The Scope of Internal Audit
Contemporary internal auditing provides assurance to management and to the board, and also offers consulting services. The nature of both these services should be set out in the internal audit charter. The two services overlap: an assurance audit is likely to lead to advice on making improvements; consulting work may reveal issues that have to be taken up by internal audit in the context of its assurance role. Of the two, assurance is the core role, but some would argue that not to offer consulting services would now be inconsistent with professional internal auditing standards and would miss an opportunity to add value.
There should be no no-go areas for internal audit assurance as this limits the assurance that internal audit is able to provide; where there are no-go areas (i.e. restrictions of scope) the implications need to be clearly understood by those who rely on the assurance that internal audit gives.
Unlimited scope for internal audit includes the authority to audit across the operational areas of the business, not just within accounting and finance, and at all levels. An emerging issue is whether internal audit is able to provide assurance to boards themselves that the policies of boards are being implemented by management and that there are no banana skins round the corner, unknown to the board, on which the company may slip in the future.
Consulting services by internal auditors may include the provision of counsel and advice, of facilitation (such as facilitating control self-assessment workshops of managers and staff), or of training services. Internal auditors avoid assuming any management responsibilities as part of their consulting services, neither would they take on responsibility for designing processes except in an advisory capacity. One reason is that internal auditors need to be independent of management processes in order to be able to audit those processes objectively.
Internal auditors will undertake consulting work only when both internal audit and the client consider this to be justified. On the other hand, the management of a business activity should not be allowed to prevent an assurance audit from taking place.
“The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan.”3
More and more heads of internal audit are being asked not just to report the results of individual audits but also to provide overall assurance opinions, annually or more frequently, to top management and to boards or their audit committees. This makes it more important that internal audit optimizes the utilization of its scarce internal audit resources—in order to maximize the reliability of the overall opinion that internal audit gives.
Internal audit should plan its program of audits annually, based on a risk assessment which makes use of inputs from management and from the board or the board’s audit committee. Internal audit should map its plan of audits to management’s own risk map or risk register. But a proportion of internal audit time should be set aside to “look round the corners” that top management are not looking around in case there are major unnoticed or concealed risks. Not all critical risks may be on top management’s radar screen, and so value is added when internal audit spends a proportion of its available time auditing in areas of the business that are not perceived to carry significant risks.
While the future plan of audits will be determined annually, the internal audit function should have a longer perspective on audit coverage that takes into account audit work done over previous years and earmarked to be done over the next three years or so. The chief audit executive should consider the extent to which work done in earlier years can be utilized in coming to the overall assurance opinion.