About the Profession:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Performed by professionals with an in-depth understanding of the business culture, systems, and processes, the internal audit activity provides assurance that internal controls in place are adequate to mitigate the risks, governance processes are effective and efficient, and organizational goals and objectives are met.

Evaluating emerging technologies, Analyzing opportunities, Examining global issues, Assessing risks, controls, ethics, quality, economy and efficiency. Assuring that controls in place are adequate to mitigate the risks. Communicating information and opinions with clarity and accuracy. Such diversity gives internal auditors a broad perspective on the organization. And that, in turn, makes internal auditors a valuable resource to executive management and boards of directors in accomplishing overall goals and objectives, as well as in strengthening internal controls and organizational governance.

What is internal audit?

The role of internal audit is to provide independent assurance that an organization’s risk management, governance and internal control processes are operating effectively.

Internal auditors have to be independent people who are willing to stand up and be counted. Their employers value them because they provide an independent, objective and constructive view. To do this, they need a remarkably varied mix of skills and knowledge. They might be advising the project team running a difficult change program one day, or investigating a complex overseas fraud the next.

From very early on in their careers, they talk to executives at the very top of the organization about complex, strategic issues, which is one of the most challenging and rewarding parts of their role.

‘It is a very sociable career and I get to meet new people on a daily basis, who work at all levels, right from Executive Directors to the Managers and frontline staff. It is also immensely rewarding to go back and follow up my work after a year or so and see how my efforts have not only resulted in quantitative improvements, but also been accepted by the relevant people in charge.’

What do internal auditors do?

We have a professional duty to provide an unbiased and objective view. We must be independent from the operations we evaluate and report to the highest level in an organization: senior managers and governors. Typically this is the board of directors or the board of trustees, the accounting officer or the audit committee.

To be effective, the internal audit activity must have qualified, skilled and experienced people who can work in accordance with the Code of Ethics and the International Standards.

What is its value to the organization?

Internal auditors deal with issues that are fundamentally important to the survival and prosperity of any organization. Unlike external auditors, they look beyond financial risks and statements to consider wider issues such as the organization’s reputation, growth, its impact on the environment and the way it treats its employees.

In sum, internal auditors help organizations to succeed. We do this through a combination of assurance and consulting. The assurance part of our work involves telling managers and governors how well the systems and processes designed to keep the organization on track are working. Then, we offer consulting help to improve those systems and processes where necessary.

Internal auditors can be engaged in a range of of activities which are detailed below.

Assessing the management of risk:

The profession of internal audit is fundamentally concerned with evaluating an organization’s management of risk. All organizations face risks. For example, risks to the organization’s reputation if it treats customers incorrectly, health and safety risks, risks of supplier failure, risks associated with market failure, cyber security and financial risks to name some key areas. The key to an organization’s success is to manage those risks effectively – more effectively than competitors and as effectively as stakeholders demand.

To evaluate how well risks are being managed the internal auditor will assess the quality of risk management processes, systems of internal control and corporate governance processes, across all parts of an organization and report this directly and independently to the most senior level of executive management and to the board’s audit committee.

Assisting management in the improvement of internal controls:

An internal auditor’s knowledge of the management of risk also enables him or her to act as a consultant providing advice and acting as a catalyst for improvement in an organization’s practices.

So, for example if a line manager is concerned about a particular area of responsibility, working with the internal auditor could help to identify improvements. Or perhaps a major new project is being undertaken – the internal auditor can help to ensure that project risks are clearly identified and assessed with action taken to manage them.

Why is internal audit important to your organization?

By reporting to executive management that important risks have been evaluated and highlighting where improvements are necessary, the internal auditor helps executive management and boards to demonstrate that they are managing the organization effectively on behalf of their stakeholders. This is summarized in the mission statement of internal audit which says that internal audit’s role is ‘to enhance and protect organizational value by providing risk-based and objective assurance, advice and insight’.

Hence, internal auditors, along with executive management, non-executive management and the external auditors are a critical part of the top level governance of any organization.

Activities of internal audit:

Below are the key things an internal auditor does. Within these areas, it is important to think of the internal auditor as the organizations critical friend – someone who can challenge current practice, champion best practice and be a catalyst for improvement, so that the organization as a whole achieves its strategic objectives.

Evaluating controls and advising managers at all levels:

Internal audit’s role in evaluating the management of risk is wide ranging because everyone from the mailroom to the boardroom is involved in internal control. The internal auditor’s work includes assessing the tone and risk management culture of the organization at one level through to evaluating and reporting on the effectiveness of the implementation of management policies at another.

Evaluating risks:

It is management’s job to identify the risks facing the organization and to understand how they will impact the delivery of objectives if they are not managed effectively. Managers need to understand how much risk the organization is willing to live with and implement controls and other safeguards to ensure these limits are not exceeded. Some organizations will have a higher appetite for risk arising from changing trends and business/economic conditions. The techniques of internal auditing have therefore changed from a reactive and control based form to a more proactive and risk based approach. This enables the internal auditor to anticipate possible future concerns and opportunities providing assurance, advice and insight where it is most needed.

Analyzing operations and confirm information:

Achieving objectives and managing valuable organizational resources requires systems, processes and people. Internal auditors work closely with line managers to review operations then report their findings. The internal auditor must be well versed in the strategic objectives of their organization and the sector in which it operates in, so that they have a clear understanding of how the operations of any given part of the organization fit into the bigger picture.

Working with other assurance providers:

Providing assurance to executive management and the board’s audit committee that risks are being managed effectively is not the exclusive domain of internal audit. There are likely to be other assurance providers who perform a similar role. This can include risk management professionals, compliance officers, fraud investigators, quality managers and security experts to name just a few. The difference between these assurance sources and internal auditors is that internal audit are independent from management operations and are able to give objective and unbiased opinions about the way risk are reported and managed. Internal audit’s independence of executive managements is achieved through its functional reporting line to the chair of the audit committee and an administrative reporting line to the chief executive, as the most senior executive.

The interesting aspect within this structure is that internal auditors can work constructively with other assurance providers to make sure the board’s audit committee receives all the assurance they need to form an opinion about how well the organization is managing its risks. It also means that the available assurance resources are optimized by avoiding duplication and gaps in the provision of assurance. Teamwork and developing effective working relationships is a key feature of internal auditing.

But like all professions, internal audit has its own skills and its own qualifications, technical standards and codes of practice.

These are all provided through the internal audit professional body – The Institute of Certified Internal Auditors (ICIA-PAKISTAN).

Whilst the financial skills of accountants are very useful, to do their job effectively, internal auditors must possess a high level of technical internal auditing skills and knowledge. They must also be effective communicators, good project managers, analytically strong and good negotiators.

The difference between internal and external audit:

While sharing some characteristics, internal and external audit have very different objectives. These are explained in the table below:

External audit

Internal audit

Reports to Shareholders or members who are outside the organizations governance structure. The board and senior management who are within the organizations governance structure.
Objectives Add credibility and reliability to financial reports from the organization to its stakeholders by giving opinion on the report Evaluate and improve the effectiveness of governance, risk management and control processes.  This provides members of the boards and senior management with assurance that helps them fulfill their duties to the organization and its stakeholders.
Coverage Financial reports, financial reporting risks. All categories of risk, their management, including reporting on them.
Responsibility  for improvement None, however there is a duty to report problems. Improvement is fundamental to the purpose of internal auditing. But it is done by advising, coaching and facilitating in order to not undermine the responsibility of management.