What Is Internal Audit?
Internal audit is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Internal auditing falls under the broader financial category of corporate governance. Professionals who perform internal auditing are known as internal auditors. The scope of internal auditing within an organization can be extensive, covering areas such as the efficiency and effectiveness of operations, the reliability of financial reporting, and compliance with laws and regulations.
History and Origin
The roots of internal auditing can be traced back to ancient civilizations, where overseers were appointed to verify the accuracy of financial records and transactions. However, modern internal auditing emerged as a profession in the early 20th century, spurred by the increasing complexity of business operations and the need for more sophisticated oversight [25]. A pivotal moment in its development was the establishment of The Institute of Internal Auditors (IIA) in 1941 [23, 24].
The period following World War II saw a significant expansion of the internal auditing profession as businesses recognized the value of internal auditors in evaluating operational efficiency and safeguarding assets beyond just financial accuracy [22]. This era marked a shift toward internal audit taking a more strategic role, contributing to risk management and decision-making [21]. The profession's exposure and value were further enhanced in the United States with the implementation of the Sarbanes-Oxley Act (SOX) of 2002, enacted in response to major corporate scandals like Enron and WorldCom [19, 20]. SOX mandated stricter internal control assessments and required top management to certify financial statements, increasing the visibility and importance of internal audit functions within organizations [17, 18]. The IIA issues the International Standards for the Professional Practice of Internal Auditing (Standards), which guide the worldwide practice of internal auditing and serve as a basis for evaluating and elevating the quality of the internal audit function [15, 16].
Key Takeaways
- Internal audit is an independent function that provides assurance and consulting services to an organization.
- Its primary goal is to improve an organization's risk management, control, and governance processes.
- Internal auditors operate under professional standards, such as those set by The Institute of Internal Auditors (IIA).
- The scope of internal audit extends beyond financial reporting to include operational efficiency, compliance, and strategic objectives.
- Effective internal audit can help prevent corporate scandals and enhance organizational resilience.
Interpreting the Internal Audit
Interpreting the findings of an internal audit involves understanding the context of the observations and recommendations. Internal auditors assess the adequacy and effectiveness of an organization's internal controls, risk management frameworks, and governance structures. Their reports typically highlight areas of non-compliance, inefficiencies, or potential risks. For instance, an internal audit might identify weaknesses in a company's data security protocols or recommend improvements to its supply chain management processes. The value derived from an internal audit lies in management's ability to implement the suggested corrective actions and enhance the organization's overall operational effectiveness and control environment. The chief audit executive plays a crucial role in establishing a risk-based plan for the internal audit activity, ensuring alignment with the organization's goals and stakeholder expectations [14].
Hypothetical Example
Consider "Tech Innovations Inc.," a growing software company. The internal audit department decides to conduct an audit of the company's software development lifecycle to identify potential risks and inefficiencies.
- Planning Phase: The internal audit team develops an audit plan, identifying key stages of the software development process, such as requirements gathering, coding, testing, and deployment. They prioritize areas with higher inherent risk, like cybersecurity measures in the coding phase.
- Fieldwork Phase: Auditors review documentation, interview developers and project managers, and observe processes. They might find that code reviews are sometimes skipped due to tight deadlines, a control deficiency.
- Reporting Phase: The internal audit report details the findings, including the skipped code reviews. It explains the potential impact (e.g., increased bugs, security vulnerabilities) and provides recommendations, such as enforcing mandatory code review checklists and allocating more time for this critical step.
- Follow-up Phase: Management develops an action plan to address the recommendations. The internal audit team will later verify that these actions have been implemented effectively, improving the company's development practices and mitigating risks. This continuous cycle ensures ongoing improvement in the company's operational processes.
Practical Applications
Internal audit plays a critical role across various facets of an organization:
- Risk Management: Internal auditors assess an organization's exposure to various risks, including financial, operational, strategic, and compliance risks. They evaluate the effectiveness of controls designed to mitigate these risks. For example, they might review a company's financial controls to ensure accuracy and prevent fraud.
- Corporate Governance: Internal audit provides independent assurance to the board of directors and audit committee regarding the effectiveness of governance processes. This includes promoting appropriate ethics and values, overseeing risk management, and ensuring accountability within the organization [12, 13].
- Operational Efficiency: Internal auditors review operational processes to identify inefficiencies, waste, and opportunities for improvement. This can involve examining areas like procurement, human resources, or IT systems.
- Compliance: They ensure that the organization adheres to relevant laws, regulations, and internal policies. This is particularly crucial in highly regulated industries. The Sarbanes-Oxley Act, for instance, significantly increased the focus on internal controls over financial reporting [10, 11]. Failures in internal audit can lead to significant corporate scandals, as seen in the case of Toshiba, where an internal audit function was criticized for not adequately addressing accounting irregularities [8, 9].
Limitations and Criticisms
While vital, internal audit is not without limitations. One criticism is the potential for a lack of true independence, especially if the internal audit function reports directly to management rather than the audit committee or board of directors. This reporting structure can create perceived or actual conflicts of interest. For example, a 2015 report on Toshiba's financial misstatements highlighted criticisms of its internal audit function, noting that an over-reliance on a rotational staffing model and a focus on consulting services over assurance contributed to its shortcomings in detecting accounting irregularities [7].
Another challenge can be the scope and depth of audits. If internal audit functions are under-resourced or lack the necessary expertise in complex areas like information technology, they may miss significant risks. Research suggests that companies are sometimes more likely to hire internal auditors after accounting failures or compliance enforcement actions, indicating a reactive rather than proactive approach to internal audit investment [6]. Furthermore, internal audit cannot guarantee the complete absence of fraud or errors, as it operates on a reasonable assurance basis due to inherent limitations of any control system. The effectiveness of internal audit is also dependent on the cooperation and receptiveness of management to implement recommendations.
Internal Audit vs. External Audit
Internal audit and external audit both provide oversight and assurance, but they differ significantly in their objectives, scope, and reporting lines.
Feature | Internal Audit | External Audit |
---|---|---|
Objective | To improve organizational operations and add value by enhancing risk management, control, and governance processes. | To provide an independent opinion on the fairness and accuracy of financial statements for external stakeholders. |
Reporting To | Primarily to the audit committee and senior management within the organization. | Primarily to external stakeholders (shareholders, investors, regulators). |
Scope | Broad, covering operational efficiency, compliance, financial reporting, and strategic objectives. | Focused primarily on financial statements and internal controls over financial reporting. |
Independence | Employs organizational independence; employed by the company but strives for objectivity. | Requires strict independence from the company being audited; performed by an outside firm. |
Regulation | Guided by professional standards like the IIA's International Standards for the Professional Practice of Internal Auditing. | Governed by statutory regulations (e.g., Sarbanes-Oxley Act) and accounting standards (e.g., GAAP, IFRS). |
Frequency | Ongoing or cyclical, based on a risk-based audit plan. | Typically annual, culminating in an audit report. |
While internal audit is an ongoing, internal function focused on internal improvements and risk mitigation, external audit is a periodic, external review focused on the reliability of financial reporting for public consumption. Both are crucial for robust corporate governance.
FAQs
What is the role of the chief audit executive (CAE)?
The chief audit executive (CAE) is the senior-most internal audit professional in an organization. Their role involves leading the internal audit function, developing a risk-based audit plan, communicating with the audit committee and senior management, and ensuring the quality and effectiveness of internal audit activities.
How does internal audit contribute to corporate governance?
Internal audit strengthens corporate governance by providing independent assurance that an organization's risk management, control, and governance processes are effective. This helps the board of directors and management fulfill their oversight responsibilities and ensures accountability [4, 5].
What are the "International Standards for the Professional Practice of Internal Auditing"?
These are principles-based, mandatory requirements issued by The Institute of Internal Auditors (IIA) that guide the professional practice of internal auditing worldwide. They cover attribute standards (characteristics of auditors and audit activities) and performance standards (nature of internal audit services) [1, 2, 3].
Can internal auditors conduct fraud investigations?
Yes, internal auditors can participate in fraud investigations. Their role may include conducting proactive fraud audits to identify potentially fraudulent acts, assisting in investigations under the direction of fraud investigation professionals, and performing post-investigation audits to identify control breakdowns and assess financial losses.
Is internal audit mandatory for all companies?
The requirement for an internal audit function varies by jurisdiction and company type. Publicly traded companies in many countries, particularly those subject to regulations like the Sarbanes-Oxley Act in the U.S., often have a mandatory or strongly recommended internal audit function as part of their corporate governance structure. While not always legally mandated for private companies, many still choose to have one due to the value it adds in terms of risk management and operational efficiency.