An internal audit is a process of obtaining and evaluating data in order to appraise the level to which requirements are fulfilled. It is a first-party audit. An internal audit should be run on the same principles as other types of audit; however, it doesn't require external auditors.
It is important that an audit is a "search for conformity", and non-conformity should be only a side effect. Finding non-conformity is not the objective of the auditor. However, if he spots one, he's required to describe it in the report.
An internal auditor is usually an employee. It is, however, possible to hire an external consultant as an internal auditor. To become an auditor, a person has to fulfil the following requirements:
- to have enough training and expertise in the area being audited,
- to be trained in audit process,
- to be appointed by top management.
Internal auditors are responsible for performing audits according to internal procedures and external legislation.
Internal audit procedure
An internal audit procedure should include several elements:
- programming audits,
- planning audit,
- performing audit,
- reporting audit,
- analysing series of audits.
The ISO 19011 standard can be a good guide for internal auditors. The sections below discuss the listed elements.
Internal audits program
The manager responsible for audits (e.g. the quality manager) should prepare a program of audits which covers all requirements, e.g. all chapters of the standard, all processes, etc. The program should be prepared for a longer period, usually a year. Certification bodies often require that internal audits cover all requirements during the time between supervision (third-party) audits.
Internal audit planning
The appointed auditor should prepare for the audit:
- establish date of audit,
- become acquainted with documentation,
- prepare list of questions or issues (check-list).
Plan / Charter
The plan/charter usually includes:
- date of the audit
- information about independence of auditor, accountability and responsibility
- access and authority
- relationship with other functions not being audited
- the basis of the audit (procedures, regulations, operating standards, etc.)
- requirements regarding reporting and publication
The auditor's check-list (list of audit questions) is a set of audit questions and required checks. Using the audit check-list allows the auditor to:
- maintain the logical order of research,
- be reminded not to miss an item,
- facilitate the preparation of the report,
- keep evidence of the audit, as the check-list is part of the documentation.
There is no standard list of questions; each auditor makes his own (customized to his needs), depending on experience and the scope of the audit. The list must be kept up to date with changing regulations and adapted to the situation.
Questions on the list can be divided into ten groups:
- Decision about starting the audit (e.g. Do I know who my customer is?)
- Getting information from the person requesting the audit (e.g. Did the customer describe the purpose of the audit?)
- The first contact with the audited entity (e.g. Do I know how to behave in relation to the auditee?)
- Preparation of the audit (e.g. Have I set the date of the audit?)
- Meeting beginning the audit (e.g. Do I know what I want to convey at the opening meeting?)
- The visit in the audited company (e.g. Does the caller answers about?)
- Meeting auditors (e.g. Do I have all the information we need?)
- The meeting ending audit (e.g. Do you all understand my speech?)
- The audit report (e.g. Are the conclusions of the audit not superficial?)
- After the audit (e.g. Am I satisfied with the audit?)
The list of audit questions should be treated as a set of guidelines to facilitate the work of the auditor, and not as a rigid frame. The auditor has to use it intelligently, maintaining professionalism and staying responsive to signals from the outside.
Performing internal audit
Performing an audit consists of the following steps:
- opening meeting - presentation of audit aims and plan.
- interviews with audited managers and employees,
- analysis of documents,
- observation of processes,
- other methods,
- closing meeting - summary, presentation of results.
During the audit, the auditor should avoid checking all the data. That behaviour is typical of an inspection. In an audit, the auditor should take a sample and judge on the basis of its evaluation. The sample usually doesn't exceed 10% of the population. There are several methods of sampling, e.g.:
- pick newest data
- pick one from each month
- pick one every 10 records
- pick randomly
The auditor should avoid letting the employee pick the sample, as he/she can pick only the proper records.
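The sampling methods listed above, as an added example that is not part of the original article: Python code in which the auditor, not the auditee, draws the sample and caps it at 10% of the population. The record layout, the `REC-` identifiers and the seed value are constructed for illustration.

```python
import random
from datetime import date

MAX_PERCENT = 10  # the article's usual ceiling: 10% of the population

def sample_size(records, percent=MAX_PERCENT):
    # At least one record when there is anything to audit, otherwise <= percent.
    return min(len(records), max(1, len(records) * percent // 100))

def newest(records, n):
    return sorted(records, key=lambda r: r["date"], reverse=True)[:n]

def one_per_month(records, n, rng):
    by_month = {}
    for r in records:
        by_month.setdefault((r["date"].year, r["date"].month), []).append(r)
    picks = [rng.choice(by_month[m]) for m in sorted(by_month)]
    # More months than the cap allows: thin the picks at random.
    return picks if len(picks) <= n else rng.sample(picks, n)

def every_nth(records, n, rng, step=10):
    # Random starting offset, so the auditee cannot predict which rows are hit.
    return records[rng.randrange(step)::step][:n]

def random_pick(records, n, rng):
    return rng.sample(records, n)

def build_records():
    # Constructed population: 120 records, 10 per month of 2023.
    return [{"id": f"REC-{m:02d}{d:02d}", "date": date(2023, m, d)}
            for m in range(1, 13) for d in range(1, 11)]

def draw_samples(records, seed):
    # The auditor chooses the seed and notes it in the report, which makes
    # every draw repeatable and shows the auditee did not choose the records.
    rng = random.Random(seed)
    n = sample_size(records)
    return {
        "newest": newest(records, n),
        "one_per_month": one_per_month(records, n, rng),
        "every_10th": every_nth(records, n, rng),
        "random": random_pick(records, n, rng),
    }

if __name__ == "__main__":
    for method, sample in draw_samples(build_records(), seed=20230115).items():
        print(method, [r["id"] for r in sample])
```

Recording the seed alongside the sample in the audit report lets a reviewer re-run the draw and confirm that the audited records were the ones selected.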
Internal audit report
After performing the audit, the auditor should prepare a written report. The scope of the report depends on enterprise requirements. The report should be accepted by the manager responsible for audits and then sent to the units that were audited. Usually the report consists of:
- data from audit plan
- information about conformity
- information about non-conformity
- possibility of improvement
Analysis of series of internal audits
After each programming period, the manager responsible for audits should perform an analysis and present its results to top managers. The results should also be an input for the next programming period.
Concepts using internal audit
- Management systems
- Quality management system
- Environmental management system
- Health and safety management system
- Information security management system
- Financial management
- Risk management
Examples of Internal audit
- Financial Audit: This type of audit focuses on the financial performance and records of an organization. It looks for financial inconsistencies, such as fraud, errors, and mismanagement of funds. Financial auditors review the company’s records, such as their income statements, balance sheets, and other financial documents to assess their accuracy and completeness.
- Operational Audit: Operational auditing is designed to evaluate the effectiveness, efficiency, and compliance of operations and processes within an organization. It looks at the ways in which resources, such as manpower and equipment, are being used and whether they are being utilized in the most efficient way possible. It also looks for any possible operational risks that could impact the organization.
- Compliance Audit: Compliance audits assess whether the organization is adhering to applicable regulations and laws. It looks at internal policies and procedures to ensure they are in line with external regulatory requirements. This type of audit is particularly important for organizations operating in heavily regulated industries, such as finance and healthcare.
- Information Systems Audit: Information systems audits evaluate the security of information systems and networks within an organization. The audit looks for any potential vulnerabilities and risks that could be exploited by malicious actors. It also assesses the organization’s ability to protect its data from unauthorized access.
Advantages of Internal audit
An internal audit provides many benefits to an organization. These include:
- Improved operational efficiency and effectiveness - Internal audits help to identify areas for improvement, such as weak processes, control deficiencies, and mismanaged resources. This allows organizations to make the necessary changes to improve their operational efficiency and effectiveness.
- Enhanced customer satisfaction - Internal audits help to ensure that customer requirements are met and customer complaints are addressed. This helps to improve customer satisfaction and create a better customer experience.
- Improved compliance - Internal audits help to ensure that the organization is in compliance with all applicable laws, regulations, and standards. This helps to minimize the risk of non-compliance and legal liability.
- Improved organizational performance - Internal audits help to identify areas for improvement, such as weak processes, control deficiencies, and mismanaged resources. This allows organizations to make the necessary changes to improve their performance.
- Increased visibility of risk management - Internal audits provide an opportunity to review and assess the risk management process. This helps to ensure that the organization is prepared for potential risks and is mitigating them appropriately.
Limitations of Internal audit
Internal audit has its own set of limitations, which include:
- Lack of independence: Internal auditors are employed by the organization they are auditing and may struggle to be truly objective.
- Limited resources and expertise: Internal auditors may lack the expertise or resources to audit complex matters.
- Lack of external perspective: Internal auditors’ knowledge is often limited to the organization they are auditing, and they may not be able to draw on external experiences.
- Limited access to information: Internal auditors may not have access to all the information they need to properly evaluate the organization.
- Lack of enforcement power: Internal auditors can only provide advice, and lack the power to enforce their recommendations.
An internal audit is a process of obtaining and evaluating data in order to appraise the level to which requirements are fulfilled. It is a first-party audit and should be run on the same principles as other types of audit. Other approaches that are related to internal audit are as follows:
- Risk Assessment - Risk assessment is the process of understanding the risks associated with any business process and its impacts on the organization. It is an important part of the internal audit process, as it helps identify areas where corrective action needs to be taken.
- Process Improvement - Process improvement is a systematic approach used to identify and review existing processes to ensure they are efficient and effective. During the internal audit process, the auditor evaluates the existing processes and makes recommendations for improvements.
- Quality Assurance - Quality assurance is the process of ensuring that products and services meet the specified requirements. During the internal audit process, the auditor checks to ensure that the organization's processes and procedures comply with applicable standards.
- Compliance Auditing - Compliance auditing is the process of verifying that an organization is adhering to all laws and regulations applicable to its operations. Internal auditors are responsible for conducting compliance audits to ensure that the organization is following all applicable regulations.
In summary, an internal audit is a process of obtaining and evaluating data in order to appraise the level to which requirements are fulfilled. Other approaches related to internal audit include Risk Assessment, Process Improvement, Quality Assurance and Compliance Auditing.
- ISO 19011 - Guidelines for auditing management systems
- Douglas F. Prawitt, Jason L. Smith, and David A. Wood (2009) Internal Audit Quality and Earnings Management. The Accounting Review: July 2009, Vol. 84, No. 4, p. 1255-1280.
- Gramling, Audrey A; Maletta, Mario J; Schneider, Arnold; Church, Bryan K. The role of the internal audit function in corporate governance. Journal of Accounting Literature 23 (2004): 194.
- Meigs, Walter B., Principles of Auditing, IRWIN, Boston 1989.
- Taylor D. H., Glezen G. W., Auditing. An assertions approach, John Wiley & Sons, New York 1997
Author: Slawomir Wawak