Internal audit
This page provides an introduction to internal audit. It explains what internal auditors do and how they do it providing access to a range of guidance and other reference material.
Use the links below to navigate between sections of information on this page:
What is internal auditing? What is its value to the organisation?
Internal audit essentials
Risk based internal auditing
What internal auditors do
Communication skills
Auditors are auditors – right?
What is internal auditing? What is its value to the organisation?
We all find it difficult to answer these questions.There is no simple, easily understood phrase that captures what we do.
Internal auditors help our organisations to succeed - and success looks different depending on the aims of each organisation. We do this by telling the managers and governors whether the systems and processes that make sure the organisation is on track are themselves working well. That is assurance! But, we do more than that: we also help the managers to improve those systems and processes where necessary. That is consulting!
The official Definition of Internal Auditing says all that:
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
The Institute has published two short guides to raise awareness about internal audit entitled: Transparency, Reliability, Effectiveness, Ethics published by the Global Institute and What is Internal Auditing published by the IIA - UK and Ireland.
Internal audit essentials
We have a professional duty to provide an unbiased and objective view. We must be independent from the operations we evaluate and report to the highest level in an organisation, the senior managers and the governors, i.e. the board of directors or the board of trustees, the accounting officer or the audit committee.
To be effective the internal audit activity must have qualified and skilled people who have the expereince to do things in the right way, following the Code of Ethics and the International Standards.
The nature of internal auditing, its role within the organisation and the requirements for professional practice are contained within the International Professional Practices Framework (IPPF). The components and the detailed content of the IPPF are available in the Global professional guidance area of the website. This is supported by a range of practical guidance issued by the IIA UK and Ireland.
Internal auditing qualifications provide the theory and practical experience so you perform effectively. You can see a full range of information in the qualification section of our website. Internal auditors also need to keep up to date with the latest knowledge and skills to ensure they are equipped to resolve new issues and advise on emerging risks. The Institute's continuous professional development (CPD) contains an online tool for assessing competencies and planning professional development.
Risk based internal auditing
While the responsibility for identifying and managing risks belongs to management, one of the key roles of internal audit is to provide assurance that those risks have been properly managed. Professional internal audit activity can best achieve its mission as a cornerstone of governance by positioning its work in the context of the organisation’s own risk management framework. This involves looking at the way managers identify, assess, respond to and report risks, as well as how well managers monitor how responses to risks are working.
The Institute has published An approach to implementing Risk Based Internal Auditing that set out methodologies for assessing an organisation's risk maturity, the preparation of periodic audit plans and indvidual assurance enegagements. To learn more about risk management look at our risk management page.
What internal auditors do
While every internal audit is unique, the process of internal auditing is similar for most engagements and normally consists of four stages. The diagram below briefly explains what happens during each stage and the questions and actions the internal auditor needs to address for completion.
We have issued three pieces of guidance during 2009/10 that explain how to approach unfamiliar areas of work, how to plan an audit engagement and how to gather and evaluate information. Together these documents provide the basis for conducting an audit engagement.
Communication skills
Communicating effectively is a key skill for internal auditors at all levels and the Institute has published guidance in this area entitled: Communication skills. It is a skill that requires constant practice with a need to think about who you are communicating with, the message you want to get across and the actions you want people to take
.
The Plain English campaign website is dedicated to clear and precise use of the English language. There are free guides and software, an editing service and examples of the best and worst use of English. Organisations can apply for the Crystal Mark of clarity. There is a free booklet on ‘How to write reports in Plain English’.
The AskOxford website contains a Better Writing page that includes tips and best practice with regard to spelling, grammar and plain English. This includes the ‘One Step Ahead’ series for all those who want and need to communicate more effectively in a range of real-life situations. Each title provides up-to-date practical guidance, tips, and the language tools needed to enhance your writing and speaking.
Auditors are auditors – right?
Wrong! Internal audit and external audit, while sharing some characteristics, have very different objectives. These differences are explained in the table below:
| External audit | Internal audit | |
| Reports to | Shareholders or members who are outside the organisation's governance structure | The board and senior management who are within the organisation's governance structure |
| Objectives | Add credibility and reliability to financial reports from the organisation to its stakeholders by giving an opinion on the report. | Provide members of the board and senior management with assurance that they can use to fulfil their duties to the organisation and its stakeholders by evaluating and improving the effectiveness of governance, risk management and control processes. |
| Coverage | Financial reports, financial reporting risks | All categories of risk, their management, including reporting on them. |
| Responsibility for improvement |
None – duty to report problems, although there is an added value service perception of accounting firms. |
Fundamental to the purpose of internal auditing – but done so as not to undermine the responsibility of management: advising, coaching and facilitating. |