Internal Auditing

In the days following the collapse of Lehman Brothers and Bear Stearns, the one thing financial
examiners seemed to agree on was that the cause was, at least in part, a failure to implement or
respond to proper internal auditing practices. Although what's come to light reveals a much more
complex and systemic series of failures, it's clear that if the basic tenets of internal auditing had
been put into practice and internal controls respected, the firms would not have exposed
themselves to such unreasonable risk.
The Institute of Internal Auditors (IIA) is the foremost international professional association for
internal auditing. The IIA's globally accepted definition of internal auditing states that:

"Internal auditing is an independent, objective assurance and consulting

activity designed to add value and improve an organization's operations. It
helps an organization accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes."
In simplest terms, the duties of an internal auditor are to:

Objectively review an organization's business processes

Evaluate the efficacy of risk management procedures that are currently in place

Protect against fraud and theft of the organization's assets

Ensure that the organization is complying with relevant laws and statutes

Make recommendations on how to improve internal controls and governance processes

Auditing Statutes
Although several major congressional acts become law following the 1929 stock market crash the Securities Act of 1933, The Trust Indenture Act of 1939, The Investment Company Act of
1940, and The Investment Advisers Act of 1940 - there are two that have come to define the role
of internal auditing within a legal framework: the Securities Exchange Act of 1934 and the
Sarbanes-Oxley Act of 2002. More recently, the Dodd-Frank Wall Street Reform and Consumer
Protection Act has specifically targeted practices within the financial service sector.
The Dodd-Frank Wall Street Reform and Consumer Protection Act was signed into law in
2010 and is currently being implemented. It seeks to stabilize the U.S. economy by improving
transparency and accountability within the financial service sector. It's objective is to prevent the
possibility of an undue financial burden being placed on taxpayers by ending bailouts and doing
away with the 'too big to fail' mentality. The implementation of this act into law saw the creation of
two new federal oversight agencies: The Financial Stability Oversight Council and The Office of
Financial Research. As this sweeping legislative reform is being put into effect, internal auditors
are paying close attention to how this will affect the work they perform. Although there is some

uncertainty in it's early stages, there are some things that are known to affect internal auditing
practices:

Internal auditors that report questionable conduct will be protected from retributive
termination

There will be an increased occurrence of risk auditing

Internal auditors will adapt to new reporting mechanisms and audit systems

Internal auditors will adapt to new internal controls within organizations

Internal Auditors will work with new mandatory internal risk committees

The Securities Exchange Act of 1934 was one of the first modern pieces of federal legislation
that sought to regulate the financial markets in the United States. The Act accomplished this goal
by establishing a centralized regulatory agency, the Securities and Exchange Commission
(SEC). The Act also set forth several mandatory audit requirements in Section 10A for publicly
traded companies. Some of the highlights of Section 10A include:

The creation of auditing procedures that are designed to detect illegal activities that may
have a direct effect on the determination of accurate financial statement amounts

The creation of procedures designed to identify related-party transactions that may have
a material effect on the company's financial statements

An evaluation regarding the financial ability of an issuer of stock to continue offering

securities for the upcoming year

Required reporting of illegal activities to company management, the audit committee and
the board of directors

Refraining from engaging in prohibited activities that may result in a conflict of interest

The Sarbanes-Oxley Act of 2002 was passed in an effort to increase reporting and oversight
standards for publicly traded companies following Enron and WorldCom's high profile corporate
accounting scandals. In an effort to implement the new standards for integrated audits, the SEC
set up the Public Company Accounting Oversight Board (PCOAB) to oversee, inspect and
discipline companies that are required to comply with the provisions of the law. Some of the main
highlights of the Act include:

Mandatory financial reporting on a periodic basis

Certification of financial reports by company officers that reports do not contain false or
misleading information

Required periodic evaluations and reports regarding the efficacy of internal control
procedures and a list of any deficiencies in the current procedures

Required reports regarding any significant changes in internal auditing or control

procedures that could potentially expose the company to additional risk

Criminal sanctions for failing to comply with the requirements of the Act

Types of Internal Audits

Internal auditing has historically been synonymous with the performance of financial audits,
which seek to ensure an organization is using generally accepted accounting procedures (GAAP)
to create and manage financial information through the review of financial statements.
Businesses also recognize the need for other types of auditing that look beyond ledgers and
balance sheets with respect to legal compliance, IT security, environmental, operational and
performance oversight objectives:
Compliance Audits are used to evaluate an organization's compliance with applicable laws,
regulations, policies and procedures. Legal and policy requirements may be created by federal or
state statute. An organization's management or board of directors can also create compliance
requirements internally.
Environmental Audits identify the impact of a company's activities on the environment and
determine whether the company is complying with environmental laws and regulations.
Information Technology Audits evaluate information management systems and computer
databases to ensure that confidential customer information and proprietary intellectual property is
secure. Information technology audits ensure that only authorized users are able to gain access
to privileged information and that the information itself is accurate.
Performance Audits assess whether an organization is meeting the goals and objectives set
forth by the board of directors. If the organization is not meeting its stated goals, the internal
auditor will identify process shortfalls and make suggestions for improvement to the board of
directors.
Operational Audits assess the overall efficiency and reliability of an organization's control
mechanisms. An essential component of operational auditing is the objective review of the way
an organization allocates resources. If resources are not being used efficiently, the internal
auditor will report these findings along with recommendations on how to reduce wasteful or
inefficient resource allocation.

Who Uses Internal Auditing Procedures?

The Securities and Exchange Commission (SEC) requires all publicly traded companies to
conduct internal audits on a periodic basis. The New York Stock Exchange (NYSE) has also
reiterated this requirement in their Listed Company Manual, which states that any company that
offers to sell shares to the general public must conduct regular audits and assessments of their
internal controls.

Most closely held companies and small businesses are not required by law to conduct audits
within their businesses; however, many private companies elect to employ auditors in an effort to
improve their business processes and procedures.
Many government agencies and non-profit organizations also employ auditors to monitor financial
activities and eliminate wasteful spending. The General Accounting Office and the Defense
Contract Audit Agency are two of the federal government's internal auditing departments
responsible for ensuring that resources are used efficiently within the administrative and
legislative branches of government.

The Relationship between Internal Auditors and Other Segments of

the Organization
Most business organizations are set up with a three-tiered oversight structure:

The board of directors is responsible for making major decisions on behalf of the
business such as establishing corporate policies and procedures, enacting mergers and
taking steps to expand business operations.

The internal auditing department consisting of financial controllers led by a chief audit
executive (CAE), acts as the bridge between the board and the managers. They
essentially assess whether the Board's directives and policies are compliant with the law
and whether they increase the overall efficiency and productivity of the business. If the
board's directives are inefficient or are not being implemented by the management staff,
the internal auditor has a duty to report back to the board with his findings and
recommendations.

Various levels of management are responsible for carrying out the directions and
policies that are determined by the board of directors, as well as making day-to-day
decisions regarding how the business is run.

The Scope of the Internal Auditor's Job

The main goal of the internal auditing department of any organization is to gather information that
can be analysed and converted into valuable insights into how the company can be run more
efficiently. There are four common techniques that are used in the practice of internal auditing to
achieve this end:
1. Observing the target business environment
2. Inspecting the specific risk management, financial reporting and productivity strategies
that are currently in place
3. Inquiring or asking questions of management personnel related to the effectiveness of
the current internal controls
4. Confirming whether the goals and objectives of the business are being met

Collectively, the four techniques that make up the internal auditing process allow auditors to
collect information and evidence, analyze the collected data and report back to the board of
directors with suggestions for improvement if necessary.
In the course of bridging the gap between the board of directors and the corporate management
team, internal auditors are called upon to use their professional judgment to determine the
standards by which business activities are measured. This involves:

Conducting special studies

Analyzing business policies, processes and procedures

Defining audit objectives

Deciding the nature and extent of the audit procedure

Stating final opinions and conclusions

Reporting and distributing findings to the board and management

Arguably, one of the most important aspects of an internal auditor's job is the ability to perform an
objective evaluation of a company's activities. If company politics prevent the internal auditing
department from performing its job as intended, the company will not receive the benefits that are
associated with an honest internal audit such as increased efficiency and productivity, decreased
waste, financial savings and legal compliance.
Corporations can promote objective auditing by employing auditors that do not serve in any other
capacity within the organization. The Institute of Internal Auditors recommends in Section 1100 of
the IIA "Guidance and Standards" manual that internal auditors report to a single committee or
board member who has oversight authority over the internal auditing department in order to
maintain independence and objectivity. Auditors who fill other roles within the organization may
have a harder time performing objective audits since their findings may impact other groups,
individuals or managers who have seniority or authority over them.

Internal Auditing Practice Standards

Although laws are in place requiring companies to conduct ongoing audits of their operations,
qualification and practice standards for auditing professionals are unregulated by state and
federal licensing departments. That is to say that auditors do not need to take specific courses or
register with a governing body. State and federal licensing departments are responsible for
establishing and maintaining practice standards in regulated professions such as certified public
accounting; however, in keeping with the independent nature of the private sector, which makes
use of internal auditing services, standards are maintained by non-governmental professional
collectives.
The Institute of Internal Auditors (IIA) is the foremost independent regulatory body of the internal
auditing profession. While it is not mandatory that internal auditors join the IIA, membership in
this internationally recognized professional association offers opportunities for continued

professional development and certification designations. All members of the IIA are bound by the
Institute's Code of Ethics and Professional Standards.
In addition to the IIA's requirements, all internal auditors are bound by the standards contained in
procedure manuals that are developed and published by the individual companies that the
auditors work for. These standards may vary from business to business. Some smaller
businesses may not have established internal standards and procedures in place prior to bringing
an internal auditor on board. In such cases, the auditor will need to work closely with
management and the owners of the business to refine controls and develop internal auditing
procedures.

Internal Auditing Education and Degree Options

Internal auditors often have professional and educational backgrounds in accounting, finance,
behavioral science, communications, computer systems management, economics and law.
Internal auditors are well versed in quantitative methods, statistical sampling and business
processes. Their backgrounds can play a major role in their understanding of a particular
business niche, as understanding the overarching business being evaluated is vitally important to
the performance of successful internal auditing. For this reason individuals who have served in
different capacities within business will be better suited to identify the objectives and challenges
that are associated with the internal auditing process.
Although internal auditors generally hold baccalaureate or graduate degrees, they haven't all
participated in a rigid course of study exclusively in the area of auditing. Diverse coursework and
professional experiences only help to provide a better understanding of how the auditing teams fit
into the corporate structure.
According to the United States Department of Labor, Bureau of Labor Statistics, most jobs in the
area of internal auditing require at least a bachelor's degree; however, individuals seeking
employment in this field have several degree options that include:

Bachelor's degree with a focus in the area of private sector accounting and internal
auditing

Bachelor's degree in business, accounting or a related field with a minor concentration in

internal auditing

Master's of Science in Accounting

Master of Business Administration degree with a specialization in internal auditing

Graduate-level certificate in internal auditing to complement related degrees

Students interested in working in the area of internal auditing will select elective courses in:

Federal and state corporate income tax

Business law

Business Management

Statistics and Quantitative Methods

Accounting Principles

Financial Management and Auditing

Are you an accountant intested in auditing? Click here to learn more about Accounting vs.
Auditing.

Internal Auditing Certification

Established in 1972, the Institute of Internal Auditors (IIA) is the oldest and best recognized
certifying agency in the accountancy area of internal auditing. In order to be eligible for the
Certified Internal Auditor (CIA) designation, candidates must meet the following requirements:

Hold a bachelor's degree from an accredited college or university

Obtain a minimum of 24 months of internal auditing work experience (individuals with

Master's degrees must have 12 months of work experience)

Submit a character reference from another certified internal auditor or supervisor

Agree to uphold the Certified Internal Auditor Code of Ethics.

If applicants meet the eligibility criteria, they will be required to pass a written exam before
receiving their certification. The internal auditing exam consists of four main topics that include:
general principles of accounting, internal auditing techniques and principles of management.
The IIA also offers specialty certification including:

Certified Financial Services Auditor (CFSA), which offers three exam options based on a
candidate's industry: banking, insurance, or securities

Certification in Control Self-Assessment (CCSA) is specific to auditors who specialize in

control self-assessment (CSA) within their organization

Certified Government Auditing Professional (CGAP) is a public-sector designation for

those who work with fund accounts and grants.

What is Auditing?
By Carol Wiley, Accountingedu contributing writer
Updated April 2013

Financial auditing is the process of examining an organization's (or individual's) financial records
to determine if they are accurate and in accordance with any applicable rules (including accepted
accounting standards), regulations, and laws.
External auditors come in from outside the organization to examine accounting and financial
records and provide an independent opinion on these records. Law requires that all public
companies have their financial statements externally audited.
Internal auditors work for the organization as internal employees to examine records and help
improve internal processes such as operations, internal controls, risk management, and
governance.

Auditing Standards
The Public Company Accounting Oversight Board (PCAOB) maintains external auditing
standards for public companies (issuers) registered with the Securities and Exchange
Commission (SEC).
As of 2012, PCAOB has 15 permanent standards approved by the SEC and a number of interim
standards that reflect generally accepted auditing standards, as described in standards issued by
the Auditing Standards Board (ASB), which is part of the American Institute of CPAs (AICPA).
The ASB also issues Statements on Auditing Standards (SASs) that apply to preparing and
releasing audit reports for nonissuers (companies not required to register with the SEC). AICPA
members who audit a nonissuer are required by the AICPA Code of Professional Conduct to
comply with these standards. As of 2012, there are more than 60 active standards.
For internal auditing, the Institute of Internal Auditors provides a conceptual framework called the
International Professional Practices Framework (IPPF) that provides guidance for internal audits.
Some of the guidance is mandatory, while others are considered strongly recommended, but not
required by law.

Audit Planning
Audit planning includes deciding on the overall audit strategy and developing an audit plan.
Auditing Standard No. 9 from the PCAOB describes an external auditor's responsibility and the
requirements for planning an audit. According to standard No. 9, an audit plan is expected to
describe the planned nature, extent, and timing of the procedures for risk assessment and the
tests to be done on the controls and substantive procedures, along with a description of other
audit procedures planned to ensure the audit meets PCAOB standards.
For internal auditing, the Institute of Internal Auditors provides guidance for audit planning.
Planning starts with determining the scope and objectives of the audit.

Internal auditors need to understand the business, operations, and unique characteristics of the
department/unit being audited and to develop an audit plan that defines the procedures needed
to do an efficient and effective audit.

Internal Auditor Responsibilities

Include:

Performing the full audit cycle including risk management and control
management over operations effectiveness, financial reliability and
compliance with all applicable directives and regulations

Determining internal audit scope and developing annual plans

Obtaining, analyzing and evaluating accounting documentation, reports,

data, flowcharts etc

Job brief
We are looking for an objective Internal auditor to add value and improve our
operations by bringing a systematic and disciplined approach to the
effectiveness of risk management, control, and governance processes. The
successful candidate will possess a thorough knowledge of accounting
procedures and a sound judgement.
Responsibilities

Perform and control the full audit cycle including risk management and
control management over operations effectiveness, financial reliability
and compliance with all applicable directives and regulations

Determine internal audit scope and develop annual plans

Obtain, analyse and evaluate accounting documentation, previous reports,

data, flowcharts etc

Prepare and present reports that reflect audits results and document
process

Act as an objective source of independent advice to ensure validity,

legality and goal achievement

Identify loopholes and recommend risk aversion measures and cost

savings

Maintain open communication with management and audit committee

Document process and prepare audit findings memorandum

Conduct follow up audits to monitor managements interventions

Engage to continuous knowledge development regarding sectors rules,

regulations, best practices, tools, techniques and performance standards

Requirements

Proven working experience as Internal Auditor

Advanced computer skills on MS Office, accounting software and

databases

Ability to manipulate large amounts of data and to compile detailed

reports

Proven knowledge of auditing standards and procedures, laws, rules and

regulations

High attention to detail and excellent analytical skills

Sound independent judgement

BS degree in Accounting or Finance