The Institute of Internal Auditors (IIA) defines internal audit as the “independent, objective assurance, and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Definition of an Internal Auditor: An internal auditor is a company employee who independently and objectively evaluates the organization’s operations. The role of an internal auditor is to gather relevant and objective information about the organization. An internal auditor essentially serves as the eyes and ears of the company’s senior leadership and board of directors. Their assigned work may cover any area of an organization; however, their work should be directed by the audit committee. Internal audits have historically been aligned with accounting and financial reporting audits, but there are other types of audits. The following are a few examples:
- Information Technology Audits: IT audits assess information systems and the controls around them to confirm that systems are operating securely and as intended, and that sensitive data is protected and accurate. These audits are often scoped against a regulation or framework, for example PCI DSS (Payment Card Industry Data Security Standard), ISO 27001 (or other ISO security standards), SOC (System and Organization Controls) reporting, and HIPAA (Health Insurance Portability and Accountability Act).
- Operational Audits: Operational audits may cover a variety of areas, including evaluating whether internal controls are sufficient and working as intended, whether operating procedures are being performed consistently and efficiently, and whether activities within the company comply with regulatory requirements, industry standards, and internal policies.
- Performance Audits: Performance audits are performed to evaluate an organization’s actual performance as compared with the goals and objectives set by its board of directors or members of senior leadership.
Internal Auditor vs. External Auditor
There are also several differences between an internal auditor and an external auditor, for example:
- Internal auditors are generally employees of the company, while external auditors are always third parties, independent of the organization they audit.
- Internal auditors generally do not perform a single comprehensive annual audit, but rather conduct a number of smaller focused internal audits throughout the year.
- Internal auditors generate reports for the use of management, while external audit reports are prepared for use by external entities (e.g., investors, clients, lenders, and other stakeholders).
- Internal auditors can also serve as internal consultants, whereas independence rules restrict external auditors from providing both attestation and consulting services to the same organization.
The Duties of an Internal Auditor
What are the duties of an internal auditor? That depends on the company, the particular role of the internal auditor, and what they are auditing, but at a very high level you can expect an internal auditor to:
- Objectively assess a company’s IT and/or business processes
- Assess the company’s risks and the efficacy of its risk management efforts
- Ensure that the organization is complying with relevant laws and statutes
- Evaluate internal control and make recommendations on how to improve
- Identify shortfalls or gaps in processes
- Promote ethics and help identify improper conduct
- Provide assurance that safeguards are in place and operating
- Investigate fraud
- Communicate the findings and recommendations
- Provide an opinion (unqualified, qualified, adverse, or a disclaimer of opinion)
For more information, read our blog post about what internal auditors do.
How Can an Internal Auditor be Impartial and Objective?
An internal auditor must remain objective and impartial when conducting internal audits. This can be difficult at times, because internal politics or biases can impair the objectivity of an internal auditor or auditing team. When this occurs, it limits the team’s effectiveness and reduces its value to the company. An organization can reduce this risk by making sure internal audit does not audit its own work and does not report to an individual or group that it is auditing. The internal audit function should report to the organization’s audit committee or to a board member who has oversight authority. Organizational leadership must also recognize that internal auditors need to remain impartial, and should not influence or push an internal audit toward a particular conclusion. For example, leadership should not impose assumptions on an internal audit in order to manipulate its conclusion.
How to Become an Internal Auditor
There are plenty of certifications or specialties that one can obtain related to internal audit. One could be a jack-of-all-trades and support the company through many different types of internal audits or be a focused specialist. Some examples of specialists include: HIPAA compliance auditor, certified financial auditor, certified information systems auditor, medical claims auditor, PCI compliance auditor, etc. Essentially, you can specialize in any particular discipline if it is applicable to your organization.
There are also many different types of certifications available to help increase your knowledge in a certain area, or to help a company identify the right type of auditor. Whether you are looking to enter the world of internal audit, have been working in it for a while, or are looking to hire an internal auditor, there is probably a specialized certification that aligns with your goals or the job function. Since there are so many, I am just going to touch on a couple of the larger certifications.
Certified Internal Auditor (CIA) – This certification is governed and awarded by the Institute of Internal Auditors (IIA). The IIA states on its website that the CIA designation is recognized globally as a certification for internal auditors and is considered a standard that individuals may use to demonstrate their competency as an internal auditor. The CIA exam has three parts. The IIA also provides additional specialized certifications that you may obtain, such as:
- Certification in Risk Management Assurance (CRMA),
- Certified Government Auditing Professional (CGAP), and
- Certified Process Safety Auditor (CPSA).
Certified Information Systems Auditor (CISA) – This certification is provided by the Information Systems Audit and Control Association (ISACA). The CISA designation is recognized internationally as a benchmark for competency in the audit, control, and security of information systems. It is focused on information systems and technology, and the exam is reputed to be difficult.
Why (as a Company), Should You Hire an Internal Auditor?
How can you know whether you need to hire an internal auditor? Having an internal auditor or team can help the company grow, become more efficient, maintain compliance, and identify fraud or other issues of concern. Also, when your external audit comes around (if you have one), having an internal auditor who has already verified the controls before the third party steps foot in the door relieves a lot of pressure and saves a lot of time and money.
If you are planning on hiring an internal auditor there are a few key things to keep in mind.
- Make sure that the auditor maintains strong ethical standards and integrity
- Be sure to define the scope and goals of the position — without it, the auditor and the company will not be successful.
- Allow the position to be and remain objective and impartial; an auditor who holds firm under pressure to bend or change their assessment is doing exactly what the role requires.
To learn more about the purpose of an internal audit function, read our blog post on internal audit.
Isaac Clarke is a partner at Linford & Co., LLP. He began his career with Ernst & Young in 2003 where he developed his audit expertise over a number of years. Isaac specializes in and has conducted numerous SOC 1 and SOC 2 examinations for a variety of companies—from startups to Fortune 100 companies. Isaac enjoys helping his clients understand and simplify their compliance activities. He is attentive to his clients’ needs and works meticulously to ensure that each examination and report meets professional standards.