Internal audit

Internal audit


"The role of internal audit is to provide independent assurance that an organisation’s risk management, governance and internal control processes are operating effectively. Internal auditors deal with issues that are fundamentally important to the survival and prosperity of any organisation. Unlike external auditors, they look beyond financial risks and statements to consider wider issues such as the organisation’s reputation, growth, its impact on the environment and the way it treats its employees." (Chartered Institute of Internal Auditors)

The difference between internal and external audit

Internal auditors are often confused with external auditors, but there are significant differences between the two groups. Internal auditors look at all the risks facing an organisation and what is being done to manage these risks. External auditors on the other hand look at financial accounts. So internal audit’s role is broader and might, for example, include auditing the reputational risk that a company could be damaged by using cheap labour in foreign countries. It could also include auditing operational risks such as poor health and safety procedures, or strategic risks such as the board stretching company resources by producing too many products. (Chartered Institute of Internal Auditors)

Regulatory guidance

The UK Corporate Governance Code

This sets out the requirements relating to the composition and functions of the audit committee (or equivalent body). As a minimum, they must:

  • monitor the financial reporting process;
  • monitor the effectiveness of the company's internal control, internal audit, and risk management systems.

Where there is no internal audit function, the audit committee should consider annually whether there is a need for an internal audit function and make a recommendation to the board.

Where there is no internal audit function, the reasons for the absence of such a function should be explained in the relevant section of the annual report

The Sarbanes-Oxley Act (2002) (US)

Section 404 of the Act requires companies to document, evaluate, test and monitor their internal controls over financial reporting. This requires the senior management of a company to assess the design, operating effectiveness and adequacy of internal controls over financial reporting. Management often turns to internal audit to support compliance with these requirements.

Management are required to issue an annual report that addresses any material deficiencies in the company's internal controls. Section 404 also requires that the external auditor attests to assertions made by management about the effectiveness of the systems and controls.

The scope of the internal audit function

The role of internal audit can be much more varied than that of an external auditor depending on the requirements of the business.  Typically they provide assurance to internal management on issues such as:

  • the effectiveness of systems (financial, legal and operational);
  • the effectiveness of internal controls;
  • whether company procedures/manuals are being followed
  • whether internally produced information is reliable; and
  • whether the company is compliant with relevant corporate governance requirements.

In addition to the above, internal audit will carry out ad hoc assignments, as required by management, e.g.: internal fraud investigations.

Internal Audit Effectiveness

If the internal audit department is to be effective in providing assurance it needs to be:

  • sufficiently resourced, both financially and in terms of qualified, experienced staff;
  • well organised, so that it has well developed work practices; and
  • independent and objective.

This last point needs some explanation. Internal auditors are (generally) employed by the company they are reporting on and are often managed as part of the finance function. They will therefore have to report upon the effectiveness of financial systems that they form a part of. It is therefore difficult for internal audit to remain truly objective. However, acceptable levels of independence can be achieved through one, or more, of the following strategies:

  • Reporting channels separate from the management of the main financial reporting function, such as an audit committee;
  • Reviews of internal audit work by managers independent of the function under scrutiny; and
  • Outsourcing the internal audit function to a professional third party.

Outsourcing the internal audit function

In common with other areas of a company's operations, the directors may consider that outsourcing the internal audit function represents better value than an in-house provision. Local government authorities are under particular pressure to ensure that all their services represent 'best value' and this may prompt them to decide to adopt a competitive tender approach.

  • Greater focus on cost and efficiency of the internal audit function.
  • Staff may be drawn from a broader range of expertise.
  • Risk of staff turnover is passed to the outsourcing firm.
  • Specialist skills may be more readily available.
  • Costs of employing permanent staff are avoided.
  • May improve independence.
  • Access to new market place technologies, e.g. audit methodology software without associated costs.
  • Reduced management time in administering an in-house department.
  • Possible conflict of interest if provided by the external auditors (In some jurisdictions, e.g. the UK, the ethics rules specifically prohibit the external auditors from providing internal audit services).
  • Pressure on the independence of the outsourced function due to, e.g. threat by management not to renew contract.
  • Risk of lack of knowledge and understanding of the organisation's objectives, culture or business.
  • The decision may be based on cost with the effectiveness of the function being reduced.
  • Flexibility and availability may not be as high as with an in-house function.
  • Lack of control over standard of service.
  • Risk of blurring of roles between internal and external audit, losing credibility for both.
Created at 10/3/2012 2:02 PM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
Last modified at 11/2/2016 11:20 AM  by System Account  (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London

Rating :

Ratings & Comments  (Click the stars to rate the page)


Internal audit;Operational audit;value for money;financial audit;the three E's;Audit committee;Corporate governance;auditing;SOX;internal auditing;audit internal;internal auditor;auditing internal;internal auditors;internal audits

Recent Discussions

There are no items to show in this view.