The Institute of Internal Auditors (2005) defines internal auditing as "…an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes."
One way to distinguish between internal auditors and their more familiar counterparts, external auditors, is the intended audience of their reports. External auditors are hired by a company to audit that firm's financial statements and issue an opinion on the reliability of those financial statements. While external auditors are in a contractual relationship to the firm whose financial statements are being audited, external auditors owe their primary fiduciary responsibility to groups outside of the firm, such as investors and creditors. The external auditor's report or opinion is provided to groups outside of the firm that hired him to audit by including it in that firm's annual report. In contrast, internal auditors are employed by the organization that they are auditing. Similar to external auditors, the internal auditor might provide a written opinion based on his evaluation. However, in contrast to external auditors, the audience for that opinion will always be corporate management instead of investors and creditors.
Typically, the role of internal auditors is broader than that of external auditors. While a company's external auditors will focus on evaluating the firm's financial statements, internal auditors can provide financial, compliance, and operational auditing.
The significance of the contribution of internal auditors to financial audits was dramatically increased with the passage of the Sarbanes-Oxley Act of 2002. That act made wide-spread changes in the responsibility of the parties involved in the financial reporting process.
One change that has enhanced the role of the internal auditor is the requirement in Section 302 of Sarbanes-Oxley that a firm's certifying officers (typically the chief executive officer and chief financial officer) must state that they are responsible for establishing and maintaining internal controls over financial reporting. As part of this certification, they must also indicate that the internal controls were designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with generally accepted accounting principles in the United States. These Section 302 certifications are required to be included with the firm's annual financial statements. Most firms will rely extensively on the work of their internal auditors to provide the justification for the Section 302 certifications.
Section 404 of the Sarbanes-Oxley act also increased the responsibilities of internal auditors. This section requires that management include, in the firm's annual financial statements, a report on internal controls. The report must indicate that management is responsible for establishing and maintaining internal controls over financial reporting, and management's conclusions regarding the effectiveness of those internal controls. In most companies, the internal auditors will provide the documentation and testing of internal controls that will be necessary for management to make that report.
A compliance audit assures that the company's activities comply with relevant laws and regulations. An operational audit explores the effectiveness and efficiency of the firm's activities, seeking to reduce the risks faced by the specific firm. In performing an operational audit, performance standards may include a variety of criteria other than monetary measures, such as the percentage of late deliveries or idle labor time. It is the responsibility of the internal auditor to determine appropriate measures on the basis of experience and insight into the integrated functions of the company's activities. Typically, performance is measured against prior periods, industry standards, other operational units, or budgeted activity.
Internal auditing provides a broad-based, independent, value-adding function that is essential for the effective management of a firm. The value of internal audit has been greatly enhanced by the passage of the Sarbanes-Oxley Act of 2002.
SEE ALSO: Financial Issues for Managers
Karen L. Brown
Revised by Diana Franz
Arens, Alvin A. Auditing: An Integrated Approach. 7th ed. Upper Saddle River, NJ: Prentice Hall, 1997.
Burke, Jacqueline, and Anthony N. Dalessio. "Highlights of SAS No. 82 for the Internal Auditor." Internal Auditing, November/December 1998, 40–44.
Financial Accounting Standards Board. "Facts About FASB-Mission Section." Available from http://www.rutgers.edu/Accounting/raw/fasb/facts/fasfact1.html.
Gauntt, James E., Jr., and G. William Glezen. "Analytical Auditing Procedures." Internal Auditor, February 1997, 56–60.
Grand, Bernard. "Theoretic Approaches to Audits." Internal Auditing, November/December 1998, 14–19.
"H.R. 3763 Sarbanes-Oxley Act of 2002." Available from < http://thomas.loc.gov/cgi-bin/query/z?c107:H.R.3763.ENR: >.
The Institute of Internal Auditors. Website. Available from < http://www.theiia.org >.
Jacka, J. Mike, and Paulette Keller. "The Building's On Fire!" Internal Auditor, February 1996, 46–50.
Ridley, Anthony J. "A Profession for the Twenty-First Century." Internal Auditor, October 1996, 20–25.
Simmons, Mark R. "COSO Based Auditing." Internal Auditor, December 1997, 68–73.
——. "The Standards and the Framework." Internal Auditor, April 1997, 50–55.
Taylor, Donald H., and G. William Glezen. Auditing: An Assertions Approach. 7th ed. New York: John Wiley and Sons, 1997.
Walz, Anthony. "Adding Value." Internal Auditor, February 1997, 51–54.