What Is Internal Auditing?
About Internal Audit
The internal audit profession, through The Institute of Internal Auditors (IIA), has continued to redefine itself as business risk and organizational complexity have evolved. So, what is internal auditing? Prior to June 1999, The IIA defined internal auditing as follows:
Internal auditing is an independent appraisal function established within an organization examine and evaluate its activities as a service to the organization. The objective of internal auditing is to assist members of the organization in the effective discharge of their responsibilities. To this end, internal auditing furnishes them with analysis, appraisals, recommendations, counsel and information concerning the activities reviewed. The audit objective includes promoting effective control at reasonable cost.
Today, The IIA uses the following definition:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improves an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
The internal audit professional presently is not regulated by the Securities and Exchange Commission (SEC), Public Accounting Oversight Board (PCAOB) or any U.S. government agency. The IIA is the self-governing professional body that includes the International Accounting Standards Board (IASB), which is charged with evaluating and developing practice standards that are issued in draft form and subject to a public comment period, much like other professional standards and accounting pronouncements. The IIA Standards includes a code of ethics that members must follow or face disciplinary action, including expulsion.
Key Performance Indicators
The following table shows key objectives for conducting internal audits, the outcome measures associated with each objective, and the activity measures that drive each outcome measure. The list provides a starting point from which companies may select a set of five to nine measures to track. To start tracking performance, a company chooses one or two key objectives and begins measuring the corresponding outcome and activity measures. As these objectives are attained, the company may change its focus to other objectives and their related measures.
| Key Objective | Outcome Measures | Activity Measures |
|---|---|---|
| Minimize financial loss due to inside fraud. | Revenue lost to fraud. | - Amount lost to fraud detected from financial compliance audits. - Amount lost to fraud detected by IA through data mining and data extraction. - Amount unaccounted for through revenue reconciliation and operating expenses.
|
| Total annual number of fraudulent occurrences. | - Percentage of employees who receive ethics compliance training. - Number of calls to fraud hotline. - Number of fraudulent activities discovered. | |
| Build the IA department as an internal knowledge resource. | Percentage of audit customers who say they are "highly satisfied" with IA. | - Number of audit requests. - Percentage of audit recommendations implemented. - Percentage of audit customers audited by the same auditor within the past three years. - Percentage of new business initiatives in which IA is invited to participate during planning sessions. |
| Percentage of audits performed by third-party providers. | - Percentage of auditors with certification. - Percentage of auditors with non-audit business experience. - Percentage of staff auditors who "own" specific business unit audit duties. - Percentage of audit customers who request outside expertise to conduct audits. | |
| Percentage of IA budget resources devoted to orientation, work paper reviews and training. | - Internal audit turnover rate. - Average years of experience of new hires. - Average tenure of each staff auditor. - Average number of hours to complete an audit. - Number of audits performed per year per auditor. | |
| Minimize exposure to unexpected risk. | Percentage of business units undergoing annual risk assessments. | - Percentage of business units for which the company has a risk management strategy. - Percentage of business units with ongoing risk assessments. - Percentage of managers trained to assess their own risk. - Percentage of business units with a predetermined risk threshold to trigger audits. |
| Create a highly flexible IA department. | Percentage of total audits not scheduled in the annual audit plan. | - Lead time to fulfill audit requests. - Percentage of risk-based audits. - Percentage of audits requested by business managers. - Percentage of unfulfilled audit requests. |
| Minimize third-party risk. | Percentage of business partners and suppliers that IA assesses for risk. | - Percentage of potential mergers or acquisitions in which IA contributes to due diligence review. - Percentage of service providers that undergo IA risk assessments. - Percentage of suppliers and business partners that undergo IA risk assessments. - Percentage of joint ventures in which the IA function is predetermined. |
Protiviti’s Guide to Internal Audit is designed to be a resource internal audit professionals can refer to regularly in their jobs. The publication offers detailed insights into everything from building an internal audit function to managing and improving the function as the organization evolves.