The words “internal audit” often conjure a sense of fear, frustration, and time consumption. Even in the best circumstances, most people find having someone review their activities unsettling or intimidating. Understanding the role of an internal audit, knowing what to expect during one, and knowing the potential pitfalls to avoid will help put you at ease and make the experience much more pleasant and valuable.
What is an Internal Audit?
One of the most searched phrases on this subject is “internal audit meaning.” So, what is an internal audit or what does it mean? Internal Audit is a department or organization within a company tasked with providing unbiased, independent reviews of systems, business organizations, and processes. The role of an internal audit department is to provide senior leaders and governing bodies of an organization with an objective source of information regarding the following:
- The organization’s risks
- Control Environment
- Operational Effectiveness
- Compliance with applicable laws and regulations
What is the Role of Internal Audit?
As Internal Audit reports to senior leadership, it is only appropriate that its activities are directed by the CEO or the Board of Directors through its Audit Committee. Members of Internal Audit must be independent of internal politics and unbiased in order to provide leadership with an objective source of information. Under the direction of the Audit Committee, Internal Audit works with management to systematically review control activities over critical systems and processes.
The reviews performed by Internal Audit are often called internal audits. An internal audit may be used to assess an organization’s performance or the execution of a process against a number of standards, policies, metrics, or regulations. These audits may include examining a business’s internal controls around corporate governance, accounting, financial reporting, and IT general controls. Internal audits may also entail evaluating the effectiveness/efficiency of critical business operations such as supply chain management. Those individuals working in Internal Audit are called internal auditors. Internal auditors may cover all areas of an organization or specialize based on their skill-sets.
What is the Purpose of an Internal Audit?
The aim of internal audits is to identify weaknesses within the organization’s processes and control environment internally so that they can be fixed as quickly as possible to prevent harm to the organization or its stakeholders. Accordingly, the internal audit plan for an organization should be driven on a risk basis or, in other words, be designed to examine those areas that present the greatest risk to the company. The internal audit plan should also include a component of the strategic needs of an organization. Similarly, each internal audit purpose should be aligned with the audit plan.
Internal vs External Audits: How Are They Different?
There is a little bit of confusion about the difference between internal and external audits. From my experience, whenever the word “audit” is appended to a phrase or a subject, it instantly becomes boring. Try it sometime—it is great for killing small talk during the holidays.
Whenever “audit” is mentioned, we, or at least most of us, switch into Charlie Brown school mode—our eyes glaze over and the speaker’s voice turns into a stream of mumbles. As a result, most people in any organization view them as synonyms for the same thing—audit. Despite this popular perception, internal and external audits are not the same thing.
I think the simplest way to explain the difference between external and internal audits is to compare the who, what, and why associated with the two types of audits. Some of the key differences are highlighted in the sections below.
Who Performs the Audit?
- Internal Audits – Who conducts internal audits? Internal auditors, typically employees of the company, perform internal audits. However, companies lacking the competency or manpower may outsource this to an external entity.
- External Audits – External auditors, typically members of a CPA firm, perform external audits. External auditors and the firm they work at must be independent of the company being audited to maintain objectivity.
Who is the Audit Reported To?
- Internal Audits – The Board of Directors and members of management
- External Audits – Shareholders and parties outside of the company
What Does the Audit Cover?
- Internal Audits – Internal controls related to:
  - Risk Management
  - Process Improvement
- External Audits – Financial reports and internal controls related to financial reporting
Why is the Audit Performed?
- Internal Audits – To assess and improve the effectiveness of governance, risk management, and control over critical processes. To provide the board and management with information and assurance related to their duties.
- External Audits – To validate, or provide reasonable assurance, of the material accuracy of financial reports from the organization to its stakeholders.
When Are Results Reported by the Audit?
- Internal Audits – May report at any frequency designated by the Board
- External Audits – Annually
Where Do Internal Auditors Report?
- Internal Audits – Internal auditors generate reports that summarize the audits performed and the related results as they are completed. Typically, there is no set physical location of where these reports are stored. However, Internal Audit will typically report internal audit results to members of management with oversight responsibilities as they are completed. Internal Audit will also report on its activities, including significant findings, in Audit Committee meetings.
- External Audits – External auditors will typically deliver reports at the conclusion of an external audit without formally presenting the results in person. When they do present the results of their assessments, it is at the company’s Audit Committee meeting.
As you can see, there is a difference between an internal and external audit. Both are checking whether the organization is performing certain activities or controls correctly. However, internal audit results are reported in-house while the results from external audits are reported to individuals inside and outside of the organization. When the two cover the same scope, I like to say that an internal audit is a pre-test, and an external audit is the final. The organization can use the results from the internal audit to identify its weaknesses and work to correct or strengthen them in preparation for the external audit where the results will be shared publicly.
What is the Scope of Internal vs External Audits?
You will notice that the scope and objectives of the two types of audits also differ. Internal audits are typically smaller, focused audits that (collectively over a year) will cover a broader range of scope. This allows the company’s Board and management to get more frequent/timely information that they may use to govern and improve the organization. In contrast, a business will typically have one big external financial audit each year. The objective of the external audit is to determine the accuracy of annual financial statements.
The last area of difference that I would like to highlight regards the scope of responsibilities of internal and external auditors. Internal auditors function as consultants who perform the assessment and then advise the organization’s management on how to address the risks identified. External auditors have no such responsibility to the organization; their only responsibility is to assess.
Why Do Organizations Have Internal Audits?
Knowing the objectives of internal audit is critical to understanding why organizations have Internal Audit functions. When the Sarbanes-Oxley Act of 2002 was passed, it made executives of publicly traded companies legally responsible for the accuracy of their financial statements and the internal controls over financial reporting. Internal Audit functions play a critical role in helping executives to reach their conclusions. Also, internal audit efforts to identify breakdowns in internal controls help safeguard against potential fraud, waste, or abuse, and ensure compliance with laws and regulations.
Is Internal Audit Mandatory?
So, if you were wondering, “Is Internal Audit mandatory?”
The answer is, “It depends.”
As noted above, publicly traded companies must perform internal audits to be able to assess and attest to the design and operating effectiveness of internal controls over financial reporting. Privately held companies are not required by law to have an internal audit function.
However, if the question were “Who needs an internal audit?”, the argument could be made that all organizations need one to some extent.
What Are the Benefits of Internal Audit?
Technically, Internal Audit is a cost center in a company—it does not generate revenue. However, a good internal audit function can be profoundly important to the survival and prosperity of any organization. Unlike external auditors, internal auditors look beyond financial statement reporting risk to consider broader issues such as the organization’s reputation, operational efficiency, strategic growth, its impact on the environment, and the way it treats its employees. Objective assessments of an organization’s processes and performance can provide valuable insight that personnel who perform or manage the actual operations are not able to see because of the paradigm or limited perspective that comes with being a part of the process being assessed.
What Are the Types of Internal Audits?
So, what is an internal audit, and what types of audits may be performed? A significant portion of internal audits cover internal controls over financial reporting within the organization as they pertain to generally accepted accounting principles (GAAP) impacting the financial statements. However, many organizations also recognize the need for other types of assessments or audits outside of accounting or finance. Some of these key areas include compliance (i.e., regulatory), environmental, information technology, operational, and performance audits.
- Compliance Audits evaluate compliance with applicable laws, regulations, policies, and procedures. Some of these regulations may have a significant impact on the company’s financial well-being. Failure to comply with some laws, such as the Foreign Corrupt Practices Act (FCPA) or General Data Protection Regulation (GDPR), may result in millions of dollars in fines or preclude a company from doing business in certain jurisdictions.
- Environmental Audits assess the impact of a company’s operations on the environment. They may also assess the company’s compliance with environmental laws and regulations.
- Internal Financial Audits may be performed to recalculate internal financial reporting related to the business overall, budgets, capital assets, or projects. These may also be performed to check the validity and accuracy of billing, expenditures, or expense reimbursements.
- Information Technology Audits evaluate information systems and the underlying infrastructure to ensure the accuracy of their processing and the security and confidentiality of customer information or intellectual property. They will typically include the assessment of general IT controls related to logical access, change management, system operations, and backup and recovery.
- Operational Audits assess the organization’s control mechanisms for their overall efficiency and reliability.
- Performance Audits evaluate whether the organization is meeting the metrics set by management in order to achieve the goals and objectives set forth by the Board of Directors.
What is the Difference Between Internal Checks & Internal Audits?
It is important to understand the distinction between internal checks and internal audits. Internal checks are when peers or team members check each other’s work as part of a process; they are a type of control activity within the process. Internal audits are process assessments performed by members of the same organization who are independent of the process and have no responsibility for performing it.
Let’s use the change management or system development process as an example. As part of the process to develop changes to a system, most organizations have built-in checks within the process. For example, a peer who did not develop the code reviews the code developed for the change to check if it will have the desired impact on the system. A product owner or quality assurance member may also test the system in a non-production environment to see if the system functions as desired with the change. Both of these are examples of internal checks or internal controls.
What is an Example of an Internal Audit?
An internal audit of the change management process would have a member of Internal Audit or an employee from another part of the company checking whether the internal checks or control activities (e.g., peer reviews and change testing) were consistently performed for a sample of changes.
What is the Internal Audit Process?
An internal audit should have four general phases of activities—Planning, Fieldwork, Reporting, and Follow-up. The following provides a brief synopsis of each phase.
How do you start an internal audit? Each internal audit should start with a plan. During the planning process, the internal audit team will define the scope and objectives. This helps determine what the internal audit should focus on. Once the scope is determined, the following steps should be carried out:
- The internal audit team should set internal audit requirement(s).
- Review guidance relevant to the audit (e.g., laws, regulations, industry standards, company policies, procedures, etc.).
- Review the results from previous audits.
- Set a timeline and budget for the audit.
- Create an audit plan and internal audit checklist(s) to be executed.
- Identify the process owners to involve.
- Schedule a kick-off meeting to commence the audit.
How do you do an internal audit? Fieldwork is the actual act of auditing. Throughout this phase, the audit team will execute the audit plan. This usually includes:
- Interviewing key personnel to confirm an understanding of the process and controls.
- Reviewing relevant documents and artifacts for evidence of the execution of controls.
- Testing the controls for a sample over a period of time.
- Documenting the work performed.
- Identifying exceptions and recommendations.
As you might guess, the internal audit team drafts the audit report during the reporting phase. The report should be written clearly and succinctly to avoid misinterpretation and to encourage the intended audience to actually read and understand it. Findings should be accompanied by recommendations that are actionable and lead directly to process improvements. The process of issuing an internal audit report should include:
- Drafting the report.
- Reviewing the draft with management to ensure the accuracy of findings.
- Issuing and distributing the final report.
The final stage is an important one that is often overlooked and neglected. Following up is critical to ensure that the recommendations have been implemented to address the findings identified. This process should include appropriate follow-up with process owners needing to implement the recommendations as well as Board oversight of the company’s overall status in addressing findings identified by the internal audit. If an organization fails to follow up on the implementation of recommendations, it is unlikely that the changes will be made.
What Are Common Pitfalls That Can Derail an Internal Audit?
An internal audit can be extremely useful to help streamline processes, find gaps, and identify fraud. But what are the challenges of internal audit? My experience as an auditor has taught me to recognize the red flags that can quickly derail the process.
- Scope creep: Proper planning and definition of scope are key to a successful internal audit. The scope of the internal audit is decided by the needs of the organization. With complex systems and workflows, it is easy for the scope of an internal audit to expand rapidly. Be sure to proactively plan for how the team will respond when an issue arises that may affect the scope (e.g., do you ignore the issue, add it to the scope, or defer it until later), so that the team can respond quickly and efficiently. When scope starts to expand, be sure to pump the brakes and reassess; nothing is worse than allowing the scope to increase and later realizing that you are one step away from auditing the entire organization and all of its processes.
- Not talking to all clients/stakeholders: Be sure to involve your client and stakeholders early and often. I recommend going deeper than managers or team leads; talk with the staff, engineers, etc. Many times, the “people in the trenches” may be following a completely different process than what is documented or understood by management.
- Not reviewing the data: When data is needed, it’s typical to ask the team you are auditing to provide it, but how do you know that the data is accurate? Was the data modified, trimmed, or altered in any way? If possible, sit with the DBA or data provider to understand how the data is being generated. Always ask questions and try to get data that has been generated directly from the system, along with the queries or constraints used to generate it.
- Objectivity and Independence: This is especially difficult in a smaller organization. In a larger organization, internal auditors report to a board of directors or an audit committee, but in smaller companies, an internal auditor may be reporting to the same person or group they are auditing. The key is to stay objective, independent, and to have a forward-looking mindset. Remember that an internal auditor is trying to help and should be allowed to do so even if the results are hard to hear.
What Are the Professional Standards in an Internal Audit?
The Institute of Internal Auditors (IIA) has set the internationally recognized framework for internal auditing, called the International Professional Practices Framework (IPPF). The IPPF provides “mandatory” and “strongly recommended” guidance. These standards are applied by over 160,000 internal auditors working globally within the framework. What qualifications do internal auditors need? As a common base, internal auditors need a solid understanding of the IPPF. While not required, individuals can evidence their understanding of the IPPF and their experience by becoming a Certified Internal Auditor.
I hope this has helped you to better understand the role of internal audit, anticipate the process in your next internal audit, and avoid the potential pitfalls that can derail an internal audit. For more information regarding how Linford & Company may assist your organization with its compliance needs, check our related organizational auditing services:
This article was originally published on 11/28/2018 and was updated on 9/7/2022.
Isaac Clarke is a partner at Linford & Co., LLP. He began his career with Ernst & Young in 2003 where he developed his audit expertise over a number of years. Isaac specializes in and has conducted numerous SOC 1 and SOC 2 examinations for a variety of companies—from startups to Fortune 100 companies. Isaac enjoys helping his clients understand and simplify their compliance activities. He is attentive to his clients’ needs and works meticulously to ensure that each examination and report meets professional standards.