What is Internal Audit
Internal audit is a function which provides assurance that:
- the risks faced by an organization are appropriately managed, and
- the internal control system devised to mitigate those risks is operating effectively
Assurance, according to the Oxford Dictionary of English, is a "positive declaration intended to give confidence".
In the context of internal auditing, assurance is the opinion provided by the auditor that:
- risks are (or are not) appropriately managed; and / or
- the internal control system is (or is not) operating effectively
The internal audit function within an organization provides such assurance to the organization's governing body, usually the Board of Directors via the Board Audit Committee.
What do internal auditors do
To provide assurance over risk management practices and the internal control system, internal auditors need to:
- understand the business of the organization
- understand the organization's business objectives
- understand and identify the risks that may affect the organization's ability to achieve those objectives
- assess the effectiveness of the risk management practices and internal control system in mitigating those risks
Internal auditors go through the above process to plan and conduct their activities, focusing their effort on the highest-risk areas. The objective is to provide assurance over risk management practices and the internal control system.
This is, in essence, what is generally called the "risk based audit" methodology.
Internal audit's reporting line in an organisation
Internal auditors must provide "objective" assurance to the Board of Directors and the Board Audit Committees and not be influenced by management, whose interests may not be fully in line with robust risk management practices and internal control systems.
Objectivity is assisted by having the Chief Audit Executive (CAE) reporting directly to the Board. The functional reporting line to the governing body and not to management is fundamental to the concept of "independence".
In practice, the CAE and the audit function may "administratively" report to the CEO, or more likely, the CFO or the Chief Risk Officer (CRO).
"Administrative" reporting refers to matters such as who pays the internal auditor's salary.
As you can see, objectivity and real independence depend on the individual: on how he or she deals with a situation in which management attempts to influence his or her assurance opinion.
Nevertheless, functional reporting to the governing body is important in promoting objectivity and independence.
Internal audit activities
The typical internal audit activities are:
Developing the audit plan
- assessing risks
- assessing controls
- prioritizing risk areas
- identifying the sources of assurance
- determining the audit areas and the available audit resources
- concluding on the audit areas, i.e. arriving at a list of audit assignments
Performing individual audits
- The initial steps are audit planning related. Let's call them
- The other steps are conducting audit work e.g. testing and concluding