What Do the Standards Say?
The internal auditing standards we will consider here are those issued by the Institute of Internal Auditors (IIA, 2007). The internationally accepted definition of internal auditing issued by the IIA is:
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
This was a step up from the previous definition, which concentrated on assurance. This definition expanded the role of internal audit to encompass consulting services. To understand the difference between assurance services and consulting services, we need a couple of definitions:
Assurance: An objective examination of the evidence for the purpose of providing an independent assessment of risk management, control, or governance processes for an organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.
Consulting: Advisory and related client service activities, the nature and scope of which are agreed with the client, and which are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.
It should be noted that the definitions of internal auditing and the standards focus on risk management, control, and governance:
Risk management: Internal audit should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.
Control: Internal audit should assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
Governance: Internal audit should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
Promoting appropriate ethics and values within the organization.
Ensuring effective organizational performance management and accountability.
Effectively communicating risk and control information to appropriate areas of the organization.
Effectively coordinating the activities and communicating information among the board, external and internal auditors, and management.
What Type of Work?
So, what should be the range and type of work carried out by internal audit for an organization? The IIA believes that the work and methods of internal audit should encompass:
Conducting enterprise risk assessment.
Utilizing risk and control self-assessment.
Using internal control processes based on COSO (Committee of Sponsoring Organizations) guidelines.
Partnering with management.
Integrating corporate governance into practice.
Increasing staff performance.
Communicating more effectively.
Developing staff, both personally and professionally.
Using technology to increase staff efficiency.
Establishing an assurance function.
Providing consulting services.
Conducting audits in emerging areas.
Utilizing performance measures.
This leads to the types of internal audit provided by the internal audit function, which may include some or all of the following:
Compliance audit: The review of both financial and operating controls and transactions to see how they conform with established laws, standards, regulations, and procedures.
Financial audit: The examination of the financial records and reports of a company to verify that the figures in the financial reports are relevant, accurate, and complete. The general focus is on making sure that all assets and liabilities are properly recorded on the balance sheet, and that the statement of income and expenses is correct.
Information technology (IT) audit: A review of the controls within an entity’s technology infrastructure. These reviews are typically performed in conjunction with a financial statement audit, internal audit review, or other form of attestation engagement.
On-demand audit: A request for an internal audit initiated by the board, audit committee, or management in response to their particular concerns, and which has not been scheduled in the internal audit plan of work. It may also be known as a management-initiated review.
Operational audit: Sometimes called program or performance audits, these examine the use of resources to evaluate whether those resources are being used in the most efficient and effective way to fulfill an organization’s objectives. An operational audit may include elements of a compliance audit, a financial audit, and an information systems audit. This term is mainly used in the private sector.
Performance audit: The independent and systematic examination of the management of an organization, program, or function for the purpose of identifying whether the management is being carried out in an efficient and effective manner, and whether management practices promote improvement. This term is mainly used in the public sector, and a performance audit may be the same as or similar to an operational audit.
Quality audit: The systematic examination and evaluation of all activities related to the quality of a product or service, to determine the suitability and effectiveness of the activities to meet quality goals.
Value for money (VFM) audit: An examination of how resources are allocated and utilized. The audit is concerned with interrelated concepts of efficiency, effectiveness, economy, and organizational outcomes. VFM audits are more common in the public sector than the private sector since the profit criterion is lacking in the public sector, and they may be the same as or similar to a performance audit.