time by audit project. This is typically captured in a database or spreadsheet.

Developing and retaining staff

Developing and retaining quality professionals is a key concern in the profession.[7] Key methods for developing and retaining internal audit staff personnel include:

  • Providing challenging, varied assignments
  • Ensuring quality supervision
  • Ensuring staff participates in projects from start to finish, to learn all phases of the audit process
  • Providing opportunities to lead (in-charge) projects, starting with more structured projects such as Sarbanes-Oxley work
  • Participating on departmental improvement task forces, such as preparation for quality assurance review
  • Participating in the recruiting and interviewing process for new hires
  • Rotating through various audit teams (in larger departments) or audits of various businesses
  • Providing both outside training (e.g., seminars) and in-house training (e.g., company systems) for two weeks/year
  • Participating in annual risk assessment activities, whether asking key questions or just taking notes

Reporting of critical findings

The Chief Audit Executive (CAE) typically reports the most critical issues to the Audit Committee quarterly, along with management's progress towards resolving them. Critical issues typically have a reasonable likelihood of causing substantial financial or reputational damage to the company. For particularly complex issues, the responsible manager may participate in the discussion. Such reporting is critical to ensure the function is respected, that the proper "tone at the top" exists in the organization, and to expedite resolution of such issues. It is a matter of considerable judgment to select appropriate issues for the Audit Committee's attention and to describe them in the proper context.

History of internal auditing

The Internal Auditing profession evolved steadily with the progress of management science after World War II. It is conceptually similar in many ways to financial auditing by public accounting firms, quality assurance and banking compliance activities. Much of the theory underlying internal auditing is derived from management consulting and public accounting professions. With the implementation in the United States of the Sarbanes-Oxley Act of 2002, the profession's growth accelerated, as many internal auditors possess the skills required to help companies meet the requirements of the law.


  1. IIA Standards
  2. IIA Website
  3. Role of Internal Auditing in ERM
  4. Rezaee, Zabihollah. Financial Statement Fraud: Prevention and Detection. New York: Wiley; 2002.
  5. IIA Article "Getting a Leg Up"
  6. Frigo, Mark L. A Balanced Scorecard Framework for Internal Auditing Departments. IIA Research Foundation. Altamonte Springs, FL.: 2002
  7. State of the IA Profession Survey 2007