INTERNAL AUDITING

---

---

Photo by: pressmaster

Most large companies, major institutions, governmental agencies, and federal, state, and local governments have established internal auditing functions. Job titles other than "internal auditor"—such as internal consultants, compliance officers, quality assurance managers, or operations analysts—are sometimes given to those performing internal audit functions. Regardless of the position title, it is the character of service that classifies it as internal auditing. From their organization's point of view, "internal" auditors serve in a self-evaluative or self-assessing function. They compare existing conditions ("what is") to a standard ("what should be") and suggest how to achieve the ideal.

A governing body, the Institute of Internal Auditors (IIA), operates to bring uniformity and consistency to the practice of internal auditing. The IIA is an international association with chapters operating in approximately 120 countries. By 1999, the IIA had grown to 70,000 individual members. The IIA provides performance standards for internal audit professionals and serves as a source for education, training, research, and reference materials. The Association also administers a Certified Internal Auditor program, which leads to an internationally recognized certification—CIA.

In June 1999, the IIA Board of Directors unanimously approved the following definition of internal auditing produced by their Guidance Task Force:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

There is theoretically no restriction on what internal auditors can evaluate and report about within an organization. But, internal audit projects tend to vary from one company to another, reflecting particular objectives of owners, directors, and senior management. Internal auditors typically operate under a board-approved charter that defines their role, objectives, and scope. The following five directives from the IIA's Statement of Responsibilities of Internal Auditing are included in most charters:

• Review the reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information;
• Review the systems established to ensure compliance with those policies, plans, procedures, laws, regulations, and contracts which could have a significant impact on operations and reports, and determine whether the organization is in compliance;
• Review the means of safeguarding assets and, as appropriate, verify the existence of such assets;
• Appraise the economy and efficiency with which resources are employed; and,
• Review operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.

HISTORY AND BACKGROUND

The double-entry bookkeeping system invented in the 13th century provided the means for those engaged in commerce to control transactions with suppliers and customers, and check the work of employees. Historical records suggest that internal auditors were being utilized prior to the 15th century. These auditors, employed by kings or merchants, were charged with detecting or preventing theft, fraud, and other improprieties. Control techniques such as separation of duties, independent verification, and questioning (i.e. "auditing") to detect and prevent irregularities are thought to have originated during that time. Thus, control assessment and fraud detection have become known as the "roots" of internal auditing.

As industry and commerce evolved, so did control methods and auditing techniques. These methods migrated to the United States from England during the industrial revolution. Managerial control through auditing continued to gain favor up to and through the 20th century. Many events contributed.

The economy of the United States was growing rapidly after World War I and required better techniques for planning, directing, and evaluating business activities. Unfortunately, the growth was accompanied by a rise in price-fixing, interlocking directorates, stock manipulations, and false statements of business performance. Regulatory actions followed and auditing was used as a means to confirm that laws were being followed. The Federal Trade Commission (FTC) was created in 1914. The Great Depression and the 1930s brought more regulatory action for publicly traded securities. The Securities Act of 1933, the Securities and Exchange Act of 1934, the Public Utilities Holding Company Act of 1935, and the Investment Company Act of 1940 were enacted by the United States Congress.

As the need for auditing grew, corporations realized that they could no longer rely solely on external auditors from public accounting firms. Corporations began hiring auditors as their own employees to verify financial transactions and test compliance with accounting controls. Many of these internal auditors were hired from external auditing firms. They brought to the companies that hired them auditing methods used by public accountants with a financial statement focus. These internal auditors concentrated on financial auditing. Management viewed these internal auditors as a means to reduce external audit fees while maintaining the same level of financial audit coverage. Within some organizations this image of internal auditing still persists.

Internal auditing started to emerge as a function distinctly different from external auditing about the middle of the 20th century. Then, a significant event brought internal auditing to the forefront—the Foreign Corrupt Practices Act of 1977. The Act was the government's response to outcries as news of corporate wrong-doings increased. The Act was passed to prevent secret funds and bribery. It specifically prohibited offering of bribes to foreign officials. It required organizations to maintain adequate systems of internal control and maintain complete and accurate financial records. While the Act did not specifically call for an internal auditing function, internal auditors were poised and ready to help management fulfill the requirements of this Act. Testing and evaluation of internal controls within companies increased significantly. The role of internal auditors was viewed with new importance.

In the mid-to-late 1980s there were a number of large business failures and financial statement frauds. On several occasions external auditing firms failed to detect those frauds. The issues of fraudulent financial reporting were examined by a group of private sector organizations which included the American Institute of Certified Public Accounts (AICPA), the American Accounting Association (AAA), the Financial Executives Institute (FEI), the Institute of Internal Auditors (IIA), and the National Association of Accountants (NAA). This group of organizations, known as the Treadway Commission, issued its final recommendations in 1987. Several recommendations of the Treadway Commission were of great significance to internal auditors. Among other recommendations, the Commission's report directs companies to maintain adequate internal control systems, to establish effective and objective internal audit functions staffed with adequate qualified personnel, and to coordinate internal auditing with the external audit of the financial reports. The Commission's report also directed internal auditors to consider whether their findings of a non-financial nature could impact the financial statements. The Treadway Commission also directed its sponsoring organizations to develop guidance on internal control. That sponsoring group did so, issuing its report Internal Control — Integrated Framework in 1992, which again emphasized the importance of internal controls in organizations.

The evolution of internal auditing tracks changing business practices and concepts of internal control. At the most basic level, internal controls are individual preventive, detective, corrective, or directive actions that keep the operations functioning as intended. Basic controls, when aggregated, create whole networks and systems of control procedures, which are known as the organization's overall system of internal control. During the 1990s, business process "reengineering" and downsizing, removed layers of management and flattened organizational hierarchies. Traditional controls were loosened or dismantled to improve efficiency and lower costs. In response, internal auditing's control orientation moved away from evaluating individual process controls toward assessing the overall control environment—integrated control frameworks, corporate governance, and the ethical climate—within the organization. Internal auditors increased their use of risk assessments and aligned their activities with broader organizational goals to deploy their own scarce audit resources. Internal auditing's focus shifted to risk prevention and to promoting change. Even so, control assessment and fraud detection, the "roots" of internal auditing, still retained a place in the internal audit function.

THE INSTITUTE OF INTERNAL AUDITORS

In 1941, the Institute of Internal Auditors (IIA) was founded in New York by a small group of practicing internal auditors. The group recognized that they had many commonalities in the way they worked despite the fact that they worked in different businesses and industries. They agreed that merely applying external auditing techniques internally was not sufficient. They felt the need for a formal approach to sharing and organizing their body of knowledge and their mutual concerns. They began the long process of achieving an identity for internal auditing as a distinct profession concerned with providing independent appraisals for all activities within an organization. The first textbook for the practice, Brinks Internal Auditing (United States), was published in 1941. A technical journal for the field, Internal Auditor, distributed its first issue in 1943. The Institute developed the first version of a Statement of Responsibilities in 1947 and has continued to revise it (1957,1971, 1976, 1981, 1990) as internal auditing practices matured. In 1978 the IIA published the Standards for Professional Practice to serve as the primary source of reference for directing an internal audit function. The Institute has modified or amended the Standards by issuing Statements on Internal Auditing Standards and Administrative Directives. Also, a Guidance Task Force, chartered by The IIA board of directors in 1997, has been reviewing the Standards to ensure that they reflect the current practices.

In 1974 the Institute began a certification program—Certified Internal Auditor (CIA). The credential requires a combination of education and work experience with successful completion of a four-part comprehensive exam which tests: Internal Audit Process; Internal Audit Skills; Management, Control and Information Technology; and, Audit Environment. In 1992 the IIA completed and published an in-depth study— A Common Body of Knowledge for the Practice of Internal Auditing. It identified 334 competencies in 20 different disciplines needed by practicing internal auditors. The study lists needed disciplines in the following order of perceived importance: reasoning, communications, auditing, ethics, organizations, sociology, fraud, computers, financial accounting, data gathering, managerial accounting, government, legal, finance, taxes, quantitative methods, marketing, statistics, economics, and international business.

The IIA Research Foundation subsequently planned to update and expand the Common Body of Knowledge. But, the project expanded to study, document, and define internal auditing and its competencies on a global level. The research, Competency Framework for Internal Auditing (CFIA), led by William P. Birkett, was published in six separate modules: 1) Internal Auditing: The Global Landscape; 2) Competency: Best Practices and Competent Practitioners ; 3) Internal Auditing Knowledge: Global Perspectives; 4) The Future of Internal Auditing: A Delphi Study; 5) Assessing Competency in Internal Auditing: Structures and Methodologies; and, 6) Conceptual Foundations of Internal Auditing.

The CFIA study found a need for a universal definition of internal auditing. The study observed that internal auditing had moved beyond control evaluation and risk management toward risk prevention, even though risk issues had become more complex with complicated business relationships, new products and services, rapid advances in information and network technology, and global commerce. "Organizations are moving toward an ideal where they will review and seek assurance for their risk exposures in totality," Birkett said. "Thus, areas that were previously viewed as separate in terms of risk management—quality assurance, environmental management, occupational health and safety, and internal auditing—are likely to be amalgamated." CFIA predicts internal auditors in the future "will provide advice, promote understanding, facilitate change, and sponsor continuous improvement programs, in addition to the traditional role of providing assurance."

KEY ASSUMPTIONS ABOUT THE
INTERNAL AUDIT FUNCTION

There are three important assumptions implicit in the definition, objectives, and scope for internal auditing. First, is the assumption that internal auditors can evaluate objectively, free from conflicts of interest, political, or monetary pressures that could inhibit their questioning, bias their reporting, or compromise their recommendations. This is called auditor independence. Independence and objectivity should exist in appearance and in fact for a credible work product. Related to independence is the assumption that internal auditors have unrestricted access to whatever they might need to make an objective assessment. That includes unrestricted access to plans, forecasts, people, data, products, facilities, and records necessary to perform their independent evaluations. Second, is the assumption that the internal auditing function is staffed with people possessing the necessary education, experience, and proficiency to perform competently. Third, is the presumption that the evaluations and conclusions contained in internal auditing reports are directed internally to management and the board, not to stockholders, regulators, or the public.

It is presumed that management and the board can resolve issues that have surfaced through internal auditing and implement solutions. After internal auditors present conclusions, management and the board have responsibility for subsequent decisions—to act or not to act. If action is taken, management has responsibility to assure progress is made. Internal auditors later can determine whether the actions had the desired results. If no action is taken, internal auditors have responsibility to determine if management and the board understand and have assumed risks of inaction. Under all circumstances, internal auditors have the direct responsibility to notify management and the board of significant matters that the internal auditors believe need their attention.

INTERNAL AUDITING VS. EXTERNAL
AUDITING AND INDUSTRIAL
ENGINEERING

The industrial engineer studies methods of performing work, suggests improvements, designs and installs work systems, and evaluates results. Internal auditors do utilize some of the analytical techniques belonging to industrial engineers, but do not focus on them. Further, internal auditors do not design and install systems.

Internal auditors and external auditors both audit, but have different objectives. Internal auditors generally consider operations a whole relative to objectives. External auditors focus primarily on financial systems that have a direct, significant effect on the amounts reported in financial statements. Internal auditors consider even small amounts of fraud, waste, and abuse as symptoms of underlying issues. The external auditor considers just what materially affects the financial statements since that is the nature of their engagement. Sawyer's Internal Auditing summarizes the differences in the following way.

Management controls over financial activities have been greatly strengthened throughout the years. The same cannot always be said of controls elsewhere in the enterprise. Embezzlement can hurt a corporation; the poor management of resources can bankrupt it. Therein lies the basic difference between external auditing and modern internal auditing; the first is narrowly focused and the second is comprehensive in scope. True, the external auditor performs services for management and submits letters to management, which recommend improvement in systems and controls. By and large, however, these are financially oriented. Also, the external auditor's occasional sally into nonfinancial operations may not benefit from the same depth of understanding as does the resident internal auditor, who is intimately familiar with the organization's systems, people, and objectives.

"OUTSOURCING" OR "CO-SOURCING"
THE INTERNAL AUDIT FUNCTION

The previous comparison of internal auditing to external auditing considers only the external auditors' traditional role of attesting to financial statements. During the 1990s a number of the large professional service firms (the "Big 5" public accounting firms) began establishing divisions offering internal auditing services in additional to tax, financial planning, actuarial, external auditing, and management consulting. New firms also emerged offering internal auditing services but not attestation (external audits) of financial statements. Predictably, the arrival of "outside" consultants ready to do "internal" audits caused a flurry of debate about independence, objectivity, depth of organizational knowledge, operational effectiveness, and long run costs to the organization. Regardless, the trend continued throughout the rest of the decade. Initial protests gave way to acknowledgment that non-employees can indeed perform internal audits. Orderly analyses of outsourcing's pros and cons followed. "Co-sourcing" (using outsiders for selected projects) became a useful compromise. That option provided access to an outside firm's resources while retaining a knowledgeable core of internal auditors to direct and manage co-sourced projects.

However, perceptions of impaired independence continued when public accounting firms providing opinions on financial statements also staffed the internal auditing function. In 1998, the American Institute of Certified Public Accounts (AICPA) decided that professionals from the same CPA firm could serve as external auditors of the financial statements and still perform internal auditing functions (called "extended services") without impairing independence if certain conditions were met. The AICPA required that outside professionals not act as employees and not assume ongoing control or other functions. It required management to retain responsibility for internal audit scope, planning, and risk assessments and to designate a competent executive to retain responsibility for the overall internal audit function. In New Zealand and several European countries, external auditors of financial statements in public sector companies may not provide internal audit services to the same company.

TYPES OF AUDITS

Various types of audits are used to achieve particular objectives. The types of audits briefly described below illustrate a few approaches internal auditing may take. The examples are not all inclusive.

OPERATIONAL AUDIT.

An operational audit is a systematic review and evaluation of an organizational unit to determine whether it is functioning effectively and efficiently, whether it is accomplishing established objectives and goals, and whether it is utilizing all of its resources appropriately. Resources in this context include funds, personnel, property, equipment, materials, information, intellectual property, or space. Operational audits often include evaluations of the work flow and propriety of performance measurements. These audits are tailored to fit the nature and objectives of the operations being reviewed.

PROGRAM AUDIT.

A program audit evaluates whether the stated goals or objectives for a project or initiative have been achieved. It may include an appraisal of whether an alternative approach can achieve the desired results at a lower cost. These types of audits are also called performance audits or management audits.

FRAUD AUDIT.

A fraud audit investigates whether the organization has suffered through misappropriation of assets, manipulation of data, omission of information, or illegal acts. It assumes that deceptions were intentional.

ETHICAL BUSINESS PRACTICES AUDIT.

An ethical business practices audit determines the extent to which the organization, management, and employees support established codes of conduct, policies, and standards of ethical practices. Topics that may fall within the scope of such audits include procurement policies, conflicts of interest, gifts and gratuities, entertainment, political lobbying, patents, copyrights, and licenses (including software use), or fair trade practices

COMPLIANCE AUDIT.

A compliance audit determines whether a process or transaction is or is not following applicable rules. Such rules can originate internally as corporate bylaws, policies, and procedures or externally as laws and regulations. Characteristic of compliance audits are the yes/no aspects of the evaluation. For each process or transaction examined, the auditor must ultimately decide whether it complies with the rule or not. Reaching that conclusion is not necessarily simple in domains governed by complex regulations (e.g. occupational health and safety, environmental, federal grants and contracts, employee pensions and benefits, or federal tax). Compliance auditors and attorneys specializing in these fields may be engaged to assist with evaluations if such specialists are not part of the internal audit staff.

SYSTEMS DEVELOPMENT AND LIFE CYCLE REVIEW.

A systems development and life cycle review is an information systems audit conducted in partnership with operating personnel who are implementing a new information system. The objective is to appraise and independently test the system at various stages throughout the design, development, and installation. The approach intends to identify issues and correct problems early because modifications made during developmental stages are less costly. and some problems can be avoided altogether. The concern about this type of audit is that the internal auditor could lose objectivity through extended participation in the system design and installation.

CONTROL SELF-ASSESSMENT AUDIT.

A control self-assessment audit enlists management to share audit responsibility by evaluating and reporting on the state of controls and levels of risks under their supervision. Internal auditors provide training and act as facilitators. In effect this become a problem solving partnership and can be a cost-effective. Its inherent risk is that management's self-evaluation may be biased. Although, the internal auditor can retain the right to independently verify any reported conclusions.

FINANCIAL AUDIT.

A financial audit is an examination of the financial planning and reporting process, the conduct of financial operations, the reliability and integrity of financial records, and the preparation of financial statements. Such a review includes an appraisal of the system of internal controls related to financial functions.

INTERNAL AUDIT PLANNING

A prerequisite to successful internal audit planning is a keen understanding of the organization, its strategic plan, and how it operates. In that context, the internal auditor can develop audit priorities and strategies that take into account significance of activities, and relative risk. The planning process is dynamic. Departures of key people, shifts in markets, new demographics, or drastic upheavals in the business environment can totally transform a company. Organizational processes can become obsolete with new technology. Laws and regulations may change, as well as attitudes about the degree of compliance necessary. Consequently, organizational objectives and related audit strategies will change. The person directing the internal audit function is usually the one responsible for creating a comprehensive audit plan. It is customary for senior management to review the plan and submit it to the board for approval.