Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.
It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
[1] Internal auditing might achieve this goal by providing insight and recommendations based on analyses and assessments of data and business processes.
[2] With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice.
It is conceptually similar in many ways to financial auditing by public accounting firms, quality assurance and banking compliance activities.
Beginning in about 2010, the IIA once again began advocating for the broader role internal auditing should play in the corporate arena, in keeping with the IPPF's philosophy.
Internal auditors perform audits to evaluate whether the five components of management control are present and operating effectively, and if not, provide recommendations for improvement.
Internal auditing professional standards require the function to evaluate the effectiveness of the organization's risk management activities.
Under the COSO enterprise risk management (ERM) Framework, an organization's strategy, operations, reporting, and compliance objectives all have associated strategic business risks – the negative outcomes resulting from internal and external events that inhibit the organization's ability to achieve its objectives.
As a member of senior management, the chief audit executive (CAE) may participate in status updates on these major initiatives.
[9] This process is highly valued by many businesses for establishing and implementing effective management systems and ensuring that quality is maintained and professional standards are met.[10] Internal auditors also play an important role in helping companies execute a SOX 404 top-down risk assessment.
Internal auditing activity as it relates to corporate governance has in the past been generally informal, accomplished primarily through participation in meetings and discussions with members of the board of directors.
According to COSO's ERM framework, governance is the policies, processes and structures used by the organization's leadership to direct activities, achieve objectives, and protect the interests of diverse stakeholder groups in a manner consistent with ethical standards.
Internal auditors typically issue reports at the end of each audit that summarize their findings, recommendations, and any responses or action plans from management.
In providing perspective, analysis and workable recommendations for business improvements in critical areas, auditors help the organization meet its objectives.
[16] A key aspect of developing IA strategy is understanding the expectations of stakeholders, such as the audit committee and top management.
[19][20] Independent peer reviews are part of the quality assurance process for many internal audit groups as they are often required by standards.
Such reporting is critical to ensure the function is respected, that the proper "tone at the top" exists in the organization, and to expedite resolution of such issues.
It emphasized assisting management and the board in achieving the organization's objectives through well-reasoned audits, evaluations, and analyses of operational areas.
Sawyer saw auditors as active players influencing events in the business rather than criticizing all degrees of errors and mistakes.
He also foresaw a more desirable auditor future involving a stronger relationship with members of the audit committee and the board and a divorce from direct reporting to the chief financial officer.
Sawyer understood the psychology of interpersonal dynamics and the need for all people to receive acknowledgment and validation for relationships to prosper.
[22] The "Three Lines of Defence Model"[23][24][25][26] is a framework outlining the relationship between business functions, risk management, and internal audit, delineating how responsibilities should be divided.