The range and type of the internal auditor’s work depend on a number of factors:
To whom the chief audit executive (head of internal audit) reports.
The capability and skills of the internal auditors.
Any legislative or regulatory requirements of internal audit.
But it’s a bit like Forrest Gump when he said “Life is like a box of chocolates—you never know what you’re gonna get.” Internal auditing is a bit like that box of chocolates as the range and quality of the services are variable—and, indeed, often you really don’t know what you’re going to get.
Internal auditing is an evolving profession. It has been around for a very long time, probably since the pharaohs in Egypt. But it wasn’t until 1947—when the foremost professional body for internal auditing, the Institute of Internal Auditors (IIA), was formed—that internal auditing was set on its path to emerging as a profession.
Subsequently, professional standards and a code of ethics for internal auditing have been established, and in 1974 professional certification for internal auditing was created, with the designation Certified Internal Auditor. Over that time, the scope of internal auditing has changed significantly.
The Evolution of Internal Auditing
The evolution of how internal audit determined what it would audit can be tracked in Table 1.
|Then (up to the 1990s)||Advantages||Disadvantages|
|Areas for internal audit identified on a functional basis from historic information. Set of one-dimensional risk factors applied (high, moderate, low). Input into a model and prioritization based on risk rankings. 3- or 5-year strategic internal audit plan based on risk rankings. Annual internal audit plan based on available resources. Presented to the audit committee (but not always).||Often cyclical (every year). Well known to internal auditors. Safe approach.||Done in isolation of the business. Time-consuming. Focus on functional areas. May not be timely, relevant, or responsive. Correlation between risk rankings and internal audit plan often weak. Assumed a static organization.|
Nowadays, Table 2 could be the best representation.
|Areas for internal audit identified on a functional, cross-organizational, and strategic basis—may use the organization’s risk register. Discussed with senior management—additional internal audit areas may be added. Set of risk factors applied, input into a model, and prioritized based on risk rankings. 3-year strategic internal audit plan based on risk rankings. Annual internal audit plan based on available resources. Presented to the audit committee.||Well known to internal auditors. Done in consultation with the business. Broader scope that considers business risks. Facilitates integration of internal audit, risk management, and strategic planning. Requires strong understanding of the business.||Can be challenging. Time-consuming. May not be timely, relevant, or responsive.|
In the future Table 3 would be more accurate.
|Future (2008 onward)||Advantages||Disadvantages|
|Areas for internal audit identified on a functional, cross-organizational, and strategic basis using the organization’s risk register and other relevant information. Develop base audit plan. Discuss with senior management, including facilitated workshops—additional audit areas may be added. Develop annual or longer-term assurance plan. Develop flexible, rolling internal audit consulting plan to provide timely, relevant, and responsive services. Present to audit committee.||Done in consultation with the business. Timely, relevant, and responsive. Broader scope taking into account business risks. Facilitates integration of internal audit, risk management, and strategic planning.||Requires strong commitment from senior management. Requires discipline to ensure that the internal audit consultation process is effective. May not be well known to internal auditors.|
The point is this: The range of an internal auditor’s work will generally be related to where the he or she is currently placed in regard to these three evolutionary phases of the internal audit continuum. As we move into the more difficult methods of operating an internal audit function, the complexity of internal audit work increases, and the capability and skills of the internal auditor need to be greater. Many internal auditors are still in the early evolutionary phases of internal auditing, because the future is seen as too difficult and daunting.
- Page 1 of 3
- Next section What Do the Standards Say?