Internal Audit Riz.


INTERNAL AUDIT

Internal auditing is a profession and activity involved in helping
organizations achieve their stated objectives. It does this by using a
systematic methodology for analyzing business processes,
procedures and activities with the goal of highlighting
organizational problems and recommending solutions.
Professionals called internal auditors are employed by
organizations to perform the internal auditing activity.

The scope of internal auditing within an organization is broad and
may involve topics such as the efficacy of operations, the
reliability of financial reporting, deterring and investigating fraud,
safeguarding assets, and compliance with laws and regulations.

Internal auditing frequently involves measuring compliance with
the entity's policies and procedures. However, internal auditors are
not responsible for the execution of company activities; they
advise management and the Board of Directors (or similar
oversight body) regarding how to better execute their
responsibilities. As a result of their broad scope of involvement,
internal auditors may have a variety of higher educational and
professional backgrounds.

Publicly-traded corporations typically have an internal auditing
department, led by a Chief Audit Executive ("CAE") who
generally reports to the Audit Committee of the Board of
Directors, with administrative reporting to the Chief Executive
Officer.

The profession is unregulated, though there are a number of
international standard setting bodies, an example of which is the
Institute of Internal Auditors ("IIA"). The IIA has established
Standards for the Professional Practice of Internal Auditing[1] and
has over 150,000 members representing 165 countries, including
approximately 65,000 Certified Internal Auditors.

History of internal auditing

The Internal Auditing profession evolved steadily with the
progress of management science after World War II. It is
conceptually similar in many ways to financial auditing by public
accounting firms, quality assurance and banking compliance
activities. Much of the theory underlying internal auditing is
derived from management consulting and public accounting
professions. With the implementation in the United States of the
Sarbanes-Oxley Act of 2002, the profession's growth accelerated,
as many internal auditors possess the skills required to help
companies meet the requirements of the law.

Organizational independence
To perform their role effectively, internal auditors require organizational independence
from management, to enable unrestricted evaluation of management activities and
personnel. Although internal auditors are part of company management and paid by the
company, the primary customer of internal audit activity is the entity charged with
oversight of management's activities. This is typically the Audit Committee, a sub-
committee of the Board of Directors. To provide independence, most Chief Audit
Executives report to the Chairperson of the Audit Committee and can only be replaced
with the concurrence of that individual.

According to the Institute of Internal Auditors, the Internal Auditor's obligation of
Independence refers to:

1. The reporting line or status of the CAE. The Chief Audit Executive must
report to a level within the organization that allows the internal audit activity to
fulfill its responsibilities. The chief audit executive must confirm to the board, at
least annually, the organizational independence of the internal audit activity.
2. Attitude of auditors and procedures of the internal audit department. The
internal audit activity must be free from interference in determining the scope of
internal auditing, performing work, and communicating results.
3. Communication right. The chief audit executive must communicate and
interact directly with the Board of Directors.

Role in internal control

Internal auditing activity is primarily directed at improving internal control. Under the
COSO Framework, internal control is broadly defined as a process, effected by an entity's
board of directors, management, and other personnel, designed to provide reasonable
assurance regarding the achievement of objectives in the following internal control
categories:

• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with laws and regulations.

Management is responsible for internal control. Managers establish policies and
processes to help the organization achieve specific objectives in each of these categories.
Internal auditors perform audits to evaluate whether the policies and processes are
designed and operating effectively and provide recommendations for improvement.

In the United States, internal auditors may assist management with compliance with the
Sarbanes-Oxley Act (SOX).

Role in risk management

Internal auditing professional standards require the function to monitor and evaluate the
effectiveness of the organization's Risk management processes. Risk management relates
to how an organization sets objectives, then identifies, analyzes, and responds to those
risks that could potentially impact its ability to realize its objectives.

Under the COSO enterprise risk management (ERM) Framework, risks fall under
strategic, operational, financial reporting, and legal/regulatory categories. Management
performs risk assessment activities as part of the ordinary course of business in each of
these categories. Examples include: strategic planning, marketing planning, capital
planning, budgeting, hedging, incentive payout structure, and credit/lending practices.
Sarbanes-Oxley regulations also require extensive risk assessment of financial reporting
processes. Corporate legal counsel often prepares comprehensive assessments of the
current and potential litigation a company faces. Internal auditors may evaluate each of
these activities, or focus on the processes used by management to report and monitor the
risks identified. For example, internal auditors can advise management regarding the
reporting of forward-looking operating measures to the Board, to help identify emerging
risks.

In larger organizations, major strategic initiatives are implemented to achieve objectives
and drive changes. As a member of senior management, the Chief Audit Executive
(CAE) may participate in status updates on these major initiatives. This places the CAE
in the position to report on many of the major risks the organization faces to the Audit
Committee, or ensure management's reporting is effective for that purpose.

Internal auditors may help companies establish and maintain Enterprise Risk
Management processes. Internal auditors also play an important role in helping
companies execute a SOX 404 top-down risk assessment. In these latter two areas,
internal auditors typically are part of the project team in an advisory role.

Role in corporate governance

Internal auditing activity as it relates to corporate governance is generally informal,
accomplished primarily through participation in meetings and discussions with members
of the Board of Directors. Corporate governance is a combination of processes and
organizational structures implemented by the Board of Directors to inform, direct,
manage, and monitor the organization's resources, strategies and policies towards the
achievement of the organization's objectives. The internal auditor is often considered one
of the "four pillars" of corporate governance, the other pillars being the Board of
Directors, management, and the external auditor.

A primary focus area of internal auditing as it relates to corporate governance is helping
the Audit Committee of the Board of Directors (or equivalent) perform its responsibilities
effectively. This may include reporting critical internal control problems, informing the
Committee privately on the capabilities of key managers, suggesting questions or topics
for the Audit Committee's meeting agendas, and coordinating carefully with the external
auditor and management to ensure the Committee receives effective information.

Nature of the internal audit activity

Based on a risk assessment of the organization, internal auditors, management and
oversight Boards determine where to focus internal auditing efforts. Internal auditing
activity is generally conducted as one or more discrete projects. A typical internal audit
project involves the following steps:

1. Establish and communicate the scope and objectives for the audit to appropriate
management.
2. Develop an understanding of the business area under review. This includes
objectives, measurements, and key transaction types. This involves review of
documents and interviews. Flowcharts and narratives may be created if necessary.
3. Describe the key risks facing the business activities within the scope of the audit.
4. Identify control procedures used to ensure each key risk and transaction type is
properly controlled and monitored.
5. Develop and execute a risk-based sampling and testing approach to determine
whether the most important controls are operating as intended.
6. Report problems identified and negotiate action plans with management to
address the problems.
7. Follow up on reported findings at appropriate intervals. Internal audit departments
maintain a follow-up database for this purpose.

Project length varies based on the complexity of the activity being audited and Internal
Audit resources available. Many of the above steps are iterative and may not all occur in
the sequence indicated.

By analyzing and recommending business improvements in critical areas, auditors help
the organization meet its objectives. In addition to assessing business processes,
specialists called Information Technology (IT) Auditors review information technology
controls.

Internal audit reports

Internal auditors typically issue reports at the end of each audit that summarize their
findings, recommendations, and any responses or action plans from management. An
audit report may have an executive summary; a body that includes the specific issues or
findings identified and related recommendations or action plans; and appendix
information such as detailed graphs and charts or process information. Each audit finding
within the body of the report may contain five elements, sometimes called the "5 C's":

1. Condition: What is the particular problem identified?
2. Criteria: What is the standard that was not met? The standard may be a company
policy or other benchmark.
3. Cause: Why did the problem occur?
4. Consequence: What is the risk/negative outcome (or opportunity foregone)
because of the finding?
5. Corrective action: What should management do about the finding? What have
they agreed to do and by when?

The recommendations in an internal audit report are designed to help the organization
achieve its goals, which may relate to operations, financial reporting or legal/regulatory
compliance. They may relate to effectiveness (i.e., whether goals were met or compliance
with standards was achieved) or efficiency (i.e., whether the outputs were generated with
minimum inputs).

Audit findings and recommendations also relate to particular assertions about
transactions, such as whether the transactions audited were valid or authorized,
completely processed, accurately valued, processed in the correct time period, and
properly disclosed in financial or operational reporting, among other elements.

Developing the plan of engagements

Internal auditing standards require the development of a plan of audit engagements
(projects) based on a risk assessment, updated at least annually. The input of senior
management and the Board is typically included in this process. Many departments
update their plan of engagements throughout the year as risks or organizational priorities
change. This effort helps ensure the audit activity is aligned with the organization's
objectives, by answering two key questions: First, what goals are the organization trying
to accomplish in the upcoming period? Second, how can the Internal Audit Department
assist the organization in achieving these goals?

Internal auditors often conduct a series of interviews of senior management to identify
potential engagements. Changes in people, processes, or systems often generate audit
project ideas. Various documents are reviewed, such as strategic plans, financial reports,
consulting studies, etc. Further, the results of prior audits and resolution of open issues
are considered. For example, even if a business area is important, prior audit work and
the nature and status of open issues may render further audit effort unnecessary. If the
organization has a formal enterprise risk management (ERM) program, the risks
identified therein help limit the amount of separate risk assessment performed by Internal
Audit.

The preliminary plan of engagements is documented and prioritized. Audit resources and
expertise are then considered and a final plan is presented to senior management and the
Audit Committee. The presentations vary based on the needs of the stakeholders and may
include the following:

• Summary of key goals, risks and corresponding major audits, to illustrate
alignment;
• Analyses of audit effort along a variety of dimensions (e.g., by business segment,
COSO objective category, IT, Sarbanes-Oxley, vs. prior year, etc.) along with
commentary regarding changes;
• Brief description of critical projects identified;
• Projects requested but not planned for execution due to prioritization and
resources;
• Required co-sourcing effort, typically where outside expertise is required or
during peak periods;
• Coordination with other risk functions, such as legal, compliance or insurance, to
ensure coverage of key organizational risks;
• Update on audit staffing levels, experience and certification; and
• Appendix materials, such as planning approach, assumptions (e.g., days per
auditor and staffing level) and brief descriptions of all planned audits and related
prioritization.

Best Practices in Internal Auditing

Measuring the internal audit function

The measurement of the internal audit function can involve a balanced scorecard
approach. Internal audit functions are primarily evaluated based on the quality of counsel
and information provided to the Audit Committee and top management. However, this is
primarily qualitative and therefore difficult to measure. “Customer surveys” sent to key
managers after each audit project or report can be used to measure performance, with an
annual survey to the Audit Committee. Scoring on dimensions such as professionalism,
quality of counsel, timeliness of work product, utility of meetings, and quality of status
updates are typical with such surveys. Understanding the expectations of senior
management and the audit committee, and understanding how such measures help align
the audit function with organizational priorities, are important steps in developing a
performance measurement process.

Quantitative measures can also be used to measure the function’s level of execution and
qualifications of its personnel. Key measures include:

Plan completion: This is a measure of the degree to which the annual plan of
engagements is completed, measured at a point in time. This may be measured using the
number of projects completed, weighted by the planned size of each project, with
estimates for projects in-progress. Measured throughout the year, it is compared against
the percentage of the year elapsed.

Report issuance: This is a measure of the time elapsed from completion of testing to
issuance of the final audit report, including management’s action plans. This can be
measured in average days or percentage of reports issued within a certain standard, such
as 30 days. Establishing expectations for the timing of management’s response to report
recommendations is critical. In addition, the scope and degree of change involved in the
report’s action plans are key variables. For example, a report for a single retail store
requiring only the store manager’s action might take 3–5 days to issue. However, a report
consolidating findings from 20 retail stores, with action plans with national implications
determined by top management, may take 30–60 days in complex organizations.

Issue closure: Reported audit findings are often called “issues” or “deficiencies.”
Professional standards require audit functions to track reported findings to resolution,
which effectively requires the maintenance of an issues follow-up database. The number
of days that reported issues remain open, or open after their agreed-upon closure date, are
key measures. In addition, reporting database statistics such as the number of issues open
(unresolved), closed (resolved), and issues opened/closed during a given period are useful
statistics.

Staff qualifications: This can be measured through the percentage of staff with
professional certifications, graduate degrees, and overall years of experience.

Staff utilization rate: This is measured as the percentage of time spent on projects, as
opposed to administrative time such as training or vacation. Many internal audit
departments track time by audit project. This is typically captured in a database or
spreadsheet.

Staffing level: The number of positions filled relative to the authorized staffing level. Due
to the challenge of finding qualified staff, departments may have rotational programs to
bring in management to complete tours in the function or be "guest" auditors. Audit
departments also "co-source," meaning they obtain contract auditors from service
providers.
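As an added example (not part of the original document), the plan completion and issue closure measures described above computed in Python over constructed sample data; the project sizes, issue dates, reporting period and "as of" date are assumed for illustration.

```python
"""Quantitative internal audit metrics over constructed sample data (added example).

Plan completion: projects completed, weighted by planned size, with estimates for
work in progress, compared against the fraction of the year elapsed.
Issue closure: follow-up database statistics (open/closed counts, issues opened and
closed in a period, days open, and days past the agreed closure date).
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Project:
    name: str
    planned_days: float      # planned size of the engagement, in auditor-days
    pct_complete: float      # 1.0 = finished, 0.0 = not started, else an estimate


@dataclass
class Issue:
    issue_id: str
    opened: date
    agreed_close: date       # closure date negotiated with management
    closed: Optional[date] = None


def year_elapsed(as_of: date) -> float:
    """Fraction of the calendar year elapsed at as_of (leap years handled)."""
    start = date(as_of.year, 1, 1)
    year_days = (date(as_of.year + 1, 1, 1) - start).days
    return (as_of - start).days / year_days


def plan_completion(projects, as_of: date) -> dict:
    """Size-weighted plan completion compared with the fraction of the year elapsed."""
    total = sum(p.planned_days for p in projects)
    done = sum(p.planned_days * p.pct_complete for p in projects)
    completion = done / total if total else 0.0
    elapsed = year_elapsed(as_of)
    return {
        "plan_completion": round(completion, 3),
        "year_elapsed": round(elapsed, 3),
        "on_track": completion >= elapsed,
    }


def issue_closure_stats(issues, period_start: date, period_end: date) -> dict:
    """Follow-up database statistics as of period_end."""
    still_open = [i for i in issues
                  if i.opened <= period_end and (i.closed is None or i.closed > period_end)]
    resolved = [i for i in issues if i.closed is not None and i.closed <= period_end]
    opened_in_period = [i for i in issues if period_start <= i.opened <= period_end]
    closed_in_period = [i for i in issues
                        if i.closed is not None and period_start <= i.closed <= period_end]
    days_open = [(period_end - i.opened).days for i in still_open]
    # Days past the agreed closure date, for open issues whose date has already passed.
    past_due = [(period_end - i.agreed_close).days for i in still_open
                if i.agreed_close < period_end]
    return {
        "open": len(still_open),
        "closed": len(resolved),
        "opened_in_period": len(opened_in_period),
        "closed_in_period": len(closed_in_period),
        "avg_days_open": round(sum(days_open) / len(days_open), 1) if days_open else 0.0,
        "past_due": len(past_due),
        "max_days_past_due": max(past_due, default=0),
    }


# Constructed sample data (assumed values, not from any real audit plan).
SAMPLE_PROJECTS = [
    Project("Payroll controls", 20, 1.0),
    Project("Vendor master data", 40, 0.5),
    Project("Branch cash handling", 10, 0.0),
    Project("IT access review", 30, 0.25),
]
SAMPLE_ISSUES = [
    Issue("I-1", date(2024, 1, 15), date(2024, 3, 31), closed=date(2024, 3, 20)),
    Issue("I-2", date(2024, 2, 10), date(2024, 5, 31)),            # open and overdue
    Issue("I-3", date(2024, 4, 5), date(2024, 8, 31)),             # open, not yet due
    Issue("I-4", date(2024, 5, 20), date(2024, 6, 15), closed=date(2024, 6, 10)),
]
AS_OF = date(2024, 7, 1)
Q2_START, Q2_END = date(2024, 4, 1), date(2024, 6, 30)


def sample_plan_completion() -> dict:
    return plan_completion(SAMPLE_PROJECTS, AS_OF)


def sample_issue_stats() -> dict:
    return issue_closure_stats(SAMPLE_ISSUES, Q2_START, Q2_END)


if __name__ == "__main__":
    print("Plan completion:", sample_plan_completion())
    print("Issue closure (Q2):", sample_issue_stats())
```

With the sample data the plan is at 47.5% against 49.7% of the year elapsed, and one of the two open issues is 30 days past its agreed closure date.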

Developing and retaining staff

Developing and retaining quality professionals is a key concern in the profession. Key
methods for developing and retaining internal audit staff personnel include:

• Providing challenging, varied assignments
• Ensuring quality supervision
• Ensuring staff participates in projects from start to finish, to learn all phases of the
audit process
• Providing opportunities to lead (in-charge) projects, starting with more structured
projects such as Sarbanes-Oxley work
• Participating on departmental improvement task forces, such as preparation for
quality assurance review
• Participating in the recruiting and interviewing process for new hires
• Rotating through various audit teams (in larger departments) or audits of various
businesses
• Providing both outside training (e.g., seminars) and in-house training (e.g.,
company systems) for two weeks/year
• Participation in annual risk assessment activities, whether asking key questions or
just taking notes

Reporting of critical findings

The Chief Audit Executive (CAE) typically reports the most critical issues to the Audit
Committee quarterly, along with management's progress towards resolving them. Critical
issues typically have a reasonable likelihood of causing substantial financial or
reputational damage to the company. For particularly complex issues, the responsible
manager may participate in the discussion. Such reporting is critical to ensure the
function is respected, that the proper "tone at the top" exists in the organization, and to
expedite resolution of such issues. It is a matter of considerable judgment to select
appropriate issues for the Audit Committee's attention and to describe them in the proper
context.

Internal auditing and fraud investigation

Internal Auditing

Internal Auditing is an independent, objective assurance
and consulting activity designed to add value and improve an organization's operations.
It helps an organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control, and
governance processes.
— Institute of Internal Auditors

Fraud Investigation

Fraud Investigation consists of the multitude of steps
necessary to resolve allegations of fraud — interviewing witnesses, assembling evidence,
writing reports, and dealing with prosecutors and the courts.
— Association of Certified Fraud Examiners

Articles on Internal Auditing

COSO - The Framework for Internal Control:
A Strategic Approach to Internal Audits
Compiled by Mark R. Simmons, CIA CFE

In 1992, the American Institute of Certified Public Accountants, the Institute of Internal
Auditors, the American Accounting Association, the Institute of Management
Accountants and the Financial Executives Institute issued a jointly prepared body of work
entitled Internal Control - An Integrated Framework. This authoritative document
identifies the fundamental and essential objectives of any business or government entity:
economy and efficiency of operations, including safeguarding of assets and achievement
of desired outcomes; reliability of financial and management reports; and compliance
with laws and regulations.

To achieve quality, processes must first be in control. To improve quality, controlled
processes must be measured and evaluated to identify obstacles to success. Effective
internal control opens the door that leads to achievement of success. The approach
presented by the Framework goes directly to the one key issue of any business - is there
reasonable assurance of achieving our mission, objectives, goals and desired outcomes,
while adhering to laws and regulations; and can we accurately report our success and
outcomes to the public and interested third parties.

The Framework describes a unified approach for evaluation of the internal control
systems that management has designed to provide reasonable assurance of achieving the
fundamental business objectives described above.

What is Internal Control?

Internal control is a broadly defined process, effected by people, designed to provide
reasonable assurance regarding the achievement of the following three objectives that all
businesses strive for:

1. Economy and efficiency of operations, including achievement of performance goals
and safeguarding of assets against loss;

2. Reliable financial and operational data and reports; and

3. Compliance with laws and regulations

What is Needed to Help Assure the Achievement of these Primary
Business Objectives?

A. A SOUND CONTROL ENVIRONMENT

* Managers and employees who possess integrity, ethical values and competence;

* Management's philosophy and operating style;

* Proper assignment of authority and responsibility;

* Proper organization of available resources;

* Proper training and development of people; and

* Proper attention and direction from senior management.

B. A SOUND RISK ASSESSMENT PROCESS

* An awareness of and ability to deal with the risks and obstacles to successful
achievement of business objectives;

* Establishment by management of a set of objectives that integrate all the organization's
resources so that the organization operates in concert; and

* Identification, analysis and management of the risks and obstacles to successful
achievement of the three primary business objectives.

C. SOUND OPERATIONAL CONTROL ACTIVITIES

* The establishment and execution of policies and procedures to help ensure effective
implementation of the actions identified by management as being necessary to address
risks and obstacles to achievement of business objectives.

(These control activities help ensure that management's directives are carried out; occur
at all levels of the organization; and in all activities, units and functions. Examples
include authorizations, reviews of operating performance, security of assets, and
segregation of duties.)

D. A SOUND INFORMATION AND COMMUNICATIONS SYSTEM

* Information systems produce reports, containing operational, financial and compliance
related information, that make it possible to run and control a business. They deal with
internally generated data as well as the external activities, conditions and events
necessary to informed business decision making and external reporting.

* The organization's people must be able to capture and exchange the information needed
to conduct, manage and control operations.

* Pertinent information must be identified, captured and communicated in a form and
time frame that enables people to carry out their responsibilities.

* Effective communication must flow down, up and across the organization. (This
includes a clear message from top management to all personnel that control
responsibilities must be taken seriously.)

* All personnel must understand their own role in the internal control system, as well as
how their individual activities relate to the work of others.

* All personnel must have a means of communicating significant information upstream.

* There must be effective communication with external parties.

E. EFFECTIVE MONITORING

* The entire control system must be monitored to assess the quality of the system's
performance over time.
(Ongoing monitoring, which should occur in the normal course of operations, includes
such things as regular management and supervisory activities; and actions personnel take
in performing their duties.)

* Internal deficiencies should be reported upstream, with serious matters reported to top
management.

* There should also be separate, independent evaluations of the internal control system.
The scope and frequency of these independent evaluations depend primarily on the
assessment of risks and obstacles, and the effectiveness of ongoing monitoring
procedures.

Collectively, the three primary business objectives and the five components needed to
achieve those objectives constitute the internal control framework.

How Can We Assess the Effectiveness of the Internal Control System?

When looking at any one of the three primary business objectives, all five components of
the control system must be present and functioning effectively in order to conclude that
internal controls over operations are effective.

While internal control is a process, its effectiveness is a state or condition of the process
at a fixed point in time. When an internal control system meets the following standard, it
can be deemed "effective":

"Internal Control can be judged effective for each of the three business objectives if
management have reasonable assurance that they understand the extent to which the
organization's objectives are being met; financial and management reports are being
prepared reliably; and applicable laws and regulations are being complied with."

Determining whether a particular internal control system is "effective" is a subjective
judgement resulting from an assessment of whether the five components of control are
present and functioning effectively. Their effective functioning provides the "reasonable
assurance" regarding achievement of the primary objectives. The components thus form
the criteria for effective control.

Internal audits can use the Framework to focus on three different levels of control:

1. Strategic
planning, organizing and directing activities that address achieving the long range
mission and objectives of the entity under review.

2. Tactical
planning, organizing and directing activities that address achieving short term (annual)
objectives and goals of the entity under review that lead to success in achieving the
entity's strategic mission and objectives.

3. Operational
planning, organizing and directing controls that address the day-to-day operations of the
entity.

Using a survey tool based upon the five components, internal audits can be conducted at a
strategic, rather than operational, level. These strategic internal audits can be designed to
gather testimonial and documentary evidence to either support achievement of the
standard for effective internal control; or to identify to senior managers deficiencies and
improvement opportunities for achieving effective internal control. Essentially, this
means assessing planning activities; the means of measuring accomplishment; the
reliability of data used to benchmark, report and measure; and the resources used to
achieve outcomes. The Framework approach provides an ideal vehicle for adding value
to the organization.

Some specific issues that internal auditors might look at include:

• Management Plans
• Management Objectives
• Communication of Desired Outcomes and the Policies and Procedures to achieve
outcomes
• Written Standards to Measure Achievement of Desired Outcomes
• Assignment of Responsibility and Granting of Authority
• Budget vs Workloads
• Staffing Efficiency
• Communications
• Process Measurement
• Corrective Actions Taken and Measures of Success
• Outcome Measurement and Reporting Systems

To accomplish strategic internal audits most effectively, the audit process should start at
the top of the organization with interviews of senior executives. This provides for a
professional assessment at the highest levels of operation; a benchmark against which to
compare lower level strategic internal control activities; and a clear message of support
for the strategic internal audit process.

What is Internal Auditing
About the Profession

Internal Auditing is an independent, objective assurance and consulting activity designed
to add value and improve an organization's operations. It helps an organization
accomplish its objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control, and governance processes.

Managers are responsible for designing control processes that provide reasonable
assurance the following business objectives can be achieved:

• Effective and efficient operations
• Compliance with laws and regulations
• Reliable financial reporting

Internal auditors evaluate how well the control processes designed by managers function,
and therefore the extent to which managers can have reasonable assurance business
objectives will be realized. The internal audit function reports to top management and
normally has direct communication with the audit committee and the board of directors.
Because of their expertise and thorough knowledge of operations, internal auditors often
fulfill a consulting role to top management.

Statement of Responsibilities of Internal Auditing

The purpose of this statement is to provide in summary form a general understanding of
the responsibilities of internal auditing. For more specific guidance, readers should refer
to the standards for the Professional Practice of Internal Auditing.

OBJECTIVE AND SCOPE

Internal Auditing is an independent appraisal function established within an organization
to examine and evaluate its activities as a service to the organization. The objective of
internal auditing is to assist members of the organization in the effective discharge of
their responsibilities. To this end, internal auditing furnishes them with analyses,
appraisals, recommendations, counsel, and information concerning the activities
reviewed. The audit objective includes promoting effective control at reasonable cost.
The members of the organization assisted by internal auditing include those in
management and the board of directors.

The scope of internal auditing should encompass the examination and evaluation of the
adequacy and effectiveness of the organization's system of internal control and the quality
of performance in carrying out assigned responsibilities. Internal auditors should:

• Review the reliability and integrity of financial and operating information and the
means used to identify, measure, classify, and report such information.
• Review the systems established to ensure compliance with those policies, plans,
procedures, laws, and regulations which could have a significant impact on
operations and reports, and should determine whether the organization is in
compliance.
• Review the means of safeguarding assets and, as appropriate, verify the existence
of such assets.
• Appraise the economy and efficiency with which resources are employed.
• Review operations or programs to ascertain whether results are consistent with
established objectives and goals and whether the operations or programs are being
carried out as planned.

RESPONSIBILITY AND AUTHORITY

The internal auditing department is an integral part of the organization and functions
under the policies established by senior management and the board. The purpose,
authority and responsibility of the internal auditing department should be defined in a
formal written document (charter). The director of internal auditing should seek approval
of the charter by senior management as well as acceptance by the board. The charter
should make clear the purposes of the internal auditing department, specify the
unrestricted scope of its work, and declare that auditors are to have no authority or
responsibility for the activities they audit.

Throughout the world internal auditing is performed in diverse environments and within
organizations which vary in purpose, size, and structure. In addition, the laws and
customs within various countries differ from one another. These differences may affect
the practice of internal auditing in each environment. The implementation of the
Standards for the Professional Practice of Internal Auditing, therefore, will be governed
by the environment in which the internal auditing department carries out its assigned
responsibilities. Compliance with the concepts enunciated by the Standards for the
Professional Practice of Internal Auditing is essential before the responsibilities of
internal auditors can be met. As stated in the Code of Ethics, members of The Institute of
Internal Auditors, Inc. and Certified Internal Auditors shall adopt suitable means to
comply with the Standards for the Professional Practice of Internal Auditing.

INDEPENDENCE

Internal auditors should be independent of the activities they audit. Internal auditors are
independent when they can carry out their work freely and objectively. Independence
permits internal auditors to render the impartial and unbiased judgments essential to the
proper conduct of audits. It is achieved through organizational status and objectivity.

The organizational status of the internal auditing department should be sufficient to
permit the accomplishment of its audit responsibilities. The director of the internal
auditing department should be responsible to an individual in the organization with
sufficient authority to promote independence and to ensure a broad audit coverage,
adequate consideration of audit reports, and appropriate action on audit
recommendations.

Objectivity is an independent mental attitude which internal auditors should maintain in
performing audits. Internal auditors are not to subordinate their judgment on audit matters
to that of others. Designing, installing, and operating systems are not audit functions.
Also, the drafting of procedures for systems is not an audit function. Performing such
activities is presumed to impair audit objectivity.

Articles on Internal Auditing
An Overview of the Professional Practice of Internal Auditing
By Mark R. Simmons, CIA CFE

With the various activities and reviews internal auditors are being called on to perform,
and changes taking place today in the practice of internal auditing, I have lately been
thinking more and more about the way internal auditing is perceived, and how it perhaps
ought to be perceived. About twelve years ago, I was offered the opportunity to expand
my professional development by moving into an internal audit department. At the time,
having come from a background in public accounting, and having no familiarity with
internal auditing standards, if you had asked me to define "internal auditing", I probably
would have said something like "it's auditing within an organization to help safeguard
assets". I'm willing to bet that in many organizations, if you were randomly to ask
employees, managers and executives about their perception of internal auditing today,
many would tell you "it's the same thing that our external CPAs do, only it's done by
employees of the company". Others might say that "it's anything our internal auditors
do".

The purpose of this article is to examine the concept of internal auditing from the
perspective of The Standards for the Professional Practice of Internal Auditing. For a
moment, think about how important The Standards are in day to day professional internal
audit activities. Some of the routine ways internal audit professionals apply the standards
include how they plan and carry out their work, how the audit director determines what
that work will be, and how the results of their efforts are communicated. By obtaining a
clearer understanding of the essence of professional internal auditing standards, we can
develop a clearer understanding of the essence of internal auditing itself. Obtaining that
understanding is critical not only to presenting ourselves in the most professional way,
but also to clearly defining our area of expertise and thus the value we can provide to our
organizations.

The basic framework of The Standards For The Professional Practice Of Internal
Auditing consists of:

• the Statement of Responsibilities of Internal Auditing
• the Code of Ethics
• the Standards for the Professional Practice of Internal Auditing, consisting of five
general standards, twenty five specific standards, and suggested guidelines for
complying with the standards.
• the Statements on Internal Auditing Standards
• professional practice releases

Some of the key points emphasized in the introduction to The Standards are:

• the principal elements of the organization served by internal auditing are
management and the board of directors, with internal auditors owing a
responsibility to both
• "the board" means the board of directors, the audit committees of such boards,
heads of agencies or legislative bodies to whom the internal auditors report,
boards of trustees, or any other designated governing body of organizations.
• "Management" is anyone in an organization with responsibility for setting and/or
achieving objectives.
• "senior management" is the individual, or group of individuals in management to
whom the director of internal auditing is responsible.
• The purpose of The Standards is:
* to impart an understanding of the role of internal auditing
* to establish a basis for the guidance and measurement of internal auditing
performance
* to improve the practice and professionalism of internal auditing
• Compliance with the concepts enunciated by the standards is essential before the
responsibilities of internal audit can be met.

When performing internal audits, the Code of Ethics of the Institute of Internal Auditors
(IIA) requires each member of the Institute and each Certified Internal Auditor (CIA) to
adopt suitable means to comply with The Standards and to conduct internal audits in
accordance with the requirements and spirit of The Standards. This is one of the key
provisions of the Code of Ethics.

Not everything that an internal auditor might be called on to do is internal auditing. If you
are a member of the IIA and/or are a CIA, it is your responsibility to understand the
essence of what internal auditing is; to know what is, and is not, an internal auditing
activity; to distinguish internal auditing from other types of audit activity that are not
internal audits; and to distinguish internal auditing from other types of non-audit
activities that an internal auditor might be called on to perform. The following table
compares internal auditing (as defined by The Standards) with other activities performed
by internal auditors.
PROFESSIONAL INTERNAL AUDITING UNDER THE STANDARDS

A review of how managers plan, organize and direct operations, conducted by members of
the organization, to form an opinion as to whether or not management has reasonable
assurance that:

• Assets are safeguarded
• Laws, rules, regulations, policies and procedures are complied with
• Business objectives are met
• Financial and management data is accurate and reliable
• Operations are carried out efficiently and economically

OTHER AUDIT ACTIVITIES

• Contract auditing
• Compliance auditing
• Voucher auditing
• Claims auditing
• Financial statement auditing
• Performance auditing
• External auditing of other organizations
• Or any management activity associated with the planning, organizing and directing of
operations

While these all may be value-added activities that auditors perform, they do not meet the
criteria of "Internal Auditing" described by The Standards. Many, if not all, of these audit
activities are governed by other professional auditing standards, such as those of the
AICPA and the General Accounting Office; or various federal regulations such as OMB
Circular A-133.

Professional internal auditing focuses on an evaluation of the system or framework of
internal control.

As practiced under the Standards, professional internal auditing focuses on an evaluation
of the system or framework of internal control, which the Standards describe as "the
integrated collection of control systems developed by the organization to achieve its
objectives and goals". There is a very close correlation between the Standards and COSO
(for a detailed discussion, see "The Standards and the Framework", Internal Auditor,
April 1997). The primary objective of internal controls is to give managers reasonable
assurance that:

• financial and operating information is accurate and reliable
• policies, procedures, plans, laws and regulations are complied with
• assets are safeguarded against loss and theft
• resources are used economically and efficiently
• established program/operating goals and objectives will be met.

The elements of internal auditing therefore consist of :

• Appraising the reliability and integrity of financial and operating information by
evaluating the means developed by management to identify, classify, measure,
and report such information
• Appraising the systems management has established to ensure compliance with
policies, plans, procedures, laws and regulations that could have a significant
impact on operations and reports, and determining whether the organization is in
compliance
• Appraising the means management has established to safeguard assets, and, as
appropriate, verifying the existence of such assets
• Appraising the systems management has established to ensure economical and
efficient use of resources
• Appraising the systems management has established to ensure results are
consistent with established objectives/goals and operations or programs are
carried out as planned.

Although there is some degree of overlap, these five elements differ from performance
audits. The primary objective of a performance audit is to evaluate operational processes
(which may or may not include internal controls) and the related results of operations,
rather than the system of control itself (GAO Yellow Book, 1994 Revision, Chapter 2,
sections 2.6 through 2.9). While some might consider this distinction insignificant, under
the Standards, it is not the internal auditor's job to evaluate a manager's performance; to
decide what the organization's objectives and goals are, or whether they are the correct
objectives and goals. These determinations and decisions are the responsibility of
management. The SPPIA instead focuses the internal auditor primarily on forming an
opinion as to whether or not management has reasonable assurance that desired
objectives and goals are being achieved, and the degree to which controls provide the
reasonable assurance that managers need (SPPIA 300.04, 300.08, and 300.08.2.c).

When we combine the definition of internal control with the scope of internal auditing,
five possible audit objectives emerge regarding how managers plan, organize and direct
activities. Internal auditors seek to answer one or more of the following questions:

• Do controls over financial and operating data provide managers with reasonable
assurance that the financial and operating data is accurate and reliable?
• Do controls over compliance with policies, procedures, plans, laws and
regulations provide managers with reasonable assurance that proper compliance
actually occurs?
• Do controls over assets provide managers with reasonable assurance that assets
exist and are protected against loss that could result from theft, fire, improper or
illegal activities, or exposure to the elements?
• Do controls over operations provide managers with reasonable assurance that
resources are used efficiently and economically? In this context, the auditor wants
to know whether operating standards have been established for measuring
economy and efficiency; whether operating standards are understood and are
being met; whether deviations from operating standards are identified, analyzed
and communicated to those responsible for corrective action; and whether
effective corrective action has been taken.
• Do controls over operations and programs provide managers with reasonable
assurance that the operations and programs are being carried out as planned, and
that the results of operations are consistent with established goals and objectives?

To meet these audit objectives, internal auditors evaluate the things managers do to plan,
organize and direct activities and operations. The reasonable assurance that managers
need comes about when managers plan, organize and direct in such a way that in the
normal course of doing business, cost-effective actions are taken to minimize the risk that
undesired outcomes will occur, and maximize the likelihood that desired outcomes will
occur.

After examining the way managers have planned, organized and directed the activities of
the organization, the internal auditor draws conclusions about the adequacy and the
effectiveness of the controls. The internal auditor then expresses an opinion as to whether
or not the control system provides the necessary reasonable assurances. When the internal
auditor is of the opinion that weaknesses or conditions are present that significantly
reduce the likelihood that reasonable assurance exists, the internal auditor reports to
senior management:

• the condition(s) found
• criteria or standard against which the condition is being measured
• the cause(s) that produced the condition
• potential or actual effect(s) on desired outcomes; and recommendations for
corrective action that will improve the degree of reasonable assurance.

Internal auditors perform other activities, such as: contract auditing; compliance auditing;
voucher auditing; claims auditing; financial statement auditing; performance auditing;
external auditing of other organizations; and other management activities associated with
the planning, organizing and directing of operations. While these all may be value-added
activities, they do not meet the criteria of "Internal Auditing" described by the
Standards. Many, if not all, of these audit activities are governed by other standards. In
the United States, for example, these might be those of the American Institute of CPAs;
the US General Accounting Office's Government Auditing Standards; regulations and
laws of the Securities and Exchange Commission; or various other federal regulations
such as Circular A-133 of the US Office of Management and Budget. Does that mean
internal auditors should refrain from doing these other things when requested to do so?
No. But they should not confuse these other activities with internal audits; and should not
represent them as being internal audits.

What about consulting? Almost all of us at one time or another get involved in
"consulting" situations within our organizations. How does internal auditing activity
compare to consulting work?

According to studies by the IIA:

Internal Audits

• are based on past or current activities
• address management's reasonable assurance of achieving objectives
• are initiated by the Audit Director
• have the Audit Committee/Senior Management as the primary client
• are conducted primarily by members of the internal audit department
• lead to production of a standard audit report.

Consulting Activities

• are future oriented
• address implementing activities
• are initiated by a line manager
• have the line manager as the primary client
• involve staff outside the internal audit department
• yield a product or outcome other than an audit report opinion

Based on the IIA research, most internal auditors agree that the following activities are
examples of consulting:

• Business Planning
• Non-Accounting System Consulting
• Business or Project Feasibility Studies
• Accounting System Design and Implementation
• Total Quality Management

The more progressive practitioners of internal auditing have recognized the value of and
have embraced the idea that partnering with audit clients can improve significantly the
results of internal audit work. These innovative approaches and the required paradigm
shifts are endorsed by the IIA. While the Standards do not pose any impediments to their
use, additional implementation guidance is needed. This is particularly true regarding the
issue of auditor independence vis-à-vis auditing in consultation with management.
"Auditor Independence" has been a cornerstone of the profession for many years - a
carryover from internal audit's roots in public accounting. IIA studies indicate that some
practitioners, in hiding behind The Standards' guidance on independence, have needlessly
sacrificed opportunities to make significant contributions to their organizations. This is an
area requiring further study by the IIA.

These issues also have sparked some interesting observations regarding the exclusion of
compliance audits and performance audits from the "internal audit" category. The
material above briefly touches on the issue of performance audits. Regarding compliance
audits, the issue is one of focus. Further examination may serve as an example of how an
internal audit is conducted under the Standards.

The objective in a typical compliance audit is to determine whether an entity has
followed applicable laws and regulations or followed proper procedures. For example, in
an audit of a youth detention center, if government regulations require that the cafeteria
only serve items listed on a dinner menu, and the kitchen runs out of the listed ice cream
and serves pudding for dessert, a compliance audit would cite the center for failing to
follow the regulations (a ludicrous, but true example). The compliance auditor doesn't
really care about the system of internal control. In audit parlance, internal control risk is
assessed at maximum (i.e., it is assumed controls are not effective). Nor does the
compliance auditor necessarily care why a violation has occurred. The compliance
auditor's job is to identify violations or deviations, and, where necessary, impose
sanctions, withhold payments, obtain refunds, identify and report employee mistakes, etc.
This is not an internal audit; and more importantly, using this methodology to carry out
an internal audit is not a particularly efficient or effective way to identify systemic,
mission critical control problems.

An internal audit of the detention center under the Standards, however, would focus on
whether or not the management of the detention center has reasonable assurance that
significant applicable laws and regulations are being complied with. The internal auditor
would want to see evidence, for example, that management has conveyed the importance
of compliance to the employees; that employees have the necessary tools and resources to
effect compliance; that employees have been properly trained in and understand
compliance issues; that management has assessed and addressed the risks and obstacles
associated with compliance; that policies and procedures have been established to address
identified risks; that information and communications systems provide necessary data in
an accurate and timely way regarding issues associated with effective compliance; and
that monitoring activities will, in the normal course of events, identify and correct
problems, and bring significant issues to light for attention, corrective action and follow
up by higher level management. If this sounds very much like COSO, it should, since the
SPPIA and COSO are two sides of the same coin (as might be expected since the IIA is
one of the sponsoring organizations). The SPPIA actually is a framework for audit
implementation of COSO theory.

If the internal auditor determines significant weaknesses exist in the control system over
compliance, he/she may conclude that the required reasonable assurance does not exist,
and recommend corrective actions. To reinforce the need for corrective action, the
internal auditor may test for evidence of errors, omissions or other adversities associated
with non-compliance that are so serious that immediate intervention by management is
required to mitigate the resultant business risks. If the internal auditor believes the
internal control system is effective, and that as a result management has the requisite
reasonable assurance, some testing may still be done to confirm the effectiveness of the
control system (it depends on the internal auditor's assessment of his/her own risk of
arriving at an incorrect opinion).

Conclusion

We, as internal audit professionals, have to be clear about what it is we are "expert" in.
That clarity comes from the Standards. Our reason for being as a profession is to support
executive management and the board of directors in carrying out corporate governance.
We do that by providing them professional opinions about the degree to which reasonable
assurance exists that business objectives will be achieved (i.e. the state of internal
control) and by keeping them informed about critical control issues that impact on
achievement of business objectives. Does that mean we can't help operating management
do a better job in the process? No. Does that mean we hide behind the Standards and
avoid going in new directions? No. Does that mean we do whatever we feel like, or
whatever our management requests, in disregard of the Standards, and still call it
"internal auditing"? While that might appear beneficial on an individual level, we can't,
as a profession, do that either, because in the larger picture, doing so confuses, obscures
and weakens the role of our profession in corporate governance; undermines our
profession's value to those we are supposed to serve; and ultimately hurts us as a
profession. But does that mean internal auditors should refrain from doing such things
when requested to? No, it does not. However, we should not confuse these other activities
with internal audits; and we should not represent them as being internal audits.
