What is Internal Audit?
The role of internal audit is to provide independent and objective assurance that an organisation's risk management, governance, and internal control processes are operating effectively, thereby ensuring the organisation can achieve its goals.
Internal audits can help organisations improve their operations by:
- Evaluating risk management, governance, and control processes
- Ensuring internal controls are adequate
- Assessing quality, ethics, economy, efficiency, and controls
- Communicating information and opinions clearly and accurately
What do internal auditors do?
All organisations face risks, for example:
- Reputational risk (risks to the organisation’s reputation if it treats customers or employees incorrectly)
- Health and safety risks
- Risks of supplier failure
- Financial risks
Internal auditors independently evaluate and assess an organisation’s management and control of these risks.
Internal auditors (and the internal audit function) operate independently from the operations they evaluate, reporting directly to the board, typically via the audit committee, to provide effective oversight and governance.
To evaluate how well risks are being identified, managed, and mitigated, the internal auditor assesses the quality of risk management processes, systems of internal control, and corporate governance processes across all parts of an organisation. The internal auditor then reports their findings directly and independently to the most senior level of executive management and to the board’s audit committee.
The risks that an internal auditor looks at are not just financial risks, but also non-financial risks like cybersecurity, supply chains and ESG-related risks including climate change and even assessing the corporate culture or diversity and inclusion initiatives.
An internal auditor’s knowledge of the management of risk also enables them to act as a consultant, providing advice and acting as a catalyst for improvement in an organisation’s practices. For example, if a major new project is being undertaken, the internal auditor can help to ensure that project risks are clearly identified and assessed, with action taken to manage them.
What is internal audit not?
Everyone will have heard of auditors, and for many this will mean what is technically known as external audit. External auditors analyse and test financial accounts to ensure the financial statements give a true and fair view of the financial situation of an organisation. As the name suggests, these auditors must be external to the organisation whose accounts are being audited, rather than internal.
Internal auditors therefore do not audit organisations’ financial accounts, although they may audit any corporate governance or risk controls involved in the external audit process.
What value does internal audit add?
Internal audit carries out independent risk assessments and provides independent assurance that the controls and measures put in place to manage and mitigate these risks are effective.
The role and value of internal audit in promoting greater accountability, transparency, effective risk management, and good corporate governance all help to support sustained economic growth and wealth creation across all sectors of the economy.
Supporting initiatives that strengthen internal audit functions can also drive improvements across all sectors, helping to safeguard investment, protect jobs, and support a resilient and prosperous economy.
Internal audit can add value to organisations, for example, by:
- recommending fraud detection procedures, and helping ensure compliance with anti-fraud policies
- identifying vulnerabilities, detecting fraudulent activities, and recommending improvements to reduce the likelihood and impact of fraud
- mitigating cybersecurity and data security risks
- identifying weaknesses in cybersecurity controls and measures and recommending improvements
- assisting with the mitigation of legal and reputational risks
- conducting independent assessments of an organisation's sustainability practices, carbon footprint, climate transition and ESG compliance
- recommending environmentally friendly practices and promoting ethical and responsible corporate behaviour
- helping to optimise human capital potential, assessing diversity, equality and inclusion, and reducing risks associated with talent acquisition and workforce retention
- preparing for geopolitical and macroeconomic events by providing advice and recommending risk mitigation strategies
What defines a successful internal audit function?
The Institute of Internal Auditors (IIA Global) believes an internal audit function should have the following minimum criteria:
- Independence from management - reporting directly, and accountable, to either an entity’s audit committee or the governing body
- A written internal audit charter - agreed upon by both the governing body and the Chief Audit Executive (CAE) or equivalent leader of the internal audit function
- Follows globally accepted internal audit standards
- Has qualified staff, as demonstrated through such means as holding appropriate certifications or other credentials, such as the Certified Internal Auditor (CIA) credential and/or specialty credentials related to expertise in areas or topics subject to an internal audit
- Has the ability to perform activities in an objective and unbiased manner, and
- Is subject to an external quality assessment (i.e. an audit of the internal audit function), such as The IIA’s External Quality Assessment (EQA) or Self-Assessment with Independent Validation (SAIV) no less than once every five years.
What types of organisations have internal audit?
In the UK and Ireland, the requirement for having an internal audit function is not universal across all types of organisations. Whether or not an organisation has an internal audit function will largely depend on its size, complexity, and risk profile.
However, certain types of organisations and businesses are mandated or encouraged to have internal audit functions, and the Chartered IIA advocates for all public interest enterprises (PIEs) to have an internal audit function.
Central government departments, local authorities, and other public sector bodies are often required to have internal audit functions to ensure accountability and compliance with public finance regulations.
The Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) are the regulatory bodies responsible for overseeing financial institutions in the UK.
The PRA Rulebook and the FCA Handbook set out the regulatory requirements for financial institutions, including the expectations for risk management, governance, control, and internal audit.
The decision to establish an internal audit function is typically left to a company's management and board of directors.
The UK Corporate Governance Code, issued by the Financial Reporting Council (FRC), sets out principles related to corporate governance for listed companies.
The 2024 update to the Code further highlights the need for a robust internal control and risk management framework, including a requirement for the Board to declare that material controls have operated effectively.
The Charity Commission for England and Wales issues guidance regarding internal controls and governance for charities.
The Charity Commission states, “Depending on your charity’s size and complexity, you may need an internal audit function and/or audit committee.” It goes on to say that if you do not have an internal audit function or audit committee because your charity is small, you should regularly review whether an internal audit function is needed and have other appropriate ways to check that your internal financial controls are working.