The Institute of Internal Auditors (with more than 120,000 members as of 2008) defines internal auditing as “…an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
One way to distinguish between internal auditors and their more familiar counterparts (external auditors) is the intended audience of their reports. External auditors are hired by a company to audit that firm's financial statements and issue an opinion on the reliability of those financial statements. While external auditors are in a contractual relationship to the firm whose financial statements are being audited, external auditors owe their primary fiduciary responsibility to groups outside of the firm, such as investors and creditors. The external auditor's report or opinion is provided to groups outside of the firm that hired him to
audit by including it in that firm's annual report. In contrast, internal auditors are employed by the organization that they are auditing. Similar to external auditors, the internal auditor might provide a written opinion based on his evaluation. However, in contrast to external auditors, the audience for that opinion will always be corporate management instead of investors and creditors.
Typically, the role of internal auditors is broader than that of external auditors. While a company's external auditors will focus on evaluating the firm's financial statements, internal auditors can provide financial, compliance, and operational auditing.
The significance of the contribution of internal auditors to financial audits was dramatically increased with the passage of the Sarbanes-Oxley Act of 2002. That act made widespread changes in the responsibility of the parties involved in the financial reporting process.
One change that has enhanced the role of the internal auditor is the requirement in Section 302 of Sarbanes-Oxley that a firm's certifying officers (typically the chief executive officer and chief financial officer) must state that they are responsible for establishing and maintaining internal controls over financial reporting. As part of this certification, they must also indicate that the internal controls were designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with generally accepted accounting principles in the United States. These Section 302 certifications are required to be included with the firm's annual financial statements. Most firms will rely extensively on the work of their internal auditors to provide the justification for the Section 302 certifications.
Section 404 of the Sarbanes-Oxley act also increased the responsibilities of internal auditors. This section requires that management include a report on internal controls in the firm's annual financial statements. The report must indicate that management is responsible for establishing and maintaining internal controls over financial reporting, and management's conclusions regarding the effectiveness of those internal controls. In most companies, the internal auditors will provide the documentation and testing of internal controls that will be necessary for management to make that report.
COMPLIANCE OR OPERATIONAL AUDITS
A compliance audit assures that the company's activities comply with relevant laws and regulations. An operational audit explores the effectiveness and efficiency of the firm's activities, seeking to reduce the risks faced by the specific firm. In performing an operational audit, performance standards may include a variety of criteria other than monetary measures, such as the percentage of late deliveries or idle labor time. It is the responsibility of the internal auditor to determine appropriate measures on the basis of experience and insight into the integrated functions of the company's activities. Typically, performance is measured against prior periods, industry standards, other operational units, or budgeted activity.
ENTERPRISE RISK MANAGEMENT
Internal auditors can provide an enterprise-wide approach to risk management. Enterprise Risk Management, or ERM, is a broader approach to risk management than that taken by a single department within an organization. ERM can identify risks and opportunities affecting the creation or preservation of value within the enterprise. Internal auditing can ensure that ERM processes are effective in managing key risks as well as provide important information to the company's board and senior management.
Internal auditing provides a broad-based, independent, value-adding function that is essential for the effective management of a firm. The value of internal audit has been greatly enhanced by the passage of the Sarbanes-Oxley Act of 2002.
SEE ALSO Financial Issues for Managers
Arens, Alvin A. Auditing: An Integrated Approach. 7th ed. Upper Saddle River, NJ: Prentice Hall, 1997.
Burke, Jacqueline, and Anthony N. Dalessio. “Highlights of SAS No. 82 for the Internal Auditor.” Internal Auditing November/December 1998, 40–44.
Financial Accounting Standards Board. “Facts About FASB-Mission Section.” Available from: http://www.rutgers.edu/Accounting/raw/fasb/facts/fasfact1.html.
Gauntt, James E., Jr., and G. William Glezen. “Analytical Auditing Procedures.” Internal Auditor February 1997, 56–60.
Grand, Bernard. “Theoretic Approaches to Audits.” Internal Auditing November/December 1998, 14–19.
The Institute of Internal Auditors. Website. Available from: http://www.theiia.org.
Jacka, J. Mike, and Paulette Keller. “The Building's On Fire!” Internal Auditor February 1996, 46–50.
The Library of Congress.“H.R. 3763 Sarbanes-Oxley Act of 2002.” Available from: http://thomas.loc.gov/cgi-bin/query/z?c107:H.R.3763.ENR:.
Ridley, Anthony J. “A Profession for the Twenty-First Century.” Internal Auditor October 1996, 20–25.
Rittenberg, Larry, and Patricia Miller. Sarbanes-Oxley Section 404 Work: Looking at the Benefits. Institute of Internal Auditors, 2008.
Simmons, Mark R. “COSO Based Auditing.” Internal Auditor December 1997, 68–73.
———. “The Standards and the Framework.” Internal Auditor April 1997, 50–55.
Swtitzer, Susan M. Internal Audit Reports Post Sarbanes-Oxley: A Guide to Process-driven Reporting. New York: Wiley. 2007.
Taylor, Donald H., and G. William Glezen. Auditing: An Assertions Approach. 7th ed. New York: John Wiley and Sons, 1997.
Walz, Anthony. “Adding Value.” Internal Auditor February 1997, 51–54.