The Evolution of Internal Auditing
The evolution of how internal audit determined what it would audit can be tracked in Table 1.
Table 1. The evolution of internal auditing—up to the 1990s
| Then (up to the 1990s) | Advantages | Disadvantages |
| Areas for internal audit identified on a functional basis from historic information. Set of one-dimensional risk factors applied (high, moderate, low). Input into a model and prioritization based on risk rankings. 3- or 5-year strategic internal audit plan based on risk rankings. Annual internal audit plan based on available resources. Presented to the audit committee (but not always). | Often cyclical (every year). Well known to internal auditors. Safe approach. | Done in isolation of the business. Time-consuming. Focus on functional areas. May not be timely, relevant, or responsive. Correlation between risk rankings and internal audit plan often weak. Assumed a static organization. |
Nowadays, Table 2 could be the best representation.
Table 2. The evolution of internal auditing—1990s–2008
| Now (1990s–2008) | Advantages | Disadvantages |
| Areas for internal audit identified on a functional, cross-organizational, and strategic basis—may use the organization’s risk register. Discussed with senior management—additional internal audit areas may be added. Set of risk factors applied, input into a model, and prioritized based on risk rankings. 3-year strategic internal audit plan based on risk rankings. Annual internal audit plan based on available resources. Presented to the audit committee. | Well known to internal auditors. Done in consultation with the business. Broader scope that considers business risks. Facilitates integration of internal audit, risk management, and strategic planning. Requires strong understanding of the business. | Can be challenging. Time-consuming. May not be timely, relevant, or responsive. |
In the future Table 3 would be more accurate.
Table 3. The evolution of internal auditing—2008 onward
| Future (2008 onward) | Advantages | Disadvantages |
| Areas for internal audit identified on a functional, cross-organizational, and strategic basis using the organization’s risk register and other relevant information. Develop base audit plan. Discuss with senior management, including facilitated workshops—additional audit areas may be added. Develop annual or longer-term assurance plan. Develop flexible, rolling internal audit consulting plan to provide timely, relevant, and responsive services. Present to audit committee. | Done in consultation with the business. Timely, relevant, and responsive. Broader scope taking into account business risks. Facilitates integration of internal audit, risk management, and strategic planning. | Requires strong commitment from senior management. Requires discipline to ensure that the internal audit consultation process is effective. May not be well known to internal auditors. |
The point is this: The range of an internal auditor’s work will generally be related to where the he or she is currently placed in regard to these three evolutionary phases of the internal audit continuum. As we move into the more difficult methods of operating an internal audit function, the complexity of internal audit work increases, and the capability and skills of the internal auditor need to be greater. Many internal auditors are still in the early evolutionary phases of internal auditing, because the future is seen as too difficult and daunting.
- Page 2 of 7
- Previous section Executive Summary
- Next section What Do the Standards Say?
www.qfinance.com