Below you’ll find the questions that are asked most frequently regarding internal audits and what they can do for your organization.

What does internal audit do?

The core function of internal auditing, as defined by The Institute of Internal Auditors, is to provide an “independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”


Why is an internal audit important?

While the potential scope of an internal audit is broad, it ultimately seeks to provide recommendations and insights aimed at improving the effectiveness of risk management, control and governance processes through data and process analysis. An internal audit is critically important in providing assurance regarding an organization’s business practices beyond what financial risks that organization may face.


Why does an internal audit require independence?

An internal auditor is required by professional standards to have an impartial, unbiased approach to fulfilling his or her duties. Although an internal auditor cannot be entirely independent of an organization that provides payment for their work, the auditor’s overall independence is important in avoiding potential conflicts of interest that would result from closer engagement with company management. If independence or objectivity is impaired, the details must be disclosed to the appropriate persons to whom the auditor is reporting.   


How does an internal audit add value?

An internal audit is a value-added service which assists an organization achieve its objectives, primarily through the examination of risk management, governance and control processes. The value of an internal audit depends on what is being examined and how an organization intends to utilize the audit findings. An auditor may suggest process improvements or simply verify compliance with current policies, but each of these provide value to stakeholders. By providing assurance to management regarding organizational risk, an internal audit actively seeks to provide solutions that benefit the overall health and longevity of a business.


How is an internal audit conducted and what is the process?

An internal audit is typically conducted following the steps below:

1.       Communication with management regarding scope and objectives of the proposed audit

2.       Planning and development of the risk assessment/audit program.

3.       Auditor begins fieldwork, carrying out procedures to assess effectiveness of controls, compliance with internal and external policies, and identify opportunities for efficiency improvements.

4.       Auditors meet with management to discuss findings, including addressing management’s response to the findings and any further questions the organization may have.

5.       If the Internal Audit team is working with an organization beyond the initial audit engagement, they may conduct follow-up processes to discuss action implementation or further risk acceptance strategies.


Which internal audit do I need?

Due to the broad nature of internal audit’s task of assessing the effectiveness of the controls and risk management procedures of a business, the assignments given to internal auditors encompass a wider spectrum of business functions than an external audit.


Although internal audit assignments will shift focus based on management’s understanding of company needs, there are defined audit types that assess risk management and company compliance within a pre-determined framework. Listed below are some of these internal audit types and their corresponding definitions as provided by the AICPA.


Compliance Audits:

A program-specific audit or an organization-wide audit of an entity’s compliance with applicable compliance requirements.

Financial Audits:

An audit that evaluates an organization’s financial reports and financial reporting processes to provide reasonable assurance that statements are accurate and complete.

Operational Audits:

An examination of business processes and procedures intended to illuminate potential improvements that will increase both efficiency and effectiveness.

Information Technology Audits:

An audit that reviews and evaluates a company’s technological infrastructure for efficiency improvements, in addition to regulatory compliance and risk evaluation.

Can an internal audit be outsourced?

It is often beneficial for a company to outsource some or all of their internal audit work to a third-party firm. This practice is particularly beneficial in providing companies the following:

·         Reduction in employment costs for companies with a limited and/or restricted size or cash flow to necessitate internal staffing for audit functions.

·         Independent auditors may have a wider understanding of industry risk and the ability to provide expert guidance to assist in protecting the organization against them.

·         An external firm provides an internal audit opinion that is unbiased, unlike an internal department which is still functionally tied to the organization and may suffer from bias, even if unintentional in nature.


Is an internal audit mandatory?

In the United States, publicly traded companies are required to maintain an internal audit function while private companies not listed on the NYSE do not have regulatory requirements that make internal auditing compulsory. This does not mean, however, that private companies do not involve internal audit activity as an element of corporate governance, as many such companies establish internal audit shops or outsource the activity.


Who does an internal auditor report to?

Internal audit is defined as having a responsibility to provide independent and objective assurance to the organization it is serving. This responsibility, in addition to enhancing the value of the audit, restricts to whom the internal audit leader may report. The Institute of Internal Auditors (IIA) remarks that internal audit leaders may report to the board and senior management who are within the organization’s governance structure, including a company’s internal audit committee.