Internal Audit Services
Internal Audit Services is an independent, objective assurance and consulting activity designed to add value to and improve an organization’s operations.
It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Internal auditing achieves this by providing insight and recommendations based on analyses and assessments of data and business processes. With a commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform internal auditing activity.
The scope of Internal Audit Services within an organization is broad and may involve topics such as an organization’s governance, risk management, and management controls over: efficiency/effectiveness of operations (including the safeguarding of assets), the reliability of financial and management reporting, and compliance with laws and regulations. Internal auditing may also involve conducting proactive fraud audits to identify potentially fraudulent acts; participating in fraud investigations under the direction of fraud investigation professionals; and conducting post-investigation fraud audits to identify control breakdowns and establish financial loss.
Internal Audit Services auditors are not responsible for the execution of company activities; they advise management and the board of directors (or similar oversight body) regarding how to better execute their responsibilities. As a result of their broad scope of involvement, internal auditors may have a variety of higher educational and professional backgrounds.
The Institute of Internal Auditors (IIA) is the recognized international standard-setting body for the internal audit profession and awards the Certified Internal Auditor designation internationally through rigorous written examination. Other designations are available in certain countries. In the United States, the professional standards of the Institute of Internal Auditors have been codified in several states’ statutes pertaining to the practice of internal auditing in government (New York State, Texas, and Florida being three examples). There are also a number of other international standard-setting bodies.
Internal Audit Services auditors work for government agencies (federal, state, and local); for publicly traded companies; and for non-profit companies across all industries. Internal auditing departments are led by a chief audit executive (“CAE”) who generally reports to the audit committee of the board of directors, with administrative reporting to the chief executive officer (In the United States this reporting relationship is required by law for publicly traded.
Role in internal control
Internal Audit Services activity is primarily directed at evaluating internal control. Under the COSO Framework, internal control is broadly defined as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the following core objectives for which all businesses strive:
- Effectiveness and efficiency of operations.
- Reliability of financial and management reporting.
- Compliance with laws and regulations.
- Safeguarding of assets.
Management is responsible for internal control, which comprises five critical components: the control environment; risk assessment; risk-focused control activities; information and communication; and monitoring activities. Managers establish policies, processes, and practices in these five components of management control to help the organization achieve the four specific objectives listed above. Internal auditors perform audits to evaluate whether the five components of management control are present and operating effectively, and if not, provide recommendations for improvement.
In the United States, the Internal Audit Services function independently tests management’s control assertions and reports to the company’s audit committee of the board of directors.
Role in risk management
Internal auditing professional standards require the function to evaluate the effectiveness of the organization’s risk management activities. Risk management is the process by which an organization identifies, analyzes, responds to, gathers information about, and monitors strategic risks that could actually or potentially impact the organization’s ability to achieve its mission and objectives.
Under the COSO enterprise risk management (ERM) Framework, an organization’s strategy, operations, reporting, and compliance objectives all have associated strategic business risks – the negative outcomes resulting from internal and external events that inhibit the organization’s ability to achieve its objectives. Management assesses risk as part of the ordinary course of business activities such as strategic planning, marketing planning, capital planning, budgeting, hedging, incentive payout structure, credit/lending practices, mergers and acquisitions, strategic partnerships, legislative changes, conducting business abroad, etc. Sarbanes–Oxley regulations require an extensive risk assessment of financial reporting processes. Corporate legal counsel often prepares comprehensive assessments of the current and potential litigation a company faces. Internal auditors may evaluate each of these activities or focus on the overarching process used to manage risks entity-wide. For example, Internal Audit Services can advise management regarding the reporting of forward-looking operating measures to the board, to help identify emerging risks; or internal auditors can evaluate and report on whether the board and other stakeholders can have reasonable assurance the organization’s management team has implemented an effective enterprise risk management program.
In larger organizations, major strategic initiatives are implemented to achieve objectives and drive changes. As a member of senior management, the chief audit executive (CAE) may participate in status updates on these major initiatives. This places the CAE in the position to report on many of the major risks the organization faces to the audit committee or ensure management’s reporting is effective for that purpose.
The Internal Audit Services function may help the organization address its risk of fraud via a fraud risk assessment, using principles of fraud deterrence. Internal auditors may help companies establish and maintain Enterprise Risk Management processes. This process is highly valued by many businesses for establishing and implementing effective management systems and ensuring quality is maintained and professional standards are met. Internal auditors also play an important role in helping companies execute a SOX 404 top-down risk assessment. In these latter two areas, internal auditors typically are part of the risk assessment team in an advisory role.
Some of the philosophy and approach of internal auditing is derived from the work of Lawrence Sawyer. His philosophy and guidance on the role of internal audit was a forerunner of the current definition of internal auditing. It emphasized assisting management and the board in achieving the organization’s objectives through well-reasoned audits, evaluations, and analyses of operational areas. He encouraged the modern internal auditor to act as a counselor to management rather than as an adversary. Sawyer saw Internal Audit Services as active players influencing events in the business rather than criticizing all degrees of errors and mistakes. He also foresaw a more desirable auditor future involving a stronger relationship with members of the audit committee and the board and a divorce from direct reporting to the chief financial officer.
Sawyer often talked about “catching a manager doing something right” and providing recognition and positive reinforcement. Writing about positive observations in audit reports was rarely done until Sawyer started talking about the idea. He understood and forecast the benefits of providing more balanced reporting while simultaneously building better relationships. Sawyer understood the psychology of interpersonal dynamics and the need for all people to receive acknowledgment and validation for relationships to prosper.
Sawyer helped make Internal Audit Services more relevant and more interesting through a sharp focus on operational or performance auditing. He strongly encouraged looking beyond financial statements and financial-related auditing into areas such as purchasing, warehousing and distribution, human resources, information technology, facilities management, customer service, field operations, and program management. This approach helped catapult the chief audit executive into the role of a respected and knowledgeable adviser who was thought to be reasonable, objective, and concerned about helping the organization achieve the stated goals.