What is Internal Audit

Internal audit is a function which provides assurance that:

  • risks faced by an organization are appropriately managed; and
  • the internal control system that is devised to mitigate those risks is operating effectively

Assurance, according to the Oxford Dictionary of English, is a "positive declaration intended to give confidence".

In the context of internal auditing, assurance is the opinion provided by the auditor that:

  • risks are (or are not) appropriately managed; and / or
  • the internal control system is (or is not) operating effectively

The internal audit function within an organization provides such assurance to the organization's governing body, usually the Board of Directors via the Board Audit Committee.

What do internal auditors do

To provide assurance over risk management practices and the internal control system, internal auditors need to:

  • understand the business of the organization
  • understand the organization's business objectives
  • understand and identify the risks that may impact the organization's ability (or possibility) to achieve those objectives
  • assess the effectiveness of the risk management practices and internal control system in mitigating those risks

Internal auditors go through the above process to plan and conduct their activities and focus their effort on the highest risk areas. The objective is to provide assurance over risk management practices and the internal control system.

This is, in essence, what is generally called the "risk based audit" methodology.

Internal audit's reporting line in an organisation

Internal auditors must provide "objective" assurance to the Board of Directors and the Board Audit Committees and not be influenced by management, whose interests may not be fully in line with robust risk management practices and internal control systems.

Objectivity is assisted by having the Chief Audit Executive (CAE) reporting directly to the Board. The functional reporting line to the governing body and not to management is fundamental to the concept of "independence".

In practice, the CAE and the audit function may "administratively" report to the CEO, or more likely, the CFO or the Chief Risk Officer (CRO).

"Administrative" reporting refers to matters such as who pays the internal auditor's salary.

As you can see, objectivity and real independence depend on the individual and on how he or she deals with a situation when management attempts to influence his or her assurance opinion.

Nevertheless, functional reporting to the governing body is important in promoting objectivity and independence.

Internal audit activities

The typical internal audit activities are:

Developing the audit plan

Development of the audit plan involves:

  • risk assessment
  • control assessment
  • prioritizing risk areas
  • identifying the sources of assurance
  • determining the audit areas and available audit resources
  • concluding on the audit areas, i.e. arriving at a list of audit assignments

Performing individual audits

