Primary navigation:

QFINANCE Quick Links
QFINANCE Topics
QFINANCE Reference
Add the QFINANCE search widget to your website

Home > Auditing Best Practice > What Is the Range of the Internal Auditor’s Work?

Auditing Best Practice

What Is the Range of the Internal Auditor’s Work?

by Andrew Cox
You have recommended this article

Executive Summary

The range and type of the internal auditor’s work depend on a number of factors:

But it’s a bit like Forrest Gump when he said “Life is like a box of chocolates—you never know what you’re gonna get.” Internal auditing is a bit like that box of chocolates as the range and quality of the services are variable—and, indeed, often you really don’t know what you’re going to get.

Introduction

Internal auditing is an evolving profession. It has been around for a very long time, probably since the pharaohs in Egypt. But it wasn’t until 1947—when the foremost professional body for internal auditing, the Institute of Internal Auditors (IIA), was formed—that internal auditing was set on its path to emerging as a profession.

Subsequently, professional standards and a code of ethics for internal auditing have been established, and in 1974 professional certification for internal auditing was created, with the designation Certified Internal Auditor. Over that time, the scope of internal auditing has changed significantly.

The Evolution of Internal Auditing

The evolution of how internal audit determined what it would audit can be tracked in Table 1.

Table 1. The evolution of internal auditing—up to the 1990s

Then (up to the 1990s) Advantages Disadvantages
Areas for internal audit identified on a functional basis from historic information.   Set of one-dimensional risk factors applied (high, moderate, low).   Input into a model and prioritization based on risk rankings.   3- or 5-year strategic internal audit plan based on risk rankings.   Annual internal audit plan based on available resources.   Presented to the audit committee (but not always). Often cyclical (every year).   Well known to internal auditors.   Safe approach. Done in isolation of the business.   Time-consuming.   Focus on functional areas.   May not be timely, relevant, or responsive.   Correlation between risk rankings and internal audit plan often weak. Assumed a static organization.

Nowadays, Table 2 could be the best representation.

Table 2. The evolution of internal auditing—1990s–2008

Now (1990s–2008) Advantages Disadvantages
Areas for internal audit identified on a functional, cross-organizational, and strategic basis—may use the organization’s risk register.   Discussed with senior management—additional internal audit areas may be added.   Set of risk factors applied, input into a model, and prioritized based on risk rankings.   3-year strategic internal audit plan based on risk rankings.   Annual internal audit plan based on available resources.   Presented to the audit committee. Well known to internal auditors.   Done in consultation with the business.   Broader scope that considers business risks.   Facilitates integration of internal audit, risk management, and strategic planning.     Requires strong understanding of the business. Can be challenging.   Time-consuming.   May not be timely, relevant, or responsive.

In the future Table 3 would be more accurate.

Table 3. The evolution of internal auditing—2008 onward

Future (2008 onward) Advantages Disadvantages
Areas for internal audit identified on a functional, cross-organizational, and strategic basis using the organization’s risk register and other relevant information.   Develop base audit plan.   Discuss with senior management, including facilitated workshops—additional audit areas may be added.   Develop annual or longer-term assurance plan.   Develop flexible, rolling internal audit consulting plan to provide timely, relevant, and responsive services. Present to audit committee. Done in consultation with the business.   Timely, relevant, and responsive.   Broader scope taking into account business risks.   Facilitates integration of internal audit, risk management, and strategic planning. Requires strong commitment from senior management.   Requires discipline to ensure that the internal audit consultation process is effective.   May not be well known to internal auditors.

The point is this: The range of an internal auditor’s work will generally be related to where the he or she is currently placed in regard to these three evolutionary phases of the internal audit continuum. As we move into the more difficult methods of operating an internal audit function, the complexity of internal audit work increases, and the capability and skills of the internal auditor need to be greater. Many internal auditors are still in the early evolutionary phases of internal auditing, because the future is seen as too difficult and daunting.

Back to Table of contents

Further reading

Books:

  • Australian National Audit Office. Public Sector Audit Committees: Having the Right People is the Key. Canberra: Australian National Audit Office, 2005.
  • Australian National Audit Office. Public Sector Internal Audit—An Investment in Assurance and Business Improvement. Canberra: Australian National Audit Office, 2007.
  • Picket, K. H. Spencer. Audit Planning: A Risk-Based Approach. Hoboken, NJ: Wiley, 2006.
  • Reding, Kurt F., Paul J. Sobel, Unton L. Anderson, Michael J. Head, Sridhar Ramamoorti, and Mark Salamasick. Internal Auditing: Assurance and Consulting Services. Altamonte Springs, FL: IIA Research Foundation, 2007.
  • Sawyer, Lawrence B., Mortimer A. Dittenhofer, and James H. Scheiner. Sawyer’s Internal Auditing: The Practice of Modern Internal Auditing. 5th ed. Altamonte Springs, FL: IIA Research Foundation, 2003.

Standards:

Website:

Back to top

Share this page

  • Facebook
  • Twitter
  • LinkedIn
  • Bookmark and Share