What is the role of internal Audit? The historic basic role of internal audit has been to test on an interim basis the operations of internal controls within a business organization to see that they are operating effectively and efficiently.
The external auditors are also concerned with the effectiveness of internal controls because it is the primary basis on which they base their audit strategy, that is, the nature, timing and extent of their substantive audit tests.
What are internal controls? In essence they are systems of checks and balances to determine whether management’s policies and procedures are being carried out effectively, whether financial transactions are being reported properly, and whether the assets of the organization are being protected. Internal controls on an entity-wide basis consist of the “tone at the top,” the accounting system, risk evaluation and monitoring by management.
This post comprehensively overviews the role of the internal audit. Follow on…
How Corporate America Actually View The Internal Audit Function?
Views as how internal auditors can assist management in meeting the requirements of regulatory bodies, such as the SEC, the Department of Defense, and the banking regulators (i.e., the Federal Reserve, the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and numerous state regulatory agencies) have been rapidly evolving.
As banking regulators have been constrained from growing their own budgets, they have put pressure on financial institutions to improve the quality of their internal audit functions. In conjunction with these efforts, external accountants have informed cost-conscientious managers that better internal audit functions enable the former to reduce their efforts and, accordingly, the fees they charge.
There have been numerous situations where this has indeed been borne out. However, there are those who argue that this has not been substantiated. It is quite possible that the increased use of internal auditors for other management functions reduce their time spent on testing the system of internal control and therefore the ability of external auditors to rely on the internal audit work to effectively reduce the scope of their own audit testing of the various systems.
The task of substituting internal audit efforts for external audit work has been more successful with external regulators who do not have the financial and staffing resources that corporations do. Regulators have put pressure on corporations to put more money into their internal audit functions. This allows regulators to focus on the effectiveness of the internal auditor’s work versus performing the work themselves. In fact, more recently, bank regulators have asked that the internal audit work not be performed by the external auditors lest their independence be impaired.
How About External Auditor’s View?
Both external and internal auditors have argued that they should not be responsible for the detection of fraud. They feel that management has a comparative advantage here. Differences of opinion notwithstanding, the question of fraud became significant in the 1980s. Frauds that drew widespread attention related to savings and loan associations, commercial banks, defense industries, as well as insider trading activities. In the public view, these frauds were so blatant that it was difficult to understand how the auditors could distance themselves from them.
Accordingly, auditors have adjusted their view on fraud. However, if they focus totally on fraud, auditors will lose their value and credibility. Nevertheless, they are resident experts that can help managers understand how frauds occur. As the conscience of the organization, auditors are the best investigators of fraud. The biggest mistake is to have a manager responsible for the area where fraud occurs, overseeing the investigation. From a legal defense, as well as a corporate message, the independence issue comes into play.
The following discussion provides a hypothetical case:
The number one hotshot trader who has made millions for the firm is having a bad month. He fraudulently adjusts his positions to hide the fact that he is having losses in the month that the compensation committee is setting bonuses. His intention is to adjust his reported results next month so that the firm is not out of money and his compensation is not adversely impacted. If his manager reviews the facts and realizes how difficult it may be to replace the trader, he may look the other way.
Should not some independent individuals, such as the internal auditors, who are executing the corporate culture gather the facts here?
Managers have to be consistent in their signaling of corporate messages. If the trader were retained, the informal message would be “You can get away with anything if you make money for the firm”. Consequently, it will be harder to keep drawing the line on what is acceptable behavior and what is not. This is a classic case of “tone at the top,” to be monitored and reported on by the internal audit staff directly to the board of directors and/or its audit committee. Unfortunately, a recent international case involving the mismanagement of derivatives by an Asian trader was reported to the board of directors in London but the board failed to act. The internal auditors had nevertheless done their job.
The fraud challenge presents internal auditors with opportunities. Proper response to the challenge sells control recommendations. In the long run, proper response by the internal auditors and the organization not only builds professional credibility but also helps organizations to sidestep dangers and significant losses. The auditor who chooses to be part of the fraud solution can look forward to continuing professional challenge and a firm place in the management structure of an organization.
Broad Role Of The Internal Audit
Internal auditing, also referred to as management auditing, is generally thought of as the periodic evaluation of internal controls and management efficiency and effectiveness. Early on, internal auditors focused on protection of company assets and the detection of fraud. As noted in the 1963 National Industrial Conference Board Report, “Auditors concentrated most of their attention on examination of financial records and on the verification of assets that were most easily appropriated. A popular idea among management people a generation ago was that the main purpose of an auditing program was to serve as a psychological deterrent against wrongdoing by other employees.”
The internal audit role has changed considerably, adapting to significant changes in the world of business. Technology has allowed many manual tasks to be automatically checked. Furthermore, businesses’ need to curtail costs and increase efficiency took on greater importance. Cost versus benefit trade-off was quickly evident in management’s expectations of the internal audit function. To offset the costs of attracting qualified individuals to the internal audit function, it was important for auditors to provide input valued by management, such as operational reviews.
The IIA best described the broad role of internal auditing in its 1957 Statement of Responsibilities of Internal Auditing. According to that publication, the management services provided by internal auditors include:
- Reviewing and appraising the soundness, adequacy, and application of accounting, financial, and operational controls
- Ascertaining the extent of compliance with established policies, plans, and procedures
- Ascertaining the extent to which organizational assets are accounted for and safe-guarded from losses of all kinds
- Ascertaining the reliability of accounting and other data developed within the organization
- Appraising the quality of performance in carrying out assigned responsibilities
There are various ways these responsibilities can be modified and executed. An internal auditor can have a large staff, located centrally or dispersed throughout the world. The staff can have numerous specialists for areas such as products, technology, or compliance requirements. Conversely, the audit staff can be mainly generalists that hire specialists via external auditors or consulting firms to provide required skills. Some companies have totally outsourced their internal audit function to external accounting firms. This trend is fueled by the growing interest in general outsourcing, the belief that public accountants have deep knowledge and skill in performing the audit function, and the realization that internal audit salaries may have to increase significantly to attract qualified individuals.
Board Of Directors And The Internal Auditors
As directors have become aware of their increased liability to protect shareholders, they have often looked for sources to provide them with independent assurance that the information they receive from management is fair and accurate. At first, directors turned to the external independent accountants. However, as they became aware that external accountants really focus on a much higher level of materiality in connection with their audit of the annual financial statements, directors have increasingly turned to internal auditors. The apparent conflict of interest here is that management hires the internal auditors, compensates them, and evaluates them.
Can individuals who report to management really report on management, especially if the report may not be favorable?
The answer should be yes, of course they can based on professionalism. The challenge to corporate governance structure in business today is to maintain the proper “tone at the top”. That is where there is a real risk exposure.
Boards of directors need to ask themselves whether “Enron” could happen in their own companies and an essential protective device is to have an active aggressive internal audit function that can assist the Boards in monitoring the internal control environment in their companies. This is particularly true today because the Sarbanes-Oxley Act of 2002 requires management certification of financial statements and internal control reporting.
Auditors who bring very negative information have to be strong and have a good set of facts. The difficulty with the facts, except in a case of outright fraud, is that they can be viewed differently. Auditors can present evidence that management does not implement controls previously agreed to. Management can contend that they did not implement the controls for cost or reorganization reasons, to name a few. Audit committee chairmen need to understand the conflict that exists if management controls salaries, budgets, and promotions of the internal auditors who are expected to report independently.
The IIA in response has provided a number of tools on the issue of ethics. There is a Code of Ethics, a Standard for the Professional Practice of Internal Auditing, and a position paper on whistle-blowing and consultation with peers.
To quote the IIA:
Serving as the conscience of an organization is one facet of the internal auditor’s function. A strong sense of ethics is required to fulfill this responsibility. Like any skill or ability, a strong sense of ethics requires training and understanding. Regular reviews of the basic tenets of feedback is a mechanism that can prevent the pendulum of ethics from being either in the black/white only world, or in the one where telltale gray is more dominant than necessary [Flescher, 1991, p. 104].
Where Should Internal Audit to be Focused On?
An effective internal audit department became part of the overall internal control structure within an organization. It was important, therefore, to recognize that the internal auditors would not only be part of management but also a check on management. To achieve this objective it was recognized that a certain “independence” would be required of the internal audit function.
Internal auditors function best when they are required to report directly to the Board of Directors and/or the Audit Committee of the Board of Directors. In many situations, the internal auditors report to both executive management and the Board and/or Audit Committee. When the internal audit functions properly its work may be relied on by the external auditors in developing their audit plan and in reducing their control testing in connection with their audit.
In the current post-Enron business environment it is imperative that internal auditors focus their attention on “tone at the top,” that is, how top management conduct themselves with regard to policies of the organization including such matters as personal expenses, related-party transactions, and self-dealing. If top management does not observe policies with respect to protecting a company’s assets, how can all of the employees be expected to comply with protective policies.
In the United States, the internal audit professional has grown from being a verifier of data and fraud identifier to being a member of the management team. The auditor is an active participant in the risk management process. For example, internal auditors are also used as active participants in acquisitions and divestitures because internal audit resources can be leveraged to avoid costly consultants’ fees, identify potential problems, and prevent unnecessary expenditures. Auditors are also becoming “management advisors charged with developing new process flows and controls in the redesigned operation as well as gathering and reporting key performance information and monitoring operations stability during the transition” [Trampo, 1998].
The internal auditing function can be executed in many ways. Some companies consider it essential for management trainees to spend time in internal audit if they are being groomed for management positions. For example, General Electric feels management trainees cannot advance within their company if they have not spent some time in the audit function. Some companies also consider the internal audit experience a prerequisite to advancement. Truly progressive companies realize the value that internal audit brings to the management process.
Fortunately, the number of companies valuing the contributions being made by internal auditors is increasing. In the United States, the increased pressure on audit committees to provide independent reviews have in some cases led to greater recognition of the internal audit function.
Qualifications For An Internal Auditor
Owing to pressure from the IIA and its support, the number of schools offering courses in internal auditing is increasing. In the past, most have considered public accounting qualifications as appropriate background for internal auditing. Now, consider the following questions:
- Should internal auditors be generalists or specialists?
- Do they have to be certified public accountants?
- How important is it that internal auditors understand the industry they work in?
- Is internal auditing a training ground for young people, or is it a place for only really experienced people?
The answer is, “So much depends on how the function is run”. I believes that you need very bright, inquisitive staff and the right type of management and training. Sprinkling that with specialists and experience will only help to improve the quality of the function. Nothing succeeds like experience in training bright auditors.
The IIA introduced the concept of certification for the internal audit function in 1974. A number of individuals globally have achieved certification, and this does help in setting certain standards for auditing. However, there are a significant number of internal auditors in the world who are not members of the Institute, have not taken any audit courses, and do not understand financial statements. Does that make them inadequate auditors?
It depends on how they are being used in the function. It is important that management understand the internal audit responsibilities and the importance of independence in executing those functions.
It is to be hoped that the CFIA project will help in defining the competency requirements at various levels—entry, experienced, and manager. This will help provide guidance to schools in developing appropriate courses toward a degree or specialization in internal auditing.
How Internal Audit Function Can Succeed?
Management’s views of internal audit in general are guarded. Too many business managers do not appreciate the way their various business units can work with the internal auditors and tend to view the latter as a necessary evil. A game develops wherein managers do not communicate with auditors, and auditors try to catch managers doing something wrong. There is nothing to be gained by this. All that is accomplished is wasted energy and negative output. The organization is the loser in the process. Other managers truly see the auditors as team members.
The major public accounting firm of PricewaterhouseCoopers offers ten imperatives to help the internal audit function succeed in a post-Enron world:
- Sharpen dialogue with top management and directors in order to clearly establish the value-added objectives of internal audit (i.e., strategic issues, risk management and protection of company assets).
- Realign to meet key stakeholders’ expectations (stockholders, executive management, external auditors and regulators).
- Think and act strategically.
- Expand audit coverage to include “tone at the top,” the conduct of executive management in protecting the company.
- Assess and strengthen expertise for complex business auditing.
- Leverage technology in high-risk areas.
- Focus on enterprise risk management capabilities.
- Make the audit process dynamic, changing with changed business conditions.
- Strengthen quality assurance processes.
- Measure the enhanced performance against expectations of stakeholders.
If everyone begins to view the internal audit function as a truly challenging experience for which only the best and brightest are selected, the company will have a truly outstanding function. The function will work with management in helping them fulfill their responsibility for maintaining strong internal controls.
Internal auditors have five main stakeholders:
- the board of directors;
- the outside auditors;
- senior management;
- operating management,;and
It is important that the audit function clearly define how it will interact with each of these groups. As can be gathered from discussion on hiring the best and brightest, the cost of a top internal audit function is significant. If the function is considered as purely detective, managers will question that cost, to the detriment of the overall organization. However, if auditors are accepted on the risk assessment team and make their contribution in controlling exposures, their costs will be considered more than acceptable.
Evaluating The Internal Audit Function
Evaluation of the internal audit function is not easy. The head of the function should spend some time with management early on and agree on what are the criteria for success.
- A balanced scorecard approach, which combines some financial as well as project-driven measures, should help. Have a try!.
- There should exist an ability to bring in outside evidence for comparison with others in the industry. One option is to ask independent accountants to evaluate how well the internal audit function is being performed. Good!
- Other options include relying on the IIA guidelines or hiring qualified members of the Institute to evaluate the internal audit function. Even better!
BUT, a common drawback of all these approaches is that if management still does not believe in the quality of the function, outside evidence is not that helpful. The recognition of the internal audit function as “the best” by external peers will not always convince management.
The use of external auditors to evaluate internal auditors may have drawbacks. Until recently, many external auditors did not understand the full scope of what the internal auditors should be doing. If the internal auditors were not doing what the external auditors were doing, the external auditors tended to give a negative review of the work performed by the internal auditors.
In many cases, such reviews focused more on the documentation and training process rather than on the outcome of their work. External auditors, being acutely aware of how the lack of clear documentation processes has hurt in litigation, tend to spend more time refining the process than focusing on the outcome of the work of internal auditors.
Using a peer internal audit function in the evaluation process has a number of pluses:
- One is that the profession is evaluated on factors they should be evaluated on.
- Second, peers tend to be a friendlier audience, although this approach still does not help to overcome the gulf between management and the internal auditors.
In 1986, IIA established the Quality Assurance Review Service (QARS) with the object of providing internal audit directors with the assurance that they were in compliance with standards. A quality assurance review is conducted by volunteer members of the IIA. They receive training at headquarters in Altamonte Springs, Florida, prior to conducting their reviews. The average duration of a quality assurance review of an internal audit department is about one week.
Should Internal Audit Function Be In-sourced or Outsourced?
In recent years, the major accounting firms have created Internal Audit Services departments to service both audit clients and nonaudit clients in response to outsourcing needs of companies. However, there has grown to be a perception that the external audit function has compromised its independence (a key standard under generally accepted auditing standards) when it undertakes the internal audit function for an audit client. It has been alleged that as a result of such undertaking the external auditors become too closely associated with management of the company.
Studies have indicated that users of financial statements, such as credit grantors have greater confidence in the independence of outside auditors, when they use different staffs for the external and internal audit functions. Nevertheless, the American Institute of Certified Public Accountants (AICPA), under pressure from the Securities and Exchange Commission (SEC) and the audit failure environment resulting from the Enron case and others, has set forth guidelines in its Interpretation 101-13 under Rule of Conduct 101, Extended Audit Services. These guidelines indicate that independence would not be impaired if the audit firm did not offer to act and does not act in a capacity equivalent to a member of client management or as an employee. Pressure still exists from regulators and congressional sources for public accounting firms to disassociate their internal audit services for publicly held audit clients.
Nevertheless, it has been held by certain users of financial statements that benefits may be derived from having the external audit firm perform internal audit functions. Such benefits include greater understanding of the business and the key audit risks and therefore improved overall audit quality.
Nevertheless, the Sarbanes-Oxley Act of 2002 prohibits the performance of internal audit services by audit firms for their public company audit clients. It is quite clear, however, that the major accounting firms will nevertheless continue to perform internal audit services for nonaudit clients and nonpublic companies.
Regardless of whether internal audit services are outsourced or handled internally, the role of internal audit must be sufficiently dynamic to accommodate the changing views of management, the need to provide continuous value and innovation, a focus on sensitivity to risk and controls, and an emphasis on business strategy. All of these requirements have forever changed the role of internal audit, and, consequently, the expectation gap between management and the internal audit function is narrowing as companies go through periods of dynamic growth and ever increasing change.
Internal Auditing Role in the Future
The new internal auditing model focuses on risk. Instead of viewing a business process within a system of internal control, today’s auditor views the business process within an environment of risk. This shift in focus emphasizes the future as opposed to the past and is more likely to address the full range of issues that concern management.
An analysis of the way in which organizations are changing suggests ways that internal audit will have to adapt. Reengineering changes the way in which employees work. Changing technology alters the way we control work. Virtual organizations are gaining in importance. Regulatory compliance is here to stay.
What does the future of internal auditing look like?
The current business environment requires a leaner and more flexible approach to internal control. Many companies have addressed this challenge through reengineering and new information systems, creating entirely new types of businesses to manage and control. Senior managers can no longer impose structured internal control systems on their organizations; such systems are too costly both in terms of people and in terms of competitive advantage. Instead, senior executives must manage and control as an active team member in their organization’s business processes, providing real-time responses to current business challenges.
How can senior managers gauge how they are changing with their processes?
A good diagnostic is to start by asking a few simple questions. What have we done to ensure that:
- People in the organization are behaving the way intended?
- We are identifying our real risks and being alerted to critical changes?
- The internal and external data we rely on for critical decisions are accurate?
- Critical information and assets are protected?
- Regulations are followed?
- Underlying all of these questions is the ultimate question—are we setting the right tone at the top?
Internal auditing has entered a period of extreme challenge. Internal auditors must involve themselves in things that are happening in a company as they are evolving. They must become knowledgeable about the complex issues affecting their company operations. They have to identify risks that business manager might not be aware of.