If you are reading this article, you are likely in the internal audit (IA) profession or looking to refine your internal audit practice. Or perhaps you are satisfied with your IA function but want to stay abreast of the topic. Whatever the case, it's always good to refresh and update your knowledge of an ever-changing and demanding organizational requirement.
The internal audit profession has undergone significant change since the New York Stock Exchange (NYSE) issued its new listing standard requiring an IA function. Companies are far more likely to have highly developed IA functions in place that address not only the NYSE standards but also the SEC’s interpretive guidance on Section 404 of the Sarbanes-Oxley (SOX) Act and PCAOB Auditing Standard No. 5 (AS5). These regulatory developments have had a significant impact on internal audit functions.
Not only are accounting and taxation rules frequently changing, but legislative issues may arise, serving as precursors to regulatory changes. Thus, an audit team should always be nimble, prepared and ready to adjust to these changes. Furthermore, new technologies, methodologies, and service provider guidance and offerings are also continuously changing, for the most part, to facilitate the role of internal auditors and their teams while reducing auditing risks.
Internal Audit: Definition and Objectives
Internal audit is an independent appraisal activity. It is established within a business or organization for the review of operations as a service to management. It is a type of managerial control that functions by examining and evaluating the effectiveness of other controls.
The objective of internal auditing is to assist management in the effective discharge of the management team’s responsibilities by furnishing it with analyses, appraisals, recommendations and relevant comments concerning reviewed activities. To fulfill the overall IA objective, we recommend taking the following seven steps, each representing a key part of the internal auditor job description.
- Review and appraise the soundness, adequacy and application of accounting, financial and other operating controls to promote effective control at a reasonable cost.
- Ascertain the extent of compliance with solid internal accounting controls, established policies and procedures and government laws and regulations, and then suggest policies and procedures or their modifications, where required.
- Determine the extent to which corporate assets are safeguarded from losses.
- Ascertain the reliability and integrity of accounting and reporting systems and recommend improvements, if any.
- Appraise the quality of performance in carrying out assigned responsibilities (economically and efficiently) by appraising functional effectiveness measured against corporate and industry standards and best practices.
- Effect cost savings by reducing external auditing fees with internal auditing, where possible.
- Participate in special projects and activities as directed by corporate management.
Internal Audit Policies
Any organization that has an internal auditor or auditing team should have an audit policy in place. The policy should establish and support the Internal Audit Department to assist management in the effective discharge of its responsibilities for the control of corporate assets. The basic functions of inspection, evaluation and reporting are constant responsibilities of the internal audit department.
The policy should state that all operating activities be audited on a scheduled, periodic basis by the corporate internal audit department to assure that financial statements and operations comply with established policies and procedures. An ad hoc audit may be required if a major internal or external change comes about that would warrant it, such as the addition of a new arm of the business or a regulatory change.
The policy should require a report that details the findings and recommendations to be furnished to management upon the conclusion of each internal audit. The internal audit department should coordinate its activities with those of the corporation’s independent public accountants. Additional features of the policy should include such facets as the coordinated efforts of the corporate management policy and the audit committee of the board of directors to establish all of the responsibilities of the internal auditor.
It should also require that the CFO respond to comments and recommendations included in the internal audit reports in writing, within a reasonable time. Many other details can be included in this general policy overview.
The Importance of Independence
Independence is essential for the effectiveness of internal auditing. Independence is obtained predominantly through organizational status and objectivity. The following are some examples of audit independence:
- The organizational status of the internal auditing function and the support accorded to it by management are key determinants of its range and value. The head of the internal auditing function should be responsible to an officer whose authority is sufficient to assure both a broad range of audit coverage, adequate consideration of, and effective action on the audit findings and recommendations.
- Objectivity is essential for independence. An internal auditor should refrain from developing and installing procedures, preparing records, or engaging in any other activity which they would normally review and appraise, nor that which could reasonably be construed to compromise their independence. Their objectivity need not be adversely affected, nevertheless, by their determination and recommendation. Control standards may be applied in the development of systems and procedures under their review.
- There should be instructions regarding independence regarding potential audit conflicts, such as limitations in scope or access to data. At the same time, every effort should be made to resolve the problem at the immediate supervisory level. Instructions on what actions to take, if not resolved, should also be included. There should be defined responsibilities for the CEO as well as the COOs and managers of each unit within the company.
It can be challenging for internal auditors to stay abreast of the many ongoing changes within the IA industry. In fact, internal auditors have been calling out enterprise risks for several years. Still, it has only been recently that the profession has begun a journey of transformation to next-generation internal audit governance, methodologies and enabling technology.
According to Protiviti’s 2022 Internal Audit Capabilities and Needs Survey, only two out of three respondents indicated that their IA organizations have fully embraced an innovation agenda.
KnowledgeLeader can help auditors looking to undertake innovation and transformation activities, serving as a hub for many of the tools and insights internal auditors employ daily. Here are just a few examples of our offerings specifically addressing the internal audit function:
The Internal Audit Risk Assessment Questionnaire tool contains three samples that provide questions organizations can use for assessing and improving their internal audit functions. Questions to consider include:
- Are there any areas that concern you and/or cause problems or backlogs?
- Where do you believe the greatest exposure for losses exists?
- Where do you feel internal audit can benefit most?
- Are qualifications/requirements and salaries appropriately set for job openings?
- Are appropriate background checks being performed?
- Are employees provided with the appropriate level of training to allow them to succeed in new positions and advance within the company?
Protiviti publishes frequently updated booklets focusing on internal audit. One example is Guide to Internal Audit: Frequently Asked Questions About Developing and Maintaining an Effective Internal Audit Function: Second Edition. This booklet is designed to be a resource that IA professionals can regularly refer to in their jobs. The publication offers detailed insights into everything from building an IA function to managing and improving the function as the organization evolves.
KnowledgeLeader often publishes articles on internal audit. One example is Internal Audit Innovation for the Next Generation. This article reflects on the true meaning of audit innovation, helping internal audit grasp the scope and speed of change in the global marketplace today.
Protiviti performs annual industry surveys to tap into the minds of audit professionals and better understand their needs and concerns. The 2022 Internal Audit Capabilities and Needs Survey (mentioned above) takes an in-depth look at the adoption of next-generation internal audit competencies such as agile auditing, artificial intelligence, machine learning, robotic process automation and continuous monitoring, among many others. It provides a detailed assessment of how internal audit groups are progressing on their next-generation journeys.
It’s encouraging to see that most internal audit functions have launched innovation and transformation activities, starting their next-generation journeys. However, more substantive progress is needed in several areas of early-stage next-generation internal audit models to mature and fulfill their massive potential.
- Two out of three internal audit functions are now engaged in or have completed innovation and transformation initiatives, a 6% increase over our 2021 results.
- A majority of internal audit groups in midsize and small organizations have undertaken or are currently undertaking innovation and transformation activities, and most of these groups are at a maturity level where the internal audit function actively encourages innovation and the exploration of new and better ways of delivering.
- Close to half of internal audit teams see a high- or medium-level return on investment (ROI) resulting from innovation and transformation initiatives, while a majority of CAEs see these levels of ROI.
In addition to the above list of offerings, KnowledgeLeader provides internal audit templates, internal audit procedures, IA data and best practices. We encourage
communication and shared engagement to continuously improve the IA practice.
Embracing the Next Generation of Internal Auditing
Now is the time to commit to the journey to evolve into a next-generation internal audit function. While this may be a long journey marked with significant challenges and undoubted setbacks, it also will be an exciting transformation with great rewards for your internal audit team and the stakeholders it serves. We invite you to join KnowledgeLeader on this journey.