What Is the Range of the Internal Auditor’s Work?

by Andrew Cox

Executive Summary

The range and type of the internal auditor’s work depend on a number of factors:

But it’s a bit like Forrest Gump when he said “Life is like a box of chocolates—you never know what you’re gonna get.” Internal auditing is a bit like that box of chocolates as the range and quality of the services are variable—and, indeed, often you really don’t know what you’re going to get.

Introduction

Internal auditing is an evolving profession. It has been around for a very long time, probably since the pharaohs in Egypt. But it wasn’t until 1947—when the foremost professional body for internal auditing, the Institute of Internal Auditors (IIA), was formed—that internal auditing was set on its path to emerging as a profession.

Subsequently, professional standards and a code of ethics for internal auditing have been established, and in 1974 professional certification for internal auditing was created, with the designation Certified Internal Auditor. Over that time, the scope of internal auditing has changed significantly.

The Evolution of Internal Auditing

The evolution of how internal audit determined what it would audit can be tracked in Table 1.

Table 1. The evolution of internal auditing—up to the 1990s

Then (up to the 1990s):

  • Areas for internal audit identified on a functional basis from historic information.
  • Set of one-dimensional risk factors applied (high, moderate, low).
  • Input into a model and prioritization based on risk rankings.
  • 3- or 5-year strategic internal audit plan based on risk rankings.
  • Annual internal audit plan based on available resources.
  • Presented to the audit committee (but not always).

Advantages:

  • Often cyclical (every year).
  • Well known to internal auditors.
  • Safe approach.

Disadvantages:

  • Done in isolation of the business.
  • Time-consuming.
  • Focus on functional areas.
  • May not be timely, relevant, or responsive.
  • Correlation between risk rankings and internal audit plan often weak.
  • Assumed a static organization.

Nowadays, Table 2 could be the best representation.

Table 2. The evolution of internal auditing—1990s–2008

Now (1990s–2008):

  • Areas for internal audit identified on a functional, cross-organizational, and strategic basis—may use the organization’s risk register.
  • Discussed with senior management—additional internal audit areas may be added.
  • Set of risk factors applied, input into a model, and prioritized based on risk rankings.
  • 3-year strategic internal audit plan based on risk rankings.
  • Annual internal audit plan based on available resources.
  • Presented to the audit committee.

Advantages:

  • Well known to internal auditors.
  • Done in consultation with the business.
  • Broader scope that considers business risks.
  • Facilitates integration of internal audit, risk management, and strategic planning.

Disadvantages:

  • Requires strong understanding of the business.
  • Can be challenging.
  • Time-consuming.
  • May not be timely, relevant, or responsive.

In the future Table 3 would be more accurate.

Table 3. The evolution of internal auditing—2008 onward

Future (2008 onward):

  • Areas for internal audit identified on a functional, cross-organizational, and strategic basis using the organization’s risk register and other relevant information.
  • Develop base audit plan.
  • Discuss with senior management, including facilitated workshops—additional audit areas may be added.
  • Develop annual or longer-term assurance plan.
  • Develop flexible, rolling internal audit consulting plan to provide timely, relevant, and responsive services.
  • Present to audit committee.

Advantages:

  • Done in consultation with the business.
  • Timely, relevant, and responsive.
  • Broader scope taking into account business risks.
  • Facilitates integration of internal audit, risk management, and strategic planning.

Disadvantages:

  • Requires strong commitment from senior management.
  • Requires discipline to ensure that the internal audit consultation process is effective.
  • May not be well known to internal auditors.

The point is this: The range of an internal auditor’s work will generally be related to where he or she is currently placed in regard to these three evolutionary phases of the internal audit continuum. As we move into the more difficult methods of operating an internal audit function, the complexity of internal audit work increases, and the capability and skills of the internal auditor need to be greater. Many internal auditors are still in the early evolutionary phases of internal auditing, because the future is seen as too difficult and daunting.

What Do the Standards Say?

The internal auditing standards we will consider here are those issued by the Institute of Internal Auditors (IIA, 2007). The internationally accepted definition of internal auditing issued by the IIA is:

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

This was a step up from the previous definition, which concentrated on assurance. This definition expanded the role of internal audit to encompass consulting services. To understand the difference between assurance services and consulting services, we need a couple of definitions:

Assurance: An objective examination of the evidence for the purpose of providing an independent assessment of risk management, control, or governance processes for an organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.

Consulting: Advisory and related client service activities, the nature and scope of which are agreed with the client, and which are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.

It should be noted that the definitions of internal auditing and the standards focus on risk management, control, and governance:

Risk management: Internal audit should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.

Control: Internal audit should assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

Governance: Internal audit should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

  • Promoting appropriate ethics and values within the organization.

  • Ensuring effective organizational performance management and accountability.

  • Effectively communicating risk and control information to appropriate areas of the organization.

  • Effectively coordinating the activities and communicating information among the board, external and internal auditors, and management.

What Type of Work?

So, what should be the range and type of work carried out by internal audit for an organization? The IIA believes that the work and methods of internal audit should encompass:

  • Conducting enterprise risk assessment.

  • Utilizing risk and control self-assessment.

  • Using internal control processes based on COSO (Committee of Sponsoring Organizations) guidelines.

  • Partnering with management.

  • Integrating corporate governance into practice.

  • Increasing staff performance.

  • Communicating more effectively.

  • Developing staff, both personally and professionally.

  • Using technology to increase staff efficiency.

  • Establishing an assurance function.

  • Providing consulting services.

  • Conducting audits in emerging areas.

  • Utilizing performance measures.

This leads to the types of internal audit provided by the internal audit function, which may include some or all of the following:

Compliance audit: The review of both financial and operating controls and transactions to see how they conform with established laws, standards, regulations, and procedures.

Financial audit: The examination of the financial records and reports of a company to verify that the figures in the financial reports are relevant, accurate, and complete. The general focus is on making sure that all assets and liabilities are properly recorded on the balance sheet, and that the statement of income and expenses is correct.

Information technology (IT) audit: A review of the controls within an entity’s technology infrastructure. These reviews are typically performed in conjunction with a financial statement audit, internal audit review, or other form of attestation engagement.

On-demand audit: A request for an internal audit initiated by the board, audit committee, or management in response to their particular concerns, and which has not been scheduled in the internal audit plan of work. It may also be known as a management-initiated review.

Operational audit: Sometimes called program or performance audits, these examine the use of resources to evaluate whether those resources are being used in the most efficient and effective way to fulfill an organization’s objectives. An operational audit may include elements of a compliance audit, a financial audit, and an information systems audit. This term is mainly used in the private sector.

Performance audit: The independent and systematic examination of the management of an organization, program, or function for the purpose of identifying whether the management is being carried out in an efficient and effective manner, and whether management practices promote improvement. This term is mainly used in the public sector, and a performance audit may be the same as or similar to an operational audit.

Quality audit: The systematic examination and evaluation of all activities related to the quality of a product or service, to determine the suitability and effectiveness of the activities to meet quality goals.

Value for money (VFM) audit: An examination of how resources are allocated and utilized. The audit is concerned with interrelated concepts of efficiency, effectiveness, economy, and organizational outcomes. VFM audits are more common in the public sector than the private sector since the profit criterion is lacking in the public sector, and they may be the same as or similar to a performance audit.

What Influences the Type of Work?

The range and type of the internal auditor’s work depend on a number of factors:

The mandate for internal audit contained in the internal audit charter: This is what the audit committee and the organization want internal audit to do. Although ideally this should include both assurance services and consulting services, it is true to say that some audit committees and management believe that internal audit should not stray from its roots of providing assurance, so in some organizations the internal audit charter has focused only on the provision of assurance services. This attitude peaked following the corporate collapses of the 1990s. However, more enlightened audit committees and management of today seek a more comprehensive internal auditing service for the organization. This has the potential to add a lot of value, rather than just reporting what is wrong in compliance and financial areas.

To whom the chief audit executive reports: The chief audit executive should report to the audit committee functionally and for operations, and to the chief executive officer for administration. Where a chief audit executive may have other reporting arrangements—for example to a chief executive officer for operations and administration, or worse, to a chief financial officer—there is a risk that internal audit may lose a measure of its independence. This has the potential to impact negatively on the range and type of work to be performed by internal audit.

The capability and skills of the internal auditors: As the work of internal audit moves toward more difficult methods of operating, the complexity of internal audit work increases. This means that the capability and skills of the internal auditor need to be greater, and many internal auditors see this as a quantum leap so great that they prefer to remain comfortable where they are.

Any legislative or regulatory requirements of internal audit: The work of internal audit will nearly always have a role to provide assurance of legislative and regulatory compliance; this is an important role that should never be forgotten.

Case Study

Designing a Comprehensive Internal Audit Plan

A large public sector organization with a significant commitment to internal auditing provided sufficient funds to resource an internal audit function of 25,000 audit hours each year. The audit committee wanted an annual internal audit plan of work that provided assurance and examined how well the organization was operating, but which was also responsive to the changing needs and risks of the organization. The risk-based annual internal audit plan of work that the chief audit executive designed to achieve this is summarized in Table 4.

Table 4. The chief audit executive’s risk-based annual internal audit plan

| Audit type | Service type | Cyclical 12 months scheduled hours | Rolling 6 months scheduled hours | Rolling 3 months reserve hours | Rolling 3 months unassigned hours | Annual total hours |
|---|---|---|---|---|---|---|
| Compliance | Assurance | 6,000 | 0 | 0 | 0 | 6,000 |
| | Consulting | 0 | 0 | 0 | 0 | |
| Financial | Assurance | 750 | 2,500 | 1,000 | 500 | 5,000 |
| | Consulting | 250 | 0 | 0 | 0 | |
| IT | Assurance | 3,000 | 0 | 0 | 0 | 6,000 |
| | Consulting | 3,000 | 0 | 0 | 0 | |
| Performance | Assurance | 0 | 0 | 0 | 0 | 5,000 |
| | Consulting | 500 | 2,500 | 1,000 | 1,000 | |
| Internal audit planning | | 500 | 0 | 0 | 0 | 500 |
| Audit monitor and follow-up | | 500 | 0 | 0 | 0 | 500 |
| Audit committee | | 500 | 0 | 0 | 0 | 500 |
| External audit coordination | | 1,500 | 0 | 0 | 0 | 1,500 |
| Total | | | | | | 25,000 |

Rather than have a static annual internal audit plan, the plan shown in the table was designed to cover an 18-month period with a refresher every six months so that workflows could be smoothed and work allocated to internal auditors continuously. The plan encompassed the following areas:

  • Cyclical 12 months scheduled: For high-risk areas worthy of annual internal audit attention.

  • Rolling 6 months scheduled: Higher-risk areas scheduled for periodic or one-off internal audits.

  • Rolling 3 months reserve: Areas held in reserve in case of postponement or cancellation of other internal audits.

  • Rolling 3 months unassigned: Reserved for on-demand internal audits initiated by management for emerging business issues and risks.

Conclusion

The range and type of the internal auditor’s work depend on a number of factors:

Making It Happen

Chief audit executives should look to their audit committee and management for guidance on the range and type of work to be performed by the internal audit function. However, the chief audit executive, as an internal audit professional, should be using his or her knowledge and experience to identify and influence the formulation of a risk-based internal audit plan of work that best provides for the needs of the organization. This is likely to be a blended plan of internal audit work that encompasses both assurance services and consulting services:

Assurance Services

  • Part of the overall internal audit plan of work.

  • Annual or longer-term focus.

  • Risk-based.

  • May include cyclical internal audits of higher-risk areas.

  • Need to consider legislative and regulatory requirements.

  • Need to consider external audit to avoid duplication of audit effort.

  • Estimated hours for audit topics assessed from previous internal audits (structured gut feel).

  • Focus on compliance, financial issues and risks, financial controls, and IT reviews.

Consulting Services

  • Part of the overall internal audit plan of work.

  • Flexible, rolling focus—rather than fixed in time.

  • Risk-based and customer-focused.

  • If limited previous data are available, estimate hours needed for internal audit topics on the basis of the best available information and past experience (unstructured gut feel).

  • Focus on current and emerging business issues and risks, and system under development reviews.

Further reading

Books:

  • Australian National Audit Office. Public Sector Audit Committees: Having the Right People is the Key. Canberra: Australian National Audit Office, 2005.
  • Australian National Audit Office. Public Sector Internal Audit—An Investment in Assurance and Business Improvement. Canberra: Australian National Audit Office, 2007.
  • Pickett, K. H. Spencer. Audit Planning: A Risk-Based Approach. Hoboken, NJ: Wiley, 2006.
  • Reding, Kurt F., Paul J. Sobel, Urton L. Anderson, Michael J. Head, Sridhar Ramamoorti, and Mark Salamasick. Internal Auditing: Assurance and Consulting Services. Altamonte Springs, FL: IIA Research Foundation, 2007.
  • Sawyer, Lawrence B., Mortimer A. Dittenhofer, and James H. Scheiner. Sawyer’s Internal Auditing: The Practice of Modern Internal Auditing. 5th ed. Altamonte Springs, FL: IIA Research Foundation, 2003.
