What is an Internal Audit?
The Institute of Internal Auditors (IIA) defines internal audit as the “independent, objective assurance, and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
What is the Definition of a Certified Internal Auditor?
An internal auditor is a company employee who independently and objectively evaluates the organization’s operations. The role of an internal auditor is to gather relevant and objective information about the organization. An internal auditor essentially serves as the eyes and ears of the company’s senior leadership and board of directors. Their assigned work may cover any area of an organization; however, their work should be directed by the audit committee.
What Are the Different Types of Internal Audits?
Internal audits have historically been aligned with accounting and financial reporting audits. However, there are other types of audits. The following are a few examples of internal audit activity:
- Information Technology Audits: IT audits are performed to assess information systems to ensure that they are operating securely, and that sensitive data is secure and accurate. These audits can align with regulations and compliance frameworks, for example, PCI DSS (Payment Card Industry Data Security Standard), ISO/IEC 27001:2022 (or other ISO security standards), SOC (System and Organization Controls), and HIPAA (Health Insurance Portability and Accountability Act) compliance.
- Operational Audits: Operational audits may cover a variety of areas, including evaluating whether or not internal controls are sufficient and working as intended, whether operating procedures are being performed consistently and efficiently, and whether activities within the company comply with regulatory requirements, industry standards, and internal policies.
- Performance Audits: Performance audits are performed to evaluate an organization’s actual performance as compared with the goals and objectives set by its board of directors or members of senior leadership.
How Does an Internal Auditor Differ From an External Auditor?
There are several differences between an internal auditor and an external auditor, for example:
- Internal auditors are generally internal company employees, while external auditors are always a third party to the organization they audit.
- Internal auditors generally do not perform a single comprehensive annual audit, but rather conduct a number of smaller focused internal audits throughout the year.
- Internal auditors generate reports for the use of management, while external audit reports are prepared for use by external entities (e.g., investors, shareholders, clients, lenders, and other stakeholders).
- Internal auditors can also serve as internal consultants, whereas external auditors are prohibited from providing both attestation and consultative services to the same organization.
What is the Role of an Internal Auditor?
What does an internal auditor do? Internal auditor responsibilities and roles depend on the company, the particular type of internal auditor, and what they are auditing, but at a very high level you can expect an internal auditor to:
- Objectively assess a company’s IT and/or business processes.
- Assess the company’s risks and the efficacy of its risk management efforts.
- Ensure that the organization is complying with relevant laws and statutes.
- Evaluate internal controls that safeguard company assets and make recommendations on how to improve.
- Assess business processes within organizations to identify improvements related to the accuracy, efficiency, reliability, and quality of the process and the resulting products and services.
- Promote ethics and help identify improper conduct.
- Ensure safeguards are in place to protect the organization’s resources.
- Investigate fraud.
- Document the results of audit procedures.
- Communicate the findings, best practices, and recommendations to senior management.
- Provide opinions on the overall results of internal audits (unqualified, qualified, adverse, or disclaimer of opinion).
How Can an Internal Auditor Be Impartial and Objective?
An internal auditor must remain objective and impartial when conducting internal audits. This may be difficult at times with internal politics or biases that can impair an internal auditor or auditing team’s objectivity. When this occurs, it limits the team’s effectiveness and reduces their credibility and the value of any advice or guidance provided to the company. An organization can reduce this risk by preventing internal auditors from auditing their own work.
To the extent possible, internal auditors should not assess an individual or group that they report to (i.e., their own managers or team). While internal auditors strive to remain impartial, organizational leadership must also recognize that need. Accordingly, leadership should not influence or push internal audits toward a particular conclusion. For example, leadership should not impose assumptions on an internal audit in order to reach or manipulate a conclusion.
Who Selects the Internal Auditors?
The internal audit function should report to the organization’s audit committee or to a board of directors member who has oversight authority. The head of internal audit is appointed by the board or its audit committee. The head of internal audit appoints the internal auditors who serve within the organization, designs the structure of the team, and creates its vision and mission in accordance with the guidance of the audit committee. The roles and responsibilities related to specific internal audit activities will depend on the size and structure of the internal audit team. However, plans for the scope and frequency of internal audits will be approved by the head of internal audit.
How to Become an Internal Auditor
There are plenty of certifications or specialties that one can obtain related to internal audits. One could be a jack-of-all-trades and support the company through many different types of internal audits or be a focused specialist. Some examples of specialists include: HIPAA compliance auditor, certified financial auditor, certified information systems auditor, medical claims auditor, PCI compliance auditor, etc. Essentially, you can specialize in any particular discipline if it is applicable to your organization.
There are also many different types of certifications available to help increase your knowledge in a certain area, or to help a company identify the right type of auditor. If you are looking to enter the world of internal audit, have been working in it for a while, or are looking to hire an internal auditor, there is probably a specialized certification that aligns with your goals or the job function. Each certification has a set of requirements related to the experience and qualifications a person must have or obtain to be certified. Since there are so many, I am just going to touch on a couple of the larger certifications.
Certified Internal Auditor (CIA)
This certification is governed and awarded by the Institute of Internal Auditors (IIA). The IIA states on its website that the CIA designation is recognized globally as a certification for internal auditors and is considered a standard that individuals may use to demonstrate their competency as an internal auditor. This certification comes in three parts. The IIA also provides additional specialized certifications that you may obtain, such as:
- Certification in Risk Management Assurance (CRMA),
- Certified Government Auditing Professional (CGAP), and
- Certified Process Safety Auditor (CPSA).
Certified Information Systems Auditor (CISA)
This certification is provided by the Information Systems Audit and Control Association (ISACA). The CISA designation is recognized internationally as a benchmark for assessing one’s competency in the audit, control, and security of information systems. It is focused on information systems and technology, and some say it has a high failure rate.
How can you check if someone holds a CIA or CISA? You can use the IIA’s registry or ISACA’s registry to verify a person’s certification by their name or certification ID number.
Why (as a Company), Should You Hire an Internal Auditor?
How can you know if you need to hire an internal auditor? Having an internal auditor or team can help the company grow, become more efficient, maintain compliance, and identify fraud or other issues of concern. Also, when your external audit comes around (if you have one), having an internal auditor who has already verified all the controls before the third party sets foot in the door relieves a lot of pressure and saves a lot of time and money.
If you are planning on hiring an internal auditor there are a few key things to keep in mind.
- Make sure that the auditor maintains strong ethical standards and integrity.
- Be sure to define the scope and goals of the position — without it, the auditor and the company will not be successful.
- Allow the position to be and remain objective and impartial; an auditor being resilient under pressure to bend or change their assessment is actually a good thing.
Conclusion
While this is not an internal audit job description, hopefully it has helped you understand what an internal auditor is (some of the types of auditors, internal audit activities, internal audit roles and responsibilities, and the duties of an internal auditor or what internal auditors do) and why you should have them in your organization.
To learn more about the purpose of an internal audit function, read our blog post on internal audits. If you have any other questions regarding the audit process, or are interested in retaining the services of the audit team at Linford & Co, please contact us.
This article was originally published on 5/1/2019 and was updated on 6/7/2023.
Isaac Clarke is a partner at Linford & Co., LLP. He began his career with Ernst & Young in 2003 where he developed his audit expertise over a number of years. Isaac specializes in and has conducted numerous SOC 1 and SOC 2 examinations for a variety of companies—from startups to Fortune 100 companies. Isaac enjoys helping his clients understand and simplify their compliance activities. He is attentive to his clients’ needs and works meticulously to ensure that each examination and report meets professional standards.