What is Internal Audit?

Internal audit refers to the department located within a business that monitors the efficacy of its processes and controls. The internal audit function is especially necessary in larger organizations with high levels of process complexity, where it is easier for process failures and control breaches to occur. Internal audit is especially necessary in a publicly-held business, which must attest to the robustness of its systems of internal control. Internal audit is not simply a watchdog that monitors a business and flags problems. It can also act as an internal consulting department that adds value to company operations. It does so by highlighting opportunities for improvement and facilitating changes within the organization.

Who Does Internal Audit Work For?

Ideally, the internal audit department reports to the board of directors or a committee of the board. By doing so, it remains independent of the management team, and so is able to investigate issues related to the team, reporting its findings back to the board of directors. This level of independence means that the internal audit function cannot directly engage in company operations, since it would then be working for the management team it is supposed to be evaluating.

Related AccountingTools Course

Internal Auditing Guidebook

The internal audit staff is responsible for the activities noted below.

Fraud Detection

The internal audit staff routinely examines systems and transactions to see if there are any indicators of fraud being perpetrated within the business. If so, the staff may collect evidence for prosecution purposes, as well as recommend control changes to eliminate the opportunity for additional fraud.

Internal Control Assessments

The internal audit staff engages in ongoing reviews of controls, to see if they are adequate as constructed, and whether employees are using them in the intended manner.

Legal and Regulatory Compliance

The internal audit staff examines whether the company is compliant with all applicable legal and regulatory issues. This work is typically done in conjunction with the company’s legal department.

Process Assessments

The internal audit staff reviews proposed changes to processes to see if the controls associated with them are still adequate. If not, the staff recommends changes, and will review them at a later date to see if the changes have been properly installed and followed.

Risk Assessments

The internal audit staff will conduct reviews of the risks to which a business is subjected, looking in particular at the probability of risks being incurred and the amount of loss associated with them. This information is used by management to determine whether strategic or tactical changes should be made to mitigate the indicated risk issues.

Safeguarding of Assets

The internal auditing staff will examine the controls associated with assets, to see if any assets are at risk of loss. This may result in recommendations to alter controls in order to better safeguard assets.

Management of the Internal Audit Function

The internal audit manager schedules audit work, usually focusing on high-risk areas. Other examinations may be conducted as directed by the audit committee of the board of directors, or as requested by department managers. The areas being targeted for an examination are normally given advance notice, so that they can assemble all required documents for the internal audit team. In some cases where fraud is suspected, the audit team will appear without any prior announcement, in hopes of catching the perpetrator.

Internal Audit vs. External Audit

External auditors pass judgment on whether the financial statements of a business are a fair reflection of its financial results and financial position. This goal differs dramatically from the activities conducted by an internal audit group, which are to monitor the efficacy of processes and controls. This results in several differences between the two types of auditors. First, external auditors need be certified as CPAs under certain circumstances, whereas there is no certification requirement for internal auditors. Second, the company cannot select the external auditors that will be evaluating it - the audit committee can only select an audit firm, and then the audit firm assigns staff to the audit. Third, the external auditors’ final report is used to certify the company’s financial statements, while internal audit reports are intended for internal consumption, and can trigger management decisions to revise company operations. Finally, external audits tend to focus on very specifically-defined areas of a business, whereas internal auditors may be assigned to investigations in literally any area of a business. In short, the two audit functions are quite different.