Key Takeaways
- Internal audit provides independent, objective assurance and consulting services to add value and improve operations.
- The Institute of Internal Auditors (IIA) sets standards and provides the definition and framework for internal auditing.
- Internal auditors must be independent from the activities they audit and maintain objectivity in their work.
- The audit process includes planning, fieldwork, reporting, and follow-up phases.
- Internal audit reports should include findings, root causes, recommendations, and management responses.
Internal Audit Function
Quick Answer: Internal audit is an independent, objective assurance and consulting activity designed to add value and improve operations. It helps organizations achieve their objectives by evaluating and improving risk management, control, and governance processes. Internal auditors report to the audit committee to maintain independence.
Definition of Internal Auditing
According to the Institute of Internal Auditors (IIA):
"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."
Internal vs. External Audit
| Aspect | Internal Audit | External Audit |
|---|---|---|
| Employment | Employees of the organization | Independent CPA firm |
| Primary Focus | Operational effectiveness, controls | Financial statement accuracy |
| Reports To | Audit committee/management | Shareholders/public |
| Standards | IIA Standards | GAAS/PCAOB Standards |
| Scope | Broad—operations, compliance, controls | Primarily financial statements |
| Frequency | Ongoing throughout year | Typically annual |
| Requirement | Voluntary (except for some industries) | Required for public companies |
Role of Internal Audit
Primary Responsibilities
- Assurance Services — Objective assessment of evidence to provide opinions on governance, risk, and controls
- Consulting Services — Advisory activities to improve processes without assuming management responsibility
- Fraud Investigations — Investigation of suspected fraud and irregularities
- Compliance Review — Ensuring adherence to laws, regulations, and policies
- Operational Audits — Evaluating efficiency and effectiveness of operations
What Internal Audit Evaluates
| Area | Focus | Examples |
|---|---|---|
| Risk Management | Are risks properly identified and managed? | ERM framework effectiveness |
| Internal Controls | Are controls designed and operating effectively? | Segregation of duties, authorizations |
| Governance | Are governance processes effective? | Board oversight, ethical culture |
| Operations | Are operations efficient and effective? | Process improvement opportunities |
| Compliance | Is the organization complying with requirements? | Regulatory adherence, policy compliance |
Independence and Objectivity
Independence
Organizational Independence — Internal audit should report functionally to the audit committee and administratively to senior management (typically the CEO or CFO).
| Reporting Relationship | Purpose |
|---|---|
| Functional Reporting to Audit Committee | Ensures independence from management |
| Administrative Reporting to CEO | Facilitates day-to-day operations |
Objectivity
Individual Objectivity — Internal auditors must have an impartial, unbiased attitude and avoid conflicts of interest.
Threats to Independence/Objectivity
| Threat | Description | Safeguard |
|---|---|---|
| Self-review | Auditing own previous work | Rotation of assignments |
| Social pressure | Relationships with auditees | Professional skepticism training |
| Familiarity | Long tenure in same area | Mandatory rotation policies |
| Economic interest | Financial ties to outcomes | Compensation policies |
| Self-interest | Personal benefit from results | Disclosure requirements |
The Internal Audit Process
Phase 1: Audit Planning
| Activity | Description | Output |
|---|---|---|
| Risk Assessment | Identify high-risk areas | Risk-based audit plan |
| Annual Audit Plan | Prioritize audits for the year | Board-approved plan |
| Engagement Planning | Plan individual audit engagements | Audit program |
| Resource Allocation | Assign staff and time | Staffing plan |
Risk-Based Audit Planning
Internal audit uses a risk-based approach to prioritize audits:
- Identify the audit universe — All auditable areas
- Assess risk factors — Financial impact, control environment, changes, time since last audit
- Prioritize audits — High-risk areas first
- Allocate resources — Match skills to audit needs
- Obtain approval — Audit committee approves plan
Phase 2: Fieldwork (Audit Execution)
| Activity | Description | Purpose |
|---|---|---|
| Opening Meeting | Meet with management | Set expectations, gather information |
| Walkthrough | Understand processes | Document understanding |
| Testing | Test controls and transactions | Gather evidence |
| Documentation | Prepare workpapers | Support findings |
| Identify Issues | Document control deficiencies | Basis for recommendations |
Testing Procedures
| Test Type | Description | Example |
|---|---|---|
| Inquiry | Ask questions of personnel | Interview process owners |
| Observation | Watch processes occur | Observe physical inventory count |
| Inspection | Examine documents/records | Review invoices for approval |
| Reperformance | Redo the control activity | Recalculate bank reconciliation |
| Analytical Procedures | Analyze relationships | Compare ratios period-over-period |
Phase 3: Reporting
Internal audit reports typically include:
| Section | Content |
|---|---|
| Executive Summary | High-level overview of findings |
| Scope and Objectives | What was audited and why |
| Findings | Control deficiencies identified |
| Root Cause Analysis | Why the deficiency exists |
| Recommendations | Suggested corrective actions |
| Management Response | Management's action plan |
| Rating/Opinion | Overall assessment |
Finding Components
Each audit finding should address:
- Condition — What is the current state? (What IS)
- Criteria — What should the state be? (What SHOULD BE)
- Cause — Why does the gap exist? (Root cause)
- Consequence — What is the impact? (Effect/risk)
- Corrective Action — What should be done? (Recommendation)
Phase 4: Follow-Up
| Activity | Purpose | Frequency |
|---|---|---|
| Track Remediation | Ensure issues are addressed | Ongoing |
| Verify Implementation | Confirm corrective actions taken | Per agreed timeline |
| Report Status | Update audit committee | Quarterly |
| Escalate Delays | Address overdue items | As needed |
IIA Standards
The International Standards for the Professional Practice of Internal Auditing (Standards) are issued by the IIA and include:
Attribute Standards
| Standard | Focus |
|---|---|
| 1000 - Purpose, Authority, Responsibility | Internal audit charter |
| 1100 - Independence and Objectivity | Free from interference |
| 1200 - Proficiency and Due Professional Care | Competence and skill |
| 1300 - Quality Assurance and Improvement Program | Internal and external assessments |
Performance Standards
| Standard | Focus |
|---|---|
| 2000 - Managing the Internal Audit Activity | Planning and oversight |
| 2100 - Nature of Work | Governance, risk, control |
| 2200 - Engagement Planning | Individual audit planning |
| 2300 - Performing the Engagement | Fieldwork execution |
| 2400 - Communicating Results | Reporting |
| 2500 - Monitoring Progress | Follow-up |
| 2600 - Communicating the Acceptance of Risks | Residual risk reporting |
Internal Audit Charter
The Internal Audit Charter is a formal document that:
- Defines the purpose, authority, and responsibility of internal audit
- Establishes internal audit's position within the organization
- Authorizes access to records, personnel, and physical properties
- Defines the scope of internal audit activities
- Must be approved by the board/audit committee
To maintain organizational independence, internal audit should report functionally to:
Which audit testing procedure involves actually redoing the control activity to verify it was performed correctly?
The "5 C's" of audit findings include Condition, Criteria, Cause, Consequence, and: