Professional Documents
Culture Documents
Unit 1 Internal Audit Role
Unit 1 Internal Audit Role
SCOPE
This chapter covers the role of internal auditing and describes what it takes to become a good
auditor. The areas covered are:
1. Internal Audit 1 Review 5. Police Officer versus Consultant
2. The Audit Charter 6. Audit Competencies
3. Audit Services 7. Training and Development
4. Audit Ethics
We can analyse the IIA’s formal definition in detail by examining each of the material concepts:
‘Internal auditing’ The service is provided within the organization and is distinct from the external audit
role (but see ‘activity’ below). Years ago the IIA considered changing the name of internal auditing to
reflect the modern and increasingly professional approach. No alternative was forthcoming and the idea
was dropped.
‘Independent’ The concept of independence is fundamental. Internal auditing cannot survive if it is not
objective. All definitions of internal audit feature an element of independence, although its extent, and
how it is achieved, is a topic in its own right. The audit function must have sufficient status and be able to
stand back from the operation under review for it to be of use. If this is not achieved, then this forms a
fundamental flaw in the audit service and some internal audit functions may not be able to subscribe to
the standards.
‘Assurance and consulting’ This part of the definition refers to the fundamental shift in the role of
internal audit. The shift makes clear that the past tinkering with the advice and consulting aspect of
auditing is now a full-blown additional consultancy arm of the function. Internal audit may provide advice
and assistance to management in a way that best suits each manager’s needs. Even consulting work
should take on board the impact of risks and IIA Implementation Standard 2110.C1 says that: ‘during
consulting engagements, internal auditors should address risk consistent with the engagement’s
objectives and should be alert to the existence of other significant risks’. Meanwhile the primary role of
internal audit is to provide independent assurances that the organization is, or is not, managing risk well.
‘Activity’ The fact that the internal audit function as an activity is important. This means it is a defined
service, although not necessarily located within the organization (e.g. it may be outsourced).
‘Designed to add value’ As a service, auditing has to form a client base and understand the needs of
the organization. Here the service role should lead to a defined benefit to the organization rather than
internal audit working for its own mysterious goals. Adding value should be uppermost in the minds of
chief audit executives (CAE) and this feature should drive the entire audit process.
‘And improve an organization’s operations’ This brings into play the notion of continuous
improvement. The auditors are really there to make things better and not inspect and catch people out.
In one sense, if the CAE cannot demonstrate how the auditors improve the business, there is less reason
to resource the service.
‘It helps an organization accomplish its objectives’ The task of internal audit is set firmly around the
organization’s corporate objectives. Making an organization successful is the key driver for corporate
governance (a badly governed organization will not be successful), for risk management (where risks to
achieving objectives are the main focus) and internal controls (that seek to ensure objectives are realized).
1 of 7
Lecture notes in Internal Auditing
Moreover, it is the search for long-term corporate success that must steer the internal audit shop, or
there is little point setting up the team.
‘Systematic, disciplined approach’ Internal audit is now a full-blown profession. This means it has a
clear set of professional standards and is able to work to best practice guidelines in delivering a quality
service. One measure of this professionalism is that the organization can expect its auditors to apply a
systematic and disciplined approach to its work. Be it consulting or assurance work, IIA Performance
Standard 2040 requires that: ‘The CAE should establish policies and procedures to guide the internal audit
activity.’
‘Evaluate and improve’ We have mentioned the need to focus on making improvements in the
organization and part of this search for improvement entails making evaluations. Internal audit set what
is found during an audit against what should be present to ensure good control. This necessarily entails
the use of evaluation techniques that are applied in a professional and impartial manner to give reliable
results. Many review teams leave out the evaluation aspect of review work and simply ask a few questions
or check a few records and their results are not robust. Internal audit, on the other hand, has built into its
definition the formal use of evaluation procedures to support steps to improve operations.
‘Effectiveness’ Effectiveness is a bottom-line concept based on the notion that management is able to
set objectives and control resources in such a way as to ensure that these goals are in fact achieved. The
link between controls and objectives becomes clear, and audit must be able to understand the
fundamental needs of management as it works to its goals. The complexities behind the concept of
effectiveness are great, and by building this into the audit definition, the audit scope becomes potentially
very wide.
‘Risk management, control and governance processes’ Organizations that have not developed vigorous
systems for these matters will fail in the long run and fall foul of regulators in the short term. The internal
auditors are the only professionals who have these dimensions of corporate life as a living and breathing
component of their role. They should therefore be the first port of call for anyone who needs to get to
grips with corporate governance and IIA Performance Standard 2130 makes it clear that the internal audit
activity should assess and make appropriate recommendations for improving the governance process in
its accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organization.
• Effectively communicating risk and control information to appropriate areas of the organization.
• Effectively coordinating the activities of and communicating information among the board, external
2 of 7
Lecture notes in Internal Auditing
Compliance with laws, regulations and contracts Internal auditors should review the systems
established to ensure compliance with those policies, plans, procedures, laws, regulations and important
contracts that could have a significant impact on operations and reports, and should determine whether
the organization is in compliance.
Internal audit reviews the extent to which management has established sound systems of internal
control so that objectives are set and resources applied to these objectives in an efficient manner. This
includes being protected from loss and abuse. Adequate information systems should be established to
enable management to assess the extent to which objectives are being achieved via a series of suitable
reports. Controls are required to combat risks to the achievement of value for money and it is these areas
that internal audit is concerned with. Compliance, information systems and safeguarding assets are all
prerequisites to good value for money.
DEFINITIONS
formal definition of internal audit
SCOPE OF WORK
SERVICES
management’s responsibilities, planned
assurance work, investigations and consultancy
ACCESS
rights of access
INDEPENDENCE
cornerstone of IA: organizational status and professional standards
FIGURE 5.1 Structure of the audit charter.
KEYSTONEAUDITSERVICES—AUDITCHARTER
This audit charter sets out the role, authority and responsibilities of the internal audit function and has been
formally adopted by Keystone Ltd. on 1 January 20xx.
1. Role
Internal auditing is an independent, objective assurance and consulting activity designed to add value and
improve an organization’s operations. It helps organizations accomplish their objectives by bringing a
3 of 7
Lecture notes in Internal Auditing
systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and
governance processes. Internal audit is concerned with controls that ensure:
• reliability and integrity of financial and operating information
• effectiveness and efficiency of operations
• safeguarding of assets
• compliance with laws, regulations and contracts.
2. Responsibilities
Management is responsible for maintaining an adequate system of internal control to manage risks to the
organization. Internal audit will provide assurance services to management, the board and the audit
committee in terms of reviewing the adequacy of these systems of internal control. Internal audit will also
provide a consulting role in helping promote and facilitate the development of effective systems of risk
management and internal control. In addition, and subject to the availability of resources, audit will seek to
respond to management’s requests for investigations into matters of fraud, probity and compliance. Internal
audit will provide advice on addressing these problems, which remain the responsibility of management.
Furthermore, internal audit shall have no responsibilities over the operations that it audits over and above
the furnishing of recommendations to management. The results of consulting and ad hoc projects requested
by management will be used to inform internal audit’s position on assurances where appropriate.
3. Plans
Internal audit is required to publish an annual audit plan to the board and audit committee and perform the
audits that are contained within this plan, to the standards set out in the audit manual. Annual audit plans will
be based on the risk assessments carried out by management and the board and take into account issues
derived from the current audit strategy that is approved by the audit committee.
4. Reports
All audit reports will be cleared with the relevant management and once agreed will be copied to the
appropriate director, the audit committee and external audit. Management is expected to implement all
agreed audit recommendations within a reasonable time frame and each audit will be followed up to assess
the extent to which this has happened. The audit committee will be given a summary of audits where agreed
recommendations have not been implemented by management without reasonable explanation. The audit
committee will also receive a summary of all audits where management have decided not to implement an
audit recommendation without reasonable explanation. The overall results of audit work will be reported
quarterly to the audit committee (who in turn report to the board of directors). Internal audit is also required
to furnish an annual assurance on the state of internal control in the organization.
5. Access
Internal audit has access to all officers, buildings, information, explanations and documentation required to
discharge the audit role. Any interference with this right of access will be investigated and, if found to be
unreasonable, will be deemed a breach of organizational procedure and dealt with accordingly.
6. Independence
Internal audit is required to provide an objective audit service in line with professional auditing standards (as
embodied within the audit manual) and the auditor’s code of ethics. To this end it is essential that sufficient
independence attaches to this work for it to have any impact on Keystone Ltd. This is dependent on sufficient
organizational status and the ability to work to professional standards and the audit committee will undertake
an ongoing review of the impact of these two factors.
4 of 7
Lecture notes in Internal Auditing
products that are on offer. These may include one or more of the following possible interpretations of the
audit role. Note the following are SOME listed internal audit services selected at random from various
websites that feature internal audit shops from both private and public sector organizations:
Principles Internal auditors are expected to apply and uphold the following principles:
Integrity - The integrity of internal auditors establishes trust and thus provides the basis for reliance
on their judgement.
Objectivity -Internal auditors exhibit the highest level of professional objectivity in gathering,
evaluating, and communicating information about the activity or process being examined. Internal
auditors make a balanced assessment of all relevant circumstances and are not unduly influenced by
their own interests or by others in forming judgements.
Confidentiality - Internal auditors respect the value and ownership of information they receive and
do not disclose information without appropriate authority unless there is a legal or professional
obligation to do so.
Competency - Internal auditors apply the knowledge, skills and experience needed in the performance
of internal auditing services.
Rules of Conduct
1. Integrity
Internal auditors:
1.1 Shall perform their work with honesty, diligence, and responsibility.
1.2 Shall observe the law and make disclosures expected by the law and the profession.
1.3 Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the
profession of internal auditing or to the organization.
1.4 Shall respect and contribute to the legitimate and ethical objectives of the organization.
2. Objectivity
Internal auditors:
2.1 Shall not participate in any activity or relationship that may impair or be presumed to impair their
unbiased assessment. This participation includes those activities or relationships that may be in
conflict with the interests of the organization.
2.2 Shall not accept anything that may impair or be presumed to impair their professional judgement.
5 of 7
Lecture notes in Internal Auditing
2.3 Shall disclose all material facts known to them that if not disclosed, may distort the reporting of
activities under review.
4. Competency
Internal auditors:
4.1 Shall engage only in those services for which they have the necessary knowledge, skills and experience.
4.2 Shall perform internal auditing services in accordance with the Standards for the Professional Practice
of Internal Auditing.
4.3 Shall continually improve their proficiency and the effectiveness and quality of their services.
These are two extremes which might on the one hand mean that an audit function is imposed on
management to police the organization. Alternatively, the audit service may be more like a partnership
with audit providing professional advice in line with management’s needs. Clearly modern internal
auditing is moving towards the partnership role with management as it does not report to itself, or work
6 of 7
Lecture notes in Internal Auditing
towards its own mysterious goals. The auditor should recognize the culture that exists in the area being
audited and ensure that audit recommendations are framed in a way that fits into management’s needs.
Participative auditing means working with management rather than auditing them. This is in line with the
view that controls belong to management and they should be encouraged to maintain and improve them.
There are various ways that audit staff may be trained and developed:
1. Specialist skills training via internal or external skills workshops These can be extremely efficient in
terms of auditor development.
2. Professional training This may be based on passing examinations of a defined professional body such
as the Institute of Internal Auditors, which is a completely different form of training from skills-based
courses.
3. The trainingco-ordinator Appointing a training co-ordinator is a positive way of promoting various
training programmes, particularly where the co-ordinator can undertake some of the actual training.
4. Directed reading This is one way of encouraging auditors to research aspects of internal audit. The
department should subscribe to all relevant journals and publications.
5. Training through work Programmed audits enable audit management to ensure auditors are rotated
and exposed to a variety of audits and experiences. It is possible to designate smaller audits as ‘training
audits’ where they form part of the auditors’ personal development programme.
6. The audit review The audit review process enables audit managers and team leaders to direct the work
of junior staff and also provides experience in staff management.
7. Professional affiliations These can be part of continuing professional development (CPD) and
stimulate group discussions.
8. The audit manual This sets out the defined methods and procedures required to discharge the audit
mission.
7 of 7