What Do the Standards Say?
The internal auditing standards we will consider here are those issued by the Institute of Internal Auditors (IIA, 2007). The internationally accepted definition of internal auditing issued by the IIA is:
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
This was a step up from the previous definition, which concentrated on assurance. This definition expanded the role of internal audit to encompass consulting services. To understand the difference between assurance services and consulting services, we need a couple of definitions:
Assurance: An objective examination of the evidence for the purpose of providing an independent assessment of risk management, control, or governance processes for an organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.
Consulting: Advisery and related client service activities, the nature and scope of which are agreed with the client, and which are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.
It should be noted that the definitions of internal auditing and the standards focus on risk management, control, and governance:
Risk management: Internal audit should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.
Control: Internal audit should assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
Governance: Internal audit should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
Promoting appropriate ethics and values within the organization.
Ensuring effective organizational performance management and accountability.
Effectively communicating risk and control information to appropriate areas of the organization.
Effectively coordinating the activities and communicating information among the board, external and internal auditors, and management.