Many of you may work in a company that has an Internal Audit (IA) Department. Some of you might even have been a “victim” of internal audit, so to speak. However, do many who work outside the world of internal audit understand what it is IA does all day, or why they do it? To help answer that question, let’s take an “inside baseball” look at the definition and role of internal audit.
The Institute of Internal Auditors (IIA) defines internal auditing as:
“… an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
In other words, internal audit provides monitoring (i.e. audit) services that are designed to add value and improve operations. Internal audit does this through formal monitoring activities and often divides the areas under review into three broad categories: (1) governance activities and entities, (2) risk management activities and entities, and (3) control processes. We’ll take a closer look at these categories a little further on. But for now, let’s take a look at two key words in the first sentence of the IIA definition: (1) independent and (2) objective.
You may have wondered why sometimes it seems as if internal audit can look at anything they want to look at. Well, in order for internal audit to be able to objectively evaluate any particular aspect of an organization, it must have the independence to look at whatever is required to make that evaluation. Likewise, internal audit must have the independence to be able to come to conclusions, regardless of the status or political relationships of the management responsible for the area under review. Having independence from management (and thus minimizing management interference) provides the avenue whereby internal audit can do its job most effectively. Independence also helps to ensure the credibility of internal audit findings and recommendations. This is one reason why internal audit departments often report directly to the Audit Committee of the Board of Directors and report only dotted-line to management (often the CEO, CFO, or similar management roles).
To be truly effective, however, internal audit must be a partner with management, while still maintaining independence. Internal audit is a part of the organization and its mission is to “…help an organization accomplish its objectives,” as well as to “…add value and improve an organization’s operations.” Creating an adversarial relationship with other parts of the organization does not help internal audit to accomplish its mission.
The services internal audit provides to the organization can be described using two broad categories of activities: assurance services and consulting services. When IA is engaged in an audit for assurance purposes, it conducts an independent review of a particular process, location, department, etc. It evaluates the entity under review, typically against the policies, procedures and controls of that entity. It also may compare the entity to similar entities, internally or externally. From this review, internal audit records its findings and develops conclusions about how well the entity is functioning. Based on the findings and conclusions, a post-audit report is written. The report also may include recommendations for improvement. The audit report will be discussed with the responsible manager and then reported to the Audit Committee. As you can see, the assurance services provided by internal audit are very similar to what a layperson might envision when the word “audit” is mentioned.
Usually, there are three parties involved in an audit for assurance purposes: (1) the auditor, (2) the requestor (typically the Audit Committee by way of an annual audit plan), and (3) the auditee (i.e. the responsible manager for the area audited). The IIA definition of assurance is:
“An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.”
There are some key terms in the definition above that also appear in the IIA definition of internal audit. These terms once again are: (1) governance, (2) risk management, and (3) control processes. While each of these areas can be discussed in much greater detail than we have space for here, we’ll take a brief look at how internal auditors (and the IIA) use these broad categories to define the totality of areas which could be audited within any given organization (sometimes referred to as the audit universe).
Governance consists of all the pieces and parts that provide the overall direction to an organization. It involves culture, Board oversight, management style and many other “soft” components. There also are more tangible aspects to governance, as embodied by policies, procedures and other organizational rules. Risk management involves those parts of the organization dealing with significant uncertainty (and, thus, risk). Just about every part of an organization deals with risk to some extent, but within some organizations there may be a specific risk management function that is responsible for activities such as hedging, insurance, long-term forecasting and similar areas. Control processes are the “ground level” policies, procedures and other guideposts that an organization uses to ensure (1) effective and efficient operations, (2) compliance with regulations, and (3) conformity to industry or other standards (both external and internal). By using this framework to define the audit universe, internal auditors can more effectively bring “…a systematic, disciplined approach to evaluate and improve the effectiveness…” of an organization’s operations.
In addition to assurance audits, internal audit also can provide consulting services to just about any part of the organization. The activities involved in a consulting engagement are very similar (in some cases, exactly the same) to those that are part of an assurance audit. However, the consulting engagement differs from the assurance audit in at least one significant respect. As opposed to the three participants typical of an assurance audit, a consulting engagement typically has only two parties: (1) the auditor and (2) the requestor/auditee. The requestor/auditee is (usually) the responsible manager for the entity being reviewed. The person requesting the audit also can be referred to as the “client.” Any significant findings from a consulting engagement still may be reported to the Audit Committee, but the focus of the engagement is to provide a discovery and evaluation service for the manager or department who requested the assistance. The IIA defines consulting services as:
“Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization's governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.”
Two key aspects of this definition are (1) the nature and scope of the consulting engagement are mutually agreed upon between the client and internal audit, and (2) the internal auditor does NOT assume any management responsibility. During an assurance audit, the auditee does not have the same level of input with respect to the nature and scope of the audit as they do with a consulting engagement. Regarding aspect number (2) above, it is very important that the internal auditor does not engage in any sort of management role when performing a consulting engagement. They are there to provide their expertise and advice, but it is up to the responsible manager to act (or not act) upon that advice.
In summary, internal audit exists to add value and improve operations. They do this by conducting assurance audits and consulting engagements. Both of these methods apply a systematic and disciplined approach to evaluate and improve the effectiveness of a particular department, entity, process or other component of an organization. Internal audit maintains independence from management to ensure that their evaluations are objective and accurate. Oftentimes (but not always), internal audit divides the audit universe into three broad areas for study: governance activities, risk management activities and control processes.
Hopefully this brief summary of the role and function of internal audit has provided some insights into what internal audit does and why they do it. Future columns will continue to discuss aspects of Enterprise Risk Management (ERM), internal audit, risk management and governance.