Internal auditing is an independent appraisal function that is performed in a wide variety of companies, institutions, and governments. What distinguishes internal auditors from governmental auditors and public accountants is the fact that they are employees of the same organizations they audit. Their allegiance is to their organization, not to an external authority. Because internal auditing has evolved only within the last few decades, the roles and responsibilities of internal auditors vary greatly from one organization to another. Internal audit functions have been structured based on the differing perceptions and objectives of owners, directors, and managers. Since the passage in 2002 of the Public Company Accounting Reform and Investor Protection Act, commonly called the Sarbanes-Oxley Act, the function of the auditor has been highlighted in compliance with the new regulations. In publicly held corporations, the internal auditing function has been greatly expanded as a part of fulfilling the requirements of Sarbanes-Oxley.
The structure given to the internal auditing function within a company depends to a great extent on four things: 1) the size of the company; 2) the type of business it carries out; 3) the philosophy of the management group, and 4) the level of interest or concern placed on auditing by the chief executive and the board of directors. In a very small business, the owner-manager will usually perform the role of internal auditor by continuously monitoring all of the business's activities. In larger companies, employees who fulfill internal auditing functions are known by a wide variety of titles—control analysts, systems analysts, business analysts, internal consultants, evaluators, and operations analysts.
The Institute of Internal Auditors (IIA) is an international governing body for internal auditors that brings some uniformity and consistency to the practice. The IIA provides general standards for performing internal audits and serves as a source for education and information. In its Standards for the Professional Practice of Internal Auditing, the IIA defines the internal auditing function as "an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization. The objective of internal auditing is to assist members of the organization in the effective discharge of their responsibilities. To this end, internal auditing furnishes them analysis, appraisals, recommendations, counsel, and information concerning activities reviewed."
There is theoretically no restriction on what internal auditors can review and report about within an organization. In practice, internal auditors work within the parameters of the company's overall strategic plan, performing internal auditing functions so that they are coordinated with the larger goals and objectives of the organization. Internal auditors perform a variety of audits, including compliance audits, operational audits, program audits, financial audits, and information systems audits. Internal audit reports provide management with advice and information for making decisions or improving operations. When problems are discovered, the internal auditor serves the organization by finding ways to prevent them from recurring. Internal audits can also be used in a preventative fashion. For example, if the internal auditor communicates potential problems and risks in business operations during his/her review, management can take preemptive action to prevent the potential problem from developing.
DEVELOPMENT AND CURRENT STATUS OF INTERNAL AUDITING PRACTICES
Prior to the twentieth century, companies and other institutions relied on external auditing practices for financial and other information on their operations. The growing complexity of American companies after World War I, however, required better techniques for planning, directing, and evaluating business activities. These needs, coupled with the stock market crash of 1929 and increased evidence of questionable accounting practices by corporations, led to the creation of the Securities and Exchange Act of 1934. This legislation established the Securities and Exchange Commission (SEC) as a monitor of corporate financial reporting. In the wake of these developments, the new thrust for internal auditing was to verify financial statements, as well as to continue testing transactions. World War II led internal auditors into the assurance of compliance with government regulations. The boom that followed, with the growth of conglomerates and international subsidiaries, imposed further responsibility upon the auditors requiring them to review the adequacy of corporate procedures and practices in operational evaluations, as well as performing the financial audit.
The importance of quality internal auditing was further underlined with the passage of the Foreign Corrupt Practices Act and the establishment of the Financial Accounting Standards Board. While these developments did not specifically call for an internal auditing function, internal auditors were poised to help management fulfill the additional requirements implicit therein. In the 1980s, highly publicized business failures and fraudulent financial statements that went undetected by external auditing firms gave further merit to the concept of internal auditing.
In December of 2001, the Enron Corporation, which had ranked as the seventh largest U.S. corporation in terms of revenue just one year earlier, filed for bankruptcy protection. A string of similar high-profile bankruptcies of very large corporations followed. Serious allegations of accounting fraud were made and extended well beyond the bankrupt corporations to include some of the nation's largest and most reputable accounting firms. Confidence was shaken, the country was still reeling in the aftermath of the terrorist attacks of 9/11, and the stock market was dropping. The SEC acted by proposing regulations requiring enhanced certification of the financial statements of all publicly traded companies by their CEOs and CFOs. The U.S. Congress was quick to follow suit and passed the Sarbanes-Oxley Act, which was signed by President George W. Bush in July of 2002.
The Sarbanes-Oxley Act is a wide-reaching and complex law that imposes heavy reporting requirements on all publicly traded companies. Meeting the requirements of this law has increased the workload of auditing firms and increased the need for internal audits and controls in publicly held companies. In particular, Section 404 of the Sarbanes-Oxley Act requires that a company's annual report include an official write-up by management about the effectiveness of the company's internal controls. The section also requires that outside auditors attest to management's report on internal controls.
Private companies are not covered by the Sarbanes-Oxley Act. However, analysts suggest that even private firms should be aware of the law and how it may impact them under specific circumstances. For example, if a private company anticipates being acquired by a public company, it will need to comply with Sarbanes-Oxley's requirements on internal controls for several quarters before the acquisition date in order to reassure the acquiring company's CEO and CFO that they may certify the consolidated financials. In general, Sarbanes-Oxley has raised the bar in terms of expectations regarding internal controls and corporate governance.
INTERNAL AUDITING AND INTERNAL CONTROL
The manner in which internal auditing has evolved has linked it directly to the concepts and objectives of internal control. The IIA clearly advocates an internal control focus when it defines the scope of internal auditing: "The scope of internal auditing should encompass the examination and evaluation of the adequacy and effectiveness of the organization's system of internal control and the quality of performance in carrying out assigned responsibilities." At the most basic level, internal controls can be identified as individual preventive, detective, corrective, or directive actions that keep operations functioning as intended. These basic controls are aggregated to create whole networks and systems of control procedures which are known as the organization's overall system of internal control.
The IIA's Standards of Professional Practice outlines five key objectives for an organization's system of internal control: 1) reliability and integrity of information; 2) compliance with policies, plans, procedures, laws and regulations; 3) safeguarding of assets; 4) economical and efficient use of resources; and 5) accomplishment of established objectives and goals for operations or programs. It is these five internal control objectives that provide the internal auditing function with its conceptual foundation and focus for evaluating an organization's diverse operations and programs.
KEY ASSUMPTIONS ABOUT THE INTERNAL AUDIT FUNCTION
There are three important assumptions implicit in the definition, objectives, and scope of internal auditing: Independence, competence, and confidentiality.
Internal auditors have to be independent from the activities they audit so that they can evaluate them objectively. Internal auditing is an advisory function, not an operational one. Therefore, internal auditors should not be given responsibility or authority over any activities they audit. They should not be positioned in the organization where they would be subject to political or monetary pressures that could inhibit their audit process, sway their opinions, or compromise their recommendations. Independence and objectivity of internal auditors must exist in both appearance and in fact; otherwise the credibility of the internal auditing work product is jeopardized.
Related to independence is the assumption that internal auditors have unrestricted access to whatever they might need to complete an appraisal. That includes unrestricted access to plans, forecasts, people, data, products, facilities, and records necessary to perform their independent evaluations.
A business's internal auditors have to be people who possess the necessary education, experience, and proficiency to complete their work competently, in accordance with accepted internal auditing standards. An understanding of good business practices is essential for internal auditors. They must have the capability to apply broad knowledge to new situations, to recognize and evaluate the impact of actual or potential problems, and to perform adequate research as a basis for judgments. They must also be skilled communicators and be able to deal with people at various levels throughout the organization.
Evaluations and conclusions contained in internal auditing reports are directed internally to management and the board, not to stockholders, regulators, or the public. Presumably, management and the board can resolve issues that have surfaced through internal auditing and implement solutions privately, before problems get out of hand. Management is expected to acknowledge facts as stated in reports, but has no obligation to agree with an internal auditor's evaluations, conclusions, or recommendations. After internal auditors report their conclusions, management and the board have responsibility for subsequent operating decisions—to act or not to act. If action is taken, management has the responsibility to ensure that satisfactory progress is made and internal auditors later can determine whether the actions taken have the desired results. If no action is taken, internal auditors have the responsibility to determine that management and the board understand and have assumed any risks of inaction. Under all circumstances, internal auditors have the direct responsibility to apprise management and the board of any significant developments that the auditors believe warrant ownership/management consideration or action.
It should be noted, however, that the "confidential" aspect of the internal audit function is not absolute. According to the Securities and Exchange Commission (SEC), internal audit reports must be made available for review in case of regulatory inquiries. Business owners dislike this state of affairs because of an understandable reluctance to divulge sensitive business information. But the SEC cites Section 21 of the Securities and Exchange Act, which grants the agency the power to subpoena financial records as part of investigations. The United States' major stock exchanges, NASDAQ and the New York Stock Exchange (NYSE), have adopted similar positions regarding their own inquiries into alleged misdeeds, seeing internal audits as key indicators of supervision, policies, and controls within the firm in question. These exchanges generally regard failure to produce internal audit reports or other records when demanded as violations of their basic tenets.
Under some circumstances, however, experts contend that a firm may be able to claim a legal foundation for withholding particular internal audit reports. According to Compliance Reporter, "If a specific report has been prepared under the supervision of legal counsel and for the purpose of providing legal advice to the firm and not for more routine business purposes, or the report has been specifically prepared at the direction of attorneys in anticipation of threatened litigation, then the report may be protected by either the attorney-client privilege or the attorney work product doctrine."
DIFFERENCES BETWEEN INTERNAL AND EXTERNAL AUDITING
Internal auditors and external auditors both audit, but have different objectives and a different focus. Internal auditors generally consider operations as a whole with respect to the five key internal control objectives, not just the financial aspects. External auditors focus primarily on financial control systems that have a direct, significant effect on the figures reported in financial statements. Internal auditors are generally concerned with even small incidents of fraud, waste, and abuse as symptoms of underlying operational issues. But the external auditor may not be concerned if the incidents do not materially affect the financial statements—which is reasonable given the fact that external auditors are engaged to form an opinion only of the organization's financial statements. The external auditor does perform services for management, including making recommendations for improvement in systems and controls. By and large, however, these are financially oriented, and often are not based on the same level of understanding of an organization's systems, people, and objectives that an internal auditor would have. It should be recognized, however, that the traditionally limited role of the external auditor has broadened in recent years to include an increased operational review facet.
This comparison of internal auditing to external auditing considers only the external auditors' traditional role of attesting to financial statements. During the 1990s a number of the large public accounting firms began establishing divisions offering "internal auditing" services in addition to existing tax, actuarial, external auditing, and management consulting services. Predictably, the event has caused a flurry of debate among auditors about independence, objectivity, depth of organizational knowledge, operational effectiveness, and true costs to the organization.
One option available to small business enterprises is to investigate the possibility of "co-sourcing" its internal audit functions with an outside vendor. "Co-sourcing arrangements with outside vendors allow the in-house auditors to retain responsibility for the internal audit process while relying on the outside entity for specialized technical skills and personnel," wrote C. William Thomas and John T. Parish in Journal of Accountancy. "By contract, a company that outsources loses day-to-day control over its activities to the vendor—usually a professional service firm."
As Thomas and Parish note, the relative autonomy of the internal audit function makes it an ideal candidate for co-sourcing. Under such an arrangement, the outside vendor can attend to specialized elements of the internal audit function, such as "reconciliation of specialized accounts; valuation, disclosure and Environmental Protection Agency compliance issues for certain types of inventory; and reconciliation of foreign accounts where business customs pose review problems." In return, the company saves expenses on permanent staff, gains greater in-house flexibility in evaluating projects and practices, and garners the ability to maximize its access to specialized knowledge by selecting vendors for each functional area.
There are potential drawbacks to the co-sourcing arrangement, however. Thomas and Parish cite staff worries over long-term job security, the possibility of "turf battles" between in-house auditors and vendors, and loss of in-house focus on "big picture" issues of company-wide profitability and efficiency as stumbling blocks. But they charge that "a cost-conscious, proactive internal audit group with custom-designed co-sourcing programs retains the advantages of outsourcing along with the benefits of having an in-house internal audit staff, such as knowledge of management methods, accessibility, responsiveness, loyalty, and a shared vision for the organization's strategic business goals."
TYPES OF INTERNAL AUDITS
Various types of audits are used to achieve particular objectives. The types of audits briefly described below illustrate a few approaches internal auditing may take.
An operational audit is a systematic review and evaluation of an organizational unit to determine whether it is functioning effectively and efficiently, whether it is accomplishing established objectives and goals, and whether it is using all of its resources appropriately. Resources in this context include funds, personnel, property, equipment, materials, information, space, and whatever else may be used by that unit. Operational audits can include evaluations of the work flow and propriety of performance measurements. These audits are tailored to fit the nature of the operations being reviewed. "Carefully done, operational auditing is a cost-effective way of getting a higher return from the audit function by making it helpful to operating management," wrote Hubert D. Vos in What Every Manager Needs to Know About Finance.
A system analysis and internal control review is an analysis of systems and procedures for an entire function such as information services or purchasing.
Ethical Practices Audit
An ethical business practices audit assesses the extent to which a company and its employees follow established codes of conduct, policies, and standards of ethical practices. Policies that may fall within the scope of such an audit include adherence to specified guidelines in such areas as procurement, conflicts of interest, gifts and gratuities, entertainment, political lobbying, ownership of patents and licenses, use of organization name, speaking engagements, fair trade practices, and environmentally sensitive practices.
A compliance audit determines whether the organizational unit or function is following particular rules or directives. Such rules or directives can originate internally or externally and can include one or more of the following: organizational policies; performance plans; established procedures; required authorizations; applicable external regulations; relevant contractual provisions; and federal, state, and local laws.
A financial audit is an examination of the financial planning and reporting process, the conduct of financial operations, the reliability and integrity of financial records, and the preparation of financial statements. Such a review includes an appraisal of the system of internal controls related to financial functions.
Information Systems Audit
A systems development and life cycle review is a unique type of information systems audit conducted in partnership with operating personnel who are designing and installing new information systems. The objective is to appraise the new system from an internal control perspective and independently test the system at various stages throughout its design, development, and implementation. This approach intends to identify and correct internal control problems before systems are actually put in place because modifications made during the developmental stages are less costly. Sometimes problems can be avoided altogether. There is risk in this approach that the internal auditor could lose objectivity and independence with considerable participation in the design and installation process.
A program audit evaluates whether the stated goals or objectives of a certain program or project have been achieved. It may include an appraisal of whether an alternative approach can achieve the desired results at a lower cost. These types of audits are also called performance audits, project audits, or management audits.
A fraud audit investigates whether the organization has suffered a loss through misappropriation of assets, manipulation of data, omission of information, or any illegal or irregular acts. It assumes that intentional deception has occurred.
INTERNAL AUDIT PLANNING
Business consultants strongly encourage small business owners to establish self-auditing practices. "Not many years ago a company measured its success by how much of its product it was able to sell," stated Jeffrey Davidson and Charles Dean in Cash Traps: Small Business Secrets for Reducing Costs and Improving Cash Flow. "Today success is heavily influenced by the ability to keep costs under control and, of course, to maintain a healthy cash flow. Volatile interest rates, shrinking profit margins, and increasing operational costs are causing many businesses to reassess and upgrade their internal control procedures."
For a small business owner, knowing what areas to audit and where to commit resources is an integral part of the internal audit function. A long-range audit plan provides a complete view of audit strategy and coverage in relation to the relative significance of functions to be audited. The goal is to plan an audit strategy that is cost-effective and emphasizes audit projects that have high impact or address areas of significant risk. An in-depth understanding of the organization and how it operates is a prerequisite for the audit planning process. Developing the plan first requires identifying and listing all auditable units or functions. (This is frequently called the "audit universe.") Next, a rational system must be devised to assign significance and risk to each auditable unit or function. Based on perceived significance and estimated risk, the audit priorities and strategies are documented in the audit plan.
Business owners and managers, however, should recognize that the internal audit process is not a static one. Its character and emphasis should adapt to the changes that take place in the organization over time. Departure of key people, changes in markets, new demographics, new competitors, and other factors can dramatically affect the operations of small businesses and other organizations. Organizational processes and existing internal control systems may become obsolete with new technology. Legal and regulatory environments change with the political winds. Consequently, risks and significance rankings, the audit universe, and audit strategies will change. The successful small business owner, though, will learn to anticipate such changes, and adjust his or her internal auditing strategies accordingly.
Braiotta, Louis, Richard Hickok, and Main Hurdman The Audit Committee Handbook. 4th edition, John Wiley & Sons, 2004.
"Customer Documentation, Internal Audits." Compliance Reporter. 9 October 2000.
Hake, Eric R. "Financial Illusion: Accounting for Profits in an Enron World." Journal of Economic Issues. September 2005.
Moeller, Robert, and Herbert Witt. Brink's Modern Internal Auditing. 6th edition, John Wiley & Sons, 2005.
Pickett, K. H. Spencer. The Internal Audit Handbook. John Wiley & Sons, 2003.
Thomas, C. William, and John T. Parish. "Co-Sourcing: What's In It for Me?" Journal of Accountancy. May 1999.