The Internal Audit Process
What is Internal Auditing ?
Who are Internal Auditors?
Internal auditors' roles
WHAT IS INTERNAL AUDITING?
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Evaluating emerging technologies. Analyzing opportunities. Examining global issues. Assessing risks, controls, ethics, quality, economy, and efficiency. Assuring that controls in place are adequate to mitigate the risks. Communicating information and opinions with clarity and accuracy.
Such diversity gives internal auditors a broad perspective on the organization.
And that, in turn, makes internal auditors a valuable resource to executive management and boards of directors in accomplishing overall goals and objectives as well as in strengthening internal controls and corporate governance.
Seems like a lot to ask from one organizational resource? Maybe for some, but for internal auditors, it’s all in a day’s work.
WHO ARE INTERNAL AUDITORS?
Internal auditors step up with bold ideas to solve tough problems. Continually striving for the best, constantly polishing their skills, and consistently modeling integrity and ingenuity.
Internal auditors are, to a great extent, key to an organization’s success in today’s business world. They are involved in reviewing an organization’s processes, operations, and goals. They provide objective, independent, professional advice to all levels of management and pave the path toward continuous improvement. They are explorers, reporters, and analysts. They discover, interpret, and question.
The most valuable and effective internal auditors anticipate and stay abreast of business trends and continually update their knowledge to stay on top of key issues. They are proactive, responsive, and reactive.
Internal auditors bring a variety of skills to the organization. Their education and expertise differ broadly. They come from diverse areas such as engineering, operations, finance, and information technology. And today’s internal audit professionals, regardless of their industry, have extensive knowledge of computer systems and the Internet, and work to mitigate risks posed to the organization by technology and electronic commerce.
Professional internal auditors address problems and improve performance. They help the organization function at the highest, most ethical level and constantly cast their eyes to the horizon to scan for signs of trouble. They bring to the organization a sense of well-being and comfort, providing the secure knowledge that if there are glitches, they will find them.
An organization cannot shrink its way to greatness. It must grow, and one of the keys to successful growth is effective risk management.
Risk assessment, as defined by the IIA Standards for the Professional Practice of Internal Auditing, is a systematic process, for assessing and integrating professional judgments about probable adverse conditions or events. Risk impacts an organization’s ability to compete and to maintain its financial strength and the quality of its products and services. It’s the internal auditor’s job to identify all auditable activities and relevant risk factors and to assess their significance.
The polished skills internal auditors possess assist them in accurately identifying the risks an organization faces, put a relative value on each, and keep the lines of communication open in the process. This not only fosters a close and invaluable relationship with management but also enables the auditor to anticipate emerging issues and opportunities.
Changing trends impact the way an internal auditor assesses risk. Today’s internal auditing has changed from a reactive, control-based form to one that is risk-based and proactive.
This means that greater emphasis is placed on the internal auditor’s role in mitigating risk. By focusing on effective enterprise risk management, the internal auditor not only offers remedies for current trouble areas but also anticipates problems and plays an important role on protecting the organization from catastrophes or missed opportunities in the future.
Internal auditors must be flexible to the changing tides of today’s business environment. Evaluating risk in a rapidly changing world means that auditors have to stay abreast of global and workplace issues such as mergers and acquisitions, new computer systems, and electronic commerce.
Internal auditors are in the unique position to protect their organizations from potential disasters today and in the future.
Confirming information is a critical step in the audit process, and if compromised, diminishes the value of the audit. It is the responsibility of the internal auditors to keep their organizations informed of all discoveries and research observations made during the audit process. They must be careful to keep the lines of communication open with those in the organization who are directly involved in the audit. Therefore, the importance of excellent communication skills to the professional audit practitioner cannot be overemphasized.
As internal auditors research and gather information, they must make absolutely sure it is factual and complete. They also must remain aware that senior management and the audit committee are interested in receiving constant feedback on the status of the audit process. Continuing confirmation of all information with the client assures that the audit is accurate and concise. It keeps the internal auditor focused on the material that is vital to the audit.
By confirming information with the client on a continual basis, the internal auditor can analyze information quickly and make sound and accurate judgments. Working closely with the organization results in smaller error margins and an audit that is representative and conclusive.
The confirmation process in internal auditing requires auditors to be inquisitive, speculative, and observant. Internal auditors have an aptitude for problem solving and for making sure that things are in order.
By modeling communication and making suggestions, the internal auditor operates as a team player, constantly adding value to the organization. This means today’s audit professional – a coach, not a cop – can vastly impact the effectiveness and efficiency of operations and help set the tone for ethical practices and behavior throughout the organization.
When an organization creates corporate objectives and goals, it must follow the appropriate procedures to make sure those goals are reached. Internal auditors review operations closely, confirming that the correct protocol is being followed and the goals are being met. This is vital to the organization’s health and well-being.
The internal auditors must be well versed in the objectives of their organization and have the ability to examine and analyze to make sure operations are effective. After investigating the process, they report their findings and recommend appropriate courses of action. They may also have to establish criteria, based on their objective opinion, for meeting their organization’s goals.
Competent professional internal auditors accurately interpret facts and figures of the organizational process quickly and strive for continuous improvement. Through a strong commitment to the organization’s corporate values and goals, their understanding of the “big picture” plays a crucial role in the overall success of the organization.
Today, internal auditors work closer than ever with their customers. By doing so, they can be more accurate in their recommendations and help the organization adhere more closely to its objectives. As valuable resources for internal processes and operations, internal auditors continue to prove themselves vital.
Compliance – conformity to fulfill obligations in the audit world – ensures that organizations adhere to rules and regulations. When those in an organization ignore guidelines, the structure can crumble. Part of an internal auditor’s job is to review compliance and ensure that the structure stays solid.
Management’s role is to implement policies and maintain extensive knowledge of the compliance requirements of all applicable laws, regulations, and contracts.
The internal auditors provide a valuable service to management and the Board by staying fully educated about the intricacies of, implementation strategies for, and compliance with all current regulations and such legislation as the Sarbanes-Oxley Act.
In reviewing compliance, the realm of responsibility over which internal auditors preside is large. Specifically, internal auditors are responsible for reviewing objectives, providing insight into the impact that noncompliance would have on an organization, and informing senior management of indications of significant noncompliance. In short, they make sure the base structure of an organization is strong so that it can hold steady during potentially turbulent times.
Compliance issues are always changing. As organizations alter policies, internal auditors have to be prepared to deal with the onset of new challenges. They not only need to identify areas that do not comply with policies and guidelines but also see that objectives set by management adhere to the organization’s overall mission, culture, and climate.
Whether determining if an organization fulfills its legal and ethical obligations or its members comply with the proper guidelines, internal auditors’ areas of expertise are constantly growing. By ensuring that an organization’s structure is strong and can withstand the tests of negative weathering from outside and inside, it is the internal auditors who help senior management sleep well at night.
Controls refer to ethical values, consistency in meeting goals, performance measures, and much more. Everybody within the organization – from the mailroom to the boardroom – plays an important role in internal control. Internal control is at the very center of the internal auditor’s world. It is also integral to effective corporate governance, and thereby is critical to management and the Board.
According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), internal control consists of: (1) the control environment that sets the tone of the organization, (2) risk assessment, or the identification and analysis of relevant risks, (3) the policies and procedures or control activities that help ensure management directives are carried out, (4) the identification and communication of pertinent information, and (5) a monitoring process that assesses the quality of the internal control system’s performance.
The internal auditors evaluate control efficiency and effectiveness and determine whether the controls in place are adequate to mitigate the risks that threaten or have the potential for threatening the organization.
Frameworks such as COSO provide guidelines for effective internal control implementation and monitoring.
Today, a broad array of successful internal control practices is available to practitioners who want to stay on the leading edge of the profession. Control Self-Assessment (CSA) is just one such practice. And, with advanced control implementation and, ideally, the cooperation of those throughout the organization, internal auditors can broadly address problems quickly and work to prevent disasters in the future. Modern internal auditing’s role in internal control is essential. Working in partnership with management, the internal audit function can be invaluable to every aspect of the organization.
Organizational resources are valuable. It’s in the company’s best interest to defend and guard them against potential damage. Since most holdings can be pricey and even priceless, there is a great risk of loss if they aren’t safeguarded appropriately.
Enter the internal auditors. By reviewing the means used by the organization to protect its assets, internal auditors can determine whether appropriate safeguards are in place. They must be able to evaluate the procedures used to safeguard assets from different types of losses like theft, fire, activities that are illegal or improper, and exposure to elements.
Section 404 of the Sarbanes-Oxley Act requires an annual assessment of internal control to ensure financial statement accuracy. The internal auditors fill this need by evaluating the adequacy and effectiveness of controls throughout the organization. Their work includes an examination of the reliability and integrity of financial and operational information, the effectiveness and efficiency of operations, and the ways in which the organization safeguards assets and complies with laws, regulations, and contracts. Based on their findings, the internal auditors can provide assurance to management, so that the CEO and CFO can certify, as required by law, the accuracy of the financial statements with confidence.
If the assets in an organization aren’t protected appropriately, then internal auditors must make recommendation to ensure that they are.
Assets aren’t just tangible items such as computers, printers, and copiers. Employees and information are also important assets to be safeguarded. A high turnover in staff results in loss of human assets: good, educated employees and the cost of time and training for new hires. Information, knowledge management, and information technology are just as imperative. And, as technology continues to develop, so do challenges in safeguarding it. New dimensions include product support, advisory and consulting engagements, and active involvement in the process of restructuring. Internal auditors must be accomplished in anticipating emerging issues and creating solutions.
INTERNAL AUDITORS’ ROLES
Internal auditors are grounded in professionalism, integrity, and efficiency. They make objective assessments of operations and share ideas for best practices; provide counsel for improving controls, processes and procedures, performance, and risk management; suggest ways for reducing costs, enhancing revenues, and improving profits; and deliver competent consulting, assurance, and facilitation services.
Internal auditors are well disciplined in their craft and subscribe to a professional code of ethics. They are diverse and innovative. They are committed to growing and enhancing their skills. They are continually on the lookout for emerging risks and trends in the profession. They are good thinkers. And to effectively fulfill all their roles, internal auditors must be excellent communicators who listen attentively, speak effectively, and write clearly.
Sitting on the right hand of management, modern-day internal auditors are consulted on all aspects of the organization and must be prepared for just about anything. They are coaches, internal and external stakeholder advocates, risk managers, controls experts, efficiency specialists, and problem-solving partners. They are the organization’s safety net.
It’s certainly not easy, but for these skilled and competent professionals, it’s all in a day’s work.