Internal audit

From Wikipedia, the free encyclopedia

Jump to navigationJump to search
Part of a series on

Accounting

 Historical cost
 Constant purchasing power
 Management
 Tax

Major types[show]

Key concepts[show]

Selected accounts[show]

Accounting standards[show]

Financial statements[show]
 

Bookkeeping[show]

Auditing[show]

People and organizations[show]

Development[show]

Business portal

 v
 t
 e

Internal auditing is an independent, objective assurance and consulting activity designed to add
value and improve an organization's operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control and governance processes.[1] Internal auditing is a
catalyst for improving an organization's governance, risk management and management controls
by providing insight and recommendations based on analyses and assessments of data and
business processes.[2] With commitment to integrity and accountability, internal auditing provides
value to governing bodies and senior management as an objective source of independent advice.
Professionals called internal auditors are employed by organizations to perform the internal
auditing activity.

The scope of internal auditing within an organization is broad and may involve topics such as an
organization's governance, risk management and management controls over:
efficiency/effectiveness of operations (including safeguarding of assets), the reliability of
financial and management reporting,[3][4] and compliance with laws and regulations. Internal
auditing may also involve conducting proactive fraud audits to identify potentially fraudulent
acts; participating in fraud investigations under the direction of fraud investigation professionals,
and conducting post investigation fraud audits to identify control breakdowns and establish
financial loss.

Internal auditors are not responsible for the execution of company activities; they advise
management and the Board of Directors (or similar oversight body) regarding how to better
execute their responsibilities. As a result of their broad scope of involvement, internal auditors
may have a variety of higher educational and professional backgrounds.

The Institute of Internal Auditors (IIA) is the recognized international standard setting body for
the internal audit profession and awards the Certified Internal Auditor designation internationally
through rigorous written examination. Other designations are available in certain countries.[5] In
the United States the professional standards of the Institute of Internal Auditors have been
codified in several states' statutes pertaining to the practice of internal auditing in government
(New York State, Texas, and Florida being three examples). There are also a number of other
international standard setting bodies.

Internal auditors work for government agencies (federal, state and local); for publicly traded
companies; and for non-profit companies across all industries. Internal auditing departments are
led by a Chief Audit Executive ("CAE") who generally reports to the Audit Committee of the
Board of Directors, with administrative reporting to the Chief Executive Officer (In the United
States this reporting relationship is required by law for publicly traded companies).

Contents
 1 History of internal auditing
 2 Organizational independence
 3 Role in internal control
 4 Role in risk management
 5 Role in corporate governance
 6 Audit Project Selection or "Annual Audit Plan"
 7 Internal Audit Execution
 8 Internal audit reports
o 8.1 Quality of Internal Audit Report[14]
 9 Strategy
 10 Other topics
o 10.1 Measuring the internal audit function
o 10.2 Reporting of critical findings
o 10.3 Audit philosophy
 11 See also
 12 References
History of internal auditing[edit]
The Internal Auditing profession evolved steadily with the progress of management science after
World War II. It is conceptually similar in many ways to financial auditing by public accounting
firms, quality assurance and banking compliance activities. While some of the audit technique
underlying internal auditing is derived from management consulting and public accounting
professions, the theory of internal auditing was conceived primarily by Lawrence Sawyer (1911-
2002), often referred to as "the father of modern internal auditing";[6] and the current philosophy,
theory and practice of modern internal auditing as defined by the International Professional
Practices Framework (IPPF) of the Institute of Internal Auditors owes much to Sawyer's vision.

With the implementation in the United States of the Sarbanes-Oxley Act of 2002, the
profession's exposure and value was enhanced, as many internal auditors possessed the skills
required to help companies meet the requirements of the law. However, the focus by internal
audit departments of publicly traded companies on SOX related financial policy and procedures
derailed progress made by the profession in the late 20th century toward Larry Sawyer's vision
for internal audit. Beginning in about 2010, the IIA once again began advocating for the broader
role internal auditing should play in the corporate arena, in keeping with the IPPF's philosophy.[7]

Organizational independence[edit]
While internal auditors are not independent of the companies that employ them, independence
and objectivity are a cornerstone of the IIA professional standards; and are discussed at length in
the standards and the supporting practice guides and practice advisories. Professional internal
auditors are mandated by the IIA standards to be independent of the business activities they
audit. This independence and objectivity are achieved through the organizational placement and
reporting lines of the internal audit department. Internal auditors of publicly traded companies in
the United States are required to report functionally to the board of directors directly, or a sub-
committee of the board of directors (typically the audit committee), and not to management
except for administrative purposes.

The required organizational independence from management enables unrestricted evaluation of

management activities and personnel and allows internal auditors to perform their role
effectively. Although internal auditors are part of company management and paid by the
company, the primary customer of internal audit activity is the entity charged with oversight of
management's activities. This is typically the Audit Committee, a sub-committee of the Board of
Directors. Organizational independence is effectively achieved when the chief audit executive
reports functionally to the board. Examples of functional reporting to the board involve the
board:[8] Approving the internal audit charter; Approving the risk based internal audit plan;
Approving the internal audit budget and resource plan; Receiving communications from the chief
audit executive on the internal audit activity’s performance relative to its plan and other matters;
Approving decisions regarding the appointment and removal of the chief audit executive;
Approving the remuneration of the chief audit executive; and Making appropriate inquiries of
management and the chief audit executive to determine whether there are inappropriate scope or
resource limitations.
Role in internal control[edit]
Internal auditing activity is primarily directed at evaluating internal control. Under the COSO
Framework, internal control is broadly defined as a process, effected by an entity's board of
directors, management, and other personnel, designed to provide reasonable assurance regarding
the achievement of the following core objectives for which all businesses strive:

 Effectiveness and efficiency of operations.

 Reliability of financial and management reporting.
 Compliance with laws and regulations.
 Safeguarding of Assets

Management is responsible for internal control, which comprises five critical components: the
control environment; risk assessment; risk focused control activities; information and
communication; and monitoring activities. Managers establish policies, processes, and practices
in these five components of management control to help the organization achieve the four
specific objectives listed above. Internal auditors perform audits to evaluate whether the five
components of management control are present and operating effectively, and if not, provide
recommendations for improvement.

In the United States, internal auditors may assist management with compliance with the
Sarbanes-Oxley Act (SOX).