Many medium and large organizations have an internal audit function. This is a requirement for companies listed on the Luxembourg Stock Exchange and for banks and other financial institutions with major fiduciary responsibilities. Other companies have an internal audit function as it is considered to be a valuable element of management control which provides assurance to the audit committee and adds to the organization’s credibility with investors and creditors.

Management is responsible for establishing and maintaining a system of internal financial controls and, in some cases, may be required by regulators to provide written certification of the adequacy of such controls. Legal and regulatory requirements are changing fast and companies must make sure they are aware of the latest rules.

In smaller organizations, managers are usually close enough to daily operations that they can effectively supervise and monitor the activities of their staff. When the volume and/or complexity of transactions becomes too great, management may need to add people whose primary role is to check the work of others and thereby strengthen internal control.

Organizations that do not have an internal audit function should give strong consideration to establishing one if their size and type of business, source of capital, and risk factors warrant it. The potential benefits of the internal audit function should be assessed and compared against the estimated costs.

Internal auditing is a valuable resource for management and the audit committee because of its objectivity, auditing skills, and in-depth knowledge of the organization. Internal audit does not perform the internal controls since this is a line management responsibility, but their role does provide another level of assurance to management and the audit committee that controls are effective. Historically, the emphasis was on compliance with company policy and the deterrence, prevention, and detection of fraud and errors—which are still important elements of the internal audit function.

Over time, many internal audit functions have addressed broader aspects of control and provide services in other areas, including:

• Reviewing controls over major projects and new systems to help anticipate problems. This can enable timely corrective action and allows for controls to be “built in” rather than retro-fitted after being detected by a subsequent audit or system failure;
• Conducting audits of the efficiency and effectiveness of operations;
• Assessing the risks related to reputation, customer service, the environment, privacy, etc.;
• Providing consultation and advisory services on enterprise risk management and control;
• Participating in the investigation of fraud.

The role of the internal audit should be formally defined in a written charter, approved by the audit committee, with annually reviewed activities outlined in an audit plan.

Internal auditors need a mandate that provides the authority they
need within a structure that supports their independence and
objectivity. This can best be achieved through a written charter that is
aligned with an approved mandate, compatible with best current
practices, and needs of the audit committee. Any restrictions by
management should be disclosed to, and approved by, the audit committee.

Internal audit should not have any operational accountability or
perform functions that would be subject to subsequent internal audit
review. The internal audit charter is reviewed and updated regularly and
includes:

• Role and responsibilities of the internal audit function;
• Functional reporting relationship to the audit committee;
• Administrative reporting relationship;
• Access to corporate employees, facilities, and records (including those of contractors);
• Any restrictions of the scope or authority of internal audit;
• Requirement that managers cooperate with internal audit and respond to reports;
• Code of ethics;
• Internal audit standards;
• Relationship with external auditors;
• Distribution of audit reports and summaries;
• Follow up of recommendations;
• Specific mention of areas such as fraud, technology, safety, environment, etc. as may be required for clarification;
• The right of the chief audit executive to attend audit committee meetings.

Internal auditing activities can be conducted by:

• In-house resources: The organization may assign
  responsibility for audit activities to a corporate internal audit
  department or include some audit activities in the responsibilities of
  line functions (for risks such as safety, environment, etc.). The
  internal audit department may include staff from other departments as
  part of the audit team.
• Outsourcing: The organization may fully outsource the
  internal audit by engaging an external firm to perform the entire
  function and who will then report to a designated executive.
• A combination of the above: The organization may outsource
  specific activities or projects to specialist firms or include one or
  more outside experts with internal audit staff on a project team.

The internal audit function is a major source of information and
assurance to the audit committee on internal financial controls and
other risk management activities. For this reason, most internal audit
functions have a functional reporting relationship to the audit
committee which is defined in the charter of internal audit and the
audit committee. A key element of this relationship is a direct channel
of communication between the chief audit executive and the audit
committee. This typically includes provisions for the chief audit
executive to have access to the chair of the audit committee and attend
audit committee meetings to present the plan for approval and to report
findings.

The CFO and chief audit executive are usually present at all audit
committee meetings. Much of the work performed by the committee relates
to the roles of these individuals and one or the other may take a role
in supporting the committee’s planning activities. There is generally no
requirement for the CEO to be present at such meetings, but in many
cases he or she may attend for information purposes.

Chief audit executives do not generally attend Board meetings. At
least annually, the chair of the audit committee should report to the
Board, referencing internal audit’s effectiveness, capabilities, the
results of its work, and any concerns.

An annual plan is the key element of the internal audit function and its
ability to meet the needs and expectations of the audit committee,
external auditors, and senior management. An audit plan is prepared
based on a comprehensive review and analysis of the organization’s
business activities and associated risks. Where an enterprise risk
management process is already in place, this will provide a critical
basis for developing a plan aligned with corporate priorities. It
includes all projected internal audits and other activities, including
reviews of the development of new systems and critical business
projects. The audit plan includes the budget and staff resources
required to accomplish its goals but allows flexibility to respond to
unforeseen issues and events during the year. A regular review and
update is essential to consider any changes.

The prevention, deterrence, and detection of fraud are the
responsibility of management. The usual role of internal auditors is to
develop audit programs and procedures to evaluate the internal controls
that management has established in order to manage the risk of fraud. In
practice, auditing sometimes deters employees from committing fraud and
occasionally detects a fraud, but these are not usually the major
objectives of auditors.

The term “fraud” covers a number of activities, some of which could be:

• Property fraud: The theft or misuse of assets and, sometimes, the related information;
• Financial reporting fraud: The manipulation of information to mislead or deceive stakeholders.

Internal audit may participate in the investigation of fraud and
provide forensic accounting services—provided that it is cost-effective
to do so. The skills to investigate fraud may be within the internal
audit function, or in a separate security department.

It is critical that the internal audit staff have the diverse set of
skills, industry knowledge, and experience (supplemented where
necessary by external resources) to provide the control assurance and
related advice that the audit committee requires.

Consideration should be given to using the expertise of other
corporate staff, engaging outside experts, or outsourcing where the
necessary skills do not reside within internal audit.

Internal audit periodically reports to the audit committee on its
staff capabilities, including academic and professional qualifications
and years of audit, industry, and organizational experience.

Audit reports and findings are in writing and include the scope and
objectives of the audit, the findings, and recommendations for improving
control. These reports:

• Are action-oriented and include comments and proposals for corrective action from the management of the audited business unit;
• Are balanced, reporting the positive risk and control practices as well as the weaknesses observed;
• Identify the best practices observed throughout the organization;
• Rate recommendations as high, medium, or low in order to assist management in assigning priority to the issues raised.
  

The chief audit executive provides summaries of audit reports to
senior management and the audit committee. The level of detail depends
on the size of the organization, but is sufficient to allow the audit
committee to understand the types and frequency of control issues that
internal audit raises and how management is responding to them.

Good internal audit functions have processes for assessing their own effectiveness. They use the results, together with feedback from the stakeholders, to monitor trends over time and achieve continuous improvement in their practices and performance. Examples of measurement techniques include customer satisfaction surveys, post audit debriefing, and internal quality assurance reviews.