Internal Auditing:

Assurance, Insight, and Objectivity

WHAT IS INTERNAL AUDITING?
“INTERNAL AUDITING” – business people all around the world are familiar with the term.
But do they understand the value it brings to their organizations? Exactly what is this
somewhat illusive profession all about and why is it so essential to efficient and effective
business operations? And why is it so critical to optimal governance and organizational
sustainability?

INTERNAL AUDITING is an independent, objective assurance and consulting

activity designed to add value and improve an organization’s operations. It helps
an organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control,
and governance processes.

Internal auditors have an in-depth understanding of the organization’s systems, process-

es, and culture. They provide assurance to executive management and governing bodies
that governance processes are sound and that existing internal controls are adequate
to mitigate risks. They also serve as consultants who evaluate emerging technologies,
analyze opportunities, and offer recommendations for improvement.

All of this means that internal auditors assess whether things are going as they should
in order for an organization to meet its strategic, financial, and operational goals, and to
maintain an ethical environment and culture of accountability. Simply put, internal audi-
tors bring enormous value to the organizations and stakeholders they serve.
INTERNAL AUDITING = ASSURANCE, INSIGHT, AND OBJECTIVITY
Governing bodies and senior management rely on internal auditing for objective assurance
and insight on the effectiveness and efficiency of governance, risk management, and
internal control processes.

INTERNAL AUDITING’S VALUE

ASSURANCE, INSIGHT, AND OBJECTIVITY – the value of might include experience and education from outside
internal auditing can be described by these three very of the finance and accounting fields. Many internal
important words. auditors come from operations, engineering, and
information technology (IT), and they can serve in a
Management and governing bodies can look to their
variety of capacities. They are catalysts for solutions,
internal auditors to provide assurance on whether
best-practice advocates, risk and control experts, and
policies are being followed, controls are effective, and
quality-oriented efficiency specialists. They are the
the organization is operating as management intends.
best resource available to management for assurance
Internal auditors have unique insight on which risks
on the effectiveness and efficiency of governance, risk
might lead to disaster; how to improve controls,
management, and internal control processes. And as a
processes, procedures, performance, and risk manage-
result of their insight, objectivity, and assurance, they
ment; and ways to reduce costs, enhance revenues,
are a safety net for management, the board, and the
and increase profits. And internal auditors view the
organization at large.
organization with the strictest sense of objectivity that
separates them from — but makes them integral to — Although value can be viewed as a subjective quality,
the business. when it comes to internal auditors, subjectivity has
no role to play. Executive management and boards of
Today’s internal audit professionals bring to their
directors agree: Internal auditors are invaluable!
organizations a broad range of backgrounds that
ASSURANCE = GOVERNANCE, RISK, AND CONTROL
Internal auditing provides assurance on the organization’s governance, risk management,
and control processes to help the organization achieve its strategic, operational,
financial, and compliance objectives.
MITIGATING RISKS
MANY ORGANIZATIONS achieve greatness through growth
— and one of the keys to successful growth is effec-
tive risk management. As defined by The IIA’s Interna-
tional Standards for the Professional Practice of Internal
Auditing, risk management is “a systematic process for
assessing and integrating professional judgments about
probable adverse conditions or events.” Risk impacts
an organization’s ability to compete and to maintain
its financial strength and quality of its products and
services.
The skills internal auditors possess assist them in ac-
curately identifying the risks an organization faces. As
internal auditors analyze risks, they must investigate
the sources, rank their severity, provide assurance that
adequate controls are in place, and communicate their
findings to the organization. Changing trends impact
the way an internal auditor assesses risk. Internal
auditing has changed from a reactive, control-based
activity to one that is risk-based and proactive which
places greater emphasis on the internal auditor’s role in
mitigating and providing assurance over risk.
Internal auditors must be flexible to the changing busi-
ness environment. Evaluating risk in a rapidly chang-
ing world means that internal auditors have to stay
abreast of global and workplace issues such as mergers
and acquisitions, emerging technology, and interna-
tional commerce. By focusing on effective enterprise
risk management, the internal auditor not only offers
remedies for current trouble areas, but also anticipates
problems or opportunities.
TESTING CONTROLS
INTERNAL CONTROLS are actions taken by management,
a governing body, and other parties to manage risk
and increase the likelihood that objectives and goals
will be achieved. As a part of control, organizations
establish policies and procedures, as well as processes
to ensure they are followed. Controls also help ensure
the consistent adherence to the organization’s ethical
values and performance measures. Everyone within the
organization plays an important role in internal control.
Internal control is at the very center of the internal
auditor’s world. It is also integral to effective organiza-
tional governance, and thereby is critical to manage-
ment and the governing body. Internal auditors evalu-
ate control efficiency and effectiveness and determine
whether the controls in place are adequate to mitigate
risks that threaten, or have the potential to threaten,
the organization. Internal auditing’s role in assuring in-
ternal controls are functioning as designed is essential
to organizational governance and success.
EVALUATING GOVERNANCE:
SIMPLY GOOD BUSINESS
ORGANIZATIONAL GOVERNANCE comprises the procedures
established by governing bodies to provide oversight
of the risk and control processes administered by
management.
According to The IIA and other thought-leading orga-
nizations, the four cornerstones of effective corporate
governance are the governing body, executive manage-
ment, internal auditing, and external auditing. When
these entities work together well with healthy inter-
dependence, internal controls are strong, reporting is
accurate, ethics are maintained, oversight is effective,
risks are mitigated, and investments are protected.
Good organizational governance is simply good business.
ASSURING COMPLIANCE
COMPLIANCE — conformity to fulfill obligations —
ensures that organizations adhere to rules such as
laws and regulations. Management’s role is to imple-
ment policies and maintain extensive knowledge of
the compliance requirements of all applicable laws,
regulations, and contracts. When management fails to
fulfill these obligations, the organization is subject to
significant risk.
Part of an internal auditor’s role is to review how well
management meets the organization’s compliance re-
sponsibilities. Specifically, internal auditors are respon-
sible for reviewing objectives, providing insight into the
impact that noncompliance would have to an organiza-
tion, and informing senior management of significant
noncompliance. They not only need to identify areas
that do not comply with policies and guidelines, but
also ensure that objectives set by management adhere
to the organization’s overall mission, vision, and goals.
Regulations in some parts of the world require those
who manage and govern public companies to be legally
responsible for financial statement accuracy. Internal
auditors may assist them by evaluating the adequacy
and effectiveness of controls throughout the orga-
nization. Their work includes an examination of the
reliability and integrity of financial and operational
information, the effectiveness and efficiency of opera-
tions, and the ways in which the organization safe-
guards assets and complies with laws, regulations, and
contracts. Based on their findings, the internal auditors
can provide assurance to management that financial
statements are accurate.
INSIGHT = CATALYST, ANALYSES, AND ASSESSMENTS
Internal auditing is a catalyst for improving an organization’s effectiveness and efficiency
by providing insight and recommendations based on analyses and assessments of data
and business processes.

ANALYZING OPERATIONS
WHEN AN ORGANIZATION creates objectives and goals, it
must follow the appropriate procedures to ensure those
goals are achieved. Internal auditors review operations
closely, assessing whether correct protocols are being
followed and goals are met. This insight is vital to the
organization’s well-being.
Internal auditors assess whether assets in their organi-
zation are adequately protected and, if they are not, au-
ditors make recommendations to ensure the risk of loss
is appropriately mitigated. Assets are not just tangible
items such as computers, printers, and copiers, but
are also intangible items such as employees, IT, and
knowledge management. Internal auditors must also be
able to evaluate the procedures used within operations
to mitigate risks such as theft, fire, and illegal fraud or
improper activities and make the necessary recommen-
dations to reduce the likelihood and impact of these
risks.
Today, internal auditors work more closely than ever
with their customers. By doing so, they are more
insightful in their recommendations and help the
organization better achieve its objectives. As a valuable
resource who provides insight into internal processes
and operations, the internal auditor continues to pro-
vide value in analyzing organizational operations.
ASSESSING EFFICIENCY AND
EFFECTIVENESS
INTERNAL AUDITORS strive to provide value in address-
ing the challenges organizations face and constantly
enhance their skills and knowledge. They must thor-
oughly understand the business, industry and objec-
tives of their organization and have the ability to assess
its efficiency and effectiveness.

Organizational resources are valuable. It’s in the

organization’s best interest to defend and guard them
against potential waste. By reviewing the controls (poli-
cies and procedures) in place, internal auditors can
evaluate whether efficiencies are being recognized, and
by making suggestions, internal auditors constantly add
value to the organization. This means today’s internal
audit professional can vastly impact the efficiency and
effectiveness of operations throughout the organization.

BEING A CATALYST FOR

IMPROVEMENT
COMPETENT, professional internal auditors accurately
interpret facts and figures of organizational processes
and serve as catalysts for continuous improvement and
for bringing various areas together to address chal-
lenges facing the organization. A key attribute of ef-
fective internal auditors is the desire and commitment
to improve or change anything found to be deficient
within the organization. Further, they must influence
and persuade others to improve.

After evaluating processes, internal auditors report

their findings and recommend appropriate courses
of action. By developing a strong relationship and
partnership with management and the governing body,
internal auditors can submit recommendations that are
the starting point for the enhancement of risk man-
agement, internal control, and governance. Through
a strong commitment to the organization’s values and
goals, internal auditors’ understanding of the entire en-
terprise plays a crucial role in the overall success of the
organization.
OBJECTIVITY = INTEGRITY, ACCOUNTABILITY, AND INDEPENDENCE
With commitment to integrity and accountability, internal auditing provides value to
governing bodies and senior management as an independent source of objective advice.
ESTABLISHING OBJECTIVITY
AND INDEPENDENCE
INTERNAL AUDITORS pave a path toward continuous
improvement by providing objective and independent
advice to all levels of management. As such, indepen-
dence and objectivity are two of the most critical com-
ponents of an effective internal audit activity. Internal
auditors occupy a unique position as they are employed
by the organization, but are expected to review the
conduct of its management.
This could be viewed as a conflict of interest. There-
fore, to ensure their independence, The IIA suggests
the chief audit executive (CAE) has a dual reporting
relationship. For day-to-day administrative purposes,
the CAE should report to the most senior executive,
ideally to the chief executive officer (CEO) of the or-
ganization. Administrative reporting typically includes
responsibilities such as budgeting and management
accounting, and administration of the organization’s
internal policies and procedures. For functional
purposes, the CAE should have a direct reporting line
and unrestricted access to a governing body - such
as an audit committee of a board of directors - which
provides direction, enables full support and access to
organizational resources, and ensures there is no im-
pairment to independence. This reporting relationship
allows for open communication without fear of reprisal
or interference, and sets the stage for honest, straight-
forward feedback. It also allows the internal auditors to
raise red flags, draw attention to concerns, and engage
in further investigation as warranted.
Internal auditors must also maintain the attribute of
objectivity while performing engagements. The internal
auditor should have an impartial, unbiased attitude
and avoid conflict of interest situations that may impair
judgment. To help achieve objectivity, internal auditors
should not assume any of management’s operational
responsibilities.

EMBRACING THE PRINCIPLES OF

INTEGRITY AND ACCOUNTABILITY
THE ORGANIZATION’S internal controls should not be
viewed as something to be considered only by those in
management. Each employee throughout the organiza-
tion should understand the importance of a collective
consciousness about, and accountability for, a strong
system of internal control, an unwavering code of
ethics, and high standards of excellence. More than
just a philosophy, the desired state of an organization’s
culture requires the active agreement and participation
of all its employees (or associates).

Few attributes are more critical to internal auditors

than integrity, accountability, and unwavering ethical
conduct. Effective internal auditors are grounded in
professionalism, well-disciplined in their work, and
subscribe to a professional code of ethics. Uncom-
promising ethics, the ability to listen with an open
mind, and the strength and integrity to be firm under
pressure are attributes that enable internal auditors to
stand up and advise an organization what it sometimes
does not want to hear.

With a holistic view of the entire organization and its

wide range of risks, internal auditors are in a unique
position to help executive management and the govern-
ing body ensure that the corporate culture is ethical.
They assist management by making recommendations
for improving and maintaining an ethical corporate
culture, and play an important role in helping manage-
ment achieve organization-wide agreement and partici-
pation in creating the desired ethical culture.
THE VALUE OF PROFESSIONALISM
THE VALUE of internal auditing cannot be fully realized
without very important requisite qualities possessed by
absolute professionals. Internal audit professionalism
means competence and quality. It means standing up
for transparency and integrity and speaking out against
unethical business practices. And it means embrac- THE VALUE PROPOSITION TO
ing growth and change, seeking new ways of doing STAKEHOLDERS
things, and providing fresh ideas for ensuring risks
are mitigated. To be effective and provide the utmost THE INSTITUTE OF INTERNAL AUDITORS challenges internal
value, internal auditors should make a commitment to auditors around the world to continuously enhance
professionalism by: their competencies as professionals, and encourages
stakeholders to enthusiastically incorporate internal
• Practicing in accordance with the International auditing into their organization’s governance structure.
Standards for the Professional Practice of Internal
Auditing and other guidance within the Interna- Internal auditing is a profession, and the responsibili-
tional Professional Practices Framework. ties described here represent only a part of what is
mandated for and expected of professional internal
• Ensuring quality practices by maintaining an auditors. This speaks volumes as to internal audit-
ongoing Quality Assurance and Improvement ing’s value. But clearly, value is defined differently for
Program, including periodic internal and external different business functions. For some, saving money
quality assessments. is the most important goal; for others, protecting the
reputation is the focus. And for internal auditing, its
• Gaining a thorough understanding of their
value proposition to the organization’s stakeholders can
organization’s business and culture.
be best depicted as providing assurance, insight and
• Taking advantage of ongoing professional develop- objectivity to help management and governing bodies
ment and membership opportunities offered by meet their goals. And that, without question, is of great
organizations such as The Institute of Internal value.
Auditors.
For information on “Internal Auditing’s Value to
• Earning professional designations such as the Stakeholders,” visit The IIA’s website at
Certified Internal Auditor (CIA), Certified www.theiia.org/valueproposition.
Financial Services Auditor (CFSA), Certified
Government Audit Professional (CGAP), and the
Certification in Control Self-Assessment (CCSA).
The CIA designation is the only globally accepted
certification for internal auditors and remains the
standard by which individuals demonstrate their
competency and professionalism in the internal
auditing field.
THE INSTITUTE OF INTERNAL AUDITORS (IIA) is the internal audit profession’s
global voice, recognized authority, acknowledged leader, chief advocate, and
principal educator worldwide. Established in 1941, The IIA is a professional
association which serves members in 165 countries around the world who work
in internal auditing, IT auditing, governance, internal control, compliance, risk
management, security, and academia.

The world’s leader in certification, education, research, and technological

guidance for the profession, The Institute sets and promulgates the International
Standards for the Professional Practice of Internal Auditing and provides various
levels of accompanying guidance; certifies professionals through the globally
recognized Certified Internal Auditor® (CIA®) and specialty certifications in
government, control self-assessment, and financial services; presents leading-
edge conferences, professional development seminars, and Web-based training;
produces forward-thinking educational products; offers quality assurance
reviews, benchmarking, and consulting services; and creates growth and
networking opportunities for specialty groups.

The IIA also brings great value to its members through Internal Auditor, an
award-winning professional magazine, and through other outstanding periodicals
that address the profession’s most pressing issues and challenges and present
viable solutions and exemplary practices.

The IIA Research Foundation (IIARF) works in partnership with experts from
around the globe to conduct valuable research projects on the top issues
affecting the business world today. It delivers leading-edge educational
products through the IIARF Bookstore.

To serve chief audit executives (CAEs), The IIA offers its Audit Executive Center,
a comprehensive program for CAEs from industries and organizations of all
sizes. The foundation of the Center is the Audit Executive Center Web portal that
provides instant access to guidance, research, and thought leadership;
a resource library comprising tools and templates; discussion forums allowing
instant knowledge sharing; newsletters including The IIA’s CAE Bulletin; and
events focused on professional development.

The Institute’s Web site, www.theiia.org, is rich with professional guidance and
information on IIA programs, products, and services, as well as resources for
IT audit professionals.

The IIA is dedicated to providing extensive support and services to its worldwide
membership through support, networking and volunteerism at local, national
and international levels. For additional information, contact [email protected].
Global Headquarters T +1-407-937-1111
247 Maitland Avenue F +1-407-937-1101
Altamonte Springs, Florida 32701-4201 USA W www.theiia.org

08/10239/LK/JP