Internal Audit

Internal auditing has two key functions. First, it provides management with information on the extent to which the control systems are working effectively. This is especially relevant for those responsible for the governance of an organization. Second, it can deliver advice to management for improvements in the functioning of control systems.

An internal audit is executed mainly by people working within the organization. In contrast, external or independent audits are performed by public accounting firms. External audits attest to and report on the effectiveness of internal controls to the audit committee and the company's officers as part of the preparation and issuance of an annual report. The cooperation between internal and external auditors may be restricted depending on applicable regulatory requirements. In general, the information of internal auditing activities can be passed on to the external auditors to review whether the controls of the audited company are adequately evaluated and documented.

Internal control systems relate to the policies, procedures, practices, and organizational structures and are designed to provide reasonable assurances that business objectives will be achieved and that undesired events will be prevented or detected and corrected. Generally, effective control systems require seven coherent elements:

• 1.
  Compliance with norms and procedures to prevent violations of the law
• 2.
  Organizational leadership that promotes a culture of compliance
• 3.
  Screening of employees in high-risk functions
• 4.
  Training, education, and communication over compliance norms
• 5.
  Internal monitoring and auditing
• 6.
  Maintenance of appropriate disciplines and incentives
• 7.
  Corrective actions when violations occur

Internal auditing is thus a part of the comprehensive internal control systems. Interactions between the elements of the control systems are crucial, and therefore internal auditors need to cooperate with all those involved.

The application of internal auditing activities has accelerated due to the imposition of standards and regulations requiring organizations to demonstrate the effectiveness of their control systems. The Federal Sentencing Guidelines (United States), effectuated in 1991, the Cadbury report (United Kingdom), published in 1992, the COSO report (United States), published in 1992, and Sections 302 and 404 of the Sarbanes-Oxley Act, enacted in 2003, are especially relevant in this respect.

The main social function of internal auditing reflects its added value for stakeholders of organizations in demanding that boards demonstrate publicly that they are in control of their organizations. To fulfill this function, internal auditors need to apply and uphold ethical principles of integrity, objectivity, competency, and confidentiality. To achieve this, it is important that the internal audit function be adequately resourced and competently staffed, and that it have direct reporting lines to the audit committee, the board, and the chief executive officer.

Internal auditing professionals are internationally represented by the Institute of Internal Auditors (IIA), established in 1941. Internal auditing is used increasingly in privately owned organizations and governmental and nongovernmental institutions. In 2005, the IIA represented more than 100,000 auditors in 160 countries.