According to the Institute of Internal Auditors (IIA):
“internal auditing is an independent, objective assurance, and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Our Definition of Certified Internal Auditor: Generally speaking, an internal auditor is an employee of a company that provides independent and objective evaluations of a company’s operations. Historically, internal auditing has been aligned with financial audits, but there are other types of audits as well. Here are few quick examples:
- Information Technology Audits: Evaluate information systems to ensure that sensitive data is protected and accurate and the system operates securely. These audits can align with regulations and compliance, for example PCI, ISO, SOC, and HIPAA.
- Operation Audits: Assess whether internal controls are sufficient and working as intended, and operating procedures are efficient and complete.
- Financial Audits: Determine the fairness of the presentation of financial data.
- Performance Audits: Determine whether an organization is meeting the goals and objectives defined by senior leadership or the board of directors.
Internal Auditor vs External Auditor
There are also many differences between and internal auditor and an external auditor, for example:
- Internal audits are generally not a single annual audit, but rather conducted throughout the year.
- Internal auditors are generally internal company employees while external auditors are always a third-party to the organization and their clients.
- Internal audit reports are used by management, while external audit reports are used by investors, clients, lenders, and other stakeholders.
- Internal auditors can provide consulting services (see below under “How can an internal auditor be impartial and objective?” on why this could be an issue) while external auditors cannot.
The Duties of an Internal Auditor
So what are the duties of an internal auditor? That depends on the company, the particular role of an internal auditor, and what they are auditing, but at a very high level you can expect an internal auditor to:
- Objectively assess a company’s IT and/or business processes
- Assess the company’s risks and the efficacy of its risk management efforts
- Ensure that the organization is complying with relevant laws and statutes
- Evaluate internal control and make recommendations on how to improve
- Identifying shortfalls or gaps in processes
- Promote ethics and help identify improper conduct
- Assure safeguards
- Investigate fraud
- Communicate the findings and recommendations
- Provide an opinion (Unqualified, qualified, adverse, or disclaimer)
For more information, read our blog post about what internal auditors do.
How Can an Internal Auditor be Impartial and Objective?
The most important part of an internal auditor’s job is the ability to perform an objective and impartial evaluation. Many times, politics can get in the way of the internal auditor or internal auditing team remaining objective which limits the team’s effectiveness and reduces their value to the company. This risk can be reduced by making sure internal auditing does not audit their own work and reports to a single committee or a board member who has oversight authority and the internal auditor does not report to an individual or group they are auditing. Also, a company should realize that the purpose of the internal auditor is to remain impartial, and should strive to not influence or push them into a conclusion. Requesting the internal auditor to include more and more assumptions in order to come to a different conclusion is a quick example of how the company may try to influence objectivity.
How to Become an Internal Auditor
There is no lack of certifications or specialties you can achieve when it comes to internal audit. One could be a jack of all trades and support the company through many different types of internal audits, or one could specialize, for example, HIPAA compliance auditor, certified financial auditor, medical claims auditor, PCI compliance auditor, etc. Basically, you name it, you can probably specialize in it.
There are also many different types of certifications available to help increase your knowledge in a certain area, or to help a company identify the right type of auditor. When exploring at a high level, I saw about 25 different certifications, and that is not counting higher education (and I am 100% sure there are way more out there). Needless to say, if you are looking to enter the world of internal audit, have been in it for a while, or are looking to hire an internal auditor, there is probably a specialized certification that aligns with your desires or the job function. Since there are so many, I am just going to touch on a couple of the larger certifications.
Certified Internal Auditor: CIA – This certification is awarded by the Institute of Internal Auditors (IIA). According to their website, the Certified Internal Auditor (CIA) designation is a globally recognized certification for internal auditors and is a standard by which individuals may demonstrate their competency and professionalism in the internal audit field. This certification comes in three parts and there are a lot of specialized certifications you can get as well. For example, the Certification in Risk Management Assurance (CRMA), Certified Government Auditing Professional (CGAP), and Certified Process Safety Auditor (CPSA) just to name a few.
Certified Information Systems Auditor: CISA – This certification is awarded by Information Systems Audit and Control Association (ISACA). The Certified Information Systems Auditor (CISA) is a globally recognized certification in the field of audit, control, and security of information systems. It is focused on information systems and technology and some say has a high failure rate.
Why (as a company), Should You Hire an Internal Auditor?
If you are planning on hiring an internal auditor there are a few key things to keep in mind. One, make sure that the auditor maintains strong ethical standards and integrity. Two, be sure to define the scope and goals of the position — without it, the auditor and the company will not be successful. And three, allow the position to be and remain objective and impartial; an auditor being resilient under pressure to bend or change their assessment is actually a good thing.
Having an internal auditor or team can help the company grow, become more efficient, maintain compliance, and identify issues of fraud or concern. Also, when your external audit comes around (if you have one), having an internal auditor that has already verified all the controls before the third-party steps foot in the door, relieve a lot of pressure and save a lot of time and money.