Articles on Internal Auditing
An Overview of the Professional Practice of Internal Auditing
With the various activities and reviews internal auditors are being
called on to perform, and changes taking place today in the practice
of internal auditing, I have lately been thinking more and more about
the way internal auditing is perceived, and how it perhaps ought to be
perceived. About twelve years ago, I was offered the opportunity to expand
my professional development by moving into an internal audit department.
At the time, having come from a background in public accounting, and
having no familiarity with internal auditing standards, if you had asked
me to define "internal auditing", I probably would have said
something like "it's auditing within an organization to help safeguard
assets". I'm willing to bet that in many organizations, if you where
randomly to ask employees, managers and executives about their perception
of internal auditing today, many would tell you "it's the same thing
that our external CPAs do, only it's done by employees of the company".
Others might say that
"it's anything our internal auditors do".
The purpose of this article is to examine the concept of internal auditing
from the perspective of The Standards for the Professional Practice of
Internal Auditing. For a moment, think about how important The Standards
are in day to day professional internal audit activities. Some of the
routine ways internal audit professionals apply the standards include
how they plan and carry out their work, how the audit director determines
what that work will be, and how the results of their efforts are communicated.
By obtaining a clearer understanding of the essence of professional internal
auditing standards, we can develop a clearer understanding of the essence
of internal auditing itself. Obtaining that understanding is critical
not only to presenting ourselves in the most professional way, but also
to clearly defining our area of expertise and thus the value we can provide
to our organizations.
The basic framework of The Standards For The Professional Practice Of Internal Auditing consists of:
- the Statement of Responsibilities of Internal Auditing
- the Code of Ethics
- the Standards for the Professional Practice of Internal Auditing, consisting of five general standards, twenty five specific standards, and suggested guidelines for complying with the standards.
- the Statements on Internal Auditing Standards
- professional practice releases
Some of the key points emphasized in the introduction to The Standards are:
- the principal elements of the organization served by internal auditing are management and the board of directors, with internal auditors owing a responsibility to both
- "the board" means the board of directors, the audit committees of such boards, heads of agencies or legislative bodies to whom the internal auditors report, boards of trustees, or any other designated governing body of organizations.
- "Management" is anyone in an organization with responsibility for setting and/or achieving objectives.
- "senior management" is the individual, or group of individuals in management to whom the director of internal auditing is responsible.
- The purpose of The Standards is:
* to impart an understanding of the role of internal auditing
* to establish a basis for the guidance and measurement of internal auditing performance
* to improve the practice and professionalism of internal auditing - Compliance with the concepts enunciated by the standards is essential before the responsibilities of internal audit can be met.
When performing internal audits, the Code of Ethics of the Institute of Internal Auditors (IIA) requires each member of the Institute and each Certified Internal Auditor (CIA) to adopt suitable means to comply with The Standards and to conduct internal audits in accordance with the requirements and spirit of The Standards. This is one of the key provisions of the Code of Ethics.
Not everything that an internal auditor might be called on to do is internal auditing. If you are a member of the IIA and/or are a CIA, it is your responsibility to understand the essence of what internal auditing is; to know what is, and is not, an internal auditing activity; to distinguish internal auditing from other types of audit activity that are not internal audits; and to distinguish internal auditing from other types of non-audit activities that an internal auditor might be called on to perform. The following table compares internal auditing (as defined by The Standards) with other activities performed by internal auditors.
PROFESSIONAL INTERNAL AUDITING UNDER THE STANDARDS
Professional Internal Auditing focuses on an evaluation of the system or framework of internal control |
OTHER AUDIT ACTIVITIES
While these all may be value-added activities that auditors perform, they do not meet the criteria of "Internal Auditing" described by The Standards". Many, if not all, of these audit activities are governed by other professional auditing standards, such as those of the AICPA and the General Accounting Office; or various federal regulations such as OMB Circular A-133. |
As practiced under the Standards, professional internal auditing focuses
on an evaluation of the system or framework of internal control, which
the Standards describe as "the integrated collection of control
systems developed by the organization to achieve its objectives and goals".
There is a very close correlation between the Standards and COSO (for
a detailed discussion, see "The Standards and the Framework",
Internal Auditor, April 1997). The primary objective of internal controls
is to give managers reasonable assurance that:
- financial and operating information is accurate and reliable
- policies, procedures, plans, laws and regulations are complied with
- assets are safeguarded against loss and theft
- resources are used economically and efficiently
- established program/operating goals and objectives will be met.
The elements of internal auditing therefore consist of :
- Appraising the reliability and integrity of financial and operating information by evaluating the means developed by management to identify, classify, measure, and report such information
- Appraising the systems management has established to ensure compliance with policies, plans, procedures, laws and regulations that could have a significant impact on operations and reports, and determining whether the organization is in compliance
- Appraising the means management has established to safeguard assets, and, as appropriate, verifying the existence of such assets
- Appraising the systems management has established to ensure economical and efficient use of resources
- Appraising the systems management has established to ensure results are consistent with established objectives/goals and operations or programs are carried out as planned.
Although there is some degree of overlap, these five elements differ
from performance audits. The primary objective of a performance audit
is to evaluate operational processes (which may or may not include internal
controls) and the related results of operations, rather than the system
of control itself (GAO Yellow Book, 1994 Revision, Chapter 2, sections
2.6 through 2.9). While some might consider this distinction insignificant,
under the Standards, it is not the internal auditor's job to evaluate
a manager's performance; to decide what the organization's objectives
and goals are, or whether they are the correct objectives and goals.
These determinations and decisions are the responsibility of management.
The SPPIA instead focuses the internal auditor primarily on forming an
opinion as to whether or not management has reasonable assurance that
desired objectives and goals are being achieved, and the degree to which
controls provide the reasonable assurance that managers need (SPPIA 300.04,
300.08, and 300.08.2.c).
When we combine the definition of internal control with the scope of
internal auditing, five possible audit objectives emerge regarding how
managers plan, organize and direct activities. Internal auditors seek
to answer one or more of the following questions:
- Do controls over financial and operating data provide managers with
reasonable assurance that the financial and operating data is accurate
and reliable
- Do controls over compliance with policies, procedures, plans, laws
and regulations provide managers with reasonable assurance that proper
compliance actually occurs
- Do controls over assets provide managers with reasonable assurance
that assets exist and are protected against loss that could result
from theft, fire, improper or illegal activities, or exposure to the
elements
- Do controls over operations provide managers with reasonable assurance
that resources are used efficiently and economically. In this context,
the auditor wants to know whether operating standards have been established
for measuring economy and efficiency; whether operating standards are
understood and are being met; whether deviations from operating standards
are identified, analyzed and communicated to those responsible for
corrective action; and whether effective corrective action has been
taken
- Do controls over operations and programs provide managers with reasonable assurance that the operations and programs are being carried out as planned, and that the results of operations are consistent with established goals and objectives.
To meet these audit objectives, internal auditors evaluate the things
managers do to plan, organize and direct activities and operations. The
reasonable assurance that managers need comes about when managers plan,
organize and direct in such a way that in the normal course of doing
business, cost-effective actions are taken to minimize the risk that
undesired outcomes will occur, and maximize the likelihood that desired
outcomes will occur.
After examining the way managers have planned, organized and directed
the activities of the organization, the internal auditor draws conclusions
about the adequacy and the effectiveness of the controls. The internal
auditor then expresses an opinion as to whether or not the control system
provides the necessary reasonable assurances. When the internal auditor
is of the opinion that weaknesses or conditions are present that significantly
reduce the likelihood that reasonable assurance exists, the internal
auditor reports to senior management:
- the condition(s) found
- criteria or standard against which the condition is being measured
- the cause(s) that produced the condition
- potential or actual effect(s) on desired outcomes; and recommendations for corrective action that will improve the degree of reasonable assurance.
Internal auditors perform other activities, such as: contract auditing;
compliance auditing; voucher auditing; claims auditing; financial statement
auditing; performance auditing; external auditing of other organizations;
and other management activities associated with the planning, organizing
and directing of operations. While these all may be value-added activities,
they do not meet the criteria of "Internal Auditing" described
by the Standards". Many, if not all, of these audit activities
are governed by other standards. In the United States, for example,
these might be those of the American Institute of CPAs; the US General
Accounting Office' Government Auditing Standards; regulations and laws
of the Securities and Exchange Commission; or various other federal
regulations such as Circular A-133 of the US Office of Management and
Budget. Does that mean internal auditors should refrain from doing
these other things when requested to do so? No. But they should not
confuse these other activities with internal audits; and should not
represent them as being internal audits.
What about consulting? Almost all of us at one time or another get involved
in "consulting" situations within our organizations. How does
internal auditing activity compare to consulting work?
According to studies by the IIA:
Internal Audits
- are based on past or current activities
- address management's reasonable assurance of achieving objectives
- are initiated by the Audit Director
- have the Audit Committee/Senior Management as the primary client
- are conducted primarily by members of the internal audit department
- lead to production of a standard audit report.
Consulting Activities
- are future oriented
- address implementing activities
- are initiated by a line manager
- have the line manager as the primary client
- involves staff outside the internal audit department
- yield a product or outcome other than an audit report opinion
Based on the IIA research, most internal auditors agree that the following activities are examples of consulting:
- Business Planning
- Non-Accounting System Consulting
- Business or Project Feasibility Studies
- Accounting System Design and Implementation
- Total Quality Management
- Budgeting
- Forecasts and Projections
The more progressive practitioners of internal auditing have recognized
the value of and have embraced the idea that partnering with audit clients
can improve significantly the results of internal audit work. These innovative
approaches and the required paradigm shifts are endorsed by the IIA.
While the Standards do not pose any impediments to their use, additional
implementation guidance is needed. This is particularly true regarding
the issue of auditor independence vis a vis auditing in consultation
with management. "Auditor Independence" has been a cornerstone
of the profession for many years - a carryover from internal audit's
roots in public accounting. IIA studies indicate that some practitioners,
in hiding behind The Standards' guidance on independence, have needlessly
sacrificed opportunities to make significant contributions to their organizations.
This is an area requiring further study by the IIA.
These issues also have sparked some interesting observations regarding
the exclusion of compliance audits and performance audits from the "internal
audit" category. The material above briefly touches on the issue
of performance audits. Regarding compliance audits, the issue is one
of focus. Further examination may serve as an example of how an internal
audit is conducted under the Standards.
The objective in a typical compliance audit is to determine whether an
entity has followed applicable laws and regulations or followed proper
procedures. For example, in an audit of a youth detention center, if
government regulations require that the cafeteria only serve items listed
on a dinner menu, and the kitchen runs out of the listed ice cream and
serves pudding for dessert, a compliance audit would cite the center
for failing to follow the regulations (a ludicrous, but true example).
The compliance auditor doesn't really care about the system of internal
control. In audit parlance, internal control risk is assessed at maximum
(i.e., it is assumed controls are not effective). Nor does the compliance
auditor necessarily care why a violation has occurred. The compliance
auditor's job is to identify violations or deviations, and, where necessary,
impose sanctions, withhold payments, obtain refunds, identify and report
employee mistakes, etc. This is not an internal audit; and more importantly,
using this methodology to carry out an internal audit is not a particularly
efficient or effective way to identify systemic, mission critical control
problems.
An internal audit of the detention center under the Standards, however,
would focus on whether or not the management of the detention center
has reasonable assurance that significant applicable laws and regulations
are being complied with. The internal auditor would want to see evidence,
for example, that management has conveyed the importance of compliance
to the employees; that employees have the necessary tools and resources
to effect compliance; that employees have been properly trained in and
understand compliance issues; that management has assessed and addressed
the risks and obstacles associated with compliance; that policies and
procedures have been established to address identified risks; that information
and communications systems provide necessary data in an accurate and
timely way regarding issues associated with effective compliance; and
that monitoring activities will, in the normal course of events, identify
and correct problems, and bring significant issues to light for attention,
corrective action and follow up by higher level management. If this sounds
very much like COSO, it should, since the SPPIA and COSO are two sides
of the same coin (as might be expected since the IIA is one of the sponsoring
organizations). The SPPIA actually is a framework for audit implementation
of COSO theory.
If the internal auditor determines significant weaknesses exist in the
control system over compliance, he/she may conclude that the required
reasonable assurance does not exist, and recommend corrective actions.
To reinforce the need for corrective action, the internal auditor may
test for evidence of errors, omissions or other adversities associated
with non-compliance that are so serious that immediate intervention by
management is required to mitigate the resultant business risks. If the
internal auditor believes the internal control system is effective, and
that as a result management has the requisite reasonable assurance, some
testing may still be done to confirm the effectiveness of the control
system (it depends on the internal auditor's assessment of his/her own
risk of arriving at an incorrect opinion).
Conclusion
We, as internal audit professionals, have to be clear about what it
is we are "expert" in. That clarity comes from the Standards.
Our reason for being as a profession is to support executive management
and the board of directors in carrying out corporate governance. We do
that by providing them professional opinions about the degree to which
reasonable assurance exists that business objectives will be achieved
(i.e. the state of internal control) and by keeping them informed about
critical control issues that impact on achievement of business objectives.
Does that mean we can't help operating management do a better job in
the process? No. Does that mean we hide behind the Standards and avoid
going in new directions? No. Does that mean we do whatever we feel like,
or whatever our management requests, in disregard of the Standards, and
still call it "internal auditing"? While that might appear
beneficial on an individual level, we can't, as a profession, do that
either, because in the larger picture, doing so confuses, obscures and
weakens the role of our profession in corporate governance; undermines
our profession's value to those we are supposed to serve; and ultimately
hurts us as a profession. But does that mean internal auditors should
refrain from doing such things when requested to? No, it does not. However,
we should not confuse these other activities with internal audits; and
we should not represent them as being internal audits.
Internal auditors perform many different functions that add value to
the organizations they serve, and only the foolhardy would respond "that's
not my job" when asked by senior management to perform work outside
the bounds of The Standards. Internal auditing is a management control,
however, and like any other control, when its actual function digresses
further and further from its original purpose, the control is weakened.
The Standards define the mission of internal auditing, and establish
how both the internal audit function, and individual internal audits,
should be planned, organized and directed. Government entities that have
incorporated
"professional internal auditing standards" as part of the defining
language of legislation regarding internal audit activities in government
explicitly require and rely upon compliance with The Standards as a minimum
level of expected professionalism. When properly understood and applied,
The Standards provide the foundation for reasonable assurance that the
internal audit function will be both professional and effective. Achieving
those goals is critical to presenting ourselves in the most professional
way, to clearly defining the expertise and value we can provide to our
organizations, and most importantly, to maintaining oversight of control
systems - the primary reason the internal audit function exists.
There are those who might not necessarily agree with any one, or several,
of the particulars raised in this article. The point, however, has been
to stimulate strategic thought about who we are, what it is we do, and
what we should be doing. Over the next year, the Standards Guidance Task
Force of the Institute of Internal Auditors will assess whether the Standards
in fact represent internal auditing as it is actually practiced today,
and as it should be practiced in the future. The opinions of Certified
Internal Auditors, members of the IIA, and others engaged in the practice
of internal auditing are important to the work of the Task Force. If
you would like to comment or make suggestions on this topic, you can
contact Wayne Moore of the Task Force by fax at (302) 773-4841; or Susan
Leone, IIA Manager of Standards at her fax number (407) 831-5171; or
by e-mail at slione@theiia.org or standards@theiia.org .
Home | Bio | Internal Auditing | Fraud Investigation | Request to Reprint | Privacy | Site Map
© 1996-2010 Mark R Simmons, CIA, CFE. All rights reserved. Updated
12-Oct-2010
Designed and maintained by Web
Wise Concepts, LLC for http://www.facilitatedcontrols.com